Flomatika Information Security Policy

Document Control Information

Revision History

This document must be formally reviewed at least annually (including when there are significant changes to the business, when risks are identified, when there are changes to adopted standards or when there are changes in legal regulations that impact Flomatika). Interim updates will be documented and integrated as required in response to changing business objectives or the risk environment. Changes will be communicated as broadly as possible using email, company announcements, and other methods as applicable.

1. Purpose

Protecting the security of Flomatika’s information systems and the data they contain is central to Flomatika’s success and is an operational priority. This Information Security Policy outlines the responsibilities and expectations for the security and responsible use of information assets managed by Flomatika. The controls described within this Policy are collectively known as Flomatika’s Information Security System, which is designed to:

• Reflect Flomatika’s information security and privacy objectives;
• Prevent the unauthorised use of or access to the information systems;
• Maintain the confidentiality, integrity, and availability of information and infrastructure.

This Policy is guided by security requirements specific to Flomatika’s operating environment, applications, applicable laws, and regulatory requirements. These security requirements are based on and aligned with industry standards and good practices.

2. Management Statement

Flomatika cannot function without maintaining the confidentiality, integrity, and availability of the sensitive information and infrastructure in use by its customers and employees. The sustained success of Flomatika requires it to protect both, company and personal information, in a private sensitive and responsible manner that balances business needs, customer expectations, and applicable legal requirements. It is equally important that all information is labelled based on its value and risk to Flomatika and is adequately secured. 

An effective Information Security System is essential for:

• Safeguarding the security and privacy of Flomatika customers and employees and thereby retaining their trust;
• Protecting Flomatika intellectual property rights, financial interests and competitive edge;
• Compliance with applicable legal and regulatory requirements and defending against legal action;
• Maintaining Flomatika’s reputation and brand value.

Information security is everyone's responsibility. To support the understanding of Flomatika’s Information Security System, this Policy discusses the basic information security concepts and policies that are expected to be followed when performing daily business activities. All staff, contractors and third-party vendors are encouraged to become familiar with this document, as this will help Flomatika to reasonably ensure the security and appropriate use of its business-critical systems and confidential and personal information.

This Information Security Policy supports the long-term success of Flomatika and its stakeholders.

3. Scope

Flomatika’s Information Security Policy sets out policies and procedures for the use of information technology within the company which must be followed by all staff, contractors and service providers. Flomatika will keep all IT policies current and relevant. Therefore, from time to time it will be necessary to modify and amend some sections of the policies and procedures, or to add new procedures.

4. Maintenance and Support

This Policy is owned and maintained by the Information Security Working Group (see Section 7 for additional details) within Flomatika. It will be reviewed periodically and modified when applicable as a response to any major changes within Flomatika’s information security policies, practices, or applicable regulatory requirements. Questions related to this Policy should be directed to info-sec@flomatika.com.

5. Information Security Working Group

The Information Security Working Group ('ISWG') has been designed as a distributed model with centralised oversight and governance of both information security. While security is ultimately the responsibility of the Chief Product & Technology Officer, everyone who uses Flomatika systems and networks and has access in some form to Flomatika’s information shares and therefore have a responsibility for their protection and appropriate use. The following provides descriptions of the primary groups involved with developing and delivering the Information Security System.

1. Information Security Roles and Responsibilities

hasThe ISWG has been made responsible for supporting management structure and processes to provide reasonable assurance that Flomatika:

• Develops Information Security System, policies, and the supporting framework;
• That this program and Framework aligns with and supports business objectives;
• That it complies with applicable laws and regulations through adherence to policies and internal controls;
• That the security program provides assignment of responsibility for all information security roles;
• The established framework, management structure and processes have all been designed to assist Flomatika in managing risk associated with Information Security.

The ISWG within Flomatika will be composed of individuals from the following business areas: 

• Management Team: Responsible for leading the implementation and management of the ISMS within Flomatika. The team ensures that the business is operating in a trustworthy manner. 

• The Chief Product & Technology Officer will be the incumbent of this role and the Product Manager will be the deputy.

• Security Operations: Responsible for all systems and activities maintaining all network devices, security systems, mobile devices, and any other electronic device endpoints within Flomatika. 

• The Engineering Lead will be the incumbent of this role and the Platform Engineers will be the deputies

To support the Information Security framework and directives, the ISWG is responsible for the following:

• Developing information security standards, guidelines, and/or procedures in support of the Information Security Policy;
• Maintaining and updating existing information security standards when required;
• Reviewing the security standards, guidelines, and/or procedures on an annual basis and to assist management with the approval process;
• Acting as a coordinating department for implementation of the Information Security Policy within Flomatika;
• Implementing appropriate security controls to mitigate security risks;
• Working with relevant operational teams within the company to follow up on any identified issues;
• Controlling and monitoring access to restricted areas and confidential data;
• Working with Security Operations to ensure appropriate technical controls are in a place where business-critical systems and/or client data are present;
• Performing specific security awareness training where appropriate.

2. Information Privacy

The ISWG will act as the technical lead for information privacy and will be responsible for collaborating with the Management Team on the following activities:

• Serving as privacy advocates and providing necessary guidance to the business/process/asset owners;
• Creating and maintaining information privacy policies;
• Monitoring privacy-related legal requirements and informing the affected business managers of these requirements;
• Advising business managers as necessary about privacy requirements and strategies;
• Collaborating with different teams within Flomatika as necessary to contribute to privacy-sensitive practices and compliance.

3. Human Resources

The Human Resources team is responsible for establishing and maintaining the relationship with employees, contractors, and temporary workers. The department is responsible for the following:

• Verifying an employee's identity and criminal history. All employees are required to successfully pass a background verification prior to starting their employment with the Flomatika; 
• Working with the ISWG to establish, maintain, update, and terminate an employee's access privileges;
• Handling of any sanctions as a result of noncompliance with the Information Security Policy or any of its supporting procedures.

4. Information Owners

Information Owners are responsible for approving data access and determining the appropriate classification level for the information contained within the respective applications under their purview. All applications have one or more designated Information Owner(s). The Information Owner may delegate responsibilities regarding classification and handling, such as to a third-party service provider, but is ultimately responsible for determining that the responsibility has been correctly discharged.

6. Responsibilities of Employees and Contractors

1. Social Media

Staff and employees are responsible for their own personal communications online. All Flomatika employees, contractors and service providers should not represent or communicate on behalf of Flomatika in the public domain without prior approval from the Chief Product & Technology Officer. Any potential breaches need to be reported to your manager immediately.

2. Responsibilities

Employees, contractors, and service providers are required to do the following:

• Understand and comply with this and all applicable policies and standards;
• Complete any assigned training;
• Limit access to Flomatika data to only those individuals with a business need to know;
• Reasonably secure personal information that is collected, procured or created;
• Securely dispose of personal information when it is no longer required for business or legal purposes;
• Adequately protect electronic resources, systems, and technologies that provide access to information;
• Take all reasonable steps to protect their accounts from unauthorised use. They must not install or use unlicensed or malicious software or software of unreputable origins on any device that may be used for business purposes;
• All use of information and communication technologies should reflect Flomatika’s Code of Conduct and values;
• Report actual or suspected breaches of this policy or other malicious activity that may be a threat to the security of Flomatika in a timely manner;
• Ensure that files unrelated to business activities are not stored on Flomatika’s cloud systems such as Google Drive;
• Employees and contractors should not respond to or click on links within phishing, spam, or suspicious emails, SMS or electronic communication. They should not be forwarded to other Flomatika employees. Forward suspicious emails to info-sec@flomatika.com and notify IT Admin of any other suspicious communication attempts or incidents.

7. Information Security Program

1. Policy Statement

Flomatika shall establish and maintain an Information Security System, supported by policies and practices designed to protect Flomatika’s information assets according to the sensitivity, criticality, and value of such assets, and in accordance with applicable business and legal requirements.

2. Practices

• Flomatika’s Information Security System shall be established and maintained based on the following guiding principles:

• Individual, group and Flomatika roles, responsibilities and accountability for management and implementation of Flomatika’s Information Security System shall be documented;
• Information security policies and practices shall be designed to provide a level of information security protection relative to risk acceptance criteria as determined by business and legal objectives; and
• The information security policies developed by Flomatika shall be consistent with all applicable laws, regulations, contracts, commitments, and service level agreements.

• Flomatika’s Information Security System shall include policies and practices to support the following information security goals:

• Allocation of responsibility by Management for development, implementation, monitoring and review of information security policies;
• Monitoring, evaluation and management of information security threats, vulnerabilities and risks;
• Awareness of, and adherence to, all published information security policies applicable to the management or use of information assets by Flomatika personnel with access to such information assets;

• Information must be classified based on its sensitivity:

• Public: Information that is intended for the public domain or that has been approved for release to the public. Examples marketing material, website content and press releases
• Internal: Information not intended for public release, but unintended disclosure causes only minor or no impact to Flomatika or an affiliated organisation or individual. Examples include day-to-day correspondence, project and administrative documentation
• Confidential: Information containing personally identifiable data that if released could result in critical or serious financial, reputation or legal impact to Flomatika or an affiliated organisation or individual
• CTO is the official custodian of the information classification

• The ISWG is primarily responsible for developing and maintaining Flomatika’s Information Security System.

8. Device Usage

1. Policy Statement

Flomatika has controls in place to govern the proper access, usage, and limitations of computing devices (e.g., laptops, mobile phones, tablets, etc.), which are used for conducting business for Flomatika.

2. Practices

• Flomatika grants its employees and contractors the privilege of using computers and devices of their own choosing at work for their convenience;
• Flomatika reserves the right to revoke this privilege if users do not abide by the policies and procedures outlined in the Information Security Policy;
• Flomatika employees and contractors must agree to the terms and conditions set forth in the Information Security Policy in order to be able to connect their devices to Flomatika’s systems; 
• Devices connected to Flomatika may not be used at any time to (a) store or transmit illicit materials, (b) store or transmit proprietary information belonging to another company, (c) harass others;
• Flomatika reserves the right to disconnect devices or disable services without notification;
• Lost or stolen devices must be reported to Flomatika within 24 hours. Employees are responsible for notifying their mobile carrier immediately upon loss of a device;
• Employees assume full liability for risks including, but not limited to, the partial or complete loss of company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable;
• Flomatika reserves the right to take appropriate disciplinary action up to and including termination for noncompliance with this policy;
• Rooted (Android) or jailbroken (iOS) devices are strictly forbidden.

9. Remote Working Security

1. Policy Statement

Flomatika, by default, employs a remote working approach. As such employees and contractors must follow the precautions given in the Information Security Policy.

2. Practices

• Personal equipment cannot be used unless it aligns to the BYOD policy;
• Use a secure WiFi network or Ethernet;
• Keep yourself up to date, and follow best practices and security measures around the use of video conference and remote collaboration software and technology;
• Be extra mindful of the security, permission control, sharing settings of collaboration software you use;
• Take work calls or video meetings in private and consider using headphones;
• When hosting voice/video meetings, seek consent from attendees if you need to record the meeting;
• When attending voice/video meetings, be mindful that your activity might be recorded;
• Make sure your webcam, microphone, and working environments are in good order before commencing work meetings;
• Make sure your webcam, microphone, and meeting sessions are properly terminated at the end of work meetings;
• Lock your screen or log out if you leave your computer unattended;
• Don’t disclose colleagues’ phone number, email address, contact details to third parties without confirming with your colleagues;
• Keep your work device and documents safe and secure.

10. Personnel Security

1. Policy Statement

The information security responsibilities, training and oversight of Flomatika personnel with access to Flomatika’s information assets shall be defined according to the criticality, sensitivity and value of such assets, and in accordance with applicable business and legal requirements.

2. Practices

• For purposes of this Policy, Flomatika personnel are defined as employees, contractors, and third-party users of Flomatika’s information assets.
• Background checks shall be performed for Flomatika personnel, commensurate with the nature of their access to Flomatika’s information assets, proportional to the business requirements, the classification of the information to be accessed, and the perceived risks;
• Flomatika personnel shall receive appropriate information security awareness training and regular updates in organisational policies and procedures, as relevant for their job function;
• The onboarding process for new employees of Flomatika establishes the guidelines for account creation and data access as well as computing system provisioning;
• A process for employment termination (i.e., offboarding process) shall be implemented, which includes the return of Flomatika’s information assets from employee devices;
• All Flomatika personnel shall have their access to Flomatika systems, services, and applications managed within the following constraints:

• New employees shall have the minimum amount of required access provided to perform the functions of their role with additional privilege added as determined by the relevant leadership team and stakeholders. 
• Removal of employee access will follow the guidance from the offboarding process, and any additional items that are required to ensure all employee privileges is revoked within 24 hours of their final day of employment with Flomatika. Any access left enabled past 24 hours must have a documented reason to do so with the ISWG, Human Resources, and the employee's manager all aware.

11. Communications and Operations Management

1. Policy Statement

Information security controls shall be implemented to appropriately protect the confidentiality, integrity and availability of Flomatika’s information assets.

2. Practices

• Responsibilities and procedures for the management and operation of critical Organisation's information assets shall be established;
• Backups shall be performed to ensure that critical data and software can be recovered in the event of a disaster or media failure;
• Controls shall be developed and implemented to prevent, detect, and mitigate unauthorised modification, manipulation and access to systems and data;
• Networks shall be appropriately managed and controlled, to safeguard systems, applications and information in transit from threats and unauthorised access;
• Exceptions and variance requests to Flomatika’s Information Security policies shall be reviewed and approved by the ISWG.

12. Access Control

1. Policy Statement

Access to Flomatika’s information assets shall be managed, monitored, and controlled according to the sensitivity, criticality and value of such assets, and in accordance with applicable business or legal requirements.

1. Practices

• Applications must support sufficient access segregation to ensure that user permissions may be restricted according to the principles of least privilege and default deny;
• Access controls shall be in place to allow only authorised Flomatika personnel access to network services, operating systems, and applications, based on risk;
• Users shall be responsible for maintaining effective access controls to Flomatika’s information assets;
• Authentication credentials must be kept confidential and shall not be shared by multiple users;
• The method and type of authentication shall be sufficient to reasonably protect the resource from unauthorised access;
• User access rights will be reviewed periodically across all production architecture and applications to determine any needed add/change/remove processes that are outstanding;
• Production systems shall have an adequate review as part of the offboarding process to remove access during the final day of an employee's tenure;
• All devices must lock themselves with a password or PIN if it’s idle for five minutes;
• Two-factor authentication will be enforced wherever possible. Default passwords will not be used.
• The following guidelines must be enforced for all passwords:

• Use strong passwords for all systems and devices;
• Do not reuse the same password for different systems and devices;
• Change the password and report to IT Admin and system providers if you suspect a password has been compromised;
• Do not allow others to observe while entering a password;
• Do not share passwords with anyone;
• Keep all passwords and pins confidential;
• Passwords must be at least eight characters and a combination of upper- and lower-case letters, numbers and symbols;
• Passwords will be rotated every 90 days and the new password can’t be one of 15 previous passwords.
• Temporary passwords must be changed on first access to system
• Transmission of passwords must occur over encrypted channels such as “Signal” out of band, or encrypted using 256bit encryption.
• Must have a separate account for high privileged use.

15. Information Systems Management

1. Policy Statement

Information security controls and safeguards shall be appropriately established for the development, implementation and maintenance of Flomatika information systems.

2. Practices

• Information Systems must be classified according to the classification of information it stores, or has access to;
• Security controls must be applied to protect the system based on its classification;
• Segregation of duties shall be implemented, where appropriate, to reduce the risk of unauthorised or unintentional modification or misuse of Flomatika’s information assets;
• Critical systems and software shall be subject to change management control;
• Access to critical operational software, source code and sensitive test data shall be restricted to authorised users;
• All Windows machines utilise antivirus and built-in OS security tools;
• Regularly released OS or application-level security-related patches are rolled out to production servers on a regular basis;
• Additional software requests and requirements can be made to the IWSG. Flomatika will not allow or approve the use of unlicensed, pirated or software of unreputable origins;
• Flomatika explicitly forbid the unauthorised copying, modifying or reverse engineering of any software that we licence or own;
• All employees and contractors must keep software on their devices up to date;
• The IWSG will regularly review and audit all computer systems and software, reassess their security and usage and provide staff with updated instructions as required.

16. Incident Management

1. Policy Statement

Flomatika shall maintain a Cybersecurity and Data Breach Incident Response Plan to ensure timely response to information security incidents.

2. Practices

• Flomatika shall implement internal procedures to ensure notification to information security personnel and management in case of an information security incident;
• Information security incidents shall be documented and reviewed to determine the need for additional information security safeguards or controls;
• Employees and contractors must immediately report all security incidents to their manager and IT Admin;
• Flomatika will handle all incidents in line with Flomatika’s Cybersecurity and Data Breach Incident Response Plan;
• Examples of reportable security incidents include:

• Any unauthorised access, use or disclosure of client and Flomatika data by any person;
• Apparent corruption of data on any system;
• Arrival of a virus or other malware within Flomatika's systems;
• Being able to access a system or directory to which the individual should not have permission;
• Compromise or sharing of user identification or passwords;
• Emails, phone calls, text messages suspected of containing malicious software, inappropriate material or seems of an otherwise questionable nature;
• Inadvertent forwarding of a sensitive document or email to the wrong address;
• Loss or misplacement of a laptop computer or other device, even if it was recovered after a period of time.

17. Business Continuity and Disaster Recovery

1. Policy Statement

Business continuity management and disaster recovery processes shall be implemented to maximise continuous business operations in the event of failures of Flomatika‘s information technology systems.

2. Practices

• Business continuity plans and disaster recovery plans shall be developed, implemented, and maintained for Flomatika and reviewed annually;
• Business continuity Plans for Flomatika shall be tested and updated regularly to ensure that they are up to date and effective;
• Flomatika’s custodians of critical business processes and information shall be responsible for defining and implementing the appropriate business continuity and disaster recovery plans for their processes or systems.

18. Data Confidentiality

1. Policy Statement

Business-related information of Flomatika shall be stored and transmitted in a manner providing confidentiality for sensitive data both at rest and in transit.

2. Practices

• Requirements for data confidentiality controls and safeguards shall be identified and addressed for new information systems or enhancements to existing information systems, based on risk;
• Appropriate controls shall be implemented to ensure information is protected in transit, processing, and storage (e.g., data encryption using AES256 encryption at rest or use of TLS 1.2 in security data in transit);
• All data shall be transmitted via a security protocol (e.g., SFTP, SCP, HTTPS) with equivalent cryptographic security;
• Data that is meant to be for public consumption and use should still be transmitted securely to prevent any manipulation of data in transit when reasonably possible;
• Data that is unable to be transmitted securely over public networks shall be protected by at-rest data encryption;
• Data deemed sensitive by Flomatika shall include, but not be limited to the information stored on:

• Google Drive, Slack, Chargify, Deel, BambooHR, AWS, GitLab

19. Software Change Management Policy

1. Policy Statement

Critical software changes to Flomatika’s systems (including emergency changes), system maintenance and supplier maintenance, database modifications, etc., are supported by documentation and performed under consistent change management procedures to ensure requests are properly authorised and performed on a timely basis.

2. Practices

• The software change requests are logged in Jira from inception to implementation and retained for the useful life of that system;
• The production environment will be restricted based on the principle of least privilege as well as a need to perform appropriate job responsibilities.

20. Approved Software Policy

1. Policy Statement

Employees and service providers of Flomatika must use appropriate software when handling Flomatika information.

2. Practices

• All software must be legally licensed;
• Flomatika explicitly forbids the use of any software which is labelled “for non-commercial purposes”;
• Software must be pre-approved by the CTO before use.

21. Compliance and Audit

1. Compliance with Legal Requirements

The Information Security System is intended to support compliance with applicable laws and regulations. Any requests for non-Public information from law enforcement or any regulatory body must be referred to Management for review and approval before any disclosure is permitted.

Because security evolves over time, additional measures may need to be deployed beyond those covered in this Policy to satisfy those changes as they apply to Flomatika.

2. Third-Party Service Providers

Additional security requirements may be required for any third-party service provider that receives, stores, maintains, processes, or otherwise is permitted access to information provided to them by Flomatika.

Whenever selecting and retaining any third-party service provider, the responsible personnel within Flomatika must take reasonable steps to confirm that the service provider is capable of maintaining appropriate security measures to protect personal information consistent with all applicable laws and regulations. 

3. Audit

Audits may be conducted by independent auditors (e.g., external ISMS auditor) and ISWG. 

22. Enforcement

Those detecting violations of this Policy pertaining to information security must report the violation to the ISWG and Management, who will determine the extent of risk that any Noncompliance condition presents and remediation activities that are required. Any violations of the privacy provisions in this Policy should be reported to the Management. 

Users who deliberately violate this Policy or any of its supporting policies will be subject to disciplinary action up to and including termination from employment or association with Flomatika.

23. Execeptions

Business needs may occasionally require a variance from established policies and standards. A particular business function may not be able to be performed effectively, reasonably, or cost-effectively if the Policy is followed. In these instances, the ISWG must be notified of the underlying business problem and recommended approach or acceptable alternatives. Alternatives and any potential risks or problems the alternatives may cause will be considered.