ATSEC SECURITY POLICY

Mission Statement
Provide our customers with professional and independent advice on information security to empower their business and operations.

Company Philosophy
atsec information security is a vendor-independent consulting company in the business of information security. atsec provides a business-oriented approach to information security combined with in-depth technical knowledge. atsec can provide consulting on all aspects of information security, with the highest level of expertise.

atsec is completely focused on providing information security consulting to our clients. Our guiding principles underscore our unique approach:

We know the business
atsec knows the worldwide information security assessment, testing and evaluation business very well. With a multinational staff, it is only natural that we feel comfortable operating internationally. We are a company with global reach.

We act with integrity
Information security assessment, testing and evaluation is a high-integrity business and trust is key. All atsec colleagues are committed to sustaining the highest degree of integrity in our client relationships. We are devoted to delivering work of the highest quality in a timely manner.

We stay focused
atsec colleagues are information security experts. As such, atsec focuses solely on security assessment, testing and evaluation. We do not provide services in any other areas, and we do not sell hardware, software, or any other ware.

We are independent
We are not affiliated with any hardware or software vendor, and we never will be. Our credibility as security experts hinges on that independence. Our customers can rely on us to be objective. We have no interest in selling anything other than our security assessment, testing and evaluation expertise.

Basic Principles
Our success depends on the trust our customers have in the way we do business. atsec management and all atsec colleagues support these basic business principles:

Trustworthiness
We ensure that our sources are reliable and that we use only verifiable information.

Competence
We assign colleagues to customer projects according to their appropriate skills and experience.

Skills Redundancy
Information security knowledge and expertise are broadly represented throughout the company, so that the absence of one colleague will not compromise the success of a project.

Quality
The quality of our projects and deliverables is maintained according to our quality management organization and processes.

Confidentiality
We provide the highest degree of confidentiality for all information from and about our customers.

Discretion
We use the information we receive only for the purpose for which it is provided to us.

Integrity
We act according to the highest ethical standards and in compliance with the law.

The information security management system described herein complies with our company philosophy and protects our basic business principles.

Objectives
The overall objectives of atsec’s information security management system (ISMS) are:

Awareness
Distribute information about security objectives, company strategy, and planned measures on a regular basis through suitable channels. Create common awareness of the need for information security and achieve strong commitment to ISMS objectives. Ensure that new colleagues comply with atsec’s company philosophy and basic principles. Make regularly scheduled updates and refresher courses part of our company’s culture.

Training
Provide training that enables colleagues to develop a broad understanding of information security vulnerabilities, threats, and countermeasures. Offer training in national and international legal requirements and standards.

Organization
Create an organization that builds an efficient ISMS and fulfils formal security requirements imposed by laws and standards. Define security roles, assign qualified personnel to them, and provide the necessary rights and resources.

Documentation
Establish a well-structured documentation system for atsec’s ISMS. Have all relevant information, such as principles, guidelines, technical descriptions, and checklists, readily available, periodically reviewed, and maintained under version control. Support information classification guidelines.

Procedures
Define all necessary procedures and prescribe responsibilities. Review the entire information security strategy, monitor controls, and identify new risks and their appropriate handling.

Quality Management
Fulfil the information security requirements as defined by the Quality Manual.

Risk Management
Perform and document regular risk assessments. Describe existing controls, identify vulnerabilities and threats, rate the residual risks, and initiate additional controls to enable the executive board to sufficiently handle all risks.

Security Controls
Provide all systems with the required security components, as determined through risk assessments.

Individual Responsibility
Each atsec colleague is individually responsible for protecting information, as stipulated above as well as in the absence of any explicit rule.

Audit and Certification
Ensure that the standard of information security is measurable and verifiable for both company management and customers.

Confidential Information
atsec colleagues must handle confidential customer and atsec internal information according to our internal procedures and any special procedures that customers require.

Enforceability
This security policy and all other documents of the information security management system become enforceable and mandatory for all colleagues when signed off by the atsec executive board.

Sanctions
Colleagues violating information security regulations, especially as described in this security policy, may be subject to appropriate sanctions.

External Personnel
External personnel working for atsec must comply with atsec’s security policy.

Suitable formal agreements must be arranged, and external personnel must sign this security policy and atsec’s nondisclosure agreement.

Please take a look at our own certifications and accreditations.