Security
Version 1.1
Purpose of the document: The Security Policy is a fundamental document of the organization that defines how the organization intends to protect its information – for example client data, AI models, or important contracts. It explains why security is important, who is responsible for it, which principles must be followed, and what the company will do to continuously improve. It serves as a baseline document for both employees and management so they understand what the organization aims to achieve and how it intends to achieve these goals.
Disclaimer: This shortened version is intended for publication on the organization’s website. The full version of the document is available upon request or in accordance with contractual terms.
1. Company Strategy
The core strategy of Mongata s.r.o. is to achieve customer satisfaction while maintaining such a level of information security that the company’s activities cannot jeopardize the confidentiality, integrity, and availability of information, nor endanger the life and health of persons, property, or the good reputation of the company and its customers. The fulfillment of this strategy is ensured through active compliance with the established procedures of the information security management system according to the requirements of ISO/IEC 27001, in particular through risk management, protection of personal data and special categories of personal data, access management, continuous enhancement of awareness among employees and selected cooperating persons, and continual improvement of the ISMS.
1.1. Definition of the ISMS Scope
The scope of the information security management system (ISMS) is defined below. The scope is reviewed annually by the organization’s management as part of the security policy review.
Locations
- the managing director’s permanent residence for the storage of physical documents, limited to the document storage area,
- the co-working center at Plynární 1617/10, Holešovice, 170 00 Prague 7 (registered office) is EXCLUDED from the ISMS scope.
Persons
- company employees,
- cooperating persons (always explicitly specified),
- visitors (always explicitly specified).
Services Used
- M365,
- MS Azure (including web services and AI models),
- Stripe,
- Identity providers (Google, Facebook),
- The Pipedrive CRM system is EXCLUDED from the ISMS scope.
Processes
- Primary:
  - Assessment, analysis, and interpretation of the human potential of individuals, teams, and companies (external service),
  - Development of the platform and its infrastructure, development of interpretation algorithms and AI models (service provided internally within the organization).
- Supporting:
  - IT administration,
  - Legal services,
  - Interpretation of results by a psychologist (service to clients),
  - HR and employee management,
  - Marketing,
  - Financial management and controlling,
  - Customer support and administration of customer instances,
  - Sales.
1.2. Information Security Management System
The information security management system is established and governed by this security policy and related documentation. The information security management system sets requirements, obligations, and management processes relating to information security, including measuring their effectiveness and monitoring their implementation.
2. Leadership
2.1. Leadership and Commitment
The organization’s management recognizes the importance of ensuring information security in order to fulfill the organization’s objectives and therefore declares that it:
- will ensure compliance with the requirements of the security policy and will lead by example in complying with them,
- will ensure initial and regular training related to information protection,
- will ensure regular setting of information security management system objectives in line with the strategic direction of the organization,
- will ensure the establishment of the security policy and the integration of the information security management system into the organization’s processes,
- will ensure the availability of sufficient resources (informational, human, technical, and financial) necessary for the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the information security management system and for achieving the objectives set by the board as part of supporting the information security management system,
- will define roles, duties, and responsibilities in the area of information security,
- will participate in impact analysis,
- will ensure that persons in security roles are provided with appropriate authority and resources, including budgetary resources, to fulfill their roles and related tasks,
- will support persons assigned to security roles in enforcing information security in the areas of their responsibility,
- will inform employees of the importance of the information security management system and the importance of meeting its requirements for the operation and development of the organization,
- will lead employees to develop the effectiveness of the information security management system and support their activities in this development,
- will promote continual improvement of the information security management system,
- will demonstrably participate in training in the area of information and cybersecurity, including risk management, in accordance with the security awareness development plan,
- will participate in the preparation of impact analysis,
- will ensure the testing of business continuity plans, recovery plans, and processes associated with the handling of cybersecurity incidents,
- will appoint administrators and persons holding security roles, and
- will ensure that the confidentiality of administrators and persons holding security roles is maintained.
The organization’s management further declares that it:
- will appoint a representative who will be a member of the Cybersecurity Management Committee if such a committee is established.
2.2. Roles, Responsibilities, and Authorities of the Organization
Within the organization, the following roles relevant to the management of the information security management system are defined:
- Person Responsible for Security
  - responsible for proposing rules and requirements related to information security,
  - responsible for monitoring compliance with the requirements of the security policy and related documentation,
  - is replaced by another member of management.
- Head of IT
  - responsible for the administration of IT technologies,
  - responsible for enforcing and complying with the requirements of the security policy and related documentation.
- Manager
  - responsible for enforcing and monitoring compliance with the requirements of the security policy and related documentation.
- Auditor
  - an externally hired person responsible for carrying out the audit in accordance with the organization’s audit plan.
- Cybersecurity Management Committee
  - consists of the person responsible for cybersecurity and the Head of IT,
  - meets as needed,
  - given the size of the organization and the fact that the cybersecurity management committee is staffed by top management, no records are kept of its meetings; outputs are recorded in documents necessary for the management of the information security management system (e.g. the risk treatment plan). The reason for non-applicability is the fact that meetings take place daily, and information security is discussed as needed.
- Cybersecurity Architect
  - responsible for ensuring the design of the implementation of security measures so that a secure architecture is ensured.
- Asset Owner
  - responsible for ensuring the development, use, and security of the asset,
  - within the organization, the Head of IT is designated as the owner of all assets.