eMabler 's Security & Privacy Policy

1. PURPOSE AND MOTIVATION
eMabler Oy has implemented an Information Security Management System (ISMS) to ensure its Information Management Systems continuity and protect its customer, employees and partner data in the event of security breaches and malicious attacks. The ISMS implemented by eMabler Oy  is compliant with ISO/IEC 27001:2022, the international standard for information security. 

Purpose of this security and privacy policy is to help the eMabler team and its contractors to protect eMabler’s customers, partners, team members, operations, know-how and other secrets. Furthermore, eMabler wants to be a significant net contributor to online security with a major positive impact. 

Privacy, confidentiality and business continuity are top priorities to us as we are the care keepers and trusted service providers of the online security of our customers and personal end-users. Our customers expect a certain level of governance and security from us, in line with their own policies and practices. 

2. UPKEEP 
This policy is annually reviewed by the InfoSec team and approved by the Company’s CEO. Practice meets the policy and vice versa, in case of conflict they will be brought in sync. 

Any deviations from this Security Policy are documented as Security Exceptions. 

Present and future eMabler team and contractors will study this policy and be notified by the CISO / Security Officer when it changes. 


3. ACCESS RIGHTS AND CONTROL 
All services and devices require user authentication, no open access or community passwords are in use, except when documented and handled as a Security Exception. 

All passwords are personal and unique between different services. Passwords are stored only in a safe and encrypted fashion. 

Multi-factor authentication is enabled for all internal business services with confidential information. 

Access rights to third party and online services, including social media accounts, used in connection with the company’s operations are separately tracked and documented in an Access Matrix. When the team or contractors take a new service in use, it is added to the tracking. 

Devices – including both laptops and mobile devices – are configured to automatically lock and require login if left idle. If this is not feasible, then such equipment is documented as a Security Exception and operated only in an access-controlled space. 

Physical spaces with unprotected equipment or information are physically access controlled and record of the current keys or access codes is kept in a Key Register. Our office Key Register is maintained by Maria01 office space administrators. Keys are given to the personnel only when there is an actual need. eMabler also has the confidentiality and clean desk policy enforced. 

If a team member leaves the team or a contractor stops working for the team, then access rights and keys are immediately revoked or returned accordingly. Offboarding procedures, including revoking of access rights, returning keys and equipment, are done according to an offboarding checklist. 

Adding and removing access rights is the responsibility of our owner or administrator of the system or third-party service in question. Supervisor of an employee or a subcontractor should contact and coordinate access rights with respective owners and administrators as part of the onboarding and exit processes. Access Matrix is updated when access rights are modified and reviewed as whole at least once per year in a periodic Security Review. Access rights are granted and revoked based on business needs only. 


4. DATA STORAGE, RETENTION AND BACKUPS 
All devices, mobiles, computers and removable media storing confidential information are configured to encrypt information at rest with disk or storage encryption. If not feasible for special purpose instruments, then such equipment is documented as a Security Exception and operated only in an access-controlled space. 

Personally identifiable information has a defined data retention in the corresponding Data Retention Policy and it is not stored indefinitely unless explicitly so documented.  

Online services we provide and sell have a Backup Policy. Distributed repositories, synchronised cloud storage and native backups of online services we depend on are used to safeguard our information and data. Ad hoc backups of devices or data that is not centrally stored are only taken to encrypted media and the media is kept either directly in the team's possession or in a physically access-controlled space.  

When removable media or devices are no longer needed to store the data, they are wiped clean of the data before recycling. 


5. OWN INFRASTRUCTURE AND PERSONAL DEVICES
Any own infrastructure (for example web servers, gitlab servers, VPN endpoints, IoT devices) and personal devices should be minimized, and they should have clear ownership. Initial installations should be minimal and when new services are added they should be firewalled and authenticated to limit access to authorized use. Personal devices should be auto-updated. Infrastructure systems and devices should be auto-updated when deemed safe or otherwise patched monthly. The person who installed the system is responsible for patching until responsibility is transferred explicitly to another person. If patches include critical security patches, those will be installed as soon as possible. 


6. OWN PRODUCTS
Periodic product Security Reviews are kept and documented. Our Product Security Officer has been named and authorized to make decisions required to keep our products and services safe and secure. 


6. SUPPLY CHAIN 
Security of the supply chain, both subcontractors and technical dependencies, are considered regularly as part of the periodic Security Reviews.  

As a notable exception, we cannot assume responsibility for the software or hardware security of charging devices.  


7. ZERO-TRUST, REMOTE WORK AND DEVICE SECURITY
No matter where we work from, we should always assume that the environment itself can not be trusted. Don’t let others access the devices you use for work. If you have data to protect on any device or media it should be encrypted in case someone else gets physical access. If you have data to be protected on paper in plain text, always keep it in your hands or behind locks and shred it when done with it. Also keep in mind that it would be best not to have it on paper at all. Lets not keep extra sensitive data with us, only keep the bare minimum that you really need. When you have something sensitive on your screen, keep in mind that there might be prying eyes close by. When you talk aloud, remember that your voice might be heard around you, and snooped on the wire if the service is not end-to-end encrypted. Devices you use for work should automatically lock and require authentication if left idle. There are no trusted networks, all sensitive network usage should be end-to-end encrypted. Finally, in remote access and communications certificates or other mutual authentication should be used and required to make sure that both parties to communication are who or what they should be. 


8. INCIDENT REPORTING AND MANAGEMENT  
Suspected security incidents and major service interruptions are reported to the InfoSec team, CISO or to the supervisor. Suspected incidents are documented, and an Incident Log is kept. Owner or administrator of the affected data or service should be notified and will lead the incident response process. 


9. ONBOARDING AND TRAINING 
When you as a team member or contractor introduce new people or companies to work for or with us, it is your responsibility to make them aware of this security policy. When we make security training or instructions available, you should promptly familiarize yourself with the guidance. We follow an onboarding checklist for new employees and contractors.  


10. CONFIDENTIALITY AND DATA PROTECTION 
Databases, services or registries that contain personally identifiable information have up to date Confidentiality Policies. Applicable data protection legislation and regulation is followed. Personal data should never be collected without a reason and data retention should be planned and minimized both in volume and time. Our Privacy Policy for customer data collected via our website can be found at https://www.emabler.com/privacy-policy. 


11. SECURITY ROLES, QUESTIONS AND LIST OF SECURITY DOCUMENTS

eMabler InfoSec team: 
- Our Chief Security Officer is: Maria Hovila / Maria@emabler.com 
- Security officer is: Ville Parviainen / ville@emabler.com 
- Software / product security officer is: Kasper Nurminen / Kasper.nurminen@emabler.com 
- CEO: Juha Stenberg / Juha@emabler.com 

Customers, Staff & Suppliers: if you have any security concerns or note exceptions, want to create a security incident or have further questions on security related topics, please contact the InfoSec team(security@emabler.com). 

Security, threats and risks are about the unexpected, and they constantly evolve. If ever in doubt, consult your eMabler InfoSec team members. There are no stupid questions. 

These are eMabler’s security documents in place: 

Note: This list might evolve with time. For details, please contact eMabler’s CISO. 

eMabler Policies: 

 POL-1 Acceptable Use Policy        

POL-2 Access Management Policy           

POL-3 Antivirus Policy         

POL-4 Application Security Policy  

POL-5 Asset Management Policy   

POL-6 Availability Policy      

POL-7 Backup Policy           

POL-8 Business Continuity Policy  

POL-9 Change Management Policy          

POL-10         Clean Desk Policy    

POL-11         Code Of Conduct Policy      

POL-12         Confidentiality Policy           

POL-13         Configuration Management Policy  

POL-14         Data Classification Policy    

POL-15         Data Retention Policy          

POL-16         Disaster Recovery Policy    

POL-17         Encryption Policy      

POL-18         Incident Management Policy            

POL-19         Information Security Policy  

POL-20         Logging And Monitoring Policy            

POL-21         Mobile Device Policy           

POL-22         Network Management Policy            

POL-23         Password Policy       

POL-24         Patch Management Policy  

POL-25         Personnel Security Policy   

POL-26         Physical Security Policy      

POL-27         Remote Access Policy         

POL-28         Risk Management Policy     

POL-29         Sanctions Policy       

POL-30         Social Media Policy  

POL-32         Vendor Management Policy            

POL-33         Vulnerability Management Policy  

eMabler Procedures  

PRO-1          Procedure for control of documented information 

PRO-2          Management review procedure 

PRO-3          Business Continuity and Disaster Recovery Procedures 

PRO-4          Contact procedure with local authorities and special interest groups 

PRO-5          Employee on- and offboarding procedures 

PRO-6          Corrective action procedure 

PRO-7          Internal Audit Procedure 

PRO-8          Data backup procedures 

PRO-9          Patch Management Procedure 

PRO-10        Emergency Access to Data 

PRO-11         Save disposal and re-use of IT equipment 

PRO-12        Vendor Management Procedure 

PRO-13        Procedure to Protect Intellectual Property 

PRO-14        Guest Management Procedure 

PRO-15        Information Security in Projects 


Governance Documents 

GOV-1          Information Security Context Requirements and Scope 

GOV-2          Organizational Roles, Responsibilities And Authorities 

GOV-3          Information Security Objectives & Plan 

GOV-4          Risk assessment and treatment plan 

GOV-5          Information Security Communication Plan