Information Security Policy

 

Organization: INTEGRO HEALTH SERVICES AND INFORMATION TECHNOLOGIES INC.

Authorized Unit: Information Security Management Systems Team
Policy Version: v.1
Effective Date: 01.01.2023
Review Date: 01.02.2023
For questions regarding this policy, please contact: [email protected]


Purpose and Scope

 

This Information Security Policy (“Policy”) outlines the security requirements for the secure and appropriate use of Information Technology services within INTEGRO Health Services and Information Technologies Inc. (“Integro Health”). The purpose of this Policy is to protect Integro Health and its users from security threats that could jeopardize integrity, confidentiality, reputation, or business processes.

 

This document applies to all users within Integro Health, including temporary users, visitors with temporary access to services, and partners with limited or unlimited access to services.

 

“Information” refers to any document, data (including personal data), content, or object, regardless of its medium or format (including physical and electronic records).

 

The information produced or accessed as a result of Integro Health’s functions and activities is a valuable resource regarding Integro Health’s legal, commercial, or administrative requirements, constituting significant business assets.

 

 

Responsibilities Regarding Information Security

 

The ultimate responsibility for information security lies with Integro Health’s quality unit. However, Integro Health will be responsible for the management and implementation of the policy and related procedures on a daily basis.

 

Managers must ensure that permanent and temporary staff, as well as contractors, are aware of:

 

All employees are required to comply with all information security procedures, including ensuring confidentiality and data integrity. Noncompliance may result in disciplinary action against the relevant employees.

 

Each employee is responsible for the operational security of the information systems they use.

 

Every system user is obligated to comply with current privacy requirements and must ensure that the confidentiality, integrity, and availability of the information they use are protected to the highest standards.

 

Security Management

 

 

Integro Health’s quality officer is responsible for implementing, monitoring, and documenting security requirements, and for maintaining necessary communication regarding these matters.

 

Information security awareness training should be included in recruitment and onboarding processes. Existing awareness programs will be created and maintained to refresh and update employee awareness as needed.

 

Staff security requirements should be addressed during recruitment processes, and all employment contracts must include confidentiality clauses. Information security expectations for personnel should also be incorporated into appropriate job descriptions.

 

Access to information systems or restricted areas containing stored data should only be granted to authorized personnel with a justified business need, approved by relevant units.

 

Access to computer facilities should be limited to authorized users with a business need to use those facilities. Access to data, system software, and source program libraries should be restricted to authorized users with a legitimate business requirement, and this access must be controlled.

 

Authorization to use any application depends on the validity of the license provided by the respective vendor. To minimize the loss of, or potential damage to, all commercial assets, equipment must be physically protected from all threats and environmental hazards.

 

Management of computers and internet networks will be controlled through standard documented procedures. Information security risks will be formally managed after identification. Identified issues will be recorded in a foundational risk registry, and necessary action plans will be implemented for effective management of these risks. The risk registry and all related action items should be reviewed regularly.

 

All information security regulations are a regularly reviewed feature of Integro Health’s risk management program. Reviews will help ensure the continuity of good practices and identify potential risks that may have arisen since the completion of the previous review.

 

All information security breaches and suspected security vulnerabilities will be reported to the IT unit. All information security breaches will be investigated to determine the causes and effects, aiming to prevent similar breaches. Integro Health will employ countermeasures and management procedures to protect against malware.

 

All personnel are expected to cooperate under this policy. Users are prohibited from uploading software to Integro Health’s systems without the approval of the IT unit. Disciplinary actions may be taken against users who violate this obligation. Audit trails of system access and data usage by personnel will be maintained and reviewed regularly.

 

Changes in information systems, applications, or internet networks must be examined and approved by the IT unit. Integro Health must ensure that all information technology products and services are appropriately licensed. Users are prohibited from uploading software to Integro Health’s systems without IT unit approval, with disciplinary actions possible for violations.

 

This policy is implemented in light of the guidelines, policies, and supporting documents prepared and enforced by Integro Health. The documents listed below, among others, must be reviewed by relevant personnel for application within Integro Health.