Using machine learning and deep learning, ViNotion builds software solutions that automatically detect and classify people and traffic from camera images in real time. ViNotion's products learn and model specific objects from photo and video examples. With these techniques and algorithms, ViNotion builds smart surveillance systems under the ViSense product line. The software generates statistical data from video images, which supports guidance and provides insight into the dynamics of traffic: for example, counts, speeds, trajectories, GPS locations, density and congestion.
ViNotion has regarded information security as an important issue for years. ViNotion processes large amounts of data, and with that comes a large responsibility. ViNotion acknowledges the importance of privacy and does much to ensure it. It must be ensured that the risks for the customer are acceptable and that the measures are effective, without losing effectiveness, flexibility and efficiency in providing services. Customers increasingly demand an ISO 27001 certification from ViNotion as evidence that its information security is in order. ViNotion therefore wants to obtain ISO 27001 certification to provide this assurance.
Responsibility, objective and audience
Given the possible impact of disruptions on the business operations and continuity of ViNotion and its customers, final responsibility for the information security policy lies with the management of ViNotion. The Information Security Policy aims to control the risks associated with the availability, integrity and confidentiality of information within ViNotion. ViNotion defines it as follows:
A framework of policy principles associated with the confidentiality, integrity and availability of information, in which a well-balanced (effective and efficient) scheme of interdependent measures is developed to protect the information against internal and external threats.
All involved must make sure that they comply with the policy principles formulated in this Information Security Policy when setting up the organization, procedures, processes and accompanying information systems.
Availability: ensuring that information is available at the right moments.
Integrity: ensuring that information is correct and complete.
Confidentiality: protecting sensitive information against unauthorized access.
This policy applies to all information that is created, received, sent or stored as part of ViNotion's service to its clients, the accompanying contractual obligations and the supporting processes. The policy and its implementation apply to all staff of ViNotion. Non-conformities must be reported so that the management system can be continually improved. This policy also applies to contract staff that support ViNotion in its service to clients.
An inextricable part of this policy is the “Code of Conduct”, with which all staff, contract staff and interns must also comply. As much as possible, ViNotion strives for security measures based on logical principles, because such measures are cost-effective and sustainable. These principles are:
- Confidential data you do not have, you do not need to secure.
- No carrying confidential data around.
- Separation of data.
All staff are expected to put these principles into practice.
Ownership and scope of the policy
ViNotion is thus responsible for making its services and products available with adequate security options, so that its customers can comply with their own applicable information security standards and other legislation. The hosting and administration of software also meet these requirements. This does not, however, relieve the client of final responsibility for the security of its information.
For each information system, including the related data, a single owner must be explicitly defined. Ownership implies final responsibility for the system concerned, including the assessment of the identifiable risks of the system, the classification of the system and related data, and the (outsourced) development of adequate security measures and internal control measures. Besides the application itself, this also concerns the correct use of infrastructural components (workstations, servers and the internal and external network), correct processing, adequate administration, the proper functioning of staff, the agreements with third parties, physical security, and facilities to prevent and handle incidents and calamities.
Final responsibility is mentioned because some aspects of an information system are subcontracted to owners other than ViNotion. The aim is not a maximum security level but an optimal one, so that ViNotion can offer its services at acceptable cost.
Implementation of the policy
Based on this policy, risk analyses are performed and a set of measures is defined as the Internal Standard, which is the minimum level of security for services to clients. In consultation with a client, a higher level can be agreed upon.
Monitoring the operation and compliance of the policy
In the management review, the operation of the policy and compliance with it are evaluated internally and, if needed, adjusted.
Every year, an internal audit is held. Part of this internal audit is the re-evaluation of risks and an assessment of new contracts and legislation. The resulting audit report also contains a plan with improvement proposals. Management evaluates the report, approves or rejects the proposals and assigns budget for the realization of approved proposals.
Furthermore, every year an external audit of the functioning of the Information Security Management System (ISMS) is performed by an independent third party that is accredited and knowledgeable. The resulting report is available to (potential) clients.
Using the qualitative policy principles below, ViNotion expects to control its information security risks while retaining its flexibility and efficiency in performing its activities. The policy principles form the bridge between the information security risks and the management objectives and control measures of ViNotion's Internal Standard.
Moreover, the policy principles offer a framework for management to shape the information security objectives to fit ViNotion. The policy principles apply to the data processing for which ViNotion is legally and/or contractually responsible. For the further implementation of this policy, the following principles hold:
- Information security is an important business risk for ViNotion. Management therefore determines the policy, evaluates the risks, provides sufficient means, and has the functioning of the policy and compliance with its measures evaluated internally and externally on a periodic basis, to ensure that the Information Security Management System (ISMS) continues to work adequately.
- With respect to information security, ViNotion conforms to the relevant legislation and to its contractual agreements with customers and business partners.
- ViNotion strives to continually improve its service to customers with respect to information security.
- The management objectives and management measures of the NEN-ISO/IEC 27001 standard and the privacy directives of the Autoriteit Persoonsgegevens (AP) constitute the starting point for the measures to be defined, insofar as they contribute to the information security of ViNotion and are enforceable. This is primarily a business-economic consideration.
- ViNotion regards computer crime as an unwanted social problem and sees it as its task to take appropriate measures to limit the damage resulting from criminal activities.
- Trust is important to ViNotion, and it applies the reciprocity principle to employees, customers, suppliers and other stakeholders. ViNotion assumes that they honor their commitments with respect to the availability, integrity and confidentiality of information.
- The HRM policy is partly aimed at improving the availability, integrity and confidentiality of the information supplied to employees. This is raised during an annual evaluation.
- The physical and logistical security of buildings and their rooms is arranged so that the availability, integrity and confidentiality of the data and data processing, including the assets, are safeguarded.
- Development and acquisition, installation and maintenance of information and communication systems, as well as the integration of new technologies, must where needed be accompanied by additional measures, so that information security is not affected.
- Work assigned to third parties is surrounded with measures such that no breach of the availability, integrity and confidentiality of information can occur.
- During the processing and use of data, measures are taken to ensure the privacy of customers, employees and other parties concerned.
- Access control ensures that unauthorized persons or processes do not gain access to the information systems, data files and software of ViNotion.
- External disclosure of data occurs on a ‘need to know’ basis. Internally this is not always desirable, because knowledge sharing is essential for a cost-effective service to customers.
- ViNotion and its employees take measures to prevent confidential information from reaching third parties.
- Input from customers that contains confidential information is archived or destroyed shortly after processing.
- Data transport is surrounded with measures such that the confidentiality and integrity of the data cannot be violated.
- Authorized employees must have secure remote access to their relevant production environments. No confidential data is stored outside the production environment. Under conditions, deviations from this are possible.
- Production environments are separated from other environments; specific access rights can be granted and access can be monitored.
- The administration and storage of data in production environments are such that no information is lost, except in cases of force majeure.
- Segregation of duties is applied between the development, administration and user organizations. Furthermore, segregation of duties is applied wherever it is possible and desirable.
- There is a process to handle incidents adequately and to extract ‘lessons learned’.
- There are contingency plans and facilities to ensure the availability of information.
- When outsourcing data processing, management can decide to deviate temporarily from these policy principles and to temporarily accept the risks.
- In case of conflict, the mission of ViNotion prevails over the requirements of information security and/or privacy.
- Information security is part of the design, development and administration of software, including software developed by third parties. Security by design and by default are the most important principles.
- ViNotion and its employees are aware of the privacy sensitivity of the (special) personal data they process and always ensure the protection, correctability and transparency of this data, so as to protect the privacy of the parties concerned.