1. Introduction and Purpose
Introduction
This Information Security Policy (ISP) is set forth by the Management Team of Inderes Oyj to establish an information security governance framework for protecting the company’s information assets. Inderes Oyj, a Nordic investor media company, connects investors with listed companies and offers equity research and investor relations solutions.
Purpose
The purpose of this ISP is to set a governance framework that enables the Inderes Management Team to oversee, steer and take overall responsibility for securing Inderes data and digital assets. This policy provides the foundation for managing information security in a manner that is consistent with the Inderes values of Independence, Passion, Quality, and Longevity. Specifically, the ISP aims to:
- Ensure that our data handling practices preserve the independence of our operations and the trust placed in us by our stakeholders.
- Embody our passion for excellence by integrating security considerations into all aspects of our business.
- Deliver quality in our services by protecting the information entrusted to us, thereby maintaining the confidence of our community and clients.
- Promote the longevity of our company by managing information security risks in a forward-looking and adaptable manner.
- Ensure that Inderes Oyj adheres to applicable legal and regulatory requirements, as well as our ethical commitments to employees, community, clients, and owners.
Exclusions
This ISP provides an overview of the information security governance framework, principles and objectives at Inderes Oyj. It does not detail the specific operational procedures or security protocols, which are addressed in separate operational documents.
2. Objectives
This policy and all information security activities at Inderes aim to achieve the following:
- Confidentiality: Ensure that sensitive information is accessible only to authorized individuals and that confidentiality is preserved in all business processes.
- Integrity: Maintain the accuracy and completeness of information and processing methods, ensuring that data is reliable and trustworthy.
- Availability: Guarantee that information and critical services are available to users when needed, supporting the continuity of business operations.
- Business Continuity: Develop and maintain plans to protect against and recover from potential threats to the business, minimizing disruptions and ensuring the resilience of operations.
- Alignment with Business Objectives: Ensure that information security practices evolve in tandem with the business, adapting to changes in the operational environment and supporting strategic goals.
- Regulatory Compliance: Fulfill all external security requirements imposed by authorities, industry regulations, and other stakeholders, upholding our legal and ethical obligations.
- Resource Allocation: Provide adequate resources, including personnel, technology, and budget, to implement and maintain information security measures that meet these objectives.
3. Scope
This Information Security Policy covers all digital and physical information assets across the organization. These include:
- Digital Information Assets: All categories of electronic data, including proprietary research, financial records, customer data, and internal communications.
- Physical Information Assets: Printed documents and any other tangible media containing sensitive company information.
- Products and Critical Systems: The array of products and services offered by Inderes Oyj, with a focus on the Inderes.fi and Videosync platforms, which are essential to the Nordic investor information ecosystem.
- Employee and Workplace Security: Protocols concerning employee security awareness and access to information systems, responsible data handling practices, and the physical security of workplace environments.
- Third-Party Relationships: This policy establishes the fundamental expectation that all third parties engaged with Inderes Oyj must adhere to compatible security standards. Detailed security requirements for partners and contractors are specified in separate agreements and documents.
- Insider information management: This is a fundamental aspect of our business, and we are dedicated to full compliance with all applicable laws and regulations concerning insider information. Upholding these standards is crucial for preserving the integrity and trust that underpin our relationships with our community, clients, and the broader financial ecosystem.
4. Governance Structure
The governance structure for information security at Inderes Oyj reflects the company’s commitment to an evolutionary structure that values distributed leadership and collaborative decision-making, as outlined in the Inderes Playbook.
The governance structure for information security at Inderes Oyj has to be dynamic and adaptable, capable of evolving with the organization and the changing landscape of information security threats. It is built on the foundation of our organizational values, ensuring that our approach to information security is as innovative and forward-thinking as our business model.
Information Security Governance Principles
- Distributed Leadership with Oversight Roles: Information security responsibilities are not confined to specific titles or hierarchical positions. Instead, they are distributed across the organization, with business unit leaders overseeing the security aspects relevant to their operational areas.
- Collaborative Decision-Making: The ‘advice process’ is central to our governance structure. Decisions related to information security are made after seeking input from those affected and consulting with individuals who have relevant expertise, regardless of their position within the company.
- Fluid Responsibilities: Team members are empowered to take on various roles and responsibilities related to information security, fostering a culture of ownership and proactive engagement across all levels of the organization.
Information Security Governance Bodies
- Management Team: As the highest information security governance body, the Management Team has set forth this Information Security Policy and is responsible for reviewing and updating this on a regular basis. The Team maintains strategic oversight of information security, ensuring alignment with the company’s mission and values.
- IT Coordination Group: Led by the CFO, this group reviews and prioritizes group-level information security efforts. It acts as an advisory body, providing guidance and oversight to ensure that information security initiatives are in line with the company’s broader objectives and regulatory compliance.
- Group Information Security Task Force: Within the IT Coordination Group, tactical decisions and day-to-day activities are facilitated by the Group Information Security Task Force. The task force is composed of members selected by the IT Coordination Group and works closely with it.
- Technology Team with Rotational Facilitator: For our digital product development, the technology team, guided by a facilitator whose role rotates annually, is responsible for orchestrating the implementation of tactical security decisions and leading responses to security incidents. This team ensures that our digital products are developed with security as a foundational element.
In keeping with our culture of autonomy and proactive engagement, all teams and business units within Inderes Oyj are entitled and encouraged to form permanent or temporary groups and task forces to address specific information security challenges and initiatives. These groups operate within the strategic framework set by the Information Security Policy, ensuring that their activities are aligned with the company’s overall security objectives.
Reporting and Escalation
- Transparent Reporting: Reporting mechanisms are in place to ensure that information is communicated effectively to the relevant parties. All employees are encouraged to report security concerns and incidents in a transparent manner.
- Escalation Process: Security issues are escalated through a consultative process. This ensures comprehensive incident management and promotes a culture of continuous learning and improvement.
5. Risk Management
Inderes Oyj recognizes that risk management is an integral part of its governance and operational practices. The company is committed to a systematic, structured, and consistent process of managing information security risks.
Risk Management Principles
- Risk-Based Approach: Information security at Inderes Oyj is managed on a risk basis, with the identification, assessment, and prioritization of risks being central to the policy.
- Documentation: Identified risks, along with their mitigation strategies and controls, are documented to ensure transparency and accountability.
- Impact Analysis: Impact analysis is conducted to understand the potential consequences to the business and to guide the allocation of resources for risk mitigation.
- Periodic Review: The risk landscape is not static; therefore, Inderes Oyj conducts periodic reviews of its risk assessments to ensure that they remain relevant and comprehensive in light of new threats and changes in the business environment.
- Separation of Roles: The ownership of risks is separated from the management of risks to ensure unbiased assessment and mitigation. This separation also facilitates a clear delineation of responsibilities and accountability.
Risk Management Policy and Processes
Inderes Oyj has established a Risk Management Policy that outlines the processes for identifying, evaluating, managing, and monitoring risks across the organization. This policy supports the achievement of strategic and operational objectives and ensures business continuity under varying conditions. The ability to effectively manage risks is crucial for the success of the business and the creation of shareholder value.
The Board of Directors ensures the effectiveness and efficiency of risk management by requiring regular reporting and by defining control measures for all levels of business operations.
6. Key Security Policy Areas
Inderes Oyj has several key security policy areas that are critical to overall information security activities. These areas should be governed by specific policies and practices that support the strategic objectives set out in this Information Security Policy:
Identity and Access Management
- Access to information and systems is granted based on the principles of least privilege and need-to-know. Identity and access management controls are in place to authenticate and authorize users, preventing unauthorized access.
Data Security
- Protect the confidentiality, integrity, and availability of data throughout its lifecycle. This includes implementing measures to secure data at rest, in transit, and during processing, as well as ensuring proper data disposal.
Continuity and Incident Management
- Develop and maintain business continuity plans to ensure the resilience of operations in the event of disruptions. An incident response plan is in place to address security breaches and minimize their impact.
Systems Management
- All company systems are inventoried and classified according to their operational role and level of confidentiality. Systems are subject to technical, operational, and process requirements based on their classification, with periodic monitoring, review, and updates to maintain security standards.
Security Awareness
- Cultivate a security-conscious culture within Inderes Oyj by ensuring that personnel and teams receive targeted training and education. Security awareness initiatives are tailored to the roles and responsibilities of individuals. This approach allows for adaptive learning experiences that are both effective and efficient, equipping team members with the necessary skills to identify and mitigate security risks pertinent to their functions.
Asset Management
- Maintain an inventory of all information assets and implement appropriate controls to protect these assets from unauthorized access or data loss.
Privacy
- Uphold the privacy of all stakeholders, including employees, clients, and the investor community, by complying with applicable privacy laws and regulations. Privacy controls are integrated into processes involving the collection, use, and storage of personal information.
7. Compliance
Inderes Oyj is committed to being compliant with applicable legal, regulatory, and contractual requirements related to information security.
Legal and Regulatory Compliance
- We adhere to national laws and EU regulations, particularly those pertaining to data protection and the handling of insider information, which are critical due to our extensive work with publicly listed companies. Our operations in Finland, Sweden, and other Nordic countries are conducted in strict conformity with the respective national legislations and the overarching EU framework.
- Business units and product teams are responsible for maintaining a thorough understanding of all relevant legal and regulatory requirements. They are expected to establish and follow well-defined processes for regular review, monitoring, and adaptation to these requirements, ensuring effective leadership in information security within their areas of operation.
- We offer the necessary training and education for employees working with information security and insider information.
- We have designated a person in charge of insider issues. Additionally, designated individual(s) may be assigned for certain information security and/or data protection responsibilities.
Contractual Obligations
- Inderes Oyj is dedicated to fulfilling all security-related contractual obligations with our clients and partners.
8. Reporting and Monitoring
Inderes Oyj is committed to a systematic approach to reporting and monitoring information security matters, ensuring that critical information flows effectively from the operational level to the Management Team, facilitating informed decision-making and oversight.
Reporting Structure
- Digital Products: The rotational facilitator, in collaboration with the technology team, is responsible for monitoring information security within the digital product space. They are tasked with reporting relevant security matters, incidents, and the status of ongoing security initiatives to the IT Coordination Team.
- Business Units: Business leads across other teams and units are responsible for overseeing information security within their domains. They are expected to monitor and report on security issues and compliance status to the IT Coordination Team.
- IT Coordination Team: This team, working closely with the CFO, serves as the central hub for information security reporting within Inderes Oyj. It consolidates reports from various teams and facilitates communication with the Management Team.
Management Team Oversight
- Management Team: The Management Team, as the policy setter, maintains strategic oversight of information security efforts. Through regular updates from the IT Coordination Team, the Team monitors the implementation and effectiveness of the Information Security Policy, ensuring that it aligns with the company’s objectives and values.
9. Review
The Information Security Policy of Inderes Oyj is subject to regular review to ensure its continued relevance and effectiveness in the face of an evolving threat landscape and changing business needs.
Review Process
- Annual Review: The Management Team conducts an annual review of the Information Security Policy to assess its adequacy in addressing current and emerging security challenges. This review also considers changes in regulatory requirements and the company’s strategic direction. The review process involves input from various stakeholders, including the IT Coordination Team, technology team, business unit leaders, and other relevant parties, ensuring a comprehensive approach to policy enhancement.
Adjustments and Updates
- Policy Updates: Following the review, necessary adjustments are made to the Information Security Policy to address identified gaps, incorporate best practices, and align with the company’s objectives.
- Communication: Updates to the policy are communicated across the organization to ensure that all employees are aware of and understand any changes to the information security requirements.