Information Security Policy
Purpose
The Information Security Policy defines the framework for protecting all information technology systems, components and processes of the BAUER GROUP. It serves as the overarching directive of the ISMS and is approved by executive management.
Protection Goals
| Protection Goal | Definition | Measures |
|---|---|---|
| Confidentiality | Information is accessible only to authorized persons | Access control, encryption, classification |
| Integrity | Information is complete and unaltered | Hash verification, versioning, change control |
| Availability | Systems and data are accessible when needed | Redundancy, backup, monitoring |
| Authenticity | Identity of users and systems is verified | MFA, certificates, digital signatures |
Scope
The Information Security Policy applies to:
- All employees, executive management and external service providers with system access
- All information technology systems operated in-house and by third parties
- All locations and remote workplaces
- All phases of the information lifecycle (creation, processing, storage, deletion)
Responsibilities
| Role | Responsibility |
|---|---|
| Executive Management | Approval of the policy, provision of resources (§38 BSIG) |
| CISO | Development, maintenance and monitoring of compliance |
| IT Management | Technical implementation of requirements |
| All Employees | Adherence to policies, reporting of violations |
§38 BSIG – Management Obligations
Executive management must approve cybersecurity risk management measures and oversee their implementation. They are personally liable for breaches and are required to undergo regular cybersecurity training.
Review Cycle
| Activity | Interval | Responsible |
|---|---|---|
| Policy review | Annually | CISO + Executive Management |
| Event-driven review | Upon significant changes or incidents | CISO |
| Approval | After each review | Executive Management |
| Communication | After approval to all employees | CISO |
Classification Schema
| Level | Description | Examples | Measures |
|---|---|---|---|
| Public | No restrictions | Marketing materials, published documentation | No special measures |
| Internal | For BAUER GROUP employees only | Internal processes, organization charts | Access control |
| Confidential | Business-critical, restricted access | Customer data, contracts, credentials | Encryption + access control |
| Strictly Confidential | Highest protection level | Key material, security architecture | Encryption + need-to-know + audit trail |