
Security policy

Policy Summary

The confidentiality, integrity and availability of Ohalo's information should always be preserved, whatever the form of the information and however it is shared, communicated or stored.

Introduction

Ohalo maintains ISO27001 certification and has implemented an Information Security Management System (ISMS) to protect Ohalo and its customers’ information from a range of internal and external threats. The ISMS is the set of policies and processes to which Ohalo's employees are required to adhere to ensure Information Security. This Information Security Management System Policy has been created to define the purpose, direction, principles and basic rules for the ISMS.

Scope

This policy applies to the entire ISMS and to all of Ohalo. This includes all of Ohalo's:

  • physical locations including all offices
  • assets and technology including all desktop and laptop computers, mobile devices and networks, including
    • personal devices used for business purposes,
    • public cloud-based services used in the provision of Ohalo's services
    • including of course all information itself.

Objectives

Supporting Ohalo in its core mission of providing value to shareholders and customers through:

  1. Building security into Ohalo’s products;
  2. Identifying and assessing information security risks and treating those risks so that they are acceptable;
  3. Reducing or eliminating security incidents;
  4. Minimizing the negative impact of any such incidents;
  5. Continually improving Ohalo's ability to assess, detect, avoid and ameliorate information security risks and incidents;
  6. Maintaining esteem for and the credibility of Ohalo's brand; and
  7. Protecting the privacy of all stakeholders and particularly the personal information of our customers.


Principles

  1. Ohalo will think security first when building its products.
  2. Ohalo will take a conservative approach to all security matters.
  3. Ohalo will ensure all Personally Identifiable Data remains within the environment and control of the Customer; Personally Identifiable Data will never be stored by Ohalo unless explicitly agreed to in writing by the Customer, and only then with contractual provisions in place to define how that data should be stored.
  4. Top management will implement and maintain this Policy, as well as the procedures and policies required to support this Policy.
  5. All employees are educated in information security principles and are responsible and accountable for information security relevant to their roles.
  6. Information security risks are assessed, managed and treated as necessary so that Ohalo's information security risks remain within acceptable parameters.
  7. Information security controls are adequately funded.
  8. Ohalo's security posture is continuously improved.
  9. Violations of this or any related policy or procedure by any employee may result in disciplinary action and/or dismissal and/or criminal prosecution. Breaches of information security will not be tolerated.

Key Outcomes

  1. Information security incidents will not result in significant financial losses or reputational damage or disruption to the business.
  2. Customers', suppliers' and partners' confidence in the confidentiality, integrity and availability of Ohalo's information will be preserved.
  3. Shareholder value will be preserved or enhanced.

Policy implementation

This policy is, and will continue to be, implemented through Ohalo's internal policy suite, which strives to continually improve our security processes and includes:

  1. Information Security Management System Policy Review & Audit
  2. Information Security Roles & Responsibilities
  3. Information Security Handling Policy
  4. Information Security Regarding Staff and Sub-Contractors
  5. Information Security Adverse Incidents and Incident Reporting
  6. Information Security Disclosure Procedure
  7. Information Security Live Services Working Procedure
  8. Database Hardening Guide (for Production Databases)
  9. Personal Communication Policy
  10. Internet & eMail usage Policy
  11. Contact with Relevant Regulatory Authorities
  12. Officers
  13. Anti-Bribery Policy

These additional policies can be provided to clients upon request.