ISMS Corporate Policy

Information Security Management System

Last updated: December 30th, 2024

Marble Box’s Information Security Policy ensures access to information technology (IT) resources and communications networks within a culture of openness, trust, and integrity. Marble Box is committed to protecting itself, its employees, customers, and other stakeholders from unethical, illegal, or damaging actions by individuals using these systems.

Purpose

The purpose of this policy is to outline the ethical and acceptable use of Information Systems at Marble Box. These rules are in place to protect employees by ensuring they have access to reliable, robust IT resources that are safe from unauthorized or malicious use.

Insecure practices and malicious acts expose Marble Box and its employees to risks, including virus attacks, compromise of network systems and services, and loss of data or confidential information. Security breaches could result in legal action against individuals or the company, damage the company’s reputation, and result in loss of services. Misuse, such as excessive use by an individual, can substantially diminish the resources available to other users.

Scope

This policy applies to all employees and any other individuals or entities who use information and IT resources at or of Marble Box. It also applies to all IT resources owned or leased by Marble Box and any privately owned equipment connected to the Marble Box network. This includes, but is not limited to, computer equipment, software, operating systems, storage media, the organizational network, and the internet.

Securing and protecting these significant and costly resources from misuse or malicious activity is the responsibility of both those who manage systems and those who use them. Effective security is a team effort involving the participation and support of every member of Marble Box who accesses and uses IT resources. Therefore, every user of Marble Box’s IT resources is required to know the policies and conduct their activities within the scope of the Acceptable Use Policy (AUP), the Marble Box Information Technology Security Policy, and the Policies, Standards, and Guidelines for IT Security. Failure to comply with this policy may result in loss of computing privileges and/or disciplinary action.

‘IT Resources’ include, but are not limited to, servers, enterprise storage, firewalls, desktop devices, portable and mobile devices, networks including wireless networks, IP phones, IP cameras, biometric devices, video conference devices, internet connectivity, internal and external storage devices, peripherals like printers, display boards, scanners, and the software associated with these devices.

Information Security Policy Statement

Marble Box’s management is committed to maintaining the security of its information and the personal information of all stakeholders, including customers. We aim to continuously improve the organization’s Information Security framework.

Unless otherwise specified in this policy, Marble Box’s information technology resources are restricted to purposes related to the company’s mission. Eligible individuals are provided access to support their activities related to official business with the company and other company-sanctioned activities. Individuals may not share or transfer their company accounts, including network IDs, passwords (Marble Box & customers), or other access codes that allow them to gain access to company or customer information technology resources.

Personal use of Marble Box information technology resources must adhere to all applicable company policies. Necessary actions will be taken by the authority as applicable.

Risk Management Framework

We identify, assess, and mitigate risks to our information assets through regular risk assessments and the implementation of controls to manage residual risks. This proactive approach helps us maintain a secure environment.

Incident Response Plan

Our incident response plan outlines procedures for detecting, reporting, and recovering from information security incidents. This ensures swift action to minimize damage and restore normal operations.

Access Control Policies

Access to information and IT resources is granted, managed, and revoked based on the principle of least privilege. This ensures users have the minimum level of access necessary for their roles.

Data Protection Measures

We protect sensitive data through encryption, secure communication protocols, and data masking. These measures help prevent unauthorized access and data breaches.

Compliance and Legal Requirements

Our ISMS policy aligns with relevant laws, regulations, and industry standards (e.g., GDPR, ISO/IEC 27001, SOC2, HIPAA). We conduct periodic audits and document compliance efforts to avoid legal issues and reputational damage.

Training and Awareness Programs

We hold regular training sessions for employees to raise awareness of information security best practices and the importance of adhering to this policy. We also circulate information about the latest security threats, along with general awareness material, through our corporate communication platform.

Monitoring and Auditing

Our dedicated SOC team continuously monitors and regularly audits IT systems and processes to help us detect and address vulnerabilities promptly.

Business Continuity and Disaster Recovery

Our business continuity and disaster recovery plans ensure that critical business functions can continue with minimal disruption during and after a security incident or disaster.

Vendor and Third-Party Management

We manage relationships with vendors and third parties who have access to our information systems through due diligence, contractual agreements, and regular assessments of their security practices.

Policy Review and Updates

We commit to regularly reviewing and updating our ISMS policy to reflect changes in the organization, technology, and the threat landscape.


Marble Box is dedicated to maintaining the highest standards of information security. By adhering to this policy, we ensure the protection of our valuable information assets and uphold the trust placed in us by our stakeholders. Continuous improvement and vigilance are key to our success in this endeavor. We appreciate the cooperation and commitment of all employees and partners in safeguarding our information resources.

For any questions or further clarification regarding this policy, please contact the Information Security Team at it@marblebox.com or the CTO at rupak.banerjee@marblebox.com.

 
