Cyber Resilience - Information Security Policy

Information security is everyone’s business: Employees are trained and encouraged at all levels to take responsibility for information security. SV Group is committed to using the best available technology, taking into account economic constraints. Compliance with all relevant requirements (legal, regulatory and customer requirements) is a matter of course. In addition, SV Group is committed to continuously working on improving information security.

SV Group has defined the following goals in the area of information security:

• Teaching safe behavior at the workplace
• Security protection against attacks from the Internet, as well as against malware and other pests, enables secure mobile working on the move and in the home office
• Role-restricted permissions for employees and administrators
• Reduction of damage from potential incidents
   

The SV Group operates an ISMS with the aim of promoting information security in a targeted manner and continuously improving the company's performance. The ISMS is an integral part of quality management. Processes and procedures are defined in such a way that information security is ensured. Systems are audited at regular intervals, including services provided by third parties. Failure to meet or achieve a target is taken as an opportunity to improve the system and achieve a sustainable change in the company's culture and working methods, which also ensures continuous improvement in the future, thereby creating sustainable added value for the SV Group.

The management supports the information security activities with the necessary resources. In addition, it checks compliance with the rules and takes appropriate measures in the event of deviations.

The Chief Information Security Officer (CISO) is responsible for, monitors and improves the ISMS, implements the defined goals and reports to the management and the board of directors.

Employees at all levels are responsible for ensuring information security. They are supported and trained by their supervisors.

External employees are obliged to maintain information security within the scope in which they provide a service. They are supported and trained by the internal client.

When working with third parties and selecting suppliers, information security is an important criterion, and these parties must apply the SV Group's requirements. Contractual arrangements are made to this effect. The SV Group reserves the right to audit the implementation of these rules.

Violations of the information security requirements are not tolerated and are therefore punished accordingly. Conventional penalties are agreed with third parties, and the necessary corrective measures, such as sanctions, are applied to employees.