The First International Cryptographic Module Conference
24.-26. September, Gaithersburg, MD, USA
atsec Security Policy
Provide our customers with professional and independent advice on information security to empower their business and operations.
atsec information security is a vendor-independent consulting company in the business of information security. atsec provides a business-oriented approach to information security combined with in-depth technical knowledge. atsec can provide consulting on all aspects of information security, with the highest level of expertise.
atsec is completely focused on providing information security consulting to our clients. Our guiding principles underscore our unique approach:
- We know the business
atsec knows well the worldwide information security consulting business. With a multinational staff, it is only natural that we feel comfortable operating internationally. We are a global company, with offices in Europe, the United States, and China. We deliver work of the highest quality on time.
- We act with integrity
Information security consulting and evaluation is a high-integrity business, and very much a matter of trust. All of our employees are committed to sustaining the highest degree of integrity in our client relationships. We are devoted to delivering highest quality in a timely manner.
- We stay focused
atsec consultants are information security consultants. As such atsec focuses solely on information security consulting. We do not consult in any other areas, and we do not sell hardware, software, or any other ware.
- We are independent
atsec is an employee-owned company. We are not affiliated with any hardware or software vendor, and we never will be. Our credibility as consultants hinges on that independence. Our customers can rely on us to be objective: we have no interest in selling anything other than our security expertise.
Our success depends on the trust our customers have in the way we do business. atsec management and all atsec employees support these basic business principles:
We ensure that our sources are reliable and that we use only verifiable information.
We assign employees to customer projects according to their appropriate skills and experience.
- Skills Redundancy
Information security knowledge and expertise are broadly represented throughout the company, so that the absence of one employee will not compromise the success of a project.
The quality of our projects and deliverables is maintained according to our quality management organization and processes.
We provide the highest degree of confidentiality for all information from and about our customers.
We use the information we receive only for the purpose for which it is provided to us.
We act according to the highest ethical standards and in compliance with the law.
The information security management system described herein and in  complies with our company philosophy and protects our basic business principles.
The overall objectives of atsec's information security management system (ISMS) are:
Distribute information about security objectives, company strategy, and planned measures on a regular basis through suitable channels. Create common awareness of the need for information security and achieve strong commitment to ISMS objectives. Ensure that new employees comply with atsec's company philosophy and basic principles. Make regularly scheduled updates and refresher courses part of our company's culture.
Provide training that enables employees to develop a broad understanding of information security vulnerabilities, threats, and countermeasures. Offer training in national and international legal requirements and standards.
Create an organization that builds an efficient ISMS and fulfils formal security requirements imposed by laws and standards. See  for details. Define security roles, assign qualified personnel to them, and provide the necessary rights and resources. See , , and  for details.
Establish a well-structured documentation system for atsec's ISMS. See  for details. Have all relevant information, such as principles, guidelines, technical descriptions, and checklists, readily available, periodically reviewed, and maintained under version control. Support information classification guidelines. See  for details.
Define all necessary procedures and prescribe responsibilities. Review the entire information security strategy, monitor controls, and identify new risks and their appropriate handling.
- Quality Management
Fulfil the information security requirements as defined in .
- Risk Management
Perform and document regular risk assessments. Describe existing controls, identify vulnerabilities and threats, rate the residual risks, and initiate additional controls to enable the executive board to sufficiently handle all risks.
- Security Controls
Provide all systems with the required security components, as determined through risk assessments.
- Individual Responsibility
Each atsec employee is individually responsible for protecting information, as stipulated above as well as in the absence of any explicit rule.
- Audit and Certification
Ensure that the standard of information security is measurable and verifiable for both company management and customers. Formal certification according to ISO/IEC 27001:2005 will supply such evidence.
- Confidential Information
atsec employees must handle confidential customer and atsec internal information according to the procedures defined in  and any special procedures that customers require.
This security policy and all other documents of the information security management system become enforceable and mandatory for all employees when signed off by the atsec executive board.
Employees violating information security regulations, especially as described in this security policy, may be subject to appropriate sanctions.
External personnel working for atsec must comply with atsec's security policy.
Suitable formal agreements must be arranged, and external personnel must sign this security policy and atsec's nondisclosure agreement.