uideli (copy 1)

Guideline information security


Information on the prevention and handling of information security violations

(copy 2)

Aim and Purpose

This document describes the information security management requirements of the Information Security Management System (ISMS) in the applicable field and the information security objectives of CarGarantie.

The objective of this guideline is to provide direction and support by the Management Board in the effective implementation of information security in accordance with business requirements and applicable laws and regulations.

This guideline can also be made available to all external interested parties such as customers and suppliers.

Motivation

The Management Board of CarGarantie supports and is committed to information security through the organisation-wide publication and maintenance of these and other guidelines.

Information technology (IT) plays a central role in the implementation of CarGarantie's business processes, which is being strengthened by increasing digitalisation. This applies equally to internal company processes as well as to the processes required for cooperation with manufacturers, dealers, banks and partners.

CarGarantie continuously develops the effectiveness of its business processes by using modern means of information and communication technology. For us, information security means that our processes, while reducing the unavoidable residual risks,

  • ensure the protection of confidential information,
  • guarantee the integrity of the data,
  • are available on demand and
  • operate reliably.

    Area of Application

    This document applies within the area of application of the ISMS of CarGarantie Freiburg and thus applies to all employees and contractors as well as other external third parties who use CarGarantie facilities or information.

    Security Objectives

    CarGarantie's information security aims to protect processed information of any kind and origin according to its classification. Information is stored on paper, in IT systems or even in the heads of users, whereby the basic values of confidentiality, integrity, availability and authenticity are ensured.

    A stable security level is achieved and maintained by a planned and coordinated approach by all parties involved. CarGarantie establishes an effective information security management system that actively supports issues of information security and risk management.

    CarGarantie establishes an information security management system based on ISO 27001 and BSI IT-Grundschutz, which is regularly reviewed and continuously improved through the phases of planning, implementation, success control and optimisation (Plan-Do-Check-Act). CarGarantie pursues two goals:

    • The security level must cover the current protection requirements of the business processes dependent on the information or supported by IT. For both CarGarantie and the involvement of service providers, the needs-based availability of information or IT services must be ensured and the confidentiality, integrity and authenticity of the processed information must be adequately guaranteed. In particular, the increasing threat of cyber attacks must be adequately countered.
    • The security measures are designed in such a way that CarGarantie fulfils its legal, supervisory and contractual obligations. Internal regulations and guidelines are observed.

    Responsibility and Organisation

    The Management Board is responsible for the information security of CarGarantie and ensures that the ISMS is implemented and operated in accordance with this guideline and that all necessary resources are available.

    Information security is a holistic and strategic task which requires responsible and committed action from all employees. This applies in particular to the reporting and handling of information security incidents.

    Security awareness among employees is continuously maintained and further developed by means of suitable qualification and sensitisation measures on topics of information security, data protection, and the corresponding ISMS guidelines and other regulations.

    ISMS measures are implemented after resolution or approval, subject to compliance with relevant legal, contractual and internal regulations. High priority is given to their consideration. In the event of changes in the legal situation, the ISMS specifications are updated quickly.

    This information security guideline is supported by further guidelines and operationalised by concrete documented information (work instructions, templates). All documents for the ISMS are subject to control.

    Information Security Officer (ISO)

    The Management Board appoints the Information Security Officer in writing, who reports directly to the Management Board. The ISO is responsible for the planning, implementation, maintenance and optimisation of the information security management system.

    A deputy to the information security officer is appointed.

    The Management Board provides the information security organisation with sufficient resources in the form of personnel, time and money.

    The information security officer shall review the ISMS with regard to the implementation of the specifications in this guideline at least once a year and in case of significant changes and document the status. The purpose of this review is to verify the adequacy, suitability and effectiveness of the ISMS.

    Personal Responsibility of each Employee

    The management defines the following information security principles for CarGarantie:

      • Responsibility and awareness: Each individual avoids damage in his or her area of activity by acting responsibly and immediately reports any weaknesses identified.
      • Control and risk orientation: Measures to increase information security are controlled by the Information Risk Management (IRM).
      • Efficiency and integration: A cost-benefit analysis is performed for measures to be implemented. Information security is a cross-sectional function across all departments.
      • Performance review and quality: Regular performance reviews ensure the quality and continuous improvement of information security.

      Measures in Case of Violations

      Violations of this guideline as well as directives and other regulations can lead to considerable negative consequences for CarGarantie. Therefore, in case of intentional and grossly negligent acts which constitute a violation, consequences under labour law must be expected.

      In addition, such violations may also result in criminal or civil legal action.

      Contact Person

      The Information Security Officer is the central contact person for all matters of information security, who can be reached via informationssicherheit@cargarantie.com.