Information Security Policy - ISMS


1. Introduction


This document provides the reference framework for information security as desired by the management of TRAINING SQUARE in the context of operating its training management software, TMS – Training Square.
This document pursues two main objectives:

  • to inform employees about the implementation of an Information Security Management System (ISMS) within the defined scope;
  • to define the framework for establishing the company’s security objectives and those of its software.

2. ISO 27001 Certification


The company TRAINING SQUARE is ISO 27001 certified.

ISO 27001 is an international standard issued by AFNOR (French Association for Standardization). Certification assures the company’s clients that best practices are applied in the design, management, and security of its information systems.


3. Scope of the Information Security Management System (ISMS)


The ISMS scope includes the following activities, products, and services of TRAINING SQUARE:


Activities

  • Design and development of training management software programs;
  • Project management: management and configuration of training management software based on clients’ contexts;
  • Software deployment and user training (employees, managers, training managers, internal trainers, and other profiles);
  • User support and assistance for software usage.

Products and Services


TRAINING SQUARE publishes its own training management software, TMS – Training Square, which enables:

  • creation and administration of training catalogs (internal training, external training, mandatory training, access to LMS, LCMS, LXP, etc.);
  • management of registrations with training organizations, both in-person and remote;
  • document management before training (training agreements, invitations) and after training (attendance records, immediate satisfaction assessments, follow-up effectiveness evaluations, diplomas, certificates, training completion certificates, authorization titles);
  • management of invoices and payments to training organizations;
  • updating employees’ training passports;
  • monitoring and management of authorization titles and training renewals;
  • management of professional, annual, and periodic employee interviews;
  • updating activity monitoring indicators for training, both quantitative (budgets, number of training hours delivered, etc.) and qualitative (training evaluations by training organization, by training theme, etc.).

Sites


TRAINING SQUARE operates 100% remotely.


Interfaces and Software Used


TRAINING SQUARE uses HubSpot for CRM and customer management and relies on the Microsoft 365 suite.


Dependencies


TRAINING SQUARE has outsourced the management of its data centers to VICEM.



4. Security Objectives


The security objectives listed below relate to the availability, integrity, and confidentiality of data.
These objectives are aligned with applicable information security requirements and the results of risk assessment and risk treatment activities.

For each objective, the following are defined:

  • one or more indicators;
  • expected results;
  • actions required to achieve the objective;
  • a target date;
  • a person responsible for monitoring the objective.

These objectives are reviewed annually during management reviews. They aim to:

  • ensure the availability of the Training Square software;
  • improve the security and efficiency of the internal information system and protect customer data;
  • implement security governance;
  • promote awareness and training among employees, customers, and suppliers regarding information security;
  • improve the security of user workstations.

5. Roles and Responsibilities


The implementation, maintenance, and monitoring of the effectiveness of the ISMS are organized as follows:

Jérôme Lesage (Chief Executive Officer) is responsible for:

  • the security of the company’s information and that of its customers;
  • allocation of resources;
  • monitoring the evolution of the ISMS through management reviews;
  • approving the acceptance of residual risks.

Decisions impacting the ISMS are jointly made with the Chief Information Security Officer (CISO), François Gachot (Chief Operating Officer), concerning:

  • implementation of the ISMS;
  • risk identification and mitigation measures;
  • employee awareness regarding information security;
  • consideration of interested parties’ requirements;
  • preparation of management reviews;
  • coordination of audit activities (internal and third-party);
  • general services related to physical security.

Decisions impacting the ISMS are also jointly taken between the CISO and the ISMS Manager (ISMSM), Dadan Kardiana (Feel Agile), regarding:

  • compliance of the ISMS with the ISO 27001 standard;
  • performance of the ISMS.

The GDPR Officer is DIPEEO, responsible for:

  • supervision and implementation of the company’s data protection strategy (internal and external);
  • liaison with supervisory authorities (CNIL) in the event of a data breach;
  • legal monitoring and reporting of new regulatory requirements to the CISO.

The Data Protection Officer (DPO) must not hold positions that determine the purposes and means of data processing in order to avoid conflicts of interest. Examples of incompatible roles include general secretary, CEO, COO, CFO, head physician, head of marketing, HR manager, or IT manager (https://www.cnil.fr/fr/devenir-delegue-la-protection-des-donnees#DPO3).


The Customer Follow-up Manager is Marie Dubois (Director of Customer Success), responsible for:

  • escalating new customer security requirements to the CISO and DPO;
  • handling customer complaints related to non-compliance with contractual security measures.

The Supplier Manager is François Gachot (COO), responsible for:

  • escalating new supplier security requirements to the CISO and DPO;
  • handling supplier complaints related to non-compliance with contractual security measures;
  • implementing a supplier relationship policy.

The Lead Developer, François Gachot, is responsible for:

  • enforcing information security rules related to the development of the TMS training management software;
  • immediately alerting management of any identified non-compliance.

All TRAINING SQUARE employees, having been trained in information security, commit to:

  • applying information security rules in accordance with organizational policies and procedures;
  • reporting information security events;
  • reporting information security vulnerabilities.

6. Security Organization


Management Review Meeting


At least one meeting per year is organized by management to review ISMS performance. It brings together management, the information security officer, the ISMS compliance manager, and other key stakeholders. Topics include audit results, changes in internal and external issues, stakeholder feedback, risk assessment results, progress of the risk treatment plan, ISMS performance, and improvement opportunities.


Information Security Steering Committee


The Information Security Steering Committee is a key governance body within the organization. It oversees and guides information security initiatives, ensuring that policies, procedures, and security measures are aligned with the company’s strategic objectives.


7. Management Commitment


TRAINING SQUARE management commits to:

  • integrating information security into the company’s overall governance;
  • compliance with applicable information security requirements;
  • establishing, implementing, maintaining, regularly updating, and continually improving its Information Security Management System.