Level Access Security Policy

Policy 

Level Access (Level)  is committed to  protecting  its  information assets  to satisfy our business objectives and meet  the information security requirements of our  customers whilst maintaining the safety of individuals and their right to privacy.  To achieve  these  goals, we have established an ISO 27001 Information Security Management System (ISMS).  

 This document outlines  the  highest-level  security policy  by describing: 

1. How we are  committed  to information security.  
2. The scope of what is covered by our ISMS. 
3. Our  information security objectives.   

 There are additional,  supplemental policy documents which provide more detail in specific areas.  

This  and other policy  documents  will be  reviewed  for opportunities for improvement  annually,  or when major changes occur which affect the context of the ISMS.  

Deviations from policy may be allowed under exceptional circumstances. Contact infosec@levelaccess.com before deviating if you believe an exception is necessary. Observed deviations should be raised as an incident (see below). 

Commitment   

The CEO and SVP of Engineering  set Information Security as a priority  for the business  through the approval  and availability  of this  policy.  

The  current  policy is  made  available to all employees and  interested parties by either direct communication or by request to  infosec@levelaccess.com.  

The SVP of Engineering sponsors the ISMS and owns the information security risks. The Director of Information Security is responsible for the implementation and operation of the ISMS, including reporting on its performance.  Other dedicated, competent staff are  responsible for implementing specific controls as needed.  

Commitment is required  from  everyone at Level as described below: 

1. All employees are required to acknowledge they have read, understand and agree  with this and the  Employee Handbook.  
2. Employees will report any suspected security incidents, vulnerabilities or threats to information assets to  infosec@levelaccess.com.  
3. Suppliers working on behalf of Level will be made aware of this  policy and are required to comply with it. 

Level  conducts regular performance reviews of the ISMS that include senior management. This  ensures  the ISMS achieves its intended outcomes and our commitment to  continually improving  our  information security posture.  

Scope   

The scope of the ISMS covers the Level applications delivered through Software-as-a-Service (SaaS) and their supporting operations. This includes the people and processes who directly contribute to the delivery of those services and operations, the physical and digital information assets which the services and operations depend on, and the management of third parties involved in their delivery. 

In addition, Level complies with relevant laws and industry regulations which relate to information security.  

Other information security activities occur at Level but are not within the scope of the ISMS at this time.  

Information Security Objectives   

The Information Security Objectives described below have been established after considering:  

• The context, purpose, and internal, as well as external issues affecting the organization.  
• Determining the requirements of the interested  parties.  
• The boundaries of the ISMS.  
• The  outputs of the  risk assessment  and risk treatment  processes.  

To deliver  reliable cloud  applications  for users and other interested parties who need confidence and assurance the platform is fit for their purpose of sharing and working with sensitive information

To provide a pragmatic digital paperless ISMS for staff  and other interested parties who need to access it  which is  integrated into their day to day work practices to ensure it becomes a habit for good performance not an inhibitor to getting their work done

To identify and manage risks of assets within the scope of the ISMS

To continually strengthen and improve the overall capabilities of the information security management system

To establish  quantified information security goals  annually  through management and review meetings

To design, conduct and run an Application Security Program following best practices to give interested parties the confidence we deliver secure software

To protect the privacy of individuals who use, actively or passively, our hosted software products

To improve the resilience of our hosted software  services

To maintain a highly secure hosted software platform

To certify an ISMS against the ISO 27001 standard, and maintain the certification

Figure 1 – Table of Information Security Objectives 

Measurements of these objectives are established as KPIs and reviewed in the management review meetings.   

Note: A PDF version of this policy is available here : Level_Access_Information_Security_Policy v2.0