The Senior Management Team and management of inmind .ai, located in Mkalles, Lebanon, are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets. Information and information security requirements will continue to be aligned with inmind .ai’s goals, and the Information Security Management System (ISMS) is intended to be an enabling mechanism for information sharing, electronic operations, and reducing information-related risks to acceptable levels.
inmind .ai’s current strategic business plan and risk management framework provide the context for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an ISMS. The Risk Assessment, Statement of Applicability and Risk Treatment Plan identify how information-related risks are controlled. The Information Security Lead is responsible for the management and maintenance of the Risk Treatment Plan. Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific risks.
Business continuity and contingency plans, data backup procedures, avoidance of viruses and hackers, access control to systems, and information security incident reporting are particularly fundamental to this policy. Control objectives for each of these areas are contained in the ISMS policies and are supported by specific documented policies and procedures.
inmind .ai aims to achieve specific, defined information security objectives, which are developed in accordance with the business objectives, the context of the organization, the results of risk assessments and the risk treatment plan. Objectives are listed in Record 06.2 Information Security Objectives v02.
All employees of inmind .ai will receive appropriate training and are expected to comply with this policy and with the ISMS that implements this policy. The consequences of breaching the information security policy are set out in Policy 7.3 Awareness Procedure and in contracts and agreements with third parties.
The ISMS is subject to continuous, systematic review and improvement.
inmind .ai has established an Information Security Committee, chaired by the Chief Executive Officer (CEO) and including the Information Security Lead, Soft IT Lead and Sysops (system administrator), to support the ISMS framework and to periodically review the security policy.
inmind .ai’s management is committed to achieving and maintaining certification of its ISMS to ISO 27001:2013, and to always being compliant with the legal requirements listed in “Record 04.2 Legislation and Regulation Record” and the contractual requirements of clients listed in “Record 18.1.1 Schedule of Legal and Contractual Requirements v02”.
This policy will be reviewed to respond to any changes in the risk assessment or Risk Treatment Plan and at least annually.
In this policy, ‘information security’ is defined as:
This means that management, all full-time or part-time employees, sub-contractors, project consultants and any external parties have, and will be made aware of, their responsibilities (which are defined in their job descriptions or contracts) to preserve information security, to report security breaches (in line with Policy 16.1.2-3 Reporting Information Security Weaknesses & Events) and to act in accordance with the requirements of the ISMS. All employees will receive information security awareness training and more specialized employees will receive appropriately specialized information security training.
This means that information and associated assets should be accessible to authorized users when required and therefore physically secure. The computer network must be resilient and inmind .ai must be able to detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems and information. There must be appropriate business continuity plans and backup procedures.
This involves ensuring that information is only accessible to those authorized to access it and therefore to prevent both deliberate and accidental unauthorized access to inmind .ai’s information and proprietary knowledge and its systems including its network(s), website(s) and extranet(s).
This involves safeguarding the accuracy and completeness of information and processing methods, and therefore requires preventing deliberate or accidental, partial or complete, destruction or unauthorized modification, of either physical assets or electronic data. There must be appropriate contingency and data backup plans and security incident reporting. inmind .ai must comply with all relevant data-related legislation in those jurisdictions within which it operates.
The physical assets of inmind .ai include, but are not limited to, computer hardware, data cabling, telephone systems, filing systems, cloud servers and physical data files.
The information assets include information printed or written on paper, transmitted by post or shown in films, or spoken in conversation, as well as information stored electronically on servers, website(s), extranet(s), intranet(s), PCs, laptops, mobile phones and PDAs (Personal Digital Assistants), as well as on CD ROMs, floppy disks, USB sticks, backup tapes and any other digital or magnetic media, and information transmitted electronically by any means. In this context, ‘data’ also includes the sets of instructions that tell the system(s) how to manipulate information (i.e., the software: operating systems, applications, utilities, etc.).
The ISMS is the Information Security Management System, of which this policy, and other supporting and related documentation are a part, and which has been designed in accordance with the specification contained in ISO 27001:2013.
A SECURITY BREACH is any incident or activity that causes, or may cause, a breakdown in the availability, confidentiality or integrity of the physical or electronic information assets of inmind .ai.