Finbiosoft Oy is committed to maintaining the confidentiality, integrity, and availability of our information assets. To ensure the security of our information assets, we have implemented a comprehensive information security management system based on the ISO/IEC 27001 standard.

This information security policy outlines the principles and practices that we follow to protect our information assets. This policy applies to all employees, contractors, and partners of Finbiosoft Oy.

For Finbiosoft information security refers to ensuring the confidentiality, integrity and usability of information regardless of its presentation method. This policy determines basic requirements for information security, and lays the foundation for the planning and implementation of operations in line with the policy. In addition, more specific instructions for various areas of information security are prepared to support the implementation of the policy.

Information security is implemented and developed with a risk-based approach, using appropriate and cost-effective solutions. Finbiosoft’s management assesses annually whether the information security policy is appropriate.  The information security policy is an integral part of corporate governance at Finbiosoft.  

Purpose of the information security policy

The primary objective of Finbiosoft’s information security policy is to ensure uninterrupted business operations in all circumstances. Effective information security measures enable us to maintain the accessibility of our IT solutions, safeguard the integrity of our data, and uphold confidentiality across all countries where we operate. This policy serves as the cornerstone for establishing a secure information system and data processing environment at Finbiosoft.

As a responsible organization, Finbiosoft recognizes the significance of protecting customer data and other digital assets, which our customers and partners expect from us. The increasing adoption of digitalization has necessitated the development of robust information security practices that are also compliant with relevant regulations. All employees of Finbiosoft must comply with our information security policy, including its supplementary principles and instructions, and applicable laws in all countries where we operate.

Implementation of information security

Risk assessment

Information security risks are assessed and analyzed regularly based on their business impacts. Risks must also be assessed in the specification phase of new systems and in connection with significant changes affecting the criticality of operations.

Data classification and processing

Finbiosoft has an information classification method in place governing how information shall be classified, as well as determining information security controls for processing information in various classes. All information will be classified according to its sensitivity, and access to the information will be granted on a need-to-know basis. Employees are responsible for ensuring that sensitive information is handled appropriately, stored securely, and protected from unauthorized disclosure.

Protecting data privacy

We protect our customers’, users’ and employees’ right to data privacy. Privacy and data protection principles of Finbiosoft are determined in the data protection policy. We recognize evolving data protection legislation and comply with the requirements for cybersecurity and data protection across jurisdictions, for example, the European Union’s General Data Protection Regulation (GDPR). We follow any legislative changes to personal data processing globally and locally, and make sure that changes are reflected in the data protection policy.

Our solutions only collect the data necessary for the respective solution’s purpose, and we delete the identifying data when it is no longer needed. The technical implementation of our solutions is designed so that it corresponds to the risk level of the processing. Based on the risk level, management methods and information security practices suitable for the situation are selected to manage risk levels and achieve compliance. We strive to process data in a pseudonymous or anonymous format where possible and limit access to the data on a need-to-know basis. We use only trusted vendors for personal data processing and use secure transmission of personal data by encrypting it.

Data privacy is also taken into account in supplier and customer relationships through contractual obligations clearly set for all parties in all of our agreements.

Secure development

At Finbiosoft, we take security seriously in our software development process. Our commitment to secure software development practices ensures that our products and services are reliable, trustworthy, and meet our clients’ security needs. Secure coding practices, regular code reviews, testing, external audits as well as security training and awareness are extensively used to create secure products.

Information security requirements for partners

We expect our suppliers and partner companies to demonstrate a high level of cybersecurity, and we track the cybersecurity of our supply chain. Finbiosoft will assess the security posture of our third-party vendors and contractors before granting them access to our information assets. We also include contractual clauses to ensure they comply with our information security policies and standards.

Information security training and awareness

Through role-based learning paths, a cybersecurity champion network, and campaigns such as a cybersecurity week, we educate everyone at Finbiosoft to understand how to act digitally safe. In addition, we constantly follow the evolving threat landscape using threat intelligence, and we practice handling cybersecurity incidents through simulations and exercises.

Control and monitoring

Improving and maintaining the level of information security require systematic and continuous automatic monitoring of information systems. The persons responsible for control are legally bound by confidentiality in terms of the information they process at work.

The status of information security is reported in connection with normal internal control, as well as internal and external audits. Technical information security is assessed continuously, and separate information security audits are conducted in the most significant environments.

Processing of information security incidents

Finbiosoft has procedures and services in place for detecting information security incidents. There are determined operating models for processing and reporting any information security incidents.

Information security breaches

Non-compliance with the information security policy and instructions is regarded as an information security breach. Finbiosoft has determined procedures for situations involving breaches.

Continuous improvement

Processes, procedures and mechanisms related to information security must represent good management practice and be subject to continuous improvement.

Responsibilities and organization

The information security policy is applicable to the development, marketing, selling and supporting of software products and services that are aimed to improve the quality and efficiency of laboratories and it is applicable in all countries where we operate. Each unit of Finbiosoft is responsible for implementing the policy and ensuring that sufficient resources are allocated to information security in their operations.

Finbiosoft’s management group is responsible for maintaining the policy and for providing support and advice during its implementation. All managers are directly responsible for implementing the policy and ensuring staff compliance in their respective departments and operations.

Company personnel coordinates together with management to develop our information security processes, to identify risks and to create and update our company policies. Each member of Finbiosoft’s personnel must be aware of the risks associated with information security and take proactive measures to mitigate those risks.

Approved by Finbiosoft’s Board of Directors on March 22nd 2023. Enters into force on March 22nd 2023.