Information Security Policy
Last Updated: May 27, 2020
1.1 This Policy defines the requirements for information security management within MemSQL to ensure all information is adequately protected from unwanted or unauthorised disclosure, alteration, or unavailability.
2.1 This Policy applies to all MemSQL personnel irrespective of status, including temporary staff, contractors, consultants, and third parties who have access to MemSQL’s data and systems. The scope of this Policy includes, but is not limited to:
All information processed by MemSQL in pursuit of its operational activities, regardless of whether it is processed electronically or in paper form, including but not limited to:
External customer products, materials, information and reports
Operational documents, plans, and minutes
Financial and compliance records
All information processing facilities used in support of MemSQL’s operational activities to store, process and transmit information
All external organisations that provide services to MemSQL in respect of information processing facilities.
Introduction to the Policy
3.1 In order to prevent information security breaches, including losses of information confidentiality, integrity and availability, and to prevent any breaches of legal, regulatory and contractual requirements, it is important that MemSQL has appropriate information security controls in place. As we grow as a business and Helios becomes a more prominent product, our security posture is integral to our success as a business and to the success of the Helios proposition.
Confidentiality of information assets – for example, that access is only permitted to those with a justified business need;
Integrity of assets is maintained – for example, that authenticity of data is assured;
Availability of information assets – for example, ensuring information necessary to deliver our core business services is available when it is needed;
Compliance – legislative, regulatory, contractual and industry standard security requirements are met.
4.1 This Policy establishes the necessary policies and an organisational structure that will:
Ensure MemSQL’s information, systems and infrastructure are appropriately protected and secure, yet remain available in line with business requirements, preserving confidentiality of information, integrity (completeness and accuracy) of information, and availability of information and the systems and places where it is stored and processed
Ensure MemSQL’s information security related legal and regulatory requirements are met, including:
Ensure that MemSQL meets its customers’ contractual information security obligations and provides assurance of its capability and capacity to manage information security adequately and meet its customer needs. This applies both to products hosted by MemSQL and to products hosted by MemSQL’s customers.
4.2 Compliance with this Policy is mandatory in order to minimise business damage by preventing information security incidents and limiting their impact. Incidents can result in legal, regulatory or contractual breaches and financial or reputational loss to the organisation and/or its customers.
5.1 VPs and Directors are directly responsible for ensuring their areas of responsibility are adhering to this Policy.
5.2 All authorised users shall adhere to this Policy. Non-compliance shall be subject to investigation and may result in disciplinary action.
5.3 The Head of Information Security is responsible for ensuring the maintenance, regular review and updating of this Policy. Revisions, amendments or alterations to the Policy shall be issued and communicated as appropriate.
6.1 It is the policy of MemSQL to ensure that:
Information security supports MemSQL’s business objectives
MemSQL’s information security responsibilities are defined and communicated
Information security related policies, processes and procedures are in place to identify and mitigate information security risks to an acceptable level, to protect MemSQL’s systems, infrastructure, and the information security requirements of interested parties, including the organisation’s customers
The confidentiality, integrity and availability of MemSQL’s information and the places where that information is stored, handled and processed are maintained
Information security objectives are established for relevant functions
In the event of a disruption, MemSQL can continue to deliver an acceptable level of service of its critical activities to its interested parties
Appropriate information security measures are included in contracts with third parties, where possible.
Information Security Compliance Management
7.1 Activities related to the use of MemSQL’s information, including the systems and places where it is stored and processed, shall be monitored to ensure that MemSQL’s requirements for confidentiality, integrity, and availability are maintained. Compliance activities are managed and evidenced with MemSQL’s GRC tool.
7.2 Staff or third parties with access to MemSQL’s information, systems or premises are responsible for reporting any suspicious activity, security breaches or security violations to their Manager, Head of Information Security or other authorised MemSQL contact, in accordance with the Incident Reporting and Escalation Process.
7.3 The Executive Committee, with guidance from the Head of Information Security, may authorise deviation from the organisation’s information security related policies only when:
It has been clearly demonstrated that a cost/benefit analysis of the available compliance options and risks of not complying has been performed
Analysis results indicate that compliance will have a significant and unacceptable business impact
Risk acceptance has been formally approved
MemSQL remains compliant with legal and regulatory requirements.
Information Security Risk Acceptance
8.1 MemSQL’s Executive Committee must formally accept responsibility for all identified information security risks when deviating from the organisation’s information security related policies. Information security risk acceptances must, in advance, be:
Documented by the relevant manager
Filed with, and approved by, the MemSQL InfoSec Steering Committee
Managed within the Risk Register in MemSQL’s ZenGRC tool
Security Awareness and Training
9.1 Staff with access to MemSQL’s information, systems and the places where information is processed shall be educated on their security responsibilities. Education shall be provided at induction so that new employees understand their responsibilities in respect of the protection of information and of the places where information is processed and stored.
9.2 Staff shall be provided with annual information security education and supporting reference materials as required by ISO 27001, SOC 2, GDPR and CCPA. Information Security will provide additional updates and other related materials to regularly remind staff about their obligations with respect to security.
9.3 The security responsibilities of third parties shall be defined and agreed in accordance with MemSQL’s Third Party Management Policy.
Policy Review Date
10.1 This Policy document will be reviewed and appropriately updated on an annual basis. It shall also be reviewed and appropriately updated when there are any changes to ISO 27001, SOC 2, GDPR and CCPA.