Hedgehog Company B.V.
Document owner: Information Security Officer
Information security is a holistic discipline: its application, or lack thereof, affects all facets of an organization or enterprise. The goal of the Hedgehog Company B.V. Information Security Program is to protect the Confidentiality, Integrity, and Availability of the data used within the organization while adding value to the way we conduct business. Protecting Confidentiality, Integrity, and Availability is a basic principle of information security, and these terms can be defined as:
Hedgehog Company B.V. has recognized that our business information is a critical asset and as such our ability to manage, control, and protect this asset will have a direct and significant impact on our future success.
This document establishes the framework from which other information security policies may be developed to ensure that the enterprise can efficiently and effectively manage, control and protect its business information assets and those information assets entrusted to Hedgehog Company B.V. by its stakeholders, partners, customers and other third parties.
The Hedgehog Company B.V. Information Security Program is built around the information contained within this policy and its supporting policies.
Hedgehog Company is a team full of pragmatic and ambitious sustainability experts. We guide organizations through the sustainable transition with three simple steps: calculate your impact, build your action plan, and start implementing.
Impact calculations form the core business of our consultancy service for our clients. These provide insight into the status quo of the environmental performance of an organization and enable efficient strategic planning. Life cycle assessments are the foundation for our impact calculations. Specific methodologies adopted by our team are mainly the ISO 14040 / 14044, the EU PEF, ISO 14064, ISO 14072, the EU OEF, and the GHG protocol.
For this consultancy and calculating work we are dependent on information on the organisation, supply chain, and business environment of our clients.
The scope of this policy contains all information for executing the consultancy and calculating services of Hedgehog Company for its clients.
To execute our work, we depend on receiving company information that is competitively sensitive or otherwise not to be disclosed to third parties without consent. This information can include, but is not limited to, procurement details on energy, materials, and other categories; product-specific information; bills of materials; lists of suppliers, vendors, or other supply chain partners; or any other form of company- and supply-chain-specific information.
All employees of Hedgehog Company are subject to the policy in this document. In addition, where applicable, any third-party vendor or freelancer is subject to the policy in this document.
The appointed information security officer (ISO) is Joost Walterbos. He is responsible for the communication, implementation, maintenance, and enforcement of the policy in this document.
The other managers in Hedgehog Company are additionally responsible for the enforcement of this policy.
For the execution of our services, Hedgehog Company is dependent on 1) collecting and storing, and 2) modelling and assessing the information as described in ‘Scope and applicability’.
1) For collecting and storing the information, we make use of Google Drive Cloud Services. All employees and, if applicable, contractors and freelancers, receive a Google account for access to the stored information. There are four levels of access in the organisation:
There is one admin who can change user settings, security controls, etc. This is the ISO, Joost Walterbos. Other management-level stakeholders do not have the same access rights. Information on Google Drive is end-to-end encrypted, and all accounts are required to use Multi-Factor Authentication (MFA).
2) For modelling and assessing, we make use of the third-party software service providers SimaPro and Ecochain. Both suppliers are ISO 27001 certified, and all accounts are protected according to the policies of these software providers. In addition, to allow working from home, employees can log in to Amazon AppStream 2.0. In this cloud environment, they can use the software services for modelling and assessing. Amazon AppStream is protected and secured under Amazon’s security protocol. Collecting and storing information never occurs through Amazon AppStream.
As we rely on third-party software suppliers whose systems may experience incidents, our approach focuses on monitoring and coordination with these vendors.
By adhering to these procedures, we aim to ensure that our reliance on third-party software suppliers does not compromise our overall security posture.
All information that Hedgehog Company receives from its clients, our clients’ supply chain partners, or any other information channel is deemed competitively sensitive and confidential. As consultants in our field of work, we are well aware of the value of the information we receive and therefore treat it as confidential at all times.
Upon request, we sign and comply with non-disclosure agreements from our clients or other stakeholders. Any additional requirements following these NDAs are treated as client-specific supporting policies on top of the policy in this document.
We ask that all information be communicated to us via e-mail. Our e-mail servers are also part of Google Cloud Services and are protected and secured according to Google’s security standards. If clients want to send information by post, we recommend sending it via registered or certified mail.
Finally, if requested by our clients, we can access their cloud service via the client's protocol. This occurs via Google Cloud Services or other services such as Microsoft Sharepoint.
All our employees have signed a duty of confidentiality as part of their labour contract. In addition, all employees are made aware of this duty during their introduction, and it is written in our company guidelines “Hitchhiker’s guide through HHC”. All employees are aware of the Information Security Officer and know that they can contact the ISO with questions or remarks.
During the twice-yearly internal team event ‘Hedgehog Half Year Presentation’, security awareness and training is on the agenda. The internal checklist ‘Training needs for the team’ is discussed and awareness is checked amongst team members. If needed, additional individual or group training is scheduled in the following weeks.
No other controls are currently in place for physical asset, network, or system security, since these are not applicable to Hedgehog Company.
If employees work remotely, they adhere to the same security policy and conditions. All our work is done in the cloud, so working remotely does not differ from working in the office.
Our consultancy services do not require any personal data of identified or identifiable persons. We solely require and collect company data, or a person’s company contact details, such as their work e-mail address or work telephone number.
We do collect personal information from any person that sends us an open application and their CV. When this is the case, we always request their permission for storing this information.
This information security policy will be reviewed and updated on an annual basis, initiated by Joost Walterbos, or, if necessary, reviewed based on new insights or developments in our business environment.
Enforcement of this policy falls under the responsibilities of the ISO and the other managers. Employees who breach this policy can receive official warnings. Multiple official warnings can lead to resignation and additional legal consequences.
Version: 1.0
Notes and review: First version of the Information Data Policy. Prepared by Joost Walterbos. Reviewed by Saro Campisano and Philip Kuipers in their role as managers at Hedgehog Company.