Hedgehog Company B.V.

Information Security Policy

1.1

Document owner: Information Security Officer

Introduction

Information security is a holistic discipline, meaning that its application, or lack thereof, affects all facets of an organization or enterprise. The goal of the Hedgehog Company B.V. Information Security Program is to protect the Confidentiality, Integrity, and Availability of the data employed within the organization while providing value to the way we conduct business. Protection of the Confidentiality, Integrity, and Availability are basic principles of information security, and can be defined as:

  • Confidentiality – Ensuring that information is accessible only to those entities that are authorized to have access, many times enforced by the classic “need to know” principle.
  • Integrity – Protecting the accuracy and completeness of information and the methods that are used to process and manage it.
  • Availability – Ensuring that information assets (information, systems, facilities, networks, and computers) are accessible and usable when needed by an authorized entity.


Hedgehog Company B.V. has recognized that our business information is a critical asset and, as such, that our ability to manage, control, and protect this asset will have a direct and significant impact on our future success.

This document establishes the framework from which other information security policies may be developed to ensure that the enterprise can efficiently and effectively manage, control and protect its business information assets and those information assets entrusted to Hedgehog Company B.V. by its stakeholders, partners, customers and other third parties.

The Hedgehog Company B.V. Information Security Program is built around the information contained within this policy and its supporting policies.

Company overview

Hedgehog Company is a team full of pragmatic and ambitious sustainability experts. We guide organizations through the sustainable transition with three simple steps: calculate your impact, build your action plan, and start implementing.

Impact calculations form the core business of our consultancy service for our clients. These provide insight into the status quo of the environmental performance of an organization and enable efficient strategic planning. Life cycle assessments are the foundation for our impact calculations. Specific methodologies adopted by our team are mainly the ISO 14040 / 14044, the EU PEF, ISO 14064, ISO 14072, the EU OEF, and the GHG protocol.

For this consultancy and calculation work we depend on information about the organisation, supply chain, and business environment of our clients.

Scope and applicability

The scope of this policy covers all information used in executing the consultancy and calculation services of Hedgehog Company for its clients.

To execute our work, we depend on receiving company information that is competitively sensitive or otherwise not to be disclosed to third parties without consent. This information can include, but is not limited to, procurement details on energy, materials, and other categories, product-specific information, bills of materials, lists of suppliers, vendors or other supply chain partners, or any other form of company- and supply-chain-specific information.

All employees of Hedgehog Company are subject to the policy in this document. In addition, where applicable, any third-party vendor or freelancer is subject to the policy in this document.

Roles and responsibilities

The appointed information security officer (ISO) is Joost Walterbos. He is responsible for the communication, implementation, maintenance, and enforcement of the policy in this document.

The other managers in Hedgehog Company are additionally responsible for the enforcement of this policy.

Data storage and access control

For the execution of our services, Hedgehog Company is dependent on 1) collecting and storing, and 2) modelling and assessing the information as described in ‘Scope and applicability’.

1) For collecting and storing the information, we make use of Google Drive Cloud Services. All employees and, if applicable, contractors and freelancers, receive a Google account for access to the stored information. There are four levels of access in the organisation:

  1. Management level: access to all files.
  2. Expert level: access to all project files.
  3. Communication level: access to all marketing- and communications-related files; no access to project files.
  4. File-specific level: access to single, specific files only, for contractors, freelancers, or other applications. Also, upon client request, we generate project files to which only specific employees have access.


There is one administrator who can change user settings, security controls, etc. This is the ISO, Joost Walterbos. Other management-level stakeholders do not have the same access rights. Information on Google Drive is end-to-end encrypted, and all accounts are required to use Multi-Factor Authentication (MFA).

2) For modelling and assessing, we make use of the third-party software service providers SimaPro and Ecochain. Both suppliers are ISO 27001 certified, and all accounts are protected according to the policies of these software providers. In addition, to allow working from home, employees have the possibility to log in to Amazon AppStream 2.0. In this cloud environment, they can use the software services for modelling and assessing. Amazon AppStream is protected and secured under Amazon's security protocol. Collecting and storing information never occurs through Amazon AppStream.

Incident response

As we rely on third-party software suppliers whose systems may experience incidents, our approach focuses on monitoring and coordination with these vendors.

  1. Monitoring and Reporting: We continuously monitor our third-party software suppliers' System and Organisation Controls (SOC) reports and ensure they maintain ISO 27001 certification. Any anomalies or issues identified in these reports are promptly assessed for potential impact on our operations.
  2. Communication Protocol: In the event of an incident reported by a third-party supplier, we will maintain open lines of communication with the supplier's incident response team. We will ensure that we receive timely updates and that all relevant information is conveyed to our internal stakeholders.
  3. Incident Assessment and Escalation: Upon notification of an incident, our designated security officer will assess the severity and potential impact on our business. If necessary, the incident will be escalated to senior management, and an internal response team will be activated to address any immediate risks.
  4. Mitigation and Containment: We will work closely with the third-party supplier to contain the incident and mitigate any potential damage. This may include isolating affected systems, implementing temporary workarounds, or applying necessary patches.
  5. Post-Incident Review: After the incident has been resolved, we will conduct a thorough review in collaboration with the third-party supplier to understand the root cause and ensure appropriate measures are implemented to prevent recurrence. Lessons learned will be documented and integrated into our incident response plan.
  6. Compliance and Documentation: All incident response activities will be documented to ensure compliance with relevant legal and regulatory requirements. This documentation will be maintained for audit purposes and future reference.

By adhering to these procedures, we aim to ensure that our reliance on third-party software suppliers does not compromise our overall security posture.

Data classification and handling

All information that Hedgehog Company receives from its clients, our clients' supply chain partners, or any other information channel is deemed competitively sensitive and confidential. As consultants in our field of work, we are well aware of the value of the information we receive and therefore treat it as confidential at all times.

Upon request, we sign and comply with non-disclosure agreements from our clients or other stakeholders. Any additional requirements following these NDAs are treated as client-specific supporting policies on top of the policy in this document.


We request that all information be communicated via e-mail. Our e-mail servers are also part of Google Cloud Services and are protected and secured according to Google's security standards. If clients want to send information via postal services, we recommend sending it by registered or certified mail.

Finally, if requested by our clients, we can access their cloud service via the client's own protocol. This occurs via Google Cloud Services or other services such as Microsoft SharePoint.

Security awareness and training

All our employees have a duty of confidentiality in their signed labour contract. In addition, all employees are made aware of this duty, which is communicated during their introduction and written in our company's guidelines "Hitchhiker's guide through HHC". All employees know who the Information Security Officer is and that they can contact the ISO with their questions or remarks.

During the half-yearly internal team event, the 'Hedgehog Half Year Presentation', security awareness and training is on the agenda. The internal checklist 'Training needs for the team' is discussed and awareness is checked amongst team members. If needed, additional individual or group training is scheduled in the following weeks.

Other security

No other security measures are currently in place for protecting physical assets, network and/or systems security, since these are not applicable to Hedgehog Company.

Remote work and mobile device security

If employees are working remotely, they adhere to the same security policy and conditions. All our work is in the cloud, hence working remotely does not differ from working in the office.

GDPR Compliance

Our consultancy services do not require any personal data relating to identified or identifiable persons. We solely require and collect company data, or a person's company details, such as their work e-mail address or work telephone number.

We do collect personal information from any person who sends us an open application and their CV. When this is the case, we always request their permission to store this information.

Policy review

This information security policy will be reviewed and updated on an annual basis, initiated by Joost Walterbos, or, if necessary, reviewed earlier based on new insights or developments in our business environment.

Enforcement and consequences

Enforcement of this policy falls under the responsibilities of the ISO and the other managers. Employees who breach this policy may receive official warnings. Multiple official warnings can lead to resignation and additional legal consequences.

Version logbook

Version | Notes and review
1.0 | First version of Information Data Policy. Prepared by Joost Walterbos. Reviewed by Saro Campisano and Philip Kuipers in the role of managers at Hedgehog Company.
