Security Policy
Purpose and Scope
The purpose of this policy is to ensure the Confidentiality, Integrity, and Availability (CIA) of information managed within LB Consulting Group AB, and to safeguard information belonging to LB Consulting Group AB in a secure environment. This policy applies to all employees and contractors.
This policy covers:
- All employees of LB Consulting Group AB who work with documents or information concerning customers, suppliers or any other partner about whom the organization has collected information in the normal course of its business.
- All devices used by LB Consulting Group AB.
Roles and Responsibilities
- IT Security Team: Responsible for configuring security settings, managing access controls, monitoring logs, and responding to security incidents.
- Project Managers: Ensure team members follow this policy and manage permissions within project spaces.
- All Employees: Responsible for using the computer systems securely in accordance with this policy, including protecting login credentials and reporting suspicious activity.
Policy Guidelines
- Access Control:
  - Access is granted based on role-based access control (RBAC) and the principle of least privilege.
  - Multi-Factor Authentication (MFA) is required for all accounts.
- Password Management:
  - Users must follow the organization's Password Policy.
- Acceptable Use:
  - Computer systems must only be used for work-related purposes, such as project and issue tracking.
  - Users must not store unencrypted sensitive or personal data (e.g., PII, PHI) in Jira issues or attachments unless explicitly permitted.
- Data Handling:
  - All employees must ensure the confidentiality of information and protect it from unauthorized access or misuse.
  - No data egress: information must not be sent outside the organization's approved systems.
  - Data residency matches the data residency provided by the host product (Atlassian).
Incident Response
- All employees must report any suspected security incidents (e.g., unauthorized access, phishing, data leakage) immediately to the IT Security Team.
- The Incident Response Plan includes:
  - Identification: Use audit logs and monitoring tools.
  - Containment: Disable compromised accounts or integrations.
  - Recovery: Restore data from backups if needed.
  - Lessons Learned: Document incident outcomes and update controls.
Review and Update
- This policy will be reviewed annually, or upon significant changes in security requirements or regulatory obligations.
- Updates must be approved by the CISO and communicated to all employees.
Risk Management
- Use of the organization's computer systems will be included in the organization's Information Security Risk Assessment, conducted annually.
- Identified risks (e.g., excessive permissions, outdated apps) will be prioritized and mitigated through technical controls or training.
Importance of this Policy
- Risk Management: Minimizes potential security vulnerabilities in LB Consulting Group AB.
- Compliance: Supports adherence to data protection regulations (e.g., GDPR, HIPAA).
- Employee Education: Sets clear expectations for secure usage of computer systems.
- Improved Security Posture: Promotes a consistent, secure configuration of computer systems across teams.

