Über uns

Unsere Mission

Standorte

Policy – Quality, Environment and Information Security

AED Vantage GmbH and AED Vantage SL (AED from now on) are committed to excellence in quality, environmental protection and information security as fundamental pillars of our business activities. Through the implementation and continuous improvement of our Integrated Management System (IMS), certified according to ISO 9001 and ISO 14001 standards and assessed in accordance with TISAX requirements, we establish the following principles:

• Quality: We ensure that our products and services consistently meet customer requirements, legal and regulatory obligations, and the highest standards of reliability and performance.
• Environment: We promote environmental protection, pollution prevention, efficient use of resources and compliance with applicable environmental legislation, contributing to sustainable development.
• Information security: We safeguard the confidentiality, integrity, and availability of information in accordance with TISAX requirements, protecting data from unauthorised access, disclosure, alteration, or destruction. For more extended information go to the page Information Security Policy (see below).

To fulfil these commitments, AED:

• Sets quantifiable objectives and periodically reviews their achievement.
• Promotes awareness, training and involvement among all employees.
• Ensures compliance with applicable laws, regulations and contractual requirements.
• Encourages continuous improvement and proactive risk management in all processes.
• Collaborates openly with stakeholders, ensuring transparency and trust.

This Integrated Policy is available to the public and communicated to all stakeholders through our website and internal communication channels.

Management is fully committed to supporting this policy and providing the necessary resources to maintain its effectiveness.

Information Security Policy

General

Introduction

This document represents an overview on AED’s organizational policies and objectives on information security and serves as a high level guideline. Further, subject-specific guidelines and instructions are found in other sections of the ISMS for better understanding. The information security policiy is reviewed at regular intervals by the information security team in cooperation with top management, taking into account current circumstances. All AED employees are kept informed.

Scope

The Information Security Policy and its supporting controls, processes and procedures apply to all information used at AED, in all formats. This includes systems and information processed by other organisations on AED´s behalf, such as cloud providers, customers, suppliers, subcontractors or other third-party processing activities.

This policy applies to all individuals who have access to AED information and/or AED information security systems, including external parties that provide information processing services on behalf of AED, in the course of conducting business activities.

A detailed scope, including a full description of all the users, information assets and information processing systems, is included in the Information Security Management System (ISMS) space.

Obligation to comply and consequences of non-compliance

All AED employees must be aware of and comply with this Information Security Policy and all supplemental policies relevant to them. All relevant Directives documents are accessible to each employee through Confluence. Disciplinary action will be taken for violations of an applicable policy based on the potential and actual impact of the violation on the level of information security, as described in the Directive on events, incidents and disciplinary measures.

In addition, consideration will be given to whether the violation was negligent or intentional and whether it is a first-time or repeat violation. Violations may result in consequences under employment law. Compliance to laws and regulations to be ensured according to ISMS Statutory and regulatory compliance.

Management commitment 

The statement of the leadership commitment is included within the IMS which also applies to the ISMS: Leadership commitment

Objectives

Description

The objectives derive from the policies and are defined by top management and are communicated to the entire organization. These objectives are specific to the ISMS in addition to the Organizational Objectives.

The organizational KPI’s derive from the objectives and include the targets for these objectives, which can be measured to determine the level of achievement of these objectives

The organizational objectives on Information Security are:

Ensuring the full protection of all relevant information security Assets in the aspects of:

• Confidentiality
  Confidentiality is ensured when information is protected from unauthorized disclosure and unauthorized access. Confidential data and information may only be accessed by authorized persons.
• Integrity
  Integrity means that data and information are correct and complete. They must therefore be protected from unintentional modification and deliberate falsification.
• Availability
  Availability refers to the fact that information and functions of IT systems, IT applications and IT networks can be used by the user at the right time and in the right place.

Policies 

Introduction

AED’s performance depends, among other things, significantly on the level of information security achieved. To protect confidential information of both our company and our customers, and to ensure the integrity and availability of all information and your processing systems, we have written this Information Security Policy.

The goal of this document is to represent the core ISMS values, including a summary on AED policies and objectives in conjunction with building a fundamental understanding of the importance of information security and information security management among all AED employees. The final aim is to ensure that everyone is aware of their responsibilities and how they can contribute to an appropriate level of information security.

Top rules

AED top management together with the ISMS team have identified the following ISMS policies which are fully aligned with the ISMS objectives: 

Directive on Data Management	Proper work stations and equipment management to ensure compliance with ISMS protection rules Proper disposal of all data carriers, digital and physical.	When leaving the workplace: lock computer, stow all documents, lock personal container Use the designated shredder to destroy documents. Data storage devices must be disposed of through IT
Directive on information classification and management	Information classification and labelling Copyright management to protect intellectual property of AED and its customers as well as prevent any liability issues when using copyright protected media from a 3rd party	Identify confidential document and protect them accordingly Use only original media, do not copy or share copyrighted media internally or externally.
Directive on Passwords, Authentication and Data Encryption	Proper handling and management of personnel and collective passwords	Minimum 10 characters, including capital letters, numbers and special characters. Always keep confidential, never note down, change frequently
Directive on physical- access and security	Setting up and managing security zones to ensure maximum protection efficiency. Handling and management of key, digital access chips, management of access rights for those keys  Management of external parties to prevent unauthorized access and full protection of security zones	Entering a red marked zone is forbidden for those who do not have the required access rights Never share or leave your access cards and / or keys unattended. All visits must be announced in advance, monitor visitors in yellow zones, red zones are out of bounds for visitors
Directive on Remote Working	Preventing unauthorised access to information when on itineration/working from home	Mandatory use of VPN connection prior accesing any information when working from home or in public places during a business trip
Directive on secure Software development	Development secure software for internal use or final customer products	Performing regular testing on every build to meet customer requiremenst and mitigate security vulnerabilities
Directive on the secure use of mobile and external devices	Authorised use of corporate equipment and good pratices to prevent security events and incidents	Not using a corporate laptop/mobile phone for accesing personal services
Directive on virtual access management	Definition, implementation and management of lifecycle for user access righs	Requesting permissions when begining to work on a new development project

Certified system

AED’s ISMS system shall be compliant with and certified according to the ISO 27001 and TISAX standard in its currently applicable version.

Roles and responsibilities

Overall responsibility for information security within AED is held by top management as well as the appointed ISMS representative. To transform and maintain the requirements from this Information Security Policy into a complete Information Management System (ISMS), an Information Security Team has been established and is led by the Information security representative The Information security representative reports directly to top management and, together with the Information security officer, has primary responsibility for risk assessments and risk treatment.

The Information Security Team develops requirements and implementation proposals related to measures to ensure information security and associated necessary precautions to achieve an appropriate level of risk. A Data Protection Officer has been appointed in accordance with the requirements of the German Federal Data Protection Act (BDSG) and European General Data Protection Regulation (GDPR).

Roles, responsibilities and organizational chart

Training, awareness and individual contribution

As the primary asset of AED and the main traget of most ISMS protection measures, AED employees must be fully committed to following all the rules and requirements of AED’s ISMS.

All AED employees are required to complete an annual ISMS training covering the basics of information security and with a special focus on current topics and relevant changes of the past year.

The training is followed by a short quiz to measure its effectiveness. If the results of the quiz indicate individual or collective lack of knowledge or awareness, further measures will be taken to understand and address the underlying issues. 

Supplier management

Supplier management is critical for the ISMS and its objectives. Supplier management is a centralized procedure within the IMS: Supplier management guideline and covers all ISMS requirements in this regard to guarantee safeguard on all the processing activities.

In addition, Directive on ISMS security for suppliers and subcontractors enhances information security measurements to prevent any incident when working on behalf of AED.

Continuous Improvement

AED’s ISMS and all related policies, mechanisms and actions are subject to continuous improvement following the Deming cycle („plan-Do-Check-Act“ methodology).

In this context, the ISMS must have established the following mechanisms for evaluation and improvement:

• Measurable management indicators- KPI’s (based on defined security objectives) and associated reporting. ISMS KPI’s
• An audit program that includes both internal and external audits and ensures that all essential parts of the ISMS are subjected to an independent review at regular intervals with regard to their appropriateness and effectiveness. Audits
• Annual management reviews by top management Management Review
• Traceable management and control of measures to implement identified potential for improvement (measures management)- ISMS Advisory Board and other Meetings