GeoStorage
ServicesOur ProfilePartnersBlogContact

Information Security Policy

Information Security Policy
Approved by general director: Tea Butskhrikidze 

 Policy statement 

LTD “GEOSTORAGE” competitive advantage source is qualitative characteristics of technological, administrative and production resources (machinery and equipment, technical and administrative personnel, process-oriented management and leadership), that provides differentiated service. It is essential to improve quality and qualitative specifications and characteristics of service, that differs the company service from competitors 

The management of GEOSTORAGE Georgia (hereafter referred to as "the company") acknowledges the importance of its information systems and the associated risks and is committed to exercising due care in protecting them. 

The Information Security Policy of the company is funded on the best international practices in information security. 

This policy formalizes the governance, structure, and framework for defining the company's information security objectives. 

It establishes the primary direction for enforcing information security, with additional policies and procedures to be defined for specific subjects. 

Scope

 
This policy applies to the protection of the following areas within the company:
 
  • The company’s information systems (IT infrastructure) and its subordinate activities
  • All information owned, stored, or processed by the company
  • Any individuals or entities that use or manage the organization’s data and information

This policy defines:
 
  • Measures to protect confidentiality, integrity, and availability of information
  • Responsibilities related to information security

Information security principles

 
The organization security principles are the following:
 
  • Comprehensive approach based on the risk for the organization and its users.
  • Create a proportional response to the impact, aligned with organization objectives, international standards and best practices.
  • Continuous improvement of the effectivity and effectiveness.
  • Maintain a strong awareness of user.
  • Maintain compliance with the legal framework.

Legal framework

 
The organization is operating in Georgia and aims to comply with local laws and regulation as well as comply with its engagement from partner (contract).
 
Consequently, the organization observe and respect below Laws and Normative acts:
 
  • Law of Georgia on Personal Data Protection 

 

Risk based and continual improvement

 
The organization information system is exposed to multiple threats. This policy aims at watching particularly below risks:
 
  • Unavailability – partial or total impossibility to produce or deliver organization service
  • Data leakage – unauthorized access or public disclosure of confidential information
  • Non-compliance – fail to follow law and normative act

The organization monitors its risk level by conducting regular security assessments and re-evaluating existing risks, as well as identifying new types of risks.
 
 

Information Security Objectives and Governance

 
Information security objectives are defined on yearly basis by the Information Security Officer.
 
  • Those objectives are defined in accordance with this policy, the evaluation of risks, newly identified risks, business requirements and strategy of the organization.
  • Objectives must be documented including key responsible, resource allocated, criteria of success to achieve objective and deadline.
  • Allocation of resources (staff, budget, priority) is arbitrated by the CEO.

Information Security is governed by policies.


Propose rules and strategy
 
  • Information Security Officer proposes information security strategie.
  • Information Security Officer proposes security rules through policies.

Approve rules and strategy
 
  • Information security policies and strategy are reviewed and approved by the Board of Directors (or delegated executive management).

Enforce rules and strategy
 
  • Information Security Officer monitors implementation and follows up on compliance with approved policies, rules, and plans.
  • The Board of Directors / Executive Management ensures enforcement through leadership, accountability, and resource allocation.

Monitor compliance with rules and strategy
 
  • Information Security Officer tracks adherence, performance, and detect violations or inefficiencies.

Review and improve Information Security
 
  • Information Security Officer periodically assess, and update rules based on feedback, performance, or changes.

Resolve disputes and non-conformities
 
  • Executive Management / Board of Directors resolves escalated conflicts and ensures corrective actions for significant non-conformities.

 


Roles and responsibilities

 
  • CEO / Board of directors
     
    • Validate the Information Security Policy
  •  
    • allocating resources (staff, budget)
  •  
    • validating the security strategic plan and objectives
  •  
    • acknowledging the yearly annual progresses
  •  
  • Information Security Officer
     
    • Propose, develop, and maintain information security strategy, policies, and standards
  •  
    • Monitor compliance with information security policies and report status and risks
  •  
    • Advise and support business and IT on security implementation
  •  
    • Draft and maintain information security documentation
  •  
    • Collect and analyze information security incidents and oversee response tracking
  •  
    • Report on information security risks, incidents, and performance
  •  
    • Organize security awareness and training programs
  •  
    • Review and approve or recommend security exception requests (final approval may sit with management depending on policy)
  •  
    • Escalate non-compliance to Executive Management for enforcement action
  •  
  • IT Manager (Infra, Help Desk, Dev)
     
    • daily monitoring and assessing computer systems
  •  
    • collaborate in regard of information security aspect
  •  
    • respect all information security policies and enforce security procedures.
  •  
  • Risk Owner(s)
     
    • Accountable for managing specific risks.
  •  
  • Legal / Compliance
     
    • Ensure identification of law and regulation
  •  
  • DPO
     
    • Ensure compliance with PDP Georgia
  •  
  • Physical Security
     
    • Ensure physical security of people and all assets of the organization including but not limited to IT physical assets and Server room.
  •  

All employees and users of information system
 
All users of the organization information system are concerned:
 
  • Permanent and temporary employees of the organization are important.
  • All people who may be given access to information about the organization (partner, contractors, consultants, interns etc.)

 

All users are obliged to comply with the policy requirements and take responsibility for the proper and thorough implementation of the best practice. Particularly:
 
  • Read and apply all information policies intended to them
  • Keep themselves updates about security practice and policies
  • Follow the mandatory training and awareness
  • Escalate to their manager and/or IT for any suspect activity or incident related to the information system as well as potential security weakness.

 


Framework

 
The organization defines policy in a wide variety of information security-related areas which are described in detail in separate document policy and procedures.
 
Below table present key requirements of each policy of the information security framework:
 
 

 | Key topic-specific policies
| Policy name | Key principles | Asset Management Policy | Maintain a permanent inventory of information assets, define criticality categories, and assign responsible owners.
| Clear Desk and Clear Screen Policy | Enforce rules and best practices for handling organizational data securely in physical and digital workspaces.
| Acceptable use policy (AUP) | Define rules and best practices for using organizational IT devices and resources responsibly.
| Access Control Policy | Restrict system access based on job requirements and enforce least privilege and need-to-know principles.
| Mobile Device & Remote Working Policy | Establish rules for secure use of mobile devices and remote access inside and outside organizational premises.
| User Responsibilities & Awareness Policy | Ensure users understand security responsibilities, follow best practices, and report incidents promptly.
| Supplier Security Policy (Third-Party Risk Policy) | Require third-party providers to comply with security standards and contractual obligations.
| Network Security Policy | Design secure network architecture, enforce segmentation, and monitor network performance and threats.
| Information security incident policy | Detect, classify, and manage security incidents based on criticality, ensuring timely escalation and resolution.
| Patch and Vulnerability Management Policy | Identify, assess, and remediate vulnerabilities through timely patching and continuous monitoring.
| Backup and Recovery Policy | Define backup scope, schedule, retention, and restoration procedures to ensure data availability and integrity.
| Monitoring and Logging Policy | Implement centralized logging and monitoring to detect anomalies and support incident responses and audits.
| Malware Protection Policy | Deploy anti-malware and anti-spam solutions, enforce updates, and train users to recognize and report threats.
| Change Management Policy | Ensure all changes to IT systems are planned, tested, documented, and approved to minimize business disruption.
                                                                  
GeoStorage

Excellence in medical research and clinical trial management since 2010.

Services

    Company

    • About Us
    • Our Team
    • News
    • Contact

    Legal

    • Privacy Policy
    • Terms of Service
    • Certifications
    • Compliance

    © 2025 GeoStorage. All rights reserved.

    LinkedIn
    Contact Us