The purpose of this policy is to communicate our information security policies and outline the acceptable use and protection of Sourcegraph’s information and assets. Sourcegraph has a requirement to protect its data/assets from accidental or malicious disclosure, modification or destruction. These rules are in place to protect customers, employees, and Sourcegraph. Inappropriate use exposes Sourcegraph to various cyber risks as well as legal and compliance issues. Our intention in publishing this policy is to protect Sourcegraph’s assets, not to impose restrictions.
The Sourcegraph “Information Security Policy” consists of this policy and all Sourcegraph policies listed in our handbook policy page.
Effective security is a team effort involving the participation and support of every Sourcegraph employee or contractor who deals with information and/or information systems. It is the responsibility of every team member to read and understand this policy, and to conduct their activities accordingly.
The scope of this policy is all data/information that is created or used in support of Sourcegraph business activities, regardless of its origin, form and format; this is referred to as “company information”.
All employees, contractors, consultants, temporary, and other workers at Sourcegraph are responsible for exercising good judgment regarding appropriate use of company information in accordance with this policy, as well as the policies and procedures mandated by the ISMS (Information Security Management System), local laws and regulations.
Sourcegraph has a dedicated security team authorized to draft, issue, maintain, and implement policies to maintain an effective ISMS (Information Security Management System). The team works collaboratively with Sourcegraph’s management, staff, and contractors to ensure the continuous improvement of the ISMS and the organization’s overall security posture.
All data/information, regardless of its origin, form or format, which is created or used in support of Sourcegraph’s business activities, is corporate information. This data/information is considered “company assets” and must be protected from its creation, through its useful life and authorized disposal. It is to be maintained in a secure, accurate, reliable manner and be readily available for authorized use.
Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, web browsing, and file transfers, are the property of Sourcegraph. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers, in the course of normal operations.
Information security is the protection of data/information against accidental or malicious disclosure, modification or destruction. Data/information will be protected based on its value, confidentiality and/or sensitivity to Sourcegraph, and the risk of loss or compromise. At a minimum, data/information will be update-protected so that only authorized individuals can modify or erase the data/information.
Sourcegraph has developed a number of objectives for the ISMS (Information Security Management System) that have been documented separately. These objectives ensure that the ISMS is implemented effectively and meets business and client requirements.
Sourcegraph’s Security program described in the ISMS Manual has been specifically designed to meet the requirements of ISO 27001:2022 and to provide the framework to accomplish our Information Security objectives and goals.
Sourcegraph has appointed a senior full-time member of staff as the ISMS Manager, with Board approval to issue, maintain, implement, and withdraw policies and procedures as necessary. The ISMS Manager is also the main point of contact for all staff, contractors, and subcontractors who have any questions/queries regarding the Information Security Management System.
Sourcegraph will measure and verify compliance with this policy through various methods, including but not limited to business tool reports and both internal and external audits.