Security policy

Purpose
The aim of this security policy is to ensure security in the handling and storage of information as well as to ensure the accuracy, availability and confidentiality of valuables, information and data as well as to ensure the continuous operation and services of Kapalvæðing towards its customers and suppliers. All data must be protected from threats, external and internal, whether due to burglary, theft or accidents. Kapalvæðing's official security policy is important to assure the company's employees and customers of integrity and the correct working methods in the company's operations.

Scope
The security policy covers all of Kapalvæðing's activities. It covers the handling and storage of all information in any form and on any medium. The policy covers all communications of Kapalvæðing, employees, customers, partners and suppliers. It also covers all types of registration, processing, communication, distribution, storage, copying and deletion of information. The security policy also covers premises and equipment where information is handled or stored, as well as employees and contractual customers who have access to information.

Reference to laws and regulations
This security policy is published on Kapalvæðing's website in accordance with the recommendations in Article 28 of Rules no. 1222 on the protection of information in public electronic communications networks.

Policy
It shall be ensured that the following aspects regarding the protection and handling of information are taken into account in all operations of Kapalvæðing:

Information is always correct and available to those who have access rights.

Confidential information is inaccessible to unauthorized persons and protects against damage, destruction or disclosure to parties who do not have access rights, whether intentionally or negligently.

Confidentiality of information and confidentiality is maintained.Information is not received by unauthorized persons intentionally or negligently.Information is protected against theft, fire, natural disasters, etc.

Information is protected against damage and destruction caused by computer viruses.

There are always reliable and secure copies of key data and software systems.Information that passes through the network reaches the right recipient undamaged and on time, making sure that it does not go to others.

Plans are made for continuous operation, they are maintained and they are tested as much as possible.

Deviations, violations or suspicions of information security vulnerabilities are reported and investigated. If a criminal act is suspected, it must be reported to the board or to the security director of Kapalvæðing and investigated in collaboration with the competent authorities.

The above shall be ensured as follows:
A record of information assets shall be kept and classified according to the importance of secrecy, accuracy and accessibility. perform risk assessments on a regular basis.

Regularly analyze with a formal risk assessment the value of information assets, their vulnerability and threats that may endanger them.

Manage risk within acceptable limits by operating a formal information security management system.

Comply with and comply with applicable laws and regulations.

Kapalvæðing and counterparties meet the obligations and terms of agreements to which the company is a party and which concern information security.

All Kapalvæðing‘s employees receive training and education regarding information security and their responsibility regarding information security. All employees, contractors and other parties who carry out work on Kapalvæðing's system or on behalf of Kapalvæðing shall be informed of the company's security policy, information security management system and sign a confidentiality statement.

The safe and continuous operation of Kapalvæðing's telecommunications systems shall be ensured by measuring uptime and defining uptime criteria for telecommunications systems and services for both internal and external customers. In cases where criteria are not met, a timed plan for improvement shall be presented and work initiated accordingly.

The quality of telecommunications through Kapalvæðing's systems shall be ensured by measuring the utilization rate, availability of services, correct functionality and other relevant factors, and defining criteria for each measured component that is reviewed on a regular basis. In cases where criteria are not met, a timed plan for improvement shall be presented and work initiated accordingly.

Liability
The Board and CEO of Kapalvæðing are responsible for ensuring that this safety policy is followed in all the company's operations and that employees, companies and contractors working on behalf of Kapalvæðing are informed of it and are binding on them.

Comments
Comments on this safety policy and announcements concerning it should be made by phone 421‐4688, by letter to Kapalvæðing, Hafnargata 21, 230 Reykjanesbær or to the e-mail address kv@kv.is.

Audit
This safety policy shall be reviewed in connection with any major changes in Kapalvæðing's operations or operating environment, but never less frequently than annually. The company's board of directors shall ensure that the security policy is upheld and initiate regular audits.

Reykjanesbaer, október 14th 2021
Börkur Birgisson
General manager
‍