Security Policy

Goals and implementation program of the Security Policy

Version 2.0 on 04.12.2022
Content of this page
  1. Information Security
  2. Personnel Security
  3. Information Protection Policy
  4. Access Control
  5. Security Principles for Network Communication
  6. Data Security
  7. Security Policy for end-user devices (stationary and mobile)
  8. Data Security: Physical and Environmental Controls
  9. Communication and Operations Management
  10. Supply Chain Security and Assurance
  11. Data Protection
  12. Response to incidents
  13. Risk Management Resilience Program


The security policy adopted by the company's management is implemented as part of a program. The protection goals of information security, namely the confidentiality, availability and integrity of data, IT systems and their infrastructure, are to be ensured.
Corporate values of the company that require a high level of protection are:
  1. The eLearning platform
  2. Source code and other sensitive data
  3. Personal and other sensitive information that the company collects in the course of its operations, including customer, partner, supplier and employee data processed in the company's internal IT systems
The company's aim is to ensure that its products, and the components and systems necessary for their operation, are protected to the fullest extent possible against, for example, theft of information, willful or malicious modification of software, inappropriate use and external threats.
The developers of the platform take into account the principle of secure design at every stage of the product development and software life cycle.
This applies to the phases of specification, development, testing and maintenance of products.

Industry Standards and Certifications

The company's security policies cover security management both for the company's internal organization and for the services it provides to its clients.
The security policies apply to all personnel, as well as external employees, service providers and contractors. They are aligned with the ISO/IEC 27002:2013, ISO/IEC 27001:2013 and TISAX standards and are authoritative for all defined security areas within the company.

Organization of Information Security Management

Information security management is the responsibility of the CISO (Chief Information Security Officer) appointed by the Executive Board. This position is established as a staff position at the company and reports directly to the Executive Board.
Tasks include strategic planning and development of concepts, standards and guidelines for information security; technical implementation of IT security; and management and coordination of security measures in compliance with standards (Information Security Process Management, ISO 27001 and TISAX).
In addition, the CISO is responsible for coordinating and training the security coordinators of the business units; incident and configuration management; and the continuous analysis and optimization of IT security strategies in line with business processes.
Furthermore, this person organizes the analysis and assessment of risks to the security of information (across divisions and locations); the planning and implementation of security concepts (in close cooperation with the specialist departments and IT); as well as the execution and support/supervision of audits.
This person is responsible for organizing and coordinating awareness-raising and training measures on the subject of information security.
The CISO leads the department directly responsible for identifying and implementing security measures at the company. This department drives the company's security program, defines the company's security policies, assesses compliance and provides operational oversight of the multi-dimensional aspects of the company's security policies and practices:
  1. Information Security
  2. Physical Security
  3. Security Structure

Information Security

At the company, information security means security oversight, compliance and enforcement, and conducting information security assessments.
This forms the basis for developing an information security policy and strategy as well as training and raising awareness among staff.
The entity responsible for information security serves as the primary point of contact for security incident response and provides overall direction for incident prevention, identification, investigation and resolution.
The Information Security Program is dedicated to maintaining the confidentiality, integrity and availability of information resources. This includes the focus areas of:
  1. The definition of technical corporate standards to ensure security, privacy and compliance

Information Security Manager

The Information Security Manager (ISM) manages the information security implementation program. The Information Security Manager serves as the business unit security officer to increase awareness of and compliance with security policies, processes, standards and initiatives within the company.

Physical Security

Physical security at the company means defining, developing, implementing and managing all aspects of physical security to protect the company's employees, facilities and assets.
Risk-Based Approach
The company uses a risk-based approach to continuously assess risks and improve physical and environmental security. The goal is to effectively balance prevention, detection, protection and response while maintaining a constructive work environment that fosters innovation and collaboration among employees, partners and customers. The company conducts regular risk assessments to ensure that proper and effective risk mitigation measures are used and maintained.

Supervision of the Security Structure

The Security Architect (SAC) assists the organization in defining the technical and organizational direction of information security and in developing and deploying information security and identity management solutions.
The Security Architect collaborates with Information Security and Software Development, communicating and implementing enterprise security architecture roadmaps.
The Enterprise Security Architecture manages a variety of programs and utilizes various methods of collaboration with leadership and security teams responsible for operations, services, cloud and all other business units.
  1. Pre-assessment: Risk management teams in each business unit must perform a pre-assessment of each project based on the approved template
  2. The security architecture team reviews the submitted plans and performs a technical security design review
  3. Security assessment review: Based on the level of risk, systems and applications undergo a security review prior to production deployment

Personnel Security

Overview
The company sets high standards for employees for ethical business conduct at all levels of the company. They apply to employees as well as contractors and customers. They cover legal and regulatory compliance as well as business conduct and relationships. The company trains its employees in ethics and business conduct every two years.
Security Focus
The company continuously implements initiatives that help minimize risks associated with human error, theft, fraud and misuse of facilities. Measures ensure that only trusted and well-trained personnel, acting with appropriate privacy and information security awareness, work for the company.
Confidentiality
Employees are required to maintain the confidentiality of customer information. Employees agree to maintain confidentiality on all business transactions upon joining the company and to comply with company policies protecting sensitive information as part of their initial terms of employment. Subcontractors and relevant service providers are regularly audited by Masterplan for compliance with policies.
Training and Further Development of Security Awareness
The company promotes security awareness and trains its employees on a regular basis.
Each employee agrees to complete information security awareness training upon hire and every two years thereafter. This training educates employees on compliance with the company's privacy and security policies and principles.
Security reviews and audits are conducted periodically to ensure compliance with the company's information security policies, procedures and practices.

Information Protection Policy

Overview
The company's Information Protection Policy applies to all information and data generated in the company's operations and addresses how employees and business partners should use and apply information classification schemes. The company categorizes information and data into four classes - public, internal, confidential and highly confidential - with each classification requiring appropriate security measures, such as encryption requirements for data classified as confidential or highly confidential.
Training and Awareness
During the company's mandatory training, employees are informed about the company's privacy policy. Employees must complete this training when they join and repeat it periodically thereafter.
System Inventory
Developing and maintaining an accurate system inventory is a necessary element for effective overall information system management and operational reliability. The company's Information Systems Inventory Policy requires that an accurate and up-to-date inventory be maintained for all information systems that contain critical and highly critical information assets in the company's infrastructures.

Access Control

Access controls refer to the policies, procedures, and tools that govern the access to and use of resources. Examples of resources include a physical server, a file, a directory, a service running on an operating system, a table in a database or a network protocol.
  1. Least privilege is a system-oriented approach in which user privileges and system functionality are carefully evaluated and access is limited to the resources that users or systems need to perform their tasks
  2. Default deny is a network-oriented approach that implicitly denies the transmission of all traffic and then specifically allows only the required traffic based on protocol, port, source and destination
Access Control Policies and Practices
The company's Logical Access Control Policy applies to access control decisions for all employees and all information processing facilities for which the company has administrative authority. This policy does not apply to publicly accessible, Internet-facing systems or end users.
Privilege Administration
Authorization depends on successful authentication as control of access to certain resources depends on establishing the identity of an entity or person. All authorization decisions for granting, approving, and verifying access are based on the following principles:
  1. Need to know: Does the user need this access for their job function?
  2. Separation of duties: Does the access create a conflict of interest?
  3. Least Privilege: Is access limited to only those resources and information necessary for a legitimate business purpose?
User Password Management
The company enforces strong password policies for network, operating system and database accounts to reduce the chances of intruders gaining access to systems or environments by exploiting user accounts and associated passwords.
Periodic Review of Access Rights
The company regularly reviews network and operating system accounts with respect to appropriate employee access levels. In the event of employee termination, death or resignation, the company will take appropriate action to immediately terminate network, telephony and physical access.
Password Guideline
The use of passwords is covered in the Password Policy. Employees are required to follow rules regarding the length and complexity of passwords and to keep their passwords confidential and secure at all times. Passwords may not be disclosed to unauthorized persons. Under certain circumstances, authorized employees may share passwords for the purpose of providing support services.
Network Access Measures
The company has implemented and maintains strong network measures to ensure the protection and control of customer data as it moves from one end system to another. The company's Network Service Usage Policy states that endpoints connected to the network must meet well-established standards for security, configuration and access method.

Security Principles for Network Communication

To manage network security and network management devices, the company requires IT staff to use secure protocols with authentication, authorization and strong encryption. Network devices must be in an environment that is protected and defined by physical access controls and other standards for physical security measures.
Communications to and from the corporate network must be routed through network security devices at the perimeter of the internal corporate network.
Vendor and third-party access to the corporate network is subject to restrictions and prior approval under the company's Third Party Network Access Policy.
Asset Management
Network devices must be registered in an approved information system inventory in accordance with company policy. This policy requires inventory and documented ownership of all information systems that process critical and highly critical information assets throughout their lifecycle using an approved inventory system.
Wireless Networks
The Wireless LAN Policy governs the deployment and use of wireless networks and connectivity to access the corporate network. The company manages its wireless networks and monitors for unauthorized wireless networks.

Data Security

Introduction
The company's Information Asset Classification determines the company's data security requirements for systems. Company policies and standards provide guidance on appropriate measures to protect the confidentiality, integrity and availability of enterprise data in accordance with the data classification. The required mechanisms are designed to be consistent with the type of enterprise data being protected. For example, security requirements are higher for sensitive or valuable data such as cloud systems, source code and employment records. The company's enterprise security measures fall into three categories: administrative, physical and technical measures.
  1. Administrative measures, including logical access control and personnel processes
  2. Physical measures intended to prevent unauthorized physical access to servers and data processing environments
  3. Technical measures, including secure configurations and encryption for data at rest and data in transit
In addition, the company has formal programs in place to guide the development of the platform. These cover every phase of the product development lifecycle and constitute the company's methodology for building security into the design, build, testing and maintenance of its platform.

Security Policy for End Devices (Stationary and Mobile)

Introduction
Company policy mandates the use of antivirus, IPS and firewall software on endpoints, to the extent possible. In addition, automated security updates and virus signature updates must be enabled on all end devices. Any endpoints that process company or customer data will be encrypted with approved software.
Protection Against Malicious Code
Employees must follow the company's email instructions and are responsible for promptly reporting to the employee help desk any virus or suspected virus infection that cannot be remedied by antivirus software.
Employees are prohibited from modifying, disabling or removing antivirus software and the Security Update Service from any computer. Any employee who violates this standard may be subject to disciplinary action, which may include termination of employment.
End Device Encryption
To protect sensitive information, employees must install encryption software on their endpoints.
Enterprise Mobility Management
The company deploys a mobile device management solution to protect data on employee-operated mobile devices. These solutions support all major mobile device operating systems and platforms. The company's IT and security organizations regularly promote mobile device security awareness and best practices.

Data Security: Physical and Environmental Controls

Risk Based Approach
Global Physical Security uses a risk-based approach to physical and environmental security. The goal is to balance prevention, detection, protection and response while maintaining a positive work environment that fosters innovation and collaboration among employees and partners. The company conducts regular risk assessments to confirm that the correct and effective mitigation measures are in place and being maintained.

Preventive Measures: Protection of Assets and Employees
The company has implemented the following protocols:
  1. Physical access to the facilities is limited to employees, contractors and authorized visitors
  2. Visitors are required to be escorted and/or observed when on premises and/or bound by the terms of a confidentiality agreement with the company
  3. The company monitors possession of keys/access cards and the ability to access facilities. Employees who leave employment with the company must return keys/cards, and keys/cards will be deactivated upon termination
Data Center Security
The company's platform runs in data centers that help protect the security and availability of customer data. This approach begins with the company's site selection process. Data centers meet ANSI/TIA-942-A Tier 3 or Tier 4 standards set by the Uptime Institute and the Telecommunications Industry Association (TIA). Data centers hosting the platform use redundant power sources and maintain generator backups in the event of a widespread power outage. They are closely monitored for air temperature and humidity, and fire suppression systems are in place. Data center staff are trained in incident response and escalation procedures to respond to potential security and availability events.

Communication and Operations Management

Introduction
The company's security programs are designed to protect the confidentiality, integrity and availability of both company and customer data. The company continually works to strengthen and improve its security measures and practices for its internal operations and services.
Acceptable Use and Employees
The company has formal requirements for the use of the corporate network, computer systems, telephony systems, messaging technologies, Internet access and other corporate resources available to employees and contractors.
General Security Principles for Communications
The company has formal requirements for the use of the corporate network, computer systems, telephony systems, messaging technologies, Internet access and other corporate resources available to employees and contractors.
Separation of Duties and Awareness of the Principles
The company enforces clearly defined roles that enable segregation of duties among operations personnel. Operations are organized into functional groups, with each function performed by a separate group of employees. Examples of functional groups include database administrators, system administrators and network engineers. See also the Access Control section.
Monitoring and Protecting Audit Log Information
The company logs certain security-related activities on operating systems, applications, databases and network devices. Systems are configured to provide a record of access to programs, as well as system alerts, console messages and system errors. The company implements controls to protect against operational problems, failure to record events and/or log overwriting. The company reviews logs for forensic purposes and incidents and identifies anomalous activity that feeds into the security incident management process. Access to security logs is granted on a need-to-know and least-privilege basis. Where possible, log files are protected by strong cryptography in addition to other security controls, and access is monitored. Logs generated by systems that are accessible via the Internet are moved to systems that are not accessible via the Internet.
Asset Management
The company's inventory management for information systems requires an accurate inventory of all information systems and devices that contain critical and highly critical information assets throughout their lifecycle via a company inventory system. This policy defines the required identification attributes to be recorded for server hardware, software, data held on information systems and information needed for disaster recovery and business continuity purposes.
Communication Technology
The company manages enterprise solutions for collaboration and communication within the company and with external parties. Company policies require that employees use these approved corporate tools when handling confidential information. The company has defined standards for secure information sharing with suppliers and other third parties.

Supply Chain Security and Assurance

Introduction
Customers around the world rely on the company's platform to protect their data. As a global company, the company takes great care in the development and distribution of its platform. The company has formal policies and procedures in place to ensure the security of its supply chain. These policies and procedures explain how the company selects third-party vendors to embed in the platform. The company also has formal requirements for its suppliers and partners to certify that they will protect company and third-party data and assets entrusted to them. The Supplier Information and Physical Security Standards describe the security measures that the company's suppliers and partners must adhere to for:
  1. Access to the company's and its customers' facilities, networks and/or information systems
  2. Handling confidential information and hardware assets in their possession
In addition, suppliers are required to adhere to the Code of Conduct, which provides guidelines regarding the security of confidential information and intellectual property of the company and third parties.
Overview
The company's supply chain risk management practices focus on quality, availability, continuity of supply and resilience in the company's direct supply chain, as well as authenticity and security of the platform and services.
Other security processes focus on safety and product protection during transportation, shipping and storage.

Data Protection

Our privacy policy can be viewed at
Following recommended practices in common security standards issued by the International Organization for Standardization (ISO) and other industry sources, the company has implemented a variety of preventive, detective and corrective security measures with the goal of protecting information assets.
Network Protection
The company's network protections include solutions to ensure service continuity and defend against denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.
Events are analyzed using signature detection, which matches patterns of environment settings and user activity against a database of known attacks. The company updates the signature database frequently.
Monitoring and Incident Alerts
Alerts are sent to the company's security team for review and response to potential threats. These alerts are monitored 24x7x365.

Response to Incidents

The company evaluates and responds to incidents that raise suspicion of unauthorized access to or handling of customer data, whether the data resides on company hardware assets or on the personal hardware assets of employees. The company's Information Security Incident Reporting and Response Policy defines incident reporting and response requirements. This policy authorizes the security organization to act as the primary point of contact for security incident response and to provide overall direction for incident prevention, identification, investigation and resolution.
Corporate requirements for incident response programs and response teams are defined per incident type:
  1. Validation that an incident has occurred
  2. Communication with relevant parties and notifications
  3. Preservation of evidence
  4. Documentation of the incident itself and the associated response activities
  5. Containment of the incident
  6. Elimination of the incident
  7. Escalation of the incident
Upon discovery of an incident, the company defines an incident response plan for rapid and effective incident investigation, response and recovery. Root cause analysis is performed to identify opportunities for appropriate action to improve the security posture and mitigation. Formal procedures and centralized systems are used to gather information and maintain a chain of custody during the investigation of an incident. The company is able to support legally permissible forensic data collection as needed.
In the event that the company determines that a security incident has occurred, it will immediately notify all affected customers or other third parties in accordance with its contractual and legal obligations. Information about malicious attempts or suspected incidents is confidential to the company and will not be disclosed to outside parties. Incident history is also confidential and will not be shared externally.
Security Vulnerabilities
To report a security weakness to the company, please use the following link:

Risk Management Resilience Program (RMRP)

Risk Management Resilience Policy
The company's Risk Management Resilience Policy defines requirements and standards for business interruption events. It also establishes the functional roles and responsibilities required to establish, maintain, test and evaluate the business continuity capability for the company across business units and locations. It defines responsibilities for monitoring compliance with the program. The policy mandates an annual operating cycle for planning, assessment, training, validation and executive approvals for critical business operations.
Risk Management Resilience Program
The objective is to provide a business resiliency framework to enable efficient response to business disruption events that impact operations.
The RMRP approach consists of several sub-programs: Initial Emergency Response to Unplanned and Urgent Events, Serious Incident Crisis Management, IT Disaster Recovery, and Business Continuity Management. The goal of the program is to minimize negative impacts to the company and maintain critical business processes until regular operating conditions are restored.
Each of these sub-programs is a distinct discipline. However, by consolidating emergency response, crisis management, business continuity and disaster recovery, they can become a robust, collaborative and communicative system. The company's RMRP is designed to incorporate multiple aspects of emergency management and business continuity from the onset of an event and to leverage them as the situation requires.