Security Policy

The Information Security Policy is the foundational document in which the management of Caelor Group d.o.o. (hereinafter Caelor Group) declares its intention to define principles, establish rules and organization, and implement the security measures required to carry out the Caelor Group work program. The procedures of the information security management system (ISMS), as well as the other documents related to the security of the Caelor Group business system, are elaborated on the basis of the principles and declarations in this Policy.

The Information Security Policy document sets out principles and describes the responsibilities for achieving and maintaining the required level of information security at Caelor Group. It obliges everyone involved in establishing, maintaining and using the Caelor Group business system to apply it within their scope of work.

The information security policy is adopted by the Director of Caelor Group, and is implemented by employees and business partners.

The rapid development of e-business enables Caelor Group, its employees and business partners to access data from the office, user locations, and from home. This means a growing dependence of business on information systems to support development, operational work and business processes. The development of information technology that supports this way of working, as well as the globalization of communications, introduce new potential dangers and vulnerabilities of information systems. Security incidents resulting from these vulnerabilities can seriously compromise the information system and workflows, as well as the reputation of Caelor Group and employees themselves.

Caelor Group's information system and all its resources support business processes and functions. Business system malfunctions, unauthorized data changes, privacy breaches or unauthorized access to information seriously jeopardize business. Consequences of information system failure can cause business downtime, financial losses and legal liability, whether caused by disaster, equipment failure, program errors or intentional damage.

The main goals and tasks of the Information Security Policy are:

  • determining the principles for effective risk management of compromising the confidentiality, integrity and availability of information and other resources of the business system,

  • determining the conditions for business continuity management,

  • incident management,

  • defining responsibilities for information protection,

  • establishing and maintaining a safe working environment for Caelor Group,

  • achieving compliance with all applicable laws and standards,

  • determining the requirements for the protection of the business system from unauthorized intrusions,

  • mitigation of consequences in the event of security incidents (for example, misuse, destruction or unauthorized disclosure of information),

  • stability and reliability as quality attributes of all Caelor Group business processes,

  • protection of personal data of employees and classified information owned by Caelor Group, protection of data of suppliers and customers, natural and legal persons and all other interested parties who are in a business relationship with Caelor Group.

Roles, authorities and responsibilities for achieving the objectives of the Policy

  1. Management or a person specially authorized by the Management of Caelor Group

Manages all resources of the Caelor Group business system and obliges all employees to establish and implement security measures. It oversees all business and information security operations.

  2. Information Security Manager

Performs the following tasks:

  • organizes, coordinates and supervises the establishment and implementation of security measures,

  • provides professional assistance in planning, implementation, supervision, education and harmonization of overall protection,

  • proposes information security goals,

  • reviews contracts from a security perspective,

  • manages the processes of risk identification, analysis and evaluation, and business impact analysis,

  • manages corrective and preventive measures of the information security management system,

  • manages documented ISMS information,

  • conducts training and awareness raising of employees.

Given the size of the company, the Director of Caelor Group d.o.o. also acts as the Information Security Manager.

  3. Internal auditor

Performs information system security audits, including the following tasks:

  • control and audit of the application of business system protection measures,

  • participates in information system security assessments,

  • reviews the operation, development and establishment of technical protection projects, and the compliance of procedures with the adopted protection policies and standards,

  • cooperates with other types of audit and may provide them with expert support.

Audit reports are submitted directly to the Director of Caelor Group.

By decision of the Director of Caelor Group, information security tasks, the coordination and supervision of the establishment and implementation of security measures, and the duties of the internal auditor may be performed by a third party (outsourcing).

Security risk management

Risk analysis and assessment is performed at least once a year, or more often if there have been changes in business processes or in the environment that could significantly affect the business of Caelor Group.

Purpose of information security policy

The Information Security Policy document is intended for all Caelor Group employees in order to be acquainted with the basic principles of information system security, the importance of the impact of security on business and responsibilities for the implementation of security measures.

The Information Security Policy does not contain detailed technical specifications; these are set out in the procedures and regulations for the protection of the information system.

The principles of the Policy are updated and consolidated in response to the results of the risk analysis, legal changes, contractual changes, changes in the Caelor Group work plan and good business practice, at least once a year and more often in the event of major changes.

Scope of information security policy

The Information Security Policy applies to all resources involved in the design, development and implementation of products and services and in the use and maintenance of the Caelor Group information system, as well as to all processes, procedures, services and products, and their construction, use and maintenance.

Resources consist of information, technological support for their collection, processing, storage, use and transfer, and persons who maintain and use the system (a detailed description of resources and ISMS scope limits is shown in document QMS_ISMS-43- Caelor Group _Scope_ISMS_08022023_V1).

Information is defined as the representation of facts, concepts or instructions in a formalized form suitable for communications, interpretation and manual or automatic processing.

Information can be stored and displayed in various forms on a variety of media including: paper, magnetic media, magneto-optical media, microfilm, databases, files, terminal screen, printed lists, video and audio or some other form. Technological support includes all computer and communication equipment, related software used within the business system and all devices and equipment for the collection, storage, transmission, manipulation, processing and use and destruction of media.

The information security policy applies not only to Caelor Group employees but also to external users, subcontractors, suppliers, business partners and other third parties (interested parties) who use the Caelor Group information system in any way or have the right to access business information on any basis.

All information used is considered property and must be protected from partial or complete destruction, misuse, or unauthorized disclosure.

The limits of the scope of the ISMS are determined by the resources, rights and powers of action within the Caelor Group.

Implementation of information security policy

Compliance with the defined Information Security Policy is mandatory.

Every user of the Caelor Group information system must understand their role and responsibilities for the protection of information and system resources. Failure to apply the principles of this Policy and the rules arising from them may result in disciplinary proceedings, including termination of employment and/or legal proceedings in accordance with applicable regulations. Any non-compliance or suspected non-compliance with the security rules that could result in a loss of confidentiality, integrity and/or availability must be reported to the Information Security Manager.

Depending on the nature and severity of the incident, the incident must be reported, and the person suspected of causing the incident may be suspended from accessing the system and information for the duration of the investigation.

Exceptions

Granting an exception to the application of this Policy is the sole responsibility of the Caelor Group Director.

The reason for exemption from the application of the Information Security Policy must be explained, documented and reported for approval to the Director of Caelor Group.

Areas covered

The policy is structured by areas, so that principles are declared for individual areas, followed by risks and specific issues for a specific area.

  • Business information: Business information is a vital resource of the user and / or his services and must be protected.

  • Classification of information: The management of information, as well as of other information system resources, must be regulated and organized throughout their lifetime, from creation, through authorized use, to proper destruction. All information must have a designated owner and be appropriately classified according to its value, sensitivity, risk of loss or disclosure and/or legal requirements.

  • Data privacy: All personal data (information) must be protected from unauthorized disclosure. If such information needs to be provided, it may only be used for the purpose for which it was issued. This information must be available to the person who owns it and it must be possible to correct the data if it is incorrect.

  • Individual responsibility: Individual responsibility for the use of information system resources must be defined and applied at all times on all computer systems.

  • Physical protection: The program of security of persons and property determines the principles according to which physical protection is performed. The protection of the information system must take into account accepted security principles and rules developed for the protection of property and persons.

  • Operating system protection: Initial configuration of operating systems must disable all permissions and change the standard identifiers and passwords installed by the system vendor. Access and use permissions are then added based on the procedure and with the approval of the administrator.

  • Antivirus protection: All users must have antivirus protection programs installed on their workstations, update them regularly and perform system checks. Any suspicion of a virus must be reported to the administrator immediately.

  • Business Continuity Planning: Business continuity plans will be developed, implemented and periodically tested in accordance with risk analysis and business impact analysis.

  • Copyright protection: Reproduction of any information without the written permission of its owner is a violation of regulations, a violation of the copyright of the owner and will not be tolerated.

  • Employee safety: To protect against potentially harmful activities initiated from within, by employees, the following principles apply: minimum authority, segregation of duties, and the need-to-know rule that everyone should know only the information they need for the job they perform. Security awareness will be raised through regular education. When a new employee is hired or an employee is transferred, the responsible process manager is obliged to inform the employee of their responsibilities related to information protection and of the existing procedures. Upon termination of employment, the responsible process manager shall notify the Information Security Manager as soon as possible and request the revocation of all authorizations.

  • Use of the system: The use of the information system and equipment is allowed only for business needs and purposes. Any use of information resources will be monitored and verified without special notice. Any abuse of the system will be considered a violation of the principles of this Policy.

  • Control of access rights: The integrity, confidentiality and availability of information resources must be protected by logical and physical security measures commensurate with their value, the risk of loss and the severity of the possible consequences.

  • External access rights to the system: Individual responsibility must be clearly defined when accessing information resources from the outside. Identification and authentication must be performed before connecting to the system.

  • Protection of resources in transport: During physical transport, all mobile computing resources and data media must be secured against breaches of confidentiality or data integrity.

  • Use of electronic communications: The electronic mail system and other electronic communication systems are intended primarily for conducting business activities. Special attention must be paid to protecting the confidentiality and integrity of information contained in e-mail and of information exchanged via social networks.

  • Network architecture protection: The network configuration must not be changed without the approval of the Information Security Manager.

  • Protection against external networks: Before any connection to an external network, a formal risk analysis must be carried out. The minimum acceptable security standards must be agreed in writing (by contract or otherwise) before the connection is actually established. No connection (to external networks) that may compromise the security of confidential information may be established.

  • Responses to incidents: Any suspicion of a security incident must be reported to the Information Security Manager, who will, if necessary, organize a team to respond to security incidents, investigate incidents and implement appropriate concrete security measures.

  • Internet protection: All necessary and available measures will be taken to protect the systems used for Internet/intranet communications and Internet services, and the information transmitted through them. Use of these resources is permitted primarily for business purposes and in accordance with the rules of acceptable conduct on the Internet (netiquette).

  • Acceptable use of the Internet: Internet communications and services may be used via Caelor Group information resources primarily for business purposes.

Business information

PRINCIPLE: Business information is a vital resource of the user and / or his services and must be protected.

All information, regardless of the form, format, method of storage or transfer, which is created or used for the purpose of conducting business activities is considered "business information" and represents assets. They must be provided in an appropriate and reliable environment and be available for authorized use.

Information protection is protection against intentional or unintentional destruction, alteration, disclosure and denial of availability to authorized persons. Information must be protected in accordance with its value, confidentiality and/or sensitivity, and the risk of loss or disclosure. Information security management makes information available to all authorized users according to their needs, while ensuring protection against unauthorized use. The Director of Caelor Group is responsible for defining and implementing appropriate security measures to protect the confidentiality, integrity and availability of information resources. Users are required to implement all security measures and are encouraged to propose improvements to them.

To achieve the desired level of security of the business system, it is mandatory to implement the following general rules:

  • any significant change, improvement or new function of the business system must be analysed from the aspect of information system security,

  • design, procurement, development, maintenance, testing and establishment of business system functions must include security functions,

  • no function of the information system can be put into production until its security mechanisms have been documented and successfully tested,

  • for certain areas of the information system, procedures and regulations on protection must be developed, as well as instructions for the use of applied security measures.

Procedures and regulations are distributed to all users of the relevant functions of the information system.

Documented procedures and regulations for areas must be adopted and regularly updated:

  • information system security,

  • classifications of confidential data,

  • security of personal data,

  • preserving business continuity,

  • use of personal computers.

Security costs must be commensurate with the value of the resources being protected or the potential damage.

Classification of information

PRINCIPLE: The management of information, as well as of other resources of the business system, must be regulated and organized throughout their lifetime, from creation, through authorized use, to proper destruction. All information must have a designated owner and be appropriately classified according to its value, sensitivity, risk of loss or disclosure and/or legal requirements.

All information system resources (persons, premises, IT equipment, software and data) must be classified in accordance with the established criteria for confidentiality (level of secrecy) and vitality (importance for business).

According to the importance for business, information resources are divided into three classes:

a. Vital - Information resources whose destruction or unavailability would cause downtime that is critical for the business, or significant financial damage. The longest acceptable period of unavailability of the vital functions of the business system is the planned recovery time objective (RTO) of up to three days. At the latest by the end of this critical period, the functions of the business system must be restored, within the maximum tolerable period of disruption (MTPD).

b. Important - Information resources whose destruction or unavailability would cause a delay of up to seven consecutive days, which does not cause major business difficulties, and which can be replaced by available reserve resources.

c. Useful - Information resources that are useful in business but whose unavailability for a longer period (more than fifteen days) does not cause significant downtime or damage to the business, and which can be replaced by other resources.

Confidential information relating to Caelor Group's operations, in accordance with the provisions of Chapters 8 and 9 of the Data Secrecy Protection Act (Official Gazette 108/96), is classified according to the type of secret as "Business Secret" and "Professional Secret".

According to the level of secrecy, "Business Secret" is classified as:

a. Confidential - Information whose disclosure to unauthorized persons could cause significant damage to business, financial loss or legal consequences. Insight into information and its use is allowed to a very narrow circle of persons with strict rules on access control and registration of document distribution procedures.

b. Restricted- Information whose disclosure to unauthorized persons could cause minor business damage.

c. Private - Information that contains personal data of employees, business partners, customers or citizens and the disclosure of which would mean a violation of the privacy of personal data with appropriate legal consequences.

There are internal or legal sanctions for non-compliance with the rules on the handling of classified and unclassified information.

Information classified at the state level as "top secret", "secret", "confidential" and "restricted" is subject to the security rules prescribed by the Data Secrecy Act (OG 79/07) for this type of classification of information secrecy.

All information classified as "Business Secret" or "Professional Secret" regardless of ownership is subject to security rules under the Data Protection Act.

The same information stored on different media has the same level of importance or confidentiality and must be accompanied by procedures that provide the same level of security.

Procedures for the use of classified information include the complete life cycle of information, from creation, use, storage to destruction.

If cryptographic methods are used to protect information, procedures for generating and distributing cryptographic keys must be defined.

Access to confidential information is allowed only to authorized persons, and is prohibited to others except in cases provided by law. The provision of classified and unclassified information at the request of official institutions must be approved by the Director of Caelor Group. Information that is not Caelor Group's own property must be safeguarded in the same way as its own confidential information and may be disclosed only with the express permission of its owner or custodian.

In general, only information that is specifically prepared for the public (for example, press releases, brochures) is considered unprotected information. The disclosure of such information must not in any way jeopardize the ability to conduct business activities or the reputation of Caelor Group.

The marking of documents is carried out according to the level of secrecy, and is carried out exclusively by the owner of the information.

Any unmarked information used in Caelor Group's business must be treated as a "Business Secret" classified "Confidential" and adequately protected until otherwise specified, i.e., until the owner classifies it and marks it with the appropriate classification.

Risks / Problems

Unauthorized disclosure, destruction or alteration of confidential information can have a variety of consequences ranging from financial losses to legal liability. Disclosure, alteration or destruction of user data can jeopardize business reputation and lead to a loss of trust in the business. The second category of consequences is litigation and financial losses due to the payment of damages to the injured parties.

Data privacy

PRINCIPLE: All personal data (information) must be protected from disclosure without the permission of an authorized person. If such information needs to be provided, it may only be used for the purpose for which it was issued. This information must be available to the person who owns it and it must be possible to correct the data if it is incorrect.

Caelor Group keeps personal data in its records (any data that identifies a person, not limited to medical or professional data) in order to perform its tasks. The protection of this data is of the utmost importance, and active security measures must be taken to protect it. All persons who have access to such data (either directly or through applications that process it) must respect its confidentiality. All processes must comply with personal data protection regulations and internal regulations. Personal data, including information about business partners, that is collected and stored:

  • may be used only for the precisely defined purpose for which it was collected,

  • must be stored for a period of time in accordance with legal regulations, or for as long as is necessary for its basic purpose,

  • may not be disclosed without the express permission of the person to whom it belongs,

  • must be available for inspection and verification by the person to whom it belongs,

  • must be corrected if an error in it is known or is detected by checking.

Risks / Problems

Unauthorized disclosure of personal information may be grounds for legal liability if the injured party files a lawsuit.

Individual responsibility

PRINCIPLE: Individual responsibility for the use of business system resources must be defined and applied at all times to all computer systems.

The right of access to a computer or network system is defined by a unique user identifier assigned to an individual. Each employee must use only their own user ID when logging in to computer systems or applications, except for group identifiers approved by the IT system administrator and the Information Security Manager. Each user identifier is also assigned a password or other means of authentication (e.g., a smart card). Passwords must be formed in accordance with the prescribed standards and must not be disclosed to other persons. Confidentiality of passwords is vital, as each user will be held responsible for all activities in the system performed using their user ID.

Rules, standards and procedures for assigning, using and revoking a user ID and password are an integral part of the instructions for using the business system and must be defined for each possible way of accessing the information system.

Risks / Problems

Without defined responsibilities there can be no effective protection. Using only one's own assigned login identifier allows activities to be attributed to the person who initiated them. This makes it possible to monitor use of the system and to investigate cases of abuse. Likewise, more accurate information helps in resolving system or network problems.

Access to protected resources is allowed only to authorised users. The right of access is based on an individual user identifier or on a group one, which includes the possibility of identifying the person who used it. Group identifiers are commonly used in models based on the protection of information by function (roles). Therefore, it is important that individual identifiers are assigned to specific individuals and that employees use only their identifier to log in to the system.

Physical protection

PRINCIPLE: The program of security of persons and property determines the principle according to which physical protection is performed. The protection of the business system must take into account accepted security principles and rules developed to protect property and persons.


Caelor Group has defined safety requirements and established appropriate physical and technical protection measures in accordance with legal regulations and provisions.

Operating system protection

PRINCIPLE: Initial configuration of operating systems must disable all privileges and change the standard identifiers and passwords installed by the system vendor. Access and use permissions are then added based on an accepted procedure and with the approval of the administrator.

The Information Security Manager has ultimate authority and responsibility for the security of operating systems and for administrator passwords. The IT system administrator is responsible for applying the appropriate fixes to operating systems that address potential system vulnerabilities.

The IT system administrator must maintain contact with representatives of operating system vendors and relevant third parties in order to obtain timely information about security issues and the solutions provided for them. Operating system fixes and upgrades must be applied as soon as possible, and at least monthly.
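The two rules above that can be checked mechanically are the unique-identifier rule from the Individual responsibility section (one user ID per individual, so that activity can be attributed) and the operating system rule that vendor-installed accounts and default credentials are disabled before permissions are added. The following script is an added example for this page, not part of the Caelor Group policy or its procedures: it audits /etc/passwd- and /etc/shadow-style account data for shared UIDs, additional UID-0 accounts, empty passwords, and unlocked system accounts that still have a login shell. The sample account lines, the list of interactive shells and the UID boundary of 1000 are constructed assumptions for the illustration.

```python
"""Audit of local Unix account files against two rules from this policy:
unique user identifiers (individual accountability) and disabled vendor or
system accounts with no default or empty passwords.  Added example; the
account data below is constructed and not taken from any real system."""

from collections import defaultdict
from dataclasses import dataclass

# Shells that allow interactive login; anything else is treated as non-interactive (assumption).
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/dash", "/usr/bin/bash"}
# Conventional boundary between system (vendor-installed) and regular user accounts (assumption).
SYSTEM_UID_MAX = 1000


@dataclass(frozen=True)
class Finding:
    account: str
    rule: str
    detail: str


def parse_passwd(text):
    """Return {name: {uid, shell}} from /etc/passwd-formatted text."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "shell": shell}
    return users


def parse_shadow(text):
    """Return {name: password_hash} from /etc/shadow-formatted text."""
    hashes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, pw_hash = line.split(":", 2)[:2]
        hashes[name] = pw_hash
    return hashes


def audit(passwd_text, shadow_text):
    """Check the accounts and return a list of Finding objects (empty if compliant)."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []

    # Rule: each user identifier is assigned to exactly one individual.
    by_uid = defaultdict(list)
    for name, info in users.items():
        by_uid[info["uid"]].append(name)
    for uid, names in by_uid.items():
        if len(names) > 1:
            for name in names:
                findings.append(Finding(name, "shared-uid",
                                        f"UID {uid} shared by {', '.join(sorted(names))}"))

    # Rule: vendor/system accounts are disabled and default credentials removed.
    for name, info in users.items():
        pw_hash = hashes.get(name)
        if pw_hash is None:
            # "x" in passwd but no shadow entry: password login is not possible, nothing to flag
            continue
        locked = pw_hash.startswith(("!", "*"))
        if pw_hash == "" and info["shell"] in INTERACTIVE_SHELLS:
            findings.append(Finding(name, "empty-password",
                                    "interactive login possible without a password"))
        if info["uid"] == 0 and name != "root":
            findings.append(Finding(name, "extra-uid0",
                                    "additional UID-0 account defeats individual accountability"))
        if (info["uid"] < SYSTEM_UID_MAX and name != "root"
                and info["shell"] in INTERACTIVE_SHELLS and not locked):
            findings.append(Finding(name, "system-account-login",
                                    f"system account has login shell {info['shell']} and is not locked"))
    return findings


def summarize(findings):
    """Group findings as {rule: sorted account names} for reporting."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f.rule].add(f.account)
    return {rule: sorted(names) for rule, names in grouped.items()}


# Constructed sample: root, a locked service account (tomcat), a vendor
# "support" account left with a second UID 0, an appliance account with an
# empty password, and one regular user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tomcat:x:105:105:Tomcat:/opt/tomcat:/bin/bash
vendor:x:0:0:vendor support:/root:/bin/bash
support:x:999:999:appliance support:/var/lib/support:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$rootsalt$rootHash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
tomcat:!:19700:0:99999:7:::
vendor:$6$vendsalt$vendorHash:19700:0:99999:7:::
support::19700:0:99999:7:::
alice:$6$alicesalt$aliceHash:19700:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{f.account:10} {f.rule:22} {f.detail}")
```

On the sample data the script reports the vendor account three times (shared UID 0, extra UID-0 account, unlocked system account with a login shell) and the appliance account twice (empty password, unlocked system account), while the locked tomcat account, the nologin daemon account and the regular user produce nothing. Run against real files it would read /etc/passwd and /etc/shadow, which requires root.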

Risks / Problems

A large number of individuals can compromise the security of a system if safeguards are not applied in a timely and appropriate manner. Breaking security is no longer a matter for a few specialists: vulnerabilities in systems are discovered quickly, and information about them spreads even faster.

Antivirus protection

PRINCIPLE: All users must have antivirus protection programs installed on their workstations, update these programs regularly, and perform system checks. Any suspicion of a virus must be reported to the administrator immediately.

Antivirus software is a necessary mechanism for detecting viruses, but new viruses appear at least as fast as effective protection against them is developed. Antivirus vendors continually update their products so that they can detect and remove new viruses, so antivirus software protects the system only when it is updated in a timely manner. Because many products have built-in automatic update mechanisms, users are only required to verify that automatic updating is turned on.

Prompt notification of possible virus outbreaks can help prevent the virus from spreading and minimize the damage.

Risks / Problems

Computer viruses, worms, Trojan horses and other malware can cause great damage to the information system. Worms can compromise system availability because they replicate themselves, consuming disk space and clogging communication channels.

Some viruses and Trojan horses can destroy or alter confidential information. The biggest risk lies in the time required as well as the cost required to recover the system.

In order to reduce the possible damage that viruses can do, constant use of virus detection software is required. Appropriate virus detection software must be installed, regularly updated, and used to scan computers and media. All files from external sources must be checked with antivirus tools before use.

Business continuity planning

PRINCIPLE: Business continuity plans must be developed and implemented and periodically tested.

To ensure the availability of vital information and to protect business processes as well as resources from the consequences of disasters or downtime, plans must be made to preserve business continuity and rebuild the system. Plans must be developed and implemented, and periodically tested.

It is necessary to have a sufficient number of current copies of the plans, which are kept in a safe place.

Business impact analysis will be performed periodically in order to:

  • identify critical information resources,

  • define precise backup and recovery schedules for the most critical systems,

  • enable their recovery within the set time limits (RPO, RTO and MTPD).

Risks / Problems

The unavailability of vital information can negatively affect Caelor Group's ability to provide services to its customers and to perform day-to-day business activities. Vital (critical) information must be stored in a way that allows its rapid recovery at another (backup) location.

Copyright protection

PRINCIPLE: Reproduction of any information without the written permission of its owner is a violation of regulations, a violation of the copyright of the owner and will not be tolerated.

All installed software must have a valid license. Licensed software may not be copied or duplicated except as expressly permitted by its terms of use. Employees may not bring in or install any program from an external source (including the Internet), licensed or unlicensed, without the express permission of the Information Security Manager.

This policy also applies to:

  • third party software owned or leased,

  • any software developed by Caelor Group employees,

  • software whose development is subcontracted,

  • software purchased or rented.

The policy applies equally to text, images, audio, video and all other protected materials.

Individuals who copy proprietary materials without authorization, as well as those who lend software or other materials for the purpose of unauthorized copying, violate this Policy. Some software licenses explicitly state the number of users for whom the license has been issued; exceeding this maximum number of concurrent users will be treated as a violation of copyright.

As a general rule, copying of software or other media is prohibited unless approved by the Information Security Manager.

Risks / Problems

Making, distributing or using illegal copies of books and software is a violation of the copyright of the publisher or manufacturer. Depending on the nature or gravity of the infringement, an employee may be penalized under the penal provisions of the law governing copyright. If such actions are proven, Caelor Group could be required to pay high fines. Even minor offenses can expose Caelor Group to serious legal consequences.

If it becomes public that Caelor Group uses illegal software, the company may also suffer reputational damage.

Personnel security

PRINCIPLE: To protect the business system from potentially harmful activities initiated from within, Caelor Group employees will apply the principles of least privilege, segregation of duties and need-to-know (everyone should know only the information they need for the job they are doing). Security awareness will be raised through the education of all employees.

Upon hiring a new employee, or upon transferring an employee to another position or location, management will inform the employee of his or her responsibilities related to information security and of the existing procedures. Upon termination of employment, all authorizations of the employee are revoked.

The principle of least privilege gives each employee access only to the functions and data he or she needs for the jobs he or she performs. The same principle applies to application development, where the same person is not allowed to develop, test and operate the application (segregation of duties).

Personnel security procedures must be part of the procedures for hiring new employees as well as of the procedures for termination of employment. Every new employee of Caelor Group must be given written instructions for information protection. The employee is obliged to read these instructions in full and to confirm by signature that he or she has understood his or her rights and responsibilities.

Risks / Problems

Without defined responsibilities it is impossible to demand the application of the Policy. Individuals must be informed of their responsibilities and procedures for the protection of information because otherwise they cannot be held accountable.

Likewise, employees leaving Caelor Group must have their authority to use the system revoked as soon as possible. Many security incidents originate with disgruntled employees or with former employees whose access to the system was never revoked.

Use of the system

PRINCIPLE: The use of the business system and equipment is allowed primarily for business needs and purposes. Any use of Caelor Group's information resources may be monitored and verified without special notice. Any abuse of the system will be considered a violation of this Policy.

Caelor Group Management reserves the right to monitor the use of the business system and to record all electronic communications used for business purposes. The information collected will be used not only to ensure the quality of work, but also to investigate cases of abuse or suspected misuse of the system. All employees will be informed that their work is monitored and that any use of the system that does not comply with Caelor Group rules will be sanctioned.

Employees accept the rules on the use of the business system upon employment.

Access control

PRINCIPLE: The integrity, confidentiality and availability of information resources must be protected by logical and physical security measures in accordance with the value, risk of loss or difficulty of recovering information.

Information owners are responsible for defining the staff who have the right to access the information being protected, and what level of authorization these persons will have (for example, reading, updating, deleting, etc.). The level of authorization must be assigned in accordance with the business responsibilities of the individual. Information owners must provide guidance to the Information Security Manager on how and to whom to grant access rights.

Premises where IT equipment and other resources are located must be physically protected from unauthorized access. Mechanisms, processes and procedures to control access to these resources will be developed to ensure access only to authorized persons. A standard cable labelling scheme will be applied to all cables and connectors.

Caelor Group employees - Each employee is responsible for and obliged to respect the prescribed information security mechanisms and measures, and to immediately inform the Information Security Manager about every security incident. The employee must not attempt to circumvent security controls, nor use, or grant to someone else, the right to access data for which he or she is not authorized. The person to contact regarding the granting of access rights is the owner of the information or the person to whom the owner delegates the management of authorizations.

Temporary employees - Information owners must pay special attention when granting access rights to persons in temporary employment (this also applies to subcontracted staff). In any case, the right of access must be granted for a fixed period of time and must end upon termination of employment or of the provision of services (usually defined by the contract).

Suppliers and third parties - In general, individual suppliers or third parties (interested parties) should not be given access to the information system. If access is nevertheless required, the Information Security Manager must grant the right of access in writing and only for a limited time. After that period the right must be explicitly extended, otherwise it is revoked. Third parties (interested parties) may be granted only the minimum right of access to the system and only for contracted business purposes. All third parties (interested parties) accessing the system must be familiar with this Policy and with their contractual obligations on data confidentiality, and must sign the appropriate document (statement).

Risks / Problems

People are the most important resource, and information is right behind them. Unauthorized disclosure or alteration of information may result in loss of productivity, legal consequences, and inability to perform normal business activities. In order to reduce the risk of unauthorized disclosure or alteration of information, access control mechanisms must be in place. Control of access rights is a basic security measure that achieves the goals of the security program.

External access to the system

PRINCIPLE: Individual responsibility must be preserved when information resources are accessed from the outside. Identification and authentication must be performed before connecting to the system.

In order to maintain the required level of information security, individual accountability is required at all times, including for access to the network from the outside. For the purposes of this Policy, "external access" is defined as access to the network from an external network or through publicly available access points.

The types of access rights to the system from outside and the manner of granting them must be defined and formally adopted, as well as the procedures for granting access and the persons authorized to grant access to resources.

Risks / Problems

External access to any information resource poses a serious threat to information and to the network. Without appropriate control measures, unauthorized persons may steal, alter or destroy information, disable the network and its services for authorized users, or cause damage that completely paralyzes the network.

Identification and authentication mechanisms are applied to reduce these risks to a minimum or to an acceptable level. Since every external connection (including telephone/dial-in lines) is a potential point of entry, the basic business requirement is that all logical and physical measures protecting information resources from unauthorized use have been applied. Attacks can come from anywhere in the world, from complete strangers (e.g., hackers) or from known persons (e.g., dismissed or former employees, suppliers, subcontractors, etc.).

Protection of resources in transport

PRINCIPLE: During physical transport, all mobile computing resources and media must be protected against loss of confidentiality or integrity of the data they carry.

Protection methods depend on the type of computing resource (device or media), the risk of information being disclosed during physical transport, and the available technological security measures such as the various methods for encrypting information. Security standards must meet the specific security requirements of each situation. The minimum measure on laptops is the encryption of confidential data files. Users must take advantage of the cryptographic capabilities included in the software products they use. Information contained on tapes, discs or other media must be encrypted or stored in appropriate secure cabinets (safes) whenever it is outside the control of authorized employees and outside the protected premises of Caelor Group.

Risks / Problems

Theft of laptops has become a serious problem, not only because of their resale value as goods, but also because of the information stored on them. To protect the information stored on laptops, the available security tools must be applied: passwords, encryption and other mechanisms.

Use of electronic communications

PRINCIPLE: The electronic mail system and other electronic communication systems are to be used primarily to conduct business activities. Employees must pay special attention to protecting the confidentiality and integrity of confidential information included in e-mail or in communications via social networks.

The use of e-mail systems and social networking services must be in accordance with this Policy, in particular with regard to the confidentiality of Caelor Group data and of third-party data.

Caelor Group Management reserves the right to check and review any stored electronic communications that are created, sent, stored or received through the business system, solely to ensure the quality of work and, if necessary, to determine liability for misuse of the system. Employees will be informed of all security measures implemented on the communication channels through which Caelor Group's business activities are carried out.

Risks / Problems

A peculiar feature of electronic communications is that the ease of use of services such as e-mail, combined with the fact that the sender of a message does not see, hear or communicate directly with the recipient, sometimes causes people to do things they would never do "live". It is important that the Internet is used to communicate in an appropriate and acceptable manner, so as not to compromise the morale or dignity of employees and to preserve the public reputation of the company. The activities that Caelor Group employees undertake on the Internet directly affect the company's reputation.

Network architecture protection

PRINCIPLE: The network configuration must not be changed without the approval of the Information Security Manager.

Even in the most secure networks, the ease with which network parameters can be changed, and network security thereby compromised, is often underestimated. Changes include a variety of actions: opening ports, adding or removing hardware, changing the routing of network traffic, changing the network configuration, and many others. The Policy defined in this way aims to ensure that the Information Security Manager is involved in a timely manner in all changes to the network.

Risks / Problems

The network configuration changes over time due to business needs or changes in technology, by adding new devices or replacing existing ones. It is therefore important that security measures are taken in time, before a security incident occurs.

Protection of communication on external networks

PRINCIPLE: Before any connection between the Caelor Group network and an external network, a formal risk analysis must be performed. The minimum acceptable standards of security must be agreed in writing (through a contract or an appropriate document - a statement of confidentiality) before the connection is actually established. No connection (to external networks) that may compromise the security of confidential information may be established.

Leased-line communication between two entities speeds up communication and eliminates the need for manual data processing or similar business activities.

Although such communication has great advantages, it can also pose a very serious threat to the protection of the business system, especially if the level of security of the external network is weaker. This type of communication with third parties (stakeholders) in effect extends the network, together with all the weaknesses in the partner's protection.

To fully understand the additional risks arising from this type of communication, the Information Security Manager must conduct a formal risk analysis. By identifying the actual or potential security vulnerabilities of the partner's information systems, it is easier to determine the security measures needed in Caelor Group's own business system. If the risk is judged to be too great, the connection will be rejected.

Risks / Problems

The danger of maintaining communications with a third party or business partner whose security standards are lower than the minimum acceptable is at least as great as that of leaving the network unprotected.

Contracts with business partners and all third parties (interested parties) must define a minimum security standard, so that the contract can later be referred to and, if necessary, legal steps taken.

Responses to incidents

PRINCIPLE: Any suspicion of a security incident must be reported to the Information Security Manager, who will convene the security incident response team, investigate the incident, and implement appropriate security measures as necessary.

Potential security incidents include unauthorized use of computers and other information resources, unauthorized disclosure or alteration of confidential information, and loss of the ability to conduct business normally.

The Information Security Manager will analyze suspicious activities and organize the teams for crisis management and security incident response.

Risks / Problems

End users are sometimes the first to detect a security incident and as such are a vital part of Caelor Group’s security system. When a security incident occurs, the most important thing is the reaction time according to the established procedures.

Protection on the Internet

PRINCIPLE: The Information Security Manager should take all necessary and available system protection measures related to Internet/Intranet communications and data protection. Employees will use these resources primarily for business purposes and will comply with the rules of acceptable conduct on the Internet (Netiquette).

For the purposes of this Policy, Internet services include all current and future Internet services, including (but not limited to): World Wide Web, FTP, e-mail, TELNET, SSH, various cloud services (Google, AWS, Confluence), various social networks (Facebook, Twitter, etc.), Webmail, and any public or private protocol for the transmission of data and other services.

The Internet provides services that support the free exchange of ideas and quick access to a large amount of information. They also multiply employees' opportunities to gather information, improve internal and external communications and increase business efficiency. However, in addition to giving employees access to information from the environment, the Internet also allows individuals to access the system. Security measures are needed to reap the benefits of the Internet, while reducing the risk of misuse.

A demilitarized zone (DMZ) should be established as a buffer zone between the public network (Internet) and the private network, so that services exposed to the Internet are not hosted directly on the internal network.

A security incident response team will be established and tasked with helping to reduce the risks associated with Internet technology. Caelor Group Management reserves the right to access, intercept, verify or interrupt any form of information created, received or stored, in order to ensure the quality of work and to determine liability for misuse of the system. Employees must be made aware that any misuse of the Internet may result in disciplinary action.

Risks / Problems

Although the Internet has huge potential for improving communications, research and information gathering, it can also be a dangerous place to do business, especially if appropriate security measures are not taken. Because there is no complete security on the Internet, any information sent over it can be intercepted and its content changed unless it is protected by encryption and integrity controls. As a medium, the Internet is often misused for electronic espionage, the sale and distribution of pornographic content, the theft of licensed software, and to harm legitimate users by attacking their networks or destroying their web servers.

Acceptable use of the Internet

PRINCIPLE: When an employee connects to the Internet using Caelor Group information resources, then this should be primarily for business purposes.

The list that follows does not include all cases but only examples of conduct that may result in disciplinary action. When accessing the Internet from the Caelor Group system, Internet services must not be used:

  • for personal or material gain,

  • for spoofing (impersonating another person, address or system),

  • to copy or send information to third parties (interested parties) without explicit consent,

  • to express personal views on suppliers, business partners, etc.,

  • to provide lists or information about Caelor Group employees to third parties,

  • to conduct commercial activities for others,

  • in a way that endangers or interferes with the employee's own work or the work of other employees, causing a drop in productivity or degradation of system response time for other employees,

  • for unauthorized attempts to break into computer systems (for example cracking or hacking),

  • to send messages that in any way endanger, harass or insult others,

  • for theft or unauthorized copying of electronic files,

  • to send or make confidential information available to unauthorized personnel,

  • to copy or download information whose content may cause legal consequences or adversely affect the reputation of Caelor Group, including material with racial, pornographic, political or religious content, material containing offensive statements, graphics, images or material that is prohibited by law,

  • for unauthorized monitoring of network traffic (sniffing), except by authorized personnel for whom this is one of their responsibilities.

Risks / Problems

Improper use of the Internet can result in financial damage, reputational risk, etc. Illegal downloads of inappropriate content can also result in lawsuits. The purpose of this Policy is to be the starting point and guide for the proper use of the Internet.