We attach great importance to information security.

The company is certified to the ISO 27001 standard. The ultimate purpose of applying the standard is to protect information in terms of confidentiality, integrity and availability, so that business continuity is maintained. Company management is committed to doing what is possible to ensure the above and to the continuous improvement of the management system. The specific objective is to have no more than 2 information security events per year. Events may be identified through internal audit or through any other record kept over time. This indicator is measured before each management review.


Information Security

Policies

For relationships with suppliers and third parties, the specific requirements vary depending on the product or service to be provided. In general, however, the following apply:

  • Information security requirements should be recorded in a contract, which may be an annex to the commercial contract.
  • When selecting and approving new suppliers, due diligence must be exercised before any contract is awarded.
  • Remote access by vendors must use approved methods that comply with the information security policies.
  • Access to the organization's information should be limited, where possible, to what clear business needs require.
  • The company reserves the right to audit the information security practices of the supplier and, where applicable, of its subcontractors.
  • Emergency and incident management plans should be designed on the basis of the results of a risk assessment.
  • The selection of the controls required of the supplier should be based on a comprehensive risk assessment that takes into account the information security requirements of the product or service to be provided. It is essential to set these controls according to the supplier's capabilities.

Mobile devices such as mobile phones, laptops and tablets are useful tools in our daily lives. However, their use by people who scan or process data during work poses a high risk, because sensitive information may leak through them. In particular, the mobile phones of staff who scan and enter data must not be used during work and in the workplace. Laptops connected to the company network must have access only to the files necessary for their intended use. No software other than what is already provided may be installed on mobile devices without the company's approval. If a device is lost, the information security officer must be notified immediately.

The company transfers customer data in digital and printed form, and its reliability depends on the secure transfer of this data. The availability, integrity and confidentiality of the data must be ensured during transfer. The person who receives or delivers the information and data is responsible for any loss if the necessary measures are not observed. Data is primarily uploaded to the Captoria platform and stored there. Alternatively, if the customer wishes, it can be transferred either to the customer's own storage medium or to the company's. In the latter case, a log records when the data was deleted. Data can be encrypted at the customer's request.

Each employee has access only to the data related to the job for which he is responsible. User passwords are personal and must not be disclosed to anyone. When an employee leaves the company, his account is not deleted if he had contact with clients, but he no longer has access to it; otherwise both his email and his account are deleted. The ISO management system software does not delete users who have approved procedures that the company still follows. Domain passwords have the following attributes:

  • Minimum length: 7 characters.
  • Account lockout after 5 unsuccessful attempts.
  • Maximum password age: 180 days.
  • Minimum password age: 0 days.
  • Password history: the last 24 passwords are remembered.

There are 2 types of users depending on access rights: User and Administrator. When a user leaves, his password is changed and the account is made inactive. Through the organization chart kept in the ISO system, a log is maintained of the Active Directory users. User rights are reviewed every 6 months or whenever there is a change. Users who become "Not Active" are no longer monitored.
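The following PowerShell script is an added example for checking that the domain actually enforces the password attributes stated above; it is not the company's own tooling. It assumes the ActiveDirectory module (RSAT) is available in a domain-joined session with read access, that the baseline lives in the default domain password policy rather than a fine-grained policy, and that the `$Baseline` values are the ones listed in this policy. The 8-character warning is an added caveat drawn from NIST SP 800-63B, which recommends a minimum of 8 characters for user-chosen passwords; it is not part of the company baseline.

```powershell
# Added example (not the company's code): audit the default domain password policy
# against the documented baseline and list disabled accounts that still hold group rights.
# Assumes the ActiveDirectory module and a domain-joined session with read access.

Import-Module ActiveDirectory

# Baseline values as stated in the policy text above.
$Baseline = @{
    MinPasswordLength    = 7
    LockoutThreshold     = 5
    MaxPasswordAge       = New-TimeSpan -Days 180
    MinPasswordAge       = New-TimeSpan -Days 0
    PasswordHistoryCount = 24
}

$Policy = Get-ADDefaultDomainPasswordPolicy

# Compare each documented attribute with what the domain currently enforces.
$Findings = foreach ($Name in $Baseline.Keys) {
    $Expected = $Baseline[$Name]
    $Actual   = $Policy.$Name
    [pscustomobject]@{
        Setting  = $Name
        Expected = $Expected
        Actual   = $Actual
        Matches  = ($Actual -eq $Expected)
    }
}

$Findings | Format-Table -AutoSize

# Added caveat (not from the policy): NIST SP 800-63B recommends at least 8 characters
# for user-chosen passwords, so a 7-character minimum is worth flagging even when it
# matches the documented baseline.
if ($Policy.MinPasswordLength -lt 8) {
    Write-Warning "MinPasswordLength is $($Policy.MinPasswordLength); NIST SP 800-63B recommends 8 or more."
}

# Leavers are disabled rather than deleted, and rights are reviewed every 6 months.
# Disabled accounts that are still members of groups (MemberOf does not include the
# primary group, e.g. Domain Users) are candidates for that review.
Get-ADUser -Filter 'Enabled -eq $false' -Properties MemberOf |
    Where-Object { $_.MemberOf.Count -gt 0 } |
    Select-Object SamAccountName,
        @{ Name = 'Groups'; Expression = {
            ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
        } }
```

Run it from the 6-monthly rights review: a `Matches` value of `False` means the domain has drifted from the documented policy, and any disabled account listed at the end still carries group rights that the review should remove.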

The company is committed: a) to comply with all regulatory requirements of the applicable legislation on health and safety at work; b) to continuously improve the health and safety conditions of employees, associates and visitors; c) to consult continuously with employees and secure their active participation in improving health and safety conditions. The aim is to eliminate accidents and minimize the risk of illness related to the work environment.