Information Security Policy

Information Security Policy of Suppliers/Subcontractors of SPIE Energotest sp. z o. o.

1. Purpose and scope of the access control policy

The purpose of the Information Security Policy, hereinafter referred to as the Policy, is to:

  • ensure the confidentiality, integrity, availability, accountability, authenticity, non-repudiation and reliability of the information processed,
  • minimise the occurrence of threats to information security,
  • ensure the correct and secure operation of information processing systems,
  • provide information security awareness to suppliers,
  • provide business continuity to the Company.

The policy applies to all suppliers providing services or materials/products to SPIE Energotest Sp. z o.o.

2. Definitions and terminology

ET - refers to SPIE ENERGOTEST Sp. z o.o.

Provider - an entity performing work for ET, involving the supply of services or materials.

Parties - ET and the Supplier.

Asset - anything of value to ET by virtue of the information it contains.

Personal Data - any information relating to an identified or identifiable natural person.

Security Incident - an undesired event or series of events that creates a significant likelihood of disruption to business operations and may adversely affect information security.

Information - anything that has been or is capable of being processed in such a way that conclusions can be drawn from it or decisions made. Information can exist in many forms: paper, electronic, sound, image, etc.

Information security - a set of technical and organisational actions and measures designed to ensure that information is protected against accidental or intentional destruction, alteration of content or disclosure.

Information processing - any action performed on information, such as creating, collecting, capturing, storing, reading, changing, sharing, deleting, etc.

User - anyone who has access to ET assets.

3. General Principles

  • The Policy is part of the rules and procedures governing the relationship between the Parties. The Policy is subject to periodic review. Compliance with the Policy is a condition for the contractual provision of services to ET.
  • The Parties must comply with laws and regulations relating to Information Technology.
  • Use of Information Systems resources resulting in infringement of intellectual property rights is prohibited.
  • Installing software or storing any other material on the Information Systems entrusted by ET that has not been obtained in a manner that entitles ET to use it is contrary to this Policy.

4. Property rights

Processing of information entrusted to the Provider is only possible with the consent of ET.

  • ET reserves the right to continuously control the information assets transferred to the Provider. The control includes methods such as interception, monitoring, logbook entry and inspection. The purpose of the continuous control is to protect the interests of ET and the Supplier.
  • Assets produced by the Supplier in the course of providing services to ET are subject to the same rules as Assets transferred to the Supplier by ET.
  • The Provider must at all times apply appropriate protection mechanisms in accordance with the systems under its control and in respect of the information contained therein. The Provider is fully responsible for making regular security copies of the ET data.
  • Assets used to process ET information must have IT safeguards approved by the Parties.
  • Without the written consent of ET, information belonging to ET may not be processed or stored on equipment not belonging to ET.

Electronic equipment not authorised by ET may not be connected to the ET Information System. Connecting business or private mobile phones to the ET Information Systems is prohibited.

5. Use of the ET Infrastructure by the Supplier

  • Private use of the ET IT infrastructure is prohibited.
  • A user of the IT system may only be a person who is duly authorised and registered in the register of users of a given system.
  • User registers for information systems are maintained by ET.
  • Each registered user uses an assigned user account, provided with an access ID and password.
  • The default rights in ET IT systems are access denied. Access is only granted when the need arises.
  • The granting of rights to data processed in ET IT systems follows the principle of "minimum rights", i.e. only the minimum rights necessary to perform the work of a given position are assigned.
  • Passwords must be kept secret and may not be disclosed to others. In the event that the User performing the Supplier's obligation transfers the password to another person, the Supplier remains fully responsible for the integrity and confidentiality of the information entrusted to it.
  • To prevent access to assets by an unauthorised person:

- the user is obliged to effectively log out of the system or lock the system each time he/she intends to leave the workstation, regardless of how long he/she intends to leave the computer for;

- in the case of mobile phones, regardless of the PIN number of the SIM card, a system lock must be used (e.g. PIN, fingerprint, graphic code);

- no unauthorised persons are allowed to use the equipment;

  • The supplier may not modify the equipment belonging to ET, e.g. by installing computer components, software or in any other way without ET's written consent.
  • The supplier shall take constant care of the ET equipment entrusted to it, and in particular take care to protect it from theft, damage during transport or undesirable environmental influences.
  • Particular care must be taken when handling materials on removable media (e.g. CD-ROM, etc.) that have been created or used outside the ET Information System. Media from a questionable or unknown source must not be used on equipment belonging to ET. Any such material should be scanned with anti-virus software before use.
  • All software installations on ET computers are made by ET or with the written permission of ET.
  • Installation and/or use of private software/files on IT equipment entrusted by ET is prohibited.
  • The latest version of anti-virus software must be active on the IT equipment entrusted by ET.
  • Any identified instances of threats, breaches and weakening of the security of the Information Systems or the operation of software unauthorised by ET (security incidents) must be reported immediately to ET.

6. Electronic messaging

  • Electronic mail made available to the Supplier's users is treated as business mail.
  • A user under the responsibility of the Supplier, when sending electronic messages, may not present private opinions and judgements as the position of ET.
  • Sending ET-relevant information, including personal data, via external servers not managed by ET requires that it be secured (e.g. by file encryption). The password for the encrypted file may not be sent together with the file.
  • The entrusted ET mailbox is subject to a size limit. The user for whom the Supplier is responsible is obliged to delete outdated messages on a regular basis.

7. Sending relevant information including personal data in paper form

  • Small amounts of information (e.g. data of a few persons enrolled in training courses) shall be sent by registered mail in a sealed, non-transparent envelope.
  • Large amounts of information or sensitive data shall be sent in a secure envelope.

8. Internet

  • Users for whom the provider is responsible may use Internet access provided by the ET, after training by an ET employee under the terms of the ET IMS documentation.
  • ET reserves the right to monitor any type of connection made on devices connected to the Information Systems.
  • Users for whom the Provider is responsible may not:

- seek to bypass the security and access controls applied to the ET edge devices,

- intentionally interfere with the operation of the network, e.g. by spreading computer viruses, using hacking practices or transmitting large amounts of data that block the network and hinder other users;

- connect devices not authorised by ET to ET's LAN;

- disclose or publish via the Internet secret or proprietary company information such as: financial information, new ideas or ideas related to the company, marketing strategies and plans, databases and information contained therein, customer lists, software source codes, computer/network access codes and business relationships, etc.;

- use the Internet, e-mail or other tools to create legal or contractual obligations without the required ET authorisation.

9. Minimum requirements to be met by the supplier's non-ET IT system:

  • Software (Operating System and applications) is installed and used in accordance with the law and licence terms.
  • Each Operating System and application is kept up to date with security updates and patches.
  • Installed, up-to-date and functioning anti-virus software is provided.
  • Personnel operating the Provider's non-ET IT system are trained in its use and security principles and are familiar with this Policy.