The present security policy states Management’s commitment and sets out INTELLI’s approach, hereinafter called “Organization”, to managing information security. Information is a critical intangible asset of INTELLI that requires protection from unauthorized access, modification, disclosure or destruction. Therefore, the aim of the “Information Security Policy” is to define the basic requirements and security objectives for the appropriate protection of INTELLI’s information assets to express formally the Management intentions and guidelines with respect of the information security at INTELLI. The Management of INTELLI provides the appropriate resources in order to implement operate and review an effective Information Security Management System that supports the Organization’s business goals and activities and handles the risks that the Organization faces. The document is intended to express formally the Management intentions and guidelines with respect of the information security at INTELLI. With the Information Security Policy the Management aims to involve INTELLI to the core values and principles laid down in the Guidelines for the Security of Information Systems and Networks – Towards a Culture of Security of the Organization. INTELLI wants to continually improve their performance in Information Security area.
This policy applies to all business units of INTELLI and covers all the corporate assets, functions and services. It covers all INTELLI information, in any form and any medium, covering the past, present or future activities and relationships with employees, customers, associates and suppliers. All creation, processing, communication, distribution, storage and disposal of INTELLI information by any combination of INTELLI and external entities are covered in this policy.
The present security policy applies to all INTELLI employees and third parties. Compliance with Information Security Policy’s statements is mandatory for all employees.
4 Security Policy Change Management
The Information Security Department is responsible for the content and the review of the present security policy.
The Information Security Policy shall be reviewed (except for ISO review) annually by the Information Security Officer in order to be aligned with Management business needs and goals. Furthermore, the security policy shall be reviewed whenever it is imposed by business or external factors such as change of business strategy, information security incidents.
8 Security Policy Statements
8.1 Information Security Roles and Responsibilities
INTELLI has defined and documented the appropriate information security roles and the respective responsibilities that result from them. Security roles and responsibilities protect assets from unauthorized access, disclosure, modification and destruction. Roles and responsibilities are clearly communicated throughout the Organization.
8.2 Information / Business Owners
All information assets shall be identified, accounted for and assigned to nominated owners, which are designated parts of INTELLI. The Information Owner is ultimately responsible for ensuring that the information assets are appropriately protected, even if he transfers his duties to specialized individuals or even if other trusted entities are granted access to this information asset. It has to be noted that the responsibility for classifying information relies on the Information / Business Owners.
8.3 Information Classification
Information classification depicts the criticality level of data’s confidentiality, integrity and availability. INTELLI has developed and uses its own “Information Classification Scheme” so as to appropriately classify corporate information. It is imperative that all information created and used within the Organization is given the highest level of protection commensurate with its value, so that security requirements are covered in a way that promotes compliance with legal and regulatory obligation and protection of Organization’s reputation.
8.4 Security Awareness
Staff members, customers, consumers, suppliers, subcontractors and all other participants in the communication should be aware of the need for security of information systems and networks and should contribute to improving security. Employees shall receive appropriate training relevant to their job function. The continuous awareness and training of all employees is very important as the success of information security maintenance through the Organization depends on the ability of people to work towards a common goal of protecting the Organization’s assets.
All participants in the communication process are responsible for the security of the information systems and networks.
All participants in the communication process must act promptly and cooperate to prevent, detect and respond to security-related incidents.
8.7 Risk Assessment
INTELLI has defined and adopted a risk assessment approach following the “Risk Assessment Methodology” that has developed in its premises. Through this methodology the Organization identifies potential threats and vulnerabilities to its information systems, and assesses the impact of the loss of confidentiality, integrity and availability on corporate assets. The Organization formulates a risk treatment plan that identifies the appropriate management action, resources, responsibilities and priorities for managing information security risks. The Management of INTELLI defines the acceptable levels of risk for the whole Organization. All information assets shall undergo a risk assessment process in regular time intervals in order to identify the security risks related to them and implement appropriate security controls.
8.8 Security Design and Implementation
The security shall be included as an essential element of the information systems and networks.
8.9 Security management
Security shall be achieved through an integral approach to management.
8.10 Asset Management
Rules for the acceptable use of information and information systems shall be identified, documented and implemented. Maintaining the confidentiality, integrity and availability of information is a responsibility shared by all people in the Organization. All INTELLI employees are responsible for protecting information and information resources and are expected to be familiar with and comply with this policy. The Organization maintains and keeps up to date an asset inventory where all important information about corporate assets is kept (e.g. owner, physical location, maintenance status etc). The inventory of asset aims to depict the assets that the Organization owns and manage.
The information system and network security should be reviewed and reassessed and, if necessary, be subject to periodic changes in policies, procedures, practices and measures.
The implementation of this Policy is essential to ensure the proper and uninterrupted implementation of the information services offered and provided.
With the Information Security Policy, INTELLI aims to achieve:
• Protection of information against unauthorized access.
• Maintaining the information confidentiality.
• Preventing the disclosure of information to unauthorized persons, if even due to negligence or accidental error.
• Keeping the information intact from unauthorized changes.
• Providing the information to authorized persons whenever they need it.
• More accurate compliance with the applicable legislation.
• Development, implementation and practical examination of the plans for security interruptibility.
• Training on information security to all participants in the communication process.
• Documentation and investigation of all suspected breaches of information security.
The document shall be applied within the whole scope of the information security management system at INTELLI. With this policy, the Management expresses its determination to introduce a comprehensive system for protecting the information and the related assets against all threats, both external and internal, regardless of whether they are intentional or unintentional, in INTELLI facilities where related assets are located. The entire staff of INTELLI is responsible for the implementation of this policy in their daily work. The Management is committed to provide the necessary resources and will support the efforts of everyone involved in the communication process to implement this Policy.
8.13 Key directions
The key directions of the information security where this Policy will seek implementation are:
• protection of information owned by customers and users or other third parties;
• protection of personal data;
• protection of INTELLI information assets;
• Ensure confidence among all stakeholders in the reliability of the information management.
The Top Management has assigned the Information Security Officer to organize the implementation of the following tasks:
• Identification of information and related assets, their vulnerabilities and threats to which they may be exposed and the accurate assessment of the risks;
• Ensuring compliance with the requirements of:
o the Constitution, the laws, the regulations thereto and the other applicable legislation;
o the agreements entered into with third parties and the accepted requirements for information security;
o all internal rules of INTELLI;
o the international standards of the ISO/IEC27001 family.
• Issuance Objectives on information security that will set out the basic eligibility criteria in the Risk Assessment;
• Information security-related risk management within the established limits of acceptability;
• Control of the INTELLI operations for the implementation of this Policy and regular reporting on the status and implementation in the course of the review of the information security management system.
8.15 Main areas
In view of the implementation of this Policy, rules should be developed for its implementation in the following areas:
• physical security;
• control of the access to systems and data;
• security-related education and training;
• private electronic networks, systems and communications;
• rules of conduct of the participants in the communication process;
• backup copies of data;
• mobile devices and technologies;
• storage and destruction of confidential information;
• protection against malicious code;
• planning of the information security continuity;
• relations with:
o suppliers and subcontractors;
The responsibility for the issuance, review and update of the PO1-InfoSecPolicy on the information security is vested in the Top Management. The responsibility for the diffusion and the communication of the PO1-InfoSecPolicy on the information security is vested in the Top Management. The responsibility for understanding and compliance with the PO1-InfoSecPolicy on the information security is vested in every employee of INTELLI, as well as in the suppliers and subcontractors within the arrangements achieved with them. With this Policy, the Top Management undertakes their responsibility to assign and to require the full implementation of the principles set out therein for the management of the information security at INTELLI. The Top Management will periodically review and update, where necessary, this Policy to ensure that it is suitable for the activities performed and continues to contribute to the reliable protection of information in full compliance with all applicable legal and voluntarily accepted requirements. The Information Security Officer is required to implement this Policy by introducing and implementing the necessary rules that are documented in the Rules, Procedures, Regulations, Instructions, Orders and the other internal acts of INTELLI.
All participants in the communication process are required:
• to comply with the rules specified in the documentation of the information security management system and other internal acts of INTELLI;
• to assist with personal contribution to the implementation of this Policy;
• to report on any weaknesses observed in the information security.
8.17 Access Control
8.17.1 Access Control Mechanisms
Appropriate access control procedures and mechanisms shall be established taking into account INTELLI’s business needs and security requirements, in order to protect assets from unauthorized modification, destruction and manipulation. The Organization shall have documented policies and procedures to establish and terminate the right of access to information and information systems. These policies, procedures and mechanisms shall be periodically reviewed and verified.
8.17.2 User Access to Information and Information Systems
Appropriate access levels to information and information systems should be specified and maintained by Information Owners, while access should only be granted when there is a business need for it and based on the principles of need-to-know and need-to-use.
8.17.3 Remote Access
Remote access to systems shall be strictly controlled. There shall be a defined process for approving requests and managing the provision of remote access.
8.17.4 Third Party Access
Access to Organization information systems by third parties is only granted if appropriate identification and authentication is ensured according to the relevant corporate procedure. Third party access to corporate information shall be detailed in a formal contract, which must contain the requirements for complying with INTELLI ’s security policies.
8.18 Network Security
INTELLI adopts all the required controls in order to protect the corporate network from unauthorized access. All the appropriate security countermeasures that ensure the preservation of information confidentiality, integrity, availability shall be implemented, in order to protect information according to INTELLI’s business needs.
8.18.1 Internet & Email Use
Email and Internet services are important assets and are both provided in order to facilitate the performance of employees’ work responsibilities. The Organization enforces the appropriate technical measures which ensure the confidentially, integrity and availability of the e-mail and internet infrastructure. Rules are established for the proper use of the e-mail and Internet. Users shall be aware of the fact that the misuse of e-mail / Internet may have harmful effects such as legal consequences. It is noted that the personal use of e-mail and internet services by employees is allowed but should not interfere or conflict with business use. Employees should exercise good judgment regarding the personal use of email and Internet.
8.19 Human Resources Security
All employees should comply with Organization’s policy, procedures and standards. The responsibilities of each staff member with regards to information security differ and shall be tailored according to their role. Security responsibilities shall be included in job descriptions and contracts of employment. Furthermore, all employees sign non-disclosure agreements.
INTELLI personnel are responsible for:
• Being aware of the current policies and procedures and their responsibilities for protecting corporate assets.
• Using corporate resources only for intended purposes as defined by policies and procedures of the Organization.
• Being accountable for their actions relating to their use of all information assets.
8.20 Management of Information Security Incidents
The Organization adopts mechanisms so as information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken. A communication channel for documenting security threats, incidents or malfunctions is established and made known to all employees, contractors and third parties. INTELLI ’s staff shall receive appropriate awareness about information security incidents in order to note and report in time any observed or suspected security weaknesses in systems/ services.
8.21 Management of Business Continuity
The Organization has a documented and tested data backup plan considering both software and data. It is ensured that backup copies of information are taken at planned intervals taking into account information criticality level. Additionally, a backup verification is performed according to the relevant procedure.
8.22 Media and Document Handling
Media and documents shall be controlled and appropriately handled according to their criticality. Formal procedures shall be in place that determines the handling of media in terms of creation, storage, exchange, disposal etc.
8.23 Third Parties
Third parties shall comply with all relevant policies and procedures of the Organization and use INTELLI ’s information and information resources only for the purpose of the business agreement and for no other reasons. The appropriate level of information security shall be ensured during the collaboration with third parties and non-disclosure agreements shall be signed. Each third party that grants access to corporate information systems shall accept and sign INTELLI ’s Information Security Policy, be conformed to its content and understand the consequences in case they are not compliant. The Organization shall have formal mechanisms for verifying that all third-parties meet its needs and requirements.
8.24 Security Audit
The security level of INTELLI’s information and information systems shall be monitored by conducting either scheduled or unscheduled audits. An audit process shall be developed and followed by the Organization covering both technical and managerial controls. Audits shall be conducted at planned intervals in order to ensure the confidentiality, integrity and availability of information and resources, monitor all security measures and investigate potential security incidents.
8.25 Legal and Regulatory Compliance
The Organization always complies with the current legal and regulatory framework that either directly or indirectly specifies additional security requirements and countermeasures for the protection of data and information systems.