INFORMATION SECURITY POLICY OF ARBOR GARDEN SOLUTIONS LTD
1. GENERAL PROVISIONS
1.1. The proper business operations of Arbor Garden Solutions Ltd. ("the Company") depend on the confidentiality, completeness and availability of the information, the software and the means by which the information is collected, preserved, processed and reported. The protection of information is necessary both in order to comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and for reasons of commercial confidentiality.
1.2. The "need to know" principle is a guiding principle of Information Security. According to this principle, each User shall be allowed access only to the information the User needs in order to fulfil the User’s duties.
1.3. The Authorization system for accessing information is intended to implement this principle and to ensure that every User of the Company's computerized system is restricted to the information the User needs according to the definition of the User’s job and the needs of the User’s work.
2. TERMINOLOGY
2.1. Administrator Authorization – access to manage settings on a particular system or manage network settings.
2.2. Authorization – granting an administrative permit to the User to access computer information required for the performance of User’s duties. Permission is given on two levels: access to information, and execution of operations.
2.3. Database – collection of information held by magnetic or optical means intended for computer processing.
2.4. Director of Database (Database Manager) – Country Manager / CEO.
2.5. Disk on Key (DOK) – a mobile data storage medium with high storage capacity, which is used primarily for transferring information between computers.
2.6. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
2.7. Information Security – protection of the integrity of information and its protection from exposure, use or copying without lawful Permission.
2.8. KeePass Manager – employee authorized by the Company to install Password management software.
2.9. Laptop – a computer that can be operated both when connected to mains electricity and on battery power.
2.10. Password – a sequence of characters known only to the User, used to verify the User's identity. The Password characters are entered as part of the User identification process to the system, i.e. together with the User's name, in order to allow access only to authorized Users who have been identified by the system as authorized. In high sensitivity systems the User Password shall be replaced once every 90 days, where the technology allows it. In systems defined as normal sensitivity, the Password is changed once a year.
2.11. Permissions – granting administrative Permission to the User to access the IT information needed to perform User’s job. Permission is granted on two levels: information access, and Permission to perform actions.
2.12. User – an employee of the Company or an external worker, who in his or her capacity uses the Company's computerized information systems.
3. INFORMATION SECURITY
3.1. Secured areas:
3.1.1. the Database Manager shall once a year define and approve areas as “technologically sensitive areas” and define the personnel authorized to access those areas;
3.1.2. in these areas, measures shall be taken to monitor and record entries to and exits from the area.
3.2. Work environments and computers security:
3.2.1. upon leaving the workstation, sensitive data shall be stored securely in a locked device (drawer, closet or safe, depending on the degree of sensitivity and the means available); if no such device is available, the room must be locked with a key;
3.2.2. at the end of the workday or while leaving the workstation for an extended period, the User must leave User’s work environment with the Company’s documents being in order and in dedicated folders;
3.2.3. CTO shall ensure that every workstation locks with a Password-protected screen lock after 15 minutes of inactivity;
3.2.4. CTO shall ensure the installation of anti-virus software on every Company server and workstation, with a daily update schedule defined;
3.2.5. CTO shall ensure the definition of operating systems’ update process on every server and workstation with Information Security updates and manufacturer service pack installation;
3.2.6. CTO shall ensure that external devices (DOK device, CD drive, etc.) are used only with the CTO’s approval and that, where needed, data is instead downloaded from the cloud to the workstations;
3.2.7. any change to the PC configuration, including software or hardware installation, as well as change to the computer settings – Permission access, communication settings, anti-virus settings, shall be executed by the Database Manager’s approval and the activity shall be documented.
3.3. Password and username usage:
3.3.1. the username (User ID) used to access the workstations and Databases is for personal use only;
3.3.2. generic (shared) Users shall not be configured for human User activity; they may be used only for servers and applications, with dedicated documentation.
3.4. Password policy on workstations and Databases:
3.4.1. the Password must be different from the username;
3.4.2. Password length – at least 8 characters;
3.4.3. the Password must contain at least one Latin letter (A to Z), one digit (0 to 9) and one special character (!, @, #, $, %, ^, &);
3.4.4. the Password shall not be easily guessable from the username;
3.4.5. mandatory change of Password – once in 90 days in Information Systems and once a year in a network;
3.4.6. an automatic User lockout shall be defined after 10 failed attempts and shall be released only after approval of the CTO;
3.4.7. the Passwords shall be stored encrypted in the Database and shall not be visible to the User in clear text.
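As an added illustration of the rules in section 3.4 (this is example code written for this edit, not part of the Company’s policy or of its systems), the following Python checks a candidate Password against 3.4.1 to 3.4.4, stores it as a salted hash so that the Database never holds the clear-text Password (3.4.7), and enforces the lockout after 10 failed attempts with release on CTO approval only (3.4.6). The `Account` structure, the sample usernames and Passwords, the use of PBKDF2-SHA256 and its iteration count are assumptions; the policy prescribes the rules, not a particular implementation.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Thresholds taken from the policy text (3.4.2, 3.4.3 and 3.4.6).
PASSWORD_MIN_LENGTH = 8
SPECIAL_CHARS = "!@#$%^&"          # the characters listed in 3.4.3
MAX_FAILED_ATTEMPTS = 10
PBKDF2_ITERATIONS = 200_000        # assumed work factor, not taken from the policy


def check_password_policy(username: str, password: str) -> List[str]:
    """Return the policy clauses the candidate Password violates (empty list = compliant)."""
    violations = []
    user_lc, pw_lc = username.lower(), password.lower()
    # 3.4.1: the Password must differ from the username (compared case-insensitively,
    # which is a stricter reading than the literal text).
    if pw_lc == user_lc:
        violations.append("3.4.1 Password equals username")
    # 3.4.2: minimum length.
    if len(password) < PASSWORD_MIN_LENGTH:
        violations.append("3.4.2 shorter than %d characters" % PASSWORD_MIN_LENGTH)
    # 3.4.3: at least one Latin letter, one digit and one of the listed special characters.
    if not re.search(r"[A-Za-z]", password):
        violations.append("3.4.3 no Latin letter")
    if not re.search(r"[0-9]", password):
        violations.append("3.4.3 no digit")
    if not any(ch in SPECIAL_CHARS for ch in password):
        violations.append("3.4.3 no special character")
    # 3.4.4: not guessable from the username; here that means the username
    # (or its reverse) must not appear anywhere inside the Password.
    if user_lc and (user_lc in pw_lc or user_lc[::-1] in pw_lc):
        violations.append("3.4.4 guessable from username")
    return violations


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-SHA256 so the Database stores no clear-text Password (3.4.7)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    _alg, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class Account:
    username: str
    password_hash: str
    failed_attempts: int = 0
    locked: bool = False


def login(account: Account, password: str) -> bool:
    """Authenticate; lock the account after MAX_FAILED_ATTEMPTS consecutive failures (3.4.6)."""
    if account.locked:
        return False
    if verify_password(password, account.password_hash):
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
    return False


def release_lockout(account: Account, approved_by: str) -> None:
    """A lockout is released only on CTO approval (3.4.6); any other approver is refused."""
    if approved_by != "CTO":
        raise PermissionError("lockout release requires CTO approval")
    account.locked = False
    account.failed_attempts = 0


if __name__ == "__main__":
    # Constructed sample: compliant and non-compliant candidates for the user "jdoe".
    for candidate in ("Garden#2024x", "jdoe2024!", "password"):
        print(candidate, check_password_policy("jdoe", candidate) or "compliant")
```

`check_password_policy` returns the clause numbers rather than a bare boolean so that the rejection message shown to the User can cite the rule that failed; `release_lockout` takes the approver as an explicit argument so that the CTO-only condition is enforced in code rather than left to procedure.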
3.5. Data storage:
3.5.1. storage of Information on detachable storage media shall be performed by authorized personnel only, and the Information shall be deleted from the media immediately after use;
3.5.2. business-related Information shall be stored on cloud applications rather than on local hard drives (e.g. the C: or D: drive);
3.5.3. sensitive personal Information will be stored in the Databases in accordance with the requirements set under the GDPR.
3.6. Backups:
3.6.1. Backups must be made regularly: (i) full copy – at least once a week; (ii) incremental copy – at least once a day.
3.6.2. CTO shall be responsible for proper Backup process. The CTO shall ensure the process of backups as follows:
3.6.3. backups to all the Databases will be properly executed by the cloud providers;
3.6.4. Backups must be made in different locations.
3.6.5. Backups must be monitored and tested so that they can be relied on in an emergency.
3.7. Email usage:
3.7.1. Database Manager shall ensure a separate email is defined for every User;
3.7.2. email access Password policy shall be as described under Password policy on workstations and Databases;
3.7.3. Users will be guided to pay attention to the recipients list and attachments before sending or forwarding an email;
3.7.4. Users will be guided not to open email attachments in the following cases:
3.7.4.1. unknown sender, except for potential new customers contacting the sales department;
3.7.4.2. a mailing list irrelevant to the Company’s activity;
3.7.4.3. random file name irrelevant to the Company’s activity;
3.7.4.4. suspicious message content inviting to open a file or link.
3.8. Social media sites usage:
3.8.1. all the Company’s employees are forbidden to publish any messages in the name of the Company on social media sites without a given approval by the CEO or the Country Manager;
3.8.2. technical restrictions on social media sites’ usage, file downloading etc. will be handled by the Company’s systems, if needed.
3.9. Wireless networks usage:
3.9.1. the Database Manager shall act to minimize the use of wireless networks (a wired network is preferred wherever possible);
3.9.2. use of a wireless network for work purposes requires encryption of at least the WPA2-AES level (or stronger where the router supports it).
3.10. The peer-to-peer network shall be used with a Windows User ID and Password configuration. The computers are connected via a router; network logon and logout are protected by a firewall of the CATO company restricted to legitimate addresses. Access to Databases is restricted to a pre-defined IP list.
4. CLOUD INFORMATION SECURITY
4.1. The Company’s Databases are stored on the cloud services of Serveriai verslui, UAB. The Company considers that Serveriai verslui, UAB complies with the Information Security standards and strict privacy standards.
4.2. The Database Manager will ensure the receipt of the relevant documents (e.g. ISO27001 certification) from the cloud service providers at least once per year, confirming the providers’ compliance with Information Security standards.
5. RESPONSIBILITIES OF PERSONS RESPONSIBLE
5.1. Database Manager shall:
5.1.1. ensure physical and environmental security of Database’s systems;
5.1.2. determine management arrangements for the Database’s systems;
5.1.3. determine Database’s access Permissions according to the access owner’s role definition;
5.1.4. establish regular operating instructions for the Database’s systems;
5.1.5. manage a list of personnel authorized to access the Database’s systems;
5.1.6. have the authorized personnel sign the confidentiality document and ensure compliance with the provisions applicable to the Database’s activity;
5.1.7. take reasonable security measures, depending on the level of Information sensitivity, to prevent intentional or accidental intrusion into the system beyond the access Permissions;
5.1.8. establish audit arrangements to detect security events and correct deficiencies;
5.1.9. perform periodic tests to ensure the Company’s and its service providers’ compliance with this policy and conduct regular tests dealing with all the matters requiring Database’s maintenance.
5.2. The Company’s management has overall responsibilities for the Information Security and privacy protection issues in the Company’s Databases, cloud located Databases and the Databases held by external entities.
5.3. CTO is primarily responsible for the implementation of this policy and all other processes and procedures related to the operational and security risks management and Information Security. For this purpose, the CTO is assigned with the following responsibilities (the list is not exhaustive):
5.3.1. ensuring the Company’s activities compliance with internal security processes and procedures, legal acts and applicable standards;
5.3.2. escalating operational or security risks and threats to the management;
5.3.3. ensuring continuous monitoring of the Company’s business functions, critical processes and Information assets that are potentially subject to the operational or security risks;
5.3.4. imposing Information Security requirements on third-party service providers;
5.3.5. overall management of operational or security risks, Information Security, cyber-attacks;
5.3.6. ensuring identification and constant monitoring of the security and operational threats that could materially affect the Company’s ability to provide financial services;
5.3.7. ensuring management and reporting of the operational or security risks incidents;
5.3.8. assessing the necessity to implement additional processes, procedures or measures aiming to properly mitigate operational or security risks;
5.3.9. providing the Company’s employees, managers and third parties with Information Security policies and their updates; etc.
5.4. CTO is responsible for:
5.4.1. maintaining appropriate Information Security systems, including firewalls, intrusion detection systems and anti-virus protection, or managing the provision of these services by third-party vendors;
5.4.2. ensuring proper operation and security of programs, systems and hardware being used in activities of the Company;
5.4.3. daily oversight of Information systems, that include monitoring operations of all computers and software, adding approved new Users to systems, changing User access rights and authorities, capacity monitoring and planning for all systems, acquiring and deploying systems, installing new software and upgrading existing software, managing outsourced vendor relationships;
5.4.4. maintaining current inventories of the software and hardware components that make up information systems;
5.4.5. maintaining and summarizing the Information system operational activities, including daily operational logs, equipment failure logs, security monitoring reports, software licensing Information, troubleshooting systems problems;
5.4.6. preparing the Company’s IT systems continuity plan; etc.
5.5. The CTO/operating team member:
5.5.1. will ensure that the external parties holding the Company’s Databases have signed a confidentiality agreement, and will perform periodic tests and risk surveys of external parties to ensure the implementation of the Information Security requirements set under this Policy. A risk survey will be conducted at least once every 18 months;
5.5.2. will examine the need of updating the Database settings document or the security procedure as a result of the risk survey and will operate in order to correct the deficiencies discovered by the survey, if any;
5.5.3. will initiate penetration tests into the Database systems for the purpose of assessing their resistance to internal and external hazards, once every 18 months, at least;
5.5.4. will discuss the penetration tests results with the Company’s management and operate to correct the discovered deficiencies, if any.
5.6. Therefore, the CTO/operating team member will ensure that the following issues are defined and implemented in the Company:
5.6.1. computing means – system logon Passwords, compartmentalization within the Database between the various Information details, external penetration protection means, etc.;
5.6.2. physical means – Database location, physical access, etc.;
5.6.3. monitoring means – frequency of tests executed for external penetration prevention, the manner of monitoring the use of the Information by the authorized Users, monitoring Databases, etc.;
5.6.4. authorized examination – which persons will be granted with the Permission to review the Information provided, their number and for what purpose they are given the access;
5.6.5. examination of the handling of excess Information – how to destroy surplus data that accompanies the main request, and what to do with old Information that is no longer in use;
5.6.6. the Company’s employees will be trained on sensitive personal data processing and Information Security procedures, they will sign confidentiality agreements and undergo periodic training related to work with the Databases.
5.7. The CTO/operating team member shall also ensure that an internal or external audit for the compliance with Information Security standards would be carried out at least once every 24 months.
5.8. The Company’s management shall discuss the results of the risk surveys and penetration tests received and cooperate with the CTO/operating team member to correct the discovered deficiencies, if any.
6. THE USER ACCESS PROCEDURE BODY
6.1. New Employee Reception
6.1.1. The CEO or another person authorized by the CEO will sign the employment contract and the confidentiality agreement.
6.1.2. HR specialist shall:
6.1.2.1. copy the relevant documents;
6.1.2.2. request a building tag certificate from the office building management;
6.1.2.3. hold an opening (welcome) conversation and introduce the functions and responsibilities of the other employees.
6.1.3. With regard to Information Security, the tasks concerning a new employee are the following:
6.1.3.1. reading and approving the Information Security presentation;
6.1.3.2. reading and understanding of this policy;
6.1.3.3. attending a briefing by the Information Security referent;
6.1.3.4. computing equipment and Authorizations as detailed in this policy;
6.1.3.5. training and reading of the on-the-job training documentation.
6.1.4. The Country Manager / CEO will notify the CTO and accounting by email of the appointment of a new employee, specifying the Permissions necessary for the employee to perform the employee’s duties.
6.1.5. The CTO will grant the employee:
6.1.5.1. Office 365 User (email);
6.1.5.2. additional Permission (if needed).
6.1.6. An authorized employee will update the “access Permissions” document.
6.1.7. An authorized employee of the Company will install at the new employee's workstation:
6.1.7.1. Anti-Virus Program;
6.1.7.2. program for Password management;
6.1.7.3. VPN (in case of Laptop).
6.1.8. An authorized employee will connect the workstation to the internal network in the office.
6.2. Users Training
6.2.1. The Country Manager / CEO and / or the Team Leader will give an Information Security briefing to new employees and have them sign for receipt of the training.
6.2.2. The authorized employee will give annual awareness training to all employees.
6.2.3. The training sessions will be conducted in the form of presentation and reading procedures.
6.2.4. The trainings will bring to the attention of Users, inter alia, the following topics:
6.2.4.1. securing the workspace;
6.2.4.2. physical security of mobile computing devices;
6.2.4.3. prohibition of passing Passwords between employees or external entities;
6.2.4.4. actions to be taken when receiving a virus warning message;
6.2.4.5. the prohibition against opening emails and installing software from an unknown source;
6.2.4.6. proper use of email;
6.2.4.7. internet etiquette;
6.2.4.8. shredding sensitive documents.
6.3. Authorizations definition and Users’ compartmentalization
6.3.1. The CTO will define specific Permissions for each of the Company's network folders:
6.3.1.1. public folders for the entire Company;
6.3.1.2. folders open to specific groups;
6.3.1.3. folders open to individuals or to cross-company forums.
6.3.2. The direct manager shall define the level of Authorization given to each User and will approve it with the Country Manager / CEO, as the case may be:
6.3.2.1 reading;
6.3.2.2. updating;
6.3.2.3. deleting (in rare cases);
6.3.2.4. system administrator;
6.3.2.5. cross-functional (transverse) Authorization by function.
6.3.3. The CTO will define the User’s Permissions (read / update / delete) according to the work needs only (the "Need to Know & Act" principle).
6.4. Authorization to a new employee
6.4.1. Upon the arrival of a new employee at the Company, the Country / Operations Manager will notify the CTO by e-mail, indicating the Authorizations necessary for the employee to carry out the employee’s duties.
6.4.2. The CTO will define the required Permissions for the employee in accordance with the instructions of the Country Manager / CEO.
6.5. Audit Trail
6.5.1. The CTO/operating team member will ensure the execution of automated logging of access to the Company’s network and information systems to identify the accessing party, the subject of access and details of time and place, type and scope of access and whether the access was approved or denied.
6.5.2. The audit trail shall detect changes to or cancellation of its activation and shall be linked to a component that distributes alerts to the CTO.
6.5.3. The CTO shall ensure that the logs are kept securely at least for 24 months.
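As an added example (written for this edit; it is not the policy’s own text nor code from the Company’s systems), the following Python writes access records carrying every element listed in 6.5.1, validates incoming log lines against that schema, counts denied accesses per User as input for the alerting component mentioned in 6.5.2, and checks whether a record is still within the 24-month retention window of 6.5.3. The JSON-lines format, the field names, the 730-day approximation of 24 months and the sample records are all constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Elements an access record must carry under 6.5.1 (field names are assumed):
# who accessed, from where, what was accessed, when, how, how much, and the decision.
REQUIRED_FIELDS = ("timestamp", "user", "source", "subject", "access_type", "scope", "outcome")
RETENTION = timedelta(days=730)   # 24 months (6.5.3), approximated as 730 days


def make_access_record(user: str, source: str, subject: str, access_type: str,
                       scope: str, outcome: str, when: Optional[datetime] = None) -> str:
    """Serialize one access event as a JSON line; only 'approved' or 'denied' is accepted."""
    if outcome not in ("approved", "denied"):
        raise ValueError("outcome must be 'approved' or 'denied'")
    when = when if when is not None else datetime.now(timezone.utc)
    record = {"timestamp": when.isoformat(), "user": user, "source": source,
              "subject": subject, "access_type": access_type, "scope": scope,
              "outcome": outcome}
    return json.dumps(record, sort_keys=True)


def missing_fields(line: str) -> List[str]:
    """Return the 6.5.1 elements absent from a log line (a malformed line is missing all of them)."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return list(REQUIRED_FIELDS)
    return [f for f in REQUIRED_FIELDS if f not in record or record[f] in (None, "")]


def denied_per_user(lines: Iterable[str]) -> Dict[str, int]:
    """Count denied accesses per User; the result feeds the alerting component of 6.5.2."""
    counts: Dict[str, int] = {}
    for line in lines:
        if missing_fields(line):
            continue  # incomplete lines are reported separately, not counted here
        record = json.loads(line)
        if record["outcome"] == "denied":
            counts[record["user"]] = counts.get(record["user"], 0) + 1
    return counts


def within_retention(line: str, now_iso: str) -> bool:
    """True while the record's timestamp lies inside the 24-month retention window (6.5.3)."""
    recorded = datetime.fromisoformat(json.loads(line)["timestamp"])
    return datetime.fromisoformat(now_iso) - recorded <= RETENTION


# Constructed sample log: three well-formed records and one that omits its scope.
_T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    make_access_record("jdoe", "10.0.0.12", "customers.db", "read", "table:orders", "approved", _T0),
    make_access_record("jdoe", "10.0.0.12", "customers.db", "delete", "table:orders", "denied",
                       _T0 + timedelta(minutes=1)),
    make_access_record("jdoe", "10.0.0.12", "customers.db", "delete", "table:orders", "denied",
                       _T0 + timedelta(minutes=2)),
    json.dumps({"timestamp": _T0.isoformat(), "user": "asmith", "source": "10.0.0.20",
                "subject": "hr.db", "access_type": "read", "outcome": "approved"}),
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(missing_fields(line) or "complete")
    print(denied_per_user(SAMPLE_LOG))
```

Incomplete lines are excluded from the denied-access count on purpose: a record that lacks one of the 6.5.1 elements is itself a finding to report, and counting it would hide the gap in the trail.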
6.6. Computer Equipment
6.6.1. The Country Manager / CEO will ensure that employees who have been assigned mobile computers to assist them in the performance of their duties, will act in accordance with the following guidelines:
6.6.1.1. the use of Laptop in the Company will be mainly for work purposes;
6.6.1.2. the Information Security rules that apply to work stations will also apply to Laptop;
6.6.1.3. the User will lock the Laptop with a personal Password (using the screensaver) immediately when the User pauses or finishes work on the computer;
6.6.1.4. the User will ensure that the Laptop is under User’s supervision at all times;
6.6.1.5. it is forbidden to leave Laptop in a vehicle unattended;
6.6.1.6. the User will keep the device in a safe place in User’s home, ensuring there is at least one lock between the exterior and the device;
6.6.1.7. if the Laptop is lost, the User will report immediately to the Country Manager / CEO.
6.6.2. The employee of the Company authorized to do so will assign a fixed telephone to the new employee.
6.7. Smartphones
6.7.1. The authorized employee will configure, or instruct the employee to configure, synchronization of security and version updates for the smartphone.
6.7.2. The authorized employee will either configure, or instruct the employee to configure, synchronization, version and security updates for the Smartphone.
6.7.3. The CTO and / or the Country Manager / CEO will define, as needed, encrypted access from the Smartphone to the Company's systems that require identification.
6.7.4. The smartphone holder is responsible for maintaining the confidentiality of the information contained in the device, and deleting the information stored on the device before handing it over to another party (who does not work for the Company) either for repair or for any other purpose.
6.7.5. A lost, stolen or hacked smartphone will be immediately reported to the CTO.
6.7.6. The CTO will delete the information on the smartphone (WIPE) when the device is lost / stolen as much as technologically possible and with the approval of the employee.
6.8. Change of Authorization during work
6.8.1. The Country Manager / CEO / the direct manager of the employee will report in writing to the CTO and accounting the decision to change the employee's position and will specify the Permissions necessary for the employee to carry out the employee’s new role.
6.8.2. The CTO will perform a process of closing the employee's previous Permissions on the network and in the information systems, and opening Permissions according to employee’s new position in accordance with the directives of the direct manager.
6.8.3. The Country Manager / CEO will verify the return of material belonging to the Company that is not required by the employee in the employee’s new position and will have the employee sign a document stating that everything required was returned.
6.8.4. The CTO will block Authorizations in the network and in the information systems during a long absence of an employee (such as maternity leave) and will reopen the Permissions upon the return of the employee.
6.8.5. The direct supervisor will update the “access Permissions” document according to the change.
6.8.6. The CFO will ensure to keep the notifications of employee’s role changes in a dedicated folder.
6.9. Cancelling Permissions in case of employee's departure
6.9.1. The Country Manager / CEO / direct manager of the employee will notify in writing to the CTO about the employee's departure.
6.9.2. The direct supervisor will send an email with a list of services which the employee had access to and will ensure their closure.
6.9.3. The CTO will cancel the employee's Authorizations on the network, in the Company's information systems and the remote access. During the overlap period, the CTO will clarify with the employee’s direct manager what Permissions should be left to the User until the end of the overlap period.
6.9.4. The CTO will replace the access Password of the departing employee's computer.
6.9.5. The CTO will delete (WIPE) the information on the smartphone of the employee who leaves, as much as technologically possible, with the approval of the employee.
6.9.6. The Country Manager / CEO will verify the return of materials belonging to the Company by the employee and have the employee sign an "exit document" stating that the employee does not possess equipment or information belonging to the Company.
6.10. Permissions granting to providers (infrastructure providers)
6.10.1. When the Company starts to work with a new provider, provider’s direct supervisor will reach out by an email to the CTO and indicate the Permissions required for the provider.
6.10.2. The CTO will limit the provider’s Permissions to the infrastructure supported by the provider only and, as far as technologically possible, to a period of one year.
6.10.3. The CTO will define the provider’s Permissions on the network and information systems and will grant the provider only encrypted access (VPN) with strong identification (such as a Token).
6.10.4. The CFO will ensure to keep the notifications of provider’s Permissions in a dedicated folder.
6.10.5. The authorized employee of the Company working with the provider will update the CTO about the Permissions granted to the provider.
6.10.6. The authorized employee of the Company will document the provider’s Permissions and transfer them for the audit of Information Security.
7. MONITORING
7.1. The CTO shall ensure the receipt of relevant documents (e.g. ISO27001) from the holders once a year.
7.2. The CTO shall ensure the Users’ Permissions being updated once in a year.
7.3. The CTO shall conduct a periodic review on the anti-virus and the operating systems update.
7.4. The CTO/operating team member:
7.4.1. will monitor the active Users’ Permissions on network on quarterly basis;
7.4.2. will monitor the Users’ Permissions on the Company’s information systems once every 1 (one) month;
7.4.3. will monitor the Users’ Permissions on systems administrator once every 3 (three) months;
7.4.4. will monitor the Users’ Permissions authorized to the remote access once every 3 (three) months;
7.4.5. will define an automatic block for employees who have not used the information systems for a long period of time, as far as technologically possible;
7.4.6. will monitor vendor Permissions once every 6 months;
7.4.7. will document the Permission’s monitoring. The documentation will be kept by the CFO in a dedicated folder;
7.4.8. will ensure the filing of employee hiring/departure notifications and approved Database security procedure in a dedicated folder.
8. RESPONSIBILITIES
8.1. The direct manager of each employee is responsible for applying the procedure to the employees under him / her.
8.2. The Country Manager / CEO is responsible for monitoring the implementation of the procedure.
8.3. The Country Manager / CEO is responsible for updating the procedure.
9. FINAL PROVISIONS
9.1. The procedure shall come into effect once approved.
9.2. The procedure shall be introduced to the Company’s staff against signature.
9.3. The procedure shall be revised once a year and updated as necessary.