Data protection policy

BY Patrick
Oct 5, 2018

Table of content

Data protection policy

Collected data

General rules

Information classification

Resources management

Information protection

Resources protection

Information access requirements

End-users privacy policy

What personal information do we collect from the people that visit our app?

How do we use your information?

How is user content shared?

How do we protect user information?

Do we use ‘cookies’?

Third-party disclosure

Third-party links

Information obtained from third-party services

Does our platform allow third-party behavioral tracking?

COPPA (Children Online Privacy Protection Act)

How do you delete your account?

Changes to this Policy

Policy compliance

 

Security policy

Governing Policy

Definition of information security system

Security System objectives and scope

Importance of security

Statement of management intent

Security principles and standards

Definition of responsibilities for information security and data protection

User Policy

General use

Access Policy

Authentication and Accountability

Passwords

General Software and Network activities

Hardware

Physical Security

Data Classification

Document Handling

Data Files

Email

Internet

End-User Support Policy

Guidelines on Antivirus Process

Incident management

 

Data protection policy

Collected data

ATOBI – a innovative, low-cost and highly effective engagement and execution platform for Brand, Retail and Hospitality companies. The Platform combines gamification, nudging and habit change expertise with a unique understanding of the industry. It enables clients to increase sales and customer in-store experience while cutting training costs in half and reducing number of systems they use and integrating with relevant systems: POS, ERP.

ATOBI is intended to operate only with following information:

  • Profile: name, position code, email, spoken language, photo (avatar)
  • User participation in activities and competitions defined by platform administrator
  • Users comments and pictures relevant for the business context they take by themselves while commenting to competitions
  • Information system usage measurements to improve user experience

ATOBI is used by clients supporting non-core processes towards staff in physical locations: staff management, tasks scheduling, communication. System rules handle user workflow, data validation, internal controls and authority limits, connectivity/integration with other systems (like POS, ERP). Primary work-streams are:

  • Tasks management
  • Competitions management
  • Administrative tasks
  • Reports Engine

ATOBI is a web application with de-centralized storage for each client. ATOBI is built to support centralized management and reporting. Remote access to ATOBI is allowed for administration purposes.

Access to the workflows and data fields is controlled by configurable user role based system. Access to system configuration is also controlled by specific user roles. All changes to the configuration are logged.

 

General rules

  1. These Internal Rules of the Information System Security and Data Protection, hereinafter the “Rules”, stipulate the order in which ATOBI, hereinafter the “Company” keeps and processes its information in any it’s form, including the third person information and physical person information in particular.
  2. Pursuant the any Service Agreement signed with Clients the Company will be bound by and its operations related to the information security as defined in the Company’s Security Policy (for End-Users).
  3. Binding to the Company and its employees are the regulations of the law of the “On Personal Data Protection” and regulations.
  4. The Rules are developed basing on the analyses of the potential risks and their probability, in order to decrease the threats to the Information System.
  5. The purpose of these Rules is to ensure the integrity, congruence and information confidentiality by the means of physical protection (protection against threats to data protection system created by physical actions) and logical protection (protection, which is implemented by the software means, passwords, encrypting, etc.)

 

Information classification

  1. Depending on the potential damage to the information source or the Company in the case of the failure to ensure the information integrity or availability, the information possessed by the Company is classified as MEDIUM RISK information.
  2. Depending on the potential damage to the information source or the Company in the case of the failure to ensure the information confidentiality, information possessed by the Company is classified as CONFIDENTIAL information.
  3. Information, which contains data on physical persons in all cases shall be regarded as information of the degrees described in 2.1. and 2.2. of these Policy and Procedures.
  4. The description of the information confidentiality according to the degrees defined in Paragraphs 2.1. and 2.2. is provided in Policy and Procedures document.

 

Resources management

  1. The Company board by a resolution appoints:
  2. The Holder of Information Resources;
  3. The Holder of Technical Resources;
  4. The authorities of each employee to access and process personal data in accordance with the employee’s job responsibilities.
  5. The Holder of the Information Resources in responsible for: the security of physical person data, risk analyses, provision of logical protection measures, system administration records, their storage and availability for audit, the levels of Information System user authorities and rights, backup copies of information resources, their storage and data recovery in case of trouble.
  6. The Holder of the Technological Resources is responsible for the measures of the physical protection, risk analyses, replacement of technical resources.
  7. The holders of the Information Resources and Technical Resources define the duties of the employees in the information system security area and ensure the training of employees and checking of their knowledge.
  8. Company employee – System Administrator – is responsible for the data carrier registration, transfer, organizing, copying. The Holder of the Information Resources appoints a substitute for fulfilling the above functions for the time of absence of the System Administrator.
  9. Not less than two times a year the Company carries out the internal audit of the personal data system in accordance with the plan developed by the Holder of the Information Resources.
  10. The Holder of the Information Resources writes a report on every tracked breach of the Rules that threatens or may threaten the security of personal data, reports about this breach as well as takes measures to control (e.g. remove unintended information entered by the user) and cure the breach, to diminish the damage and prevent a repeated threat.
  11. If the data have to be restored as the result of the damage, it shall be documented what data will be restored and in what procedure.
  12. The Company develops a system of privileges in order to minimize the risk of breaching the logical protection of the Information System.
  13. Any questions regarding the information security that the employee may have shall be referred to the Holder of the Information Resources or its appointed person.

 

Information protection

  1. The security measures of the Information System are stipulated in accordance with the classification of Section 2 of these Rules.
  2. Information and data, which are necessary in order to access the information stored in the information system shall have the same confidentiality level as the stored information.
  3. During the whole period of its storing the information is protected by cryptographic protection.
  4. The local network is protected from threats from the external networks by the following means:
    1. Anti-virus software for each user computer, which is updated every time the computer is turned on, but not less frequently than once a day. The anti-virus software has to be adequate to ensure the screening of all electronic mails and their attachments.
  5. The information transmission through the external networks is ensured by cryptographic protection where needed.
  6. The user access to the Information System from external networks is allowed only when there is ensured the same security level of Information System as if the user accesses the system from the local network.
  7. Data carriers cannot be left in places where the physical protection adequate to the threats to the Information System is not ensured.
  8. The data carriers shall indicate that they contain information with a confidentiality degree.
  9. Computers are assigned to employees with an order issued by the Holder of the Technical Resources.
  10. Each user of the Information System is assigned a unique user code. The password is known only by the Information System user.
  11. New Information System user profile for Company employee is registered only when there is documented request from the direct supervisor of this employee. In the case of Information System user’s or System Administrator’s duties change or in the case of job relations termination, rights of Information System user or System Administrator are immediately changed or cancelled.
  12. After finishing work the employee shall leave the computer in such a position that the work can be resumed only after entering the employee’s password (authentication of the Information System User).
  13. Only such software and in such configuration is used In employees’ personal computers which is necessary for the performance of job description functions.
  14. The Company’s requirements for the audit records of the Information System are as follows:
    1. Audit records shall be protected by the means of the logical protection;
    2. Information System traces the following audit records: successful access, unsuccessful access, user register, user time register, transaction register;
    3. Time of storing of audit records is not limited.
  15. Electronic data backup copies are created at least once per day by preserving it information in cloud based solution. The copying of the server’s hard disk content and configuration is ensured.
  16. Electronic data backup copies are checked once a week;
  17. Electronic data backup copies are stored for one month;
  18. Electronic information is coded by passwords.
  19. Additional security is provided to the information stored electronically:
    1. Network access is monitored, the user access is blocked after three unsuccessful authentications of the user, there is no possibility that two or more users with one password could simultaneously use the Information System;
    2. The network supervision is performed only by authorized persons.
  20. User information is deleted completely on request

 

Resources protection

  1. The Holder of Technical Resources ensures the security of the room where the Information System is located.
    1. The premises are equipped with alarm system and code lock.
    2. The entrance in the premises is guarded.
    3. The employees are responsible for locking the premises if no other employees remain in the office.
    4. The premises are equipped by alarm system that reacts to smoke and/or increase of temperature.
  2. The Holder of the Technical Resources ensures that the physical and climate environment guarantees the preservation of the Information System and its protection from physical damage related to changes of temperature, interruption of power supply, humidity. The uninterrupted power supply is ensured.
  3. The information system servers are kept in separate locked rooms, where access is provided only to the Holders of the Information Resources and Technical Resources and the System Administrator, or invited specialists supervised by the above persons.

 

Information access requirements

  1. The employees have no right to disclose data of physical person without a written permission of these persons and to provide information without a substantiated written request, except for cases provided by the law and the agreement with the data subject.
  2. In the case of providing personal data the employee shall store information on the following:
    1. time of provision of data;
    2. person, who has received the personal data;
    3. personal data that was provided,
    4. person, who has received data,
    5. basis of provision of data.
  3. The employees are entitled the access to the personal data only in relation to and for the performance their job responsibilities.
  4. The duty of the employees is to ensure that confidential information in paper format is not left in places available to the third persons, including occasional visitors. The duty of the Holder of the Technical Resources is to place warning signs at the rooms, which are not meant for visitors.
  5. Employees shall meet the visitors in rooms with ensured information security. Information carriers shall not be left in conference rooms without supervision.
  6. The originals of the agreements as well as other important documents creating rights or liabilities are kept in fireproof safes.

 

End-users privacy policy

We, at ATOBI (“we”, “us”, “our”, “our platform”), have built our app as a B2B app. If you choose to use our app, then you agree to the collection and use of information in relation to this policy.

This privacy policy has been compiled to better serve those who are concerned with how their ‘Personally identifiable information’ (PII) is being used online. PII is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. Please read our privacy policy carefully to get a clear understanding of how we collect, use, protect or otherwise handle your Personally Identifiable Information in accordance with our platform.

 

What personal information do we collect from the people that visit our app?

When registering in our app we may collect your full name, email address, username, work title and department information within your organization. We may also collect the content that you create on the platform that is public within your organization. Content includes but is not limited to text, video and images.

 

How do we use your information?

We may use the information we collect from you when you register to personalize and improve the user’s experience and to allow us to deliver information relating to your account (e.g. for purposes of account recovery or password reset).

 

How is user content shared?

The ATOBI app allows you to collaborate, share and discover information with users within your organization. Content shared within the platform via our app may be published to all users within that same organization. We also provide possibility that lets you share content privately (e.g. to your colleagues). Please note that anything you share privately with another user, may be posted to the organization by that user. We may use the content your share to enhance and improve our platform.

 

How do we protect user information?

We are continuously implementing and updating administrative, technical, and physical security measures to help protect your information against unauthorized access, loss, destruction, or alteration. All data are processed and stored using Amazon Web Services as our hosting provider. Data for EU customers is stored within EU region only.

 

Do we use ‘cookies’?

We uses cookies and similar technologies to help provide, protect, and improve the ATOBI Platform. We do not use cookies to store any personal information. You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser (like Internet Explorer) settings. Each browser is a little different, so look at your browser’s Help menu to learn the correct way to modify your cookies.

 

Third-party disclosure

We do not sell, trade, or otherwise transfer your personally identifiable information to outside parties.

 

Third-party links

Occasionally the app may contain links to third-party services. These third-party sites have separate and independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our platform and welcome any feedback about these sites.

 

Information obtained from third-party services

In some cases, we partner with third-party services that may provide information about you, if you have disclosed that information to that third-party and made it available for us, ATOBI, to access. We may use that information to personalize your app experience. We do not receive or store your password for third-party service accounts.

 

Does our platform allow third-party behavioral tracking?

We have not yet enabled Google Analytic in our app, but we may do so in the future. If so, this will provide insights for behavioral tracking.

 

COPPA (Children Online Privacy Protection Act)

When it comes to the collection of personal information from children under 13, the Children’s Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission, the nation’s consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children’s privacy and safety online.

We do not specifically market to children under 13.

 

How do you delete your account?

If you want to delete your account, you can do so by emailing us (see ‘Contacting Us’). Deleting your account may not remove all the content you have published from our app within your organization, as some of the public activity may remain stored and visible to users within your organization.

 

Changes to this Policy

We reserve the right to modify this Policy at any time in accordance with this provision. If we make changes to this Policy, we will post the revised Policy on the ATOBI Platform and update the “Last Updated” date at the top of this Policy. We will also provide you with notice of the modification by email at least thirty (30) days before the date they become effective. If you disagree with the revised Policy, you may cancel your Account. If you do not cancel your Account before the date the revised Policy becomes effective, your continued access or use of the ATOBI Platform will constitute acceptance of the revised Policy.

 

8. Policy compliance

The compliance of data protection and security procedures shall be evidenced quarterly by CEO and CTO

 

 

 

Security policy

1. Governing Policy

1.1 Definition of information security system

Information security system is concepts, techniques, technical measures, and administrative measures used to protect information and technical assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use.

 

1.2 Security System objectives and scope

The scope of an information security system is to address the security objectives of the organization. These security objectives include:

  • Information integrity, which is understood as accuracy, correctness and completeness of information and its processing methods
  • Confidentiality, which prevents unauthorized entities, individuals or processes from getting access to information
  • Accessibility, which assures that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them

 

1.3 Importance of security

Security is a critical element in the organization life cycle. Without proper attention to security, organization’s information technology may become a source of significant mission risks. With careful planning from the earliest stages, security becomes an enabler, supporting and helping to achieve organization mission.

 

1.4 Statement of management intent

Management recognizes that security of informational and technical assets is vital for the existence and development of the company. Used responsibly information can help company serve customers better. Information is asset, sometimes – invaluable asset. But, advances in communications technology bring growing concerns of information security. Therefore management takes security concerns very seriously and puts special attention to maintenance of information security. Management treats security as a part of the company strategic development plan and will promote security within organization through appropriate commitment and adequate resourcing.

 

1.5 Security principles and standards

Security Principals

  • Establish a sound security policy as a foundation of security system design
  • Properly allocate responsibilities for security
  • Reduce risks to an acceptable level
  • Strive for simplicity and operational ease-of use of security controls
  • Implement security through a combination of measures distributed physically, logically, and administratively
  • Identify informational assets and clearly define security processes
  • Always authenticate users and processes to ensure appropriate access control
  • Use unique identities (for users and processes) in order to achieve accountability
  • Isolate public access systems from mission critical resources
  • Design and implement audit mechanisms to detect unauthorized use and to investigate incidents
  • Protect information while being processed, in transit and in storage
  • Develop and exercise disaster recovery procedure to ensure operational availability
  • Design security to allow adoption of new technology, including technology upgrade process
  • Identify and prevent common errors and vulnerabilities
  • Ensure that the team is trained on how to develop secure software
  • Ensure that the team is trained on how to protect information.

Security Standards

Information security should be aligned with ISO 27001 requirements.

 

1.6 Definition of responsibilities for information security and data protection

General responsibilities for information security

Effective security is a team effort involving the participation and support of every Company’s employee and affiliate who deals with information and/or information systems. It is the responsibility of every company employee to know security policy guidelines, and to conduct their activities accordingly.

 

Specific Responsibilities for information security

Specific responsibilities for information security are carried by:

  • Management committee (IT Strategy committee) lead by Data Protection Officer
  • The Holder of Information Resources (further HIR)
  • The Holder of Technical Resources (further HTR)
  • The System Administrators.

All above listed people and committees must be appointed and approved by Company management.

The section below outlines responsibilities of above listed committees and individuals with respect to information security.

 

Management committee responsibilities

Management committee, also called IT Strategy Committee, initiates and controls the implementation of information security within the organization. It should consist of key business and technology managers and IT contractors. This committee must carry out the following key responsibilities:

  • Ensure that data protection and security policies are part of company process
  • Review and adapt Data Protection and Security Policy (further SP)
  • Approve changes in SP
  • Review and monitor incidents
  • Approve major initiatives with respect to data protection and security policies
  • Coordinate implementation of security controls
  • Approve specific roles and responsibilities towards company security
  • Control allocation of responsibilities to protect individual assets or carrying out specific processes
  • Control of proper assignment of asset ownership and proper documentation of responsibility towards assets
  • Control training on security issues, and regular update in policies and procedures
  • informing the organisation and its employees who are processing personal data of their obligations under the GDPR
  • monitoring compliance with the GDPR
  • providing advice regarding privacy impact assessment
  • cooperating with Supervisory Authorities
  • acting as a point of contact for the Supervisory Authorities

 

HIR responsibilities

  • Determining the authority of each employee to access and process person data in compliance with the duties of each employee.
  • the security of the following assets:
  • Information Systems
  • Physical person data,
  • Risk analyses,
  • Provision of logical protection measures,
  • System administration records, their storage and availability for audit,
  • The levels of Information System user authorities and rights,
  • Backup copies of information resources, their storage and data recovery in case of trouble.
  • accessibility to Company’s information resources;
  • for ensuring that external service providers of information technologies provide system security level that is not lower than determined by the Company;
  • ensures that the rights of external providers of information technologies to access the Information system are determined on the ground of their duties;
  • For the development, improvement, implementation and changes of Information system as well as the process of its usage termination, documentation and security. The HIR\ allocates resources, develops the rules for such process taking into account the requirements of Information system security regulations of Finance and Capital market members and submits them to the Management for approval;
  • ensures elaboration of Information system recovery plan and manages regular trainings of persons involved in this plan and testing of the plan;
  • ensures elaboration of methodic of information system risk analysis;
  • for proper reporting on every tracked breach that threatens or may threaten the security;
  • reports to the Management about performance of the requirements listed in these rules;

 

HTR responsibilities

  • The HTR is responsible for the measures of the physical protection, risk analyses, replacement of technical resources.
  • The HTR collaborates with the Holder of Information Resources to implement security tasks of Information system.
  • The HTR helps HIR to define the duties of the employees in the information system security area and ensure the training of employees and checking of their knowledge.

 

System Administrator responsibilities

The system configuration management, system data entry, user authorization, network services. The HIR appoints a substitute for fulfilling the above functions for the time of absence of the System Administrator.

 

2. User Policy

2.1 General use

Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of Company. These systems are to be used for business purposes in serving the interests of the Company, and of our clients and customers in the course of normal operations.

Effective security is a team effort involving the participation and support of every Company employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

All data that users create on the corporate systems remains the property of Company. Because of the need to protect Company network, management cannot guarantee the confidentiality of private information stored on any network device belonging to Company.

For security and network maintenance purposes, authorized individuals within Company may monitor equipment, systems and network traffic at any time. Company reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

 

2.2 Access Policy

Access to all computing systems, documents and files and other resources on the corporate network is strictly controlled to prevent unauthorized access. Access is restricted unless explicitly authorized. Access is authorized by the owner of the resource and such access, including the appropriate access rights (or privileges) is recorded in the User Authorization Request (UAR).

The direct supervisor of the user is in charge for timely submitting the UAR. The System Administrators are in charge for proper and timely processing of UAR.

The request for user authorization is absolutely required after:

  • Hiring of the user. Account must be created not later than at the day, when the employment starts.
  • Termination of employment. Account must be disabled immediately after termination of employment.
  • Changing of the employee position. Account must be configured in parallel with the changes to the job description.
  • Changing of responsibilities/rights of the employee or change of business process. Request must be sent at the same time when the new policy is issued or job description is changed.
  • Account locking after several unsuccessful logins. Request must be sent right after locking.

The request for user authorization may be required in other situations; these are up to management decision.

The user must be informed about informational and technological resources he has been granted access to. All user actions towards access of not-granted resources are strictly prohibited.

 

2.3 Authentication and Accountability

User Authentication is the process when the system verifies the eligibility of an individual to carry out a desired action, thereby ensuring that security is not compromised by untrusted source.

Every user or process must have a unique identifier (login) that will allow maintaining accountability and traceability of a user or process. Allowing use of your account by others is prohibited.

Having unique identifiers will provide for non-repudiation (which is the verification process of occurrence or non-occurrence of an action), and enforce access control decision.

 

2.4 Passwords

The selection of passwords, their use and management as a primary means to control access to systems is to strictly adhere to best practice guidelines. Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Company’s entire corporate network. As such, all Company employees (including contractors and vendors with access to Company systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

  • All passwords must be changed on at least a quarterly basis;
  • Passwords must not be inserted into email messages or other forms of electronic communication;
  • Passwords shall not be shared with any other person for any reason;
  • The best practice of storing password is storing them in your memory. Passwords can be also stored in the places with high security (safes, confidential folders) if encrypted.

Poor, weak passwords have the following characteristics:

  • The password contains less than eight characters
  • The password is a word found in a dictionary (English or foreign)
  • The password is a common usage word such as:
  • Names of family, pets, friends, co-workers, fantasy characters, etc.
  • Computer terms and names, commands, sites, companies, hardware, software.
  • The words ATOBI or any derivation.
  • Birthdays and other personal information such as addresses and phone numbers.
  • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
  • Any of the above spelled backwards.
  • Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Strong passwords have the following characteristics:

  • Contain both upper and lower case characters (e.g., a-z, A-Z)
  • Have digits and punctuation characters as well as letters e.g., 0-9, [email protected]#$%^&*()_+|~-=\`{}[]:;<>?,./)
  • Are at least eight alphanumeric characters long
  • Are not words in any language, slang, dialect, jargon, etc.
  • Are not based on personal information, names of family, etc.
  • Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: “This May Be One Way To Remember” and the password could be: “TmB1w2R!” or “Tmb1W>r~” or some other variation.

NOTE: Do not use either of these examples as passwords!

Do not use the same password for Company accounts as for other non-Company access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don’t use the same password for various Company access needs. For example, select one password for the Windows systems and a separate password for Accounting system.

Do not share Company passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as Confidential Company information.

Here is a list of “dont’s”:

  • Don’t reveal a password over the phone to ANYONE ,
  • Don’t reveal a password in an email message
  • Don’t reveal a password to the boss
  • Don’t talk about a password in front of others
  • Don’t hint at the format of a password (e.g., “my family name”)
  • Don’t reveal a password on questionnaires or security forms
  • Don’t share a password with family members
  • Don’t reveal a password to co-workers while on vacation

If someone demands a password, refer him or her to this document or have him or her call information Security Administrator. Do not use the “Remember Password” feature of applications. Do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption. If an account or password is suspected to have been compromised, report the incident to HIS and change all passwords. HIS or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user will be required to change it.

 

2.5 General Software and Network activities

All software installations, downloads and replacements must be done by authorized personnel only (System Administrators) with accordance to the approved list of software.

The following actions are strictly prohibited, with no exceptions:

  • Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Company.
  • Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Company or the end user does not have an active license is strictly prohibited.
  • Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
  • Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
  • Making fraudulent offers of products, items, or services originating from any Company account.
  • Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
  • Port scanning or security scanning is expressly prohibited unless prior notification to HIR is made.
  • Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duty.
  • Circumventing user authentication or security of any host, network or account.
  • Interfering with or denying service to any user other than the employee’s host (for example, denial of service attack).
  • Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s terminal session, via any means, locally or via the Internet/Intranet/Extranet.
  • Providing information about, or lists of, Company employees to parties outside Company.

 

2.6 Hardware

Equipment is always to be safeguarded appropriately – especially when left unattended.

Computer equipment that is logged on and unattended can present a tempting target for unscrupulous staff or third parties on the premises.

  • Unauthorized access of an unattended workstation can result in harmful or fraudulent entries, e.g. modification of data, fraudulent e-mail use, etc.
  • Access to an unattended workstation could result in damage to the equipment, deletion of data and / or the modification of system / configuration files.

After finishing your working day, you must log-off (Ctrl+Alt+Del -> Log Off or switch off computer). Never leave your computer without supervision if you are logged in. For short leave, block your login Ctrl+Alt+Del -> Lock Computer.

Using a Company computing asset to engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction is strictly prohibited.

The use of personal information processing facilities in the workplace for processing business information is generally prohibited, because it may cause vulnerabilities. However in some exceptional cases it is allowed after approval and authorization of HIR.

 

2.7 Physical Security

Hosting service provider must ensure must guarantee that physical access to high security areas is to be controlled with strong identification and authentication techniques. Staff with authorization to enter such areas is to be provided with information on the potential security risks involved.

 

2.8 Data Classification

All Company information is classified into 2 categories:

  • Public
  • Confidential

Company public information is information that has been declared public knowledge and can freely be given to anyone without any possible damage to Company.

Company Confidential contains all other information. It is information to be protected very closely, such as:

  • The commercial secrets, including remuneration policy, provisions of the employment contract, contracts, agreements and other documents to which the Company is a party or any of its clients is a party, its assets and liabilities, bank accounts, banking and bookkeeping operations, correspondence (except personal), business or marketing practices or procedures, trade secrets, computer software, computer network and passwords;
  • Lists, books, records, draft projects, descriptions, sales materials and other documents and data, including computer files, discs, memory, print-outs and other information pertaining to the business of the Company learned through actual or anticipated business, work, research or investigations, or which result from use of the Company premises or property;
  • Information that is provided by Clients’ users while using the ATOBI platform: user profile: name, position code, email, spoken language, photo (avatar); user participation in activities and competitions; users comments and pictures relevant for the business context they take by themselves while commenting to competitions; Information system usage measurements to improve user experience.
  • The clients or partners of the Company, their obligations to the Company, financial situation, contracts, agreements and other documents received from or entered into with them.

Company personnel are encouraged to use common sense judgment in securing Company Confidential information. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should look for the answer in security policy and confirm with contact their manager.

 

2.9 Document Handling

Hard copies of confidential material must be protected and handled according to the distribution and authorization levels specified for those documents.

Remove papers from the desk. Store them in suitable cabinets and furniture. Lock confidential information.

Remove confidential information, when printed or faxed, from printer and fax immediately.

All employees have to be aware of the risk of breaching confidentiality associated with the photocopying (duplication) of sensitive documents. All information used for, or by the Company, must be filed appropriately.

All documents of confidential nature are to be shredded when no longer required. The document owner must authorize or initiate this destruction.

The designated owners of documents that contain confidential information are responsible for ensuring that the measures taken to protect their confidentiality, integrity and availability, during and after transportation or transmission, are adequate and appropriate.

All users of information systems must manage the creation, storage, amendment, copying and deletion / destruction of data files in a manner which safeguards and protects the confidentiality, integrity, and availability of such files. The degree to which software techniques and disciplined user procedures are necessary will be set by management and determined by the classification of the information / data in question.

 

2.10 Data Files

All users of information systems whose job function requires them to create or amend data files, must save their work on the system regularly in accordance with best practice, to prevent corruption or loss through system or power malfunction. Data Files of common usage should be saved to the dedicated shared folders on server. Confidential files should be saved on the confidential folders on servers.

The naming of the Company data files must be meaningful and capable of being recognized by its intended users.

  • Saving data on a local workstation disk (e.g. the ‘C drive’) may appear more convenient but it can limit access by colleagues and will not be backed up.
  • Saving data on your ‘system disk’ (e.g. the ‘C’ drive) is particularly risky as any requirement to upgrade / replace the operating system would likely destroy the data files.

Temporary files on users’ PCs and laptops are to be deleted regularly to prevent possible misuse by possible unauthorized users.

Draft version(s) of reports must be deleted or archived following production of a final version. A single version of the file should be retained for normal operational access.

 

2.11 Email

E-mail should only be used for business purposes, using terms that are consistent with other forms of business communication. Incoming e-mail must be treated with the utmost care due to its inherent Information Security risks. Email server must scan all attachments for possible viruses or other malicious code.

Unsolicited e-mail is to be treated with caution and not responded to. Computer files received from unknown senders are to be deleted without being opened.

Ensure that information you are forwarding by e-mail (especially attachments) is correctly addressed and only being sent to appropriate persons.

Keep all business emails. Recommended retention period for emails is 1 year. Emails that are older than 1 year or in case if email box limit is exceeded should be archived.

Email via approved mail client only (Outlook mail client). Run it always during working hours.

The following activities are strictly prohibited, with no exceptions:

  • Sending unsolicited email messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
  • Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
  • Solicitation of email for any other email address, other than that of the poster’s account, with the intent to harass or to collect replies.
  • Creating or forwarding “chain letters”, “pyramid” schemes of any type.
  • Use of unsolicited email originating from within Company networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by Company or connected via Company’s network.
  • Posting the same or similar non-business-related messages to large numbers of newsgroups (newsgroup spam).
  • Postings by employees from Company email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of Company, unless posting is in the course of business duties.

 

2.12 Internet

Internet should only be used for business purposes. Persons responsible for setting up Internet access are to ensure that the Company network is safeguarded from malicious external intrusion by deploying, as a minimum, a configured firewall. Management must ensure that all personnel with Internet access (including e-mail) are aware of, and will comply with, an acceptable code of conduct in their usage of the Internet in addition to compliance with the Company Information Security Policies. Great care must be taken when downloading information and files from the Internet to safeguard against both malicious code and also inappropriate material. Management is responsible for controlling user access to the Internet, as well as for ensuring that users are aware of the threats, and trained in the safeguards, to reduce the risk of Information Security incidents. Staff authorized to make payment by credit card for goods ordered on the Internet, are responsible for its safe and appropriate use.

Web browsers are to be used in a secure manner by making use of the built-in security features of the software concerned. Management must ensure that staff is made aware of the appropriate settings for the software concerned. Information obtained from Internet sources should be verified before used for business purposes. Company will use software filters and other techniques whenever possible to restrict access to inappropriate information on the Internet by staff. Reports of attempted access will be scrutinized by management on a regular basis.

 

2.13 End-User Support Policy

The scope of the user support

The scope of the user support involves management of issues related to ATOBI software and its modules. Support must be done via specialized entity – Help Desk (further – Help Desk).

Communication with the Help Desk

Software users have to contact Help Desk and clearly describe problem they have. The following types of issues should be communicated to the Help Desk:

  • Problems (system errors, crashes, mistakes in calculations, etc)
  • Inquiries (“how does it work?”)
  • Suggestions for system improvements

When reporting the problem, the user must double-check if the problem really exists and if the situation is not covered by the User Guide yet. It is strongly recommended not to report the problem to any IT employee except the Help Desk specialist. Users should use email channel or electronic issue tracking tool (Jira or simple request form) when submitting low and medium priority requests. Only requests of high priority (ones that must be solved immediately, otherwise Company is under the threat to suffer losses) can be reported by phone or walk-in. Software users have to clearly describe the circumstances under which the problem has occurred and attach to the request illustrative stuff – reports, screenshots with error, etc.

 

Responsibilities of the Help Desk

First of all the Help Desk must process support requests corresponding to the type of “problems”, and after that – inquiries and suggestions. The Help Desk personnel take ownership for resolving the problem with respect to users data privacy. If Help Desk personnel can’t answer the question or provide a solution, they contact technicians and/or software specialists, coordinating efforts until the issue is closed. Help Desk personnel keep user informed of issue status. The Help Desk is in charge for fast and efficient collection of all necessary information from the user. The Help Desk must clarify how urgent is the problem and prioritize problems, in order to minimize repeated calls, user downtime, and frustration.

The Help Desk personnel must possess enough system and business process knowledge to provide answers to routine questions quickly, help the user learn how to perform simple diagnostics and functions, understand the applications, and be able to identify effectively what resources are necessary to handle a problem.

The Help Desk must use problem tracking system (Jira) for all incoming requests that they cannot answer on-fly. The Help Desk must set deadline for the problem resolution, based on the input received from the user and available IT resources that will process the request. This will give the CEO the knowledge necessary to take preventive action, ideas about risky areas in the system and better focus training efforts. Building a knowledge base also enables the Help Desk personnel to share successful solutions for quicker resolution of problems. The Help Desk must encourage users to use issue tracking system Jira and grant access to this system for all users who has requested it.

The Help Desk must regularly check for items overdue and strive to avoid such situations. If item became overdue due to IT, the Help Desk must inform the user about this and find solution in this situation. Generally progress of all support issues except ones of High Priority must be monitored. When problem is solved, the Help Desk specialist must make sure that the user is informed about this and user guide covers this issue. If it does not, the Help Desk personnel must submit the work order to person in charge for documentation update. Sometimes the work order may be sent to QA specialist for Test Case update.

Help Desk must deliver high quality user support and associated cost reductions by combining highly trained personnel, reliable processes, and in-depth experience with cutting edge Help Desk tools and technology.

 

Help Desk availability and response time

The Help Desk ensures that help is there during business hours from Monday to Friday. Maximal response time of the Help Desk should not exceed 3 business hours.

 

Contact Help Desk

# Contact via Resource Recommended usage
1 Issue Use for low and medium priority problems, as well for
Tracking inquiries and suggestions
System Jira
2 Email Use for low and medium priority problems, as well for
inquiries and suggestions
3 Speed dial Use for high priority problems (ones that must be solved
immediately, otherwise the company will lose money)
4 Walk–in Use for high priority problems (ones that must be solved
immediately, otherwise the company will lose money)

 

2.14 Guidelines on Antivirus Process

Without exception, Anti-Virus software must be deployed across all PCs with regular virus definition updates and scanning across servers, PCs and laptop computers. Anti-Virus software must be chosen from a proven leading supplier.

The threat posed by the infiltration of a virus is high, as is the risk to Company systems and data files. Formal procedures for responding to a virus incident have to be developed, tested and implemented. Virus Incident response must be regularly reviewed and tested.

  • Never switch off the corporate standard anti-virus software installed for you.
  • Download and install anti-virus software updates as they become available.
  • NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then “double delete” them by emptying your Trash.
  • Delete spam, chain, and other junk email without forwarding.
  • Never download files from unknown or suspicious sources.
  • Always scan floppy disks for viruses before using it.
  • If you suspect that your computer is infected, immediately plug it out of Network, switch –off and contact System Administrator and your supervisor.

 

2.15 Incident management

To minimize damage from security incidents and malfunctions, and to monitor and learn from such incidents, the users of information services are required to report any weaknesses and threats to systems and services to the owners of systems (services).

The following actions are relevant:

  • Symptoms of problems
  • Computer should be isolated
  • Matter should be reported immediately

Management should quantify and monitor incidents and malfunctions.

RSS
Follow by Email
Facebook
Facebook
Google+
https://www-test.atobi.io/data-protection-policy">