Introduction
This document is a summary of the overarching security policy and is intended for the company's business partners. It summarizes the security controls and procedures the company uses to ensure information security. By reading it, a business partner becomes acquainted with how the information security management system operates and, therefore, with the expectations the company has for achieving and maintaining its level of data security management.
This summary is available through the Company's website. The Company reserves the right to make changes to the content of this document and thus adapt it to its own business needs, technical and organizational standards, as well as available solutions and the current situation in the field of information security.
Since the document is publicly available on the company's website, business partners are not notified individually when it changes – the business partner is expected to review and monitor the document regularly.
Purpose and scope
In order to ensure an adequate level of information security, the company has established an information security management system, which at certain points also touches on relations with business partners (you).
The information security management system addresses information security in four areas:
- organizational security,
- personnel security,
- physical security,
- technical security.
Risk-based decision-making
In order to determine security mechanisms and controls, the company has established a risk management process aimed at identifying, analyzing and assessing risks; security deficiencies are then managed on the basis of its results. Based on the risk assessment carried out, we determine the measures, which can be:
- organizational (behavioral measures such as policy-making, education and training, ...)
- technical, divided into
  - physical (measures that provide security at the physical level, such as a guard rail, doors or a safe, ...)
  - logical (measures that provide security at the logical level, such as passwords or multifactor authentication)
Regularly repeating the risk assessment also ensures that the information security management system is continuously improved and developed.
Information classification
All information used by the organization is classified according to its level of importance. Data classification lays down the basic conditions for handling and managing information as well as for the use and introduction of security controls.
Terms of business cooperation
In order to ensure adequate protection of information, the company concludes an appropriate non-disclosure agreement with partners whose cooperation goes beyond a plain sales relationship.
Physical security
The goal of physical security is to ensure adequate protection of physical assets, including access to the premises, the use of surveillance systems, other physical security devices and security controls.
Business partners who wish to attend a business meeting or carry out activities at the company's location must announce themselves to their contact person prior to the visit.
Parking for business partners visiting the company's headquarters is in the parking lot in front of the headquarters. Access to the premises is through a security guard rail; the dedicated door is equipped with a bell and a system for communication and remote opening of the door. Upon entering the protected zone, a notice is also displayed stating that the company area is under video surveillance.
After entering the area, visitors can move only accompanied by a contact or named person. For the purpose of general safety, all visitors are entered in the guestbook. Visitor records are stored in the guest book for a period of 1 year.
Independent entry and movement around the company's premises is possible for external contractors who carry out maintenance of critical support and information infrastructure. Their movement within the facility and within the protected zone must be coordinated beforehand with the contractual contact person.
Information and cybersecurity
Information security as a whole consists of the measures in place to protect information sources and data, and the measures in place to defend against security threats.
Business communication
Business partners and representatives of the company also carry out business communication and correspondence during cooperation. This is done through user accounts that business partners can recognize by the company domain (kopur.si). User accounts of other domains do not represent the official position of the company and are not used by employees for business communication.
Exchange of information
Depending on the type of business cooperation, partners may also carry out Electronic Data Exchange (EDI). In the event of such an exchange, the technical staff of both partners are involved to determine the concepts and requirements of technical implementation and other conditions of such communication.
In the event that the partners share data in a way that allows access to dedicated applications (web applications or remote access to the application), the application users are provided with relevant access data, which is considered a business secret. If technically feasible, a separate user account is used for each employee.
Use of business information systems and logical security
Business partners may, as part of mutual cooperation, also provide access to their information system resources and services. Password-based access verification uses unique usernames and passwords that comply with the following complexity rules: at least 8 characters, containing at least 1 uppercase letter, 1 lowercase letter and 1 number. Company names, usernames and other easily related markings (e.g. a vehicle registration number) are not used in the password. To the extent possible, multifactor authentication shall be used for access verification.
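The password rules above, expressed as a checker that a partner could run before issuing an account. This is an added example, not code from the policy or the company; the length and character-class rules are exactly as stated, while the "easily related marking" rule is implemented as a substring test against the username parts and the company name (taken from the domain kopur.si), which is an assumption, and the sample credentials are constructed.

```python
import re

# Constructed sample value: the only company name visible in the policy is the
# domain kopur.si, so "kopur" is used as the company-related marking here.
COMPANY_MARKINGS = ("kopur",)
MIN_LENGTH = 8


def related_markings(username: str, extra=COMPANY_MARKINGS) -> set[str]:
    """Tokens that must not appear in a password: parts of the username (e.g. the
    local part of an e-mail address split on dots, underscores, '@') and company
    names. Tokens shorter than 3 characters are ignored so that a two-letter
    fragment such as a country code does not reject every password (assumption)."""
    tokens = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", username) if len(t) >= 3}
    tokens.update(m.lower() for m in extra)
    return tokens


def check_password_policy(password: str, username: str, extra=COMPANY_MARKINGS) -> list[str]:
    """Return the list of violated rules; an empty list means the password complies."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"fewer than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        violations.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        violations.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        violations.append("no digit")
    lowered = password.lower()
    # Case-insensitive check for username parts and company names.
    for marking in sorted(related_markings(username, extra)):
        if marking in lowered:
            violations.append(f"contains easily related marking '{marking}'")
    return violations


if __name__ == "__main__":
    # Constructed sample account and candidate passwords.
    for pw in ("Tr0ub4dor&3", "Kopur2024", "short1A", "JaneDoe2024!"):
        print(pw, "->", check_password_policy(pw, "jane.doe@kopur.si") or "OK")
```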
The connections used for direct access to partner environments are protected with data encryption mechanisms (HTTPS, VPN or another mechanism agreed with technical staff).
Access control
Both partners communicate changes related to the list of users promptly, so access rights can be managed (added or revoked).
In order to keep the list of users up to date, it is also regularly reviewed and confirmed. The review period is agreed between the business partners.
Ensuring the secure operation of the information system
In order to ensure the operation of the company, an appropriately secured and maintained information system with appropriate support infrastructure (air conditioning, uninterruptible power supply – UPS and generators, Internet access through primary and secondary providers, ...) is in place.
The information system is subject to regular maintenance (system administration, capacity management) and appropriate updates (updates and upgrades) carried out by competent personnel. Capacity monitoring and management prevents system overload and ensures proper operation and responsiveness. Regular maintenance activities also include monitoring security deficiencies in the individual systems that make up the company's information system.
Both the support infrastructure and the infrastructure of the information system are subject to regular verification of the ability to operate in emergency situations (business continuity and operation test).
Management of security events
Regardless of the prepared and specified procedures for operating and handling the information system assets, and the implemented controls that ensure its intended operation, security events may occur. In case a security incident occurs, the company has a procedure in place to deal with it, as such incidents require a clear and effective response to minimize damage to the business and its operations.
In the event of a major security incident, we also notify business partners directly about the event (type and nature of the incident, status of the incident, impact on the business and its operations). Security incidents involving personal data are resolved in accordance with the applicable legislation that determines the procedures and measures in the field of personal data processing.
Responsibilities and powers
In our organization, we have clearly defined roles or functions that determine which tasks an individual can perform and which tasks he or she must perform. User roles in the information security management system are subject to regular review to ensure adequacy and alignment with business needs. User roles clearly define who is responsible for the operation of which security controls.
Training
Information system users must participate in regular training on the use of the information system and on handling data and information. As part of regular training and awareness-raising, users are informed about changes in procedures, standards, legislation and other aspects (e.g. requirements of business partners) that affect the information security management system.
Business partners are expected to monitor this summary of the overarching security policy (this document). This document is also available via the company's website.
Verification and assurance of compliance
The functioning of the information system shall be regularly checked for compliance. The compliance check consists of verifying that the operational information system complies with the company's security policy, and of verifying the company's security policy itself (does it meet the business needs and is it compliant with best practices).
The second set of verifications concerns compliance with legislation and standards in the field of information system management. This part of the compliance check is carried out through regular reviews (audits) of the system, including checks carried out by business partners.
The findings of the review are recorded, and on their basis the measures, the persons responsible for their implementation and the deadline by which the measures must be implemented are determined.
In the event that a measure requires a change in the configuration of the information system or a change to an asset that makes up the information system, this change must be approved by the company's management – the company's management approves all changes to the information system.
Business partner requirements
When determining security controls and mechanisms, we also take into account and respect the requirements of business partners relating to the handling and management of data and information. In case of any ambiguities, we research and determine these together with our business partner in such a way that there are no doubts about the use of security mechanisms and controls.
Legislation and regulation
Sectoral legislation and regulations relating to data management and handling are monitored regularly. Based on the changes, the overarching security policy and, consequently, this summary of the overarching information security policy are updated accordingly.
Publication and validity of the document
This document is published on the company's website and is valid from the date of publication.
Date of publication: 15.04.2024
Company's CEO