Information Security Policy

Solwit’s Management Board is authorized to represent the company and to make decisions about the purposes and means of data processing in the organization. The Management Board ensures that data processing at Solwit complies with the applicable legal provisions, in particular the provisions on the protection of personal data. Solwit’s Management Board is committed to continually adapting the management process, information processing and the quality of services provided to the level determined by recognized norms and standards, such as PN-ISO/IEC 27001:2017-06, PN-ISO/IEC 27002:2017-06, PN-ISO/IEC 27005:2014-01 and PN-ISO 31000:2018.

Aiming to create an information security management system that guarantees the protection of data processed by Solwit, the security of information relevant to the implementation of the company’s strategic goals, and the security of information that requires protection for other reasons, the Solwit Board introduces this Information Security Policy. The Policy establishes the basis for creating and improving the information security management system and sets general rules of conduct for all Solwit employees. At the same time, the Solwit Board declares that these principles will also be applied to third parties.

Confidential Information at Solwit is all data and records relating to the Solwit company, as well as all partner and client data owned by Solwit for collaborative projects that has been marked as confidential. Data under special protection is understood to be:

  • Personal data,
  • IT systems access data,
  • Information about technologies developed in the company,
  • Company’s financial information,
  • Information about customers,
  • Information about ongoing contracts (both planned, current, and historical),
  • Organizational information,
  • Information about a competitive advantage of a competitor,
  • Other information marked as “Solwit Confidential Information” or “Confidential information”.


DEFINITION OF SECURITY

Solwit Information Security is understood to be:

  • Confidentiality (preventing access to data by third parties),
  • Integrity of information (preventing unauthorized changes to data),
  • Availability of information (providing access to data when needed by authorized users),
  • Accountability for operations on protected information (a complete history of data access and of who obtained such access).

Solwit management has implemented specific measures to ensure the security of information in the company. In addition, the security policy defines the following terms:

  • Security breach,
  • Verification of compliance with security policies,
  • Security monitoring,
  • Security documentation.


RULES OF CONDUCT

Due to the nature of the company, Solwit places special emphasis on the confidentiality of data in its computer systems and information technology. The Information Security Policy defines specific regulations regarding the handling of data in these systems and the rules governing access to data. Examples of the rules of conduct are presented below.

  • The principle of minimal access
    When granting access rights to data processed in the company’s IT systems, the principle of ‘minimal access’ applies: only the rights required to perform the work are assigned.
  • The principle of multi-layered security
    The company’s IT systems are protected in parallel, on multiple levels. This provides more complete and effective data protection.
  • The principle of limited access
    The default privileges in IT systems should deny access. Only when further access is needed does an IT administrator assign the appropriate permissions.


ACCESS TO CONFIDENTIAL DATA

Access to confidential data (successful or unsuccessful) on the servers is recorded.

If a workstation is a portable computer (laptop), it must be additionally secured (for example, using full-disk encryption, FDE).

Access to confidential data from outside the company is only permitted over an encrypted channel (for example, a VPN, or access to e-mail via an encrypted protocol).


SECURITY OF DATA AND DATA CARRIERS

  • It is forbidden to transfer unsecured confidential data outside the company.
  • Portable data storage devices must be stored in a secure manner, for example, in lockable cabinets.
  • It is forbidden to copy business data to private devices, such as a smartphone.
  • The Clear Desk Policy: confidential documents must not be left on the desk.
  • Disk drives and other storage devices which are no longer used must be wiped in a secure manner that prevents data recovery.
  • Any faulty disks should be handed over to an external company specializing in their secure destruction.


EMPLOYEE EDUCATION

The company provides cyclical education of employees (full-time staff and contractors), in particular in the field of information security.

Each new employee undergoes training in the company’s security procedures.

Staff, depending on their position, participate in training on data protection, security awareness, and specific aspects of security.

Staff executing tasks for a Client are required to complete the training required by that Client.

The company’s security level and employees’ knowledge of the security policies are verified cyclically.


INTERNAL CONTROL SYSTEM

The Internal Control System (ICS) defines the rules for dealing with strategic goods in international trade. The ICS defines procedures for dealing with strategic goods that meet the requirements of international and national regulations and ensures proper supervision of goods requiring special care. This applies to HVI (High Value Inventory) goods, such as hardware and software whose value is high due to the innovative solutions and technical know-how they contain.


Rules of Conduct

  • Verifying whether goods are subject to import controls
  • Keeping records
  • Performing the procedures that govern the transfer of goods from the Company (including the obligation to hold export permits)
  • Proper record-keeping
  • Training employees in the rules and procedures regarding TS and HVI and in the responsibility for breaking these rules.


COMPLIANCE WITH REGULATIONS

Solwit’s Internal Control System complies with the following national and international rules and regulations:

  • The Consolidated List, a list of organizations, companies and individuals prohibited from participating in the trade and transfer of goods, published by the United Nations at: http://www.un.org/sc/committees/1267/consolist.shtml
  • The Denied Persons List of the U.S. Department of Commerce at: http://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern/denied-persons-list
  • EU Regulations:
    • Regulation (EC) No 428/2009, which provides for common EU control rules, a common EU control list and unified policies for implementing the control of exports, transfer, brokering and transit of dual-use items, available at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:134:0001:0269:PL:PDF
    • As amended by Parliament, Regulation (EU) No. 388/2012, available at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2012:129:0012:0280:PL:PDF
  • Polish Regulations: Regulation of the Minister of Finance of 10 May 2013 on the records concerning trade in strategic goods, available at: http://isap.sejm.gov.pl/DetailsServlet?id=WDU20130000619