INFORMATION SECURITY POLICY

Confidential Information at Solwit is all data and records relating to the Solwit company and all partner and client data, owned by Solwit, for collaborative projects that have been marked as confidential. Data under special protection is understood to be:

  • Personal data,
  • IT systems access data,
  • Information about technologies developed in the company,
  • Company's financial information,
  • Information about customers,
  • Information about ongoing contracts (both planned, current, and historical),
  • Organizational information,
  • Information about a competitive advantage of a competitor,
  • Other information marked as "Solwit Confidential Information" or "Confidential information".

Definition of security

Solwit Information Security is understood to be:

  • Confidentiality (preventing access to data by Third Parties).
  • Integrity of information (to avoid unauthorized changes to data).
  • The availability of information (providing access to data when needed by authorized users).
  • Accountability for operations on protected information (complete history of data access and information about who has obtained such access).

Solwit management has implemented specific measures to ensure the security of information in the company. In addition, these terms have been defined for the security policy:

  • Security Breach
  • Verification of compliance with security policies.
  • Monitoring of safety
  • Documenting security

Rules of Conduct

Due to the nature of the company, Solwit places special emphasis on the confidentiality of data in computer systems and information technology. The Information Security Policy defines specific regulations regarding the handling of data in these systems and access to that data. Examples of the rules of conduct are presented below.

The principle of minimal access

When granting access rights to data processed in the company's IT systems, the principle of 'minimal access' should apply, that is, assigning only the rights that are required to perform work.

The principle of multi-layered security

The company's IT systems are protected in parallel, on multiple levels. This provides more complete and efficient data protection.

The principle of limited access

The default privileges in IT systems should prevent access. Only when further access is needed can an IT administrator assign appropriate permissions.

Access to confidential data

  1. Access to confidential data (successful or unsuccessful) on the servers is recorded.
  2. If the PC station is a portable computer (laptop) it must be additionally secured (for example, using hard disk encryption - FDE).
  3. Access to confidential data outside the company is only done using an encrypted channel (for example, VPN, access to e-mail via an encrypted protocol).

Security of data and data carriers

  1. It is forbidden to transfer unsecured confidential data outside the company.
  2. Portable data storage devices must be stored in a secure manner, for example, in lockable cabinets.
  3. It is forbidden to copy business data to private devices, such as a smartphone.
  4. The Clear Desk Policy. Confidential documents must not be left on the desk.
  5. Disk drives and other storage devices that are no longer used must be deleted in a secure manner to prevent data restoration.
  6. Any faulty disks should be handed over to an external company specializing in their secured destruction.

 

Employee education

  1. The company provides cyclical education of employees (full-time and contractors), in particular, in the field of information security.
  2. Each new employee undergoes training in the safety procedures of the company.
  3. Staff, depending on their position, participate in trainings about data protection, awareness of safety issues, and specific aspects of security.
  4. Staff executing tasks for a Client are required to complete training that is required by the Client.
  5. The company security level and employee knowledge of safety policies are verified cyclically.

 

Internal Control System

The Internal Control System (ICS) defines the rules for dealing with strategic goods within international trade. The term ICS defines the procedures for dealing with strategic goods that meet the requirements of international and national regulations and ensures proper supervision of goods requiring special care. This applies to HVI (High Value Inventory) goods, such as hardware and software, whose value is high due to the innovative solutions and technical know-how they contain.

Rules of Conduct

  1. Verifying whether goods are subject to import controls
  2. Keeping records
  3. Performing procedures that govern the transfer of goods from the Company (including the obligation to possess export permits)
  4. Proper record-keeping
  5. Training employees in the rules and procedures regarding TS and HVI and the responsibility for breaking these rules.

Compliance with regulations

Solwit Internal Control System complies with the following national and international rules and regulations.

Consolidated list, a list of organizations, companies, and individuals prohibited from participating in goods trade and transfer, published by:

  • United Nations at: http://www.un.org/sc/committees/1267/consolist.shtml
  • U.S. Department of Commerce at: http://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern/denied-persons-list
  • EU Regulations:
    1. Regulation (EC) No 428/2009, which provides for common EU control rules, a common EU control list and unified policies for implementing control of exports, transfer, brokering and transit of dual-use items, available at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:134:0001:0269:PL:PDF
    2. Amended by Parliament, Regulation (EU) No. 388/2012, available at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2012:129:0012:0280:PL:PDF
  • Polish Regulations:
    1. Regulations of the Minister of Finance of 10 May 2013 on the records concerning trade in strategic goods, available at: http://isap.sejm.gov.pl/DetailsServlet?id=WDU20130000619