Contents:
- Definition of “Security”
- Data marking
- The principle of minimum permissions
- The principle of multi-layered security
- The principle of restricting access
- Access to confidential data on PC stations
- Workstation security
- Use of passwords
- Employees’ liability for confidential data
- Security monitoring
- Education of employees in the field of security
- Employees’ responsibility for system access data
- Transport of confidential data by employees
- Use of company IT infrastructure for private purposes
- Local Area Network (LAN)
- IT systems / servers
- Security documentation
- Personal data
- Public sharing of IT infrastructure
- Backups
- Access to IT systems after termination of the employment contract
- Security Violation
- Verification of compliance with the security policy
Definition of “Security”
Information security in IT systems means ensuring:
1. Confidentiality of information (preventing access to data by unauthorized parties).
2. Integrity of information (preventing unauthorized changes to data).
3. Availability of information (providing access to data whenever an authorized user requests it).
4. Accountability of operations performed on information (keeping a full history of access to data, together with a record of who obtained that access).
StorMagic Management Board applies appropriate measures to ensure the security of information in the Company.
Data marking
Data subject to special protection (confidential information) means:
- information on contracts (planned, current and historical),
- StorMagic’s financial information,
- organizational information,
- access data to IT systems,
- personal data,
- information constituting the competitive advantage of the Company,
- other information marked as “confidential information” or “confidential data”.
The principle of minimum permissions
When granting authorizations to data processed in StorMagic’s IT systems, the principle of “minimum authorizations” is applied, i.e., each employee is assigned only the minimum set of authorizations necessary to perform the work of their position.
For example: when working on a PC, each employee will have only the rights required to perform their duties (and not, for example, administrative rights).
The principle of multi-layered security
The company’s IT systems are protected at several layers in parallel, so that the failure or bypass of a single control does not by itself expose the data. This gives more complete and more effective protection.
For example: to protect against malware, several techniques are used in parallel: anti-virus software, firewalls, and a correctly configured Windows update mechanism.
The principle of restricting access
The default on IT systems is to deny access. Only when there is an appropriate need does the IT administrator grant the specific permissions required.
For example: by default, access to the database storing customer data is prohibited. Access is granted only to a person whose position requires working with that system.
Access to confidential data on PC stations
- Access to confidential data on the LAN is provided through dedicated servers.
- Attempts to access confidential data on servers, whether successful or unsuccessful, are logged. The list of systems covered by this logging is kept in a separate document.
- If the PC station is a portable computer (laptop), it must be additionally secured (e.g. with full-disk encryption).
- Access to confidential data from outside the company takes place only over an encrypted channel (e.g. VPN, or e-mail access over an encrypted protocol).
- Access to confidential data over the company’s WiFi takes place only on an encrypted WiFi network.
Workstation security
- Workstations will be secured against unauthorized access by third parties.
- The minimum protection measures are:
  - a firewall and anti-virus software installed on the station,
  - an update mechanism in place for the operating system and its components,
  - a password required before the station can be used,
  - never leaving an unlocked PC station unattended,
  - day-to-day work under an account without administrative privileges.
Use of passwords
- Passwords will be changed periodically.
- Passwords must not be stored in plaintext (unencrypted) form.
- Passwords must not be easy to guess, which means:
  - they consist of at least 8 characters, including at least one special character,
  - they must not take trivial forms, e.g. 123456789, bob, house99, password, Jim8, etc.
- A password can be built by combining several “random” syllables or words (i.e. a combination that does not appear in common dictionaries), e.g. may-jun-Yellow. This gives a long password that is relatively easy to remember.
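The following script is an added example, not part of the StorMagic policy itself, showing how the three rules above can be enforced in practice: a `check_password` function that applies the length, special-character and trivial-password rules, a `generate_passphrase` function that builds a random word combination of the may-jun-Yellow kind with a cryptographic random source, and a `hash_password`/`verify_password` pair that stores a salted scrypt verifier instead of the plaintext. The blocklist of trivial passwords and the wordlist are constructed samples; the scrypt parameters are an assumption and should be tuned to the deployment.

```python
import hashlib
import os
import secrets
import string
from typing import List, Optional, Tuple

# Rules taken from the policy text: at least 8 characters, at least one
# special character, and nothing that appears on a list of trivial passwords.
MIN_LENGTH = 8
SPECIAL_CHARS = set(string.punctuation)

# Constructed sample blocklist (the policy's own examples plus a few common
# ones). A real deployment would load a large leaked-password corpus instead.
SIMPLE_PASSWORDS = {
    "123456789", "bob", "house99", "password", "jim8",
    "qwerty", "letmein", "welcome", "admin",
}

# Constructed sample wordlist for passphrase generation; in practice use a
# large published list (thousands of words) so the search space is large.
SAMPLE_WORDS = [
    "may", "jun", "yellow", "river", "stone", "candle", "orbit", "maple",
    "velvet", "anchor", "copper", "lantern", "harbor", "pixel", "saddle",
]


def check_password(candidate: str) -> List[str]:
    """Return the policy rules the candidate violates; an empty list means accepted."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch in SPECIAL_CHARS for ch in candidate):
        violations.append("contains no special character")
    # Compare case-insensitively, and also with trailing digits/punctuation
    # stripped, so that 'Password1!' is caught as a variant of 'password'.
    lowered = candidate.lower()
    base = lowered.rstrip(string.digits + string.punctuation)
    if lowered in SIMPLE_PASSWORDS or base in SIMPLE_PASSWORDS:
        violations.append("matches a known simple password")
    return violations


def generate_passphrase(words: List[str], count: int = 4, sep: str = "-") -> str:
    """Build a long, memorable password from randomly chosen words (CSPRNG).

    The separator doubles as the special character the policy requires, and one
    word is capitalised so the result also passes mixed-case checks elsewhere.
    """
    chosen = [secrets.choice(words) for _ in range(count)]
    idx = secrets.randbelow(count)
    chosen[idx] = chosen[idx].capitalize()
    return sep.join(chosen)


# scrypt parameters are an assumption for this example (about 16 MiB of memory);
# tune them to your hardware, but never store the plaintext or an unsalted hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted verifier to store instead of the password itself."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the verifier with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)


if __name__ == "__main__":
    for pw in ["password", "Jim8", "may-jun-Yellow"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
    new_pw = generate_passphrase(SAMPLE_WORDS)
    print("generated:", new_pw, check_password(new_pw) or "accepted")
    salt, digest = hash_password(new_pw)
    print("stored verifier:", salt.hex(), digest.hex()[:16] + "...")
    print("verify correct:", verify_password(new_pw, salt, digest))
    print("verify wrong:  ", verify_password(new_pw + "x", salt, digest))
```

Note that length contributes far more to password strength than the single special character; the passphrase generator meets the special-character rule only incidentally through its separator, while its strength comes from the number and randomness of the words.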
Employees’ liability for confidential data
Each employee is responsible for maintaining the confidentiality of the confidential information entrusted to them.
Security monitoring
In order to ensure information protection, the Management Board may monitor the use of the company’s IT infrastructure, including in particular:
- analysis of the software used on workstations,
- analysis of workstations for unlicensed software, multimedia files and other material infringing copyright law,
- analysis of visited websites,
- analysis of working hours at computer workstations,
- analysis of all access (authorized and unauthorized) to IT systems owned by StorMagic,
- analysis of network traffic for communication harmful to the security of company data.
Security monitoring must take place in accordance with applicable law.
Education of employees in the field of security
The company provides regular training for employees in the field of information security. Depending on the position held, employees may take part in training on:
- personal data protection,
- awareness of security problems,
- specific aspects of security.
Employees’ responsibility for system access data
Each employee is obliged to protect their access data for information systems. Access data includes, among other things:
- access passwords
- software keys (files enabling access – e.g. VPN certificates) and hardware keys,
- other mechanisms enabling access to IT systems.
Examples of access data protection:
- not handing over access to IT systems to other people (e.g. giving your password to a third party),
- not keeping access data in public places (e.g. writing passwords down where they are easily found),
- protecting access data against theft by third parties.
Transport of confidential data by employees
It is forbidden to take unsecured confidential data outside the Company’s premises. In particular, it is prohibited to carry confidential data out of StorMagic on electronic media (e.g. flash drives, CDs).
Use of company IT infrastructure for private purposes
It is forbidden to use the company’s IT infrastructure for private purposes.
Local Area Network (LAN)
The local network must be adequately protected against unauthorized access, for example:
- important servers must be separated from client networks,
- network outlets in publicly accessible areas must be disabled,
- guests must not be given access to the LAN.
IT systems / servers
- IT systems storing confidential data (e.g. personal data) must be properly secured.
- In particular, the confidentiality, integrity and accountability of the data processed in these systems will be maintained.
Security documentation
The company maintains documentation in the field of:
- the security measures currently applied to IT systems,
- the structure of the IT network,
- any breaches of IT systems security,
- the access to data sets / systems granted to employees.
Personal data
Detailed guidelines on the processing of personal data are set out in the GDPR.
Public sharing of IT infrastructure
Publicly accessible infrastructure must be especially well secured. Examples of security measures:
- separation from the LAN (e.g. placing it in a DMZ),
- system hardening (tightening the default configuration of the system),
- internal or external verification of system security (e.g. by performing penetration tests).
Backups
- All relevant data (including confidential data) will be backed up so that it can be restored after a failure of the company’s IT infrastructure.
- Backup media will be stored in a place that prevents unauthorized access.
- Backups must be tested periodically by performing an actual restore.
Access to IT systems after termination of the employment contract
In the event of termination of an employee’s employment contract, all of their access to IT systems shall be deactivated.
Security Violation
Any suspected breach of data security in the Company will be reported by e-mail to the Company’s Management Board.
Each incident is recorded in an appropriate database and the Company’s Management Board takes appropriate remedial action.
Verification of compliance with the security policy
The Management Board periodically carries out an internal or external security audit aimed at detecting deficiencies in the implementation of the security policy.