
Security Policy

The Company, as a leading company in the IT industry, is aware of the essential role of information and the need for its effective protection. We are aware of the risks and responsibilities in terms of cybersecurity and the protection of information, including legally protected data and Personal Data.

In order to meet business and legal requirements as well as good practices and standards in the field of information security, and to provide effective support to the Company's management in protecting the information Processed by the Company, a management structure, responsibilities and processes dedicated to ensuring information security have been established.

The security of the information processed by Asseco is provided by organizational and technical safeguards, which are grouped into the following domains:

Information security policies

We have defined an Information Security and Business Continuity Policy. Our Management Board has defined the objectives of information security and business continuity, expressed support and commitment to the protection of the information processed by us and declares compliance with legal and business obligations in the field of information security.

Organization of information security

We have established internal organizational structures responsible for supervising the effective implementation of the Information Security Policy and continuous improvement of security processes. Our Management Board has appointed a representative of the Management Board for ISMS responsible for improving and implementing information security and business continuity principles in line with the information security objectives set by the Management Board.

Security of human resources

Through the awareness campaigns we run, our staff are trained in the principles of information security. We undertake to keep confidential all information and legally protected data, including data constituting a company secret.

Asset Management

We keep a register of information assets. We have developed and implemented internal security standards requiring the use of safeguards appropriate to the degree of criticality and sensitivity of information assets and identified threats.

Access Control

We apply a policy of controlling access to information. Rights to information are assigned and modified on the basis of the principles of least privilege and need-to-know, in response to documented access requests. Accounts and permissions are reviewed on a regular basis. Information rights are granted only for a strictly defined purpose.

Cryptography

We apply cryptographic protection to IT systems, workstations, mobile devices, external media, e-mail and IT networks, adequate to the sensitivity of the Information Processed and the form of its Processing.

Physical and environmental safety

We ensure a high level of physical and environmental security in order to protect information assets against access by unauthorized persons, to prevent their damage, and to prevent unauthorized modification of information.

Secure operation

We ensure that the security and operating principles of our IT systems are based on best practices in the field of information security.

The Company's designated security standards define the rules, among others, in the scope of:

protection against malware,
infrastructure management,
management of access and rights of Users and administrators,
password policies,
change management in the ICT environment,
creating and managing backups and archival copies,
recording and monitoring of events,
encryption,
management of availability, performance and capacity,
communication with the information system,
management of vulnerabilities and security events.

Security of communication

In order to ensure the security of information transmitted in IT networks and to protect network services, we have defined internal rules for the configuration and security of LAN and WAN networks included in the corporate network, as well as the rules for access to the corporate network and the use of the Internet.

Acquisition, development and maintenance of systems

We carry out processes related to the acquisition, development and maintenance of IT systems in a supervised manner, guaranteeing that an adequate level of information security is maintained. This includes, among others:

taking into account relevant security requirements for new or modified IT systems,
multi-level testing of the IT system and its modifications,
protection of the confidentiality, authenticity and integrity of information through system mechanisms,
separation of development and test environments from production environments,
supervising access to software source code,
implementation of change management procedures, including control of changes and software updates,
use of the “privacy by design” and “privacy by default” principles.

Relations with suppliers

The rules for establishing cooperation between the Company and suppliers have been defined within the framework of internal purchasing processes. The level of quality and security of the services provided is constantly monitored and evaluated. Information security requirements are selected individually when choosing a supplier, in order to mitigate the risks associated with an external entity's access to the Company's information. When defining security requirements, we take into account, among others, requirements resulting from contracts signed with Customers and legal requirements.

Information Security Incident Management

The Company operates an incident management process based on best practices in this area. We analyze each incident in detail in terms of its causes and, as part of its handling, we carry out corrective and improvement actions aimed at minimizing the likelihood of recurrence of past incidents or their consequences.

Information Security Aspects in Business Continuity Management

The Company operates a Business Continuity Management System, regulated by the “Business Continuity Policy”, the “Business Continuity Management” regulations and subordinate documentation. Business continuity plans and contingency plans describe how the Company operates in a crisis situation and the principles for returning to normal operation. The requirements for information security, and for continuity of information security management in crisis situations, are taken into account when building business continuity plans.

Compliance

We have implemented a process for ensuring compliance and managing the risk of non-compliance, within which we manage the legal, regulatory and contractual obligations related to, among others, information security.

The process for ensuring compliance and managing the risk of non-compliance is set out in the “Compliance Policy” and the “Non-Compliance Risk Management” regulations.

Information Security Reviews

We regularly test and review the Information Security Management System within the framework of internal and external audits, compliance checks carried out by the Data Protection Officer, and compliance tests carried out by the Management Board's representative for the ISMS.

Information Security

The competent representatives appointed by the Management Board are responsible for the individual areas of information security in the Company:

Board representative for the information security management system — responsible for maintaining the information security management system and certification processes;
Confidential Information Protection Officer — responsible for ensuring compliance with the rules on the protection of classified information;
Representative of the Management Board for stock exchange reporting and confidential information management — responsible for ensuring compliance with stock exchange obligations in the Company, including the rules of protection and circulation of confidential information.

Supervision over information security issues is carried out by the Vice President of the Management Board supervising the Compliance and Process Management Department.

THE APPROACH TO INFORMATION SECURITY IS BASED ON THREE RULES:

ensuring that the information is not shared or disclosed to unauthorized persons, entities or processes;

ensuring that authorised persons, entities and processes have access to information and related assets when the need arises;

ensuring the accuracy and completeness of the information and the methods of its Processing.

The Company also takes care to provide competent and trustworthy employees and collaborators to carry out its tasks. Regardless of the form of employment, the Company carries out activities in the field of personnel security:

pre-employment - ensures that employees and co-workers understand their responsibilities and are suitable for their assigned roles, and that the risk of abuse is reduced; each employee and co-worker signs an appropriate confidentiality statement before starting work,
in the course of employment - ensures that employees and co-workers are aware of the risks and other aspects of information security, as well as their duties and legal responsibilities,
upon termination or change of employment - ensures that employees and co-workers leave the Company or change their position in a controlled manner.

All employees and associates are familiar with the information protection rules in force at Asseco.

The information security management system operates on the basis of the requirements of ISO/IEC 27001:2013, and is additionally certified for compliance with this standard in selected business areas of the Company.

Declaration of conformity with ISO/IEC 27001:2013 is available HERE.

In connection with the CHARLIE-CRP and BRAVO alert levels maintained in 2022, the Company has launched additional procedures for physical security control and for monitoring the security of its ICT infrastructure.

Cybersecurity

Cyber attacks pose the greatest threat to any organization operating in the world of digital services. To face the challenges posed by modern threats, the Company operates a Security Operation Center (SOC) team, which provides comprehensive monitoring of infrastructure security based on people, processes and technology.

The Security Operation Center consists of three lines:

the 1st SOC line, operating 24/7, monitors IT systems and handles events and alerts according to established scenarios (including escalation to the 2nd SOC line),
the 2nd SOC line, operating 24/7, analyzes and handles the events escalated to it,
the 3rd SOC line performs tasks related to advanced cybersecurity analysis.

On 24 February 2022, a crisis staff was established at Asseco, within the framework of which the work related to securing the Company against the risks associated with cyber attacks and with the expansion of the Ukraine-Russia armed conflict onto the territory of the Republic of Poland is coordinated. Staff meetings with the Management Board are held on a regular basis, every 1-2 weeks.

Reporting Security Incidents and Personal Data Breaches

We have implemented an information security management procedure under which Personal Data Breaches are handled.

We refer to a Personal Data Breach when we accidentally or unlawfully destroy, lose, modify, disclose or share Personal Data.

Personal Data Breaches can be reported:

through a dedicated form available at https://pl.asseco.com/zglaszanie-naruszen,
if it is not possible to use the form, by contacting the IOD (Data Protection Officer) at iod@asseco.pl, or by traditional mail with the note “Data Protection Inspector” to the address Asseco Poland S.A., ul. Olchowa 14, 35-322 Rzeszów.

Attention! If you report a Data Protection Breach via the form and at the same time request the exercise of your rights as a data subject, leave contact details in the form or use one of the other communication channels. Failure to provide your contact details will prevent us from responding to your request.

When, who and by what date will we notify if there is a breach?

Condition: if it is highly likely that the breach will result in a violation of the rights and freedoms of a natural person.
Supervisory authority: within 72 hours of the discovery of the breach.
The data subject: promptly.