Information Security Policy
1 PURPOSE OF DOCUMENT
This document aims to present the Information Security Policy as designed to support the Information Security Management System.
2 SCOPE
This Policy applies to the whole company.
3 INFORMATION SECURITY POLICY
3.1 INTERESTED PARTIES
The company has identified the interested parties, as well as their relevant needs and expectations relating to its Information Security Management System.
3.2 SCOPE / EXCEPTIONS
3.2.1 Facilities
The company facilities that are located in the building of INVENTOR (Thoukididou 2, Agios Stefanos, PC 14565, Attica Greece), fall within the scope of the Information Security Management System.
3.2.2 Scope
Sales, distribution and technical support of air conditioners and electric appliances.
3.3 SECURITY POLICY
Inventor operates in the area of design, development, sales, distribution and technical support of air conditioners and electric appliances and applies an Information Security Management System (ISMS) across all of its areas of activity. This security policy safeguards:
- The confidentiality, integrity and availability of information.
- The training of employees regarding information security issues.
- The appropriate alerting and management of security breaches.
- Compliance with all legal and other requirements.
In order to achieve the above, the Management supports the information security policy as follows:
- Measurable information security targets are set.
- The interested parties are identified.
- The business requirements regarding information systems availability are defined.
- The importance of the targets and their achievement, as well as the company’s contractual obligations relating to security, are communicated to all parties involved in the implementation of the information security management system.
- The Information Security Manager is responsible for compliance with the policy and for providing support and advice during its application.
- Each party involved in the implementation of the information security management system has clear and predefined roles and responsibilities.
- All changes to the information security management system comply with the ISO 27001 standard and are communicated promptly and appropriately to all parties involved.
- The system is reviewed regularly under the Management's responsibility.
- The Management is responsible for setting the criteria for the assessment and classification of threats.
The Company commits to satisfying the requirements (legal requirements and customers' specifications) that apply to its services and to its management of information, and to the continual improvement of the ISMS.
Top Management, taking into account technological developments and changes in the legal framework related to data protection, establishes a series of objectives for improving performance and the level of security. The objectives, the actions taken to achieve them, and the setting of new objectives are examined during the annual management review of the Information Security Management System.
Top Management invests consistently in technical and operational measures in order to ensure the continual improvement of the security level. All parties involved are required to apply the Information Security Management System.
The Information Security Policy is reviewed annually during the management review, in order to ensure that it remains suitable.
10/06/2023
3.4 INFORMATION AND COMMUNICATIONS INFRASTRUCTURE
The ISMS concerns the following equipment / software:
- Information systems and applications that support company procedures
- Applications and software tools that are used during the provision of services to the company's clients.
- Software that supports the company procedures.
- Central equipment and systems software.
- Users’ workstations and portable computers.
- Peripheral equipment (photocopiers, multifunction devices, printers, scanners).
- CCTV
- Protection systems against power supply cuts.
- Cable infrastructure, active and passive network equipment, wireless networks, air conditioning, and other telecommunications equipment, to the extent that they are relevant to the ISMS scope.
3.5 SEPARATION OF DUTIES AND RESPONSIBILITIES
The company has ensured that there is a clear separation of duties and responsibilities between the various positions. More specifically, an individual is granted access to the company's information resources only following the appropriate authorisation. The responsibilities of all positions involved in the system have been defined.
3.6 DATA IN ELECTRONIC FORM
The company's operation is based on the retention and processing of a range of data, sourced from its internal network, from the external networks of partners and third parties, and from clients. Such data are retained mainly in electronic form on the company's information systems and include (indicatively):
- Documents of the Financial and Administrative Management department
- Documents of the Computerization department
- Files and documents of the Management
- Files and documents of the sample analysis services
- Documents of completed orders
- Documents of orders in progress
- Documents related to technical support services
- Documents related to sales activities and development strategies
- Backup
- Shared documents
- Documentation related to products
3.7 INFORMATION IN PHYSICAL FORM
Non-electronic data that fall within the ISMS are the various documents that affect the company's operation. Indicatively, the documents that are retained in physical form are the following:
- Invoices
- Order sheets
- Agreements
- Tax records of past years
- Current tax record
- Payroll
- Labour-DPD etc.
3.8 ORGANISATION OF INFORMATION SECURITY
The company has defined the organizational structures and positions that are responsible for, or relevant to, its information security management. The company aims to protect its information against unauthorized access, disclosure, alteration or destruction. The organization of information security has been communicated by the company's Management to its employees and collaborators.
3.9 HUMAN RESOURCES SECURITY
All company executives are obliged to implement the company security policy, according to their position, whenever they manage or are involved with information resources that fall within the scope of the ISMS. Company collaborators who are not part of its workforce are under the same obligation.
The executives who are obliged to comply with the company security policy must:
- Be informed about the company's security targets and policies.
- Implement the ISMS and the prescribed security procedures.
- Use the company's information resources in accordance with the applicable acceptable use policies.
- Always be prepared to detect and report security incidents.
3.10 ACCESS CONTROL
Access rights to information resources are granted to company executives and collaborators only in accordance with a specific, documented procedure approved by the company's Management. Access to information resources is monitored with appropriate means and user identification mechanisms. Users are responsible for safeguarding their access credentials for the company's information resources. Company passwords are governed by the internal Password Policy.
3.11 PHYSICAL AND ENVIRONMENTAL SECURITY
Access to the company's premises is permitted solely to individuals with the appropriate authorization and only in accordance with the measures set by the company. All spaces are equipped with fire-extinguishing agents. The central computing, networking and telecommunications equipment is supported by backup power sources.
3.12 COMMUNICATIONS SECURITY
The company has taken measures to protect its network from unauthorized access. In the same way that information is protected within the company, appropriate measures have also been taken to protect company information that is exchanged via electronic mail, the Internet or other communication media.
3.13 MANAGEMENT OF INFORMATION SECURITY INCIDENTS
Company executives, regardless of their position, must report any incident relating to a security breach of the company's information resources that comes to their attention.
Third parties, such as collaborators and suppliers, have a corresponding obligation where their agreement with the company includes relevant terms.
To this end, the Management has established a security incident reporting procedure, which has been communicated to all parties involved. The investigation of security incidents is conducted by the company's competent personnel in accordance with the respective procedure, which determines, where required, the security measures that must be taken.
3.14 COMPLIANCE
All security measures are in accordance with the company's obligations. Accordingly, the executives who hold positions relating to security management are responsible for implementing the security policy within their area of responsibility.
3.15 CONTACTING THE AUTHORITIES
Communication with the Authorities in the event of a security breach takes place in a predetermined way. The person responsible, on the company's side, for reporting security incidents to the competent Authority, and for the overall communication with the Authorities, is the IS Manager. Depending on the type of incident, he/she may need to contact the following Authorities:
- Hellenic Police
- Fire Department
- National Telecommunications and Post Commission
- Hellenic Authority for Communication Security and Privacy
- Hellenic Data Protection Authority
- Cyber Crime Division (of the Hellenic Police)
The IS Manager has a list with the contact details of the above Authorities.
3.16 COMMUNICATION WITH SPECIAL GROUPS
Maintaining contacts relating to security matters, participating in specialized working groups and professional associations, and accessing specialized electronic libraries are the means by which the company, and specifically the executives responsible for its information security management, follow developments in the field of information security closely and keep their knowledge of current threats and protective measures up to date.
Indicative information sources are the following:
- Hellenic Data Protection Authority http://www.dpa.gr/
- European Union Agency for Cybersecurity (ENISA), http://www.enisa.europa.eu
- National Institute of Standards and Technology (NIST), U.S. Department of Commerce, http://www.nist.gov
- Information Systems Audit and Control Association (ISACA), http://www.isaca.org
3.17 INFORMATION SECURITY IN PROJECTS MANAGEMENT
When managing processes and the provision of services that fall within the scope of the ISMS, and throughout their lifetime, the company ensures their compliance with its security requirements. More specifically, when analyzing the requirements and defining the standards of a project, the company sets the security requirements and standards that must be met.
4 VERSIONING HISTORY
| VERSION | ISSUANCE DATE | DESCRIPTION OF CHANGES |
|---|---|---|
| 1st | 10/06/2023 | Initial design and issuance of the document as part of the ISO 27001 documentation design |