Daugavpils Mark Rothko Art centre INFORMATION SECURITY POLICY

Daugavpils, 24 April 2018


Contents

  1. Defining the terms
  2. Purpose and scope
  3. Information classification
  4. Systems involved in data/information processing
  5. Personnel duties
  6. Management of access and protection
  7. Safety measures
  8. Forbidden actions
  9. Reporting breaches of security


  1. Defining the terms
Company: Municipal institution of Daugavpils City Council “Daugavpils Mark Rothko Art Centre”, registration No. 90009938567, legal address 3 Mihaila Street, Daugavpils, LV-5401, which is the employer of every employee employed on the grounds of an Employment Contract
Direct manager: Company representative who has been named in the respective Employee’s Employment Contract or appointed by a Company decree as the Employee’s direct manager
Employee: Natural person employed by the Company
Management: Manager and/or any other person at the Company who has been vested with managerial functions and authority
Policy: This information security policy
Third party: A natural person, legal entity or any other person not related to the Company
  2. Purpose and scope
    • The purpose of the information security policy is to protect Company employees, partners and clients from unlawful or harmful actions, whether direct or indirect, conscious or unconscious, by other persons in the course of processing information and data that become available to these persons, as well as in the course of using specific equipment to perform their professional duties.
    • The policy regulates processing of information across any systems or data carriers involved in data/information processing at the Company irrespective of whether data/information processing is related to internal commercial operations within the Company or its external relations with any third parties.
    • This policy also regulates how Company employees use available equipment and tools while performing their professional duties.
    • The policy can be applicable together with any other policy, rules, procedures and/or guidelines on occasion ratified and implemented by the Company.
    • Any questions about information security system and information/data security not stipulated in this Policy should be directed to ______________________________________________ (Appointed responsible person or department of the Company).
  3. Information classification
    • Any information/data that becomes available to the Employee while performing their professional duties and is related to the Company and its operations, clients or cooperation partners is considered classified Company property and thereby falls under the scope of normative acts about classified information, trade/commercial secrets and protection of personal data.
    • To guarantee proper protection of information and data, the Company conducts internal classification of information. Information/data are protected irrespective of whether this kind of information has become available to the Employee in the form of printed materials, any data carriers, audio/visual materials or any other format.
    • The Company uses the following general classification of information:
    Category: Public information
    Description: Information which can be processed and distributed within the Company or beyond without any negative effects on the Company, any of its partners, clients and/or parties involved.
    Scope of application (including, but not limited to):
      (a) Public financial reports submitted to governmental institutions;
      (b) Information that is available in public resources or is in any other way publicly known, unless it has become publicly known due to actions taken by an Employee in violation of information/data security requirements.

    Category: Internal information
    Description: Any information whose use in any way or form, provided that it involves violation of normative acts, this Policy or stipulations of any other Company regulations, can harm the interests of the Company and/or any of its Employees, partners or clients.
    Scope of application (including, but not limited to):
      (a) Any documents created and/or prepared by the Company, its Employee or structural unit;
      (b) Any catalogues (mailing lists, information directories etc.) created and/or used by the Company for commercial purposes;
      (c) Any internal official memos, notifications, references or testimonies created for commercial purposes of the Company.

    Category: Classified information
    Description: Any information that is so essential to the Company, any of its clients and/or partners or parties involved that its unauthorised disclosure can have negative effects on the commercial activity, operations, reputation and general status of the Company, its participants/shareholders, clients and/or cooperation partners and cause serious harm to any of these persons.
    Scope of application (including, but not limited to):
      (a) Policies, procedures, internal regulations, managerial decisions;
      (b) Information specified to the Employee as a commercial secret of the Company;
      (c) Other information of a financial, human resource related, legal or marketing nature, trading procedures, plans and operations;
      (d) Business plans, production plans;
      (e) Personal identification data;
      (f) Information protected by the non-disclosure agreement which is signed by every Employee;
      (g) Information protected by non-disclosure agreements or cooperation agreements concluded by the Company in the course of its commercial activity.

  4. Systems involved in data/information processing
    • Any information systems, including but not limited to computer technologies, all and any kinds of software, operating systems, any storage environments, network accounts, e-mail accounts, browsers and any other technical provisions and tools used by the Company in its operations are considered Company property.
    • It is incumbent on every Employee to use such technical equipment and tools with due care and attention and only for commercial purposes of the Company. The only exception is cases when the Company has issued the Employee with technical equipment (for instance, a mobile phone) and expressed clear consent to use it for private needs.
  5. Personnel duties
    • Any information/data that becomes available to the Employee while performing their professional duties is considered classified and to be used as classified in strict adherence to this Policy and without disclosing it to third parties until and unless the Management notifies the Employee that this information has become public or is in any other way reclassified as information that is no longer protected by this Policy.
    • All personal data and other information that can be used to identify a natural person is accumulated and processed only if it is necessary and to the extent that is necessary for the Employee to perform their professional duties, provided that the Employee is authorized to perform such actions and that they are performed in strict adherence to data protection requirements stipulated by the law (especially the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)).
    • Any data requests and/or requests regarding data processing, which are received by the Employee while on duty from data owners who are natural persons, are to be immediately forwarded to the Management for further consideration.
    • It is incumbent on every Employee to follow this Policy as well as to abide by all local, regional or international normative acts about information/data processing and protection. Failure to follow the Policy is considered a gross violation of employment norms and regulations and entitles the Company to administer disciplinary sanctions or dismiss the Employee. The Employee can also be subjected to administrative or criminal prosecution.
  6. Management of access and protection
    • Employees can access any equipment available to them, provided that access is required to perform their professional duties, occurs within the scope of their responsibility and on a need-to-know basis. Having access rights to any system does not mean that the Employee is authorised to view or use all information stored in this system.
    • User IDs are unique and identify a specific Employee. Every Employee is responsible for any actions related to their personal ID account. Hence, it is their primary responsibility to guarantee that Employee ID is not accessible to any third parties and not even other Employees unless the Company has stipulated otherwise.
    • System security passwords are generated with due care so that they cannot be easily guessed, do not contain personal data and are changed on a regular basis (at least once every 3 (three) months). Every Employee is personally responsible for conformity of their password security to this Policy and any other Company regulations.
    • An Employee accesses classified information/data only if they are authorised to do so in their Employment contract and/or if the Company has otherwise authorised the Employee to do so.
  7. Safety measures
    • Any data and information gathered and processed in any way or form (printed, electronic, etc.) falls within the scope of this Policy and any other normative regulation about data/information gathering, processing, protection and storage, and such documents are stored in a safe location designated by the Company for the duration stipulated by the law and/or Company regulations.
    • Employees are forbidden to store any classified information on their devices excepting information that is temporarily required to perform specific work-related actions. All required classified and personally identifiable information is to be stored exclusively in a cloud ratified by Company IT personnel and in the Company’s intranet. Downloading of such data onto local devices should be avoided and should only be done if it is justifiably required for processing of information due to work related reasons.
    • Properly authorised IT personnel of the Company have the right to filter and supervise the Internet access of Employees and their actions online, as stipulated in relevant normative acts.
    • Any mobile or portable devices (including laptops, tablets, smartphones and other palm computer devices) as well as any cloud storage locations need to be ratified by Company IT personnel and properly protected to avoid unauthorised access.
    • Only systems and software licensed and authorised by the Company can be installed on any equipment or tools used at the Company. Permission from IT personnel is required before downloading or installing any software on devices belonging to or used by an Employee for purposes described in this Policy.
    • In cases when Employees use personal (home) devices to access the Company’s corporate resources (such as client relationship management (CRM) programme, e-mail, online/cloud databases), it is incumbent on Employees to observe the stipulations of this Policy just as if they were using Company equipment. Therefore, it is forbidden to store any Company related data and information on the device; any data processing is allowed only via cloud and online storage locations used by the Company.
    • In all and any cases, it is strictly forbidden to use public access devices (such as those in internet cafes, libraries, etc.) unless it is critically and urgently needed for work related reasons and the Employee’s Direct manager has given written permission for such actions.
    • In cases when an Employee has been given authority to access Company client’s or cooperation partner’s data storage system, it is incumbent on the Employee to use the client’s or partner’s access tools and follow the guidelines concerning requirements for safe information/data processing (including encryption systems, password usage, limitations on data use, use of specifically designated locations, etc.).
    • As soon as the Company determines that protected data/information is no longer needed for Company operations, such data/information is deleted and all copies destroyed. Employees involved in processing such information/data are notified of their duty to delete/destroy and return to the Company any information/data that they no longer need to do their job and, in particular, to return to the Company, delete and destroy any copies if the employment relationship with the Employee is terminated.
    • No information/data mentioned in this Policy is sent, forwarded or in any other way or form handed over to a third party unless it is necessary for proper discharge of Employee’s duties and only insofar as it is necessary for proper discharge of such duties. In cases when data is forwarded or handed over to Third parties, data protection should be guaranteed and all relevant safety measures taken.
    • The Company audits the systems involved in information/data processing to verify ongoing compliance with this Policy and applicable normative requirements.
  8. Forbidden actions
    • Except in specific cases, under no circumstances should any equipment, systems or tools belonging to the Company, its clients or cooperation partners be used for purposes unrelated to an Employee’s professional duties or Company operations.
    • Any actions listed hereinafter are strictly forbidden, with no exceptions:
      (a) Violation of any person’s or company’s intellectual property rights, including but not limited to installation, copying, distribution or storage on any Company systems or devices of any illegal software, online platforms or any other electronic content that the Company is not licensed to use;
      (b) Unauthorised copying of copyrighted materials;
      (c) Violation of any person’s rights by excessively and needlessly collecting and processing the subject’s personal data;
      (d) Access to data, a server or an account for purposes unrelated to the Company’s commercial transactions or proper discharge of the Employee’s professional duties;
      (e) Exporting any software, technical information, encryption software or technology in violation of applicable international or national normative acts and/or Company stipulations;
      (f) Exporting any data or information that has proprietary and/or classified value for the Company if such exporting is not required for the Company’s commercial transactions or proper discharge of the Employee’s professional duties and/or if it violates the Company’s internal regulations and applicable normative acts;
      (g) Disclosing an Employee’s account password to other persons and giving such persons access to such an account (including but not limited to the Employee’s relatives);
      (h) Creation of fraudulent products, commodities or services through the Company’s account;
      (i) Violating network security measures or causing network interruptions. Such security violations include but are not limited to accessing data of which the Employee is not the intended recipient, or signing into a server or account to which the Employee has no clearly authorised access, unless access rights have been granted to the Employee due to their participation in a specific Company project;
      (j) Using any programme/script/command or sending any message with a view to interfering with or disabling a user’s session.


  9. Reporting breaches of security
    • All incidents or possible incidents related to information/data processing should be immediately reported to the Management who, in turn, takes all the necessary measures to avert any harm or perform damage control and restore the previous state of security.
    • If applicable, it is incumbent on the Management to guarantee further reporting about violations of data/information security to relevant institutions and natural persons as stipulated in applicable normative acts and/or European Union legislation.