This Security Policy to Ensure the Confidentiality of Communications concerns the users, subscribers, employees and associates of our Company.
This Security Policy to Ensure the Confidentiality of Communications is not included in a broader information and communication security policy.
Any failure to comply with the requirements set out in this Security Policy to Ensure the Confidentiality of Communications, including the individual policies and procedures that implement it, which may indicatively be due to non-applicability or to technical inability to cover a specific requirement, is adequately recorded and documented. An internal procedure for recording and documenting the weaknesses referred to in this paragraph is foreseen and applied.
Specific security procedures and organizational structures are defined, documented, implemented and reviewed to implement individual policies. Security procedures define specific actions of employees, associates, users and subscribers, the person responsible, the sequence of actions, those responsible for their execution and the manner and means of their documentation.
The Security Policy for Ensuring the Confidentiality of Communications with the individual policies that make it up, defines the administrative entities or the natural persons with specific responsibilities regarding the implementation of the policy. The obligors shall designate the persons responsible for defining and carrying out the design, development, procurement, installation, operation, management, support, upgrade, updating, deletion, withdrawal and access to each IP.
The Company must appoint a specific employee, as the Responsible for Ensuring the Confidentiality of Communications, in charge of controlling the implementation of the measures and requirements set out in the Security Policy for Ensuring the Confidentiality of Communications.
The Company must notify A.D.A.E. of the contact details of the respective Communications Privacy Officer.
The Company is obliged to ensure that the recordings of the log files are complete and continuous. It must also maintain a Special Log File, which includes, at a minimum, the architecture and individual methods of creating, collecting, storing and managing logs, a complete description of their contents, and the measures that ensure their integrity, confidentiality and availability.
The Company must activate the Security Incident Management Policy in case of interruption of recordings and in case of violation of their integrity, confidentiality and availability.
The Company follows an Information Risk Assessment Procedure every 2 years that aims to assess the risks or threats associated with a possible breach of the confidentiality of communications. For this reason the company:
- Maintains a list of PES with a brief description of their operation.
- Assesses the threats of a possible breach of confidentiality by external parties, employees or associates of the liable person, the relevant vulnerabilities of the PES, and the possible effects of such breaches of confidentiality.
The results of the risk assessment are taken into account for the drafting and review of the Security Policy to Ensure the Confidentiality of Communications and for the implementation of appropriate measures. The results of the risk assessment are maintained by the liable person and are available during the regular or extraordinary audit of the implementation of the Security Policy to Ensure the Confidentiality of Communications by A.D.A.E.
The Company appoints Kotronakis Nikolaos as the Privacy Officer who is responsible for overseeing the implementation of the measures and requirements set out in this policy.
- Acceptable Use Policy.
1.1. The Company is obliged to post the Security Policy on its website “www.e-virus.gr” and to inform its employees, as well as to train them in its implementation as well as in any of its revisions.
1.2. Employees and associates of the Company must comply with the Security Policy to Ensure the Confidentiality of Communications, including the relevant procedures, security measures and instructions. For this purpose, the Company informs the employees and associates in writing of the Security Policy to Ensure the Confidentiality of Communications, as well as of the procedures and security measures, before they gain access to the PES. The employees and associates of the Company sign the relevant information document, which is kept in a special binder, before gaining access to the PES and to communication data.
1.3. The Company maintains an up-to-date file in which its associates are registered, natural or legal persons, who in order to provide their services, acquire or may gain access to communication data of the subscribers or users of the provided networks or services.
1.4. The Company concludes contracts with its associates by which the associates accept the obligation to observe the security measures to ensure the confidentiality of communications. These contracts include at least the following:
- Terms of confidentiality and non-disclosure.
- Requirements and security measures taken to ensure the confidentiality of communications, which ensure the confidentiality and integrity of communication data during their processing by the associates of the liable person, as well as their final deletion and destruction after the termination of the cooperation.
- Acceptance by associates of the obligation to comply with security measures to ensure the confidentiality of communications.
- The liable person must activate the Security Incident Management Policy, for any violation of the contractual terms.
1.5. The partners of the Company will be informed of any revision through the website “www.e-virus.gr”, by e-mail or by phone, as well as through the contracts between them.
1.6. The employees and associates of the Company are prohibited from disclosing any information or data that comes to their notice or possession as a result of the nature of their work.
1.7. The employees and associates of the Company are obliged to immediately inform the person in charge in case they become aware of a security gap or a relevant incident which threatens the confidentiality of communications.
1.8. The partners agree, upon conclusion of the contract, not to process the communication data; where this is nevertheless needed, the data must be destroyed immediately after their work with the communication data ends.
1.9. The Company is obliged to activate the Security Incident Management Policy, for each violation of paragraphs 1.3, 1.4, 1.5.
1.10. The subscribers of the provided services will be able to be informed through the website of the company “www.e-virus.gr”, for the way of protection of the confidentiality of their communications as well as for the rules of proper use of the provided services.
1.11. The Company does not store sensitive data (such as passwords to IPs or structural data) on storage media. If this becomes necessary, the only person who may store or move the data in question is the Privacy Officer, who must destroy them after the work is completed.
- Physical Safety Policy.
2.1. The physical security of our company’s systems and network infrastructure is ensured with authorized access to the premises where they operate. These respective sites are also protected by passwords.
2.2. This policy concerns the staff of the technical support department, the staff of the Network & Operations department, the staff of the Development department and the management of the company.
2.3. The space where the PES are installed, within the Company’s facilities, is controlled by a strong security mechanism based on controlled entry cards. Physical access to the spaces of this paragraph is recorded in a special file, according to paragraph 2.8.
2.4. Physical access to the premises of the PES follows the procedure below:
- Only authorized persons can have physical access to the site of the PES.
- In the case where partners or visitors need to gain access, they must first be authorized and, once authorized, must always be accompanied by an authorized employee. The authorization procedure is referred to in paragraphs 2.4, 2.5 and 2.6.
2.5. In order to verify the authorization of the persons, the head of the respective technical department responsible for the person to be granted physical access completes the respective application for authorization of physical access to the information systems, and receives a signed approval from the person in charge of information systems and networks (YAPSD) and the Director of Informatics.
2.6. This form must be completed for all persons who must have physical access to one of the information systems and networks of the company by the staff of the Network & Operations department.
2.7. Approved applications must be notified to those involved by the Network & Operations staff as well as to the custodians and filed.
2.8. The access to the premises of the PES by authorized persons is recorded in a special access file (name, capacity, time of entry and exit). In the case of access of a partner of the liable person or another visitor, in the file of this paragraph is additionally recorded the reason for access, as well as the details (name and capacity) of the employee to be met.
2.9. The company does not have PES which are under its supervision outside its facilities.
- Logical Access Policy.
3.1. This policy concerns all the staff of the company and the associates who for their work handle a PES of the company as well as the sales and marketing departments.
3.2. Access control to PCs is done using an access account consisting of a pair of usernames and passwords. The access control and authentication mechanisms of each IP are recorded in a relevant file.
3.3. Each employee and associate is assigned a password per PC and the assignment of the access accounts of employees and associates is recorded in a relevant file, so that it can be determined with certainty who is the holder of each account.
3.4. Each password is categorized according to the type of work for which it is used, and these categories are listed in a relevant file.
3.5. No common or predefined passwords are generated.
3.6. A file is kept in which the categories of users and their access rights are recorded for each IP.
3.7. The Company records in a file the ways in which its employees and associates access communication data of the subscribers or users of the provided networks or services. Any access to communication data of the subscribers or users of the provided networks or services is recorded and justified.
3.8. The access to the PES is recorded in a relevant file and includes the name of the user who gained the access, the date, start time and end time.
3.9. The addition of new PES users, the removal, modification and change of permissions or access levels are analyzed in the “PES User Management Process”.
3.10. For each of the actions mentioned in paragraph 3.8 of the present, the prior approval by a competent employee of the Company is mandatory.
3.11. The PES User Management Procedure provides for the obligation to keep a record of applications related to any change in the access status of PES users. There is also the obligation to keep a file with the history of all rights or access levels of the accounts that have been approved and activated in the Company’s IPAs, such as access account, rights / level of access, validity period.
3.12. The company must follow the Procedure for Controlling the Correct Implementation of the Logical Access Policy, where periodic audits are performed, in accordance with the principles of the Audit Policy for Ensuring the Confidentiality of Communications, as follows:
- The access rights of PES users are checked to determine whether the access right granted to each user is correct.
- The access accounts are checked by comparing the file that includes the approved applications (par.3.10) with the accounts resulting from each PES.
- Access logs are sampled for possible unjustified access.
3.13. For the creation and management of Access Accounts, the Company maintains the following:
- File with a description of the rules according to which a user name is created,
- File with a description of the rules according to which a password is created,
- Procedure according to which each employee and associate is given the username and password that concerns them,
- Procedure according to which the regular change of passwords, and their management in general, is achieved,
- Procedure according to which an audit is carried out for the correct application of the above rules and procedures, in accordance with the principles of the Security Policy Implementation Control Policy to Ensure the Confidentiality of Communications.
3.14. For the implementation of the obligations of paragraph 3.12, the Company takes into account the following requirements:
- The usernames should not indicate the role in the IP of the employees and associates of the liable person (indicatively, they should not be derivatives of the word admin or root).
- The passwords used will be strong and are created by combining at least two (2) different types of characters (numbers, letters, special characters). Passwords will have a minimum length of 8 characters, the reuse of recent passwords when changing them will be prohibited, and no specific patterns will be followed when creating them.
- The passwords will change periodically, at a frequency that is explicitly defined per PES and refers to a file maintained by the Company. The Company uses and records in this file the ways in which it imposes the periodic change of passwords. In typical cases such as, for example, the removal of a PES user or the breach of an account, the corresponding change of the password is foreseen.
- In case of repeated entering of incorrect passwords (after five consecutive failed attempts to enter it) the access account can be used only after a lapse of 15 minutes.
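The composition, reuse and lockout rules of paragraph 3.14, as an added Python example that is not part of the policy or of the Company’s own systems. The history depth of five passwords, the pattern heuristic (a single repeated character or a run of four sequential characters) and PBKDF2 storage are assumptions, since the policy fixes none of them.

```python
import hashlib
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Thresholds taken from paragraph 3.14. HISTORY_SIZE is an assumed value:
# the policy forbids reuse of "recent" passwords without fixing a count.
MIN_LENGTH = 8
MIN_CHAR_TYPES = 2
HISTORY_SIZE = 5
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
FORBIDDEN_STEMS = ("admin", "root")


def username_allowed(username: str) -> bool:
    """Reject usernames derived from role-revealing words (admin, root)."""
    return not any(stem in username.lower() for stem in FORBIDDEN_STEMS)


def char_types(password: str) -> int:
    """Count the distinct character classes present: digits, letters, specials."""
    classes = (r"\d", r"[A-Za-z]", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, password))


def has_pattern(password: str) -> bool:
    """Assumed heuristic for 'specific patterns': one repeated character,
    or four or more consecutive characters up or down (1234, abcd, dcba)."""
    if len(set(password)) == 1:
        return True
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - 3):
        window = codes[i:i + 4]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed storage form; only hashes are kept, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: bytes = b""
    history: List[bytes] = field(default_factory=list)  # recent password hashes
    failed_attempts: int = 0
    locked_until: Optional[float] = None  # Unix timestamp, None when not locked


def password_allowed(acct: Account, password: str) -> Tuple[bool, str]:
    """Apply the 3.14 composition rules plus the recent-reuse prohibition."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than minimum length"
    if char_types(password) < MIN_CHAR_TYPES:
        return False, "needs at least two character types"
    if has_pattern(password):
        return False, "follows an obvious pattern"
    if _hash(password, acct.salt) in acct.history:
        return False, "recently used"
    return True, "ok"


def set_password(acct: Account, password: str) -> bool:
    """Store the new password hash and push it onto the bounded history."""
    ok, _ = password_allowed(acct, password)
    if ok:
        digest = _hash(password, acct.salt)
        acct.history = (acct.history + [digest])[-HISTORY_SIZE:]
        acct.current = digest
    return ok


def attempt_login(acct: Account, password: str, now_ts: float) -> str:
    """Return 'locked', 'ok' or 'denied'. The fifth consecutive failure locks
    the account for 15 minutes; a success resets the failure counter."""
    if acct.locked_until is not None and now_ts < acct.locked_until:
        return "locked"
    if _hash(password, acct.salt) == acct.current:
        acct.failed_attempts = 0
        acct.locked_until = None
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.failed_attempts = 0
        acct.locked_until = now_ts + LOCKOUT_SECONDS
    return "denied"
```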
3.15. Special Requirements for the Subscribers or Users of the Provided Networks or Services:
- The Company maintains a file that details the access control and authentication mechanisms used to access its subscribers or users to the services it provides.
- The Company configures and follows a specific procedure for managing the access accounts of subscribers or users to the services and / or networks it provides, which clearly describes how to add and remove access accounts, as well as the assignment of the username and password to subscribers or users of the provided networks or services. When creating or re-issuing the password, the Company creates it in a way that prevents its easy identification. Informs by any appropriate means the subscribers or users of the provided networks or services about the necessity of changing the password, as well as about the appropriate rules for creating strong passwords.
- The Company has a procedure according to which a periodic check is carried out regarding the change of the password that it gives to the subscribers or users of the provided networks or services, and it informs them again of the necessity of changing their passwords in case they have not made the relevant change.
- The Company does not offer the possibility to the subscribers or users of the provided networks or services to access their communication data (such as outgoing calls, e-mail) through a specific website.
- The Company informs the subscribers or users of the provided networks or services, at least during the conclusion of the contract between them, by printed or electronic information, but also in an easily accessible part of its website, about the rules of appropriate use for the protection of passwords they hold.
- Remote Logical Access Policy.
4.1. The Policy concerns the employees and associates of the Company who, in the context of their work, gain remote access to the PES.
4.2. Remote access to the PES is acquired only by authorized persons and only if deemed necessary for the business needs of the Company. The Company maintains a file with the requests for remote access, which states the reason for the access, the PES to which access will be obtained, and the time period required.
4.3. The Company ensures that any connection of its employees and associates to the PES is allowed only if this connection does not violate any of the security rules of its network.
4.4. Remote access by authorized persons uses secure authentication mechanisms (VPN), and this access is allowed only for a certain period of time, after which the passwords are disabled.
4.5. The Company allows remote access of its partners to its systems only after approval of the relevant requests, which state the reason for access, the system to which access will take place and the time required. The Company therefore keeps a file with all the information of this paragraph.
4.6. Authorized persons with the possibility of remote access are recorded in a file (name and title), as well as the access rights that correspond to them for each IP.
4.7. The company follows the “Remote Access Management Procedure” to manage the remote access accounts of its employees and associates.
4.8. The Company carries out audits at least every three (3) months of:
4.8.1 The assignment of remote access accounts according to the file of paragraph 4.4.
4.8.2 The changes or deactivations of the codes according to the file of paragraph 4.3.
- PES Management and Installation Policy
5.1. The company during the management and installation of PES takes all necessary measures to minimize the risk of leakage of information related to the confidentiality of communications.
5.2. Changes (insertion / modification / deletion) in the software / hardware of the PES related to ensuring the confidentiality of communications will be made without undue delay.
5.3. For any change in hardware or software, the company maintains a file that records the date, manner, justification and employee or associate who made the change. The file is updated and maintained by a specific employee of the Company.
5.4. For the Procurement − Development of Hardware and Software of PES, a procedure is followed in which the Company carries out a risk assessment to identify possible threats, weaknesses and risks regarding the confidentiality of its communications under procurement / development of PES.
5.5. In the framework of the Procurement − Development Process for hardware and software of the PES, a list of requirements is drawn up regarding the settings or characteristics of the PES under procurement / development with respect to ensuring the confidentiality of communications. The confidentiality requirements also include the minimum requirements for the configuration and management characteristics of the PES under procurement / development, and the configuration requirements for access logging and operations, so as to comply with the security specifications set by the risk assessment results and by security best practices. The records of this paragraph are approved by the competent personnel of the liable person and are kept.
5.6. The Company follows a Procedure for Testing, Accepting and Checking the Proper Operation of Hardware and Software of the PES, in which the implementation or configuration of the requirements determined at the requirements-description stage for the Confidentiality of Communications is tested and compliance with these requirements is checked. The test results are recorded and kept in a relevant file. Upon successful completion of the pilot operation, an acceptance report of the PES is prepared and signed by the involved parties, which is kept by the obligated person in a relevant file. During the initial stage of operation, the correct operation of the PES is monitored in order to detect in time any errors or security gaps. The results of these checks are recorded and kept in a relevant file.
5.7. The Company for the Supply-Development of hardware-software, Installation-Operation of hardware-software, Maintenance-Support-Operation of hardware-software and Deletion-Withdrawal of Hardware and Software PES, follows the corresponding procedures.
5.8. The Company follows the Maintenance − Support − Operation Procedure for Hardware and Software of the PES, which includes monitoring the proper operation of the PES through the control of events and alarms of each system, in order to detect any errors or security gaps without delay. The Company records and maintains in a file the actions in the operating system and in the applications of the PES, as well as the system events of the PES.
5.9. The Company follows a Procedure for Deletion − Withdrawal of Hardware and Software of the PCs, by which the Company ensures that when the hardware or software of the PCs is deleted and withdrawn, the information recorded in the equipment of the PCs (e.g. ROMs, hard drives, magnetic tapes, etc.) is permanently deleted and cannot be used by third parties. The Company maintains a log file in which the withdrawn PES are recorded. The Company also maintains a record of the deletion actions of the PES data, in which the username of the employee or associate who performs the deletion is recorded.
- Security Incident Management Policy.
6.1. The Company activates the security incident management process without delay in any case of a security incident.
6.2. The following data related to the security incident are recorded in the Security Incident Management Procedure, and a file is kept with all the records related to the security incidents, from which the execution of the respective foreseen actions is documented:
- Date, time of event and description of the incident,
- Date and time the incident was reported,
- Point at which the incident occurred (system, service, application, protocols, data type),
- Estimated cause of the incident,
- Consequences of the incident (number of users affected, type and volume of data affected),
- Data collected by the person responsible for the investigation of the incident (logs, evidence of violation, etc.),
- Information on the possible occurrence of the incident more often,
- Time to resolve the problem,
- Corrective measures and relevant timetable,
- Informing affected subscribers or other persons affected by the incident and notifying the competent authorities in accordance with applicable law,
- Possible recommendations to affected subscribers or other persons affected by the incident, in order to mitigate its negative effects.
6.3. In case of a security incident, the Company is obliged to immediately inform ADAE by submitting an immediate incident report, which will record the data defined in the Security Incident Management Procedure according to the data available at the time. After completion of the investigation of the incident, it will submit to ADAE the Final Security Incident Report, in which all the information defined in the Security Incident Management Procedure, as well as any additional information in the possession of the Company, will be recorded in detail.
6.4. The Company provides its subscribers with the opportunity to complain about the possible violation of the confidentiality of their communications via e-mail and telephone.
6.5. The Company checks at regular intervals the readiness to activate the Security Incident Management Process.
6.6. Competent executives who will be informed immediately about each security incident are the following: a. Charis Zacharakis
- Network Security Policy
7.1. The Company records the systems and mechanisms it uses in hardware and software for the purposes of the Network Security policy. The operation of the mechanisms is continuous, with the exception of the cases of scheduled maintenance or upgrade.
7.2. The Installation, updating and management of mechanisms and systems is in accordance with the principles of the PES Management and Installation Policy.
7.3. In case a mechanism or system detects an unusual event, an alert is activated and depending on its severity, the Security Incident Management Policy is activated or not.
7.4. The Company maintains a schematic network diagram, which contains the network architecture, its segmentation, the systems and the security zones that have been installed, as well as the previous versions of the said file.
7.5. The systems that contain the databases as well as the software that uses them, have been placed in internal trust zones.
7.6. The systems that provide the public with electronic communications services are placed in internal trust zones.
7.7. The systems that are not installed in internal trust networks or in a demilitarized zone use appropriate security mechanisms and the company maintains a file with a full analysis of the protection and security measures that have been implemented.
- Security Policy Implementation Control Policy to Ensure the Confidentiality of Communications.
8.1. The Company audits the implementation of the Security Policy to Ensure the Confidentiality of Communications every 2 years and covers the entire scope of application of the Policy.
8.2. The audit includes the use and examination of the log files of each PC and is performed only by specially authorized employees of the Company. Their responsibilities are described in detail in a special file, and they do not belong to the department responsible for the audited systems, nor to the development, installation or operation of the code of the systems under audit.
8.3. In the event of an audit of the implementation of the Security Policy to Ensure the Confidentiality of Communications by an external body, care is taken regarding issues of confidentiality and non-leakage of information and data, through a relevant contract. During the entire duration of the audit by the external body, a specially authorized employee of the Company is present.
8.4. The following are recorded in a relevant file for the preparation of the audit:
- Defining the system and procedures / mechanisms for ensuring confidentiality that will be checked and the checks for finding technical vulnerabilities.
- The schedule of the audit
- The collection of required information and data and
- The definition of the persons that make up the Audit Team.
8.5. The responsibilities of the Company’s employees, who carry out the audits, are defined and described in detail in a relevant file.
8.6. The findings during the audit as well as any proposed improvements or modifications are recorded in a special file maintained by the company even if there are no findings during the audit.
8.7. The assignment to one or more members of the Audit Team of access rights to software tools, systems or premises of the Company is allowed only for the period of the respective audit.
8.8. In the event that findings arise during the audit, the Company must define the required actions, such as the review of procedures, etc., the required schedule and the authorized persons. Depending on the criticality of the findings, the Company may or may not activate the Security Incident Management Policy.
8.9. The Company has and implements a procedure in which the stages of preparation, conduct, results and corrective actions of an audit are recorded, as described in this article, and maintains the respective files for all the audits performed.
- Malware Management Policy.
9.1. The Company takes all possible measures to protect PCs from malware, using Anti-Virus programs and informing its employees about the ways to protect their systems from malware and to deal with infections.
9.2. In case of detection of malware, the Company immediately evaluates the incident and depending on its criticality, activates the Security Incident Management Policy.
9.3. The Company carries out audits of the PES from time to time in order to ascertain whether unauthorized software is present.
9.4. The Company maintains a file in which the application details of the above are recorded.
- Cryptography Use Policy.
10.1. The Company uses SSH (Secure Shell) to access the PES, and only from the trusted internal network zone.
10.2. Where service users need to set passwords, these are protected by the use of SSL (Secure Sockets Layer), with certificates that may come either from a certified provider or from the Company itself.
10.3. The Company for the creation and management of the encryption keys produced by it, follows the corresponding procedures.
10.4. The encryption is applied in the PES based on the results obtained from the risk assessment according to the Information Risk Assessment Procedure.
10.5. Where algorithms and encryption systems are used, including digital signature algorithms, internationally accepted standards are taken into account.
10.6. The key length used takes into account internationally and widely accepted standards, depending on the encryption algorithm used and the results of the risk assessment, in accordance with the Information Risk Assessment Procedure.
10.7. The Company prevents unauthorized access to keys used for encryption, authentication or digital signature.
10.8. Where asymmetric cryptographic algorithms are used (a) for logical access to MRLs, (b) for encryption, or (c) for digital signature, each private / public key pair corresponds to a single user, and the corresponding private key is known only to the specific user to whom it corresponds.
10.9. In the event that the Company uses digital public key certificates, which are produced by certification service providers, it ensures that the certification service provider complies with the applicable legislation.
10.10. In case the Company generates and manages the encryption keys that are used in PES, it compiles and observes appropriate procedures for the creation, certification, distribution and revocation of the cryptographic keys.
10.11. The Company maintains a file in which the application details of the above are recorded.