Security Measures
Data Protection Measures
Method of Securing Premises
Paper documents containing personal data are stored in lockable non-metallic cabinets, to which only authorized employees have access.
A Clear Desk and Clear Screen Policy has been implemented.
Employees have been instructed that documents must not be left unattended, and this prohibition is enforced.
Rooms where personal data sets are processed are equipped with a burglary alarm system (Intrusion Detection System).
Access to rooms where personal data is processed is restricted to authorized persons and is enforced via a multi-level access control system (control of building entry, access to floors, and office rooms based on employee ID cards).
Access to rooms where personal data sets are processed is controlled by a monitoring system using industrial cameras (CCTV).
Office entry is covered by an access control system (identification via employee ID card).
Access to rooms where personal data sets are processed is supervised 24/7 by security services.
A single designated area has been allocated for printing and scanning documents. Printers are located in the employee zone, behind the security gates, the elevator, and the office entrance protected by magnetic card access.
A "no tailgating" policy has been introduced and communicated to employees, along with the use of self-closing doors.
Rooms where personal data sets are processed are secured against fire hazards via a fire suppression system and/or standalone fire extinguishers.
Documents containing personal data, once no longer needed, are destroyed using document shredders (P3 security level).
A reception desk and a Guest "Entry/Exit" Log are in place.
Organizational Measures
Personnel employed in data processing have been familiarized with regulations regarding personal data protection.
Personnel employed in personal data processing have been trained in IT system security.
Personnel employed in personal data processing have been obligated to maintain data confidentiality.
Computer monitors used for processing personal data are positioned in a manner that prevents unauthorized persons from viewing the processed data.
Personal data is not made available by employees to unauthorized persons during the performance of duties (e.g., retrieving personal data for a VAT invoice in the presence of another client).
Policies and procedures regarding incident response and documentation have been introduced.
A Personal Data Protection Policy and an Instruction for Management of the IT System used for personal data processing have been implemented.
An Integrated Management System (IMS) compliant with ISO 27001, ISO 22301, and ISO 27018, along with the associated information classification system, has been implemented.
The principle of accountability is applied to demonstrate that administrative activities related to ensuring security are being performed.
An inventory of equipment processing personal data is maintained.
Incidents regarding personal data security are logged.
A Record of Processing Activities and a Record of All Categories of Processing Activities are maintained. Additionally, Technical and Organizational Measures are updated in the event of changes.
Personalized authorization for data processing specifies the scope, systems, and categories of data processed by the employee.
A registry of authorizations for processing various categories of personal data by employees is maintained (updated on an ongoing basis).
Phishing simulations are conducted to increase employee awareness.
Periodic reviews of the privileges of persons authorized to process personal data are conducted, as are internal audits of the functioning of GDPR within the organization.
Remote work rules have been formalized in dedicated Regulations.
A password policy has been implemented, regulating, among other things, minimum length in Vercom systems and the necessity of using special characters.
Hardware and Telecommunications Infrastructure Measures
Personal data sets are processed using portable computers (laptops), the hard drives of which are additionally encrypted.
Computers used for processing personal data are connected to the local computer network via VPN. Additionally, Multi-Factor Authentication (MFA) using Cisco Duo is applied for portable computers.
UPS devices, power generators, and/or a dedicated power grid are used to protect the IT system used for processing personal data against the effects of power failures.
Access to the operating system of the computer where personal data is processed is secured via an authentication process utilizing a user ID and password.
Measures have been applied to prevent the making of unauthorized copies of personal data processed using IT systems.
System mechanisms forcing periodic password changes have been applied.
A system for logging access to the system/personal data set has been applied.
Cryptographic data protection measures are applied for personal data transmitted via telecommunication channels.
Access to telecommunication transmission means is secured via authentication mechanisms.
Disk arrays (RAID) are used to protect personal data against the effects of disk storage failure.
Protection measures against malware (such as worms, viruses, trojans, rootkits) are applied.
A firewall system is used to protect access to the computer network.
A mechanism for automatic locking of access to the IT system used for processing personal data in case of prolonged user inactivity has been applied.
Encryption of data carriers is applied, particularly hard drives in portable computers.
A strict prohibition on BYOD (Bring Your Own Device) and BYOAI (Bring Your Own AI) has been introduced throughout the organization.
VLAN separation has been implemented: the "Guest Wi-Fi" network is separated from the corporate network.
Wi-Fi security measures have been introduced (WPA3, strong password).
A procedure regarding the loss/theft of company equipment and magnetic cards has been introduced.
Company data is backed up and stored in secure Data Centers (see below).
Backups are stored on different servers than those used in production for the ongoing operation of applications. Additionally, restoration tests are performed periodically.
A mechanism for monitoring and managing system updates on employees' portable devices has been introduced.
Blocks and restrictions regarding the use of USB devices on employees' portable devices are applied.
Access to data folders is based on employee privileges (e.g., the HR department does not have access to Sales department folders).
Software Tools and Database Security Measures
Measures enabling the definition of access rights to a specific scope of data within the processed personal data set (Role-Based Access Control) have been applied.
Access to the personal data set requires authentication using a user ID and password.
Screen savers (auto-lock) have been installed on workstations where personal data is processed (set to 5 minutes).
Backups are performed and stored on Vercom S.A. servers in secure Data Centers (see below).
Updates of applications and operating systems are performed.
Internal and external penetration tests as well as automatic vulnerability scans are conducted (SIEM/Wazuh, integration with CERT Polska).
Regular testing, measuring, and evaluating of the effectiveness of technical and organizational measures (audit) is conducted.
A prohibition on sharing administrative accounts has been introduced.
Encryption in transit (TLS) has been introduced for services, mail, and client portals.
Encryption of attachments/sensitive data (such as passwords/Personal Data) when sending via email has been introduced (policy and tools: Kleopatra, PGP keys).
A prohibition on sending company data by employees to their private email inboxes is in force.
Data Loss Prevention (DLP) measures regarding emails and attachments have been introduced.
Access
VERCOM conducts risk analysis and implements appropriate controls in its systems before access to data is obtained. These controls combine legal, technical, physical, procedural, and human layers to prevent unauthorized misuse, destruction, disclosure, or modification of data.
The premises, facilities, or buildings housing information, IT systems, or other network infrastructure are protected by physically robust means and by appropriate risk-based security measures.
Formal procedures for granting access to data have been introduced.
Access to data is granted exclusively to authorized employees.
Access is granted based on the Principle of Least Privilege (also known as the "need-to-know" principle), minimizing access to what is necessary and justified, directly resulting from the employee's scope of duties.
Access to data may be granted only to an identified natural person with associated individual user accounts, and audit trails of these activities must be logged and made available upon request. The use of privileged access rights and non-personal (generic) accounts is restricted and controlled.
Data is made available on a "need-to-know" basis. Users or clients (external or internal) must not have the possibility to access data that does not concern them.
Portable media are secured via encryption and appropriately labeled.
Multi-Factor Authentication (MFA) is implemented for all authorized access.
A periodic review of access is conducted at least annually.
Responsibility
An identifiable person or automated process is responsible for every access to Client data.
Formal processes for granting, revoking, or modifying access to data are in place. All such activities are logged.
Systems, hardware, and software used for data processing are maintained in accordance with these security requirements.
Incident Response and Reporting
All detected security incidents and data breaches affecting Client data or services provided to the Client must be reported by VERCOM without undue delay, in accordance with the Incident Procedure.
The notification of a personal data breach shall contain at least the following information:
The nature of the personal data breach;
The nature (categories) of the personal data concerned;
The categories and approximate number of data subjects concerned;
The approximate number of personal data records concerned;
Measures taken to address or mitigate the data breach;
Possible consequences and adverse effects of the data breach; and
Any other information that the Client is obliged to report to the relevant regulatory authority or data subject.
Employment Screening
VERCOM applies employment screening (background checks) for employees, which includes verification of employment references, appropriate qualifications, and the following matters:
Identity verification document (e.g., passport).
Document confirming educational background (e.g., diplomas/certificates).
Document confirming professional experience (e.g., CV/Resume and references).
Signing of a statement of no criminal record by the employee.
Business Continuity and Backups
VERCOM maintains a Business Continuity Plan (BCP) containing appropriate sections regarding incident and crisis management, resilience, backups, and disaster recovery procedures, which are subject to review and testing at least annually.
VERCOM securely stores copies of current, essential system software, images, data, and documentation to ensure rapid and controlled recovery of information assets.
Data Integrity, Change, and Vulnerability Management
All user-supplied input data must be validated to maintain data integrity.
A formal Change Management process has been implemented.
Vulnerability and patch management has been implemented, incorporating regular updates to ensure continuous system integrity and timely mitigation of new security threats.
Strict separation of production data from development or test environments is required. Storing production data in any non-production environment, such as development or test environments, is not permitted.
Penetration tests are performed at least annually, and a summary of results is provided to the Client upon request.
Encryption
Data in transit is encrypted using the SSL/TLS protocol. Long-term data storage in the form of backups is fully encrypted. Operational data is not encrypted due to performance optimization reasons.
Antivirus Protection
VERCOM continuously raises user awareness and implements appropriate controls and policies regarding detection, prevention, and recovery in the event of malware (viruses, malicious code).
VERCOM conducts periodic employee training in this area.
Legal Responsibility
Full compliance with GDPR provisions and other applicable laws, regulations, and contractual obligations is required.
Security Training
All employees with access to data or information are required to undergo appropriate security training.
Vercom verifies employees' knowledge levels following training.
Asset Ownership
All information assets (data, systems, processes, etc.) must have a defined responsible owner within VERCOM.
Upon completion of commissioned activities or when data is no longer needed for processing activities, it shall be returned to the Client and securely destroyed.
Non-Repudiation
Controls must be implemented to ensure that actions and events have legal effect and cannot be challenged or denied (repudiated) by VERCOM, and that actions meet the requirements of responsible persons at VERCOM, including the Representative and the DPO.
Periodic Review
Vercom conducts a periodic review of access, security controls, and risk at least annually to guarantee that asset security is not compromised.
Right to Audit
The Client and its affiliates have the right, during the term of the agreement with VERCOM, to conduct a security assessment at an agreed time and scope, to ensure an appropriate level of data protection. The assessment covers technical, physical, procedural, and human measures and controls.