Introduction to Information Security
Definitions:
The term ‘Information Security’ refers to the preservation of the confidentiality, integrity, availability, and accessibility of information.
The term ‘information’ refers to any element/data subject to processing in the company’s information systems as part of its activities.
The term ‘processing of information’ (elements/data) refers to any action or series of actions, performed with or without automated means, on data or data sets (including personal data), such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of provision, alignment, combination, restriction, erasure, or destruction.
The term ‘Information Systems’ refers to individual or combinations of equipment and software used by the company for processing and sharing information.
The information processed by the company ‘Polimeros Papadopoulos Single-Member PC’ during its activities is considered a high-value asset. Therefore, all measures are taken to protect both the information and the Information Systems that allow the company to process and share this information.
At the company Polimeros Papadopoulos Sole Proprietorship Ltd, a Management System has been designed and implemented with the aim of effective management and continuous improvement of the Information Security level.
During the design of this Management System, all legal, regulatory, and contractual obligations that the company’s management commits to adhere to are taken into account.
The management of Polimeros Papadopoulos Sole Proprietorship Ltd declares its commitment to provide all the resources required for the effective implementation of the Information Security Management System and the continuous improvement of its effectiveness.
The company’s performance regarding Information Security is continuously monitored by the management as part of the Management System’s implementation, through the establishment of performance and efficiency indicators for processes and corresponding measurable objectives for Information Security.
This Information Security Policy is binding for all personnel and associates of the company whose activities may affect the company’s performance in terms of Information Security. The management of Polimeros Papadopoulos Sole Proprietorship Ltd ensures that every member of its personnel and external associates is aware of and commits to complying with this Policy.
To adhere to the principles of this Information Security Policy, the procedures and guidelines of the Management System, as well as the Job Descriptions specifying the responsibilities for Information Security, should be taken into consideration.
General Principles:
General Points:
Information Security is the responsibility of all.
The IT system of Polimeros Papadopoulos Sole Proprietorship Ltd is provided exclusively for company-related activities.
The use of the IT system of Polimeros Papadopoulos Sole Proprietorship Ltd for personal reasons (including email and internet) is prohibited. There should be no expectation of privacy when using the IT system of Polimeros Papadopoulos Sole Proprietorship Ltd.
Polimeros Papadopoulos Sole Proprietorship Ltd reserves the right to monitor every aspect of the IT system to protect its legitimate business rights. Information gathered from such monitoring may be used to initiate or support disciplinary actions.
Violation of the terms of this policy may result in disciplinary actions which, depending on the seriousness of the violation, may include:
Verbal recommendation/warning from management
Official written recommendation/warning for a serious offense
Termination due to a serious offense
Legal proceedings
Civil procedures for damage restoration
Information and material circulate on the internet that are often described as ‘elements that others may consider offensive’ and that are frequently used by malicious actors to lure internet users, with the ultimate goal of compromising their systems with malicious software. This term includes, but is not limited to:
Pornographic or sexual material
Racist, sexist, or homophobic material
References to religious/political content
Unsightly/antisocial material (such as vandalism, violence against people or animals)
Accessing websites with such content is strictly prohibited over the network or using the company’s IT equipment (it constitutes a high-risk action for information security).
Compliance actions
Prudent, careful, and deliberate use of information systems.
Immediate reporting of any incident or suspicion of an incident related to information security or facility security to the IT Department.
Principles of sound Operations and Communications Management
Standard Operating Procedures
General Points
Polimeros Papadopoulos Sole Proprietorship Ltd applies standard operating procedures for the daily maintenance of information systems and infrastructure to ensure the highest possible availability and performance of these systems.
Changes to the company’s information systems and primary infrastructure are implemented in a controlled manner for effective change management.
Development and testing environments of the systems and applications are always kept separate from the live operational environment to reduce the risk of accidental changes or unauthorized access.
Compliance actions
Issuance and implementation of appropriate standard operating procedures/instructions.
Assessment of all significant changes to information systems and primary infrastructure for their impact on information security (an integral part of risk assessment).
Segregation of the operational environment and development/testing environment with appropriate control measures, including the following:
Execution on separate computers, domains, and networks.
Different usernames and passwords.
Use of dummy (test) data and information during testing, with appropriate controls.
Assignment to personnel capable of evaluating and testing operational systems.
Design and acceptance of information systems
General Points
All components and features of the information systems equipment and infrastructure of Polymeros Papadopoulos Sole Proprietorship Ltd. are taken into account when preparing the company’s annual budget, and the necessary resources are provided for their procurement, maintenance, and replacement to always meet the requirements based on the workload and operational needs of the company.
Indicative essential components and features of the equipment and infrastructure of information systems include the following:
File servers.
Domain servers.
Email servers.
Web servers.
Printers.
Networks.
Supporting equipment (CCTV, Access Control, Server room, etc.)
Compliance Actions
All departments must inform the General Director of the requirements for new equipment/systems or upgrades, or improvements needed for existing systems.
The procurement of new equipment/systems follows the relevant standard operating procedure of the management system after approval by the General Director.
New information systems, service upgrades, patches, etc., must undergo suitable testing by the IT Department before acceptance and implementation in the live environment.
The acceptance criteria must be clearly defined, documented, and agreed upon with the supplier.
Significant system upgrades should be thoroughly tested alongside the existing system in a safe testing environment.
Protection from Malicious and Mobile Code
General Points
Polymeros Papadopoulos Sole Proprietorship Ltd. takes all necessary measures to protect the information systems and IT infrastructure, as well as the information and data they handle, against malicious software.
The operation of information systems is always underpinned by suitable and updated antivirus software on all servers and computers.
To prevent malicious software, appropriate access controls are in place (e.g., administrator rights and user permissions) so that users cannot install software themselves.
Malicious and mobile code is carried by technologies and applications commonly found in websites and emails, including (indicatively):
ActiveX.
Java.
JavaScript.
VBScript.
Macros.
HTTPS.
HTML.
Compliance Actions
The personnel and external collaborators of the company are obligated:
Not to allow situations that may lead to a compromise of the company’s IT systems by malicious software, following the relevant Standard Operating Procedures / Instructions.
To immediately inform the IT Department, and in the absence of the IT Manager, the General Director or the Security Department if they detect or suspect a compromise from malicious software in the IT system or company storage media.
Software patches are suitably applied to all network software, with a complete record of which patches have been applied and when.
Requests for software installation must only be accepted when there is technical verification by the IT Manager.
Suitable and up-to-date anti-malware software must be installed at appropriate points in the network (fixed and mobile equipment) and on guest equipment connected to the company’s network.
Backups
General Points
Polymeros Papadopoulos Sole Proprietorship Ltd. regularly takes backups of the information handled by the company to ensure that operations can effectively recover after a disaster, equipment failure, or error.
Backups are taken at a defined frequency, and full documentation of the backup process is ensured, with backup copies stored in a secure location outside of the company premises.
Within the context of the collaboration contract with any third party (e.g., external collaborators, clients) with whom the company shares information, compliance with the company’s backup and recovery procedures is ensured.
Compliance Actions
A file containing the complete backup documentation, a copy of the recovery procedure, and a complete record of system information is kept at all times in a safe location outside the company premises, with an additional copy at the primary premises.
Ensuring that the remote location is far enough to avoid being affected by any disaster occurring at the primary premises.
Regular recovery exercises from backup media are carried out to ensure the reliability of the media and storage process (at least annually and whenever deemed necessary by the IT Manager, e.g., after a significant change in the system or after a security incident, with an archive maintained documenting the results of the exercise).
Handling of Storage Media (Electronic and Printed)
General Points
The electronic storage media allowed to connect to the Polymeros Papadopoulos Sole Proprietorship Ltd. network are:
Computer hard drives (internal and external)
CD
DVD
Optical Disks
Digital Cameras
Removable storage media on computers (e.g., disks) are protected to prevent damage, theft, or unauthorized access.
Electronic storage media that are transported are protected against unauthorized access, incorrect use, or interruption.
Documentation of the system (documents and files) is protected against unauthorized access. Examples of protected documents include, but are not limited to:
Files and documentation related to the applications and programs installed on the network.
Procedures/Standard Operating Procedures and their accompanying documents/forms.
Processes.
Files and documentation related to the network structure and the organization of databases, folders, and other network elements.
Files and documentation related to authorization details and access rights.
Actions for compliance.
Access to electronic storage media and the documents of the Management System is strictly controlled only for appropriately authorized personnel.
All information is irreversibly deleted from electronic storage media that are sent outside the company for repair or maintenance. The date and time of dispatch/receipt, the responsible senders/receivers, the destination, and the reason for the transfer are recorded. If irreversible deletion is not feasible, the storage media are not sent outside the company for repair; they are replaced with others after mechanical destruction (drilling), and a destruction protocol is kept.
A file of all documented backup copies, a copy of the recovery process, and a complete record of the system’s information are kept on a backup hard drive stored at a safe location outside the company’s premises, with an additional copy in the main area.
For the disposal of useless/withdrawn documents, the municipality’s recycling bin is used after the documents have been destroyed with a shredding machine, and a destruction protocol is maintained.
Monitoring
General Points
At Polimeros Papadopoulos &amp; Co. GP, monitoring techniques are applied to achieve security and facilitate incident investigation. The audit logs contain at a minimum the following information:
System identity.
Username.
Successful/Unsuccessful login.
Successful/Unsuccessful logout.
Unauthorized access.
Changes in system configurations.
Use of privileged accounts (e.g., account management, policy changes).
Actions for compliance
Retention of audit logs for at least 6 months, recording exceptions and other security-related incidents.
Protection of audit logs from unauthorized access.
Disabling the ability of system administrators to deactivate audit logs.
Maintenance of an activity log file for IT personnel and system administrators, including:
Backup times and details (date/time/user) of backup media exchanges.
System start and shutdown times and details of the users involved.
System errors (description, date, time) and corrective actions taken.
Regular verification by authorized personnel that audit logs are properly maintained (at least monthly, with a record of the audit results and of whether there were security incidents or near misses).
Synchronization of all computer clocks with GSI time on an annual basis, to ensure the accuracy of all system audit log records and support the investigation of security incidents.
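Checking a log export against the minimum content, the retention period and the "logging must not be deactivated" rule listed above, as an added example that is not the company's own tooling: the JSON-lines format, the field names and the sample records are assumptions constructed for the demonstration.

```python
"""Audit-log compliance check for the Monitoring section of the policy.
Added example; the JSON-lines format and field names are assumptions."""
import json
from datetime import datetime, timedelta, timezone

# Minimum content the policy requires per record (assumed field names).
REQUIRED_FIELDS = ("timestamp", "system", "user", "event", "outcome")
# Event vocabulary covering the policy's minimum categories.
POLICY_EVENTS = {"login", "logout", "unauthorized_access",
                 "config_change", "privileged_action"}
RETENTION = timedelta(days=183)   # policy: at least 6 months

# Constructed sample, not real company data. Line 4 has an empty user,
# line 5 lacks the user field, line 6 shows logging being switched off.
SAMPLE_LOG = """\
{"timestamp": "2024-01-05T08:02:11Z", "system": "fs01", "user": "mkaras", "event": "login", "outcome": "success"}
{"timestamp": "2024-03-10T17:45:03Z", "system": "fs01", "user": "mkaras", "event": "logout", "outcome": "success"}
{"timestamp": "2024-06-20T09:14:55Z", "system": "dc01", "user": "itmgr", "event": "privileged_action", "outcome": "success", "detail": "group policy change"}
{"timestamp": "2024-07-01T23:59:59Z", "system": "web01", "user": "", "event": "login", "outcome": "failure"}
{"timestamp": "2024-07-02T00:00:10Z", "system": "web01", "event": "unauthorized_access", "outcome": "failure"}
{"timestamp": "2024-07-03T10:00:00Z", "system": "dc01", "user": "itmgr", "event": "audit_disabled", "outcome": "success"}
"""
NOW = datetime(2024, 7, 10, tzinfo=timezone.utc)   # assumed "current" time


def parse_timestamp(value):
    """Timestamps are UTC in ISO-8601 'Z' form (assumed log convention)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_record(rec):
    """Return the policy problems found in one record (empty list = compliant)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in rec:
            problems.append(f"missing field: {field}")
        elif rec[field] in ("", None):
            problems.append(f"empty field: {field}")
    event = rec.get("event")
    if event == "audit_disabled":
        # Administrators must not be able to deactivate logging; flag any trace of it.
        problems.append("audit logging was deactivated (forbidden by policy)")
    elif event is not None and event not in POLICY_EVENTS:
        problems.append(f"event outside policy vocabulary: {event}")
    if rec.get("outcome") not in (None, "success", "failure"):
        problems.append(f"outcome must be success/failure: {rec['outcome']}")
    return problems


def check_log(text, now):
    """Validate every line and summarise retention and category coverage."""
    records = []
    problems = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            problems[lineno] = ["unparseable record"]
            continue
        records.append(rec)
        found = validate_record(rec)
        if found:
            problems[lineno] = found
    stamps = [parse_timestamp(r["timestamp"]) for r in records if r.get("timestamp")]
    seen_events = {r.get("event") for r in records}
    return {
        "problems": problems,
        # Oldest surviving record must be at least 6 months old.
        "retention_ok": bool(stamps) and now - min(stamps) >= RETENTION,
        # Policy categories for which no record exists at all.
        "missing_event_types": sorted(POLICY_EVENTS - seen_events),
        "privileged_actions": sum(r.get("event") == "privileged_action" for r in records),
    }
```

The monthly verification the policy calls for could run this over the export and file the returned report as the audit record.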
Network Management
General Points
At Polimeros Papadopoulos &amp; Co. GP, network management is considered a critical factor for smooth and secure operation.
Connections to the company’s network are controlled.
Wireless networks operate with increased access control, only for company personnel and appropriately authorized external collaborators.
Actions for compliance
Issuance and application of procedures/guidelines with clear responsibilities and actions for the management and proper use of both fixed and mobile equipment.
Documentation of the architecture and all parts of the network and equipment components comprising the IT system, with configuration settings for all hardware and software components of the network (a catalog that is updated when essential elements are added or removed).
The company’s network is characterized by two separate VLANs, one with access only for staff and one for company systems.
Data traffic on client networks is not monitored; access is unrestricted to all websites except those containing information deemed racist, sexist, or homophobic content, materials related to terrorism with references to religious/political content, animal abuse, child pornography, and other offensive/antisocial materials (e.g., vandalism, violence against people or animals, or elements that some may find offensive).
The IT system is protected by UPS to reduce the risk of damage or information loss due to power supply voltage disturbances.
Cables that transmit data or support significant information services are protected against tapping or damage.
Power cables are separated during their routing from network cables to avoid interference.
Network cables are protected by routing channels, and paths through areas with open access are avoided.
The use of methods and encryption techniques to protect data transmitted over the network.
Ensuring that all hosts have a satisfactory level of security.
Review of network services on a semi-annual basis for operating systems and disabling all unnecessary services.
Use of encryption in wireless networks to protect transmitted information (at least WPA2).
Information security in relationships with external providers
General Points
For the provision of equipment, goods, or services that may affect the security of the information it manages (e.g., computer support, legal support, computer and telecommunications equipment, security, postal services, rental of premises), the company Polymers Papadopoulos Single Member S.A. may turn to external providers.
Before any such collaboration, the company specifies the requirements to mitigate the risk to the security of information from the access of external providers to the information.
These requirements are agreed with the external provider, and their satisfaction is monitored as part of cooperation agreements, through which the following are specified:
The concept of security (availability, accessibility, integrity, confidentiality), security requirements, and the level of security to be ensured (classification).
The precise characteristics of the equipment/software/services and acceptance criteria.
The information that the external provider will have access to and the type, methodology, and duration of access, including requirements for remote access.
The obligation of the external provider to protect the company’s information to which they have access and to comply with the provisions of this Policy and the security requirements arising from it.
Rules for acceptable and unacceptable use of information.
The risk mitigation measures that the external provider must take and how these measures are enforced.
The checks that must be carried out to verify the ongoing security of the information, including the company’s right to inspect the processes and control measures applied for the provision/cooperation.
Procedures for dealing with incidents of information security loss and provisions for addressing emergency needs, with an emphasis on requirements for notifications/disclosures and cooperation between the company and the supplier in emergency situations or incidents of information security.
The process for handling the delivery of products or services that do not comply with agreed requirements by the external provider.
Requirements for the infrastructure and facilities of the company that should be used during the provision/cooperation, as well as training, knowledge, and experience requirements for the company’s personnel involved in the implementation.
Identification details of the external provider’s staff authorized to access information or requirements for verification of education, knowledge, previous work experience, and conduct.
Provisions regarding the external provider’s ability to subcontract a part or the entire provision of the service and the conditions that will apply to it.
Requirements for information exchange and provisions for maintaining the security of information during transmission.
Legislative and regulatory requirements (data protection, intellectual property protection) and a description of how the requirements are met.
Acceptance by the external provider to submit periodic reports on the effectiveness of measures, if required.
Actions for compliance.
Signing cooperation agreements with product and service suppliers that affect the company’s information security.
Ensuring the information and consent (where required) of individuals for the processing of their personal data and maintaining a relevant record.
Annual Status Check
General Points
During the activities of Polymers Papadopoulos Single Member S.A., the IT system, resource adequacy, technical and organizational risk management measures, and overall system effectiveness for supporting the company’s activities are regularly monitored and adjusted accordingly.
Actions for compliance.
On an annual basis, an internal audit of the condition of all IT systems and infrastructure of the organization is conducted under the responsibility of the IT Department, including but not limited to the following:
A full penetration test.
A network summary identifying all IP-addressable devices.
A network analysis, including exploitable switches and gateways.
Vulnerability analysis, including patch levels, insecure passwords, and used services.
Exploitation analysis.
A detailed report with improvement suggestions.
Secure Areas
General Points
The Management of Polymers Papadopoulos Single Member S.A. takes special care for the security of the areas housing the company’s activities. The appropriate level of protection for the security of these areas is determined through a comprehensive risk assessment.
Measures for compliance.
Issuance and implementation of procedures/guidelines with clear responsibilities and actions for the security of the company’s areas and for access management to these areas.
The building has suitable access control mechanisms that include:
Placement of access control mechanisms on all accessible doors (where codes are used, they change frequently and are known only to authorized personnel).
Placement of metal bars/grilles on windows on lower floors and on any other accessible openings.
Locked doors and windows outside working hours.
Installation of an intrusion detection and alarm system that activates outside working hours.
Installation of a closed-circuit television (CCTV) monitoring system in all common areas of the company, except for the corridors leading to restrooms and locker rooms.
Installation of disaster protection system (e.g., fire, flood, vandalism).
Coverage with Private Insurance for damage caused by unauthorized access by individuals to the premises.
Maintenance of an entry-exit log for all individuals in protected areas (e.g., server room).
Every company visitor is recorded in the visitors’ book, from arrival until departure, and is accompanied by a company employee who is also recorded in the visitors’ book.
Keys to all protected areas and areas with IT equipment are centrally stored by the General Director.
The stay of staff, external collaborators, or visitors in the company’s premises outside working hours is prohibited without the approval of the General Director or the head of the department to which the employee belongs or with whom the external collaborator works.
Document and Equipment Security
General Points
The management of Polymeros Papadopoulos Single-Member Private Company takes special care of the security of documents and equipment used for processing information. The appropriate level of protection for document and equipment security is determined through a comprehensive risk assessment.
Actions for compliance
Documents in an open office are protected according to the protection provided by the building and through appropriate measures, which include:
Filing cabinets that are locked with keys kept away from the cabinets.
Locked safes.
Storage in a Secure Area with access control.
For the disposal of unused or withdrawn documents, a municipal recycling bin is used after each discarded document has been shredded, and a destruction protocol is kept.
The surfaces of desks and other furniture at employee workstations are kept free of any documents when not in use by authorized employees for each workstation (clean desk).
The screens of computer monitors at employee workstations are deactivated within a maximum of 3 minutes when not in use (screen saver setting: 3 minutes with a request for username/password entry).
All general computer equipment is located in suitable positions/areas that provide protection from:
Environmental hazards (e.g., heat, fire, smoke, water, and dust).
Theft risk.
Risk from visual contact or access by unauthorized individuals.
All information is stored in folders on the network server according to the designed folder structure, so that it can be recovered through the backup process in case of loss due to damage, malfunction, or other issues.
Documentation of the architecture and all parts of the network and equipment components comprising the information technology system and its storage, documentation of configuration settings for all hardware and software components of the network (a catalog that is updated when assets are added or removed).
The information technology system is protected by UPS to reduce the risk of damage or data loss due to disruptions in the power supply voltage of the electrical network.
Cables that transmit data or support critical information services are protected from eavesdropping or damage.
Power cables are separated during their routing from network cables to avoid interference.
Network cables are protected by conduit pathways, and pathways through areas with open access are avoided.
Equipment Lifecycle Management
General Points
The management of Polymeros Papadopoulos Single-Member Private Company, in collaboration with the IT Department and equipment suppliers, ensures that all the company’s equipment is maintained according to the manufacturer’s instructions and any internal procedures to ensure that it remains in excellent condition.
Actions for compliance
Maintenance of a record with the equipment’s history so that decisions can be made about the appropriate time for replacement as the equipment ages. The IT Department ensures that:
Requirements for warranties, good operation, and technical support are determined during equipment and software procurement agreements.
The frequency of checks/maintenance is specified, necessary related tasks are described, and they are consistently implemented.
A copy of the manufacturer’s instructions for each piece of equipment is maintained (available to support personnel for use when programming and performing repairs).
A detailed record is maintained of the actions for inspection/maintenance/repair and the recording of error details, interruptions, and required/implemented actions.
An appropriate call-out procedure is implemented in case of damage, malfunction, or IT system failure, in which only authorized technicians perform tasks related to the information technology system.
There is complete and sufficient licensing for the software installed on the company’s IT system.
The use of the company’s IT system equipment outside the company’s premises is prohibited without the approval of the General Director.
All information is irreversibly deleted from electronic storage media that are sent outside the company (e.g., returned at the end of a leasing agreement or sent for repair), and a record is kept of the date and time of dispatch/receipt, the parties responsible for dispatch/receipt, the destination, and the reason for the transfer. If irreversible deletion is not feasible, the storage media are not sent outside the company for repair; they are replaced with others after mechanical destruction (e.g., drilling), and a destruction protocol is kept.
Access to the IT System
General Points
The management of Polymeros Papadopoulos Single-Member Private Company, in collaboration with the IT Department, ensures that access to the IT system is allowed only for authorized users.
Actions for compliance
For the smooth and secure operation, procedures/standard operation guidelines for user access control are issued and implemented, covering all stages of user activities, from initial registration of new users to the final deletion of users who no longer require access, ensuring the following:
Authentication of individual users (not user groups, not general accounts).
Protection concerning password retrieval and security details.
Monitoring of access systems and recording at the user level.
Role management so that functions can be performed without sharing passwords.
Accounts and permissions for “system administrators” are provided only to the Head of IT and the General Manager.
Each user has access and rights for using the IT system:
  Depending on the tasks they perform.
  Using a unique username that:
    is not shared with other users;
    has not been given to another user in the past.
  Using a unique password that:
    is known only to the user;
    consists of at least 8 characters, including at least one digit and one symbol;
    must be entered at each login, as required by the system;
    must be changed after 30 days, as required by the system;
    can be changed at the user’s discretion whenever there is suspicion or certainty that it has been compromised by another person;
    cannot be bypassed (the administrator cannot hide or remove the password settings without the bypass being recorded, and after any bypass the system requires the user to set a new password).
  Through a login process that includes:
    an initial login screen that makes it clear that only authorized users are allowed;
    no display of previous login information, e.g., the username;
    masking of the password characters with symbols during typing;
    locking of the account after 2 unsuccessful attempts.
Access rights to the company’s computer systems are granted and modified upon request of the user to the General Manager and with a written approval after consultation with the head of the department under which the user works.
They are reviewed at regular intervals (at least every 6 months) to ensure that they always correspond to authorized users and their tasks.
They are immediately terminated when the company’s cooperation with an employee or external collaborator ends (before the last working day of the cooperation).
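The username, password and login rules of the access-control section above, modelled in code as an added example (not the company's own access-control system): the class names, the PBKDF2 storage scheme and the status strings returned by login are assumptions.

```python
"""Access-control rules from the policy's "Access to the IT System" section.
Added example; class and method names are assumptions."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 8                         # policy: at least 8 characters
MAX_PASSWORD_AGE = timedelta(days=30)  # policy: change after 30 days
MAX_FAILED_ATTEMPTS = 2                # policy: lock after 2 unsuccessful attempts
PBKDF2_ROUNDS = 100_000                # assumed hashing cost


def password_meets_policy(password):
    """Return the list of policy rules the password violates (empty = OK)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isdigit() for ch in password):
        violations.append("no digit")
    if not any(not ch.isalnum() and not ch.isspace() for ch in password):
        violations.append("no symbol")
    return violations


class UsernameRegistry:
    """Usernames are unique and never re-issued, even after a user leaves."""

    def __init__(self):
        self._ever_issued = set()

    def issue(self, username):
        if username in self._ever_issued:
            raise ValueError(f"username {username!r} was already issued")
        self._ever_issued.add(username)
        return username


class Account:
    def __init__(self, username, password, now):
        self.username = username
        self.failed_attempts = 0
        self.locked = False
        self.must_change = False
        self.events = []   # every administrative bypass is recorded here
        self._store(password, now)

    def _store(self, password, now):
        bad = password_meets_policy(password)
        if bad:
            raise ValueError("password rejected: " + ", ".join(bad))
        self._salt = os.urandom(16)
        self._hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)
        self.password_set_at = now

    def _verify(self, password):
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self._hash)

    def set_password(self, old, new, now):
        """User-initiated change, allowed at any time (e.g. suspected compromise)."""
        if not self._verify(old):
            return False
        self._store(new, now)
        self.must_change = False
        return True

    def admin_reset(self, temporary_password, now, admin):
        """Administrator bypass: recorded, and the user must set a new password next."""
        self._store(temporary_password, now)
        self.events.append((now, f"password reset by {admin}"))
        self.must_change = True
        self.locked = False
        self.failed_attempts = 0

    def login(self, password, now):
        """Password is required at every login; returns a status string."""
        if self.locked:
            return "locked"
        if not self._verify(password):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
                return "locked"
            return "bad_password"
        self.failed_attempts = 0
        if self.must_change or now - self.password_set_at > MAX_PASSWORD_AGE:
            return "change_required"
        return "ok"


def demo():
    """Walk one account through the policy's rules; returns the observed results."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    registry = UsernameRegistry()
    registry.issue("mkaras")
    try:
        registry.issue("mkaras")
        reuse = "allowed"
    except ValueError:
        reuse = "refused"
    acct = Account("mkaras", "Correct-Horse9", t0)
    lockout = [acct.login("wrong", t0), acct.login("wrong", t0), acct.login("Correct-Horse9", t0)]
    acct.admin_reset("Temp-Pass1", t0, "it-manager")
    after_reset = acct.login("Temp-Pass1", t0)
    acct.set_password("Temp-Pass1", "Correct-Horse9", t0)
    return {"reuse": reuse, "lockout": lockout, "after_reset": after_reset,
            "day10": acct.login("Correct-Horse9", t0 + timedelta(days=10)),
            "day31": acct.login("Correct-Horse9", t0 + timedelta(days=31)),
            "bypasses_recorded": len(acct.events)}
```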
Software
General Points
All software installed on the information system equipment of Polymers Papadopoulos SA is fully and adequately licensed. Management ensures that information is processed only with software that is installed on the company’s information system equipment.
Actions for compliance
It is forbidden to process information related to the company’s activities in software that is not installed on the company’s information system equipment.
The procurement of software that is installed on the company’s information system equipment is approved by the General Manager after consultation with the Head of IT.
The software installed on the company’s information system equipment is registered in the name of Polymers Papadopoulos SA and the department for which it will be used (under no circumstances in the name of individual users to avoid problems and information security risks in case of termination of cooperation with the user).
With the responsibility of the Head of IT, a continuously updated catalog of all software that has been installed on the company’s information system equipment is drawn up, which includes:
Software that may have been downloaded and/or purchased from the Internet, Shareware, Freeware, and Public Domain Software.
The title and publisher of the software.
The serial number of the software product.
The date and source of software acquisition.
The point of the information system where each copy is installed, with reference to the serial number of the hardware on which each copy has been installed.
The existence and location of backup copies.
Details and duration of support agreements for software upgrades.
Software in Local Area Networks or on multiple machines is used only according to the granted license.
Software on the company’s information system equipment is installed/parameterized/configured/modified/upgraded only with the responsibility or after the approval of the Head of IT as soon as the registration requirements are met.
It is forbidden to install personal or unwanted software (e.g., games, wallpapers, etc.) on the company’s information system equipment (it is a high-risk action for information security).
The company’s information system has a mechanism to control and monitor changes in software installed on the system elements. The Head of IT immediately reports to the General Manager when unauthorized changes are detected, which, within the framework of the information security management system, are treated as security breaches.