1 SCOPE
This document describes PRIMEVIEW’s policy regarding the organization for the security of its information within the scope of the Integrated Management System.
2 INTRODUCTION
This Policy defines the objectives and principles for all aspects of Information Security within PRIMEVIEW and applies to all Systems, Operations, Employees, Trainees and Potential Employees of PRIMEVIEW.
3 PARTIES INVOLVED - RESPONSIBILITIES
All human resources and external partners of the company are obliged to implement this policy.
4 SCOPE / EXCEPTIONS
4.1.1 FACILITIES
The scope of the Integrated Management System covers the company’s premises at 5 Konitsis Street, P.O. Box 151 25 Maroussi, Attica.
4.1.2 FIELD OF CERTIFICATION
Market Research in Health Sector.
4.1.3 EXCEPTIONS
The exceptions to Annex A of ISO 27001:2013 are listed in the document SOA – Statement Of Applicability.
4.1.4 ORGANISATIONAL STRUCTURES
The ISMS covers all the organisational units of the company, as depicted in the company’s organisational chart.
In addition, it covers the following partners of the company, to the extent that they are involved in the processes covered by the Integrated Management System:
- Equipment Suppliers
- Suppliers / Service Providers
- External partners with whom the company cooperates within the framework of the implementation of a specific project and with whom a relevant cooperation agreement/contract is signed.
Finally, it includes PRIMEVIEW’s customers who receive services that fall within the scope of the development of its activities.
4.1.5 INFORMATION AND TELECOMMUNICATIONS INFRASTRUCTURES
The Integrated Management System shall cover the following equipment/software items:
- Information systems and applications that support corporate processes.
- Central equipment and system software.
- Users’ workstations and laptops and related software (operating system, office automation software).
- Peripheral equipment (photocopiers, multifunctional machines, printers, scanners).
- Power failure protection systems.
- Cable infrastructure, active and passive network equipment, wireless networks, air conditioners, other telecommunications equipment to the extent that they are related to the scope of the Integrated Management System.
4.1.6 DATA IN ELECTRONIC FORMAT
The company’s operation relies on maintaining and processing a range of data, both for internal use and belonging to customers. These data are mainly kept in electronic form in the company’s information systems and include (indicatively):
- General purpose files.
- Contract Documents, Project Management, Finance.
- Administrative files and documents.
- Product files and documents.
- Completed project documents.
- Documents of projects in progress.
- Contracts (projects, partners etc.).
- Documents related to labor etc.
- Payroll.
- Customer Information.
4.1.7 INFORMATION IN PHYSICAL (NON-ELECTRONIC) FORMAT
The category of non-electronic data included in the Integrated Management System includes various types of documents that are related to and affect the operation of the company (e.g. incoming documents in physical form via mail and fax, documents requiring a physical signature, project contracts, invoices, etc.). Indicative records kept in physical form are:
- Tax file (income tax, VAT, etc.).
- Invoices.
- Documents related to labor etc.
- Copies of contracts.
- Support Service Documents.
- Completed project documents.
- Documents of projects in progress.
- Customer Information.
4.2 INFORMATION SECURITY POLICY
4.2.1 STRUCTURE OF SECURITY POLICY
PRIMEVIEW’s security policy consists of:
- This general security policy, which includes the company’s objectives for the protection of its information, its management’s commitment to the implementation of the Integrated Management System, as well as the basic principles of the security policy.
- A series of individual security policies, the aim of which is to define detailed security scopes in different areas of information security.
The implementation of the security policy is supported by individual procedures and records, where required.
4.2.2 INFORMATION SECURITY OBJECTIVES
Information Security is defined in the international literature as the assurance of the following properties:
- Confidentiality: Ensuring that only those with appropriate authorisation have access to the information.
- Integrity: Ensuring that the information is complete, accurate and valid.
- Availability: Ensuring that information is available every time an authorised user attempts to access it.
In addition to the above three basic security objectives, complementary information security objectives include:
- User identification and authentication: Ensuring that the user attempting to access information/system/application is who they claim to be. This is essentially the process of verifying the user’s identity.
- Access control: Ensuring that the user attempting to access information/system/application is authorised to do so.
- Audit & monitoring: Monitoring and recording of users’ actions.
- Personal data protection: Protection of personal data and sensitive data of the individual from unauthorized collection, storage, and processing, in accordance with the applicable legislation.
- Non-repudiation: Ensuring that a user cannot deny having performed an action related to accessing/processing information/system/application.
The achievement of all the above security objectives (basic and complementary) leads to the maximum protection of information, systems, and applications.
4.2.3 MANAGEMENT COMMITMENT TO INFORMATION SECURITY
PRIMEVIEW’s Management fully recognizes the objectives of the Integrated Management System, supports the implementation of these objectives in accordance with this security policy and ensures the continuous improvement of the System.
In particular, the Company’s Management is responsible for:
- The review and approval of the security policy, both the initial version and any revision thereof.
- The control and approval of roles and responsibilities for the management of the systems.
- Monitoring significant changes in the company’s organization or infrastructure that create the need to revise the System.
- Monitoring security-related incidents.
- Taking initiatives to enhance the security of the company’s information resources by adopting additional measures.
4.2.4 ORGANIZATION OF INFORMATION SECURITY
PRIMEVIEW has defined the organizational structures and roles that are responsible for or related to managing the security of its information. Through these structures and roles, the company aims to protect its information from unauthorized access, disclosure, alteration, or destruction. The company’s information security organization has been conveyed from the company’s management to the company’s staff and partners.
4.2.5 HUMAN RESOURCES SECURITY
All company executives have an obligation to implement the company’s security policy, if they manage or are related to information resources that fall within the scope of the Management Systems, depending on their role. The company’s partners who are not part of the company’s staff have a similar obligation.
Executives (staff or associates) who have an obligation to comply with the company’s security policy must, at a minimum:
- Be aware of the company’s security objectives and policies.
- Implement the Management Systems and the prescribed security procedures.
- Use the company’s information resources in accordance with the relevant policies for proper use, where applicable.
- Be constantly alert in order to identify and report security incidents.
4.2.6 INFORMATION RESOURCES MANAGEMENT
PRIMEVIEW keeps a record of all company resources protected by the security policy. Each information resource is placed under the responsibility of a specific company executive.
4.2.7 ACCESS CONTROL
The granting of rights to the company’s executives and partners for access to information resources follows a clear and documented procedure approved by the company’s Management. Access to information resources is controlled by appropriate means and mechanisms to identify the identity of users. Users are responsible for protecting their access details to the company’s information resources.
4.2.8 PHYSICAL AND ENVIRONMENTAL SECURITY
Access to PRIMEVIEW’s premises is only allowed to persons with proper authorization and only by using the measures defined by the company. All staff areas are equipped with an appropriate air conditioning system. The central computer, network and telecommunications equipment is supported by backup sources of electricity supply.
4.2.9 OPERATIONAL SECURITY
The operating procedures of the company’s information systems have appropriate documentation, are updated in case of changes and are available to all users who need them, through the websites of the respective manufacturers. The company’s management has ensured that the systems are adequate to meet its business needs, and takes all appropriate measures to protect against malware, to deal with incidents of data loss and to fully record every action in relevant files (logs) for monitoring and control purposes.
4.2.10 COMMUNICATIONS SECURITY
The company has taken a significant number of measures to protect its network from unauthorized access. In the same way that information is protected within the company, appropriate measures have been taken to protect company information circulated via e-mail, the Internet, or other means of communication.
4.2.11 SYSTEMS SUPPLY AND MAINTENANCE
When purchasing new systems or expanding and upgrading existing systems, the company ensures the maintenance of the security level of its information resources, including, among others:
- The relevant security requirements in the specifications of the systems.
- Security clauses in contracts with system suppliers.
- Test scenarios relating to the security of systems, applied when systems are tested before they are put into operation.
4.2.12 RELATIONS WITH SUPPLIERS
In cases where the company’s suppliers gain access to the company’s resources, such access is governed by specific terms and only for the purposes provided for by the partnership.
The company informs its suppliers of their obligations regarding the protection of its information resources. Similarly, suppliers shall comply with the relevant provisions of the company’s security policy.
4.2.13 COOPERATION ARRANGEMENTS WITH EXTERNAL PARTNERS
In cases where the company’s external partners gain access to the company’s resources, such access is governed by specific terms and only for the purposes provided for by the cooperation.
The company informs its external partners of their obligations regarding the protection of its information resources. Similarly, external partners shall comply with the relevant provisions of the company’s security policy.
4.2.14 MANAGEMENT OF INFORMATION SECURITY INCIDENTS
All company executives, regardless of their position in the hierarchy and their role in the company, must report any incident related to a suspected breach, of any kind, of the security of the company’s information resources. Third parties (partners and suppliers) have a corresponding obligation, as long as their cooperation with the company includes relevant conditions.
To this end, PRIMEVIEW Management has established an appropriate security incident reporting procedure, which has been communicated to all involved parties. Also, the investigation of security incidents is carried out by the appropriate personnel of the company through a relevant process, which determines, where necessary, the security measures to be taken.
4.2.15 INFORMATION SECURITY DURING BUSINESS CONTINUITY MANAGEMENT
PRIMEVIEW attaches great importance to maintaining a satisfactory level of security while managing the impact of a security incident. In this context, it has ensured that the company’s business continuity plan includes roles, procedures and measures that ensure the desired level of security of the company’s resources.
4.2.16 COMPLIANCE
PRIMEVIEW’s policy, procedures and other security measures consider and comply with the company’s statutory, regulatory or contractual obligations. Accordingly, executives who undertake security management roles are responsible for implementing the security policy.