HomeSecurity requirements for subcontractors

Basic information security requirements for subcontractors

Before establishing cooperation and at least once a year, the subcontractor (contractor) should review the following information:

Employee safety

  • The subcontractor undertakes to have, implement, and certify policies that include:

    • providing staff performing tasks for Euvic with information about the security requirements of cooperation with Euvic;
    • ensuring (by way of trainings) an appropriate level of information on security requirements;
    • declaring that employees performing tasks for Euvic will become familiar with security requirements.

Security of information systems

  • The security of information system environments should include:

    • data flow control ensuring no leakage and no unauthorized access to the systems;
    • separation of environments depending on the works performed with a division into environments (production, development and testing environments);
    • physical protection of systems;
    • ensuring the security of data shared or taken outside the protected area.

External media

  • The subcontractor shall:

    • have and implement policies that ensure secure and effective deletion of data from storage devices containing protected data;
    • have and implement policies that ensure secure transfer of storage devices containing protected data and their effective protection.

Remote work

    • remote access to resources may be used only for purposes and scope agreed with Euvic;
    • remote access is personal and issued to each employee of the subcontractor individually;
    • people using the content may not share or transfer it to others;
    • it is forbidden to transmit protected data provided by Euvic via unsecured public networks;
    • people using remote access must ensure that the remote computer has up-to-date anti-virus software and is not simultaneously connected to a computer network that does not meet security requirements.

Permissions management

    • granting of access rights to systems must be documented and controlled;
    • the subcontractor must provide access and control by persons having access to Euvic systems;
    • it is necessary to apply mechanisms that allow the revocation of previously granted permissions.

Termination of cooperation

  • The subcontractor is obliged to:

    • return of all assets entrusted by Euvic;
    • ensure the security of all protected information;
    • the effective destruction of information that should be deleted after the end of the contract;
    • other activities specified in the contract relating to security guarantees.

Mobile devices

  • The subcontractor ensures that the safety of work performed for Euvic carried out using mobile devices complies with the rules, which, depending on the nature of cooperation, may include:

    • physical protection requirements for mobile devices (smartphones / tablets / notebooks);
    • ability to control installed software on mobile devices;
    • management of mobile device access rights;
    • protection of mobile devices against external interference and malware;
    • appropriate encryption that ensures the security of the stored data;
    • ability to remotely manage mobile devices in a secure manner.

Transmission of information

  • Access to systems and transactions processed in them should meet two basic security requirements:

    • encryption of the connection using an SSL certificate (HTTPS) or other mechanism that ensures secure information transfer;
    • authentication and authorization mechanisms as well as policies and rules for assigning user rights.
  • In addition, the exchange of information should take place using properly secured channels. It is forbidden for the Subcontractor to perform works requiring access to and processing of protected data using unsecured public networks.

Assets

  • The Subcontractor undertakes to ensure the proper use of the assets entrusted by Euvic and ensures that:

    • users of those assets have the ability to securely use the assets provided, the data stored on them or the ability to access protected data;
    • after completing the tasks assigned, users will return the assets and, in the case of data, delete them in an effective manner.

Security incidents

  • In the event of a security incident, the subcontractor must immediately inform Euvic and take all necessary actions to minimize the impact of this incident on the operation and image of Euvic. The subcontractor should use appropriate tools to monitor events/logs and control access to them to enable the collection of evidence.

    Incidents should be reported to: abuse@euvic.pl

Backups

  • The subcontractor should ensure that backup copies of the processed information are made and protected and physically secured. In the case of cloud systems, it should document that backup copies are made, indicate the frequency and (if possible) the place of their storage.

logo Fundusze Europejskie Program Regionalnylogo Rzeczpospolita Polskalogo ŚląskieLogo UE fundusz rozwoju