Privacy Policy

1.     Purpose and Scope

The operation of FOUND.ATION MAKER’S PLACE P.C (“the Company”) relies heavily on its physical assets as well as on the digital databases and IT equipment used to collect, store and manage information. For this reason, the Company is vigilant in preserving the security of its databases and technology infrastructure against any security breach or unauthorized disclosure of information. Such a breach or disclosure, whether caused by human error, outside attack or system malfunction, could cause significant financial damage, put the Company’s reputation at risk and hamper its efficiency. Everyone, from the Company’s customers and partners to its employees and contractors, should be able to trust that their information is safe.

In light of the above, the Company’s IT department, in cooperation with its Legal team and with the support of the Company’s Management, has developed and maintains the present Information Security Policy, reviewing it regularly and whenever necessary. The Policy (a) outlines the security measures implemented to protect the Company’s assets from cyber threats, human error or any other action that may affect their confidentiality, integrity and availability, and to minimize the exposure of IT equipment to computer viruses and other malicious software, (b) describes the processes followed to control access to and management of the Information Systems, and (c) gives employees instructions that help prevent and mitigate security risks and threats to the Company’s information and information systems.

This Information Security Policy applies to all Company departments and serves as a general guide for all Company employees (full-time and part-time), independent contractors and consultants, including anyone who has permanent or temporary access to the Company’s systems and hardware, regardless of their place of work (“Employees”). Furthermore, since the Company acts as an incubator for other enterprises which use and have access to the co-working spaces on the Company premises, the present Policy is disclosed to and also extends to all employees, independent contractors, consultants and similar persons of such legal entities.

The Information Security Policy applies to all computer and network systems owned, administered or licensed by the Company, as well as to any platforms (operating systems), application systems and the information handled by them (“Information Systems”).

2.     Roles and Responsibilities

All Company personnel are responsible for implementing this Policy as it applies to their activities.

The Company IT team is responsible for communicating this Policy to all employees and monitoring its proper implementation, as well as for implementing the technical measures and controls described in this procedure and ensuring the orderly operation of the Information Systems.

3.     Asset Classification

The Company maintains an inventory of all information assets on its premises and updates it as assets change. An asset is any item of hardware, system or application software, software-dependent system, network or database. The inventory is organized in the following categories:

  • Computer Equipment: workstations, laptops; printers, copying machines;
  • Network Equipment: switches; routers; firewalls;
  • Mobile Storage Media: USB drives;
  • Software: operating systems; other applications;
  • IT Data: databases (OneDrive, Microsoft, Eventora, Moosend);
  • Network Utilities: telecommunications; power supply network; air conditioning; UPS.

4.     Access Management

Access to Information and Information Systems is granted only to authorized users strictly on a “need-to-know” basis, namely to Employees who have a legitimate business need to access the information depending on their job duties, project responsibilities and other business activities.

All employee accounts must be requested by the Leader of his/her team by filling out a form with all access privileges the new Employee will need. The Company’s IT department or the appointed technical information system administrator creates and provides credentials for the authorized Employees, which include a user ID (e.g. e-mail account) that is unique to each individual user for the purpose of providing individual accountability as well as individual user passwords. 

 

Employees Password Policy:

 

Each Employee is personally responsible for the use of his or her user ID and password and must follow a sound password construction strategy. Passwords must conform to the rules contained in the present Policy, specifically:

  • All user-chosen passwords must contain at least 8 characters and must be a mix of uppercase and lowercase letters, numbers and symbols;
  • All user-chosen passwords must not consist of, or otherwise contain, words that can be found in a dictionary, nor an obvious keyboard sequence (e.g. qwerty);
  • All user-chosen passwords must not include data that can be easily guessed, such as personal information about the user, family members’ names, pet names, birthdays, addresses, phone numbers, etc.;
  • Each access touchpoint must enforce a session time-out (between 15 minutes and 1 hour, depending on the system);
  • All password-protected systems must be configured to lock the user account after five (5) unsuccessful login attempts;
  • All passwords must be changed promptly if they are suspected or known to have been disclosed to unauthorized parties. All employees must be forced to change their password at least once every 180 days, or at more frequent intervals, and reuse of any password used in the previous 6 months is not allowed;
  • Employees must always choose different passwords for the Company systems and for any external services or personal accounts they have;
  • All employees are instructed to use LastPass (https://www.lastpass.com) to manage their passwords securely.

Network Devices, Passwords and Administrative Accounts:

The following rules apply to the construction of passwords for network devices and administrative accounts on premises such as Routers and Firewalls.

  • Passwords must be at least 12 characters long;
  • Passwords must consist of a random mix of letters (upper and lower case), numbers and special characters;
  • Administrative passwords must be changed every 6 months;
  • If any network device password is suspected to have been compromised, all network device passwords must be changed immediately;
  • Administrative passwords must not be the same across different systems and/or accounts;
  • If a Company network or system administrator leaves the Company, all passwords to which the administrator could have had access must be changed immediately;
  • All vendor default passwords must be changed when new devices are put into service;
  • The above rules also apply to any Employee who has access to administrative passwords because of his/her position in the Company.
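The following is an added example, not part of the Company’s policy or tooling, showing how the user-password rules above (length, character mix, dictionary words, keyboard sequences, personal data, lockout after five failures, 180-day rotation, no reuse within 6 months) and the 12-character minimum for administrative accounts could be enforced in code. The word list, keyboard rows, user names and passwords are constructed for the example; a real deployment would use a full dictionary and its own directory data.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Constructed word list standing in for a real dictionary (assumption for this example).
DICTIONARY = {"password", "welcome", "summer", "winter", "company", "maker", "letmein"}
# Keyboard rows used to spot obvious sequences such as "qwerty" or "asdf".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_keyboard_sequence(pw, run=4):
    """True if pw contains `run` adjacent keyboard characters, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False


def check_password(pw, personal_terms=(), admin=False):
    """Return the list of construction rules the password violates ([] = acceptable).

    admin=True applies the 12-character minimum for network device / admin accounts.
    personal_terms holds strings (name, pet, birth year...) that must not appear.
    """
    problems = []
    min_len = 12 if admin else 8
    low = pw.lower()
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not all(re.search(c, pw) for c in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")):
        problems.append("must mix upper-case, lower-case, digits and symbols")
    if any(word in low for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if has_keyboard_sequence(pw):
        problems.append("contains a keyboard sequence")
    if any(t.lower() in low for t in personal_terms if len(t) >= 3):
        problems.append("contains personal information")
    return problems


def _digest(pw, salt):
    # Only salted PBKDF2 digests are kept; the plaintext is never stored.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


class Account:
    """Minimal account record enforcing the lockout, rotation and reuse rules."""
    MAX_FAILURES = 5
    MAX_AGE = timedelta(days=180)
    REUSE_WINDOW = timedelta(days=183)   # "previous 6 months"

    def __init__(self, user_id, personal_terms=(), admin=False):
        self.user_id = user_id
        self.personal_terms = personal_terms
        self.admin = admin
        self.failures = 0
        self.locked = False
        self.history = []   # (salt, digest, set_at), newest last

    def set_password(self, pw, now):
        """Apply the construction rules plus the 6-month reuse ban; return violations."""
        problems = check_password(pw, self.personal_terms, self.admin)
        for salt, digest, set_at in self.history:
            if now - set_at <= self.REUSE_WINDOW and hmac.compare_digest(_digest(pw, salt), digest):
                problems.append("reuses a password from the previous 6 months")
                break
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _digest(pw, salt), now))
        self.failures = 0
        self.locked = False   # an administrator-assisted reset clears the lock (assumption)
        return []

    def password_expired(self, now):
        """True when the current password is older than 180 days (caller forces a change)."""
        return not self.history or now - self.history[-1][2] > self.MAX_AGE

    def authenticate(self, pw, now):
        """Verify pw; lock the account after MAX_FAILURES consecutive failures."""
        if self.locked or not self.history:
            return False
        salt, digest, _ = self.history[-1]
        if hmac.compare_digest(_digest(pw, salt), digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
        return False


def run_demo():
    """Walk one constructed account through the rules and return what was observed."""
    t0 = datetime(2024, 1, 1)
    acct = Account("alice", personal_terms=("Alice",))
    first = acct.set_password("Tr0ub4dor&3x!", t0)             # []
    ok = acct.authenticate("Tr0ub4dor&3x!", t0)                 # True
    for _ in range(Account.MAX_FAILURES):
        acct.authenticate("wrong guess", t0)
    locked = acct.locked                                        # True after 5 failures
    t1 = t0 + timedelta(days=30)
    reuse = acct.set_password("Tr0ub4dor&3x!", t1)              # reuse within 6 months
    personal = acct.set_password("Alice2024!!x", t1)            # contains the user's name
    changed = acct.set_password("Gr33n-K3ttle+9", t1)           # []
    expired = acct.password_expired(t1 + timedelta(days=181))   # True
    return {"first": first, "ok": ok, "locked": locked, "reuse": reuse,
            "personal": personal, "changed": changed, "expired": expired,
            "unlocked": not acct.locked}


if __name__ == "__main__":
    print(run_demo())
```

The substring checks for dictionary words and personal data are deliberately case-insensitive; the keyboard check also catches reversed runs such as "ytrewq". Exposing `password_expired` rather than refusing expired passwords inside `authenticate` lets the login flow force a change instead of silently locking the user out.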

Password Confidentiality:

Passwords are considered confidential data and must be treated with the same discretion as any other proprietary Company information. The following rules apply to the confidentiality of Company passwords. Employees must not:

  • Disclose their passwords to anyone, including fellow co-workers, supervisors or family;
  • Write down their passwords and leave such notes unsecured. Passwords must not be stored in readable form without access control, or in other locations where unauthorized persons might discover them. All passwords must be strictly controlled using either physical or computer security controls;
  • Tick the “save password” box when authenticating to applications on a workstation shared with other Company employees;
  • Send passwords by e-mail in clear text. If a password must be distributed by e-mail, the message must be sent encrypted and deleted after receipt.

A.     Access Authentication

The IT department is responsible for administering allocated and authorized user and group rights in conformity with the present Information Security Policy. Each user accesses data and information according to the authorization profile configured by the IT team or by the respective Team Leader/Manager.

B.      Account Set Up

During initial account setup, the following checks must be performed to ensure the integrity of the process:

  • When a user is first created, the following accounts are set up:
      - Microsoft 365 account
      - Eventora
      - Moosend
      - Tandem
      - Monday
      - Workable (accessed only by the Management)
  • Access to sensitive systems and applications is granted only to authorized users;
  • Users are granted the least amount of network access required to perform their job function, according to the need-to-know and need-to-use principles;
  • All accounts are password protected. Accounts are for individuals only; account sharing and group accounts are not permitted;
  • Occasionally guests will have a legitimate business need for access to the corporate network. When a reasonable need is demonstrated, temporary guest access is allowed. This access must be restricted to only those resources the guest needs at that time, and disabled when the guest’s work is completed.

 

C.      Account Termination

When managing network and user accounts, it is important to stay in communication with the HR department so that when an employee no longer works at the Company, that employee’s account can be disabled. HR must notify the IT team of any staffing change, including employment termination, employment suspension, or a change of job function (promotion, demotion, suspension, etc.). Accounts of users who have left the Company must be deactivated.

5.     Physical Security

Core network computer equipment must be housed in a controlled and secure environment. The Company maintains a secure equipment closet (“box”) which remains locked and can be accessed only by restricted personnel whose job requires it. The Company’s offices have a receptionist who regulates the entry of staff, clients and visitors and ensures that no unauthorized person can enter the Company offices, always in compliance with local labour regulations. Employees can enter the premises only with the magnetic card provided to them. Furthermore, the Company premises have an alarm system, CCTV security cameras, a fire protection system and a night guard. Each month, a security technician appointed by the Company visits the premises to verify that all security measures are being followed and, when necessary, provides Company employees with relevant instructions and recommendations.

6.     Network Security

The company’s main software (all third-party software) is listed below:

  • Microsoft 365 Account
  • Eventora
  • Moosend
  • Tandem
  • Monday
  • Workable (only accessed by the Management)

Software Protection Mechanisms include:

  • Application access through a username/password pair;
  • Each application user has a unique username/password combination for accessing the application;
  • Configurable password lifetime and expiration policy;
  • Authorized access to classified information. Each user accesses data and information according to the authorization profile configured by the administrator;
  • Data export. Where software provides data export functions in various formats (e.g. to satisfy GDPR requests from Data Subjects), only authorized users may export or download data;
  • The Company server is the main data repository of the Company and, as such, is the most protected part of the system against common threats. Data files are organized in folders on the server and shared with Microsoft Networking;
  • The mail server has anti-spam and mail filtering solutions installed. Network servers, including those meant to accept public connections, are protected by a firewall or access control list and by antivirus software;
  • All Company-provided user workstations have antivirus/anti-malware software installed;
  • Patches, updates and antivirus signature updates are installed in a timely manner, either automatically or manually. On-premises antivirus software is updated automatically;
  • Only legally licensed software is used. Software that is not licence compliant is brought into compliance promptly or uninstalled;
  • Users are not permitted to install new software;
  • Software is kept up to date by installing new patches and releases from the manufacturer in order to remove critical security vulnerabilities;
  • System and application software that is no longer required is decommissioned.

7.     Logs

Logs of all inbound access into the Company’s internal network from systems outside its defined network perimeter must be maintained. All system and application logs must be stored in a form that cannot be readily read by unauthorized persons.

8.     Business Continuity – Incident Management – Back up Procedures

Data to be backed up will include:

  • All data determined to be critical to company operation and/or employee job function;
  • All information stored on network servers, which may include web servers, database servers, domain controllers, firewalls, and remote access servers and corporate file server(s). 

Backup frequency is critical to successful data recovery. The Company has determined that the following backup arrangement allows for sufficient data recovery in the event of an incident:

  • The Company uses Microsoft OneDrive as its information backup system.

Personal Backup

Personal computer users must not keep any data relevant to work and current projects permanently on their local hard drives; they must store it in their personal area on the Company file system instead. The Company file server has standardized backup routines designed to prevent data loss. Temporary local storage of data is permitted until the end of each working day, at which point the data must be transferred to the Company file server.

Vulnerability Assessment

The Company runs periodic vulnerability scans at least annually. Findings from these scans are addressed according to the risk they pose. The Company uses the Common Vulnerability Scoring System (CVSS) to help set patching priorities and deadlines.

Incident management

The Company has appropriate mechanisms in place to detect whether a breach incident is connected to or affects any Company Information. Online servers undergo human inspection and receive security updates routinely every month. Furthermore, an automated active monitoring system is in place to alert security personnel on a 24/7 basis to potential security breaches or situations that could lead to loss of data.

All Company Employees are trained adequately in order to be able to identify simple security incidents. Any Employee who becomes aware of an Information Security Incident must promptly inform the IT Department (using the Incident Report Form 1 that is attached as Annex 1 to the present Policy) which will then immediately start the investigation process in order to minimize the impact of the Information Security Incident on the affected system. Together with the IT Department, any detected or reported incidents must be reported also to the Company CEO and the Legal team and must be handled according to ISO 27001:2013 standards and any applicable data protection legislation in case they involve breach of personal data.

More specifically, the IT department should review the received Incident Report Form 1 and fill in the Incident Report Form 2 (attached as Annex 2 to the present Policy) before proceeding with the following processes:

Collection of Evidence Procedure

All information gathered while responding to an information security or personal data incident is potentially evidence to be used in a disciplinary, criminal or civil action. The IT department is responsible for collecting and retaining information about information security and personal data incidents. The guidance of law enforcement bodies or of the Company’s lawyers must be sought and followed regarding evidence collection and retention. Furthermore:

  • All original paper documents should have attached to them a statement describing precisely where and under what conditions the document was found, who found it and who witnessed the event, together with a machine date-stamped photocopy of the document showing its original state;
  • The original computer media should be removed and retained securely, and copies of information on hard drives, in memory or on removable media should be taken with a witness present, keeping a log of all actions during the copying process;
  • Paper documents and magnetic media must be kept securely.

In case a Security Breach Incident involves Personal Data

The Company maintains a regulatory process for reporting personal data breaches to the Supervisory Authority (according to Article 33 of the General Data Protection Regulation) and for notifying the individuals concerned about a personal data breach (according to Article 34 of the General Data Protection Regulation). If a personal data breach is suspected, the Company’s appointed Data Protection Officer (DPO) must be informed immediately, together with all the aforementioned parties (IT department, Company CEO, Legal team). A breach is always to be assumed if a security deficit leads to the destruction, loss, alteration or unauthorized disclosure of, or unauthorized access to, personal data. The personal data breach, including all facts related to it, its effects and the remedial measures taken, must be documented.

More specifically, if a personal data breach is confirmed to have occurred, the Company, in consultation with the appointed Data Protection Officer, shall notify the Supervisory Authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. The notification is made by e-mail, and confirmation of receipt must also be obtained from the Supervisory Authority by e-mail.

The Company (when acting as a Data Controller) shall provide the following information to the Supervisory Authority:

  • A description of the nature of the breach;
  • The categories of personal data affected;
  • Approximate number of data subjects affected;
  • Approximate number of personal data records affected;
  • Name and contact details of the person responsible for GDPR (DPO);
  • Likely consequences of the breach;
  • Any measures that have been or will be taken to address the breach, including mitigation.

Insofar as the Company acts as a Data Processor, i.e. is not itself the controller of the data, the third-party client/partner that controls the data must be notified as soon as possible. The notification must contain at least the following information:

  • A description of the nature of the personal data breach, where possible, stating the categories and the approximate number of data subjects, the categories concerned and the approximate number of personal data records affected;
  • The name and contact details of the DPO or other contact point for further information;
  • A description of the likely consequences of the violation of the protection of personal data.

 

The Company must also assess whether the personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects affected by the specific breach. If so, the individuals affected must be notified of the breach without undue delay. The notification to the data subject shall describe, in clear and plain language, the nature of the personal data breach and include at least the information and recommendations referred to in points (b), (c) and (d) of Article 33(3) of the General Data Protection Regulation, as required by Article 34(2). The notification of the data subject may exceptionally be omitted if the conditions set out in Article 34(3) of the General Data Protection Regulation are met. The assessment leading to such a result must be documented and agreed with the Company DPO in each case.

 

 

9.     Network and Equipment use

A.     Internet Access and Electronic Communication

All Company employees are provided, in the course of their job duties, with Internet access, an e-mail address and related privileges. The Company is entitled to monitor employees’ Internet access in order to ensure continued compliance with the present Information Security Policy. All Company communications sent by e-mail must be sent and received using the Company e-mail address and not a personal Internet service provider e-mail account, unless prior approval has been given by the Management or the appointed Team Leader.

The Company shall ensure that all office Wi-Fi networks are secured, encrypted and hidden. The Company has established two distinct Wi-Fi networks, one for visitors to the premises (guests) and one for the Foundation’s employees and the users of the co-working spaces. Employees working remotely, outside the office or on a business trip must minimise the time they spend on public Wi-Fi networks.

Employees who are granted use of Company equipment and devices are expected to keep both their personal and Company-issued equipment secure. To do so they must:

  • Keep all devices password protected;
  • Keep the antivirus software set up by the technical team on Company-issued equipment installed and up to date;
  • Not disable any installed firewall;
  • Ensure they do not leave their devices exposed or unattended;
  • Install security updates for browsers and operating systems monthly, or as soon as updates become available;
  • Log into Company accounts and systems through secure and private networks only;
  • Turn off their screens and lock their devices when leaving their desks;
  • Report stolen or damaged equipment as soon as possible;
  • Refrain from downloading suspicious, unauthorized or illegal software onto their Company equipment;
  • Avoid accessing suspicious websites;
  • Ensure that they hold all the required licences for the applications they install on their devices and never install unauthorized copies;
  • Report to the IT department when their equipment is “acting weird”, e.g. running slower than usual, the fan going into overdrive without any obvious reason, or showing unexpected error messages.

 

More specifically:

B.      Avoiding Phishing and Other Scams risks

If Employees receive an e-mail that looks out of the ordinary, even if it appears to be an internal e-mail sent by another employee, they must be cautious and always check with the sender before opening any attachment. When in doubt, they must visit the company website directly instead of clicking a link in the e-mail, since such links may lead to viruses and malware that allow attackers to infiltrate the Company’s network. Employees can recognise fake e-mails by looking for inconsistencies in the sender’s address or subject line, and for links whose domains look similar to the legitimate ones but have a slight variation in spelling or a different domain. Employees are always encouraged to contact the Company IT department with any questions or concerns about how to detect scam e-mails.

The same caution should be applied to unsolicited e-mails, advertisements and chain letters (spam). Employees should never respond to such e-mails but always delete them.
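The following added example (not part of the Company’s policy or tooling) automates the checks described above: it compares the sender’s domain and every link target in a message against a list of domains the Company actually uses, flags look-alike domains (typos, swapped characters such as “rn” for “m”, Cyrillic letters, or a trusted name buried in the subdomain of an unrelated domain) and flags links whose visible text points somewhere other than their real target. The trusted-domain list, the confusable-character table and the sample message are constructed for the example; a production filter would use the Public Suffix List and the full Unicode confusables data.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of domains belonging to services the Company uses (assumption).
TRUSTED_DOMAINS = {"microsoft.com", "moosend.com", "eventora.com", "monday.com", "lastpass.com"}

# Small table of characters commonly substituted to build look-alike names.
# Keys are replaced by values before comparison (subset of the Unicode confusables data).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}


def normalize(name):
    """Lower-case a domain and fold confusable characters to their ASCII look-alike."""
    out = name.lower()
    for src, dst in CONFUSABLES.items():
        out = out.replace(src, dst)
    return out


def registrable(host):
    """Last two labels of a host name (simplification: real code consults the Public Suffix List)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host):
    """Return 'trusted', 'lookalike' or 'unknown' for a host name."""
    host = host.lower()
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # trusted name used as subdomain labels of an unrelated domain, e.g. microsoft.com.evil.top
        if ("." + host + ".").find("." + trusted + ".") != -1:
            return "lookalike"
        if normalize(reg) == trusted or levenshtein(reg, trusted) <= 2:
            return "lookalike"
    return "unknown"


ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")


def analyze_email(headers, body_html):
    """Return (finding, detail) pairs for the warning signs listed in the policy."""
    findings = []
    m = ADDR_RE.search(headers.get("From", ""))
    sender_domain = m.group(1).lower() if m else ""
    if sender_domain and classify_domain(sender_domain) == "lookalike":
        findings.append(("sender_lookalike", sender_domain))
    r = ADDR_RE.search(headers.get("Reply-To", ""))
    if r and registrable(r.group(1)) != registrable(sender_domain):
        findings.append(("reply_to_mismatch", r.group(1).lower()))
    for href, text in ANCHOR_RE.findall(body_html):
        target = (urlparse(href).hostname or "").lower()
        if target and classify_domain(target) == "lookalike":
            findings.append(("link_lookalike", target))
        shown = urlparse(text.strip()).hostname if "://" in text else None
        if shown and shown.lower() != target:
            findings.append(("link_text_mismatch", f"{shown.lower()} -> {target}"))
    return findings


# Constructed sample message resembling a password-reset lure (not a real e-mail).
SAMPLE_HEADERS = {"From": "IT Support <helpdesk@rnicrosoft.com>",
                  "Reply-To": "reset@mail-verify.top"}
SAMPLE_BODY = ('<p>Your password expires today. '
               '<a href="http://microsoft.com.secure-login.top/reset">'
               'https://login.microsoft.com/reset</a></p>'
               '<a href="https://www.microsoft.com/">Microsoft</a>')

if __name__ == "__main__":
    for kind, detail in analyze_email(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{kind}: {detail}")
```

On the sample message the function reports the sender domain as a look-alike (“rnicrosoft” folds to “microsoft”), a Reply-To on a different domain, the first link as a look-alike (the trusted name sits inside the subdomain of secure-login.top) and a mismatch between that link’s visible text and its real target; the second link, which really goes to microsoft.com, produces no finding.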

C.      Removable Media

The Company has an established procedure setting out the principles and working practices that all Employees must follow so that data is safely stored on and transferred via removable media. This procedure must be adhered to at all times, and specifically whenever an Employee intends to store information used by the Company to conduct official business on a removable media device:

  • Removable media devices must be used for work purposes only;
  • Employees must not use personally owned or unknown removable media devices on Company systems;
  • Employees must not use Company-owned removable media devices on personal machines or on machines that do not belong to the Company;
  • Before plugging in a media device, employees must ensure that the system is up to date with the latest patches and antivirus signatures;
  • Removable media containing confidential data must be physically secured in an appropriately secure environment to prevent unauthorized access;
  • When USB flash drives are used to store Company data, employees must choose devices that support encryption and keep the data encrypted.

D.     Report immediately Lost or Stolen Devices

Employees must immediately report lost or stolen devices, so that the IT department can wipe the devices remotely where possible and initiate the incident management process as soon as possible.

E.      Proper Use of Company E-mail Systems and Prohibited Actions

All Company Employees are asked to exercise common sense when sending or receiving email from their company accounts. The Company has established the following rules regarding the proper use of the Company email system:

  • To help the Company avoid unintentional disclosure of confidential information, e-mail sent from a Company account must be addressed carefully. Extreme care must be taken when typing addresses, particularly when address auto-complete is enabled, when using the “reply all” function, or when using distribution lists, so that information is not inadvertently disclosed to an unintended recipient;
  • Employees must not under any circumstances send e-mails that may cause embarrassment, damage to reputation or other harm to the Company; e-mails that constitute spam; e-mails that contain harassment, threats or illegal content; e-mails concerning non-Company business; or e-mails that make fraudulent offers of products or services;
  • Employees must not send business e-mails from an e-mail account not provided by the Company;
  • Employees must recognise that e-mail sent from a Company account reflects on the Company and must therefore be used with professionalism and courtesy.

 

F.      Clean Desk Policy

The Company has established the following rules:

  • Physical copies of sensitive information (papers, folders, envelopes, etc.), removable media and other portable devices must never be left on a desk surface; they must always be placed in a cupboard or drawer when left unattended;
  • Employees must not enter passwords while being watched by third parties;
  • Employees must set their computers to lock automatically after 15 minutes of inactivity;
  • Employees must log out of Company systems and tidy their desks at the end of each working day;
  • Employees must promptly collect their output from shared printers, fax machines and photocopiers;
  • Food and drinks must be kept away from workstations to avoid accidental spills.

All company documents and print outs must be disposed using a shredder machine.

10.  Disclosure to third parties and secure transfer of Information

Company Information must not be disclosed to third parties unless there is a need-to-know basis and contractual obligations are in place, such as a Non-Disclosure Agreement, another contract that includes appropriate confidentiality clauses, or any other means required by the applicable data protection legislation. Such agreements must contain clauses which, among other things, oblige the third-party recipient of Company Information to report to the Company immediately in case of a security incident or a suspected loss or unauthorized disclosure of the Information. The Company must perform privacy, compliance and information security risk assessments of any such third party.

Personal Information on printed Invoices and Tax-related documents or other sensitive and confidential documents is printed out and stored in locked cupboards, only accessible to employees with the Role of Book-Keeping and/or Management.

Transferring data introduces security risks. To limit them, employees are instructed to:

  • Avoid transferring data (customer information, employee records) to other devices or accounts unless absolutely necessary;
  • Share confidential data over the Company network/systems and never over public Wi-Fi;
  • Ensure that recipients of the data are properly authorized persons or organizations with adequate security policies. Especially when transferring personal data, employees must always verify the identity of the recipient, using any additional customer information necessary, and apply further security measures where appropriate.

 

11.  Data Classification

Documents containing confidential information or any personal information belong to the highest data classification level and must always be handled with the maximum degree of secrecy and caution, and only by those Employees who absolutely need to do so. Loss or theft of such documents can cause severe damage to natural persons and/or to the Company. The retention period for this type of document should be as short as possible in order to minimize the risk of exposure. When such documents are kept in digital form they must be protected with adequate security measures, such as encryption. When kept in physical form they must be stored in locked drawers, cabinets or safes. Documents in this category shall be marked at both the top and bottom of each page, in red capital letters, as “CONFIDENTIAL”, unless the document is a standardized form that must not be further processed, such as an official government document. Such documents may be transferred electronically only over adequately encrypted channels. Employees shall refrain from printing documents marked as such unless necessary, and when they wish to dispose of them they must always use a shredder (physical form) or a secure deletion method (digital form).

12.  External Vendors and 3rd Party Providers

In addition to the Company’s internal operations, a large part of its daily activities involves external suppliers and vendors. Third-party entities play an important role in supporting the Company’s hardware and software management and operations. Setting limits and controls on what a third party can see, copy, modify and control eliminates or reduces the risk of loss of revenue, liability, loss of trust and potential embarrassment to the Company.

The purpose of this procedure is to specify what actions third parties may perform and under what conditions. Most importantly, it helps establish rules and contracts that provide a set of measures mitigating the information security risks associated with third-party access.

To control the security risks arising from engaging external vendors, the Company carefully examines and adjusts accordingly:

  • The facilities in which external associates or customers have access to;
  • The access kind that is given (physical, networked, logical, remote or local);
  • The works – procedures, the action log requirements and the assignment contracts;
  • The protection of the company’s interest;
  • The protection and handling requirements of any confidential and/or personal data transferred to external associates.

Each vendor and external associate is informed of the Information Security Policy that the Company follows and is obliged to apply it in the course of the cooperation. Moreover, the procedures for providing access are clearly defined, specifically:

  • The approval and change implementation procedures for the existing systems;
  • The provision of documentation;
  • Demonstrated compliance with the Company’s policies and procedures;
  • The Company’s right to periodically inspect and audit all third party activities that involve its information technology resources and systems.

Third party physical access to equipment requires prior approval and authorization by the appropriate department.

Third parties must comply with all applicable rules, policies, standards and agreements of the Company, including, but not limited to:

  • Password Policy;
  • Network Security;
  • Network Access and Authentication;
  • Clean Desk and Endpoint Security;
  • Incident Response Procedure.

13.  Employees’ Rights and Expectations

Employees must use the equipment and networks provided by the Company for business purposes only. Personal use is permitted only if it does not interfere with work obligations and productivity and does not impede the Company’s operation. Employees shall have no expectation of privacy in the information they store in or send through these information systems. The Company owns and retains all legal rights to its email systems and network; any email passing through these systems is therefore owned by the Company and may be used for purposes not anticipated by its users. The Company’s Management retains the right to remove from its information systems any material it considers offensive or potentially illegal, and to monitor, inspect or search at any time all Company information systems, including Company-provided equipment.

All new Employees must go through an evaluation process in which the respective Team Leader has the lead role. Skills are tested with various tasks given during the evaluation process, which demonstrate experience in the specific job skills required. Furthermore, all new Employees must be informed of and trained in all Company policies. The respective Team Leaders and Management verify that all policies are implemented by monitoring the work of the Team members of each department and initiate corrective actions when required. New Employees must be trained, when starting the job, in all policies applicable to their responsibilities. When changes are made, all Employees undergo training in the new services/systems. A yearly “refresh” course must be held on all vital Company policies.

Every Employee must have, in addition to any employment agreement required by local labor legislation, a Non-Disclosure Agreement in place from the start of their employment. In case of dismissal or resignation, the NDA must remain valid for at least 3 more years in order to ensure that all Company information stays protected. All accounts of the departing Employee must immediately be deactivated or deleted and, where necessary, any passwords known to them must be changed. All Company-owned devices must be returned, and the return must be recorded in writing, in order to make sure that data cannot be used after dismissal/resignation.

14.  Prohibited Activities and Disciplinary Action

Employees are prohibited from gaining unauthorized access to any other information systems, and from damaging, altering or disrupting the operation of these systems or compromising their security measures in any way. Incidents involving unapproved system hacking, password guessing, file decryption or similar unauthorized attempts to compromise security measures will be considered serious violations of the Company Information Security Policy. With the exception of ordinary backup copies, Employees must not copy software provided by the Company to any storage media or transfer such software to another computer, nor acquire, possess, trade or use hardware or software tools that could be employed to evaluate or compromise information systems security.

Employees who violate the present Information Security Policy will be subject to a verbal warning and a repeat of the security training in the case of a first-time, unintentional and small-scale security breach, and to disciplinary action up to and including termination in the case of intentional, repeated or large-scale breaches (which might cause severe financial or other damage to the Company).