
Basic Principles of Information Security Management for Employees, Contractors, and 3rd Parties

Effective from: September 23rd, 2025 (version 1.1)

Purpose

This procedure sets out the basic principles of information security management for employees and cooperating workers across the entire Palaxo Group. It also applies, to a limited extent, to suppliers and persons who are present on company premises and work with information assets.


Terms

  • Information asset – anything that has value to the organization and therefore must be protected (documents, software, hardware, buildings, archive, people, etc.).

  • Threat – a potential cause of an incident that may result in damage to a system or the organization (external and internal dangers to which assets are exposed).

  • Vulnerability – a weakness of an asset or group of assets that can be exploited by one or more threats.

  • Risk – the potential that a given threat will exploit vulnerabilities of an asset or group of assets and cause the loss or destruction of assets.

  • Security perimeters – security measures aimed at eliminating asset vulnerabilities. They always form a set of mutually reinforcing measures: some are organizational (e.g., facility placement, enforcement of the security policy, employee selection and training, regular audits), others are technical (e.g., locks, grilles, technologies, monitoring). The effectiveness and efficiency of the measures must be assessed.

  • Security incident – any breach of IT/ICT security and the rules defined to protect it (security policy).

  • Asset owner – the worker responsible for an information asset.

  • Company management – managing directors.

Abbreviations

  • ISMS – Information Security Management System

  • RA – Risks/Assets

  • IS – Information security


Duties of Employees and Cooperating Workers

Basic Principles

Every employee is introduced to the rules and current information protection directives immediately upon starting employment and during regular training. The following universal principles underlie the implementation of the information security directive:

  • Principle of authorized access
    Every employee has completed information protection training, meets the criteria to have access to information, and has signed the relevant confidentiality undertaking.

  • Principle of least privilege
    Each employee’s access to information is limited strictly to what is necessary to perform assigned tasks.

  • Principle of need-to-know
    Each employee’s knowledge of the systems they can access is limited strictly to what is necessary to perform their assigned tasks.

  • Principle of team awareness
    All staff recognize the need to protect the company’s IS and actively participate in this process.

  • Principle of individual responsibility
    Specific persons are responsible for the security of specific components.

  • Principle of constant readiness
    Systems are kept ready to withstand threats at all times. Temporarily disabling security mechanisms is unacceptable.

  • Principle of completeness
    Security is effective only when comprehensive approaches are applied, covering all stages and links in the overall information processing chain.

  • Principle of adequacy
    The mechanisms used must be appropriate to the situation.

  • Principle of acceptable balance
    Remedial measures must be proportionate to the risk they address, and the residual risk remaining after they are implemented must not exceed the organization’s level of risk acceptance.

Basic Obligations

All employees and cooperating workers assume responsibility for the entrusted information resources they use in their work and for the secure handling of information they encounter in the course of their duties.

Each employee is especially responsible for:

  • the content of data they store, modify, or otherwise use within their authorization,

  • storing work-related data in shared locations,

  • all actions performed in information systems under their account,

  • promptly informing the security team or their supervisor upon discovering faults in entrusted information resources or any violation of security measures.

Employees must maintain confidentiality about entrusted information and security measures whose disclosure could jeopardize the protection of personal data. This obligation continues after employment or relevant work ends.

Employees must process information only under conditions and to the extent set by the company. They must not process or use information for private or other purposes.

Employees must not allow unauthorized persons to move within areas where information is processed or stored, nor allow unauthorized persons to view documents or computer screens that contain protected information.

Employees must immediately report to their direct supervisor any complaint submitted orally or in writing by any stakeholder in connection with information protection.

General Obligations

Every employee and external collaborator must:

  • make the information resources they use available to company management for inspection, and provide the necessary cooperation for planned maintenance of IT resources or when faults are being resolved,

  • protect all devices and equipment against theft or mechanical damage,

  • submit proposals, suggestions, and complaints related to IT operations or violations of this directive,

  • protect documents from loss, theft, damage, or degradation,

  • ensure the secure transport of documents and portable devices/media against theft or loss,

  • attend training on handling protected information.

Employees and external collaborators are strictly prohibited from:

  • providing protected information to unauthorized persons in electronic, written, or verbal form,

  • allowing unauthorized persons, including family members, to access information systems,

  • allowing others to access systems under their account and access rights,

  • working on the network under someone else’s identity (another user’s account),

  • leaving documents unattended or accessible to strangers during transport (e.g., in an unlocked car),

  • tampering with hardware and devices (routers, switches, printers, cabling), i.e., moving them, disconnecting them from the network, accessing their administrative interfaces without permission, or changing their configuration,

  • using company application programs on personal devices, or using company IT equipment for private purposes.

Data, Information, Personal Data, Software

Every employee and external collaborator must:

  • obtain or process information from information systems only in accordance with assigned user access rights and authorization,

  • be familiar with the classification (category) of information they handle and follow protection rules in line with set measures,

  • maintain confidentiality of all information they encounter,

  • respect copyright,

  • regularly maintain files in shared folders and on their computer, remove old/unused files, and store only files needed for work,

  • ensure that important data on their computer is regularly backed up.

Employees and external collaborators are strictly prohibited from:

  • installing software without the consent of their direct supervisor,

  • changing system time on work computers,

  • accessing the network or data sources contrary to assigned access rights or attempting to gain unauthorized access to information.

IT Equipment

IT equipment includes all information technologies intended for working with data (computers, laptops, mobile phones, tablets, etc.).

Every employee and external collaborator must:

  • use assigned information resources (computing and communication technology) only to perform work tasks and in accordance with their intended purpose,

  • use applications and IT in accordance with user guides, supplier requirements, or knowledge arising from job description and required qualifications,

  • protect entrusted IT equipment and media from damage, theft, unauthorized access, and unauthorized manipulation,

  • immediately report any incident, defect, malfunction, need for maintenance, need for consumable replacement, or any suspicious behavior of information resources to their direct supervisor or a member of the security team,

  • prevent access to information on the computer/screen when leaving the workplace (log out). For longer absences, close applications and shut down the computer (except for applications requiring continuous operation).

Employees and external collaborators are strictly prohibited from:

  • relocating IT equipment without the consent of their direct supervisor,

  • using IT to promote or disseminate religious, political, national, or racial propaganda,

  • making any technical interventions in hardware,

  • testing information systems or exploiting their weaknesses unless duly authorized,

  • repairing IT faults on their own.

Viruses

Every employee and external collaborator must:

  • ensure that all storage media brought into the company are scanned for viruses before use.

Employees and external collaborators are strictly prohibited from:

  • installing antivirus programs or versions other than the one approved by the company,

  • opening suspicious email attachments from untrusted sources,

  • disabling antivirus programs,

  • using suspicious websites or self-downloaded applications.

Symptoms of infection:

  • the computer/laptop reports a virus or suspected virus,

  • the computer/laptop runs unusually slowly,

  • the computer/laptop behaves abnormally,

  • some applications cannot be launched,

  • the operating system does not boot,

  • the antivirus system reports suspected virus presence.

Procedure if infection is suspected:

  • immediately inform your supervisor or a member of the security team,

  • follow instructions from your direct supervisor or the security team.

Passwords

Every employee and external collaborator must:

  • have their computer/laptop protected by a password,

  • choose a password that is hard to guess:

    • at least 8 characters long,

    • contains at least one lowercase and one uppercase letter and one digit,

    • contains at least one special character,

    • does not contain personal names or usernames,

    • is significantly different from the username and previous passwords,

  • change the password immediately if compromise is suspected,

  • promptly report suspected compromise of their account password to their supervisor or a member of the security team.
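The password rules listed above can be enforced mechanically. The following checker is an added example, not a tool from the original directive: the minimum length, character-class and "no personal names or usernames" rules are taken directly from the list above, while the threshold used to decide that a password is "significantly different" from the username and from previous passwords (an edit-distance of at least 4) is an assumption chosen for the example. The sample usernames, names and passwords in the usage section are constructed.

```python
"""Password-policy checker implementing the rules of the directive.

Added example, not the company's own tooling. Length, character-class and
name/username rules come from the policy; the edit-distance threshold for
"significantly different" is an assumption (MIN_DISTANCE below).
"""
from __future__ import annotations

import string

MIN_LENGTH = 8      # from the policy: at least 8 characters
MIN_DISTANCE = 4    # assumption: fewer than 4 edits away = "not significantly different"


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_password(password: str, username: str,
                   personal_names=(), previous=(),
                   min_distance: int = MIN_DISTANCE) -> list[str]:
    """Return the list of policy rules the password violates (empty = accepted)."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")

    lowered = password.lower()
    # Rule: must not contain personal names or the username (case-insensitive).
    for name in (username, *personal_names):
        if name and len(name) >= 3 and name.lower() in lowered:
            problems.append(f"contains name or username '{name}'")

    # Rule: significantly different from the username and previous passwords.
    # Assumption: "significantly different" = edit distance >= min_distance.
    for old in (username, *previous):
        if old and levenshtein(lowered, old.lower()) < min_distance:
            problems.append("too similar to username or a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    user, names = "jnovak", ["Jan", "Novak"]
    for candidate, history in [("password", []),
                               ("Jan2025!x", []),
                               ("Tr0ub4dor&3", ["Tr0ub4dor&2"]),
                               ("Tr0ub4dor&3", [])]:
        result = check_password(candidate, user, names, history)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

Run stand-alone, the script shows one candidate rejected for missing character classes, one rejected for containing the user's first name, one rejected because it differs from the previous password by a single character (a common way of defeating rotation rules), and one accepted. In a real deployment the checker would run server-side at password-change time and the `previous` list would hold password hashes, not plaintext; comparing against old plaintext is shown here only to make the similarity rule concrete.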

Employees and external collaborators are strictly prohibited from:

  • using the same password for company accounts as for other services,

  • disclosing passwords:

    • over the phone, by e-mail,

    • to coworkers,

    • to family members,

  • talking about passwords in front of others,

  • keeping passwords in visible or easily accessible places,

  • entering passwords into questionnaires, etc.,

  • writing down or storing passwords anywhere without proper encryption.

If it is absolutely necessary and with the knowledge of the direct supervisor, a password may be provided only to an authorized person who has a legitimate reason; the password must be changed immediately afterward.

Email

Every employee and external collaborator must:

  • check correctness and clarity before sending emails and write them with the same care as any other written document,

  • keep in mind that emails are generally as binding and legally valid as officially signed documents,

  • keep their mailbox tidy by deleting spam, system mail, and unnecessary emails,

  • password-protect attachments when sending sensitive data (e.g., payroll data sent to an external provider, health information, etc.) and share the password with the recipient through a different channel (e.g., by phone), never in the same email,

  • delete emails containing personal data once their processing purpose has expired.

Principles for every employee and external collaborator:

  • company email accounts are given to the users primarily for work purposes (communication with colleagues, customers, partners, and other business contacts),

  • note that occasional reasonable personal use is permitted, but excessive or unlawful use is not tolerated. The company reserves the right to monitor and record employee email use to ensure compliance,

  • keep in mind that unencrypted email and the internet are insecure channels. Unencrypted information sent by email or stored on the web can be read by third parties in transit and may be accessed by unauthorized persons.

Employees and external collaborators are strictly prohibited from:

  • forwarding sensitive emails to other company users or external users without the sender’s prior consent (due to reputational risk, loss of important information, or potential legal action by a customer),

  • forwarding excessively large attachments or materials,

  • sending bulk advertising messages, etc.,

  • sending or otherwise disseminating company property or trade secrets, or those of customers, without explicit authorization from a superior,

  • using non-official company email accounts to perform company work,

  • posting company email addresses on public internet sites (chats, forums), which exposes them to spam and address harvesting,

  • using company email for personal purposes such as registering with personal services (e-shops, etc.).

Internet

Principles and obligations for employees and external collaborators:

  • Using the internet is permissible to communicate with company colleagues, customers, partners, and other business contacts,

  • The company reserves the right, without prior notice, to monitor time spent on the internet or the use of programs,

  • After prior notice, the company may inspect any files stored on the network or on company-provided computers to ensure compliance,

  • Data transfers via web services occur only when necessary (e.g., online banking, webmail).

Employees and external collaborators are strictly prohibited from:

  • deliberately accessing inappropriate or illegal sites,

  • downloading large files, videos, music, or visiting pornographic or otherwise dangerous websites,

  • using company internet resources to download games, entertainment software, or to play games.

Remote Access

Every employee and external collaborator must:

  • approach remote connections to the company network with the same security caution as on-site connections,

  • ensure that remote connections are not used by other persons who could thereby gain access to company information resources.

Employees and external collaborators are strictly prohibited from:

  • using a private modem in the office without prior notification to and approval from the security team.

Mobile Phones

Every employee and external collaborator must:

  • if possible, secure the phone with a password or at least a 4-digit PIN,

  • enable automatic locking,

  • download apps only from safe, official sources,

  • review app permissions,

  • promptly update the system after updates are released,

  • if possible, use backup and encryption of stored data.

Employees and external collaborators are strictly prohibited from:

  • opening unsolicited links and attachments in emails and SMS,

  • leaving mobile phones unattended,

  • lending mobile phones to others for unauthorized use.

Access to Company Premises

Principles for every employee and external collaborator:

  • when leaving company premises during or after working hours, check that windows and doors are closed; if leaving last, lock up,

  • enter locked areas related to their work only if they have the appropriate authorization under the key/card/chip system; entering without such authorization is permitted only with the knowledge and explicit consent of an authorized person,

  • ensure authentication tools (keys, chip cards, etc.) are available in stock for issuance to new users,

  • give special protection to areas where protected information is stored.

Employees and external collaborators are strictly prohibited from:

  • allowing strangers into company buildings and areas without escort,

  • lending keys and chips to unauthorized persons for secured areas,

  • leaving areas unlocked when leaving.

Protection Against Theft During Transport

When transporting information assets (e.g., IT equipment, client documents, personal data) by car, the driver must:

  • not leave the vehicle unattended (except when refueling),

  • lock the vehicle when leaving it to pay for fuel,

  • activate the car alarm when leaving the vehicle (if equipped),

  • never leave information assets unattended in the vehicle.

When transporting information assets by public transport or on foot, the person must:

  • keep documents close and never leave them,

  • not lend or entrust assets to strangers* for guarding or carrying.

 *A stranger is anyone who is not an employee or collaborator of the company.

Employees and external collaborators are prohibited from:

  • leaving information assets unattended in the vehicle.

Copyright Protection

Employees and external collaborators are strictly prohibited from:

  • installing or using any gaming software without the security team’s knowledge,

  • in any way bypassing or forging software licenses,

  • distributing any software that is part of IT, even free of charge. All software may be used only in accordance with license terms,

  • removing any information, markings, or devices identifying copyright holders or performers for the software used,

  • creating or altering data to mislead or otherwise affect checks of lawful software use,

  • modifying or distributing software source code.

Protection of Personal and Other Protected Data

  • Recognize what constitutes personal data—name, home address, date of birth, national ID number, photograph, video recording, phone, e-mail, salary, and more.

  • Recognize what constitutes sensitive personal data—nationality, race, political views, trade union membership, religion, criminal history, health status, sexual orientation, and any biometric data.

  • Do not share personal data, and especially sensitive data, of colleagues, clients, or others without a legitimate reason; where no such reason exists, you need the consent of the person concerned to share!

  • Maintain confidentiality about all facts learned in the course of your work!

  • Personal data do not belong in the trash (including the computer recycle bin)—submit them for shredding!

  • Follow the clean desk rule. Keep your computer files tidy!

  • Never leave documents containing personal or other important data unattended!

  • Before sending an email, check its correctness and clarity. Be careful what information you share and with whom (especially when multiple recipients are in copy).

  • Visitors to the office must never be left alone, especially in front of an unlocked screen or with access to personal data!

  • Further procedures for protecting personal data are set out in the Personal Data Protection Directive.

Privacy Monitoring

The privacy of every employee is extremely important to the company. However, to ensure overall company security and the security of user information and data, the company has adopted certain measures affecting employee privacy. The company reserves the right to reasonably monitor all aspects of employees’ computer systems. The following principles summarize the means used to monitor computer usage.

Employees accept that the company may use automated monitoring software to track materials created, stored, sent, or received on the company network and may monitor websites visited, chats, and discussion groups. It may also review logs of data downloads and uploads to the internet to ensure optimal network performance and security. Specifically, if network performance degrades, the company may review users’ internet access and email logs to determine the cause and restore optimal performance. Similarly, it may access the same logs for security reasons to protect against viruses or detect them, or to verify compliance with policies and internal security measures (e.g., not all employees have access to all information on the network).

Employees agree that the company may reasonably inspect user emails, files, and internet usage when necessary to protect company assets, protect other users, or where there is specific suspicion of repeated policy violations, subject to the following requirements:

  • Access is necessary to reasonably enable work operations; if there are less intrusive means, the company will use them;

  • Users’ privacy and dignity are respected to the maximum extent possible;

  • If accessing a user’s emails and files, the following additional measures will be taken:

    • Emails and files will be reviewed at the workplace during normal working hours and with the assistance of the employee’s representative, if one exists; if absent, with another company employee present.

    • Emails and files will be reviewed in the presence of the affected user.

Failure to comply with this policy, as well as refusal by a user to grant access in accordance with these conditions, may result in disciplinary proceedings (see Disciplinary Directive).
