The present policy states Management’s commitment and sets out INTELLI’s approach, hereinafter called “Organization”, to managing information security and personal data protection.
Information is a critical intangible asset of INTELLI that requires protection from unauthorized access, modification, disclosure or destruction. Therefore, the aim of the “Information Security Policy” is to define the basic requirements and security objectives for the appropriate protection of INTELLI’s information assets to express formally the Management intentions and guidelines with respect of the information security at INTELLI. The Management of INTELLI provides the appropriate resources in order to implement operate and review an effective Information Security Management System that supports the Organization’s business goals and activities and handles the risks that the Organization faces. The document is intended to express formally the Management intentions and guidelines with respect of the information security at INTELLI. With the Information Security Policy the Management aims to involve INTELLI to the core values and principles laid down in the Guidelines for the Security of Information Systems and Networks – Towards a Culture of Security of the Organization. INTELLI wants to continually improve their performance in Information Security area.
This policy applies to all business units of INTELLI and covers all the corporate assets, functions and services. It covers all INTELLI information, in any form and any medium, covering the past, present or future activities and relationships with employees, customers, associates and suppliers. All creation, processing, communication, distribution, storage and disposal of INTELLI information by any combination of INTELLI and external entities are covered in this policy.
The present security policy applies to all INTELLI employees and third parties. Compliance with Information Security Policy’s statements and General Data Protection Regulation’s statements is mandatory for all employees.
4. General Data Protection Regulation
4.1 Controller – Data Protection Officer
Intelli informs that, for the purposes of its business activities, processes the personal data of its clients & associates in accordance with applicable national law and European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter referred to as the “Regulation”), as such is in force as of May 25, 2018.
4.2 Your Rights
We would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:
The right to access – You have the right to request Intelli for copies of your personal data. We may charge you a small fee for this service.
The right to rectification – You have the right to request that Intelli correct any information you believe is inaccurate. You also have the right to request Intelli to complete the information you believe is incomplete.
The right to erasure – You have the right to request that Intelli erase your personal data, under certain conditions.
The right to restrict processing – You have the right to request that Intelli restrict the processing of your personal data, under certain conditions.
The right to object to processing – You have the right to object to the processing of your personal data, under certain conditions.
The right to data portability – You have the right to request that Intelli transfer the data that we have collected to another organization, or directly to you, under certain conditions.
For any issue related to the processing of personal data, please contact the Department of Personal Data Protection at the email firstname.lastname@example.org.
4.3 Links to other websits
4.5 Contact Details
Email us at: email@example.com
Call us: 0030 210 9570983
Or write to us at: 46 El Venizelou, 17676, Athens, Greece
5. GDPR – What data we collect, how we collect them and how we process them
We process the personal data you provide us with, and we only do so under the grounds of legitimate interest. Your personal data collected and processed by us are those absolutely required, necessary and appropriate to achieve our intended purposes. We hereby note that the data concerning your identification, as well as the contact details are absolutely required and necessary for any transaction or contractual relationship with the Company. Moreover, we note that in relation to the personal data we collect directly from you as customers or partners, you must inform us of any changes in the data that concern you without delay, as well as to respond to any request for update. We also consider that the personal data we collect are provided to us by you and in no way do such data come from other sources.
We collect “personal information” about users of our Services. “Personal information” is information such as a name, email address, or identification card image, which refers to an identified or identifiable person. Intelli processes personal information on behalf of the Customer Data Controller.
Personal information. Intelli collects a wide range of personal information through the Services. This information varies depending on the idbox™ service and the Customer Data Controller in question, but may include such information as name, physical address, email address, telephone number, social security number, driver’s license number, state or national ID card number, passport number, other ID card number, credit or debit card number, CVV, expiration date, and/or date of birth. In some cases, Intelli may collect a visually scanned or photographed image of your face and/or your identification card, driver’s license, passport, utility bill, bank account statement, insurance card, or credit/debit card. This image may include your photograph and other information from the imaged document, such as your eye color, weight, height, and organ donor status.
Facial recognition. If you agree to use our idbox™ service or other facial recognition service that we offer to our business customers, we will collect an image of your face that you provide through our Web Onboarding Portal or a mobile app (i.e. a selfie) and a photo or scan of your face as it appears on an identification document. Intelli will use facial recognition technology only for the purpose of verifying your identity as the person who appears on the identification document. Intelli may share the facial scans with the customer through which you used our identity verification service. Intelli will retain your facial recognition information, including the photo of your face and photo or scan of your identification document, for the amount of time requested by the customer through which you used our identity verification service. In no event will Intelli store your facial recognition information after Intelli ceases to have a customer relationship with the customer through which you used our identity verification service.
At the direction of the Customer Data Controller, Intelli also might obtain information about you from other third parties, such as consumer reporting agencies and fraud-prevention services.
Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology
What types of cookies do we use? There are a number of different types of cookies, however, our website uses:
- Functionality – Our Company uses these cookies so that we recognize you on our website and remember your previously selected preferences. These could include what language you prefer and location you are in. A mix of first-party and third-party cookies are used.
- Advertising – Our Company uses these cookies to collect information about your visit to our website, the content you viewed, the links you followed and information about your browser, device, and your IP address. Our Company sometimes shares some limited aspects of this data with third parties for advertising purposes. We may also share online data collected through cookies with our advertising partners. This means that when you visit another website, you may be shown advertising based on your browsing patterns on our website.
How to manage cookies? You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.
7 Security Policy Change Management
The Information Security Department is responsible for the content and the review of the present security policy.
The Information Security Policy shall be reviewed (except for ISO review) annually by the Information Security Officer in order to be aligned with Management business needs and goals. Furthermore, the security policy shall be reviewed whenever it is imposed by business or external factors such as change of business strategy, information security incidents.
8 Security Policy Statements
8.1 Information Security Roles and Responsibilities
INTELLI has defined and documented the appropriate information security roles and the respective responsibilities that result from them. Security roles and responsibilities protect assets from unauthorized access, disclosure, modification and destruction. Roles and responsibilities are clearly communicated throughout the Organization.
8.2 Information / Business Owners
All information assets shall be identified, accounted for and assigned to nominated owners, which are designated parts of INTELLI. The Information Owner is ultimately responsible for ensuring that the information assets are appropriately protected, even if he transfers his duties to specialized individuals or even if other trusted entities are granted access to this information asset. It has to be noted that the responsibility for classifying information relies on the Information / Business Owners.
8.3 Information Classification
Information classification depicts the criticality level of data’s confidentiality, integrity and availability. INTELLI has developed and uses its own “Information Classification Scheme” so as to appropriately classify corporate information. It is imperative that all information created and used within the Organization is given the highest level of protection commensurate with its value, so that security requirements are covered in a way that promotes compliance with legal and regulatory obligation and protection of Organization’s reputation.
8.4 Security Awareness
Staff members, customers, consumers, suppliers, subcontractors and all other participants in the communication should be aware of the need for security of information systems and networks and should contribute to improving security. Employees shall receive appropriate training relevant to their job function. The continuous awareness and training of all employees is very important as the success of information security maintenance through the Organization depends on the ability of people to work towards a common goal of protecting the Organization’s assets.
All participants in the communication process are responsible for the security of the information systems and networks.
All participants in the communication process must act promptly and cooperate to prevent, detect and respond to security-related incidents.
8.7 Risk Assessment
INTELLI has defined and adopted a risk assessment approach following the “Risk Assessment Methodology” that has developed in its premises. Through this methodology the Organization identifies potential threats and vulnerabilities to its information systems, and assesses the impact of the loss of confidentiality, integrity and availability on corporate assets. The Organization formulates a risk treatment plan that identifies the appropriate management action, resources, responsibilities and priorities for managing information security risks. The Management of INTELLI defines the acceptable levels of risk for the whole Organization. All information assets shall undergo a risk assessment process in regular time intervals in order to identify the security risks related to them and implement appropriate security controls.
8.8 Security Design and Implementation
The security shall be included as an essential element of the information systems and networks.
8.9 Security management
Security shall be achieved through an integral approach to management.
8.10 Asset Management
Rules for the acceptable use of information and information systems shall be identified, documented and implemented. Maintaining the confidentiality, integrity and availability of information is a responsibility shared by all people in the Organization. All INTELLI employees are responsible for protecting information and information resources and are expected to be familiar with and comply with this policy. The Organization maintains and keeps up to date an asset inventory where all important information about corporate assets is kept (e.g. owner, physical location, maintenance status etc). The inventory of asset aims to depict the assets that the Organization owns and manage.
The information system and network security should be reviewed and reassessed and, if necessary, be subject to periodic changes in policies, procedures, practices and measures.
The implementation of this Policy is essential to ensure the proper and uninterrupted implementation of the information services offered and provided.
With the Information Security Policy, INTELLI aims to achieve:
• Protection of information against unauthorized access.
• Maintaining the information confidentiality.
• Preventing the disclosure of information to unauthorized persons, if even due to negligence or accidental error.
• Keeping the information intact from unauthorized changes.
• Providing the information to authorized persons whenever they need it.
• More accurate compliance with the applicable legislation.
• Development, implementation and practical examination of the plans for security interruptibility.
• Training on information security to all participants in the communication process.
• Documentation and investigation of all suspected breaches of information security.
The document shall be applied within the whole scope of the information security management system at INTELLI. With this policy, the Management expresses its determination to introduce a comprehensive system for protecting the information and the related assets against all threats, both external and internal, regardless of whether they are intentional or unintentional, in INTELLI facilities where related assets are located. The entire staff of INTELLI is responsible for the implementation of this policy in their daily work. The Management is committed to provide the necessary resources and will support the efforts of everyone involved in the communication process to implement this Policy.
8.13 Key directions
The key directions of the information security where this Policy will seek implementation are:
• protection of information owned by customers and users or other third parties;
• protection of personal data;
• protection of INTELLI information assets;
• Ensure confidence among all stakeholders in the reliability of the information management.
The Top Management has assigned the Information Security Officer to organize the implementation of the following tasks:
• Identification of information and related assets, their vulnerabilities and threats to which they may be exposed and the accurate assessment of the risks;
• Ensuring compliance with the requirements of:
o the Constitution, the laws, the regulations thereto and the other applicable legislation;
o the agreements entered into with third parties and the accepted requirements for information security;
o all internal rules of INTELLI;
o the international standards of the ISO/IEC27001 family.
• Issuance Objectives on information security that will set out the basic eligibility criteria in the Risk Assessment;
• Information security-related risk management within the established limits of acceptability;
• Control of the INTELLI operations for the implementation of this Policy and regular reporting on the status and implementation in the course of the review of the information security management system.
8.15 Main areas
In view of the implementation of this Policy, rules should be developed for its implementation in the following areas:
• physical security;
• control of the access to systems and data;
• security-related education and training;
• private electronic networks, systems and communications;
• rules of conduct of the participants in the communication process;
• backup copies of data;
• mobile devices and technologies;
• storage and destruction of confidential information;
• protection against malicious code;
• planning of the information security continuity;
• relations with:
o suppliers and subcontractors;
The responsibility for the issuance, review and update of the PO1-InfoSecPolicy on the information security is vested in the Top Management. The responsibility for the diffusion and the communication of the PO1-InfoSecPolicy on the information security is vested in the Top Management. The responsibility for understanding and compliance with the PO1-InfoSecPolicy on the information security is vested in every employee of INTELLI, as well as in the suppliers and subcontractors within the arrangements achieved with them. With this Policy, the Top Management undertakes their responsibility to assign and to require the full implementation of the principles set out therein for the management of the information security at INTELLI. The Top Management will periodically review and update, where necessary, this Policy to ensure that it is suitable for the activities performed and continues to contribute to the reliable protection of information in full compliance with all applicable legal and voluntarily accepted requirements. The Information Security Officer is required to implement this Policy by introducing and implementing the necessary rules that are documented in the Rules, Procedures, Regulations, Instructions, Orders and the other internal acts of INTELLI.
All participants in the communication process are required:
• to comply with the rules specified in the documentation of the information security management system and other internal acts of INTELLI;
• to assist with personal contribution to the implementation of this Policy;
• to report on any weaknesses observed in the information security.
8.17 Access Control
8.17.1 Access Control Mechanisms
Appropriate access control procedures and mechanisms shall be established taking into account INTELLI’s business needs and security requirements, in order to protect assets from unauthorized modification, destruction and manipulation. The Organization shall have documented policies and procedures to establish and terminate the right of access to information and information systems. These policies, procedures and mechanisms shall be periodically reviewed and verified.
8.17.2 User Access to Information and Information Systems
Appropriate access levels to information and information systems should be specified and maintained by Information Owners, while access should only be granted when there is a business need for it and based on the principles of need-to-know and need-to-use.
8.17.3 Remote Access
Remote access to systems shall be strictly controlled. There shall be a defined process for approving requests and managing the provision of remote access.
8.17.4 Third Party Access
Access to Organization information systems by third parties is only granted if appropriate identification and authentication is ensured according to the relevant corporate procedure. Third party access to corporate information shall be detailed in a formal contract, which must contain the requirements for complying with INTELLI ’s security policies.
8.18 Network Security
INTELLI adopts all the required controls in order to protect the corporate network from unauthorized access. All the appropriate security countermeasures that ensure the preservation of information confidentiality, integrity, availability shall be implemented, in order to protect information according to INTELLI’s business needs.
8.18.1 Internet & Email Use
Email and Internet services are important assets and are both provided in order to facilitate the performance of employees’ work responsibilities. The Organization enforces the appropriate technical measures which ensure the confidentially, integrity and availability of the e-mail and internet infrastructure. Rules are established for the proper use of the e-mail and Internet. Users shall be aware of the fact that the misuse of e-mail / Internet may have harmful effects such as legal consequences. It is noted that the personal use of e-mail and internet services by employees is allowed but should not interfere or conflict with business use. Employees should exercise good judgment regarding the personal use of email and Internet.
8.19 Human Resources Security
All employees should comply with Organization’s policy, procedures and standards. The responsibilities of each staff member with regards to information security differ and shall be tailored according to their role. Security responsibilities shall be included in job descriptions and contracts of employment. Furthermore, all employees sign non-disclosure agreements.
INTELLI personnel are responsible for:
• Being aware of the current policies and procedures and their responsibilities for protecting corporate assets.
• Using corporate resources only for intended purposes as defined by policies and procedures of the Organization.
• Being accountable for their actions relating to their use of all information assets.
8.20 Management of Information Security Incidents
The Organization adopts mechanisms so as information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken. A communication channel for documenting security threats, incidents or malfunctions is established and made known to all employees, contractors and third parties. INTELLI ’s staff shall receive appropriate awareness about information security incidents in order to note and report in time any observed or suspected security weaknesses in systems/ services.
8.21 Management of Business Continuity
The Organization has a documented and tested data backup plan considering both software and data. It is ensured that backup copies of information are taken at planned intervals taking into account information criticality level. Additionally, a backup verification is performed according to the relevant procedure.
8.22 Media and Document Handling
Media and documents shall be controlled and appropriately handled according to their criticality. Formal procedures shall be in place that determines the handling of media in terms of creation, storage, exchange, disposal etc.
8.23 Third Parties
Third parties shall comply with all relevant policies and procedures of the Organization and use INTELLI ’s information and information resources only for the purpose of the business agreement and for no other reasons. The appropriate level of information security shall be ensured during the collaboration with third parties and non-disclosure agreements shall be signed. Each third party that grants access to corporate information systems shall accept and sign INTELLI ’s Information Security Policy, be conformed to its content and understand the consequences in case they are not compliant. The Organization shall have formal mechanisms for verifying that all third-parties meet its needs and requirements.
8.24 Security Audit
The security level of INTELLI’s information and information systems shall be monitored by conducting either scheduled or unscheduled audits. An audit process shall be developed and followed by the Organization covering both technical and managerial controls. Audits shall be conducted at planned intervals in order to ensure the confidentiality, integrity and availability of information and resources, monitor all security measures and investigate potential security incidents.
8.25 Legal and Regulatory Compliance
The Organization always complies with the current legal and regulatory framework that either directly or indirectly specifies additional security requirements and countermeasures for the protection of data and information systems.