Technical and Operational Measures

C&F has implemented and introduced several documents such as policies (describing what we would like to achieve in different areas), procedures (what we do) and instructions / guidelines (exactly how we do that). These regulations were created using ISO 27001, ISO 27002, ISO 27005 and ISO 27701 guidance to assure that all areas of our business are covered in line with best practices.

With ISO 27001 certification, we showcase our commitment to top cybersecurity standards, proving our dedication to protecting sensitive data and managing risks. It’s a mark of excellence that assures our clients and partners of our strong security practices.

Document management

To assure that all internally developed, documented and implemented rules are clearly communicated and made available to all users, and that the content of documents is controlled and reviewed, the “Procedure for Documents Versioning and Control” has been introduced.

Assets management

C&F identifies and evaluates its assets continuously according to the rules described in “Information Security Policy (SEC_PBI)”.

1. Information classifications

Every piece of information processed in C&F can be assigned to one of the identified Information Assets. The classification groups of information, the classification rules and the general rules for classifying, handling and labeling information are described in “Information Classification Procedure (SEC_I_KI)”.

2. Acceptable use of assets

C&F regulates the use of its assets such as information, systems and networks, software and hardware. The “Acceptable Use Rules (SEC_I_ZAU)” describe activities strictly forbidden when using C&F assets. The “Systems Use Instruction (SEC_I_IST)” provides guidelines for users on how to use the company’s key information systems in an efficient and secure way.

3. Media handling

To prevent unauthorized disclosure, modification, removal or destruction of information stored on media, C&F has developed a set of rules describing how media should be managed, transferred and disposed of in the “IT Security Policy (IT_P_IT)”.

4. Mobile devices and remote work

Since mobile devices and remote work are an important part of how C&F delivers its services, we have addressed specific requirements for users in “Acceptable Use Rules (SEC_I_ZAU)”. Details regarding the control of their implementation can be found in “IT Security Policy (IT_P_IT)”.

Risk management

The “Risk Management Policy (SEC_PZR)” describes Risk Management as the collective set of Risk Management processes at C&F, which ensure that material risks – the possibility that an event would occur and adversely affect the achievement of objectives – are identified, managed and, if they occur, reported. It defines the respective basic principles, process, roles and authorities. The “Information Risk Management Procedure (SEC_PR_ZRI)” describes the process of information risk management.

Personally Identifiable Information Protection

To satisfy both legal and contractual requirements for PII security in all areas of its business, C&F has introduced the “Privacy Policy (SEC_PODO)”, which sets out general rules and declarations, standardizes PII aspects of the recruitment process, and describes how PII and PII-processing-specific requirements should be handled in the course of project management and service delivery.

Physical and environmental security

C&F has applied controls to prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities. Security perimeters and secure areas, access rules, and physical security procedures, including accessing sites and receiving suppliers and visitors, are defined and described in “Physical Access Guide (SEC_I_DF)”.

Access Management

Access to all types of assets, including physical locations, systems, networks, data etc., is granted based on common rules. Each access request must be justified by a business need confirmed by the requestor’s supervisor and approved by the asset owner as well as the security function. Access is granted by the access administrator only after all access verification steps have been completed. The process is described in “Access and Credential Management (SEC_PR_ZDU)”.

Communication

To ensure the protection of its computer network and the information processing facilities that support it, C&F manages access to and controls its networks. The “Systems and Hardware Maintenance Rules (SEC_I_ZUS)” describe how access to the network is secured, classify the information services, and provide isolation of users and information systems on the networks. Network access and usage are monitored as described in the “Audit and control” section below. The expected use of networks and communication hardware and software is specified in “Acceptable Use Rules (SEC_I_ZAU)” and “Systems Use Instruction (SEC_I_IST)”.

Operations security

The Technical and Operational Measures in the area of standard operations, covering systems and software acquisition, change management, capacity management, separation of test and production environments, threat and technical vulnerability management, malware protection, information backup, event logging and log protection, are described in “IT Security Policy (IT_P_IT)”.

Suppliers

The rules of cooperation with suppliers, covering areas such as legal, performance and security requirements for supplier selection, supplier service monitoring and compliance verification, and subcontracting of works, are described in “Cooperation with Suppliers (ADM_PZWD)”.

Business continuity

The “Business Continuity Policy (SEC_PCD)” describes the expectations and responsibilities for ensuring the continuity of C&F critical processes. The policy provides general statements in this area, while the “Disaster Recovery Procedure (SEC_DRP)” contains information about identifying and declaring a disaster, rules of conduct in disaster scenarios and detailed instructions for the identified disaster scenarios.

Audit and control

All technical and operational controls, in order to be truly effective, need to be verified and monitored in an independent way. The “Control Rules (SEC_P_ZK)” specify who has the responsibility and the right to verify the efficiency of controls, and why, how and when. The “Audit Program” details the rules of independent audit. As an ISO 27001:2022 certificate holder, C&F is regularly audited by independent third parties.

Incident management

The rules for information security incident management, including reporting suspicious events, preparation, incident identification, containment, eradication, recovery and escalation, are described in “Incident Handling (SEC_I_RI)”. To assure data availability for analysis and future reference, as well as to demonstrate compliance with requirements set by law, contracts and standards, a secure incident register is maintained.