Confidentiality. Employees are guided by a secure table policy and are familiar with signing requirements for data security. Also, all employees have signed confidential information storage contracts, which impose penalties for non-compliance.
Employees. Employees are introduced to the importance of data security, rules and responsibilities assigned to them to ensure the protection of data (including personal). Executions of special social engineering attacks help to scrutinize employees’ awareness and, at the same time, train them to identify possible threats of security breach. There is also a designated employee responsible for data protection in the organization, dissemination of knowledge, and the enforcement of the requirements of the General Data Protection Regulation (“GDPR”) and the ongoing monitoring.
Process control. A management system has been prepared and implemented to help manage data protection and prevent from potentially threatening activities, minimizing the likelihood and impact of incidents and risks. The responsibilities, powers and commitments of employees are set out in process descriptions, procedures and instructions. The processing of personal data for specified purposes is carried out in accordance with the established procedures.
Standardization. Certified Management System Compliant with International Standard ISO / IEC 27001: 2013. Standard defining the information security management system requirements. It is based on risk assessment and appropriate security measures to protect confidentiality, integrity and availability of information.
Business continuity. A business continuity plan has been prepared and approved, indicating the steps necessary to ensure business continuity in the event of an accident. The planned business continuity plan is tested and evaluated to see if unforeseen situations (accident) can ensure uninterrupted service provision.
Legislation. Compliance with the laws and regulations of the Republic of Lithuania, as well as agreements between UAB Blue Bridge and its customers, suppliers / subcontractors and partners.
Use of Information systems. The information systems necessary for the organization’s activities (hereinafter referred to as the “IS”) are evaluating the impact of data protection on the requirements of the GDPR. Access to data stored in the IS is controlled through consumer rights. Only certified software is used, which is updated in accordance with the established procedure.
Access control. Employees provide services (including data center and maintenance) from the Blue Bridge facilities, access to which is protected by the passage control system.
Data Center. Blue Bridge has its own cloud computing data center. This data center only hosts Blue Bridge hardware. The data center can be accessed by staff working on this equipment. For security, a backup copy is stored in another data center in the territory of Vilnius. Both the main and backup data centers are monitored throughout the year and throughout the day by video cams while recording the monitored image, and the entrance and exit of the premises are protected by the entrance control system. Videos are kept for 7 days. Access to data centers can only be provided by authorized staff. Other people can only access data centers by accompanying one of the authorized employees.
All staff working with the Data Center are trained in specific security requirements and carry out regular updating training. Access to internal data center systems is possible only with two-factor authentication, and all internal passwords are stored in an encrypted repository, copies are stored in another location of the data center.
Reliability. In the event of a hardware failure, the solution used to provide cloud computing services automatically restores the operation of the service, while duplicate power supplies and Internet lines protect against electrical and communications interruptions. The data center also has a fire extinguishing system, a moisture control and a dual cooling system. The system’s data center is configured to minimize the impact on client services when doing refresh or refill tasks. All used equipment is periodically serviced in accordance with the manufacturer’s instructions to avoid unplanned equipment failure. Preventive actions and other updating procedures are carried out in accordance with the change management process.
Power (electricity) supply. The data center has an autonomous generator for power supply, a dual uninterruptible power supply supplied from two independent power lines. The generator automatically switches on after 1 min. from the moment when electricity is not supplied through both lines. The generators constantly maintain a stable temperature to enable them to immediately switch on and fully power up on demand. These components work seamlessly around the clock all year round, and their service is carried out according to the requirements of the manufacturers without disturbing the data center’s operations.
Systems. Microsoft and VMware are using cluster-based platforms for Blue Bridge cloud computing to ensure uninterrupted supply of virtual resources. Regular updating of the systems according to the requirements and recommendations of the manufacturers in the framework of security management and change management processes is carried out. Systems changes are made without interrupting customer service.
Preventing External Intrusion. The levels of external protection are used with the help of known manufacturers for breaking intrusion prevention solutions. The network’s perimeter is protected by the next-generation firewall (NGFW), with its manufacturer’s constantly updated burst-detection analytics. The network infrastructure is duplicated, its maintenance is carried out in 24×7 mode. All security incidents are processed under a security assurance process that is constantly being improved, and systems are updated and maintained in accordance with manufacturers’ requirements.
Data transfer. Data center connections are made by high-speed lines separating each client’s virtual networks.
Data storage. Data in the Blue Bridge data center is stored in data warehouses of known manufacturers, which are supervised according to the manufacturer’s requirements. The storage capacity is limited to minimize the magnitude of exposure and ensure maximum recovery of data in case of significant storage disruptions. In storage, physical drives are protected by RAID5, and the storage itself controls multiple duplicate controls. Data is segregated between users logically, thus ensuring the safe isolation of customers from each other.
The policy of destroying and cleaning discs and other media. In the event of a failure in the data center, the data contained in the data center is cleared in accordance with manufacturers’ recommendations, and obsolete and no longer usable data carriers are physically removed.
Password management. The Blue Bridge employee is given a unique login and password for joining the Blue Bridge Group. Employees must keep the access information provided and not disclose it to third parties. The login details are required to access the IT systems or other computer hardware, media, documents, etc. All Blue Bridge Users Computerized Workplaces (hereinafter referred to as “CWs”) have enabled and operate Centralized Security Group Policy (using Active Directory), including Employee Access Authentication (Passwords) policies. Notebook PC internal data logger is fully encrypted. When employees do not use the computer for more than 15 minutes, it automatically locks their account.
Passwords created by clients or system administrators / engineers are managed in one information system. Login to the password management system is only possible with the use of two-factor authentication, passwords are stored in the encrypted repository, copies are stored in another location of the data center.
Anti-malware protection. All equipment that connects to the organization’s network is protected by antivirus software that is centrally managed and automatically updated on a regular basis. All employees’ computers run a full computer scan from malicious programs once a week. Antivirus software is configured to check not only incoming but also outgoing emails. The virus database is updated before scanning and automatically scans files before opening or launching.
Maintenance accounting. All client calls are locked in the centralized system by specifying the timing of the call. Login to the system is password managed. The system deals with incidents, changes and consultations. It also ensures centralized management of problems and changes. The quality of the operation of customer systems is ensured through continuous monitoring tools where each event is captured and analyzed in a centralized system. Security incidents are managed in accordance with the established process, informing the responsible persons, and, if necessary, creating an emergency management center. Emergency tests and trainings are carried out periodically.
Remote connection to client systems. The client systems are connected through a centralized unified solution that is protected by two-factor authentication and captures (records) all actions performed by administrators both for connecting to client systems and for working with them. Entries are stored for 6 months.
Administrator’s workplace security. All enterprise computers are protected against viruses and malware, and system administrators hard drives are encrypted in order to prevent loss of computer content leakage. Workplace computer software is updated at least once a week, and critical updates are deployed immediately. Workers’ computers work as ordinary users, i.e. has no administrator rights.
Manage passwords for logins in client systems. A centralized solution based on processes and well-known tools’ is used, which allows only authorized individuals to enter the system of two levels of authentication. The roles of system manager and administrators are strictly separate, and client passwords used are logged in logs that can not be modified or changed.
Hardware. Blue Bridge uses hardware supported by official manufacturers (a whole or part of the physical components of the information processing system).
Operating system. The operating environment is a manufacturer-maintained and legal operating system, updated and maintained by a specialized supplier. For administration, separate accounts are used.
Software. All software fixes critical and critical software security vulnerabilities for software installation.