Confidentiality. Employees are guided by a secure table policy and are familiar with signing requirements for data security. Also, all employees have signed confidential information storage contracts, which impose penalties for non-compliance.
Employees. Employees are introduced to the importance of data security, rules and responsibilities assigned to them to ensure the protection of data (including personal). Executions of special social engineering attacks help to scrutinize employees’ awareness and, at the same time, train them to identify possible threats of security breach. There is also a designated employee responsible for data protection in the organization, dissemination of knowledge, and the enforcement of the requirements of the General Data Protection Regulation (“GDPR”) and the ongoing monitoring.
Process control. A management system has been prepared and implemented to help manage data protection and prevent from potentially threatening activities, minimizing the likelihood and impact of incidents and risks. The responsibilities, powers and commitments of employees are set out in process descriptions, procedures and instructions. The processing of personal data for specified purposes is carried out in accordance with the established procedures.
Legislation. Compliance with the laws and regulations of the Republic of Lithuania, as well as agreements between UAB Blue Bridge Code and its customers, suppliers / subcontractors and partners.
Use of Information systems. The information systems necessary for the organization’s activities (hereinafter referred to as the “IS”) are evaluating the impact of data protection on the requirements of the GDPR. Access to data stored in the IS is controlled through consumer rights. Only certified software is used, which is updated in accordance with the established procedure.
Access control. Employees provide services (including data center and maintenance) from the Blue Bridge facilities, access to which is protected by the passage control system.
Infrastructure. Also a firewall is used which skips only returning device session initiated data packets and and only session packets that are exclusively described, and does not send the response packet to the sender by blocking an unauthorized packet.
Hardware. Blue Bridge uses hardware supported by official manufacturers (a whole or part of the physical components of the information processing system).
Operating system. The operating environment is a manufacturer-maintained and legal operating system, updated and maintained by a specialized supplier. For administration, separate accounts are used.
Software. All software fixes critical and critical software security vulnerabilities for software installation.
Maintenance accounting. All client calls are locked in the centralized system by specifying the timing of the call. Login to the system is password managed. The system deals with incidents, changes and consultations.
Password management. The Blue Bridge employee is given a unique login and password for joining the Blue Bridge Group. Employees must keep the access information provided and not disclose it to third parties. The login details are required to access the IT systems or other computer hardware, media, documents, etc. All Blue Bridge Users Computerized Workplaces (hereinafter referred to as “CWs”) have enabled and operate Centralized Security Group Policy (using Active Directory), including Employee Access Authentication (Passwords) policies. Notebook PC internal data logger is fully encrypted. When employees do not use the computer for more than 15 minutes, it automatically locks their account.
Anti-malware protection. All equipment that connects to the organization’s network is protected by antivirus software that is centrally managed and automatically updated on a regular basis. All employees’ computers run a full computer scan from malicious programs once a week. Antivirus software is configured to check not only incoming but also outgoing emails. The virus database is updated before scanning and automatically scans files before opening or launching.
Connecting to customers. Employees connect to client computers with remote specialized software, which has two levels of authentication, so that only approved IT specialists can connect to the computer. Connecting to a client computer screen remotely is only possible with client end-user approval. All connections and duration are recorded in specialized software. The connection to the computer channel is encrypted with specialized software.
Preventing External Intrusion. The levels of external protection are used with the help of known manufacturers for breaking intrusion prevention solutions. The network’s perimeter is protected by the next-generation firewall (NGFW), with its manufacturer’s constantly updated burst-detection analytics. The network infrastructure is duplicated, its maintenance is carried out in 24×7 mode. All security incidents are processed under a security assurance process that is constantly being improved, and systems are updated and maintained in accordance with manufacturers’ requirements.
Case Records. System case records are generated, processed, and stored. The structure of these records is composed of case type, user identifier, date and time, successful and unsuccessful access entry, related system components or resources, network IP address and/ or protocol used.