Security Controls
Implemented controls and security policies protecting our organization.
Total Controls: 72
Active: 70
Planned: 0
Physical (4)
Cabling Security
Network cabling is routed to prevent unauthorized access or interception. Telecom cabinets are secured and the number of exposed connection sockets is minimized.
Office Physical Security
Physical security perimeters and entry controls for all office locations.
Secure Areas and Zones
Rules for working in secure areas with security zone division. Video surveillance implemented for restricted zones.
UPS and Power Protection
Electrical installations protected against interference. UPS and backup power for critical infrastructure.
Policy (30)
Acceptable Use of Information
Rules for acceptable use of classified information documented in Information Security Policy.
AI Acceptable Use Policy
Organization-wide policy defining permitted and prohibited uses of AI tools. Specifies which data classifications may be shared with AI services (Public and Internal only — never Confidential or Legally Protected). Lists approved AI platforms (OpenAI, Anthropic, Google Gemini, Mistral, Cursor). Prohibits use of AI for final decisions on hiring, legal matters, or financial approvals without human review. Requires disclosure when AI-generated content is delivered to clients. Covers mandatory human verification of AI-generated output before use in production code, documentation, client deliverables, or decision-making. Defines secure prompt engineering practices and awareness of prompt injection risks. Establishes multi-provider fallback expectations for AI-dependent workflows.
AI Governance Framework and EU AI Act Compliance
Comprehensive AI governance framework aligned with the EU AI Act (Regulation 2024/1689). Maintains a living inventory of all AI systems used across the organization, classified by EU AI Act risk category: Unacceptable Risk (Art. 5 — prohibited practices), High-Risk (Art. 6 & Annex III), Limited Risk (Art. 50 — transparency obligations), and Minimal Risk. Documents each AI system's purpose, data inputs/outputs, provider, data residency, training data opt-out status, and accountable business owner. Addresses key EU AI Act requirements: transparency obligations for general-purpose AI (Art. 52-53), fundamental rights impact assessment for high-risk systems (Art. 27), conformity assessment procedures, and incident reporting obligations. Defines bias monitoring procedures for AI used in sensitive contexts (hiring, assessments, client work). Establishes escalation paths for AI incidents and annual review cycle. Tracks enforcement timeline: prohibited practices (Feb 2025), GPAI rules (Aug 2025), high-risk obligations (Aug 2026). Penalties: up to 35M EUR or 7% of global turnover.
Asset Management Policy
Defines requirements for identifying, classifying, and managing information assets throughout their lifecycle.
Backup Policy
Defines requirements for data backup, storage, retention, and recovery procedures.
Business Continuity Policy
Establishes requirements for maintaining business operations during disruptions and disaster recovery.
Clear Desk and Clear Screen Policy
Workplace security principles minimizing risks through clear desk/screen practices.
Cloud Security Guidelines
Security guidelines for the use of cloud technologies, with security recommendations for their use in projects and services.
Contact with Authorities and Interest Groups
Procedures for contact with legal, regulatory authorities and professional security forums defined in Information Security Policy.
Employment Terms - Security Obligations
Employment contracts include security responsibilities. Failure to comply may result in disciplinary actions per Information Security Policy.
Encryption and Cryptography Policy
Establishes requirements for the use of encryption and cryptographic controls to protect data.
Endpoint Security Policy
Defines security requirements for workstations, laptops, and other endpoint devices.
Event Monitoring Policy
Defines requirements for security event logging, monitoring, and analysis.
Human Resource Management Policy
Defines security requirements related to human resources including hiring, training, and termination procedures.
Incident Management Policy
Establishes procedures for detecting, responding to, and recovering from security incidents.
Information Classification and Labelling
Information classified into levels (Legally Protected, Confidential, Internal, Public). Labelling and handling rules documented.
Information Security Policy
Establishes the overall direction and principles for information security management across the organization.
ISMS Roles and Responsibilities
Responsibilities and roles within the ISMS scope are allocated internally. Board representatives are assigned for security and risk oversight.
Legal Compliance Policy
Establishes the framework for ensuring compliance with applicable laws, regulations, and contractual obligations.
Legal Documents and Compliance Management
Legal requirements identified, reviewed and monitored. Organization adjusts to customer requirements and regulatory changes.
NDA and Confidentiality Agreements
Confidentiality provisions used in contracts with clients and suppliers. Dedicated NDAs for cooperation agreements.
Network and Network Services Management Policy
Defines requirements for securing network infrastructure, segmentation, and network services.
Passwords and Identifiers Management Policy
Defines requirements for password complexity, management, and user identification.
Personal Data Protection Policy
Establishes requirements for protecting personal data in accordance with GDPR and applicable data protection regulations.
Physical Security Policy
Establishes requirements for physical access controls and facility security.
Remote Work Security Policy
Establishes security requirements for employees working remotely or from home.
Segregation of Duties - ISMS
ISMS roles documented in the organization's role matrix define separation of responsibilities to prevent conflicts of interest.
Software Licensing Compliance
Cloud services implemented per licensing requirements. Operating systems purchased with hardware to ensure compliance.
Suppliers and Services Management Policy
Establishes security requirements for managing third-party suppliers and external services.
Vulnerability Management Policy
Establishes the process for identifying, assessing, and remediating security vulnerabilities.
Process (17)
ASVS and Secure Coding Guidelines
Secure application development guide based on OWASP ASVS. Internal audits check compliance with secure coding standards.
Audit Management Procedure
Periodic security audits organized. ISO compliance reviews maintained.
Data Retention and Deletion Procedure
Process for information deletion and secure equipment disposal/reuse preventing accidental data release.
Employee Screening Process
Background verification checks on candidates carried out in accordance with applicable laws and regulations.
Evidence Collection Procedure
Procedures for collecting and preserving evidence during security incident investigations.
Information Security Awareness and Training
Regular security awareness training for all employees. Phishing simulations conducted quarterly.
IT Change Management Process
Change management implemented and integrated with ISMS. Major changes documented.
IT Equipment Maintenance
Documented inspection and maintenance procedure for periodic IT infrastructure checks.
Offboarding Process - Asset Return
Offboarding process ensures equipment return and access revocation. Employee accountability measures enforced.
Periodic Access Reviews
Quarterly reviews of user access rights to ensure least-privilege principle and remove stale permissions.
Privileged Access Management
Privileged access rights controlled through onboarding/offboarding process with documented asset and access lists.
Security Event Assessment Process
Incident management policy defines responsibilities for identifying, assessing and handling security events.
Security Recommendations for Projects
Security recommendations for projects and products. Risk analysis procedure for project classification.
Security Testing Procedure
Security Team procedures govern the rules for commissioning systems into production. Vulnerability testing is performed periodically.
Software Management Procedure
Scope of privileged utilities and software installation controls defined in internal procedures.
Supplier Security Management
Third-party vendor security assessments. Contractual security requirements. Ongoing supplier monitoring.
User and Access Management Procedure
Onboarding/offboarding processes with rules for user registration, deregistration, and access assignment via IdP.
Technical (21)
Capacity Management - Cloud Resources
Cloud services configured with scalable capacity. Monitoring alerts for resource utilization.
Data Backup and Recovery
Automated backups of critical data with tested recovery procedures. Cloud and on-site backup retention.
Data Loss Prevention
DLP policies on email and cloud storage to prevent unauthorized transfer of classified information.
Data Masking - Production Data
Data masking used selectively for applications processing large data sets or per customer requirements.
Dev/Test/Prod Environment Separation
Technical and organizational solutions separate test and production environments. Test data protected from unauthorized access.
Email Security and Anti-Phishing
Email gateway with anti-spam, antivirus, sandboxing. SPF, DKIM, DMARC configured for all domains.
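The SPF and DMARC settings named above can be verified directly from DNS. The script below is an added example and is not part of the control set or any tooling the page describes; it runs offline against constructed sample records (the names example.com, weak.example and nomail.example and their TXT strings are invented for illustration) and flags weak settings such as a softfail-only SPF, a lookup count over the RFC 7208 limit, or a monitoring-only DMARC policy. DKIM is left out because checking it requires knowing each sending selector.

```python
"""Added example: assess SPF and DMARC policy strength from TXT records.

The records here are constructed sample data; in practice, replace
sample_lookup() with a real resolver call (e.g. dnspython's
resolver.resolve(name, "TXT")) that returns the TXT strings for a name.
"""
import re

# Constructed sample TXT records keyed by DNS name (assumed, for illustration).
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example-mail.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"],
    "weak.example": ["v=spf1 a mx ~all"],          # softfail only
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "nomail.example": [],                           # no SPF, no DMARC at all
}

# Mechanisms and modifiers that each cost one DNS query (RFC 7208 section 4.6.4).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)\b")


def sample_lookup(name: str) -> list:
    """Stand-in resolver: return the TXT strings for a DNS name."""
    return SAMPLE_TXT.get(name, [])


def parse_tags(record: str) -> dict:
    """Parse a DMARC-style 'k=v; k=v' record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records: list) -> list:
    """Return findings for a domain's SPF record; empty list means enforcing."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records (RFC 7208 allows exactly one)")
    terms = spf[0].split()
    lookups = sum(
        1 for t in terms
        if _LOOKUP_TERM.match(t.lower()) or t.lower().startswith("redirect=")
    )
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10")
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorizes every sender")
    elif last == "?all":
        findings.append("SPF: '?all' (neutral) provides no protection")
    elif last == "~all":
        findings.append("SPF: '~all' softfail; prefer '-all' once sending sources are known")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("SPF: no terminal 'all' mechanism")
    return findings


def check_dmarc(txt_records: list) -> list:
    """Return findings for a domain's DMARC record; empty list means enforcing."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no v=DMARC1 record"]
    findings = []
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid policy tag 'p' ({policy!r})")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    return findings


def assess_domain(domain: str, lookup=sample_lookup) -> dict:
    """Assess SPF and DMARC for a domain using lookup(name) -> list of TXT strings."""
    return {
        "spf": check_spf(lookup(domain)),
        "dmarc": check_dmarc(lookup("_dmarc." + domain)),
    }


if __name__ == "__main__":
    for name in ("example.com", "weak.example", "nomail.example"):
        result = assess_domain(name)
        status = "OK" if not (result["spf"] or result["dmarc"]) else "WEAK"
        print(f"{name}: {status}")
        for finding in result["spf"] + result["dmarc"]:
            print("  -", finding)
```

A domain returns no findings only when SPF ends in `-all` within the lookup budget and DMARC is at `p=quarantine` or `p=reject` with full `pct` and a reporting address; anything less leaves a gap that a spoofed message can pass through.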
Encryption at Rest and in Transit
Full-disk encryption on endpoints. TLS for data in transit. Database-level encryption for sensitive data.
Endpoint Antivirus and EDR
Antivirus and endpoint detection/response software deployed on all workstations with real-time monitoring.
ICT Readiness for Business Continuity
ICT continuity plans tested annually. Recovery procedures documented for critical services.
Mobile Device Management
MDM policies controlling removable media, device encryption, and remote wipe capabilities.
Multi-Factor Authentication
MFA enforced on all critical systems, cloud services, and VPN access. Hardware tokens or authenticator apps required.
Network Firewall and IDS/IPS
Next-generation firewall with intrusion detection/prevention. Unified threat management at network perimeter.
Network Segmentation
Network segmented into security zones (VLANs) to contain breaches and limit lateral movement.
NTP Clock Synchronization
Clock synchronization implemented on workstations and internal resources using NTP.
Password Management
Enterprise password manager deployed. Password complexity requirements enforced. Credential sharing prohibited.
Patch and Update Management
Automated patch management for OS and applications. Critical patches applied within defined SLA windows.
SaaS Redundancy - Critical Services
Critical information services are operated as SaaS, which provides adequate protection against loss. Cloud backup for user data.
Security Monitoring and SIEM
Centralized security monitoring with SIEM for log aggregation, correlation, and alerting on security events.
Source Code Access Control
Access to source code repositories regulated based on project assignment and role requirements.
Threat Intelligence and Vulnerability Research
Policies for investigating system vulnerabilities. Detected vulnerabilities addressed per Vulnerability Management Policy.
Web Content Filtering
Network web filtering with blocked category lists to prevent access to malicious or inappropriate content.