Company name | Glaut |
---|---|
Date | 07/11/2024 |

Version | Description | Author | Approved by |
---|---|---|---|
1.0 | N/A | Niccolo Valerio | Matteo Cerea |

This information security policy is intended to protect employees, partners, and the Glaut company from illegal or harmful actions by individuals, whether knowingly or unknowingly. Internet/Intranet/Extranet systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts that provide email, web browsing, and file transfers, are the property of the company. These systems must be used for business purposes in the interests of the company and our customers and clients in the course of normal operations.
Effective security is a team effort that requires the participation and support of all company employees or contractors who deal with information and/or information systems. It is the responsibility of each team member to read and understand this procedure and conduct their activities accordingly.
All employees are required to report known or suspected security incidents or events, including policy violations and any observed security vulnerabilities. Incidents must be reported immediately or as soon as possible via email or through a defined escalation process, which includes specific contacts based on the severity of the incident. The report must describe the incident or observation, including all relevant details.
Information security policies are intended to encourage and enable employees and others to raise concerns internally so that inappropriate behavior/actions can be addressed and corrected.
It is the responsibility of all parties involved in this policy to report concerns about violations of the company's code of ethics or suspected violations of laws/regulations to which the company is subject.
It is contrary to our values for anyone to retaliate against an employee who, in good faith, reports an ethical violation or suspected violation of the law, or suspected fraud or suspected violation of any regulation. An employee who retaliates against someone who has reported a violation in good faith is subject to disciplinary action, up to and including termination of employment.
For all BYOD devices, i.e., devices owned by employees, partners, or collaborators of the company, such as cell phones, tablets, laptops, and which are therefore not considered company assets, users must be aware of the following:
In order to ensure information security compliance, if it is necessary to use BYOD for work activities that involve company information, it is important that the Management System Manager and the CTO are involved from the early stages of planning the introduction of BYOD to ensure that the measures taken are compliant with information security, in line with the paragraph “Mobile devices.”
Employees shall not leave unprotected confidential materials on their desks or workspaces and shall ensure that screens are locked when not in use.