Alcor-Ukraine LLC, together with its affiliates, associates, and partners (“Alcor”, “we” or “us”) is a company specializing in the provision of operational (back-office) solutions. In the course of its business, Alcor may process some information, in particular store, use and transmit it in all its forms, such as written, spoken, recorded electronically or printed (“Information”). Thus, the Information shall be appropriately secured to protect against the consequences of breaches in confidentiality, failures of integrity, or interruptions in availability, by means of establishing an appropriate level of security over the Information, as well as over equipment and software used to process respective information.
Alcor seeks to monitor and provide control over access rights granted to individuals with regard to the Information and respective systems, services and/or infrastructure, which are used for the processing of Information (“Information Processing Facilities”). In this Information Security Policy we provide guidelines on the classification of Information, as well as impose rules on granting and receiving access to particular classes of this Information.
This Information Security Policy applies to all individuals working for us, whether on a permanent or temporary basis, including full-time and part-time employees, contract workers, agency workers, business partners, consultants and vendors (collectively – “Personnel” and separately – “Member of Personnel”) that use our assets, especially Information Processing Facilities.
Access control responsibilities are as follows:
Alcor’s Manager shall:
- determine and support Alcor’s access control strategy;
- appoint an employee responsible for Information Security Policy (“Information Security Officer”);
- ensure the satisfactory resolution of problems relating to the provision of access to said Information, when in response to the concerns expressed by the Information Security Officer, significant changes are deemed necessary.
The Information Security Officer shall:
- ensure that this Information Security Policy and respective procedures/standards address all our requirements;
- ensure that logon and system access procedures meet defined requirements;
- ensure that data and applications are safe in project development environments;
- assist Personnel in their day-to-day use of Alcor computer systems by performing basic account administration functions, including the unlocking of locked accounts, resetting passwords, and providing instruction;
- investigate all actual or suspected incidents with information security and take measures to restore an appropriate level of information security.
CLASSIFICATION OF THE INFORMATION
All of Alcor’s Information shall be assigned to one of the following classifications:
Information that is freely available and accessible to the public without any restrictions on access to it, such as public records or news reports, does not need to be tracked or monitored. Hence it is not required to implement any specific protection mechanisms for Information of this type.
Information created or bestowed upon Alcor by partners or clients, whose unauthorized disclosure might cause short-term harm to the business reputation of Alcor (“Internal Information”). This Information needs to be kept in secret to protect business interests as well as to ensure continued client trust. Internal Information may be stored in any way except external publicly available sources (e.g. the Web) which should be transmitted through channels and minimally secured by virtual private networks (VPN). This virtual access to Internal Information requires authentication. Physical access shall be given to any Member of Personnel. All third persons, including but not limited to visitors of Alcor, shall be prevented from access to Internal Information.
Business sensitive data, disclosure of which can adversely impact Alcor’s, their partner’s and/or clients’ business position, and their market value (“Confidential Information”) must not be disclosed to unauthorized persons, because they come under the purview of regulations, contracts or business agreements. This type of Information may be stored exclusively on specifically managed and monitored servers and should be transmitted in encrypted form. Virtual access to Confidential Information requires authentication. Physical access shall be given to certain Members of Personnel on a “need to know” basis. Other Members of Personnel and all the third persons, including but not limited to visitors of Alcor, shall be prevented from access to Confidential Information.
Collections of diverse information should be classified to the most secure classification level of an individual information component with aggregated information.
Access rights to a particular class of Information and respective Information Processing Facilities will be strictly restricted to those persons who have a bona fide business need to access the Information. Alcor’s authorization decisions for granting, approval, and review of access are based on the following principles:
- “Need to know”, due to which Personnel will be granted access to systems that are necessary to fulfill their roles and responsibilities;
- “Least privileged”, according to which Personnel permissions and system functionality are carefully evaluated and access is restricted to the resources required for a particular account user to perform their duties. Thus, some persons (e.g. Information Security Officer) shall be granted privileged rights. Exercise of privileged rights shall be strictly limited to program installation and system reconfiguration. For the avoidance of doubt, privileged rights shall not be used for standard activities and not be provided by default. Alcor guards against issuing privilege rights to entire teams to prevent potential losses of Information confidentiality and/or integrity;
- “Default deny”, which denies the transmission of all traffic, and then specifically allows transmission of required traffic based on protocol, port, source, and destination.
Access control methods used by default include:
- explicit logon procedures;
- Windows share and file permissions to files and folders;
- account privilege limitations;
- server and workstation access rights;
- firewall permissions;
- database access rights;
- encryption at rest and in flight;
- any other methods as contractually required by interested parties.
Where possible, we set accounts to automatically expire at a pre-set date. More specifically, when temporary access is required, such access will be removed immediately after the respective person has completed the task for which the access was granted.
We permanently maintain lists of the following persons:
- Persons responsible for granting access to particular Information and respective Information Processing Facilities;
- Persons who are authorized to access specified Information and respective Information Processing Facilities.
Existing accounts and access rights will be reviewed at least annually to detect dormant accounts and accounts with excessive privileges. Examples of accounts with excessive privileges include the following:
- An active account assigned to persons who no longer work for Alcor;
- An active account with access rights which do not correspond to functions of the particular person within Alcor’s business;
- Unknown active accounts.
Access rights which are not necessary to be granted to a respective person (due to a change of their position within Alcor) should be removed immediately upon such change. Alcor takes appropriate measures to cancel/delete accounts and all access rights of those persons whose commitment to Alcor is terminated for any reason.
Visitors who require internal network access will need permission of the Information Security Officer. Visitor use of employee credentials is not permitted under any circumstances.
INFORMATION SYSTEM ACCESS CONTROL
Minimum requirements for information system access control are the following:
- Valid individual identifications and passwords for all computer access;
- Successful and unsuccessful system accesses are to be recorded;
- The last time a user of a particular account was logged on is to be recorded or displayed;
- Account details are to be issued at a formal training session;
- New accounts are to be initially configured to force a change of password upon first logging on.
Access to Alcor computer facilities are to be via a secure logon process.
The relative logon procedure will:
- not display system or application prompts until the logon process has been completed;
- not provide help messages during logon procedures;
- validate the logon information only on completion of all input data;
- allow only three unsuccessful logon attempts before restricting;
- record the unsuccessful attempt;
- force a time delay before further logon attempts are allowed;
- suspend an account to prevent repeated invalid access attempts;
- disconnect and not assist in a rejected attempt to log on;
- limit the time allowed for the logon procedure; if exceeded, the system should terminate the logon;
- display the following information on completion of a successful logon:
- show date and time of the previous successful logon,
- show details of any unsuccessful logon attempts since the last successful logon;
- provide multi-factor identification for administrative access.
This allows the user of the account to check whether it was he/she who was last logged on. If not, the incident should be reported and appropriate actions taken.
We maintain a process for:
- providing reports of invalid logon attempts upon request;
- detecting and reacting to systematic attacks on the server systems that they support.
Alcor enforces strong password standards to reduce the chances of intruders gaining access to Alcor systems through the exploitation of Personnel accounts.
The following password standards are to be adhered to ensure compliance with the basic principles of logical security:
- Use of individual passwords is to be enforced to maintain accountability;
- Sharing of passwords is not permitted;
- Use of any work-related passwords for personal accounts is prohibited;
- Members of Personnel should be able to select and change their password and be required to provide a confirmation to account for typing errors;
- Personnel having system-level privileges must have a unique password, which is used exceptionally to access system-level privileges;
- A password is to have a minimum length of eight characters;
- Passwords are not to be based on any of the following:
- months of the year, days of the week or any other aspect of the date;
- family names, initials, or car registration numbers;
- company names, identifiers, or references;
- telephone numbers or similar all-number groups;
- user identification, user name, group identification, or another system identifier;
- more than two consecutive identical characters;
- all-numeric or all-alphabetic groups;
- any word contained in a dictionary, either English or another language;
- contain number patterns such as “aaabbb”, “qwerty”, “zyxwvuts”, “123321” etc.;
- be some version of “Welcome123”, “Password123”, “Changeme123” etc.
- Maximum password lifetime is to be 90 days for all accounts;
- Personnel are to be forced to change temporary (initial) passwords at the first logon;
- Passwords are not to be displayed while being entered;
- Password files should be stored separately from the main application system data, and any access restricted to the system administrator;
- Password files are to be stored in encrypted form;
- Default IDs and passwords are to be deleted or altered following the installation of software.
- Do not share passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential information;
- Do not write down and/or store a password online without encryption;
- Do not reveal a password in email, chat, or other electronic communication;
- Do not speak about a password in front of others;
- Do not hint at the format of a password (e.g. “my family name”);
- Do not reveal a password on questionnaires or security forms;
- If someone demands a password, refer them to this document and direct them to the Information Security Officer;
- Always decline the use of the “Remember Password” feature of applications.
Transfer of any portion of the Information by means of conversation should always occur only inside those premises which are appropriately secured from any unauthorized access. In particular, the Information cannot be communicated in public places or in the presence of unauthorized persons.
Information must be transmitted exclusively via accounts created and maintained by Alcor.
Confidential and/or Restricted Information must be sent over e-mail with appropriate safeguards:
- Mail should be appropriately titled, i.e. not to include sensitive details in the subject line;
- Browsers should be safely set up (e.g. passwords are not saved, temporary internet files are deleted on exit, etc.);
- Personal use of e-mail should be kept to a minimum,
- Non-work-related e-mails shall be saved in a separate folder from work-related e-mails;
- No Confidential information should be sent as part of, or attached to, an e-mail message unless the information is encrypted;
- E-mail attachments are a common source of malicious software and particular care is to be taken before opening any attachments, especially if the message is not from a trusted source;
- Individual messages that are forwarded by Personnel to others (receivers) should not contain any portion of Alcor’s Information, with regard to which the respective receiver is not granted access rights.
There will be occasions when telephone enquiries are received asking for the disclosure of Information. When this disclosure is legally justified and the caller has a legal right to access that Information, the following rules should be adhered to:
- Verify personal details;
- Obtain and record the enquirer’s telephone number;
- If the caller is part (representative) of any organization, the main switchboard number of that organization (via phone book or directory inquiries) should be obtained and used to call back;
- Conduct the call in an area that is private (where staff/public cannot overhear);
- Any notes made during the calls should be kept in a secure place (locked away) and not left on any desk;
- Any suspect inquiries should be referred immediately to the Information Security Officer;
- Always provide the minimum amount of Information that is necessary;
- If in doubt, the caller should be advised that they will be called back upon clarifying necessary information.
Communication By Post
- Ensure that the incoming post is received in an environment away from public interference (e.g. not left on the receptionist’s desk in a waiting area);
- Open incoming mail away from public areas;
- Ensure that the post is stored securely and picked up frequently.
- Perform a double-check of addresses;
- Mark post clearly with names and addresses;
- For important letters/parcels, ask for confirmation of safe arrival;
- Where it is possible, send the post with a person specially authorized by Alcor for the performance of such functions.
Text messages and telephone conversation:
- Check that the mobile number is correct and be confident that the person using the recipient’s mobile is the person to whom the message is intended;
- Use specifically those types of messengers which maintain up-to-date and appropriately secured encryption methods;
- Never save any files onto the hard drive of your mobile device;
- Always dial in with a secure token when accessing files;
- Make sure to save files to their network drive;
- Never access Internal or Confidential Information on your mobile device;
- Do not leave the mobile device unlocked if you have to leave it unmanned.
When using a telephone as the method of communication, a minimum amount of Information should be sent, due to the fact that mobile phone networks may be open to additional risks of eavesdropping or interception.
TRANSFER OF DOCUMENTS:
Due care must be taken when transferring documents that contain this Information:
- Paper documents that contain the Information must be stored in a lockable cupboard or cabinet;
- Record what Information is taken off-site/from a department, and if applicable, where and to whom the Information has gone;
- Never leave personal/sensitive/confidential records/documents unattended;
- Ensure that the Information is returned as soon as possible;
- Record that the Information has been returned.
Personnel should strictly follow Alcor’s requirements regarding maintaining security issues while obtaining and exploiting remote access to Alcor’s accounts systems:
- Secure remote access must be strictly controlled. Control will be enforced via one-time password authentication or public/private keys with strong passphrases. No uncontrolled external access to Alcor’s network will be permitted;
- At no time should any Member of Personnel provide their login or e-mail password to anyone, not even family members;
- Personnel with remote access privileges must ensure that their owned or personal computer or workstation, which is remotely connected to Alcor’s corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user;
- Personnel with remote access privileges to the corporate network must not use non-corporate e-mail accounts, or other external resources, to conduct Alcor business, thereby ensuring that official business is never confused with personal business;
- Alcor’s Personnel shall install and employ the approved full disk encryption software on their laptops unless an approved exception has been authorized for appropriate business purposes;
- Routers configured for access to the Alcor network must meet minimum authentication requirements;
- Non-standard hardware configurations must be approved by the Information Security Officer, and Alcor must approve security configurations for access to hardware;
- All PCs, laptops and workstations that are connected to Alcor internal networks via remote access technologies must use the most up-to-date anti-virus software, including personal computers;
- Personal equipment that is used to connect to Alcor’s networks must meet the requirements of Alcor-owned equipment for remote access;
- Individuals who wish to implement non-standard remote access solutions to the Alcor production network must obtain prior approval from the Information Security Officer.
All servers must have an anti-virus application installed that offers real-time scanning protection to files and applications running on the target system.
If the target system is a mail server, it must have either an external or internal anti-virus scanning application that scans all mail destined to and from the mail server.
All items connected to Alcor’s intranet need to have up-to-date anti-virus products and a firewall installed. All Information Processing Facilities running a Windows operating system must have Microsoft security updates enabled.
Alcor keeps anti-virus products up-to-date with virus definitions and security updates. The Information Security Officer is responsible for notifying Personnel of any credible virus threats, whereas the latter is required to comply with instructions received from the Information Security Officer.
No software is to be downloaded from the Internet without prior approval of the Information Security Officer.
The Information must be regularly backed-up. This ensures that the Information which is lost, stolen or damaged can be restored and its integrity maintained.
- The backup media will be stored in appropriately secured cloud platforms (in particular, Microsoft Azure, West Europe Azure Availability Zone);
- The frequency and extent of backups must be in accordance with the importance of Information and the acceptable risk as determined by the data owner;
- The Information backup and recovery process for each system must be documented and periodically reviewed.
Backup Procedures must be documented. These procedures must include as a minimum for each type of data:
- A definition of the specific data to be backed up;
- The type(s) of backup to be used (e.g. full backup, incremental backup, etc.);
- The frequency and time of data backup (every 12/24 hours);
- The storage media to be used;
- Any requirements concerning backup archives;
- The recovery of backup data.
Backup copies must be stored with a short description that includes the following information:
Backup date / Resource name / type of backup method (Full/Incremental).
- Backup software shall be scheduled to run nightly to capture all data from the previous day;
- Backup logs are to be reviewed to verify that the backup was completed;
- In case of a disaster, backup tapes should be available for retrieval and not subject to destruction;
- Data on hard drives will be backed up daily, and mobile devices shall be brought in to be backed up on a weekly basis (or as soon as practical) if on an extended travel arrangement;
- IT Backup systems have been designed to ensure that routine backup operations require no manual intervention.
CHANGES TO THIS INFORMATION SECURITY POLICY
We may from time to time, modify or update this Information Security Policy, upon which we will also update the Last revised date on this document. You are advised to visit this page regularly for the latest information on our Information Security practices.
If you have any questions regarding this Information Security Policy, please contact us by one of the following means:
Postal address: 01033, Ukraine, Kyiv, Simi Prakhovykh str., 58/10.
Last revised – August 4, 2022