Information Security

Each of us is a person processing various types of data. Processing is not only sharing, modification, preparing or recording, but also mere storage of data. Inadequate protection and handling of data can not only cause financial problems, but also lead to enterprise liquidation or unpleasant legal consequences. For this reason, certain entities have special duties concerning data confidentiality – particularly personal information and sensitive data. Protection of this data is also an important element of management control in an entity.
Determining the protection rules for processing personal information and other legally protected information, taking into account all procedures covering technical and organisational means related to proper protection of personal information, is the responsibility of the Data Administrator (DA). Control and supervision of compliance with these rules are the duties of the assigned Information Security Administrator (ISA).

ISA duties include:
• Reporting and updating data sets, and correspondence with the Inspectorate General for Personal Information,
• Preparing internal executive regulations concerning the method of processing personal and employee information, and technical and organisational means ensuring its safety, and supervising their deployment and the entire protection system,
• Approving templates of documents related to personal information protection, authorisations for their processing and their scope, declarations of familiarity with regulations and their registering,
• Restriction of unauthorised user access to the personal information processing system and monitoring all users’ access,
• Conducting training on personal information protection.

Proper organisation of such protections must enable processing the information in a manner that is confidential, integral, verifiable and accessible for authorised users.

DA can, by way of a contract, entrust the information processing to another entity. Velvero offers ISA service outsourcing and preparation, deployment and supervision over correct functioning of the personal information protection system.

As Velvero, we offer:

  1. Preparing full documentation describing the method of personal information processing, including:
    • Information Security Policy including description of the area where personal information is processed, list of personal information sets and programs used to process them, manner of storing data between systems and description of technical and organisational means ensuring protection of information processing,
    • IT System Management Manual used for personal information processing, which must include, for example:
      • Procedures for assigning and revoking rights to process information, and for registering these rights in the IT system, as well as indication of the person responsible for these actions,
      • Utilised methods and means of authentication, and procedures related to their management and use,
      • Work start, suspension and end procedures intended for system users,
      • Data set backup creation procedures, as well as programs and software tools used for their processing,
      • Manner, location and duration of storing electronic data carriers containing personal information and backups,
      • Manner of protecting the IT system from effects of software designed to gain unauthorised access to the IT system,
      • Information on personal information data recipients, i.e. anyone who is provided with the personal information,
      • Procedures for performing inspections and maintenance of information systems and carriers used for data processing.
  2. Employee training on personal information security and protection,
  3. Implementation and supervision over personal information protection documentation and safety standards.

Delegating such duties to Velvero will provide you with a guarantee that personal information is stored and processed in a safe manner compliant with current legal regulations. Professional consulting on this subject will enable minimising the risk of data leaking outside the entity’s area and limit the access of unauthorised persons to the data system.