Information Security Policy of Gontard & Cie

1. INTRODUCTION

1.1       This Policy contains the goals and objectives of ensuring information security of the companies constituting the Gontard & Cie Group (hereinafter referred to as Gontard & Cie) and establishes the strategy and principles for building an information security system based on a systematic description of the information security processes and procedures of Gontard & Cie.

1.2       This Policy defines the areas of information security that are relevant to Gontard & Cie, and forms standards in the field of information security aimed at improving the level of security of Gontard & Cie's information assets, ensuring the integrity, availability and confidentiality of information in the course of Gontard & Cie's business.

1.3       This Policy applies to all companies that are members of Gontard & Cie.

1.4       The goals of this Policy are:

1.4.1    to define the scope of the information security system;

1.4.2    to formulate the requirements for the information security system;

1.4.3    to regulate the organization of Gontard & Cie’s activities in order to ensure the safety of critical information assets;

1.4.4    to establish the responsibilities of the Gontard & Cie’s employees for organizing information security activities.

1.5       This Policy does not detail all the rules and measures aimed at ensuring information security. Additional private policies are developed on the basis of the provisions of this Policy.

1.6       The necessary information security requirements of Gontard & Cie are binding on all employees of Gontard & Cie and other parties in accordance with the provisions of internal regulatory documents of Gontard & Cie, as well as the requirements of contracts and agreements to which Gontard & Cie is a party.

1.7       The terms, definitions and abbreviations used in this Policy are given in the section "Terms, definitions and abbreviations".

1.8       The Policy is developed taking into account the recommendations and requirements of the General Data Protection Regulation ("GDPR"), the Health Insurance Portability and Accountability Act ("HIPAA") and the Federal law of the Russian Federation dated July 27, 2006 No. 152-FZ "On personal data", as well as other legal acts of the countries in which Gontard & Cie conducts its business.

2. TERMS, DEFINITIONS AND ABBREVIATIONS

2.1 The following terms are used in this Policy:

Information system: A set of information contained in databases, and the information technologies and technical means that process it (an automated system that implements the technology for performing Gontard & Cie's functions)

Automated information system: A system consisting of personnel and a set of automation tools for their activities that implements information technology for performing established functions

Information security audit: A systematic, independent and documented process for obtaining evidence of Gontard & Cie's activities in ensuring information security, establishing the extent to which Gontard & Cie meets the information security criteria, and allowing for the formation of a professional audit judgment on the state of information security of Gontard & Cie

Authentication: Verification of the validity of the identifier presented by the access subject

Document: Information recorded on a tangible medium with details allowing it to be identified

Availability of information assets: The property of information security of Gontard & Cie which consists in the fact that information assets are provided to an authorized user, in the form and place required by the user, and at the time when the user needs them

Identification: The process of assigning an identifier (a unique name); comparison of the presented identifier with the list of assigned identifiers

Information asset: Information with identifying details that is of value to Gontard & Cie, held by Gontard & Cie and presented on any tangible medium in a form suitable for processing, storage or transmission

Information security: The process of ensuring confidentiality, integrity, and availability of information

Information security incident: An event indicating an accomplished, attempted, or probable implementation of an information security threat

Controlled area: The territory of a facility within which the uncontrolled presence of persons without access rights is excluded

Confidentiality of information assets: The property of information security of Gontard & Cie which consists in the fact that the processing, storage, and transfer of information assets is carried out in such a way that information assets are available only to authorized users, system objects or processes

Scope of the information security system: The set of information assets and elements of the information infrastructure of Gontard & Cie

Personal data Regulator: An organization that, independently or jointly with other persons, organizes and (or) processes personal data, and determines the purposes of personal data processing, the composition of the personal data to be processed, and the actions (operations) performed with personal data

Information security risk assessment: A systematic and documented process for identifying, collecting, using, and analyzing information that allows for the assessment of information security risks associated with the use of information assets of Gontard & Cie at all stages of their lifecycle

Personal data: Any information relating to an individual (the personal data subject) who is identified or identifiable, directly or indirectly

Information security policy: Documentation that defines the high-level goals, content, and main areas of information security activities intended for Gontard & Cie as a whole

Information security risk: The risk associated with a threat to information security

Information security system: Consists of both a system of organizational and technical measures to ensure information security, and an information security management system that ensures the continuous operation of the information security management system

Information security threat: Possible actions or events that may lead to information security breaches (of the availability, integrity, or confidentiality of information assets of Gontard & Cie)

Integrity of information assets: The property of information security of Gontard & Cie to keep its information assets unchanged or to correct detected changes in them

Private information security policy: Documentation detailing the provisions of the information security policy in relation to one or several areas of information security, types and technologies of activities of Gontard & Cie

3. GENERAL PROVISIONS

3.1       This Policy is a publicly available document and represents the system of views officially adopted by the management of Gontard & Cie on the problem of ensuring information security in the unified information telecommunication system of Gontard & Cie.

3.2       The main task in the field of information security is recognized by Gontard & Cie as the development and improvement of measures and tools to ensure information security of information assets of Gontard & Cie in the context of the development of legislation and regulations on information activities.

3.3       Within the framework of its activities, Gontard & Cie undertakes to take all possible measures to protect personnel, information and business reputation from the risk of harm, loss and damage arising from the implementation of information security threats or other illegal actions related to the violation of information security of Gontard & Cie.

3.4       Information security requirements imposed by Gontard & Cie are consistent with the goals of business of Gontard & Cie and are designed to reduce information security risks to an acceptable level.

3.5       The implementation and monitoring of the requirements set out in this Policy should be performed by the employees of the Gontard & Cie structural division responsible for information security, as well as the Data Protection Officer, in accordance with their job descriptions and other internal documents of Gontard & Cie on information security.

4. GOALS AND OBJECTIVES OF INFORMATION SECURITY

4.1       The goals of information security of Gontard & Cie are:

-       to protect the interests of Gontard & Cie, its employees, customers and other subjects of information relations interacting with Gontard & Cie from possible harm to their activities through accidental or deliberate unauthorized interference in the operation of the information systems of Gontard & Cie, or as a result of malfunction of hardware and software, leading to inaccessibility of information, disclosure, distortion, destruction of protected information and its illegal use;

-       to comply with the legal regime for the use of arrays and information processing programs;

-       to prevent the implementation of security threats to the activities of Gontard & Cie by creating an integrated information security system.

4.2       The objects of information legal relations are:

-       information resources with restricted access, personal data, or other information resources that are sensitive to accidental or unauthorized influences and violations of their security, including documented information;

-       data reduction processes in Gontard & Cie information systems, information technologies, regulations and procedures for collecting, processing, storing and transmitting information;

-       information infrastructure, including information processing, storing and analysis systems, hardware and software tools for its processing, including information exchange and telecommunication channels;

-       information security systems and tools, objects and premises where sensitive elements of the information environment are located.

4.3       The subjects of information relations when using Gontard & Cie information systems interested in ensuring information security are:

-       Gontard & Cie, as the owner of information resources and personal data Regulator;

-       employees of Gontard & Cie as users and suppliers of information to information systems in accordance with their functions;

-       legal entities and individuals whose information is processed in the information systems of Gontard & Cie;

-       other legal entities and individuals involved in the creation and operation of information systems (government agencies, developers of information systems components, maintenance personnel, organizations involved in the provision of information technology security services, etc.).

4.4       The listed subjects of information relations (clause 5.2) are interested in the following aspects to be provided in the information systems of Gontard & Cie:

-       confidentiality (keeping secret) of a certain piece of information;

-       integrity (completeness, accuracy, adequacy, reliability) of information;

-       timely access (in reasonable time) to the information they need;

-       protection against the imposition of false (unreliable, distorted) information (against misinformation);

-       delineation of responsibility for violations of the legal rights (interests) of other subjects of information relations and established rules for handling information;

-       the possibility of continuous monitoring and control of the processing and transmission of information;

-       protection of part of the information from illegal copying and distribution (protection of copyright, rights of the owner of information, etc.).

4.5       In order to achieve the goals of protecting and ensuring the specified properties of information and its processing system (clause 5.4), the information security system of Gontard & Cie must provide an effective solution to the following tasks:

4.5.1    protection against interference in the functioning of information systems of unauthorized persons (only registered users should be able to use the system and have access to its resources);

4.5.2    differentiation of access of registered users to hardware, software and information resources of information systems (the possibility to access only those resources and perform only those operations with them that are necessary for specific users to perform their official duties), that is, protection against unauthorized access to:

-    information circulating in information systems;

-    means of computer technology;

-    hardware and software for information protection;

-    Internet resources.

4.5.3    registration of user actions when using protected resources and periodic monitoring of the correctness of their actions;

4.5.4    monitoring the integrity (ensuring that the program execution environment remains unchanged) and restoring it in the event of violation;

4.5.5    protection against unauthorized modification and integrity control of software and data used in Gontard & Cie, as well as protection of the system from unauthorized introduction of malware, including computer viruses;

4.5.6    protection of restricted information stored, processed in Gontard & Cie and transmitted via communication channels from unauthorized disclosure or distortion;

4.5.7    ensuring the authentication of users participating in information exchange (confirming the authenticity of the sender and recipient of information), as well as establishing authorship when creating and modifying information;

4.5.8    ensuring the operability of information security tools used in Gontard & Cie information systems;

4.5.9    timely identification of sources of information security threats, causes and conditions that contribute to damage to interested subjects of information relations, creation of a mechanism for rapid response to information security threats and negative trends;

4.5.10 creating conditions for minimizing and localizing the damage caused by unlawful actions of individuals and legal entities, reducing the negative impact and eliminating the consequences of information security breaches in Gontard & Cie.

4.6       An effective solution of the tasks set by the information security system in Gontard & Cie is achieved by:

4.6.1    keeping record of all resources subject to protection (information, communication channels, hardware and software);

4.6.2    regulation of the processing of information subject to protection, actions of employees of Gontard & Cie and personnel performing maintenance and modification of software and hardware, based on approved organizational and administrative documents on information security;

4.6.3    appointment and training of employees responsible for organizing and implementing information security activities at Gontard & Cie;

4.6.4    giving each employee (user) the minimum necessary permissions to access resources to perform their functional duties;

4.6.5    clear knowledge and strict compliance by all employees who use and maintain hardware and software with the requirements of organizational and administrative documents related to information security;

4.6.6    personal responsibility for the actions of each employee who participates in the processes of automated information processing and has access to the resources of information systems within the framework of their functional responsibilities;

4.6.7    implementation of technological processes of information processing using complexes of organizational and technical measures for software, hardware and data protection;

4.6.8    taking effective measures to ensure the physical integrity of technical means of information systems and continuously maintaining the necessary level of security of their components;

4.6.9    use of physical and technical means to protect the resources of Gontard & Cie and administrative support for their use;

4.6.10 effective monitoring of compliance by users of information systems with information security requirements;

4.6.11 legal protection of the interests of Gontard & Cie when interacting with legal entities and individuals (clients, partners, suppliers of information, software and hardware, etc.) from illegal and unauthorized actions on the part of these persons;

4.6.12 conducting an analysis of the effectiveness of the measures taken and the information security tools used in Gontard & Cie, developing and implementing proposals to improve the information security system in Gontard & Cie.

5. PRINCIPLES OF INFORMATION SECURITY

5.1       Principle of legality

5.1.1    When selecting protective measures implemented by the information security system, Gontard & Cie must ensure that they are consistent with current legislation in the field of information security.

5.1.2    The software and hardware used in Gontard & Cie must have the appropriate licenses, be officially purchased from representatives of the developers of these tools, or be the intellectual property of Gontard & Cie.

5.2       Principle of consistency and complexity

5.2.1    When building an information security system, Gontard & Cie should apply a systematic approach that involves a consistent process of organizing the protection of information resources of Gontard & Cie, and a comprehensive approach that is based on the use of a coordinated application of methods and means of protecting information resources of Gontard & Cie, effective in relation to all attacks when implementing current threats to information security.

5.2.2    When building and further operating the information security system, Gontard & Cie must take into account all interrelated, interacting and time-changing elements, conditions and factors significant for understanding and solving the tasks of ensuring the security of information resources.

5.3       Principle of interaction and coordination

5.3.1    When organizing actions to ensure information security, Gontard & Cie must ensure a clear interaction between the relevant structural divisions, a relationship with representatives of third-party specialized organizations that provide services under contractual obligations, with government authorities and law enforcement agencies.

5.3.2    When building, implementing and operating an information security system, Gontard & Cie must provide conditions for effective coordination of actions of all persons who ensure the implementation of these processes in order to achieve the set goals of information security.

5.4       Principle of friendliness

5.4.1    The information security system in Gontard & Cie should be organized in such a way as to make its functioning as transparent as possible for users of the information systems of Gontard & Cie.

5.4.2    The information security system in Gontard & Cie should be organized in such a way that organizational and technical restrictions imposed on the work of the employees of Gontard & Cie in connection with the implementation of protective measures do not significantly complicate the work with the resources of information systems of Gontard & Cie.

5.5       Principle of prevention

5.5.1    The measures applied by Gontard & Cie to ensure information security should be proactive and, if possible, prevent the implementation of information security threats, since the elimination of consequences of the implementation of threats can lead to significant financial, time and material costs, far exceeding the cost of creating and maintaining the functioning of an information security system.

5.6       Principle of optimality

5.6.1    Gontard & Cie should choose common software and hardware tools to solve similar tasks of ensuring information security of resources in order to reduce the cost of creating and supporting the functioning of components of the information security system.

5.6.2    If it is necessary to use heterogeneous software and hardware security tools, Gontard & Cie must ensure their coordinated application, in order to build a complete information security system and eliminate possible vulnerabilities at the junctions of its individual components.

5.6.3    In order to create layered information security, Gontard & Cie must, at different levels of resource security, use information security tools that have similar functions, are developed by different manufacturers, and have different logic for building security mechanisms.

5.6.4    When choosing the composition of software and hardware components of the information security system, Gontard & Cie should be guided by maximum compatibility with the software and hardware used in the information systems of Gontard & Cie.

5.7       Principle of economic feasibility

5.7.1    When choosing solutions for protecting information resources, Gontard & Cie should:

-       apply a differentiated approach based on the importance and degree of criticality of the processed information;

-       take into account the frequency and probability of information security threats.

5.7.2    When building and operating an information security system, Gontard & Cie shall evaluate the level of security costs, the value of information resources, and the extent of possible damage to Gontard & Cie in the event of violation of confidentiality, integrity, and availability of information resources.

5.7.3    Based on the assessment, Gontard & Cie must select the necessary and sufficient level of protection of information resources, at which the costs, risk and amount of possible damage would be acceptable.

5.8       Principle of continuity of safe operation

5.8.1    The information security system in Gontard & Cie should be built in such a way that the process of protecting the information systems of Gontard & Cie is carried out continuously and purposefully, throughout the entire life cycle of information systems.

5.9       The principle of mandatory control

5.9.1    In order to detect and prevent attempts to violate information security in a timely manner, Gontard & Cie must ensure that both authorized and unauthorized information security events initiated by the user of the information systems of Gontard & Cie and by the software and hardware tools in its composition are registered.

5.9.2    In order to detect vulnerabilities in the information security system, Gontard & Cie shall monitor the degree of compliance with the established information security requirements and the effectiveness of the measures and means used to ensure information security.

5.10     The principle of specialization and professionalism

5.10.1 To develop and implement an information security system, Gontard & Cie should involve specialized organizations that are best prepared for a particular type of activity and have practical experience in this field.

5.10.2 In order to operate the components of the information security system, Gontard & Cie should provide professional training to its employees.

5.11     The principle of choosing high-tech security solutions

5.11.1 When building an information security system, Gontard & Cie should focus on the use of modern high-tech solutions and software and hardware protection tools that are well-proven, intuitive and not difficult to operate.

5.11.2 The choice of solutions for the protection of information systems of Gontard & Cie should be based on the assessment of the degree of correct functioning and performance of security functions, fault tolerance, checking the consistency of the configuration of various components and the possibility of centralized administration.

5.12     The principle of improvement

5.12.1 Gontard & Cie shall regularly update and enhance the existing information security system and improve the security mechanisms used for the information systems of Gontard & Cie.

5.12.2 When improving the information security system, Gontard & Cie should focus on the continuity of previously adopted security decisions, on the analysis of the functioning of information systems and the information security system itself, as well as on the world experience in the field of information security.

5.13     Principle of personal responsibility and separation of duties

5.13.1 Gontard & Cie shall determine the rights and responsibilities of each individual employee (within the scope of his/her authority) for ensuring the security of the information resources of Gontard & Cie.

5.13.2 The information security system of Gontard & Cie should ensure the separation of powers in information systems, duties and responsibilities between employees, eliminating the possibility of violating processes critical for Gontard & Cie or creating vulnerabilities in the protection of information resources.

5.14     The principle of minimizing user privileges

5.14.1 Information systems of Gontard & Cie must ensure that users are granted privileges that are minimally sufficient for them to perform their functions in Gontard & Cie, in accordance with their official duties.

6. AREAS OF RESPONSIBILITY OF PARTICIPANTS OF THE INFORMATION SECURITY PROCESS

6.1       The Management of Gontard & Cie

6.1.1    creates conditions under which each employee of Gontard & Cie knows his/her duties and tasks in relation to information resources, and ensures the necessary division of functions and powers in order to avoid a conflict of interest;

6.1.2    appoints employees responsible for the creation and use of systems for the protection of information processed in Gontard & Cie, the implementation of information security processes, as well as its control;

6.1.3    ensures the sufficient number and qualification of personnel responsible for building and maintaining information security processes, implementing and managing information security tools, as well as monitoring and control of the current state of the information security system of Gontard & Cie;

6.1.4    initiates, supports and controls all information security processes in Gontard & Cie;

6.1.5    analyzes the results of work in the direction of information security and makes decisions on the basis of this analysis on the need for tactical and strategic improvements to the information security system;

6.1.6    makes decisions on the need to develop the information security system, its adjustment and improvement, on the possibility of taking residual information security risks, on the allocation of resources necessary for the implementation of the Information Security Policy.

6.2       IT Department

6.2.1    prepares proposals for updating and improving the Information Security Policy regarding the technical support of the information systems of Gontard & Cie;

6.2.2    develops procedures for effective management of hardware and software tools of information systems and applies them in practice to all systems operating in Gontard & Cie;

6.2.3    organizes the necessary training of employees of structural divisions in terms of issues of safe operation of information systems;

6.2.4    protects access to all computer and switching equipment and data carriers used in the relevant structural divisions;

6.2.5    authorizes logical access rights to information systems;

6.2.6    implements measures to support the maintenance and use of information systems;

6.2.7    ensures high availability of information processes at the level of software and hardware redundancy and organization of data backup procedures;

6.2.8    ensures fault tolerance of the entire hardware and software complex and the procedure for regulated recovery of performance after single, random, unrelated component failures;

6.2.9    regularly updates software and hardware complexes of information security tools in Gontard & Cie;

6.2.10 supports the functioning of information systems and takes the necessary measures to configure systems to ensure the necessary level of information security of Gontard & Cie;

6.2.11 participates in the processes of identifying, investigating and minimizing the consequences of information security incidents;

6.2.12 monitors the performance of access control devices in premises where information systems critical for Gontard & Cie are located;

6.2.13 monitors the performance of uninterruptible power supply devices of information systems critical for Gontard & Cie at the end of the working day, at night, and during weekends and holidays;

6.2.14 manages and maintains the fully functional condition of the corresponding devices for control of access to the premises of Gontard & Cie;

6.2.15 provides recommendations to the management of Gontard & Cie on all issues related to securing access to the premises of Gontard & Cie;

6.2.16 protects information assets of Gontard & Cie from accidental or intentional destruction, distortion, disclosure, or loss;

6.2.17 ensures compliance with the requirements of current legislation on information security (including protection of personal data and payment information);

6.2.18 assesses information security risks and formulates information security requirements based on its results;

6.2.19 ensures compliance of all information systems with information security requirements in accordance with accepted standards;

6.2.20 controls the implementation of the established rules and procedures for ensuring information security in Gontard & Cie;

6.2.21 organizes training and consulting for the employees of Gontard & Cie on information security issues.

6.3       Heads of structural divisions of Gontard & Cie

6.3.1    are obliged to comply with the requirements of the current legislation of the Russian Federation and internal documents of Gontard & Cie in terms of ensuring information security;

6.3.2    ensure control over compliance with the information security rules and regulations in their structural division and inform the Special Programs Department of any suspicious events or violations of the current information security rules;

6.3.3    ensure that the actions of employees of the division comply with the Information Security Policy, internal documents on information security and any other instructions of the management of Gontard & Cie on information security issues;

6.3.4    organize the necessary training on the implementation of information security rules for all employees of their structural division;

6.3.5    control the implementation by employees of their structural division of the necessary rules in order to ensure the physical security of computer equipment and data carriers that are used in the division;

6.3.6    inform the IT Department in a timely manner about all facts of information security violations or insufficient level of information security;

6.3.7    promptly inform the IT Department and communications about all identified failures in the operation of information systems;

6.3.8    provide the necessary information resources to the employees of their structural division in strict accordance with the needs of the latter within the framework of their official duties.

6.4       Employees of Gontard & Cie

6.4.1    comply with the requirements of the Information Security Policy, relevant local acts and documents of Gontard & Cie and other instructions of the management on information security issues;

6.4.2    respect the confidentiality of the data that they have accessed;

6.4.3    ensure the physical security of all technical equipment and data carriers used in the work;

6.4.4    do not connect to or use in the automated information system any personal computer or digital equipment, or data carriers, without authorization;

6.4.5    do not allow unauthorized installation of software on computers that are part of an automated information system;

6.4.6    promptly inform the head of their structural division of all cases of information security breaches and all identified failures in the operation of software and hardware;

6.4.7    exercise caution in relation to any actions that may lead to a decrease in the level of information security.

6.5       Third-party individuals and legal entities

6.5.1    comply with the requirements of the Information Security Policy, relevant local acts and documents of Gontard & Cie and other instructions of the management on information security issues;

6.5.2    comply with all information security requirements when interacting with Gontard & Cie, when performing works and contracts.

7.       BASIC REQUIREMENTS FOR THE PROTECTION OF RESTRICTED ACCESS INFORMATION

7.1       General requirements

7.1.1    Gontard & Cie must establish and maintain a security regime that provides for the implementation of organizational and technical measures aimed at ensuring the confidentiality of information that is restricted in accordance with legal requirements.

7.1.2    Gontard & Cie processes and stores the following categories of restricted information:

            -     confidential information, including personal data;

            -     medical data.

7.1.3    Gontard & Cie should define the specific content of restricted access information and develop lists of restricted access information for each category specified in clause 7.1.2.

7.1.4    Gontard & Cie, as the owner of restricted access information, may, unless otherwise provided by Federal laws:

            -     allow or restrict access to the information and determine the procedure and conditions for such access;

            -     use the information, including distributing it, at its own discretion;

            -     transfer the information to other persons on the basis established by law;

            -     protect its rights in the event of illegal receipt or illegal use of the information by other persons, by means established by law;

            -     carry out other actions with the information or authorize such actions, if these actions do not contradict Federal laws and other legal acts of regulators.

7.1.5    Gontard & Cie, as the owner of restricted access information, in the exercise of its rights is obliged:

            -     to observe the rights and legitimate interests of other persons;

            -     to take measures to protect information;

            -     restrict access to information, if such a duty is established by Federal laws.

7.1.6    Gontard & Cie, as the owner of restricted access information that is processed in the information system of Gontard & Cie, is obliged, in cases established by law, to ensure the following:

            -     prevention of unauthorized access to information and (or) its transfer to persons who do not have the right to access information;

            -     timely detection of the facts of unauthorized access to information;

            -     prevention of the possibility of adverse consequences of violation of the order of access to information;

            -     prevention of influence on technical means of information processing, as a result of which their functioning is disrupted;

            -     possibility of regulated recovery of information modified or destroyed due to unauthorized access to it;

            -     constant monitoring of the level of information security.

7.1.7    Protection of restricted access information is the adoption of legal, organizational and technical measures aimed at:

            -     ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions in relation to such information;

            -     confidentiality of information;

            -     implementation of the right to access information.

7.2       Organization of personal data protection

7.2.1    When protecting personal data information in Gontard & Cie, it is necessary to be guided by the requirements of the GDPR which regulates relations associated with the processing and storage of personal data of citizens, and defines the requirements for protecting their confidentiality.

7.2.2    When processing personal data, Gontard & Cie is obliged to take measures that are necessary and sufficient to ensure the fulfillment of the obligations stipulated by the GDPR and the regulatory legal acts adopted in accordance with it. Gontard & Cie independently determines the composition and list of measures that are necessary and sufficient to ensure the fulfillment of obligations under the GDPR, unless otherwise provided by other Federal laws.

7.2.3    The list of measures to be implemented by Gontard & Cie as a personal data Regulator should include:

            -     appointment by Gontard & Cie of a person responsible for the organization of personal data processing;

            -     publication by Gontard & Cie of documents defining its policy on personal data processing, local acts on personal data processing, as well as local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation and eliminating the consequences of such violations;

            -     implementation of internal control and (or) audit of compliance of personal data processing with GDPR, personal data protection requirements, the policy of Gontard & Cie on personal data processing, local acts of Gontard & Cie;

            -     assessment of the harm that may be caused to personal data subjects in the event of a violation of the GDPR, and of the ratio of this harm to the measures taken by the Regulator to ensure compliance with the obligations stipulated by the Federal law “On personal data”;

            -     familiarizing the employees of Gontard & Cie who directly process personal data with the provisions of personal data legislation, including requirements for personal data protection, documents defining the policy of Gontard & Cie on personal data processing and local acts on personal data processing, and (or) training of these employees.

7.2.4    When processing personal data, Gontard & Cie is obliged to take the necessary legal, organizational and technical measures, or ensure their adoption, to protect personal data from unauthorized or accidental access to it, destruction, modification, blocking, copying, provision or distribution of personal data, as well as from other illegal actions in relation to personal data.

7.2.5    Ensuring the security of personal data is achieved in particular by the following:

-       identification of threats and violators of security of personal data during its processing in personal data information systems (PDIS);

-       application of organizational and technical measures to ensure the security of personal data during its processing in the PDIS, necessary to meet the requirements for personal data protection;

-       evaluating the effectiveness of measures taken to ensure the security of personal data prior to commissioning of the PDIS;

-       keeping records of machine-readable personal data carriers;

-       detection of facts of unauthorized access to personal data and taking of measures in response;

-       recovery of personal data modified or destroyed as a result of unauthorized access to it;

-       establishing rules for access to personal data processed in the PDIS, as well as ensuring registration and recording of all actions performed with personal data in the PDIS;

-       control over the measures taken to ensure the security of personal data and the level of protection of PDIS.

7.2.6    Employees of Gontard & Cie must be informed of and acknowledge the documents of Gontard & Cie that establish the procedure for personal data processing, as well as their rights, duties and responsibilities in this area.

7.3       Organization of confidential information protection

7.3.1    When organizing the protection of restricted access information in Gontard & Cie, it is necessary to follow the GDPR requirements that regulate relations associated with the establishment, modification and termination of the protected information processing regime.

7.3.2    Gontard & Cie shall establish a documented regime for the protection of confidential information (CI) and define measures to ensure it, including:

-      restriction of access to the information constituting the CI by establishing the procedure for handling this information and monitoring compliance with this procedure;

-      keeping records of persons who have gained access to the information constituting the CI, and (or) persons to whom such information was provided or transmitted;

-      regulation of relations in terms of use of information constituting the CI by employees on the basis of employment contracts and by counterparties on the basis of civil law contracts;

-      use of tangible media containing information constituting the CI in accordance with the approved document workflow rules of Gontard & Cie, which exclude unauthorized access to it.

7.3.3    To ensure the protection of information constituting the CI, Gontard & Cie is entitled to apply, if necessary, means and methods of technical protection of the confidentiality of this information, and other measures that do not contradict the law.

7.3.4    In order to protect the confidentiality of information constituting the CI, within the framework of the employment relationship, Gontard & Cie is obliged:

-      to familiarize, against signed acknowledgement, the employees whose access to the information constituting the CI is necessary for them to perform their duties, with the lists of information constituting the CI, with the regime of protection of the CI established in Gontard & Cie, and with the measures of responsibility for its violation;

-      to create the necessary conditions for employees to comply with the regime established in Gontard & Cie for the protection of information constituting the CI.

7.3.5    Employees of Gontard & Cie, in order to ensure the confidentiality of the information constituting the CI, are obliged to comply with the regime established in Gontard & Cie for the protection of information constituting the CI, not to disclose the information constituting the CI owned by Gontard & Cie, and not to use this information for personal purposes.

8.       BASIC REQUIREMENTS FOR INFORMATION SECURITY PROCESSES

8.1       General provisions

8.1.1    It is proposed to task the IT Department of Gontard & Cie with methodological guidance, development of specific requirements for information protection, analytical justification of the need to create an information security system, coordination of the choice of computer and communication tools and of hardware and software protection tools, and organization of work to identify the possibilities of, and prevent, leakage and violation of the integrity of protected information, including during the performance review of information objects.

8.2       Physical security and safety in the workplace

8.2.1    The security system for buildings and premises of Gontard & Cie, objects and technical means of information systems of Gontard & Cie shall provide the following functions:

-      differentiation of access of employees to the premises of Gontard & Cie in accordance with their powers and functional responsibilities;

-      registration of the entry of employees into premises with a restricted access regime (server rooms, archives, etc.);

-      registration of unauthorized persons entering the buildings of Gontard & Cie;

-      preventing unauthorized access to premises where hardware and network resources of information systems are located.

8.2.2    The main technical means that ensure the operation of the most important automated information systems must be located in the areas with special control.

8.2.3    The following groups of resources should be assigned to technical means that are allocated to the areas with special control:

-      main information servers and means of computer technology, where operational data, information about operations of Gontard & Cie, and information of limited distribution are processed and stored;

-      network equipment and servers that support the work of critical systems;

-      file servers that store data, including backup data;

-      systems and communication equipment critical for the operations of Gontard & Cie that provide external communications of Gontard & Cie.

8.2.4    Controlled areas should be protected by appropriate access control and management systems, ensuring access only to authorized personnel.

8.2.5    Access to controlled areas by third parties or representatives of other organizations is only possible if accompanied by an authorized employee of Gontard & Cie.

8.2.6    The placement and operation of workstations, servers and network equipment of Gontard & Cie must be carried out in premises equipped with automatic locks and alarm systems and (if necessary) constantly under guard or supervision.

8.2.7    The technical means of output (network printing devices) and display of information (monitor screens) in the premises of Gontard & Cie should be positioned so as to prevent visual viewing of information by unauthorized persons and by personnel not allowed to work with this information.

8.2.8    Employees of Gontard & Cie, while absent from the workplace, must not leave documents or data carriers containing protected information on the desk.

8.2.9    Technical means and equipment must be placed and stored in such a way as to reduce the possible risk of damage and the threat of unauthorized access.

8.2.10 The premises of Gontard & Cie must be equipped with fire and smoke detectors, fire extinguishers, air conditioning systems, and security and fire alarm systems. In addition, an automatic fire extinguishing system should be installed in the server rooms.

8.2.11 Essential technical equipment of Gontard & Cie must be protected from power outages by connecting to the power grid using uninterruptible power supplies. Uninterruptible power supply equipment must be regularly tested and checked by authorized employees of Gontard & Cie in accordance with the manufacturer's recommendations.

8.2.12 Persons using official portable technical equipment outside of Gontard & Cie are personally responsible for the safety and security of the equipment, as well as the information, data and programs processed and stored in it.

8.2.13 Users of portable technical equipment must not leave this technical equipment and data carriers unattended.

8.2.14 Portable technical equipment must not remain outside of the controlled area of Gontard & Cie for longer than required by official necessity, unless otherwise determined by the management of Gontard & Cie.

8.3       Security when working with data carriers

8.3.1    Gontard & Cie must develop measures for the safe handling of electronic data carriers in order to control their use and to prevent unauthorized copying and disclosure of protected information, modification or destruction of that information, and unauthorized changes to the operation of information systems.

8.3.2    Employees of Gontard & Cie must use electronic data carriers only for the performance of their official duties. The use of electronic data carriers in Gontard & Cie for other purposes is strictly prohibited.

8.3.3    Electronic data carriers must be kept in secure premises that prevent unauthorized access to them. Furthermore, it is necessary to control access to the data carriers.

8.3.4    In the event of theft or loss of electronic data carriers, as well as other incidents that may lead to the disclosure of protected information, measures should be taken to investigate these incidents.

8.3.5    When removing an electronic data carrier from service, it must be guaranteed that all data stored on it is erased.

8.3.6    When disposing of electronic data carriers, it must be ensured that the information recorded on them cannot be restored.

8.3.7    The fact of destruction of information and disposal of the data carriers must be recorded in accordance with the procedure established in Gontard & Cie.

8.4       Maintenance of equipment

8.4.1    The hardware of all automated systems of Gontard & Cie must be regularly serviced in accordance with the recommendations of the equipment manufacturers.

8.4.2    Repairs and maintenance of equipment must only be performed by qualified personnel authorized by Gontard & Cie to perform these works.

8.4.3    Maintenance of equipment and systems by third parties should not lead to the risk of disclosure of protected information.

8.5       Interaction with third parties

8.5.1    In order to ensure the information security of Gontard & Cie, when interacting with third parties, the current rules and measures for ensuring information security in Gontard & Cie must be observed and at least the following measures should be taken:

-     an agreement should be signed on non-disclosure of confidential information;

-     whenever possible, third-party actions should be monitored;

-     whenever possible, contracts with third parties should stipulate the right of Gontard & Cie to conduct an information security audit of the information that Gontard & Cie transfers to a third party.

8.6       Life-cycle management of information systems

8.6.1    Gontard & Cie should define the stages of the life cycle of information systems (automated information systems) and regulate the information security requirements that should be taken into account at each stage.

8.6.2    The life cycle management system of automated information systems should be aimed at ensuring information security during commissioning, operation, maintenance, modernization, and decommissioning of all information systems that automate the activities of Gontard & Cie.

8.6.3    The basis for selecting or developing information systems should be security tasks containing information security requirements for information systems, the needs of functional divisions of Gontard & Cie, the information technologies used and the methods of information protection applied in Gontard & Cie.

8.6.4    In order to safely upgrade existing information systems to improve the quality of their operation, Gontard & Cie must define the procedure for making changes to the automated information system, installing security updates, and modifying software.

8.6.5    Any planned change to the automated information system must first be tested for compatibility and for the absence of malfunctions of system components used in the production environment of Gontard & Cie.

8.6.6    Work on the modernization of the automated information system, including software installation and updates which require the functioning of an automated information system component to be stopped, shall be performed outside working time or during the lightest workload, in accordance with the Automated Information System Service Regulations approved by the order of Gontard & Cie.

8.6.7    When decommissioning automated information systems, it must be guaranteed that the information processed and stored in them is deleted using specialized software tools or by physically destroying the information carriers.

8.6.8    All information security procedures established in Gontard & Cie in relation to automated information systems must be implemented and monitored by persons responsible for information security.

8.7       Anti-virus protection

8.7.1    In order to prevent, detect and eliminate malicious software, Gontard & Cie must use anti-virus protection on a regular basis.

8.7.2    Any information (text files of any format, data files, executable files) received and transmitted via telecommunication channels, as well as information stored on plug-in removable media, when directly accessed, must be subject to mandatory antivirus control.

8.7.3    When installing software on the servers of the information systems of Gontard & Cie or updating it, the software must be automatically pre-checked for the absence of malicious software.

8.7.4    Malware signature databases and antivirus protection tools should be updated on a regular basis.

8.7.5    Gontard & Cie must ensure periodic monitoring of event logs in order to control timely and regular updates of signature databases of malicious software and antivirus protection tools.

8.7.6    The users of Gontard & Cie information systems should not be able to access the configuration of the antivirus protection tool or its deactivation function.

8.7.7    Gontard & Cie should define a procedure for processing and recovering infected data and, if possible, tracking the source of infection.

8.8       Control of access to information systems

8.8.1    In order to ensure uniform rules for granting, changing, and terminating access to the information systems of Gontard & Cie, as well as to ensure the security of information when granting access, Gontard & Cie must develop and implement relevant regulations.

8.8.2    All employees of Gontard & Cie authorized to work with information systems, as well as IT service personnel, must bear personal responsibility for violations of the established procedure for automated information processing, storage, use and transfer of protected system resources at their disposal.

8.8.3    The level of authority of the user in the information system of Gontard & Cie must be determined in accordance with his/her job responsibilities and production needs.

8.8.4    Information processing in the information systems of Gontard & Cie must be performed in accordance with the approved operating procedures and technological instructions for these systems, which must take into account information protection requirements.

8.8.5    Documented operating procedures should be maintained for the operation of all critical information systems of Gontard & Cie, including the main automated system of Gontard & Cie (the data processing information system), other information systems and office applications.

8.8.6    The access of users to the information systems of Gontard & Cie must be controlled by the direct administrator of this system and / or the owner of the system.

8.8.7    Gontard & Cie shall regularly monitor the implementation of policies and other documents related to the regulation of access of the employees of Gontard & Cie to information systems.

8.9       Identification and authentication

8.9.1    User access to information systems should be granted only after successful completion of identification, authentication and authorization procedures.

8.9.2    The internal documents of Gontard & Cie should document, and bring to the attention of employees and clients of Gontard & Cie, the procedures that determine the actions to be taken in the event of compromise of the information necessary for their identification, authentication and / or authorization (including compromise that occurred through their own fault), as well as information on how to recognize such cases.

8.9.3    Obtaining the user name in the system and the password information that provide user access to system resources should be done through HR.

8.10     Password security

8.10.1 In order to ensure protection against unauthorized access to information systems, internal documents of Gontard & Cie must set requirements for the selection of password information that ensure a sufficient degree of password strength.

8.10.2 To ensure the confidentiality of password information, it is strictly prohibited to store the user's password values on paper in clear text or in freely accessible places.

8.10.3 To ensure the confidentiality of password information, users are strictly prohibited from transmitting their password values to third parties.

8.10.4 When a user enters a password to access the information system of Gontard & Cie, the password information should not be displayed on the monitor screen in open form.

8.10.5 In the information systems of Gontard & Cie, the procedure for changing password information must be initiated automatically on a regular basis.

8.11     Registering events

8.11.1 All components of the information systems of Gontard & Cie that process, store, or transmit protected information must register security events. The list of security events is determined by a working group that includes authorized employees of the IT Department.

8.11.2 Gontard & Cie should develop a procedure for configuring information security event registration, which should contain a list of events required for registration for each system component.

8.11.3 The automated system for monitoring security events should check the event logs on a regular basis for error messages that may result from a malfunction of an information system component or indicate an information security incident.

8.11.4 A list of criteria for identifying information security incidents should be compiled for each component of the information system.

8.11.5 In relation to registered information security events, it is necessary to define and implement the functions for their protection, including the separation of access control to registration logs, logging control, integrity control of stored logs, and physical protection of hardware.

8.12     Information network security

8.12.1 Gontard & Cie must have adequate control over the local area network of Gontard & Cie and all external information communications of Gontard & Cie to ensure data protection and protect the information system of Gontard & Cie from unauthorized use and access.

8.12.2 Gontard & Cie must clearly define and regulate the purposes of using the Internet and the requirements for the procedure for using Internet resources. The use of the Internet by employees for personal purposes must be strictly prohibited.

8.12.3 Access to information services on the Internet should be provided to employees of Gontard & Cie in the event of operational need under specially issued requests.

8.12.4 Connection to the Internet should only be made when the connection is protected by installing firewalls and special security software.

8.12.5 The firewalls used in Gontard & Cie must be securely configured in accordance with an approved configuration standard that describes the settings for these tools and is updated whenever required.

8.12.6 Internet access permission policies must be technically enforced by specialized software in accordance with the security policy for interaction with the Internet.

8.12.7 Control over the use of Internet resources by employees must be carried out by authorized employees of the IT Department on an ongoing basis.

8.13     Using corporate email

8.13.1 The corporate email system should be used in Gontard & Cie for the purpose of organizing the exchange of electronic messages between employees, as well as between employees of Gontard & Cie and external subscribers (representatives of third-party organizations, etc.).

8.13.2 Gontard & Cie should clearly define and regulate the requirements for using the corporate email system.

8.13.3 The provision and termination of access to corporate email resources should be made only on the basis of a properly executed application.

8.13.4 Gontard & Cie must have specialized software installed that monitors all incoming messages for malicious software.

8.13.5 Gontard & Cie should provide mechanisms for archiving and backup of corporate email in automatic mode and set requirements for working with the email archive.

8.14     Data backup and recovery

8.14.1 Backup and restore of all entities in Gontard & Cie is governed by the "Data Backup and Restore Policy in Gontard & Cie", approved by order of Gontard & Cie.

8.14.2 Backup in Gontard & Cie must be performed for all entities, including:

-     file servers and application servers that are critical for operations of Gontard & Cie;

-     operating systems of file servers and application programs;

-     applications that are critical to operations of Gontard & Cie;

-     operational data.

8.14.3 The frequency and mode of backup should be set in such a way as to ensure minimal data loss and an acceptable recovery time.

8.14.4 Data backup of the information systems of Gontard & Cie should be performed in order to restore the original data in case of loss of the originals.

8.14.5 Backup and restore of the information system resources of Gontard & Cie must be performed by authorized employees of Gontard & Cie in accordance with the established procedure and requirements for backup and restore of the information system resources of Gontard & Cie.

8.14.6 Gontard & Cie must develop a list of information system resources of Gontard & Cie that are to be backed up, establish the procedure for performing backup and define requirements for storage and destruction of backups.

8.14.7 Backup should be carried out in automatic mode.

8.14.8 Compliance with the backup procedure rules should be monitored on a regular basis.

9.         BASIC REQUIREMENTS FOR INFORMATION SECURITY MANAGEMENT PROCESSES

9.1       Ensuring business continuity

9.1.1    Gontard & Cie shall have documented information security requirements that govern business continuity and business recovery after interruption.

9.1.2    Gontard & Cie shall document a plan for ensuring business continuity and its recovery after a possible interruption, which shall contain instructions and procedures for the employees of Gontard & Cie to restore the functionality of information systems of Gontard & Cie that has been disrupted.

9.1.3    Gontard & Cie should document and perform periodic testing of the plan for ensuring business continuity and its recovery after interruption, which should result in appropriate adjustments to the plan if necessary.

9.1.4    In order to ensure an adequate response of employees in the event of a crisis, Gontard & Cie should develop and maintain procedures for conducting periodic staff training and practical testing of the plan for ensuring business continuity and its recovery after a possible interruption.

9.1.5    The training process should include periodic briefings of the employees of Gontard & Cie on how to ensure business continuity and restore it after a possible interruption.

9.1.6    Regular practical testing of the plan for ensuring business continuity should be conducted to monitor the extent to which employees are aware of the specific actions that they are required to perform in accordance with the plan.

9.1.7    The organization of training sessions and the testing process should be carried out in accordance with the continuity training plans, which should be updated on a regular basis.

9.2       Risk management

9.2.1    The choice of information security requirements and security mechanisms used in the information security system should be based on an analysis of the risks of violation of the main security properties for the most critical information resources of Gontard & Cie.

9.2.2    Gontard & Cie should select and approve an information security risk management policy that should define the technology for conducting an inventory of information resources and systems used by the employees of structural divisions of Gontard & Cie to perform their functional duties, as well as establish methods and procedures for assessing the risks of information security violations.

9.2.3    To implement a risk-based approach to building an information security system, it is necessary to conduct an inventory of all information assets of Gontard & Cie and categorize them according to the severity of the consequences of losing the security properties of information resources.

9.2.4    Information security risk management should be carried out on an ongoing basis for all categorized information resources of Gontard & Cie.

9.2.5    The basis for risk evaluation should be an assessment of the conditions and factors that may cause violations of the integrity, confidentiality and availability of the resources of the information system of Gontard & Cie.

9.2.6    The information security risk management process should include activities of assessment, analysis and processing of information security risks.

9.2.7    The criteria for accepting information security breach risks and the level of tolerable risk that Gontard & Cie is ready to accept must be documented.

9.2.8    Based on the results of risk assessment activities for each unacceptable risk, a plan for its processing should be formed, including the sequence and timing of implementation of regulatory, organizational and technical protection measures.

9.2.9    The result of the risk analysis should be the determination of a set of countermeasures aimed at reducing the possible negative impact on the main activities of Gontard & Cie in the event of implementation of a particular threat, and ensuring a sufficient level of security of the information system of Gontard & Cie.

9.3       Managing information security incidents

9.3.1    To resolve information security incidents in Gontard & Cie effectively, minimize losses and reduce the risk of repeated incidents, it is necessary to manage information security incidents effectively.

9.3.2    Gontard & Cie shall define and approve the procedure for managing information security incidents and the process of interaction between the divisions of Gontard & Cie in the event of an incident.

9.3.3    To manage information security incidents, it is necessary to establish an incident record system: a set of tools and measures for collecting and consolidating information about incidents, which should make it possible to store the data obtained as a result of incident investigations and to document the actions taken in response to incidents.

9.3.4    In order to respond effectively to information security incidents, it is necessary to determine the types of possible incidents, the persons to be notified in case of their occurrence, the degree of severity of each incident, and the response time to the incident.

9.3.5    It is necessary to develop and regularly update an information security incident response plan which should contain procedures for responding to typical incidents that may occur or have occurred previously.

9.3.6    Each incident that has occurred must be analyzed, and effective responses to it must be developed.

9.3.7    In order to prevent and completely eliminate the consequences of information security incidents, Gontard & Cie must establish a procedure for conducting an incident investigation.

9.4       Monitoring the current level of information security

9.4.1    In order to ensure a high level of control over the information security system, Gontard & Cie must constantly conduct a comprehensive analysis of existing security mechanisms and emerging information security incidents, as well as periodically complete audits of the entire information security system.

9.4.2    The process of monitoring the information security system should include quality control of the functioning of organizational and technical security measures, analysis of configuration parameters and settings of security mechanisms.

9.4.3    In order to ensure the correct functioning of the security measures and mechanisms available in Gontard & Cie, their settings, configuration and operability must be monitored on a regular basis.

9.4.4    Gontard & Cie should develop a procedure for monitoring protective measures, which should include a control plan and a description of control measures.

9.4.5    When conducting control activities related to the assessment of the functioning of protective measures in Gontard & Cie, authorized employees should adhere to the following principles:

-       not to disrupt the functioning of the current activities of Gontard & Cie;

-       to act in accordance with the internal information security documents of Gontard & Cie;

-       not to hide the facts of identified incidents and violations of information security requirements;

-       to collect evidence confirming the implementation of measures to ensure information security.

9.4.6    Information obtained in the course of monitoring activities about actions, events and parameters related to the functioning of protective measures should be consolidated and stored in places that prevent unauthorized access to it.

9.4.7    In order to promptly identify information security incidents and actions in information systems that may lead to the implementation of information security threats, Gontard & Cie should define and regularly conduct procedures for monitoring and analyzing data on registered information security events.

9.4.8    Monitoring of data on registered information security events should be carried out using built-in mechanisms for configuring and auditing events in software and hardware used in information systems of Gontard & Cie.

9.5       Audit of the information security system

9.5.1    In order to assess the current level of information security, authorized employees of Gontard & Cie should regularly initiate the information security audit process, which comprises the activities involved in carrying out information security audits.

9.5.2    The frequency of audits, the resources allocated to them, and the employees responsible for these activities should be defined in the audit programs.

9.5.3    Gontard & Cie should regulate the general procedure for planning, conducting, processing and analyzing the results of information security audits.

9.5.4    The result of information security audits should be detailed reports on the completed information security audit.

9.5.5    Based on the results of the audit, authorized employees and responsible divisions of Gontard & Cie must determine, within a reasonable time, the actions necessary to eliminate the inconsistencies detected during the audit and their causes.

9.6       Management of internal information security documents

9.6.1    Gontard & Cie should regulate the management of information security documents and establish responsibility for implementation of the process of management of information security documents.

9.6.2    The management of information security documents should be aimed at ensuring the development, recording, use, storage, verification, updating and modification of documents regulating the activities of Gontard & Cie in matters of information security.

9.6.3    Adjustments to information security documents should be made on a regular basis, as well as when necessary, for example, based on the results of a risk assessment, analysis of the functioning of the information security system, analysis of the relationships of internal documents, audit, as well as changes in legislation and significant changes in business processes in Gontard & Cie.

9.6.4    Gontard & Cie should develop internal documents on information security in accordance with the principle of hierarchical structure of documents, which include:

-       top-level policies;

-       particular information security policies that set detailed requirements for specific areas of information security;

-       documents regulating the procedures for performing certain types of activities related to information security.

9.7       Human resources management

9.7.1    Gontard & Cie should organize a human resources management process that ensures a relationship of trust with employees and provides a comprehensive response to information security threats emanating from the internal staff of Gontard & Cie.

9.7.2    Gontard & Cie should perform mandatory checks when hiring new employees, both in terms of the reliability of the data they report and in terms of evaluating their professional skills.

9.7.3    Gontard & Cie should organize work with employees on raising awareness and training in the field of information security, documented and approved by the management of Gontard & Cie, including the development and implementation of plans and programs for training and raising awareness in the field of information security and monitoring the results of the implementation of these plans.

9.7.4    The system of raising awareness of the employees of Gontard & Cie in terms of ensuring information security should include developing an understanding among the employees of what kind of information security issues may arise during the day-to-day processing of information in an automated information system, as well as understanding what to avoid and how to act in the event of a particular critical situation.

9.7.5    The information security training process should be based on regular training courses followed by testing of the trainees' knowledge.

9.7.6    The programs of training and raising awareness of the employees of Gontard & Cie should include the following information:

-       on existing information security policies of Gontard & Cie;

-       on the protective measures applied in Gontard & Cie;

-       on the correct use of protective measures in accordance with the internal documents of Gontard & Cie;

-       on the significance and importance of the activities of employees for ensuring information security.

10.       FINAL PROVISIONS

10.1     In the event of changes to the current legislation and other regulations, as well as internal documents of Gontard & Cie, this Policy and changes to it are applied in the part that does not contradict the newly adopted legislation and other regulations, as well as internal documents of Gontard & Cie.

10.2     This Policy is reviewed and amended on a periodic and unscheduled basis:

-       periodic review and changes (if necessary) should be made at least once a year;

-       unscheduled revision and changes can be made based on the results of information security risk analysis, analysis of information security incidents, analysis of the relevance, sufficiency and effectiveness of information security measures used, as well as the results of internal and external information security audits and other control measures.

10.3     The Data Protection Officer of Gontard & Cie is charged with responsibility for making changes to this Policy.