Information Security Policy

Information security governance, defining responsibilities, risk management, compliance, and controls to protect confidentiality, integrity, availability, and personal data.
Updated: 15 Mar 2026

Summary

This policy defines how Eurekos protects information assets by ensuring confidentiality, integrity, and availability. It outlines governance, risk management, and security controls aligned with ISO 27001 and ISO 27701 to safeguard customer data and meet legal and contractual obligations.

In this article you will learn:

  • How Eurekos protects information confidentiality, integrity, and availability
  • Which governance structure oversees information security
  • What security objectives guide the ISMS and PIMS frameworks
  • Who the policy applies to and their security responsibilities

Policy Statement

Information is one of Eurekos’ most valuable assets. Protecting the confidentiality, integrity, and availability of information entrusted to us is fundamental to maintaining our position as a trusted provider of IT services.

Information faces risks including loss, unauthorized disclosure, fraud, vandalism, cyberattacks, malware, social engineering, denial-of-service incidents, and environmental events such as fire or flood.

Through structured information security management, Eurekos protects information against these threats and preserves:

  • Confidentiality — Access is restricted to authorized individuals.
  • Integrity — Information remains accurate, complete, and protected from unauthorized modification.
  • Availability — Authorized users have reliable access to services and information when required.

Eurekos manages information security risks through proportionate controls that balance risk exposure against mitigation cost and operational impact.

This policy confirms the Company’s commitment to compliance with applicable legal, regulatory, and contractual requirements. It also serves as documented assurance to third parties that required security controls are implemented and maintained.

Scope

This policy applies to all employees, contractors, suppliers, and partners. Every individual has a responsibility to contribute to the secure handling of information and the systems used to manage it.

Legal & Regulatory Framework

GDPR compliance, including the handling of data erasure requests, is governed through documented technical and organizational measures defined in the Data Processing Agreements concluded with customers and other relevant parties.

Key Information Security Objectives

Eurekos has established measurable security and privacy objectives aligned with ISO 27001 (§6.2) and ISO 27701 (§5.2) under the ISMS/PIMS framework. These objectives are continuously monitored, audited, and reported to Management to ensure:

  • Ongoing privacy awareness and training
  • SLA-aligned service availability
  • Annual penetration testing and remediation of high-risk findings
  • A structured three-year internal audit cycle
  • Protection of personal data and prevention of PII breaches
  • Business continuity for customers

Management Commitment

Management is responsible for ensuring that information security controls are implemented, maintained, and continuously improved across the organization.

This policy:

  • Demonstrates Management’s commitment to continual improvement
  • Provides the framework for setting security objectives
  • Defines accountability across the ISMS scope
  • Includes independent third-party audits for validation

The policy is maintained as controlled documented information, communicated internally, and made available to relevant external stakeholders as appropriate. Compliance is mandatory for all personnel and relevant external parties.

Governance Structure

Information security governance is overseen by the Information Security Steering Group (ISSG). The ISSG:

  • Reviews and advances security initiatives
  • Assesses and approves risk assessments for system changes
  • Monitors audit findings and incident reports
  • Recommends improvements to security controls

The ISSG meets at defined intervals to ensure structured oversight.

Human Resource Security

All personnel must comply with information security policies and best practices.

New employees (permanent or temporary) must complete mandatory information security training before receiving access to systems or information assets.

Access Control

Access to confidential information is governed by formal access control policies and procedures. All employees, contractors, and third parties must comply with these controls to ensure least-privilege access and data protection.

Physical & Environmental Security

Physical security measures include:

  • Building and alarm systems
  • Restricted facility access
  • Secure storage (lockers, safes, drawers)
  • Clear desk and clear screen policies

Compliance with the Physical and Environmental Security Policy is mandatory.

Operations Security

Operations are governed by coordinated information security policies and a structured change management process to ensure secure and reliable information processing.

Communications Security

Technology use and communications controls are governed by the ISSG, ensuring appropriate safeguards are in place to protect data in transit and operational systems.

Secure System Development & Supplier Security

Information security requirements are integrated into procurement, development, and system change processes.

The Development Policy defines secure coding and structured development practices.

Supplier access risks are formally assessed, documented, and governed through a dedicated Supplier Information Security Policy.

Information Security Incident Management

All employees must understand what constitutes a security incident and how to report it.

Incident oversight rests with the Operational Security Officer. Formal procedures exist for incident handling, breach response, GDPR compliance, and escalation management.

Security by Design

Eurekos applies data minimization principles, limiting the collection of PII to what is necessary, relevant, and proportionate. This reduces risk exposure in the event of unauthorized disclosure.

Compliance

Eurekos avoids breaches of legal, statutory, regulatory, and contractual security obligations by implementing structured technical and organizational safeguards.

The Company ensures that:

  • Individuals handling personal data understand their contractual responsibilities
  • Personnel are appropriately trained and instructed
  • Data processing activities are supervised and controlled