This policy refers to information security aspects of TOTEM Communication based in str. Popa Soare nr. 27, 023981 Bucharest, registered with the Trade Registry under number J40/13710/2003, CUI RO15816821), hereinafter referred to as TOTEM.

Vision

In today’s and especially in the future’s business circumstances and environment, data security is essential for us as well as for our Customers and partners. That is why we are committed to protecting our information and that of our Customers and partners, monitoring, evaluating and improving the adequacy and effectiveness of this protection from a personal point of view, methods and assets, including hardware and software.

Mission

Ensuring the confidentiality, integrity and availability of Company and Client information under conditions of compliance with legal, regulated and other assumed information security requirements, as well as under conditions of ensuring the functionality and availability of computer assets, including hardware and software.

Scope of application

All information processing, transfer and storage activities, all personnel involved and all relevant assets in all departments of the company, including hardware, software, storage media, documents and records.

Purpose

The purpose of the Policy is to protect TOTEM Communication’s information assets from all threats, whether internal or external, deliberate or accidental, respectively identifying and assessing security risks, developing and implementing necessary treatment programs in parallel with the development, monitoring and periodic analysis of associated compliance and effectiveness indicators, as well as establishing, implementing,  monitoring and analysis on this basis of the necessary prevention and improvement measures.

Objectives

•  Preventing breaches and security incidents, especially major incidents.
• Reducing to the minimum permissible interruptions caused by incidents, breakdowns or cataclysms.
• Maintaining integrity and (prompt) availability of information to authorized users.
• Maintaining the integrity, functionality and availability (for authorized users) of hardware and software.
• Developing and maintaining necessary protections against theft, loss, damage or unauthorized modification.
• Specifying and assuming responsibilities and ensuring the necessary involvement at the level of each position.
• Obtaining and maintaining the necessary level of knowledge and awareness on information security.
• Developing and maintaining the necessary response capacity in emergency situations.
• Ensuring the necessary capacity to continue activities in case of major incidents.
• Achieving and maintaining ISO 27001 compliance and certification by an accredited body.

Principles

• Identifying, analyzing, evaluating, recording, communicating and treating information security risks
• Organization of society, establishment of responsibilities and allocation of resources to ensure information security
• Establishing, updating and communicating system and working rules on information security
• Classification of information and security areas
• Controlled access to buildings, rooms, assets, network, documents and files, and storage media
• Establishing, communicating and monitoring access rules for Employees, Customers, Collaborators and other third parties
• Monitoring and recording access to the company – to the registry office and servers
• Monitoring and recording access – remotely and remotely – to company files and servers
• Reporting, investigating and dealing with security incidents and deficiencies, promptly applying the necessary treatment and prevention measures, and analysing the effectiveness of these measures. All security incidents, real or suspected, will be reported to and investigated by RMSI (Information Security Management Representative)
• Development of emergency response plans and capabilities, including business continuity plan
• Identification and analysis of legal and other assumed requirements regarding information security and development on this basis of the necessary compliance measures, including monitoring of this compliance.
• Training staff on information security
• Meeting legislative and regulatory requirements

Final decisions

In order to ensure the success of the information security assurance mission, TOTEM Communication management has established the Information Security Committee as a management and specialty forum where all requirements, risks and news regarding information security are analyzed, being established on this basis the necessary measures, programs, rules and criteria, including this statement and the associated security system documentation.

An Information Security Management Representative (RMSI) has also been appointed, who is directly responsible for carrying out the Policy and providing support and guidance for its implementation;

In order to apply this Policy, internal information security procedures have been put into operation.

Each person with a management position in TOTEM Communication is responsible for the implementation and success of this policy in its management area, including the involvement and performance in this regard of the subordinated staff.

Each Employee has the obligation to know, comply and support this Policy and the applicable provisions of the information security documentation communicated by the Company.

The Information Security Policy of TOTEM Communication will be reviewed periodically.

The Information Security Policy was approved by TOTEM Communication management.

This Information Security Policy was last updated on 23.10.2023.