Last update: 9 July 2024
  1. Familiarize yourself with and accept the General Information Security Requirements for Contractors.
  2. Fill in the Security Assessment Questionnaire so that the security level can be assessed.

Information security policy regarding supplier relations

Every supplier, contractor, associate or business partner must comply with TT PSC’s security requirements. The security level is evaluated by the TT PSC Security Team based on the responses provided in the Security Assessment Questionnaire. If there is any material discrepancy, the contractor must conform to TT PSC requirements or present a realistic plan for achieving such conformity before cooperation begins.

Including security in agreements made with suppliers

The supplier must read and comply with this document as well as conclude a non-disclosure agreement (NDA) and a data processing agreement. In addition, any person representing the supplier, who has access to confidential information, must sign the confidentiality clause. The supplier must protect the confidentiality and integrity of information.

TT PSC also maintains a register of agreements made with third parties. TT PSC representatives monitor the expiry dates and notify the persons responsible if the agreement must be extended or terminated.

Information and telecommunication technology supply chain

The supplier must ensure security in the entire supply chain for which it is responsible under the agreement, which applies in particular to the products or services it offers. The supplier must identify and document the supply chain of tasks carried out for TT PSC. The supplier must make sure that its subcontractors guarantee the same level of security as that provided by the supplier to TT PSC, and define the status of security measures taken for the whole supply chain.

TT PSC employee security

The supplier must have, implement and certify the implementation of policies that cover the following:

  1. Inform its personnel carrying out tasks for TT PSC about the security requirements when cooperating with TT PSC.
  2. Ensure an appropriate level of information on the security requirements by arranging adequate training sessions.
  3. Make sure that the employees carrying out tasks for TT PSC sign the statement of acknowledgement of security requirements.

Mobile devices

The supplier must make sure that the security of the work rendered for TT PSC using mobile devices (laptops, smartphones, tablets, and similar) provided by TT PSC or used by the supplier to carry out the assigned tasks complies with the relevant rules, which may include, depending on the nature of cooperation:

  • Requirements for the physical protection of the portable devices provided by TT PSC.
  • The option to check the software installed on the mobile devices.
  • Managing the permissions to access the mobile devices.
  • Protection of the mobile devices against external interference (screen lock, authentication) and malware.
  • Encryption of drives that guarantees the security of the stored data.
  • The option of safe remote management of the mobile devices.
  • Incorporation of MFA.
  • Automatic or cyclical control mechanisms to ensure the software is up-to-date, with an emphasis on the operating system and the most popular applications.
  • Password policy requiring at least 12 characters including at least one uppercase letter, one lowercase letter, one number and one special character.
  • Legal software.

IT system security

The protective measures for IT systems should provide:

  • Authorization and authentication mechanisms.
  • Control of data flow to prevent any leakage of data and unauthorized access to the systems, ensuring that environments are separated according to the work performed (production, development and testing).
  • Physical protection of systems.
  • Security of data shared and resources taken outside the protected area.

Information transmission

The access to systems and the transactions processed therein should fulfil two principal security requirements:

  • Connections encrypted with an SSL certificate (HTTPS) or another tool that ensures the secure transfer of information.
  • Authentication and authorization mechanisms, as well as rules for assigning permissions to employees.

Additionally, information should be exchanged via adequately secured channels. A task that requires access to or processing of confidential information may not be carried out using a public network.

External data carriers

The supplier must:

  • Have and implement policies for the secure deletion of data from any carriers that contain data concerning the tasks performed for TT PSC, which ensure effective deletion.
  • Have and implement policies for the secure transfer of any carriers that contain data concerning the tasks performed for TT PSC, which ensure effective data protection.

Assets

The supplier should guarantee the proper use of the assets provided by TT PSC, and assure that:

  • Their users are aware that they must use those assets safely, including the data stored on them and any access to confidential information they provide.
  • Once the assigned tasks are completed, the users return the assets or, in the case of data, delete it effectively.

Remote work

  1. Remote access to resources may only be used for the purposes and in the scope defined by TT PSC.
  2. Remote access is personal and issued individually to each of the supplier’s employees.
  3. A person using remote access may not share or transfer it to unauthorised persons.
  4. It is not permitted to transmit any confidential information provided by TT PSC via a public network.
  5. Persons using remote access must make sure that the remote mobile device used has up-to-date antivirus software and is not connected to any other network which does not meet the security requirements.

Security incidents

In the event of a security incident, or of an event that might potentially result in an incident, the supplier must report it as soon as possible to TT PSC and take all necessary measures to minimise the impact of the incident on the operations and image of TT PSC. The supplier should use adequate tools that enable the monitoring of events/logs and prevent unauthorised access to them, so as to allow the collection of evidence.

On TT PSC’s request, the supplier is obliged to present the register of events identified as incidents or potential incidents, together with the results of the actions taken and the analysis performed.

Permission management

  1. The process of granting permissions to access the systems on which TT PSC data are processed must be documented and controlled.
  2. The supplier must make it possible to review and check the persons with access to TT PSC systems.
  3. Tools used during the cooperation must allow for the withdrawal of any previously granted permission.

Backup copies

The supplier should ensure the protection of backup copies of the processed information while carrying out tasks for TT PSC. The supplier must guarantee the physical protection of backup copies. For cloud-based systems, the supplier must document such copies, specify the frequency with which they are created and, where possible, their storage location.

Termination of cooperation

The supplier must:

  1. Return all assets provided by TT PSC.
  2. Ensure the security of all protected information.
  3. Effectively destroy any information that requires destruction once the agreement is terminated.
  4. Take other actions as specified in the agreement.

Managing supplier services

Monitoring and review of supplier services

The supplier should make it possible for TT PSC to conduct a security audit covering the reports, analyses, plans or tests of the environments used during cooperation with the supplier.

Managing changes in supplier services

Any change in cooperation with the supplier must be analysed by TT PSC representatives to identify any potential risks regarding information security.