UAB “Pervesk“ Information Security Policy

1. 1. Overview

   1. Information is a valuable part of the assets of UAB “Pervesk" (hereinafter The Company), therefore its loss, illegal change or disclosure, damage or termination of information processing may cause disruptions in the operation of the Company, and cause damage to the interested parties. Taking this into account, the Company takes measures to ensure information security.
   2. The purpose of information security management is to ensure appropriate and effective information security management and to prevent disruption of operations and the occurrence of damage due to violations of confidentiality, integrity, and availability of information.

2. 2. Scope

   1. The Policy applies to:
      1. all Company activity processes and all structural divisions;
      2. all Company Information, regardless of its form and storage method;
      3. all employees of the Company and Third parties who are subject to legal acts and/or access to Company Information or Information is provided on the basis of contractual relations processing tools to perform the functions (rights) provided for in legal acts or the contract;
      4. services provided by external service providers.

3. 3. Information Security Management System

   1. The security of the information handled by the Company includes three main aspects:
      1. Confidentiality – protection of information from unauthorized disclosure;
      2. Integrity - protection of information against unauthorized or accidental change;
      3. Availability – ensuring that information is available when it is needed.
   2. The Company's Information Security Management System (hereinafter - ISMS) implements this Policy and defines the main principles of information security assurance and management.
   3. The Company's ISMS requirements are determined in accordance with:
      1. Legal acts of the European Union and the Republic of Lithuania regulating Information Security and personal data processing, including the General Data Protection Regulation (EU) 2016/679 (hereinafter - GDPR);
      2. Methodological instructions of the State Data Protection Inspectorate and the European Data Protection Board and other legal sources related to Information processing and security;
      3. Board of the Bank of Lithuania resolution no. 03-174 "On approval of the description of information and communication technologies and security risk management requirements" (TAR, 2020-11-26, No. 2020-25173) and other information security requirements of Bank of Lithuania;
      4. ISO/IEC 27001:2013 Information security management system requirements, and;
      5. Company's ICT strategy.
   4. Company’s objectives defined in The Information and Communication Technology Security Strategy.
   5. The Company undertakes to ensure proper and efficient management of Information Security, in order to avoid disruption of operations due to the disclosure of confidential Information, Information breach of integrity or unavailability of Information due to its loss or system failure.
   6. Information security is managed through consistent planning, implementation, testing, and continuous improvement of the ISMS.
   7. Any violation of Information Security norms is considered an Information Security incident, which may have a negative impact on the continuity of the Company's activities and cause reputation damage.
   8. Company employees and Third parties who have violated ISMS requirements are subject to measures provided for by the laws of the Republic of Lithuania.
   9. ISMS consists of the documents specified in the Appendix A of this Policy. All the documents must be approved by the Company CEO.

4. 4. Final Provisions

   1. The Company reserves the right to change the Policy at any time without prior notice.
   2. In the event that any changes are made, the revised Policy shall be communicated to all employees of the Company.
   3. Information Security Officer ensures that the employees of the Company are informed about the Policy, carries out appropriate security training, conducts an annual review of the Policy and initiates its amendments (if necessary).
   4. The Policy shall be approved by the Board of the Company.