Information Security Policy

As part of Nemetschek Bulgaria we know the importance of sharing common principles based on proven good practices. We're certified against the standards for quality and information security ISO 27001, ISO 9001, as well as the health and safety management standard ISO 45001.

Being Atlassian Silver marketplace Vendor we follow Atlassian's stringent guidelines for security, including:

• App Security Incident Management Guidelines for Atlassian Marketplace Vendors

• Atlassian Cloud Security Program

• Atlassian Cloud App Operations Guide

• Security Guidelines and Best Practices for Atlassian Marketplace Vendors

• We participate in Atlassian's Bug Bounty program

Nemetschek Bulgaria Information Security Policy

Computer information systems and networks are an integral part of business at Nemetschek OOD.

The companies have made a substantial investment in human and financial resources to create these systems.

The enclosed policies and directives have been established in order to:

• Protect investment.

• Safeguard the information contained within these systems.

• Reduce business and legal risk.

• Protect the good name of the companies.

Violations

Violations may result in disciplinary action in accordance with companies policies. Failure to observe these guidelines may result in disciplinary action by the companies depending upon the type and severity of the violation, whether it causes any liability or loss to the companies, and/or the presence of any repeated violation(s).

Administration

The Nemetschek ITS manager is responsible for the administration of this policy.

Statement of responsibility

Management responsibilities

Management of Nemetschek OOD

1. Ensures that all appropriate personnel are aware of and comply with this policy.

2. Creates appropriate performance standards, control practices, and procedures designed to provide reasonable assurance that all employees observe this policy.

Nemetschek ITS manager responsibilities

The Nemetschek ITS manager:

1. Develops and maintains written standards and procedures necessary to ensure implementation of and compliance with these policy directives.

2. Provides appropriate support and guidance to assist employees to fulfill their responsibilities under this directive.

OUs Managers/Leaders

Managers and Leaders of Nemetschek OOD organizational units are responsible for:

• Identification of Information assets

• Definition and analysis of security risks related to those assets

• Definition and conducting of mitigation and contingency planning, corrective actions related to the information assets

Employee responsibilities

Employees are responsible for adherence to all documents related to Information Security. Violation of any of practices documented in those documents is treated as per the rules of Nemetschek Internal Code of Practice.

The Internet and e-mail

The Internet is large, publicly accessible network that has millions of connected users and organizations worldwide. One popular feature of the Internet is e-mail.

Policy

Access to the Internet is provided to employees for the benefit of Nemetschek OOD and their customers. Employees are able to connect to a variety of business information resources around the world.

Conversely, the Internet is also replete with risks and inappropriate material. To ensure that all employees are responsible and productive Internet users and to protect the companies interests, the following guidelines have been established for using the Internet and e-mail.

Acceptable use

Employees using the Internet are representing the companies. Employees are responsible for ensuring that the Internet is used in an effective, ethical, and lawful manner. Examples of acceptable use are:

• Using Web browsers to obtain business information from commercial Web sites.

• Accessing databases for information as needed.

• Using e-mail for business contacts.

Unacceptable use

Employees must not use the Internet for purposes that are illegal, unethical, harmful to the companies, or nonproductive. Examples of unacceptable use are:

• Sending or forwarding chain e-mail, i.e., messages containing instructions to forward the message to others.

• Broadcasting e-mail, i.e., sending the same message to more than 10 recipients or more than one distribution list, unless it is with business purpose.

• Conducting a personal business using company resources.

• Transmitting any content that is offensive, harassing, or fraudulent.

Downloads

File downloads from the Internet are not permitted unless authorized by the Nemetschek ITS manager, ITS authorized personnel or the Team/Department Leader.

Employee responsibilities

An employee who uses the Internet or Internet e-mail shall:

1. Ensure that all communications are for professional reasons and that they do not interfere with his/her productivity.

2. Be responsible for the content of all text, audio, or images that (s)he places or sends over the Internet. All communications should have the employee’s name attached.

3. Not transmit copyrighted materials without permission.

4. Know and abide by all applicable Nemetschek OOD policies dealing with security and confidentiality of companies records.

5. Run a virus scan on any executable file(s) received through the Internet.

6. Avoid transmission of nonpublic customer information. If it is necessary to transmit nonpublic information, employees are required to take steps reasonably intended to ensure that information is delivered to the proper person who is authorized to receive such information for a legitimate use.

Copyrights

Employees using the Internet are not permitted to copy, transfer, rename, add, or delete information or programs belonging to others unless given express permission to do so by the owner. Failure to observe copyright or license agreements may result in disciplinary action by the companies and/or legal action by the copyright owner.

Monitoring

All messages created, sent, or retrieved over the Internet are the property of the companies and may be regarded as public information. Nemetschek OOD reserve the right to access the contents of any messages sent over its facilities if the companies believes, in its sole judgment, that it has a business need to do so.

All communications, including text and images, can be disclosed to law enforcement or other third parties without prior consent of the sender or the receiver. This means don’t put anything into your e-mail messages that you wouldn’t want to see on the front page of the newspaper or be required to explain in a court of law.

Computer viruses, malware

Computer viruses and malware are programs designed to make unauthorized changes to programs and data. Therefore, viruses can cause destruction of corporate resources.

Background

It is important to know that:

• Computer viruses are much easier to prevent than to cure.

• Defenses against computer viruses include protection against unauthorized access to computer systems, using only trusted sources for data and programs, and maintaining virus-scanning software.

ITS responsibilities

Nemetschek ITS shall:

1. Install and maintain appropriate antivirus software on all computers (See QP QP0714).

2. Respond to all virus attacks, destroy any virus detected, and document each incident.

Employees responsibilities

These directives apply to all employees:

1. Employees shall not knowingly introduce a computer virus into companies computers.

2. Employees shall not load portable storage devices of unknown origin.

3. Incoming portable storage devices shall be scanned for malware before they are read.

4. Any associate who suspects that his/her workstation has been infected by a virus/malware shall IMMEDIATELY call the Nemetschek  ITS manager.

Access codes and passwords

The confidentiality and integrity of data stored on both companies computer systems must be protected by access controls to ensure that only authorized employees have access. This access shall be restricted to only those capabilities that are appropriate to each employee’s job duties.

ITS responsibilities

The Nemetchek ITS manager and authorized ITS personnel shall be responsible for the administration of access controls to all companies computer systems. The Nemetschek  ITS authorized personnel will process adds, deletions, and changes upon receipt of a written request from the end user’s supervisor.

Deletions may be processed by an oral request prior to reception of the written request. The Nemetschek ITS manager and Team/Department Leaders will maintain in a secure area access codes and passwords as applicable to the specific practices of each OU.

Employees responsibilities

Each employee:

1. Shall be responsible for all computer transactions that are made with his/her User ID and password.

2. Shall not disclose passwords to others. Passwords must be changed immediately if it is suspected that they may have become known to others. Passwords should not be recorded where they may be easily obtained.

3. Will change passwords at least every 90 days.

4. Should use passwords that will not be easily guessed by others.

5. Should log out when leaving a workstation for an extended period.

Management responsibility

Management (e.g. team Leaders or General Manager from both of the companies) should notify the responsible Nemetschek ITS personnel promptly whenever an employee leaves the company or transfers to another department so that his/her access can be revoked. Involuntary terminations must be reported concurrent with the termination.

Physical security, Removable media usage

It is companies policy to protect computer hardware, software, data, and documentation from misuse, theft, unauthorized access, and environmental hazards.

Employee responsibilities

The directives below apply to all employees:

• All removable media should be stored out of sight when not in use. If they contain highly sensitive or confidential data, they must be locked up.

• Removable media should be kept away from environmental hazards such as heat, direct sunlight, and magnetic fields.

• Removable media and paper document are destroyed when obsolete by persons responsible for the information assets with applicable tools – information on disks deleted, removable media – broken, paper documents with a document shredder.

• Unattended equipment – to minimize risks to information assets when leaving the team/department working place all Nemetschek personnel must implement at least one of the following:

  • Configure password protected screen saver

  • Log of from the computer system

  • Lock out the computer system

  • Any other action that has the same effect

  • Keep its desk space clear from carriers of sensitive information

• User accounts and rights are checked and reviewed  on periodically and on event basis by Nemetschek ITS personnel for company systems and by department managers/team leaders for organizational unit’s systems and results from those reviews are communicated and documented as applicable.

• It is forbidden to use physical media (CDs, DVDs, USB flash memory sticks, Magnetic carriers –diskettes, tapes, etc.)  to transport information outside of Nemetschek’s office. In case such transportation must take place (as contractual obligation) it should be specifically authorized by companies management and/or customer on a case by case basis. In such situations physical media containing information should be:

  • Transported by authorized couriers (chosen and evaluated as per company policies for Purchasing and Evaluation of suppliers

  • Identification of checking of the courier will be performed as by specially defined routine/procedure

  • With suitable protective from environmental and factors, physical damage and unauthorized disclosure packaging – e.g. locked containers, tamper-evident packaging

• Unauthorized copying information from Information systems through ports and devices of company computers – with USB memory, CDs, DVDs, magnetic carriers and other types of removable media is forbidden and this is responsibility of team leaders/department managers for organizational unit’s assets and of ITS personnel for company resources to enforce this into practice and to ensure compliance to this rule

Use of Privileged Utility Programs

Utility computer programmes that might be capable of overriding system and application controls represent significant risk to organization's information assets. Therefore the use of such utilities is generally prohibited company-wide and is allowed only to qualified personnel from ITS department. If such tools and utilities have to be used outside of ITS it is to be done only after special permission from ITS /higher company management by qualified personnel in controlled environments and this usage is controlled and overseen by ITS department.

Cabling Security

Nemetschek ITS responsibilities

To ensure protection of power and communication cabling from interception or damage ITS personnel ensures and enforces the following practices as applicable:

1. Power and communication lines are placed in specialized channel or underground/floor

2. Network cabling should be protected in office spaces

3. Power cables are segregated by communication cables or the latter are suitably isolated to avoid interference

4. Clearly identifiable cable markings are used to avoid handling errors

5. Suitable documentation is prepared and kept actual

6. Cable termination points are kept within locked room and/or places with restricted access

7. Whenever possible cabling which is placed outside of the Nemetschek office is fiber optic.

8. Cabling of the office networks is done with electromagnetic shielding

9. Access to patch panels and cabling termination rooms is controlled by ITS Personnel

Employee responsibilities

Employees should not plug unauthorized devices in plugs and sockets in office space area and in case such devices are detected should to inform immediately ITS personnel.

Usage of System Administrators Access Rights

Appropriate Use of Administrator Access

Administrator Access to Nemetschek computing resources should only be used for official Nemetschek business. While Nemetschek Information Security Policy permits reasonable personal use of computing resources, this is restricted to non-administrative activities.  Use of Administrator Access should be consistent with an individual’s role or job responsibilities as prescribed by management. 

When an individual’s role or job responsibilities change, Administrator Access should be appropriately updated or removed.  In situations where it is unclear whether a particular action is appropriate, and within the scope of current job responsibilities, the situation should be discussed with management.

Inappropriate Use of Administrator Access

In addition to those activities deemed inappropriate in the Nemetschek Information Security Policy and documentation of the Information Security management System, the following constitute inappropriate use of Administrator Access to Nemetschek OOD computing resources unless documented and approved by management:

• Circumventing user access controls or any other formal Nemetschek OOD security controls

• Circumventing bandwidth limits or any other formal Nemetschek OOD computing controls

• Circumventing formal account activation/suspension procedures

• Circumventing formal account access change request procedures

• Circumventing any other Nemetschek OOD procedures that are in written form and/or approved by some level of management

The following constitutes inappropriate use of Administrator Access to Nemetschek OOD computing resources under any circumstances, regardless of whether there is management approval:

• Accessing Non-public Information that is outside the scope of specific job responsibilities

• Exposing or otherwise disclosing Non-public Information to unauthorized persons

• Using access to satisfy personal curiosity about an individual, system, practice, or other type of entity.

Reporting Inappropriate Use of Administrator Access
Any user who suspects a violation of the appropriate use of administrator access should contact the Nemetschek ITS Manager and/or General managers of Nemetschek OOD.