Information security policy for external users
Scope and purpose
This Information Security Policy sets out the minimum requirements and rules of behaviour that apply to external users when working with the SCS IT infrastructure and non-public information. It serves to ensure the integrity, availability and confidentiality of information systems and data. The policy has been drawn up in accordance with the international standard ISO/IEC 27001 for information security management systems (ISMS).
Handling login information (passwords, second factors, keys)
Security of login information
- External users must use strong passwords that are at least 10 characters long and contain a combination of letters, numbers and special characters.
- Login information may not be reused.
- Trivial passwords (e.g. 1234567890) must not be used.
- Passwords based on facts (name, date of birth, etc.) may not be used.
Confidentiality
- Accounts are personal and may not be shared.
- Login information must be treated as strictly confidential and may not be passed on to third parties.
Regular change
- Passwords must be changed every 18 months. If a compromise is suspected, the password must be changed immediately.
Lock / Log out
Automatic lock
- Workstations and devices must be configured so that they lock automatically if they are not used for a set period of time (e.g. 5 minutes).
Manual lock
- Users must lock their workstations manually (e.g. by pressing Win + L on Windows or Cmd + Ctrl + Q on macOS) when they leave their workstation, even if it is only for a short time.
Log out
- Users must log out of all systems and applications at the end of each session.
Malware protection
Protective measures
- Up-to-date and recognised antivirus software must be installed on all devices that have access to the SCS IT infrastructure. This software must be configured to perform automatic updates and regular scans.
Handling information and data
- All information and data must be handled in accordance with the NDA agreed separately with SCS.
- If technically possible, all information must be stored in encrypted or physically secured form.
- If the information is no longer required, it must be securely destroyed.
- The user undertakes not to store any personal or strictly confidential data (e.g. test data) in the SCS infrastructure without a corresponding NDA with SCS.
- If it is suspected that the integrity, availability and confidentiality of the information systems and data are no longer guaranteed, SCS must be informed immediately.