Security Principles

Security is one of the most important areas in WCEteam. We always want to be sure that the environment in which we work allows us to maintain the highest standards. In the process of selecting and creating our premises, equipment, software and services, we rely on ISO/IEC 27001, ISO/IEC 27002 and TISAX/VDA v. 4.1.1.

The most important security areas to which we pay special attention

In the Information Security area we are focusing mainly on creating and maintaining an Information Security Management System (ISMS) which helps us plan, create, manage and implement efficiently all processes and procedures responsible for maintaining the required level of security in our daily work.

Below you can find our main principles in this area:

1. Information Security Policies are always up to date and well known to all our employees.
2. Responsibilities for information security are defined and assigned, especially those related to daily project work, using mobile devices, remote access to the organization’s data and areas shared between IT service providers and WCEteam.
3. Clear policies and procedures in the Access Control area related to:
a. user access to network services, IT systems and IT applications in place,
b. the allocation and use of privileged user and technical accounts, which are regulated and subject to reviews,
c. policies concerning the creation and handling of confidential authentication information,
d. access to information and applications restricted to authorized persons,
e. separation of data within an environment shared with other organizations.
4. Rules for encryption, including the management of cryptographic keys (complete lifecycle process), for the protection of information during storage and transport exist and have been implemented.
5. In the Operations Security area our focus is on:
a. implementation of protection controls (e.g. endpoint security) against malware (viruses, worms, Trojans, spyware, …),
b. backups created and regularly tested in accordance with an agreed backup policy,
c. event logs (which may contain e.g. user activities, exceptions, errors and security events) created, stored, reviewed and protected against modification,
d. technical vulnerabilities of IT systems identified at an early stage and evaluated, with appropriate measures taken (e.g. patch management),
e. effects due to critical functions of cloud services taken into account.
6. In the Communications Security area we are aware of the importance of protecting information during exchange or transfer.

In the Connection to 3rd parties area we are focusing mainly on the following:

1. Our staff (internal and external) are aware of and trained about the risks associated with the handling and processing of information.
2. Procedures for user registration, change and deregistration are implemented with the associated access rights, and authentication information in particular is handled confidentially.
3. Secure areas for the protection of sensitive or critical information and information processing facilities are defined, protected and monitored.
4. Groups of information services, users and information systems are segmented on different networks.

Last but not least, in the area of Data and Prototype protection, we are focusing not only on the legal aspects of data protection but are also aware of the necessity of prototype security (access to components and parts that have not yet been presented to the public and/or published in a suitable form by the OEM).

Below you can find our main principles in this area:

1. Implementation and organization of data protection (processes and procedures) according to local and EU law.
2. Organizational measures are taken to ensure that personally identifiable data is processed in conformance with legislation.
3. We make sure that the internal processes or workflows are carried out according to the currently valid data protection regulations and that these are regularly subjected to a quality check.
4. Relevant processing procedures are documented with regard to their admissibility according to data protection law.
5. We are aware of security requirements for presentations and events involving vehicles, components or parts classified as requiring protection.

Our tools

Taking into consideration all previous statements, we use only suppliers widely known as secure and reliable. We always assess several solutions available on the market and choose the best one, based on several indicators among which cost is not the most important one.
As a company where quality is one of the most important indicators, we can’t afford the cheapest solutions…