Information security policy

UAB “Adwisery” Information Security Policy

  1. The Information Security Policy (hereinafter referred to as the Policy) is the main document of UAB “Adwisery” (hereinafter Adwisery) Information Security Management System (ISMS), intended to define the principles of Adwisery’s information security management, set effective directions for security assurance, manage information security risks, and ensure compliance with legal acts. Parts of the Policy and ISMS documents may be made available to parties related to Adwisery information in an accessible and understandable form.
  2. The purpose of the Policy is to present Adwisery’s management position on information security and to protect all verbal, written, and electronic information received, sent, created, managed, and used by Adwisery (hereinafter Information) from all possible threats: external, internal, intentional, or accidental, which may impact Adwisery’s operations and reputation.
  3. Legal acts and standards followed in implementing ISMS:
    1. Law on Cyber Security of the Republic of Lithuania;
    2. Resolution No. 818 of the Government of the Republic of Lithuania of August 13, 2018 “On the Implementation of the Law on Cyber Security”;
    3. Order No. V941 of the Minister of National Defence of the Republic of Lithuania of December 4, 2020 “On the Approval of the Methodology for Assessing IT Security Compliance”;
    4. Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
    5. Lithuanian Standard LST ISO/IEC 27001:2022 “Information Security, Cybersecurity and Privacy Protection. Information Security Management Systems. Requirements”;
    6. Lithuanian Standard LST ISO/IEC 27002:2022 “Information Security, Cybersecurity and Privacy Protection. Information Security Controls”;
    7. Other legal acts regulating cybersecurity.
  4. Information is a strategically important asset for Adwisery, and its loss, unlawful alteration, damage, disclosure, or processing interruption may cause disruptions to Adwisery’s operations. Accordingly, this Policy establishes the main guidelines to be followed by all Adwisery employees, contractors, and other related parties working in risk and business continuity management, IT management, information and cybersecurity management, implementation, maintenance, and development of information systems, consulting and training, and in other business processes where information is managed, transferred, or otherwise processed, regardless of its form or storage method.
  5. The Policy applies to all Adwisery business processes where information is managed, transferred, or otherwise processed, regardless of its form or storage method, and includes verbal and written information, information systems, computer networks, physical environment, employees, related parties, partners, contractors, and other individuals working for Adwisery, including employees working for third parties who lawfully process Adwisery information.
  6. The Policy describes Adwisery’s:
    1. Information security management objectives to protect the confidentiality, integrity, and availability of Adwisery and client Information;
    2. Scope of application of ISMS.
  7. Definitions used in the Policy:
    1. Compliance assessment – assessment of IT security compliance with organizational and technical cybersecurity requirements according to the Law on Cyber Security of the Republic of Lithuania and its subordinate legislation;
    2. Physical security measures – technical and electronic means intended to protect information from unlawful acquisition, disclosure, or destruction; to prevent unauthorized access to protected premises or territories and unauthorized viewing of information stored therein; and to help identify unauthorized entries and prevent their actions;
    3. Information and cybersecurity – preserving the confidentiality, integrity, and availability of information;
    4. IS – information system;
    5. Cyber incident – an event that threatens the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data or services provided or accessible through networks and IS;
    6. Corrective action – an action taken to eliminate the cause of a detected non-conformity or other undesirable situation;
    7. KSIS – Cybersecurity Information System;
    8. NKSC – National Cyber Security Centre under the Ministry of National Defence;
    9. Risk – potential loss or disruption that may be caused by a cyber incident. Cybersecurity risk is expressed as a combination of the extent of such a loss or disruption and the likelihood of the cyber incident;
    10. Risk assessment – evaluation of information security risk;
    11. Network and information system – an electronic communications network; any device or group of interconnected or related devices, one or more of which automatically process digital data; or digital data stored, processed, restored, or transmitted by the specified means for management, use, protection, and monitoring purposes.
  8. Adwisery’s information security is based on the following cybersecurity principles:
    1. Non-discrimination of cyberspace – legal provisions apply equally, and the protection of legally protected interests is ensured in both physical and cyberspace;
    2. Cybersecurity risk management – cybersecurity risk management measures must ensure control over regularly assessed risks in Adwisery;
    3. Proportionality of cybersecurity – cybersecurity risk management measures must not restrict Adwisery’s activities more than is necessary to ensure cybersecurity;
    4. Primacy of public interest – cybersecurity risk management measures must primarily ensure the protection of the public interest, but must not fundamentally violate individual users’ or Adwisery’s rights and legitimate interests or disproportionately restrict their freedoms;
    5. Standardization and technological neutrality – when implementing cybersecurity risk management measures, Adwisery is encouraged to follow national, EU, and other international standards and technical specifications for network and IS security, without requiring or favoring any specific technology;
    6. Subsidiarity – Adwisery is responsible for the cybersecurity of networks and IS and the services provided through them. In areas of Adwisery’s exclusive competence, NKSC intervenes only when Adwisery fails to ensure cybersecurity.
  9. When applying legal provisions regulating cybersecurity, all principles outlined in point 8 of the Policy must be considered together, without assigning priority to any one of them in advance.
  10. The implementation of ISMS objectives seeks to achieve the following information security goals:
    1. Ensure and manage information security in alignment with Adwisery’s (strategic) goals;
    2. Ensure and manage compliance with external and internal information security requirements by conducting periodic compliance assessments of ISMS documentation and addressing identified deficiencies;
    3. Ensure resolution of information security breaches and elimination of their causes by implementing an incident management process;
    4. Ensure proper selection and implementation of information security and processing measures through annual risk assessment and execution of the Risk Management Plan;
    5. Ensure the effectiveness of implemented information security measures through internal ISMS audits and management reviews to address ISMS non-conformities and implement improvements;
    6. Ensure the adequacy of business continuity and recovery plans through regular review and testing;
    7. Ensure sufficient human and operational resources for ISMS;
    8. Ensure competence development for employees involved in ISMS management.
  11. Information and cybersecurity encompass three main aspects:
    1. Confidentiality – protection of information from unauthorized disclosure;
    2. Integrity – protection of information from unauthorized or accidental alteration;
    3. Availability – ensuring that information is accessible when needed to properly perform Adwisery’s activities.
  12. Adwisery ISMS certification scope: Risk and business continuity management, IT management, information and cybersecurity management, implementation, maintenance, and development of information systems, consulting, and training organization.
  13. Requirements of interested parties for Adwisery arise from:
    1. International legal acts;
    2. Legal acts of the Republic of Lithuania;
    3. Contracts and agreements.
  14. Adwisery ensures information and cybersecurity by committing to applicable legal requirements and allocating responsibilities for information and cybersecurity.
  15. Information and cybersecurity management in Adwisery is based on risk management. The assessment of information security risks ensures that the information and cybersecurity measures applied in Adwisery activities meet the core objectives of Adwisery operations and information protection.
  16. Adwisery conducts information security risk assessments at least once per year or following significant organizational changes that may impact information and cybersecurity.
  17. Adwisery performs internal ISMS audits together with compliance assessments at least once per year or after significant organizational changes that may impact information and cybersecurity. Adwisery must undergo a compliance assessment at least once every 3 years by certified auditors recognized by international organizations in accordance with the Law on Cyber Security of the Republic of Lithuania.
  18. Adwisery monitors, measures, analyzes, and evaluates ISMS processes and control measures.
  19. Adwisery conducts management review evaluations.
  20. Any violation of the Policy or other ISMS document provisions is considered a cybersecurity incident that may negatively affect Adwisery’s business continuity and damage its public image.
  21. Adwisery employees and third parties who violate ISMS requirements are subject to the enforcement measures provided by the laws of the Republic of Lithuania, Adwisery’s internal legal acts, contracts, agreements, or other legally binding documents.
  22. The Policy and other ISMS documents are reviewed at least once a year and updated as necessary.
  23. Cybersecurity incidents may be reported via email at incidentai@adwisery.eu.