Information security management
Information is an important resource in the key areas of the PGE Group’s operations. Like other key business assets, it is of primary importance to the organisation.
Ensuring information security is one of the major areas of the PGE Group’s operations. The proper functioning of the information security policy in the PGE Capital Group has been achieved through the introduction of the General Procedure – Guidelines for Information Security and Classification in the PGE Capital Group, the purpose of which is to define and apply uniform rules and principles according to which information is processed.
The objectives of information security in the PGE Group are the following:
- ensuring that information processed is fully protected,
- maintaining the confidentiality, availability and integrity of information,
- ensuring an adequate level of security for information processed in either electronic or paper format,
- reducing the incidence of information security risks,
- introducing uniform standards for the identification and classification of information and the uniform naming of labels assigned to particular protection levels.
The guidelines introduced constitute the basis for the development and implementation of internal information security regulations in each PGE Group company.
At PGE S.A., due to the importance of the company’s information assets and the obligation to protect information, which is an important element in the key areas of its operations, the Management Board of PGE S.A. has established an Information Security Management System (ISMS), i.e. a strategy for ensuring adequate information protection. The implementation of the Information Security Management System (ISMS) preserves the confidentiality, integrity and availability of information that represents measurable value to the organisation. The objectives of the activities carried out within the framework of the ISMS are the following:
- ensuring the security of information assets,
- managing information efficiently,
- raising employees’ awareness of information security,
- establishing and applying information processing rules,
- ensuring compliance with applicable laws and internal regulations concerning information security,
- managing risks to information security,
- managing security incidents.
The Information Security Management System consists of the following internal regulations:
- the PGE S.A. Information Security Management Procedure, which defines information security management mechanisms and rules of conduct to ensure the confidentiality, availability and integrity of information processed in PGE S.A. It is the core document of the ISMS and was developed taking into account the requirements set out in the Polish Standard PN-ISO/IEC 27001,
- the PGE S.A. Information Security and Classification Procedure, the purpose of which is to ensure an adequate level of protection for information processed in PGE S.A.
PGE S.A. has a number of activities in place to ensure information security, such as:
- education and training activities for employees to improve their knowledge of information security (consultancy, individual and group training, e-learning, etc.),
- information activities, i.e. internal communications concerning secure information handling,
- tools used to support the process of identifying and classifying information,
- the “Information Security” tab maintained on the corporate intranet (IPK),
- legal safeguards (non-disclosure agreements, confidentiality statements) and technical safeguards (e.g. computer encryption with BitLocker, IT systems with automatic user log-out when idle, a central printing system with proximity card release, etc.),
- the introduction of information security rules that protect information against unauthorised access, loss, theft or damage, such as the “clean desk and screen” rules,
- verification of compliance with the established rules (checks on the state of security of protected information),
- other measures, e.g. blocking the reading and writing of data on external media (USB port blocking) and increasing the level of ICT security by monitoring, controlling and managing the flow of information inside and outside the company by means of DLP (Data Loss Prevention) software.