2016 OAS Guidelines

Subsection 3.7: Protection of computer systems

In order to comply with the criterion mentioned in Article 25, paragraph 1, letter j) of the AE CAU, you must take appropriate security measures to protect your computer system from intrusion and secure your documentation.

3.7.1

In relation to question a), the measures may consist of the following:

  • an updated security plan that includes the measures in place to protect your computer system from unauthorized access, as well as deliberate destruction and loss of information;
  • detailed information on whether you operate multiple systems at multiple sites and how those systems are controlled;
  • determination of those responsible for the protection and operation of the company's computer system (responsibility should not be limited to one person, but should fall on several, so that each of them can control the actions of the others);
  • detailed information on firewalls, antivirus, and other protection against malicious software;
  • a business continuity and emergency recovery plan when incidents occur;
  • backup routines that include restoration of all relevant programs and data after an interruption due to a system failure;
  • logs in which each user and their actions are noted;
  • whether system vulnerability is managed periodically and by whom.

In relation to question b), please indicate how frequently you test the effectiveness of your system against unauthorized access, how you record the results, and how you deal with the situation when the system is threatened.

3.7.2

The procedures you establish regarding access rights should include the following:

  • methods for granting access authorizations and level of access to the computer system (access to sensitive information should be limited to personnel authorized to make changes to it);
  • password format, frequency of changes, and the person responsible for providing those passwords; and
  • deletion/maintenance/update of user information.