The purpose of the Information Security Policy is to define the key information security objectives, governance principles, and responsibilities; to ensure the ongoing suitability and adequacy of the information security management system to the strategic objectives of the Vičiūnai Group of Companies; and to ensure its effectiveness and maintenance in line with operational, legal, statutory, regulatory, and contractual requirements.
Vičiūnai Group of Companies is committed to ensuring the confidentiality, integrity, and availability of information—regardless of the medium in which it is stored, whether paper or electronic—and to protecting it against unlawful use and disclosure.
SCOPE
This Policy applies to all Group Companies and is mandatory for all Group Company Employees as well as for persons performing work functions on other contractual bases—interns, persons temporarily performing work functions, service providers, and other third parties who use or are directly connected with the Group’s information assets, regardless of their location.
Each Company shall introduce its employees to the Policy and its supporting documents in accordance with the procedures established in the Company.
Third parties shall ensure compliance with the requirements of this Policy on the basis of signed agreements or other legally binding commitments concluded with regard to the provisions of this Policy and the implementing legal acts. Third parties whose employees carry out activities at the Company undertake to ensure that such employees are acquainted with this Policy and are informed of their duty to comply with it.
The Policy and other related documents must be reviewed at least once a year and, where the need arises, the necessary changes must be initiated.
GENERAL PROVISIONS
This Policy has been prepared on the basis of EU and national legal acts, describing their application and implementation in the Group’s activities related to information security and the protection of personal data.
The main legal acts governing information security within the Group are:
- The Law on Cyber Security of the Republic of Lithuania, which transposes into Lithuanian law the requirements of the EU NIS2 (Network and Information Security) Directive;
- The General Data Protection Regulation (GDPR);
- The Law on Legal Protection of Personal Data of the Republic of Lithuania of 30 June 2018 No. XIII-1426.
The Policy has been prepared with reference to the following documents, standards, and good information technology (IT) practices:
- Guidelines on security measures for processed personal data and risk assessment for controllers and processors (State Data Protection Inspectorate guidelines);
- LST EN ISO 27001:2022 “Information technology — Security techniques — Information security management systems — Requirements” (ISO 27001 standard);
- LST EN ISO 27002:2022 “Information technology — Security techniques — Code of practice for information security controls” (ISO 27002 standard).