General information security and cybersecurity rules for suppliers and anyone working on their behalf
Information security and cybersecurity are integral to the way the companies in the GasNet Group (hereinafter referred to as “GasNet”) operate. We take a systematic approach to protecting information assets, both in our internal processes and when working with external partners and suppliers.
All persons with access to GasNet’s information assets are bound by contractual information security and cybersecurity obligations. The scope of those obligations is always proportionate to the nature of the cooperation, the applicable legislative requirements, and GasNet’s internal rules. In accordance with its contractual obligations, the Supplier shall ensure that anyone working on its behalf who is granted access to GasNet’s information assets has been trained and made aware of the specific security requirements applicable to their work.
Set out below is a basic overview of the rules and obligations relevant to all external workers. Specific and extended requirements are always set out as binding requirements in the contractual arrangements.
Confidentiality
Persons who are granted access to GasNet information and related information assets in the performance of their work or contractual duties (hereinafter referred to as “Workers”) shall keep that information confidential. Workers must not disclose the information or otherwise make it available to third parties without GasNet’s prior written consent, unless such disclosure follows directly from the law or a contractual obligation.
Workers shall handle information in a way that does not jeopardise its confidentiality, integrity, or availability, and shall use only those GasNet information assets, equipment, and resources which are necessary for the due performance of their work or contractual duties and to which GasNet has granted them access.
Workers who obtain access to GasNet information or information assets are responsible for protecting them and shall act in accordance with these rules, contractual requirements, and GasNet’s internal regulations.
Security policies
A Supplier and its Workers must not:
- circumvent the security mechanisms of GasNet IT resources or prevent the launch of:
  - security tools on GasNet IT resources;
  - tools used for automated checks of installed and launched software;
- develop, compile, or distribute program code in the GasNet IT environment which is intended to take illegal control, impair availability, confidentiality, or integrity, or obtain data and information in an unauthorised or illegal manner.
Workers with access to GasNet information systems must not interfere with the infrastructure or operation of GasNet’s computer network, or negatively affect or monitor it in any way. In particular, it is prohibited to:
- expose GasNet networks to excessive load;
- carry out attacks on GasNet information assets and equipment;
- connect unapproved devices;
- install unauthorised software.
The only exception is activities expressly included in the performance under the contract between GasNet and the Supplier.
Workers must not install or use the following types of tools on GasNet IT resources:
- keylogger – software or hardware which records keystrokes without authorisation for the purpose of compromising the confidentiality of the data and information entered;
- sniffer – software or hardware enabling network traffic to be intercepted;
- vulnerability scanner – a software or hardware tool enabling searches for vulnerabilities in IT systems and the detection of available network services and ports, running processes, running applications and their versions, etc.;
- backdoor – a hidden software or hardware tool which enables approved authentication procedures to be bypassed, installed for the purpose of making future unauthorised access to GasNet IT resources easier;
- malware and other malicious software which disrupts, bypasses, or otherwise restricts security measures in the GasNet environment.
Workers must not, on GasNet IT resources:
- store or share data and information with ethically inappropriate content, content contrary to good morals, or content damaging GasNet’s name;
- visit websites with ethically inappropriate content;
- connect unapproved removable media (e.g. CD/DVD, flash drive, memory card) to GasNet IT resources;
- use, copy, or distribute software without authorisation, for example:
  - install or run privately acquired software on GasNet IT resources;
  - install or run software downloaded from the internet on GasNet IT resources (including commercial software, shareware, freeware, public domain software, or software licensed under the GPL – General Public Licence model). This does not apply where the subject matter of the Contract includes such activity.
Workers must also not:
- publish or otherwise share GasNet information on social networks or other public platforms, unless such sharing is expressly part of the performance under the contract concluded between the Supplier and GasNet;
- attempt to gain unauthorised access to GasNet resources or to the resources of other entities;
- disclose their access credentials for GasNet systems to other persons;
- record authentication credentials in a way that would allow them to be easily discovered by an unauthorised person (e.g. in electronic documents, Notepad, or by saving them in a web browser);
- use a private email inbox for activities relating to performance under the contract, except in an exceptional situation which cannot be delayed and where, if the GasNet email service is unavailable or faulty, any delay could be prejudicial;
- set up automatic forwarding of emails from a GasNet email address outside the GasNet system environment;
- store non-public information outside storage managed by GasNet or the Supplier, in particular in cloud services (e.g. Google Drive, uschovna.cz, etc.).
The Supplier and its Workers shall:
- regularly check and assess whether access remains justified, both physical and logical, for all persons on the Supplier’s side who access the GasNet environment, at least once every six (6) months, and a documented record of the check and assessment performed must exist;
- ensure that work desks and screens of work devices do not give unauthorised persons free access to information. When leaving a workstation, devices must be locked and documents must be properly secured;
- protect portable IT devices (e.g. laptops, mobile phones, external storage devices) against loss, theft, and unauthorised access. Devices containing GasNet information must not be left unattended or unsecured;
- use only approved means to store and share GasNet data and information. If it is necessary to store GasNet information in online repositories, only repositories and tools approved by GasNet may be used for this purpose;
- use privileged permissions only to the extent strictly necessary and only for the time strictly necessary to perform activities in accordance with the performance of the subject matter of the Contract;
- dispose of data media and physical documents containing GasNet information by securely overwriting them or by physically destroying them.
Information classification
When handling information, the Supplier and its Workers shall comply with the established classification of GasNet information and the following principles for handling GasNet information:
- Public Information – use and sharing are not restricted;
- Internal Information – use and sharing are permitted only for authorised persons, i.e. GasNet employees and third parties with a signed confidentiality agreement or personal data processing agreement;
- Sensitive Information – the sharing conditions correspond to the regime for internal information; where such information is transferred electronically to third parties, it must be encrypted;
- Strategic Information – if such information is made available to the Supplier and its Workers, it is prohibited to share it with any further third parties unless GasNet expressly and demonstrably provides otherwise.
Access management, authentication, and endpoint security
Workers who access GasNet information systems shall:
- protect and keep strictly confidential their authentication credentials and authentication means;
- not store authentication credentials in readable form or make them available to another person;
- comply with GasNet’s password policy, in particular:
  - use a password with a minimum length of 12 characters (standard accounts) or 17 characters (privileged and administrator accounts);
  - choose a password containing characters from at least three of the following categories: lower-case letters, upper-case letters, numbers, and special characters;
  - change their password at least once every 18 months, without undue delay when requested to do so by the Security Department, and immediately if there is any suspicion that the password has been compromised.
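The length and category rules above, expressed as a compliance check a Supplier could run before provisioning an account. This is an added example, not GasNet’s own tooling; the account type labels "standard" and "privileged" are names assumed for this snippet.

```python
# Minimum lengths stated in the policy: standard vs. privileged/administrator accounts.
# The account type labels are an assumption of this example.
MIN_LENGTH = {"standard": 12, "privileged": 17}
REQUIRED_CATEGORIES = 3  # at least three of: lower-case, upper-case, numbers, special


def character_categories(password: str) -> set:
    """Return which of the four policy categories the password draws characters from."""
    categories = set()
    for ch in password:
        if ch.islower():
            categories.add("lower")
        elif ch.isupper():
            categories.add("upper")
        elif ch.isdigit():
            categories.add("digit")
        else:
            # Everything else (punctuation, symbols, space) is treated as a special character.
            categories.add("special")
    return categories


def check_password_policy(password: str, account_type: str = "standard") -> list:
    """Return a list of policy violations; an empty list means the password complies."""
    if account_type not in MIN_LENGTH:
        raise ValueError(f"unknown account type: {account_type!r}")
    violations = []
    minimum = MIN_LENGTH[account_type]
    if len(password) < minimum:
        violations.append(
            f"length {len(password)} is below the minimum of {minimum} for {account_type} accounts"
        )
    found = character_categories(password)
    if len(found) < REQUIRED_CATEGORIES:
        violations.append(
            f"only {len(found)} of the required {REQUIRED_CATEGORIES} character categories used: {sorted(found)}"
        )
    return violations


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate, kind in [("Correct-Horse-9", "standard"), ("Correct-Horse-9", "privileged")]:
        problems = check_password_policy(candidate, kind)
        print(kind, "OK" if not problems else "; ".join(problems))
```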
Workstations accessing the GasNet IT environment via VPN (Virtual Private Network) must have:
- advanced, functional antivirus protection installed;
- disk encryption enabled;
- screen locking enabled in the event of inactivity;
- a functional personal firewall;
- functional automatic system updates enabled;
- an installed version of the operating system which is still supported by the manufacturer;
- user rights restricted to the “user” level;
- third-party applications kept up to date on an ongoing basis, in compliance with the licence terms of the manufacturers of those applications.
A Worker with access to GasNet information systems who works with GasNet information outside the premises of the Supplier or GasNet must ensure that GasNet information cannot be obtained by any unauthorised person (e.g. by eavesdropping, viewing, or shoulder surfing).
The Supplier and its Workers acknowledge that:
- the access of the Supplier’s Workers to selected protected information and GasNet IT systems is continuously recorded, monitored, and evaluated;
- if attempts to authenticate a user (Worker) are unsuccessful, the relevant account may be blocked, the event may be handled as a cybersecurity incident, and the relevant cybersecurity incident management procedures may be applied;
- the allocation of permissions to the Supplier’s Workers in GasNet systems is governed by the principle of least privilege (the need-to-know and need-to-have principles), and no entitlement to such permissions arises.