Information Systems Security Policy for Budimex S.A. Suppliers


The purpose of this document is to communicate duties and responsibilities to all Suppliers rendering their services to Budimex S.A. (and employees thereof) in terms of protection of the information assets the Supplier shall have access to and shall be subject to processing in the framework of the service rendered.



This document is an Information Systems Security Policy to be followed by Suppliers of Budimex S.A., hereinafter referred to as the Policy.
The provisions contained herein shall regulate two basic areas of information protection:
• Services rendered by the Supplier based on information systems entrusted by Budimex and/or information systems connected to the IT infrastructure of Budimex. 
• Services rendered by the Supplier based on their own information systems, however, the data processed are either owned or safeguarded by Budimex (e.g. Budimex employees personal data)



Budimex S.A. makes every effort to ensure the enterprise is run in an efficient and safe manner in order to satisfy the needs of the customers, stakeholders, and company’s employees to the utmost degree. This particular care of the company’s management is demonstrated by minimising the operational risk through ensuring an appropriate level of safety in processing the information assets. To this effect the management of Budimex S.A. decided to implement regulations on information safety.
This document is an expression of the intent to provide security of the information assets implementing the Information Safety Policy for the assets disclosed to, and processed by the Suppliers of Budimex.



Information Assets – information and systems, infrastructure, devices and software used for information processing.
Information Security – secured confidentiality, integrity and availability of information assets.
Personal Data – any information related to an individual whose identity is known or may be determined either directly or indirectly.
Information Security Incident – an undesired event or a series of events that are likely to cause disruption of business operations and may have an impact to information assets security.
Information – any information, regardless of form thereof, i.e. in electronic form, in paper document, or verbally transferred.
Classified Information – the term is defined in the Act of 5 August 2010 on classified information protection. It stands for information that requires protection against unauthorised disclosure as a state or professional secrecy regardless of the way it is expressed.
Information Processing – any process a piece of information may be subject to, be it creating, collecting, recording, storage, reading, modification, disclosing, deleting etc.
User – anyone who has access to information assets of Budimex; this includes employees, temporary employees, consultants, apprentices, clients etc.



5.1 Compliance with the Policy
5.1.1 The Policy forms a part of rules and procedures that regulate the relations between the Parties. The Policy subjects to periodical review. Compliance with the Policy is a precondition of a performance to be found in line with the contract.

5.2 Compliance with Law
5.2.1 The Parties are bound to comply with law and regulations applicable to Information Technology.
5.2.2 Any use of Information Systems resources resulting in breach of Intellectual Property Rights is strictly forbidden.
5.2.3 Any software installation or other data storage in the Information System rendered by Budimex that were obtained in a way that does not make Budimex an authorised user thereof is a violation of the Policy.

5.3 Property Rights and protection of information stored in electronic form.
5.3.1 Data and information stored, processed and/or transferred through the Information Systems owned by Budimex are under constant surveillance. This includes data capture, monitoring, entry to an event recorder and inspection. This constant surveillance is aimed at protecting the interest of both, Budimex and the Supplier.
5.3.2 The data and information are property of Budimex or the Supplier and a similar care is required as it is the case of any other company property.
5.3.3 The data and information referring to Budimex stored in any form or in the Information System cannot be removed without authorisation. Any erasure/ destruction can only take place by a prior consent and in a way agreed upon with the data proprietor.
5.3.4 The data and information entrusted to the Supplier or generated in the course of service rendered to Budimex as well as those being under control of the Supplier have to be properly protected by the Supplier against destruction, damage and unauthorised access by available means.
5.3.5 The Supplier has to ensure appropriate defence mechanisms are engaged at all times basis adequate to systems being under the Suppliers control and with respect to data/information contained therein. The Supplier bears full responsibility the backup copy of Budimex data stored in the mobile IT equipment is created on a regular basis. The data and information shall be stored in a mobile equipment to a minimum extent and only for a time required to complete the scope of service rendered. If possible, data shall be kept on the network discs.
5.3.6 The mobile IT equipment carrying the vital and/or classified data and information related to Budimex have to be equipped with data protection technology against an unauthorised access approved by the Parties.
5.3.7 No data owned by Budimex can be processed or stored in an equipment not owned by Budimex (e.g. home computers) without written consent.
5.3.8 The period and the way the electronic data are stored in the Information System has to comply with the assumptions adopted for the given system (document retention time).
5.3.9 Any equipment that is not approved by Budimex cannot be connected to the Information System of Budimex. Any connection of the company’s or private mobile phones to Information Systems of Budimex is strictly prohibited.
5.3.10 No secret or confidential data can be sent via internet. The vital information (being neither secret nor confidential) received or sent via internet have to be encrypted according to the guidelines of the existing Security Policy.




6.1 IT technology applied for business purposes

6.1.1 The employees of the Supplier being users of the information systems provided by Budimex can occasionally use the aforesaid resources for their private purpose, however, this type of use can never interfere with their business duties and be in any way in contradiction with interest of Budimex.
6.1.2 Any use of the Information Systems resources provided by Budimex for any gainful activity related with an entity other than Budimex is foreclosed.


6.2 Information access control from the electronic sources.
6.2.1 The access control to the data stored in the Information Systems of Budimex is compulsory. Users are granted access to each system in the extent required by the particular job.
6.2.2 Getting access involves individual ID credentials and password to identify a user unambiguously in the Information System and to protect against an unauthorised access.
6.2.3 Passwords are created according to the specific rules defining the number of characters, internal structure and modification frequency.
6.2.4 Passwords have to be kept secret and cannot be disclosed to any third person. Should a user acting on behalf of the Supplier disclose his password to a third person, the Supplier remains fully responsible for integrity and confidentiality of the data entrusted. Password protection is always in good interest of Budimex as well as the Supplier.
6.2.5 A user whose ID’s and password has been used to gain unauthorised access to the Information System shall be deemed an unauthorised user of the information system.
6.2.6 In case a user leaves his workplace temporarily, his computer shall be locked (e.g. in Windows family OS a key combination CTRL-ALT-DEL  +  ENTER shall be used) in order to prevent unauthorised use by third persons.
6.2.7 In order to add new users in the Information System a prior consent of Budimex is compulsory.
6.2.8 Budimex shall modify a User password only by a request of the authorised person; an old password shall not be disclosed.
6.2.9 Any use of the Information Systems owned by Budimex or by third parties is not allowed without a prior consent of a person authorised to grant permissions in this regard.


6.3 Protection of the shared resources of the Information Systems
6.3.1 The Supplier is not allowed to modify any equipment owned by Budimex by e.g. installation of hardware parts or software or in other way without prior written authorisation from an appropriate person in charge of Budimex.
6.3.2 The Supplier shall exercise due care regarding the equipment entrusted by Budimex. In particular protect it against theft, prevent damage in transport and handling, ensure proper storage in right temperature, avoid exposure to strong magnetic field or bad atmospheric conditions.
6.3.3 Particular care and attention shall be exercised in handling the replaceable media (e.g. CD-ROM etc.) created or used externally, beyond the Information System of Budimex. No media from an unproven or unknown source are allowed for use in any equipment owned by Budimex. Any materials of this nature shall first be scanned for viruses and/or tested by the IT Bureau of Budimex.
6.3.4 Any software installation on Budimex computers are handled exclusively by Budimex. Legal software installation for enterprise use by individuals who are not employees of Budimex requires written consent from Budimex.
6.3.5 Any installation and/or use of a private software of the IT equipment entrusted by Budimex is prohibited.
6.3.6 There has to be virus protection always active in computer equipment of Budimex provided by means of the most recent version of antivirus software supplied by Budimex. The virus prevention instructions by Budimex have always to be observed. This also includes cases of possible virus elimination that could infect the information System of Budimex. Should any erratic activity of the antivirus software be found, the user has to notify of the fact the IT Bureau of Budimex immediately.
6.3.7 All identified occurrences of threat, violation, and weakening the security of the Information Systems or operation of software unauthorised by Budimex (security incidents) have to be reported to Budimex’s IT Bureau immediately.


6.4 Electronic message transmission
6.4.1 Corporate mail system of Budimex that may be made available to users acting under the responsibility of the Supplier is a recognised means of communication in Budimex Company and is deemed as an official mail.
6.4.2 Any user acting under the responsibility of the Supplier is not allowed to present in his messages distributed electronically any private views and judgements as being the position of Budimex.
6.4.3 Only the solutions approved by Budimex can be used for electronic messaging on the computers entrusted by Budimex.
6.4.4 No external services provided through the web (e.g. Hotmail, Yahoo, WP, ONET, web chats, instant messaging etc.) can be used on the computers entrusted by Budimex. 
6.4.5 To prevent any malware activity (e.g. viruses) that may infect the Budimex Information Systems any unexpected messages including attachments thereto from an unknown sender must be instantly removed. No attachment to any message of this sort can be opened.
6.4.6 An e-mail message circulation in the Budimex corporate mail system has to be limited only to the recipients who need to know the message or to recipients directly involved in the merit thereof. Mailing lists should not be used unless all recipients meet the above criteria.
6.4.7 Large attachments to messages distributed to a large number of recipients by mailing lists shall be avoided in the Budimex corporate mail system. Compression software delivered by Budimex shall be used in order to limit the size of large attachments and/or several messages shall be sent instead.
6.4.8 The size of a corporate mailbox is limited. A user acting under the responsibility of the Supplier is obliged to remove the obsolete messages on a regular basis.


6.5 The internet
6.5.1 It may prove necessary to provide access to the internet to the Supplier so the services under the Agreement are properly supported by Budimex. The access, however, shall subject to certain constraints imposed by the Budimex SA Information Security Policy. Internet access whether with the equipment and/or via the infrastructure provided by Budimex is allowed only through the solutions provided and approved by Budimex
6.5.2 At no circumstances a user acting under responsibility of the Supplier cannot connect the equipment entrusted to him to the internet or to any other network with cables, dial-up modems or wireless solutions unless equipment is secured by solutions comply with existing Budimex SA Information Security Policy. Any connection of entrusted equipment to computer network not owned by the Budimex Group has to be individually approved by Budimex.
6.5.3 Budimex reserves the right to monitor internet connection, regardless of nature thereof whenever Information Systems of Budimex are involved, and to block the access to web services and pages should they be found contradicting with Budimex SA Information Security Policy.
6.5.4 Listed below are the actions forbidden to users acting under the responsibility of the Supplier:

  • make attempts to by-pass protections, access control or content filtering mechanisms at the internet gateway;
  • deliberately disrupt network functioning by disseminating viruses, hacking practices, and causing large data traffic that may overload the network thus obstructing activity to other users;
  • disclose or publish the secret or classified company information via the internet including financial data, the company-related new ideas and solutions, strategies, marketing plans, databases and records contained therein, lists of customers, software source codes, computer/network access codes and business-related liaisons, etc.;
  • use the internet, electronic mail or other tools in order to establish any legal or contractual bonds without the required powers granted by the Board of Budimex company;
  • otherwise use the resources in an improper way as defined so by Budimex.


6.6 Inappropriate content
6.6.1 The supplier is not allowed to use the IT equipment provided by Budimex, as well as devices or facilities for viewing, processing, production and/or distribution of materials among the employees or anybody beyond Budimex with content falling under any of the categories listed below:

  • discrimination-related (racial or of any other nature),
  • harassment (sexual or of any other nature),
  • posing threats,
  • obscene,
  • pornographic,
  • insulting,
  • illegal.

6.6.2 The supplier is obliged to destroy/ remove immediately any materials defined in item 6.6.1. above, received from any source, and to demand from this sender to discontinue such ill-practices. Budimex Chief Information Security  Officer shall be notified of the fact immediately, including the sender’s e-mail address, the subject, and the actions taken.



In case the Supplier in rendering his service uses an information system other than owned by Budimex and no connection to Budimex infrastructure is established, the following requirements are a minimum before a system can be admitted to support the service:

7.1 The software (the operating system and applications) shall  be installed and used according to law and respective licensing conditions.
7.2 The operating system and all applications have to undergo safety update on a regular basis (at least once a month).
7.3 Any system with any capability to interact with outer environment (computer network, optical drive, USB port, diskette drive) has to be equipped with an up-to-date and active anti-virus software (updated daily). For the Windows-based systems the available anti-virus partners list can be found under the following link: http://windows.microsoft.com/en-US/windows/antivirus-partners#AVtabs=win7
7.4 The system time has to be accurate and kept synchronised on a regular basis (in case of a network access system: through a time server; in case of an off-line system: a documented synchronisation at least once a month).
7.5 The system has to have a working and periodically verified back-up software(data recovery tested at least once a year).
7.6 The entire environment upon which the service rendering to Budimex is based has to have a logic and environmental protection: power supply back-up, unauthorised access protection, both, physical and logic.

7.7 The personnel has to be trained in the system usage and operation.



8.1 The Supplier’s report from organisational and technical controls review.





Last updated: 2017-02-07