IT Security policy

Preamble

This document sets forth the IT Security Policy of Matsuko s.r.o., a company having its registered office at Tomášiková 17, 040 01 Košice - Sever district, Slovakia, incorporated under company ID number 35 886 498 and registered with the Commercial Register of District Court Kosice I, Section: Sro, Insert No. 26609/V (the “Company” or “we” or “MATSUKO”). We have developed the MATSUKO application HOLOGRAPHIC COMMUNICATION, available on our website (the “Application”).

The scope of this IT Security Policy includes, amongst other things, the protection of the confidentiality, integrity and availability of information by applying a risk management process, which gives confidence to interested parties that risks are adequately managed. The policy defines the security objectives, commitments and priorities of the Organization in the field of information security in accordance with the legislative requirements in the field of cyber security as well as the mission and business objectives of MATSUKO.

The IT Security Policy is the starting document from which the concept of protecting the Organization against threats is derived. It is followed by related security policies, standards (guidelines), methodological guidelines, rules, procedures, or other tools necessary to ensure the required level of information security of the information systems and networks of MATSUKO.

Basic security objectives
Based on the business strategy of the company, we have defined basic security objectives for MATSUKO as follows:

– ensuring the protection of all information, and thus also personal data, which we process in accordance with the legal and contractual requirements;

– defining and implementing secure development life cycle procedures within the MATSUKO application;

– setting security requirements and rules for the operation, use and maintenance of MATSUKO application to ensure the required level of information security;

– protecting the intellectual property in the source code and functionality of the MATSUKO application;

– continuously managing and increasing the security of all assets managed by MATSUKO.

The company defines short-term, medium-term and long-term tasks to achieve the stated security goals.


Security roles and responsibilities
Responsibilities and obligations in information security are assigned to the relevant security roles that perform the activities related to the given role. Security roles are split into the following categories: the Governance, Executive and Control parts. The following security roles are assigned in MATSUKO:

– CEO (statutory board)
– Team leaders/managers (Operation, Product, Technology)
– Team members/employees
– Security specialist
– Internal auditor
– Asset owner
– Risk owner
– IT administrator

All employees and contractors are involved in the process of maintaining the information security of the Company by complying with the security policies and the general principles of information security.

Asset management
MATSUKO identifies the scope for information security as all assets related to the development and maintenance of the Application. Everything that has value to the Company (e.g. hardware components, software, data, services, human resources, reputation, etc.) is considered an asset. A combination of processes, organization and technology is called an information system. We have identified the following types of assets based on different IT and security methodologies:

– Internal and external processes
– Data and information
– Technology components
– Internal and external people
– Different 3rd parties
– Locations

The environment around the information system is everything that is not part of the information system but has an impact on it. All assets related to MATSUKO are identified, and the inventory of these assets is centrally recorded and managed.

Risk management
MATSUKO implements a constantly recurring process of information risk management in the form of vulnerability identification, threat identification, regular risk analysis, identification of risk owners, implementation of organizational and technical security measures to address identified risks and regular review of identified risks. We have identified the following high-level types of threats based on different threat catalogs:

– Physical attack (deliberate/intentional)
– Unintentional damage/loss of information or IT assets
– Disaster (natural, environmental)
– Failures/Malfunctions
– Eavesdropping/Interception/Hijacking
– Nefarious activity/Abuse
– Legal

The effectiveness and efficiency of the security measures taken are continuously monitored and regularly evaluated in accordance with the Organization's risk management framework.


Basic principles
The purpose of the security principles is to provide strategic guidance on how MATSUKO protects information systems and data. These security principles are grouped into four key activities: govern, protect, detect and respond (similar to plan, do, check, act).

Govern: Identifying and managing security risks.
1. A Security specialist provides leadership and oversight of information security.
2. The identity and value of systems, applications and data are determined and documented.
3. The confidentiality, integrity and availability requirements for systems, applications and data are determined and documented.
4. Security risk management processes are embedded into company risk management frameworks.
5. Security risks are identified, documented, managed and accepted both before systems and applications are authorized for use, and continuously throughout their operational life.

Protect: Implementing security controls to reduce security risks.
1. Systems and applications are designed, deployed, maintained and decommissioned according to their value and their confidentiality, integrity and availability requirements.
2. Systems and applications are delivered and supported by trusted suppliers.
3. Systems and applications are configured to reduce their attack surface.
4. Systems and applications are administered in a secure, accountable and auditable manner.
5. Security vulnerabilities in systems and applications are identified and mitigated in a timely manner.
6. Only trusted and supported operating systems, applications and computer code can execute on systems.
7. Data is encrypted at rest and in transit between different systems.
8. Data communicated between different systems is controlled, inspectable and auditable.
9. Data, applications and configuration settings are backed up in a secure and proven manner on a regular basis.
10. Only trusted and vetted personnel are granted access to systems, applications and data repositories.
11. Personnel are granted the minimum access to systems, applications and data repositories required for their duties.
12. Multiple methods are used to identify and authenticate personnel to systems, applications and data repositories.
13. Personnel are provided with ongoing cyber security awareness training.
14. Physical access to systems, supporting infrastructure and facilities is restricted to authorized personnel.

Detect: Detecting and understanding cyber security events.
1. Cyber security events and anomalous activities are detected, collected, correlated and analyzed in a timely manner.


Respond: Responding to and recovering from cyber security incidents.
1. Cyber security incidents are identified and reported both internally and externally to relevant bodies in a timely manner.
2. Cyber security incidents are contained, eradicated and recovered from in a timely manner.
3. Business continuity and disaster recovery plans are enacted when required.

Information security management system
Security measures shall be taken in MATSUKO on the basis of recommendations of internationally accepted security standards or other substantively similar procedures and methods, taking into account the latest knowledge and at the same time identifying risks, vulnerabilities and regulatory requirements within the basic service operator sector. It is important that the information security management system is part of and integrated with the organization’s processes and overall management structure and that information security is considered in the design of processes, information systems, and controls.

Declaration of Top management
MATSUKO top management, therefore, considers ensuring an adequate level of information security of the company as a permanent task with a high priority and is committed to creating appropriate legal, organizational, technical, material and financial conditions for the fulfillment of this task.

Date: 04th March 2022

CEO: Maria Vircikova
CEO: Matus Kirchmayer