Data Protection & Information Security

Due to their overriding importance in an increasingly digital world, we have made data protection and information security a high priority for us and have established individual structures to manage these topics.

Data Protection

At SARIA, we handle the data of our business partners and other stakeholders with the utmost care and sensitivity, regardless of where we do business. Since precise legal requirements may vary from country to country, we have implemented a decentralized approach according to which each of SARIA’s international organizational units safeguards the legal integrity of its data independently.

Aimed at establishing a coherent group structure, we have set up a data protection organization comparable to our corporate compliance structure. As an organ of international deliberation, we have created an International Data Privacy Committee, which is composed of the locally responsible data protection managers. Initially convened in autumn 2022, the committee assesses common group data privacy issues, develops recommendations and guidelines and follows a comprehensive reporting procedure.

A cornerstone of our internationally applicable data protection management is our Group Data Protection & Privacy Policy, which entered into force on 1 January 2023. Based on the intention to create a concise and uniform approach to data protection on an international scale, the policy sets out binding obligations in relation to managing personal data as well as numerous checks and balances, including the commencement of reporting and audit procedures.

"Data Protection Power Days 2022" in Germany

International Data Privacy Organization

In accordance with the previously mentioned decentralized approach of safeguarding compliance with domestic data privacy laws within each country-based unit, we will focus below on the progress achieved within the organizational unit in Germany.

Based on our legal obligation to document the processing activities of the video cameras we use to monitor the safety of our employees, we conducted an extensive video camera surveillance audit in 2022. As a result of the audit, every processing activity relating to our video camera surveillance has been properly entered in our central record within the digital data protection management system.

Additionally, a new major legal framework permitting data exchange between SARIA’s respective legal entities within Germany has been adopted. Under this agreement, we will henceforth be able to minimize our reliance on individual data protection agreements within SARIA.

To complement the creation of meaningful corporate data protection structures and procedures, we have focused our attention on the training of our data privacy managers. In the pursuit of reaching the entirety of our German data privacy staff, we decided to host the training program “Data Protection Power Days” in November 2022. We regarded it as vital to exchange views from different operational angles as well as to provide for the appropriate foundational expertise by presenting some of the most relevant German Data Protection Regulation requirements and developments within the area of EU data protection.


Based on the positive feedback from trainees and its overall educational success, we have decided to make the “Power Days” a regular annual event. Additionally, in cooperation with our IT, we conduct a campaign to raise further awareness of phishing attacks on our Group. The campaign intends to reinforce our employees’ compliance with the relevant corporate procedures and uses simulated phishing attacks, consisting of e-mails that attempt to lure our employees into a false sense of security.

To measure our data protection performance, we use a measurement system comprising eight areas of data protection derived from the European General Data Protection Regulation. Our progress is measured by means of a maturity model that reflects the progress in each of the eight areas. Compared to the baseline year 2020, we have consistently improved our performance: in 2021, we improved by 6 %, and in 2022 we improved by another 4 %. Looking ahead, we aim to increase our overall data protection maturity score by an additional 4 % in 2023.

Information Security

Similar to our data protection management, we combine a decentralized approach with regular exchange and pooling of expertise through our information security network.

In principle, each organizational unit defines individual focus areas for ensuring information security, taking into account the experience and risk assessment of the IT specialist responsible, knowledge from our IT security network and results from internal or external audits, such as an external security audit conducted in Germany in 2022. Furthermore, it is important to react quickly and appropriately to events and external influences.

Despite these different focus areas, our overall approach to information security rests on three pillars: technological measures, organizational measures and actions to create awareness.

"Protecting our information assets is critical. For this reason, we are working to implement solid cybersecurity governance, which allows us to adequately manage risks and be more resilient. As a result, every year we carry out a series of initiatives to improve the level of cybersecurity in our organization, in order to adequately protect the information of our clients, employees and collaborators, as well as the supply chain systems, so that we can guarantee fulfilment of our commitments to clients and third parties."

Information Security Network

While our clear aim here is a zero policy, we are aware that a 100 % guarantee will never exist in the digital realm. Therefore, we continuously work on improving our systems and will expand and further improve our efforts in 2023, too.

The following examples from our German organization illustrate the systematic interplay of a variety of instruments.

Password Handling & E-mail Security

To support our people in handling the multitude of passwords that are necessary in a modern working environment, a password management tool allows them to manage all the different passwords they use conveniently.

At the same time, we try to make working routines easier and protect our systems by implementing powerful tools to filter out spam and viruses sent by e-mail.

E-learning “Information Security”

To ensure awareness among all employees, an “Information Security” e-learning module is mandatory for our people in Germany. Since 2022, all new employees have been enrolled automatically.

Active Directory Security & Multi-Factor Authentication

To protect our systems from unauthorized access, we are using Azure Active Directory and Active Directory Security as central authorization systems. The security of these systems is regularly validated through external audits and penetration tests.

Moreover, we have introduced phishing-resistant multi-factor authentication (MFA) for our Group, requiring our employees to perform an additional authentication step to access a large variety of services.

Procedures & Policies

We will introduce policies and procedures that provide clear guidance on how to set and use passwords, why and when passwords need to be reset automatically, and what to do when there are indications that our systems have been breached.

Extended Detection and Response (XDR), Endpoint Detection and Response (EDR)

Classically referred to as "virus protection", this measure is about blocking threats on devices. However, the issue now goes far beyond mere virus detection: the programs dig deep into the operating systems and monitor all actions on the devices to detect and block unusual and undesirable behavior by programs. To this end, XDR correlates data from typical work devices such as laptops and PCs with data from the network and the cloud.

IT Security Function & Strengthening of Internal IT Security Network

In response to the rapidly increasing importance of this topic, we have set up a dedicated IT security function within our IT organization and are systematically strengthening cooperation and exchange within SARIA and across the RETHMANN Group.

Security Operations Center & Security Information and Event Management

An external team of specialists - a so-called Security Operations Center (SOC) - will support us in the operation of our IT security components with additional resources and expertise. Among other things, the SOC uses a security information and event management (SIEM) system that screens data from various sources for patterns and unusual activities in order to report anomalies at an early stage and analyze or avert threats.
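As an added illustration of the kind of pattern screening a SIEM performs (this is example code written for this page, not SARIA's or its SOC provider's tooling), the following rule correlates constructed logon events from a domain controller: it flags a single source address that fails logons for many different accounts within a short window and raises the severity when a successful logon from the same source follows. The log format, host names, addresses and user names are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-style key=value pairs), not real data.
SAMPLE_LOGS = [
    "2023-03-01T08:00:01Z host=dc01 src=10.20.5.7 user=a.mueller event=logon_failed",
    "2023-03-01T08:00:03Z host=dc01 src=10.20.5.7 user=b.schmidt event=logon_failed",
    "2023-03-01T08:00:05Z host=dc01 src=10.20.5.7 user=c.weber event=logon_failed",
    "2023-03-01T08:00:07Z host=dc01 src=10.20.5.7 user=d.fischer event=logon_failed",
    "2023-03-01T08:00:09Z host=dc01 src=10.20.5.7 user=e.wagner event=logon_failed",
    "2023-03-01T08:00:30Z host=dc01 src=10.20.5.7 user=e.wagner event=logon_success",
    # One user mistyping a password twice and then succeeding is normal noise.
    "2023-03-01T08:01:00Z host=dc01 src=10.20.9.3 user=f.becker event=logon_failed",
    "2023-03-01T08:01:02Z host=dc01 src=10.20.9.3 user=f.becker event=logon_failed",
    "2023-03-01T08:01:04Z host=dc01 src=10.20.9.3 user=f.becker event=logon_success",
]


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_password_spray(lines, window=timedelta(minutes=5), min_users=5):
    """Emit one alert per source whose failed logons in any window of the
    given length span at least min_users distinct accounts.

    Severity is 'high' when a successful logon from the same source follows
    the burst within the window (the burst likely found a valid password),
    otherwise 'medium'. Thresholds are assumptions for the example.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["event"] == "logon_failed"]
        for i, first in enumerate(failures):
            burst = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in burst}
            if len(users) < min_users:
                continue
            burst_end = burst[-1]["ts"]
            follow_up = next(
                (e for e in evs
                 if e["event"] == "logon_success"
                 and burst_end <= e["ts"] <= burst_end + window),
                None,
            )
            alerts.append({
                "rule": "password_spray",
                "src": src,
                "first_failure": first["ts"].isoformat(),
                "distinct_users": len(users),
                "severity": "high" if follow_up else "medium",
                "success_user": follow_up["user"] if follow_up else None,
            })
            break  # one alert per source; the analyst reviews the whole burst
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOGS):
        print(alert)
```

Run as a script it prints a single high-severity alert for 10.20.5.7 and nothing for 10.20.9.3, which is the point of correlation: individual failed logons are unremarkable, while the combination of many accounts, one source and a following success is what the SOC wants reported early.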

Network Security

In the past, it was common to have different devices, such as servers, PCs and phones, linked to each other in one network. This permitted intruders to move easily between the respective systems and do more damage. To protect against such violations, we will introduce segmented networks, in which all devices are grouped into different IP networks according to their importance or function. Communication between them is only possible through firewalls, which permit only the connections needed between the respective devices.
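An added example (not SARIA's network design or tooling) of how a defender checks a segmentation rule set before deploying it: segments are modelled as nodes and firewall rules as permitted flows, and a breadth-first search computes which segments a device in a given segment could still reach, including over several hops. The segment names, rules and isolation requirements are constructed for the example; the model treats every permitted flow as a possible pivot, which is deliberately pessimistic.

```python
from collections import deque

# Constructed segments for the example.
SEGMENTS = ["workstations", "printers_phones", "app_servers", "db_servers", "plant_control"]

# The old flat network: every device can reach every other device.
FLAT_RULES = [(a, b, "any") for a in SEGMENTS for b in SEGMENTS if a != b]

# A segmented design: default deny, only the required flows are opened.
# Each rule is (source segment, destination segment, service). Constructed.
SEGMENTED_RULES = [
    ("workstations", "app_servers", "tcp/443"),
    ("workstations", "printers_phones", "tcp/9100"),
    ("app_servers", "db_servers", "tcp/5432"),
    ("plant_control", "app_servers", "tcp/443"),  # one-way telemetry upload
]

# Pairs that must not be reachable even indirectly (constructed policy).
ISOLATION_REQUIREMENTS = [
    ("workstations", "plant_control"),
    ("workstations", "db_servers"),
]


def reachable_paths(rules, start):
    """Map each segment reachable from `start` to the shortest hop path,
    following permitted flows in the direction the firewall allows them."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for src, dst, _service in rules:
            if src == current and dst not in paths:
                paths[dst] = paths[current] + [dst]
                queue.append(dst)
    del paths[start]
    return paths


def isolation_violations(rules, requirements):
    """Return (src, dst, path) for every isolation requirement the rule set
    fails to enforce, so the reviewer sees the hop chain that breaks it."""
    found = []
    for src, dst in requirements:
        paths = reachable_paths(rules, src)
        if dst in paths:
            found.append((src, dst, paths[dst]))
    return found


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(f"{label}: reachable from workstations ->",
              reachable_paths(rules, "workstations"))
        print(f"{label}: violations ->", isolation_violations(rules, ISOLATION_REQUIREMENTS))
```

The output shows why reviewing only the direct rules is not enough: the segmented design blocks workstations from plant_control, but workstations still reach db_servers in two hops via app_servers, so the requirement would need either a stricter app_servers to db_servers rule or an additional control on the application tier.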

Secure Web Access

Secure Web Access ensures security when our people access the internet. For example, access to pages with undesirable or unauthorized content can be blocked, and in addition the system checks downloads for viruses and other potential threats.