INFO SECURITY POLICY
FOR EXTERNAL PARTNERS

The purpose of this policy is to outline SKYLOTEC’s requirements towards Information Security at external partners. The rational behind is that our partners process information in the course of their business with SKYLOTEC, which could have sensitive nature and requires sufficient protection from a perspective of information security.

Scope

This policy applies to external partners, whose employees have no direct connection to SKYLOTEC information systems or networks either on-premises or Cloud-based.

! External partners, whose employees have direct connection to SKYLOTEC systems or networks have to adhere to the SKYLOTEC’s Acceptable Use of Information Systems Policy !

Applicable Laws, Regulations, and Industry Standards

ISO 27001:2022

Relevance for this policy: Guidance, definitions

Policy Statements

1. Access & Password

1. User IDs & Passwords

1. Partner ensures, that passwords provided to their users are for their individual use only.
2. Users must not share their login ID(s), account(s), passwords, Personal Identification Numbers (PIN), Security Tokens (i.e. Smartcard), or similar information or devices used for identification and authentication purposes.
3. Providing access to another individual is not allowed.
4. Partner ensures, that all their users employ Multi-Factor-Authentication (MFA) for critical systems like ID management, E-Mail, and VPN, etc.

2. Locking Computers

1. All computers are secured with a password-protected lock screen with the automatic activation.
2. Independent from (1) all users must lock the respective device manually when it will be unattended.

3. Authorized Access

1. Partner ensures, that only those employees and third parties access SKYLOTEC information whose job duties require this access.
2. Letting another person access SKYLOTEC information for which the individual is not authorized is not permitted.

2. System Actuality and Integrity

1. Updating Systems

1. Partner ensures, that their information systems and networks are regularly updated with the latest updates from software & hardware manufacturers.
2. Identified weaknesses and vulnerabilities are remediated in a timely manner by the partner.

2. Malware Control

1. Virus or malware control has to be active at all time. Virus scans must not be deactivated.
2. Virus or malware protection has to be updated on a regular basis.

3. Auditing

1. Partner ensures, that their information systems and networks are regularly audited for weaknesses or vulnerabilities.
2. Identified weaknesses and vulnerabilities are remediated in a timely manner by the partner.

3. Security Incidents

1. Preventing Security Incidents

1. Partner ensures, that their users regularly attend awareness trainings on Information Security (e.g. preventing Cyber Security Attacks, ensuring physical security).

2. Reporting Security Incidents

1. Any security incident (e.g. Cyber Attack, virus) which affect SKYLOTEC information are to be reported immediately to the appropriate SKYLOTEC business contact of the partner.
2. Partner is responsible for promptly reporting the theft, loss, or unauthorized disclosure of SKYLOTEC proprietary information to their SKYLOTEC business contact.
   
   

Neuwied, in May 2025