Pekao Financial Services Sp. z o.o. ensures secure data processing by using multi-level technical and organisational solutions. The Data Security Policy (DSP) adopted by Pekao FS has been developed in cooperation with IBM, the world's recognised leader in IT security, based on the best practices described in the ISO-27001 standard and the Basel Committee's recommendations on dealing with operational risk in the banking sector. Accomplishment of the DSP objectives is supervised by the Data Security Administrator. Further control over the compliance with internal operational procedures and the Policy's objectives is exercised by the Internal Audit Division and the Legal and Compliance Office.

We define security at Pekao Financial Services Sp. z o.o. as ensuring confidentiality, integrity, availability and accountability, which are understood as follows:

• Availability – provision of access to the computer system and its data resources whenever it is needed.
• Integrity – we protect the systems and data against any unauthorised change.
• Confidentiality – data is disclosed only to properly authorised persons and only to the extent of such authorisation.
• Accountability – it is possible to identify unambiguously who is responsible for system and data operations.

• Disaster Recovery Site – in cooperation with IBM, a leader in providing business continuity and recovery services, we have developed and implemented a Business Continuity Plan, and if the provision of our services turns out to be impossible at the existing site, we will be able to continue client care at the Disaster Recovery Site, which is equipped with a few dozen workstations.
• Centrally managed system infrastructure, which enables to eliminate single failure points by using the technology of clusters and mirrored disk arrays.
• Fire safeguards, including an advanced fire-fighting system in the server station.
• Protection against electrical outages by having access to independent sources of power supply.

• Technical and organisational control of access to the system and its data resources.
• Multi-level protection against malicious software.
• Formalised process of making changes to the IT environment which has been developed over many years.
• Central backup system allowing for daily data archiving and quick retrieval of historical data.

• Formalised process of giving access rights to data and programs, supported by system and application software.
• Electronic system for controlling physical access to rooms, supported with an alarm system, round-the-clock building security and CCTV monitoring.
• Separated and properly furnished rooms of the server station.

• System event auditing and logging enabling to reconstruct a history of changes and to ensure system and user monitoring.
• Dedication of personnel to the business and IT operation and use of the systems.