As one of the world’s leading developers and manufacturers of high-precision, application-oriented sealing solutions for the automotive and mechanical engineering industries, KACO is distinguished by its outstanding materials and systems expertise and innovative strength. For this reason, the protection of our confidential data and of the confidential data of our customers is of crucial importance.
The reliable availability of our IT and communications systems is significant to ensure a smooth workflow and availability of data.
In particular, the following should be noted:
Importance of information and communication technologies
Information processing plays a key role in the fulfillment of our tasks. All key strategic and operational functions and tasks are significantly supported by information technology (IT). It must be possible to compensate for a failure of IT systems at short notice. The functionality of each subarea must be maintained. Since our core competence lies in the development of innovative products, the protection of this information against unauthorized access and unauthorized modification is of existential importance. We also attach the same importance to the protection of personal data.
The availability of our data and our IT systems in all technical and commercial areas is secured in such a way that the expected downtimes are reduced to a tolerable minimum. Malfunctions and irregularities in data and IT systems shall be avoided as far as possible and are only acceptable in exceptional cases (integrity). The confidentiality requirements are based on the high level of the applicable laws. The highest confidentiality requirements apply to sensitive personal data and to development or production data.
The standard security measures must be suitable for the protection of the information concerned and, moreover, must be in an economically justifiable relation to the value of the information and IT systems requiring protection. Financial damage due to lack of IT security or high risks to the personal rights and freedoms of persons must be prevented.
All employees of the Company comply with applicable laws (e.g. Criminal Code, Industrial Constitution Act, Commercial Code, Social Code, laws and regulations on data protection) and contractual provisions. All employees are aware that in the event of a legal offence there are serious financial and immaterial consequences for the company and the responsible persons. Any non-fulfillment of duties will be taken seriously and prosecuted. Violations will result in disciplinary action which, depending on the severity of the violation, may lead to extraordinary termination.
All employees and management are aware of their responsibility in dealing with information and communication technologies and support the security strategies to the best of their ability.
Late or incorrect management decisions can have far-reaching consequences. This is why it is important for management to have access to current control data when making important decisions. A high level of security in terms of availability and integrity shall be ensured for this information.
The data protection laws and the interests of our employees require us to ensure the confidentiality of employee data. The data and IT applications of the Human Resources Department are therefore subject to a high level of confidentiality protection. The same applies to the data of our customers and business partners.
Maintaining external communication with customers and business partners and access to the customer database is essential for the Sales Department. Business transactions must not be delayed or even jeopardized. In particular, poor availability of IT systems and data, but also malfunctions, can lead to revenue reductions. The maintenance of communication and the constant access to correct data for the sales staff have a high need for protection.
The data of the Research and Development Department are subject to very high confidentiality requirements. Their loss, alteration or theft can result in competitive disadvantages. Technical measures and the high attention of the employees protect confidentiality and prevent manipulation.
Within the Production Department, the availability and fault-free operation of the systems are ensured, as failures can have a negative impact on product quality and lead to downtimes which can affect subsequent processes and, ultimately, revenues. Failures shall be avoided as far as possible.
It goes without saying that we use the Internet to obtain information and to communicate. E-mail serves as a substitute or supplement for other office communication channels. Appropriate measures are taken to steadily reduce the risks of Internet use.
Information security and data protection management
A security organization has been set up to achieve the information security and data protection objectives. IT security and data protection officers have been appointed. In their function, the representatives report directly to the General Management.
General Management shall provide sufficient financial and time resources to the delegates and administrators to enable them to receive regular training and information and to achieve the information security and data protection objectives set by General Management.
The administrators and the representative shall be adequately supported in their work by the IT users.
The IT security officer must be involved in all projects at an early stage in order to consider security-relevant aspects already in the planning phase. If personal data are concerned, the same applies to the data protection officer.
The IT users have to follow the instructions of the IT security officer or the data protection officer in security-relevant questions.
Responsible persons are appointed for all procedures, data, information, IT applications and IT systems, who assign access authorizations according to the respective protection requirements determined in a cross-functional team.
Representatives are appointed for all responsible functions.
Buildings and premises are protected by appropriate access controls. Access to IT systems is likewise protected by appropriate access controls. A restrictive authorization concept regulates the access to data.
Computer virus protection programs are used on all IT systems. All Internet access is secured by a suitable firewall. The protection programs are configured and administered to provide effective protection and prevent tampering. IT users are encouraged to support these security measures through security-conscious behavior and to report anomalies to the designated contact points.
Despite all security measures, data losses can never be completely ruled out. In such a case a comprehensive data backup ensures that IT operations can be resumed at short notice if parts of the operative data stock are lost or are obviously faulty. Information and data are marked uniformly and stored in such a way that they can be found quickly.
In order to limit or prevent major damage as a result of emergencies, security incidents must be dealt with promptly and consistently. Emergency measures are compiled in a separate emergency precaution concept. Our goal is to maintain critical business processes even in the event of a system failure and to restore the availability of the failed systems within a tolerable period of time.
If IT services are outsourced to external parties, we stipulate specific security requirements in the Service Level Agreements. In addition, we reserve the right to control. For extensive or complex outsourcing projects, we create a detailed security concept with concrete measures.
The regulations on information security and data protection are available to all employees on the Intranet and are regularly taught in training courses. Training courses on the correct use of information and communication technologies and the associated security measures are held regularly for all IT users. The management supports the need-based further education and training.
The management system is regularly checked to ensure that it is up to date and effective. In addition, the safety measures are regularly examined to determine whether they are known to the employees concerned, whether they can be implemented and whether they can be integrated into the operating procedure.
The General Management supports the continuous improvement of the safety level. Employees are encouraged to pass on possible improvement suggestions or indications of weaknesses to the appropriate departments.
The desired level of security and data protection is ensured through continuous revision of the regulations and their compliance. Deviations are analyzed with the aim of improving the security situation and keeping it constantly up to date with the latest IT security technology.