1.1 The following Terms and Conditions represent an agreement between the company INTERSPACE DOOEL Skopje (Address: Bul. Jane Sandanski 109A, kat 3, Skopje, North Macedonia; UTN: MK4043014516919) in the role of service provider (hereinafter “Operator”), and the subject that orders and uses the services (hereinafter “Subscriber”), also hereinafter individually referred to as “Party” or collectively referred to as “Parties”.
1.2. Subject of this agreement is the establishing and ascertaining of the subscriber relation between the Operator and the Subscriber for providing services for hosting of virtual private servers, and the rights and obligations for the parties arising out of it.
1.3 We reserve the right, at our sole discretion, to make changes to these Terms and Conditions by giving the Subscriber prior notification.
2.2 The details of the Services are provided in the order form (hereinafter "Order Form"). The Order Form contains information about the type of service, the amount of service charges and other relevant information about the services. In accordance with this agreement, the Operator shall provide the services selected in the Order Form (hereinafter "Services").
2.3. This agreement is concluded for an unlimited time period unless otherwise agreed.
2.4. This agreement may be terminated at any time, as specified in Article 6 and Article 7. The minimum duration of the agreement is one month.
3.1. Subscriber agrees to pay a monthly fee for the Services specified in the Order Form of this agreement, including value added tax.
3.2. The invoices for the monthly subscription specified in the Article 3.1 of this agreement shall be issued by the Operator and sent to the Subscriber in electronic form on the 1st day of the current month, and they shall become due within 12 days from the date of issue. The invoicing of the Services shall commence from the day when the Services are provisioned. The Operator will calculate and add the amount of VAT 18% which will be written separately, and it shall be paid by the Subscriber.
3.3 In the event of payment delay by the Subscriber, the Operator is entitled to charge a penalty in a form of interest specified by the law, calculated from the day the due date is passed until the payment, and the calculated amount of the penalty will be added to the invoice for the following monthly subscription.
4.1. The Operator may, without consent from the Subscriber, temporarily limit or terminate access to the Services, in the following cases:
4.2. In case of planned technical works, related to the intervention in the network and equipment, the Operator shall deliver information in a timely manner to the Subscriber, stating the reasons for Services unavailability and the expected time for restoration of their functionality.
5.1. The Operator may limit or disconnect the access to its Services for the Subscriber only in case when the Subscriber failed to fulfill its obligations or did not act in accordance with the conditions stated in this agreement. In case of violation of the provisions of this agreement, the Operator should inform the Subscriber, in written manner, and determine a reasonable period for completion of the contractual obligations. The Operator should not inform the Subscriber in advance regarding the limit or disconnection, if by using the Service the Subscriber:
5.2. If technically possible, the Operator shall be entitled to limit access only to those Services for which the Subscriber did not act according to the conditions stated in this Agreement, except in cases of abuse established by the competent body, and continuous delay with payment or non-payment of the bills.
6.1. The Operator may terminate the agreement within a period determined with this agreement, especially:
7.1. The Subscriber may terminate this Agreement at any time upon previously submitted request for cancellation of the Services.
7.2. The Agreement shall be considered terminated as of the last day of the month in which the written request was received. After the termination of this agreement, the Subscriber will be responsible to pay all the costs incurred by him, which are eventually billed with delay or billed, and not paid by the Subscriber.
8.1. The Operator shall have the following rights:
9.1. The Operator shall have the following obligations:
10.1. The Subscriber shall be entitled to:
11.1. The Subscriber shall have the following obligations:
12.1. Except as otherwise expressly set forth herein, the services are provided "as is", and Operator’s liability for damages arising out of or in connection with the performance of the Agreement shall be limited to wilful acts or gross negligence, and to a maximum amount of the monthly service fee per damaging incident. Neither the Operator nor anyone else involved in creating, producing, delivering (including suspending or discontinuing services) or supporting the services shall be liable to the Subscriber, any representative, or any third party for any indirect, incidental, special, punitive or consequential damages arising out of the services or inability to use the Services, including, without limitation, lost revenue, lost profits, loss of technology, rights or services.
12.2. The Operator shall not be held responsible for unlawful usage or abuse of the Services, nor for the contents of the information transmitted, by the Subscriber or other parties.
13.1. The use of the Services may be interrupted by force majeure. Force Majeure shall mean an event independent of the will of the contracting Parties whose performance could not be prevented or foreseen and due to which the fulfillment of the obligations under the Agreement became difficult or impossible, including but not limited to: natural events, social events (strike, riots, war), acts of public authority. The Operator will not bear any liability to the Subscriber due to termination of its services, caused by a Force Majeure Event.
13.2. Neither Party is the agent or legal representative of the other Party, and this Agreement does not create a partnership, joint venture or fiduciary relationship between the Operator and Subscriber. Neither Party shall have any authority to agree for or bind the other Party in any manner whatsoever. This Agreement confers no rights, remedies, or claims of any kind upon any third party, including, without limitation, Subscriber’s subscribers or end-users.
13.3. The communication between the Operator and the Subscriber (notification, invoice, complaint, other type of communication) takes place in writing. Delivery of the written communication is done by personal handover by the Operator/Subscriber or in the electronic form by email. In urgent cases, the Operator may first give only a verbal notice. Such verbal notice shall be followed by a written notification within 1 (one) day at the latest.
13.4. The Subscriber shall contact the Operator at the contact details specified on the web page https://interspace.com/sq/contact. The Operator shall contact the Subscriber at the contact details that the Subscriber entered in the customer control panel My Interspace, which is accessed at the web address https://my.interspace.com. The Subscriber is responsible for the accuracy of the contact details given in My Interspace.
13.5. In case of bankruptcy and liquidation, the Operator is obliged to inform the client by written notice and provide a time frame of thirty (30) days for the customer to retrieve the data from the virtual servers.
14.1. Any disputes between the Parties shall be resolved amicably. If the dispute cannot be resolved in an amicable manner, the Primary Court Skopje II in the Republic of North Macedonia shall be competent. This agreement shall be interpreted in accordance with the positive legal provisions of the Republic of North Macedonia.
14.2. By placing the order using the Order Form, the Subscriber affirms and acknowledges that they have read this agreement in its entirety and agrees to be bound by the provisions thereof.
1. INTRODUCTION
2. MANAGEMENT OF GENERAL SECURITY RISKS
2.1 Basics of risk management
2.1.1. A threat
2.1.2 Vulnerability
2.1.2 Why is it important to manage risk?
2.2 Risk assessment
2.2.1 Quantitative risk assessment
2.2.2 Qualitative risk assessment
2.2.3 Identification of threats
2.2.4 Identifying vulnerabilities
2.2.4 Risk management
3. PROTECTION OF END USERS
3.1 Technical measures
3.1 Stakeholder notification measures during a security incident
3.1.1 Notification by the Operator to the Directorate for Personal Data Protection
3.1.2 Notification from the Operator to the subscriber
4. MAINTAINING NETWORK AVAILABILITY
4.1 Maintenance of high quality and availability of the passive network
4.2 Maintenance of high quality and availability of the active network
4.3 Maintaining availability with an advanced monitoring system
4.4 Maintaining availability with a 24/7 intervention service
4.5 Maintaining Availability Through Redundant Architecture
5. SECURITY AND INTEGRITY OF PERSONAL DATA
5.1 What information is collected
5.2 What the data is used for
5.3 Ensuring security and integrity of personal data
5.3.1 Physical measures
5.3.2 Procedural measures
5.3.3 Technical measures
6. CONTACT INFORMATION
6.1 Name and headquarters of the operator
6.2 Data for the personal data protection officer
6.3 Data for the person responsible for information security and for reporting security breaches
INTERSPACE DOOEL Skopje (hereinafter referred to as "Operator") introduces this security policy in order to properly manage the risks and security of the network and services, as well as the integrity of the network and the continuity of services. In addition, since the Operator cooperates in part of its operations with companies based in the EU, through this security policy it aims to harmonize its operations with the regulations and guidelines of the European Union (hereinafter referred to as "EU"), especially in the section for a secure information society and strengthening the security and resilience of vital infrastructures for information and communication technologies.
Through this security policy, it is necessary to achieve the following goals:
In terms of network security and integrity (and service continuity), the aim is to ensure the following points:
In terms of security when processing personal data, the goal is to ensure the following points:
The security policy will be specified in several chapters, namely:
2.1 Basics of risk management
In the context of security in information and communication technologies ("ICT"), risk management is a process of knowing and reacting to factors that cause loss of privacy, integrity and availability of systems. Risk in ICT systems represents potential damage that may occur to a certain process or information that is part of that process, as a result of intentional or unintentional activity. Risk can be represented as a function of the probability of the occurrence of a certain threat to the realization of a certain potential vulnerability, and the consequence that may arise as a result of that event.
2.1.1. A threat
A threat is the potential for the emergence of a source of threat that can intentionally or unintentionally cause a specific vulnerability. A threat source can be: a) an activity or method aimed at intentionally exploiting a vulnerability, or b) a situation or method that may accidentally cause a vulnerability.
A threat can be presented simply as the potential to exploit a particular vulnerability. Threats in themselves are not an activity. Threats become hazards when combined with a source of threat. This distinction is important to make in risk assessment and management, as each source of threat may be associated with a different environment.
2.1.2 Vulnerability
A vulnerability is defined as a flaw or weakness in system security procedures, design and implementation, or in internal controls that can be intentionally or unintentionally disrupted, resulting in a security breach. A vulnerability can be a flaw or weakness in all aspects of ICT systems.
Vulnerabilities do not always refer to technical protections provided by technical systems. Significant vulnerabilities may also exist in standard operating procedures performed by administrators. For example, the password reset procedure or inappropriate reading of logs by technical support.
2.1.2 Why is it important to manage risk?
The primary objectives of risk management are:
According to the above, risk management is a management-level function, not just a technical function. Understanding the need for risk management allows the Operator to protect and preserve the users of its ICT systems, which in the long run affects the Operator's survival in the market.
2.2 Risk assessment
The risk is assessed through a) identification of threats and vulnerabilities, and b) determination of the probability of occurrence and the consequences of its occurrence. The basic risk assessment process is explained below.
2.2.1 Quantitative risk assessment
Quantitative risk assessment involves assigning values to information, systems, business processes, repair costs, etc., due to which consequences and risks can be measured in direct and indirect costs. Quantitative risk can be mathematically expressed as annual probability of loss, and it represents the expected financial loss due to a certain risk that may occur in a period of one year. The mathematical formula is as follows:
Annual probability of loss = Probability of one occurrence * Annual occurrence rate
2.2.2 Qualitative risk assessment
Qualitative risk assessment assumes that there is a level of uncertainty in determining the probability of occurrence and the consequences of the risk, whereby the probability of risk and consequences are defined through qualitative data, rather than exclusively based on quantitative data.
In general, the qualitative risk assessment results in placing the risk in one of these three levels: high, medium, low. Placing the risk within one of these three levels makes it easy to communicate the risk assessment across the responsible structures of the Operator.
2.2.3 Identification of threats
In order to make an adequate assessment of the risk, it is necessary to identify the threats as well as the sources of the threats. The list below includes a specification of general threats and threat sources.
Name/Description:
Power outage:
Deliberate data alteration: Deliberate modification, addition or deletion of data, by an authorized or unauthorized person, which compromises the privacy, availability or integrity of data generated, processed, controlled or stored in data processing systems.
System error:
Telecommunications failure or outage:
Works of nature:
2.2.4 Identifying vulnerabilities
The following methods are used to identify vulnerabilities:
In addition, a list of vulnerabilities is made that are always examined during each risk assessment, thus allowing a minimum level of consistency in the assessment. Also, the vulnerabilities that are revealed in a previous assessment of ICT systems are included in future assessment processes. This way of acting makes it possible to know better the ways of risk management that were effective.
When generating the list of possible vulnerabilities, the Operator consults the archives of known vendors for records of vulnerabilities, namely:
2.2.4 Risk management
Two basic risk management strategies are used: mitigation and avoidance. They are explained below:
The operator uses procedures described in chapter 2 for risk management, in order to prevent incidents that can lead to interruption and abuse of the line that users use for electronic communication.
In addition, the Operator applies the following measures regarding the protection of end users:
3.1 Technical measures
The following measures are applied to protect end users:
3.1 Stakeholder notification measures during a security incident
A security incident is a breach of security that has a significant impact on the operation of an electronic communications network or service. In the event of a security incident that had a significant impact on the functioning of the networks or services, the Operator sends a notification about it to the interested parties and carries out the activities that operators should undertake in the event of a violation of the security of personal data.
These notices cover the following parties:
3.1.1 Notification by the Operator to the Directorate for Personal Data Protection
The operator sends a notification to the Directorate for Personal Data Protection immediately, but no later than 24 hours from the moment of security breach or loss of integrity that had a significant impact on the functioning of networks or services. The notification is delivered electronically to the following email [email protected]. The attachment in the e-mail is delivered with an electronic signature by the responsible person of the Operator.
3.1.2 Notification from the Operator to the subscriber
If the violation of the security of personal data may negatively affect the personal data or privacy of the subscriber or another natural person, the Operator additionally informs the respective subscriber (legal or natural person).
In order to better serve users, the Operator is fully committed to ensuring stability and consistent quality of services. Within this commitment, the Operator makes every effort to ensure constant availability of the Services. The measures and practices described below, which the Operator uses, directly and/or indirectly affect the provision of high availability of services. Using such practices in the passive segment of the network leads to a high percentage of availability and a reduced probability of service interruption.
4.1 Maintenance of high quality and availability of the passive network
Each fiber optic connection is made through a fusion splice and verified by OTDR tests. Mechanical splices are not used because they have a short lifespan and increase the chances of failure. Persons responsible for maintaining the passive network make regular field inspections of the network to ensure that it is in a functional state.
Each subscriber is connected with a point-to-point architecture, where xPON technology and optical splitters are not used. Avoiding optical splitters reduces the likelihood of failure, as there are fewer "links in the chain" that can cause failure.
4.2 Maintenance of high quality and availability of the active network
The operator uses exclusively Ethernet technology for the delivery of services. Lines are verified with the internationally standardized RFC2544 Ethernet test, reducing the chances of overlooking a poorly constructed link when putting the line into service.
4.3 Maintaining availability with an advanced monitoring system
The operator uses a 24/7 constantly active monitoring system for the interconnection links, for the core of the network, and for every interface that leads to a subscriber. The monitoring system performs deep analyses of the links down to the lowest level of verification, and immediately informs the services that are currently responsible for technical support.
In terms of checks for links to the global Internet, the following automated tests are performed every minute:
In terms of link checks for the Operator's network core ("Core"), the following automated tests are performed every minute:
In terms of line checks for each subscriber, the following automated tests are performed every minute:
In case of detection of a warning or line failure, including a reduced level of light that may occur due to bending of an optical cable, the monitoring system immediately sends an alarm to the responsible persons, who immediately proceed to investigate and solve the problem.
4.4 Maintaining availability with a 24/7 intervention service
The operator provides a 24/7 technical support service. This service uses the 24/7 constantly active monitoring system described in chapter 4.3 for insight into and reaction to interruptions and failures of services, and to warning signs that can lead to interruptions and failures. If necessary, the technical support service engages field personnel, who are available 24/7, to repair a fault in the passive or active segment of the network.
4.5 Maintaining Availability Through Redundant Architecture
Our network in Macedonia is based on multiple points of presence, which are protected by geographically independent and protected (redundant) links to the core. They are strategically placed to be as close as possible to subscribers in order to reduce the likelihood.
The operator is committed to the protection of personal data. The necessary information for personal identification is explained below, as well as the way of ensuring its security and integrity. By the term personally identifiable information we mean information that can be used to identify a person.
5.1 What information is collected
We collect and process the following personally identifiable data:
5.2 What the data is used for
We take the privacy of our users seriously, fully respecting the subscriber's right to privacy. Personally identifiable information will be collected, processed, stored for the following purposes:
5.3 Ensuring security and integrity of personal data
We have in place reasonable physical, technical and organizational measures designed to provide an environment where personal information is secured against accidental loss or unauthorized access. Security measures are in place to ensure protection against the loss, misuse or modification of information under our control. It should be noted that technology, no matter how advanced, becomes vulnerable over time, which is why it cannot be 100% guaranteed that unauthorized third parties will never be able to break through the security measures and use such a breach for inappropriate purposes.
The operator uses the following measures to ensure the security and integrity of personal data.
5.3.1 Physical measures
Physical measures refer to protection measures in terms of theft, intrusion or other unauthorized access to the Operator's facilities, network and other technology. Physical measures are given below:
The Operator's facilities where personal data are stored or accessed are restricted to authorized persons only.
5.3.2 Procedural measures
Procedural measures are specified in the list below:
5.3.3 Technical measures
The technical measures are specified in the list below:
6.1 Name and headquarters of the operator
INTERSPACE D.O.O.E.L. SKOPJE
Blvd. Jane Sandanski 109A, floor 3, 1000 Skopje
6.2 Data for the personal data protection officer
Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016
6.3 Data for the person responsible for information security and for reporting security breaches
Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016
1.1 The following Terms and Conditions represent an agreement between the company INTERSPACE DOOEL Skopje (Address: Bul. Jane Sandanski 109A, kat 3, Skopje, North Macedonia; UTN: MK4043014516919) in the role of service provider (hereinafter “Operator”), and the subject that orders and uses the services (hereinafter “Subscriber”), also hereinafter individually referred to as “Party” or collectively referred to as “Parties”.
1.2. Subject of this agreement is the establishing and ascertaining of the subscriber relation between the Operator and the Subscriber for providing services for hosting of Cloud VPN system, and the rights and obligations for the parties arising out of it.
1.3 We reserve the right, at our sole discretion, to make changes to these Terms and Conditions by giving the Subscriber prior notification.
2.2 The details of the Services are provided in the order form (hereinafter "Order Form"). The Order Form contains information about the type of service, the amount of service charges and other relevant information about the services. In accordance with this agreement, the Operator shall provide the services selected in the Order Form (hereinafter "Services").
2.3. This agreement is concluded for an unlimited time period unless otherwise agreed.
2.4. This agreement may be terminated at any time, as specified in Article 6 and Article 7. The minimum duration of the agreement is one month.
3.1. Subscriber agrees to pay a monthly fee for the Services specified in the Order Form of this agreement, including value added tax.
3.2. The invoices for the monthly subscription specified in the Article 3.1 of this agreement shall be issued by the Operator and sent to the Subscriber in electronic form on the 1st day of the current month, and they shall become due within 12 days from the date of issue. The invoicing of the Services shall commence from the day when the Services are provisioned. The Operator will calculate and add the amount of VAT 18% which will be written separately, and it shall be paid by the Subscriber.
3.3 In the event of payment delay by the Subscriber, the Operator is entitled to charge a penalty in a form of interest specified by the law, calculated from the day the due date is passed until the payment, and the calculated amount of the penalty will be added to the invoice for the following monthly subscription.
4.1. The Operator may, without consent from the Subscriber, temporarily limit or terminate access to the Services, in the following cases:
4.2. In case of planned technical works, related to the intervention in the network and equipment, the Operator shall deliver information in a timely manner to the Subscriber, stating the reasons for Services unavailability and the expected time for restoration of their functionality.
5.1. The Operator may limit or disconnect the access to its Services for the Subscriber only in case when the Subscriber failed to fulfill its obligations or did not act in accordance with the conditions stated in this agreement. In case of violation of the provisions of this agreement, the Operator should inform the Subscriber, in written manner, and determine a reasonable period for completion of the contractual obligations. The Operator should not inform the Subscriber in advance regarding the limit or disconnection, if by using the Service the Subscriber:
5.2. If technically possible, the Operator shall be entitled to limit access only to those Services for which the Subscriber did not act according to the conditions stated in this Agreement, except in cases of abuse established by the competent body, and continuous delay with payment or non-payment of the bills.
6.1. The Operator may terminate the agreement within a period determined with this agreement, especially:
7.1. The Subscriber may terminate this Agreement at any time upon previously submitted request for cancellation of the Services.
7.2. The Agreement shall be considered terminated as of the last day of the month in which the written request was received. After the termination of this agreement, the Subscriber will be responsible to pay all the costs incurred by him, which are eventually billed with delay or billed, and not paid by the Subscriber.
8.1. The Operator shall have the following rights:
9.1. The Operator shall have the following obligations:
10.1. The Subscriber shall be entitled to:
11.1. The Subscriber shall have the following obligations:
12.1. Except as otherwise expressly set forth herein, the services are provided "as is", and Operator’s liability for damages arising out of or in connection with the performance of the Agreement shall be limited to wilful acts or gross negligence, and to a maximum amount of the monthly service fee per damaging incident. Neither the Operator nor anyone else involved in creating, producing, delivering (including suspending or discontinuing services) or supporting the services shall be liable to the Subscriber, any representative, or any third party for any indirect, incidental, special, punitive or consequential damages arising out of the services or inability to use the Services, including, without limitation, lost revenue, lost profits, loss of technology, rights or services.
12.2. The Operator shall not be held responsible for unlawful usage or abuse of the Services, nor for the contents of the information transmitted, by the Subscriber or other parties.
13.1. The use of the Services may be interrupted by force majeure. Force Majeure shall mean an event independent of the will of the contracting Parties whose performance could not be prevented or foreseen and due to which the fulfillment of the obligations under the Agreement became difficult or impossible, including but not limited to: natural events, social events (strike, riots, war), acts of public authority. The Operator will not bear any liability to the Subscriber due to termination of its services, caused by a Force Majeure Event.
13.2. Neither Party is the agent or legal representative of the other Party, and this Agreement does not create a partnership, joint venture or fiduciary relationship between the Operator and Subscriber. Neither Party shall have any authority to agree for or bind the other Party in any manner whatsoever. This Agreement confers no rights, remedies, or claims of any kind upon any third party, including, without limitation, Subscriber’s subscribers or end-users.
13.3. The communication between the Operator and the Subscriber (notification, invoice, complaint, other type of communication) takes place in writing. Delivery of the written communication is done by personal handover by the Operator/Subscriber or in the electronic form by email. In urgent cases, the Operator may first give only a verbal notice. Such verbal notice shall be followed by a written notification within 1 (one) day at the latest.
13.4. The Subscriber shall contact the Operator at the contact details specified on the web page https://interspace.com/sq/contact. The Operator shall contact the Subscriber at the contact details that the Subscriber entered in the customer control panel My Interspace, which is accessed at the web address https://my.interspace.com. The Subscriber is responsible for the accuracy of the contact details given in My Interspace.
14.1. Any disputes between the Parties shall be resolved amicably. If the dispute cannot be resolved in an amicable manner, the Primary Court Skopje II in the Republic of North Macedonia shall be competent. This agreement shall be interpreted in accordance with the positive legal provisions of the Republic of North Macedonia.
14.2. By placing the order using the Order Form, the Subscriber affirms and acknowledges that they have read this agreement in its entirety and agrees to be bound by the provisions thereof.
1. INTRODUCTION
2. MANAGEMENT OF GENERAL SECURITY RISKS
2.1 Basics of risk management
2.1.1. A threat
2.1.2 Vulnerability
2.1.2 Why is it important to manage risk?
2.2 Risk assessment
2.2.1 Quantitative risk assessment
2.2.2 Qualitative risk assessment
2.2.3 Identification of threats
2.2.4 Identifying vulnerabilities
2.2.4 Risk management
3. PROTECTION OF END USERS
3.1 Technical measures
3.1 Stakeholder notification measures during a security incident
3.1.1 Notification by the Operator to the Directorate for Personal Data Protection
3.1.2 Notification from the Operator to the subscriber
4. MAINTAINING NETWORK AVAILABILITY
4.1 Maintenance of high quality and availability of the passive network
4.2 Maintenance of high quality and availability of the active network
4.3 Maintaining availability with an advanced monitoring system
4.4 Maintaining availability with a 24/7 intervention service
4.5 Maintaining Availability Through Redundant Architecture
5. SECURITY AND INTEGRITY OF PERSONAL DATA
5.1 What information is collected
5.2 What the data is used for
5.3 Ensuring security and integrity of personal data
5.3.1 Physical measures
5.3.2 Procedural measures
5.3.3 Technical measures
6. CONTACT INFORMATION
6.1 Name and headquarters of the operator
6.2 Data for the personal data protection officer
6.3 Data for the person responsible for information security and for reporting security breaches
INTERSPACE DOOEL Skopje (hereinafter referred to as "Operator") introduces this security policy in order to properly manage the risks and security of the network and services, as well as the integrity of the network and the continuity of services. In addition, since the Operator cooperates in part of its operations with companies based in the EU, through this security policy it aims to harmonize its operations with the regulations and guidelines of the European Union (hereinafter referred to as "EU"), especially in the section for a secure information society and strengthening the security and resilience of vital infrastructures for information and communication technologies.
Through this security policy, it is necessary to achieve the following goals:
In terms of network security and integrity (and service continuity), the aim is to ensure the following points:
In terms of security when processing personal data, the goal is to ensure the following points:
The security policy will be specified in several chapters, namely:
2.1 Basics of risk management
In the context of security in information and communication technologies ("ICT"), risk management is a process of knowing and reacting to factors that cause loss of privacy, integrity and availability of systems. Risk in ICT systems represents potential damage that may occur to a certain process, or to information that is part of that process, as a result of intentional or unintentional activity. Risk can be represented as a function of the probability that a certain threat realizes a certain potential vulnerability, and of the consequence that may arise as a result of that event.
2.1.1. A threat
A threat is the potential for the emergence of a source of threat that can intentionally or unintentionally cause a specific vulnerability. A threat source can be: a) an activity or method aimed at intentionally exploiting a vulnerability, or b) a situation or method that may accidentally cause a vulnerability.
A threat can be presented simply as the potential to exploit a particular vulnerability. Threats in themselves are not an activity. Threats become hazards when combined with a source of threat. This distinction is important to make in risk assessment and management, as each source of threat may be associated with a different environment.
2.1.2 Vulnerability
A vulnerability is defined as a flaw or weakness in system security procedures, design and implementation, or in internal controls that can be intentionally or unintentionally disrupted, resulting in a security breach. A vulnerability can be a flaw or weakness in all aspects of ICT systems.
Vulnerabilities do not always refer to technical protections provided by technical systems. Significant vulnerabilities may also exist in standard operating procedures performed by administrators, for example the password reset procedure or inappropriate reading of logs by technical support.
2.1.2 Why is it important to manage risk?
The primary objectives of risk management are:
According to the above, risk management is a management-level function, not just a technical function. Understanding the need for risk management allows the Operator to protect and preserve the users of its ICT systems, which in the long run affects the Operator's survival in the market.
2.2 Risk assessment
The risk is assessed through a) identification of threats and vulnerabilities, and b) determination of the probability of occurrence and the consequences of its occurrence. The basic risk assessment process is explained below.
2.2.1 Quantitative risk assessment
Quantitative risk assessment involves assigning values to information, systems, business processes, repair costs, etc., due to which consequences and risks can be measured in direct and indirect costs. Quantitative risk can be mathematically expressed as annual probability of loss, and it represents the expected financial loss due to a certain risk that may occur in a period of one year. The mathematical formula is as follows:
Annual probability of loss = Probability of one occurrence * Annual occurrence rate
2.2.2 Qualitative risk assessment
Qualitative risk assessment assumes that there is a level of uncertainty in determining the probability of occurrence and the consequences of the risk, whereby the probability of risk and consequences are defined through qualitative data, rather than exclusively based on quantitative data.
In general, the qualitative risk assessment results in placing the risk in one of these three levels: high, medium, low. Placing the risk within one of these three levels makes it easy to communicate the risk assessment across the responsible structures of the Operator.
2.2.3 Identification of threats
In order to make an adequate assessment of the risk, it is necessary to identify the threats as well as the sources of the threats. The list below includes a specification of general threats and threat sources.
Name/Description:
Power outage:
Deliberate data alteration: Deliberate modification, addition or deletion of data, by an authorized or unauthorized person, which compromises the privacy, availability or integrity of data generated, processed, controlled or stored in data processing systems.
System error:
Telecommunications failure or outage:
Works of nature:
2.2.4 Identifying vulnerabilities
The following methods are used to identify vulnerabilities:
In addition, a list of vulnerabilities is made that are always examined during each risk assessment, thus allowing a minimum level of consistency in the assessment. Also, the vulnerabilities that are revealed in a previous assessment of ICT systems are included in future assessment processes. This way of acting makes it possible to know better the ways of risk management that were effective.
When generating the list of possible vulnerabilities, the Operator consults the archives of known vendors for records of vulnerabilities, namely:
2.2.4 Risk management
Two basic risk management strategies are used: mitigation and avoidance. They are explained below:
The operator uses procedures described in chapter 2 for risk management, in order to prevent incidents that can lead to interruption and abuse of the line that users use for electronic communication.
In addition, the Operator applies the following measures regarding the protection of end users:
3.1 Technical measures
The following measures are applied to protect end users:
3.1 Stakeholder notification measures during a security incident
A security incident is a breach of security that has a significant impact on the operation of an electronic communications network or service. In the event of a security incident that had a significant impact on the functioning of the networks or services, the Operator sends a notification about it to the interested parties and undertakes the activities that operators should take in the event of a violation of the security of personal data.
These notices cover the following parties:
3.1.1 Notification by the Operator to the Directorate for Personal Data Protection
The operator sends a notification to the Directorate for Personal Data Protection immediately, but no later than 24 hours from the moment of security breach or loss of integrity that had a significant impact on the functioning of networks or services. The notification is delivered electronically to the following email [email protected]. The attachment in the e-mail is delivered with an electronic signature by the responsible person of the Operator.
3.1.2 Notification from the Operator to the subscriber
If the violation of the security of personal data may negatively affect the personal data or privacy of the subscriber or another natural person, the Operator additionally informs the respective subscriber (legal or natural person).
In order to better serve users, the Operator is fully committed to ensuring stability and consistent quality of services. Within this commitment, the Operator makes every effort to ensure constant availability of the Services. The Operator uses the measures and practices described below, which directly and/or indirectly affect the provision of high availability of services. Using such practices in the passive segment of the network leads to a high percentage of availability and a reduced probability of service interruption.
4.1 Maintenance of high quality and availability of the passive network
Each fiber optic connection is made through a fusion splice and verified by OTDR tests. Mechanical splices are not used because they have a short lifespan and increase the chances of failure. Persons responsible for maintaining the passive network make regular field inspections of the network to ensure that it is in a functional state.
Each subscriber is connected with a point-to-point architecture, where xPON technology and optical splitters are not used. Avoiding optical splitters reduces the likelihood of failure, as there are fewer "links in the chain" that can cause failure.
4.2 Maintenance of high quality and availability of the active network
The operator uses exclusively Ethernet technology for the delivery of services. Lines are verified with the internationally standardized RFC2544 Ethernet test, reducing the chances of overlooking a poorly constructed link when putting the line into service.
4.3 Maintaining availability with an advanced monitoring system
The Operator uses a 24/7 constantly active monitoring system for the interconnection links, for the core of the network, and for every interface that leads to a subscriber. The monitoring system performs deep analyses of the links down to the lowest level of verification, and immediately informs the services that are currently responsible for technical support.
In terms of checks for links to the global Internet, the following automated tests are performed every minute:
In terms of link checks for the Operator's network core ("Core"), the following automated tests are performed every minute:
In terms of line checks for each subscriber, the following automated tests are performed every minute:
In case of detection of a warning or line failure, including a reduced level of light that may occur due to bending of an optical cable, the monitoring system immediately sends an alarm to the responsible persons, who immediately proceed to investigate and solve the problem.
4.4 Maintaining availability with a 24/7 intervention service
The Operator provides a 24/7 technical support service. This service uses the 24/7 constantly active monitoring system described in chapter 4.3 for insight into and reaction to interruptions and failures of services, as well as warning signs that can lead to interruptions and failures. If necessary, the technical support service engages field personnel, who are available 24/7, to repair a fault in the passive or active segment of the network.
4.5 Maintaining Availability Through Redundant Architecture
Our network in Macedonia is based on multiple points of presence, which are protected by geographically independent and protected (redundant) links to the core. They are strategically placed to be as close as possible to subscribers in order to reduce the likelihood.
The operator is committed to the protection of personal data. The necessary information for personal identification is explained below, as well as the way of ensuring its security and integrity. By the term personally identifiable information we mean information that can be used to identify a person.
5.1 What information is collected
We collect and process the following personally identifiable data:
5.2 What the data is used for
We take the privacy of our users seriously, fully respecting the subscriber's right to privacy. Personally identifiable information will be collected, processed, stored for the following purposes:
5.3 Ensuring security and integrity of personal data
We have in place reasonable physical, technical and organizational measures designed to provide an environment where personal information is secured against accidental loss or unauthorized access. Security measures are in place to ensure protection against the loss, misuse or modification of information under our control. It should be noted that technology, no matter how advanced, becomes vulnerable over time, which is why it cannot be 100% guaranteed that unauthorized third parties will never be able to break through the security measures and use such a breach for inappropriate purposes.
The operator uses the following measures to ensure the security and integrity of personal data.
5.3.1 Physical measures
Physical measures refer to protection measures in terms of theft, intrusion or other unauthorized access to the Operator's facilities, network and other technology. Physical measures are given below:
The Operator's facilities where personal data are stored or accessed are restricted to authorized persons only.
5.3.2 Procedural measures
Procedural measures are specified in the list below:
5.3.3 Technical measures
The technical measures are specified in the list below:
6.1 Name and headquarters of the operator
INTERSPACE D.O.O.E.L. SKOPJE
Blvd. Jane Sandanski 109A, floor 3, 1000 Skopje
6.2 Data for the personal data protection officer
Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016
6.3 Data for the person responsible for information security and for reporting security breaches
Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016
1.1 The following Terms and Conditions represent an agreement between the company INTERSPACE DOOEL Skopje (Address: Bul. Jane Sandanski 109A, kat 3, Skopje, North Macedonia; UTN: MK4043014516919) in a role of a service provider (hereinafter “Operator”), and the subject that orders and uses the services (hereinafter “Subscriber”), also hereinafter individually referred to as “Party” or collectively referred to as “Parties”.
1.2. Subject of this agreement is the establishing and ascertaining of the subscriber relation between the Operator and the Subscriber for providing services for hosting of Cloud NAT Gateway system, and the rights and obligations for the parties arising out of it.
1.3 We reserve the right, at our sole discretion, to make changes to these Terms and Conditions by giving the Subscriber prior notification.
2.2 The details of the Services are provided in the order form (hereinafter "Order Form"). The Order Form contains information about the type of service, the amount of service charges and other relevant information about the services. In accordance with this agreement, the Operator shall provide the services selected in the Order Form (hereinafter "Services").
2.3. This agreement is concluded for an unlimited time period unless otherwise agreed.
2.4. This agreement may be terminated at any time, as specified in Article 6 and Article 7. The minimum duration of the agreement is one month.
3.1. Subscriber agrees to pay a monthly fee for the Services specified in the Order Form of this agreement, including value added tax.
3.2. The invoices for the monthly subscription specified in the Article 3.1 of this agreement shall be issued by the Operator and sent to the Subscriber in electronic form on the 1st day of the current month, and they shall become due within 12 days from the date of issue. The invoicing of the Services shall commence from the day when the Services are provisioned. The Operator will calculate and add the amount of VAT 18% which will be written separately, and it shall be paid by the Subscriber.
3.3 In the event of payment delay by the Subscriber, the Operator is entitled to charge a penalty in a form of interest specified by the law, calculated from the day the due date is passed until the payment, and the calculated amount of the penalty will be added to the invoice for the following monthly subscription.
4.1. The Operator may, without consent from the Subscriber, temporarily limit or terminate access to the Services, in the following cases:
4.2. In case of planned technical works, related to the intervention in the network and equipment, the Operator shall deliver information in a timely manner to the Subscriber, stating the reasons for Services unavailability and the expected time for restoration of their functionality.
5.1. The Operator may limit or disconnect the access to its Services for the Subscriber only in case when the Subscriber failed to fulfill its obligations or did not act in accordance with the conditions stated in this agreement. In case of violation of the provisions of this agreement, the Operator should inform the Subscriber, in written manner, and determine a reasonable period for completion of the contractual obligations. The Operator should not inform the Subscriber in advance regarding the limit or disconnection, if by using the Service the Subscriber:
5.2. If technically possible, the Operator shall be entitled to limit access only to those Services for which the Subscriber did not act according to the conditions stated in this Agreement, except in cases of abuse established by the competent body, and continuous delay with payment or non-payment of the bills.
6.1. The Operator may terminate the agreement within a period determined with this agreement, especially:
7.1. The Subscriber may terminate this Agreement at any time upon previously submitted request for cancellation of the Services.
7.2. The Agreement shall be considered terminated as of the last day of the month in which the written request was received. After the termination of this agreement, the Subscriber will be responsible to pay all the costs incurred by him, which are eventually billed with delay or billed, and not paid by the Subscriber.
8.1. The Operator shall have the following rights:
9.1. The Operator shall have the following obligations:
10.1. The Subscriber shall be entitled to:
11.1. The Subscriber shall have the following obligations:
12.1. Except as otherwise expressly set forth herein, the services are provided "as is", and Operator’s liability for damages arising out of or in connection with the performance of the Agreement shall be limited to wilful acts or gross negligence, and to a maximum amount of the monthly service fee per damaging incident. Neither the Operator nor anyone else involved in creating, producing, delivering (including suspending or discontinuing services) or supporting the services shall be liable to the Subscriber, any representative, or any third party for any indirect, incidental, special, punitive or consequential damages arising out of the services or inability to use the Services, including, without limitation, lost revenue, lost profits, loss of technology, rights or services.
12.2. The Operator shall not be held responsible for unlawful usage or abuse of the Services, nor for the contents of the information transmitted, by the Subscriber or other parties.
13.1. The use of the Services may be interrupted by force majeure. Force Majeure shall mean an event independent of the will of the contracting Parties whose performance could not be prevented or foreseen and due to which the fulfillment of the obligations under the Agreement became difficult or impossible, including but not limited to: natural events, social events (strike, riots, war), acts of public authority. The Operator will not bear any liability to the Subscriber due to termination of its services, caused by a Force Majeure Event.
13.2. Neither Party is the agent or legal representative of the other Party, and this Agreement does not create a partnership, joint venture or fiduciary relationship between the Operator and Subscriber. Neither Party shall have any authority to agree for or bind the other Party in any manner whatsoever. This Agreement confers no rights, remedies, or claims of any kind upon any third party, including, without limitation, Subscriber’s subscribers or end-users.
13.3. The communication between the Operator and the Subscriber (notification, invoice, complaint, other type of communication) takes place in writing. Delivery of the written communication is done by personal handover by the Operator/Subscriber or in the electronic form by email. In urgent cases, the Operator may first give only a verbal notice. Such verbal notice shall be followed by a written notification within 1 (one) day at the latest.
13.4. The Subscriber shall contact the Operator at the contact details specified on the web page https://interspace.com/sq/contact. The Operator shall contact the Subscriber at the contact details that the Subscriber entered in the customer control panel My Interspace, which is accessed at the web address https://my.interspace.com. The Subscriber is responsible for the accuracy of the contact details given in My Interspace.
14.1. Any disputes between the Parties shall be resolved amicably. If the dispute cannot be resolved in an amicable manner, the Primary Court Skopje II in the Republic of North Macedonia shall be competent. This agreement shall be interpreted in accordance with the positive legal provisions of the Republic of North Macedonia.
14.2. By placing the order using the Order Form, the Subscriber affirms and acknowledges that they have read this agreement in its entirety and agree to be bound by the provisions thereof.
1. INTRODUCTION
2. MANAGEMENT OF GENERAL SECURITY RISKS
2.1 Basics of risk management
2.1.1. A threat
2.1.2 Vulnerability
2.1.2 Why is it important to manage risk?
2.2 Risk assessment
2.2.1 Quantitative risk assessment
2.2.2 Qualitative risk assessment
2.2.3 Identification of threats
2.2.4 Identifying vulnerabilities
2.2.4 Risk management
3. PROTECTION OF END USERS
3.1 Technical measures
3.1 Stakeholder notification measures during a security incident
3.1.1 Notification by the Operator to the Directorate for Personal Data Protection
3.1.2 Notification from the Operator to the subscriber
4. MAINTAINING NETWORK AVAILABILITY
4.1 Maintenance of high quality and availability of the passive network
4.2 Maintenance of high quality and availability of the active network
4.3 Maintaining availability with an advanced monitoring system
4.4 Maintaining availability with a 24/7 intervention service
4.5 Maintaining Availability Through Redundant Architecture
5. SECURITY AND INTEGRITY OF PERSONAL DATA
5.1 What information is collected
5.2 What the data is used for
5.3 Ensuring security and integrity of personal data
5.3.1 Physical measures
5.3.2 Procedural measures
5.3.3 Technical measures
6. CONTACT INFORMATION
6.1 Name and headquarters of the operator
6.2 Data for the personal data protection officer
6.3 Data for the person responsible for information security and for reporting security breaches
INTERSPACE DOOEL Skopje (hereinafter referred to as "Operator") introduces this security policy in order to properly manage the risks and security of the network and services, as well as the integrity of the network and the continuity of services. In addition, since the Operator cooperates in part of its operations with companies based in the EU, through this security policy it aims to harmonize its operations with the regulations and guidelines of the European Union (hereinafter referred to as "EU"), especially in the section for a secure information society and strengthening the security and resilience of vital infrastructures for information and communication technologies.
Through this security policy, it is necessary to achieve the following goals:
In terms of network security and integrity (and service continuity), the aim is to ensure the following points:
In terms of security when processing personal data, the goal is to ensure the following points:
The security policy will be specified in several chapters, namely:
2.1 Basics of risk management
In the context of security in information and communication technologies ("ICT"), risk management is a process of knowing and reacting to factors that cause loss of privacy, integrity and availability of systems. Risk in ICT systems represents potential damage that may occur to a certain process or information that is part of that process, as a result of intentional or unintentional activity. Risk can be represented as a function of the probability of the occurrence of a certain threat to the realization of a certain potential vulnerability, and the consequence that may arise as a result of that event.
2.1.1. A threat
A threat is the potential for the emergence of a source of threat that can intentionally or unintentionally cause a specific vulnerability. A threat source can be: a) an activity or method aimed at intentionally exploiting a vulnerability, or b) a situation or method that may accidentally cause a vulnerability.
A threat can be presented simply as the potential to exploit a particular vulnerability. Threats in themselves are not an activity. Threats become hazards when combined with a source of threat. This distinction is important to make in risk assessment and management, as each source of threat may be associated with a different environment.
2.1.2 Vulnerability
A vulnerability is defined as a flaw or weakness in system security procedures, design and implementation, or in internal controls that can be intentionally or unintentionally disrupted, resulting in a security breach. A vulnerability can be a flaw or weakness in all aspects of ICT systems.
Vulnerabilities do not always refer to technical protections provided by technical systems. Significant vulnerabilities may also exist in standard operating procedures performed by administrators. For example, the password reset procedure or inappropriate reading of logs by technical support.
2.1.2 Why is it important to manage risk?
The primary objectives of risk management are:
According to the above, risk management is a management-level function, not just a technical function. Understanding the need for risk management allows the Operator to protect and preserve the users of its ICT systems, which in the long run affects the Operator's survival in the market.
2.2 Risk assessment
The risk is assessed through a) identification of threats and vulnerabilities, and b) determination of the probability of occurrence and the consequences of its occurrence. The basic risk assessment process is explained below.
2.2.1 Quantitative risk assessment
Quantitative risk assessment involves assigning values to information, systems, business processes, repair costs, etc., due to which consequences and risks can be measured in direct and indirect costs. Quantitative risk can be mathematically expressed as annual probability of loss, and it represents the expected financial loss due to a certain risk that may occur in a period of one year. The mathematical formula is as follows:
Annual probability of loss = Probability of one occurrence * Annual occurrence rate
2.2.2 Qualitative risk assessment
Qualitative risk assessment assumes that there is a level of uncertainty in determining the probability of occurrence and the consequences of the risk, whereby the probability of risk and consequences are defined through qualitative data, rather than exclusively based on quantitative data.
In general, the qualitative risk assessment results in placing the risk in one of these three levels: high, medium, low. Placing the risk within one of these three levels makes it easy to communicate the risk assessment across the responsible structures of the Operator.
2.2.3 Identification of threats
In order to make an adequate assessment of the risk, it is necessary to identify the threats as well as the sources of the threats. The list below includes a specification of general threats and threat sources.
Name/Description:
Power outage:
Deliberate data alteration Deliberate modification, addition or deletion of data, by an authorized or unauthorized person, which compromises the privacy, availability or integrity of data generated, processed, controlled or stored in data processing systems.
System error:
Telecommunications failure or outage:
Works of nature:
2.2.4 Identifying vulnerabilities
The following methods are used to identify vulnerabilities:
In addition, a list of vulnerabilities is made that are always examined during each risk assessment, thus allowing a minimum level of consistency in the assessment. Also, the vulnerabilities that are revealed in a previous assessment of ICT systems are included in future assessment processes. This way of acting makes it possible to know better the ways of risk management that were effective.
When generating the list of possible vulnerabilities, the Operator consults the archives of known vendors for records of vulnerabilities, namely:
2.2.4 Risk management
Two basic risk management strategies are used: mitigation and avoidance. They are explained below:
The operator uses procedures described in chapter 2 for risk management, in order to prevent incidents that can lead to interruption and abuse of the line that users use for electronic communication.
In addition, the Operator applies the following measures regarding the protection of end users:
3.1 Technical measures
The following measures are applied to protect end users:
3.1 Stakeholder notification measures during a security incident
A security incident is a breach of security that has a significant impact on the operation of an electronic communications network or service. In the event of a security incident that had a significant impact on the functioning of the networks or services, the Operator sends a notification about the same to the interested parties and taking and activities that the operators should take over in the event of a violation of the security of personal data.
These notices cover the following parties:
3.1.1 Notification by the Operator to the Directorate for Personal Data Protection
The operator sends a notification to the Directorate for Personal Data Protection immediately, but no later than 24 hours from the moment of security breach or loss of integrity that had a significant impact on the functioning of networks or services. The notification is delivered electronically to the following email [email protected]. The attachment in the e-mail is delivered with an electronic signature by the responsible person of the Operator.
3.1.2 Notification from the Operator to the subscriber
If the violation of the security of personal data may negatively affect the personal data or privacy of the subscriber or another natural person, the Operator additionally informs the respective subscriber (legal or natural person).
In order to better serve users, the Operator is fully committed to ensure stability and consistent quality of services. Within this commitment, the Operator makes every effort to ensure constant availability of the Services. The operator uses the measures and practices described below directly and/or indirectly affect the provision of high availability of services. Using such practices in the passive segment of the network leads to provision of a high percentage of availability and a reduced probability of service interruption.
4.1 Maintenance of high quality and availability of the passive network
Each fiber optic connection is made through a fusion splice and verified by OTDR tests. Mechanical splices are not used because they have a short lifespan and increase the chances of failure. Persons responsible for maintaining the passive network make regular field inspections of the network to ensure that it is in a functional state.
Each subscriber is connected with a point-to-point architecture, where xPON technology and optical splitters are not used. Avoiding optical splitters reduces the likelihood of failure, as there are fewer "links in the chain" that can cause failure.
4.2 Maintenance of high quality and availability of the active network
The Operator uses exclusively Ethernet technology for the delivery of services. Lines are verified with the internationally standardized RFC 2544 Ethernet test, reducing the chances of overlooking a poorly constructed link when putting the line into service.
4.3 Maintaining availability with an advanced monitoring system
The Operator uses a constantly active 24/7 monitoring system for the interconnection links, for the core of the network, and for every interface that leads to a subscriber. The monitoring system performs deep analyses of the links down to the lowest level of verification, and immediately informs the services that are currently responsible for technical support.
In terms of checks for links to the global Internet, the following automated tests are performed every minute:
In terms of link checks for the Operator's network core ("Core"), the following automated tests are performed every minute:
In terms of line checks for each subscriber, the following automated tests are performed every minute:
In case of detection of a warning or line failure, including a reduced level of light that may occur due to bending of an optical cable, the monitoring system immediately sends an alarm to the responsible persons, who immediately proceed to investigate and solve the problem.
4.4 Maintaining availability with a 24/7 intervention service
The Operator provides a 24/7 technical support service. This service uses the constantly active 24/7 monitoring system described in chapter 4.3 for insight into and reaction to interruptions and failures of services, as well as warning signs that can lead to interruptions and failures. If necessary, the technical support service engages field personnel, who are available 24/7, to repair a fault in the passive or active segment of the network.
4.5 Maintaining Availability Through Redundant Architecture
Our network in Macedonia is based on multiple points of presence, which are protected by geographically independent and protected (redundant) links to the core. They are strategically placed to be as close as possible to subscribers in order to reduce the likelihood.
The Operator is committed to the protection of personal data. The necessary information for personal identification is explained below, as well as the way of ensuring its security and integrity. By the term personally identifiable information we mean information that can be used to identify a person.
5.1 What information is collected
We collect and process the following personally identifiable data:
5.2 What the data is used for:
We take the privacy of our users seriously, fully respecting the subscriber's right to privacy. Personally identifiable information will be collected, processed and stored for the following purposes:
5.3 Ensuring security and integrity of personal data
We have in place reasonable physical, technical and organizational measures designed to provide an environment where personal information is secured against accidental loss or unauthorized access. Security measures are in place to ensure protection against the loss, misuse or modification of information under our control. It should be noted that technology, no matter how advanced, becomes vulnerable over time, which is why it cannot be 100% guaranteed that unauthorized third parties will never be able to break through the security measures and use such a breach for inappropriate purposes.
The Operator uses the following measures to ensure the security and integrity of personal data.
5.3.1 Physical measures
Physical measures refer to protection measures in terms of theft, intrusion or other unauthorized access to the Operator's facilities, network and other technology. Physical measures are given below:
The Operator's facilities where personal data are stored or accessed are restricted to authorized persons only.
5.3.2 Procedural measures
Procedural measures are specified in the list below:
5.3.3 Technical measures
The technical measures are specified in the list below:
6.1 Name and headquarters of the operator
INTERSPACE D.O.O.E.L. SKOPJE
Blvd. Jane Sandanski 109A, floor 3, 1000 Skopje
6.2 Data for the personal data protection officer
Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016
6.3 Data for the person responsible for information security and for reporting security breaches
Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016
1.1 The following Terms and Conditions represent an agreement between the company INTERSPACE DOOEL Skopje (Address: Bul. Jane Sandanski 109A, kat 3, Skopje, North Macedonia; UTN: MK4043014516919) in the role of a service provider (hereinafter “Operator”), and the subject that orders and uses the services (hereinafter “Subscriber”), also hereinafter individually referred to as “Party” or collectively referred to as “Parties”.
1.2. Subject of this agreement is the establishing and ascertaining of the subscriber relation between the Operator and the Subscriber for providing services for hosting of dedicated servers, and the rights and obligations for the parties arising out of it.
1.3 We reserve the right, at our sole discretion, to make changes to these Terms and Conditions by giving the Subscriber prior notification.
2.2 The details of the Services are provided in the order form (hereinafter "Order Form"). The Order Form contains information about the type of service, the amount of service charges and other relevant information about the services. In accordance with this agreement, the Operator shall provide the services selected in the Order Form (hereinafter "Services").
2.3. This agreement is concluded for an unlimited time period unless otherwise agreed.
2.4. This agreement may be terminated at any time, as specified in Article 6 and Article 7. The minimum duration of the agreement is one month.
3.1. Subscriber agrees to pay a monthly fee for the Services specified in the Order Form of this agreement, including value added tax.
3.2. The invoices for the monthly subscription specified in the Article 3.1 of this agreement shall be issued by the Operator and sent to the Subscriber in electronic form on the 1st day of the current month, and they shall become due within 12 days from the date of issue. The invoicing of the Services shall commence from the day when the Services are provisioned. The Operator will calculate and add the amount of VAT 18% which will be written separately, and it shall be paid by the Subscriber.
3.3 In the event of payment delay by the Subscriber, the Operator is entitled to charge a penalty in a form of interest specified by the law, calculated from the day the due date is passed until the payment, and the calculated amount of the penalty will be added to the invoice for the following monthly subscription.
4.1. The Operator may, without consent from the Subscriber, temporarily limit or terminate access to the Services, in the following cases:
4.2. In case of planned technical works, related to the intervention in the network and equipment, the Operator shall deliver information in a timely manner to the Subscriber, stating the reasons for Services unavailability and the expected time for restoration of their functionality.
5.1. The Operator may limit or disconnect the access to its Services for the Subscriber only in case when the Subscriber failed to fulfill its obligations or did not act in accordance with the conditions stated in this agreement. In case of violation of the provisions of this agreement, the Operator should inform the Subscriber in writing and determine a reasonable period for completion of the contractual obligations. The Operator should not inform the Subscriber in advance regarding the limit or disconnection, if by using the Service the Subscriber:
5.2. If technically possible, the Operator shall be entitled to limit access only to those Services for which the Subscriber did not act according to the conditions stated in this Agreement, except in cases of abuse established by the competent body, and continuous delay with payment or non-payment of the bills.
6.1. The Operator may terminate the agreement within a period determined with this agreement, especially:
7.1. The Subscriber may terminate this Agreement at any time upon previously submitted request for cancellation of the Services.
7.2. The Agreement shall be considered terminated as of the last day of the month in which the written request was received. After the termination of this agreement, the Subscriber will be responsible to pay all the costs incurred by him, which are eventually billed with delay or billed, and not paid by the Subscriber.
8.1. The Operator shall have the following rights:
9.1. The Operator shall have the following obligations:
10.1. The Subscriber shall be entitled to:
11.1. The Subscriber shall have the following obligations:
12.1. Except as otherwise expressly set forth herein, the services are provided "as is", and Operator’s liability for damages arising out of or in connection with the performance of the Agreement shall be limited to wilful acts or gross negligence, and to a maximum amount of the monthly service fee per damaging incident. Neither the Operator nor anyone else involved in creating, producing, delivering (including suspending or discontinuing services) or supporting the services shall be liable to the Subscriber, any representative, or any third party for any indirect, incidental, special, punitive or consequential damages arising out of the services or inability to use the Services, including, without limitation, lost revenue, lost profits, loss of technology, rights or services.
12.2. The Operator shall not be held responsible for unlawful usage or abuse of the Services, nor for the contents of the information transmitted, by the Subscriber or other parties.
13.1. The use of the Services may be interrupted by force majeure. Force Majeure shall mean an event independent of the will of the contracting Parties whose performance could not be prevented or foreseen and due to which the fulfillment of the obligations under the Agreement became difficult or impossible, including but not limited to: natural events, social events (strike, riots, war), acts of public authority. The Operator will not bear any liability to the Subscriber due to termination of its services caused by a Force Majeure Event.
13.2. Neither Party is the agent or legal representative of the other Party, and this Agreement does not create a partnership, joint venture or fiduciary relationship between the Operator and Subscriber. Neither Party shall have any authority to agree for or bind the other Party in any manner whatsoever. This Agreement confers no rights, remedies, or claims of any kind upon any third party, including, without limitation, Subscriber’s subscribers or end-users.
13.3. The communication between the Operator and the Subscriber (notification, invoice, complaint, other type of communication) takes place in writing. Delivery of the written communication is done by personal handover by the Operator/Subscriber or in the electronic form by email. In urgent cases, the Operator may first give only a verbal notice. Such verbal notice shall be followed by a written notification within 1 (one) day at the latest.
13.4. The Subscriber shall contact the Operator at the contact details specified on the web page https://interspace.com/sq/contact. The Operator shall contact the Subscriber at the contact details that the Subscriber entered in the customer control panel My Interspace, which is accessed at the web address https://my.interspace.com. The Subscriber is responsible for the accuracy of the contact details given in My Interspace.
14.1. Any disputes between the Parties shall be resolved amicably. If the dispute cannot be resolved in an amicable manner, the Primary Court Skopje II in the Republic of North Macedonia shall be competent. This agreement shall be interpreted in accordance with the positive legal provisions of the Republic of North Macedonia.
14.2. By placing the order using the Order Form, the Subscriber affirms and acknowledges that they have read this agreement in its entirety and agrees to be bound by the provisions thereof.
1. INTRODUCTION
2. MANAGEMENT OF GENERAL SECURITY RISKS
2.1 Basics of risk management
2.1.1. A threat
2.1.2 Vulnerability
2.1.2 Why is it important to manage risk?
2.2 Risk assessment
2.2.1 Quantitative risk assessment
2.2.2 Qualitative risk assessment
2.2.3 Identification of threats
2.2.4 Identifying vulnerabilities
2.2.4 Risk management
3. PROTECTION OF END USERS
3.1 Technical measures
3.1 Stakeholder notification measures during a security incident
3.1.1 Notification by the Operator to the Directorate for Personal Data Protection
3.1.2 Notification from the Operator to the subscriber
4. MAINTAINING NETWORK AVAILABILITY
4.1 Maintenance of high quality and availability of the passive network
4.2 Maintenance of high quality and availability of the active network
4.3 Maintaining availability with an advanced monitoring system
4.4 Maintaining availability with a 24/7 intervention service
4.5 Maintaining Availability Through Redundant Architecture
5. SECURITY AND INTEGRITY OF PERSONAL DATA
5.1 What information is collected
5.2 What the data is used for
5.3 Ensuring security and integrity of personal data
5.3.1 Physical measures
5.3.2 Procedural measures
5.3.3 Technical measures
6. CONTACT INFORMATION
6.1 Name and headquarters of the operator
6.2 Data for the personal data protection officer
6.3 Data for the person responsible for information security and for reporting security breaches
INTERSPACE DOOEL Skopje (hereinafter referred to as "Operator") introduces this security policy in order to properly manage the risks and security of the network and services, as well as the integrity of the network and the continuity of services. In addition, since the Operator cooperates in part of its operations with companies based in the EU, through this security policy it aims to harmonize its operations with the regulations and guidelines of the European Union (hereinafter referred to as "EU"), especially in the section for a secure information society and strengthening the security and resilience of vital infrastructures for information and communication technologies.
Through this security policy, it is necessary to achieve the following goals:
In terms of network security and integrity (and service continuity), the aim is to ensure the following points:
In terms of security when processing personal data, the goal is to ensure the following points:
The security policy will be specified in several chapters, namely:
2.1 Basics of risk management
In the context of security in information and communication technologies ("ICT"), risk management is a process of knowing and reacting to factors that cause loss of privacy, integrity and availability of systems. Risk in ICT systems represents potential damage that may occur to a certain process or information that is part of that process, as a result of intentional or unintentional activity. Risk can be represented as a function of the probability of the occurrence of a certain threat to the realization of a certain potential vulnerability, and the consequence that may arise as a result of that event.
2.1.1. A threat
A threat is the potential for the emergence of a source of threat that can intentionally or unintentionally cause a specific vulnerability. A threat source can be: a) an activity or method aimed at intentionally exploiting a vulnerability, or b) a situation or method that may accidentally cause a vulnerability.
A threat can be presented simply as the potential to exploit a particular vulnerability. Threats in themselves are not an activity. Threats become hazards when combined with a source of threat. This distinction is important to make in risk assessment and management, as each source of threat may be associated with a different environment.
2.1.2 Vulnerability
A vulnerability is defined as a flaw or weakness in system security procedures, design and implementation, or in internal controls that can be intentionally or unintentionally disrupted, resulting in a security breach. A vulnerability can be a flaw or weakness in all aspects of ICT systems.
Vulnerabilities do not always refer to technical protections provided by technical systems. Significant vulnerabilities may also exist in standard operating procedures performed by administrators. For example, the password reset procedure or inappropriate reading of logs by technical support.
2.1.2 Why is it important to manage risk?
The primary objectives of risk management are:
According to the above, risk management is a management-level function, not just a technical function. Understanding the need for risk management allows the Operator to protect and preserve the users of its ICT systems, which in the long run affects the Operator's survival in the market.
2.2 Risk assessment
The risk is assessed through a) identification of threats and vulnerabilities, and b) determination of the probability of occurrence and the consequences of its occurrence. The basic risk assessment process is explained below.
2.2.1 Quantitative risk assessment
Quantitative risk assessment involves assigning values to information, systems, business processes, repair costs, etc., due to which consequences and risks can be measured in direct and indirect costs. Quantitative risk can be mathematically expressed as annual probability of loss, and it represents the expected financial loss due to a certain risk that may occur in a period of one year. The mathematical formula is as follows:
Annual probability of loss = Probability of one occurrence * Annual occurrence rate
2.2.2 Qualitative risk assessment
Qualitative risk assessment assumes that there is a level of uncertainty in determining the probability of occurrence and the consequences of the risk, whereby the probability of risk and consequences are defined through qualitative data, rather than exclusively based on quantitative data.
In general, the qualitative risk assessment results in placing the risk in one of these three levels: high, medium, low. Placing the risk within one of these three levels makes it easy to communicate the risk assessment across the responsible structures of the Operator.
2.2.3 Identification of threats
In order to make an adequate assessment of the risk, it is necessary to identify the threats as well as the sources of the threats. The list below includes a specification of general threats and threat sources.
Name/Description:
Power outage:
Deliberate data alteration: Deliberate modification, addition or deletion of data, by an authorized or unauthorized person, which compromises the privacy, availability or integrity of data generated, processed, controlled or stored in data processing systems.
System error:
Telecommunications failure or outage:
Works of nature:
2.2.4 Identifying vulnerabilities
The following methods are used to identify vulnerabilities:
In addition, a list is kept of vulnerabilities that are always examined during each risk assessment, thus allowing a minimum level of consistency in the assessment. Also, the vulnerabilities that were revealed in a previous assessment of ICT systems are included in future assessment processes. This approach makes it possible to better understand which ways of risk management were effective.
When generating the list of possible vulnerabilities, the Operator consults the archives of known vendors for records of vulnerabilities, namely:
2.2.4 Risk management
Two basic risk management strategies are used: mitigation and avoidance. They are explained below:
The Operator uses the procedures described in chapter 2 for risk management, in order to prevent incidents that can lead to interruption and abuse of the line that users use for electronic communication.
In addition, the Operator applies the following measures regarding the protection of end users:
3.1 Technical measures
The following measures are applied to protect end users:
3.1 Stakeholder notification measures during a security incident
A security incident is a breach of security that has a significant impact on the operation of an electronic communications network or service. In the event of a security incident that had a significant impact on the functioning of the networks or services, the Operator sends a notification about it to the interested parties and undertakes the activities that operators should take in the event of a violation of the security of personal data.
These notices cover the following parties:
3.1.1 Notification by the Operator to the Directorate for Personal Data Protection
The Operator sends a notification to the Directorate for Personal Data Protection immediately, but no later than 24 hours from the moment of the security breach or loss of integrity that had a significant impact on the functioning of networks or services. The notification is delivered electronically to the following email address: [email protected]. The attachment in the e-mail is delivered with an electronic signature by the responsible person of the Operator.
3.1.2 Notification from the Operator to the subscriber
If the violation of the security of personal data may negatively affect the personal data or privacy of the subscriber or another natural person, the Operator additionally informs the respective subscriber (legal or natural person).
In order to better serve users, the Operator is fully committed to ensuring stability and consistent quality of services. Within this commitment, the Operator makes every effort to ensure constant availability of the Services. The measures and practices that the Operator uses, described below, directly and/or indirectly affect the provision of high availability of services. Using such practices in the passive segment of the network leads to a high percentage of availability and a reduced probability of service interruption.
4.1 Maintenance of high quality and availability of the passive network
Each fiber optic connection is made through a fusion splice and verified by OTDR tests. Mechanical splices are not used because they have a short lifespan and increase the chances of failure. Persons responsible for maintaining the passive network make regular field inspections of the network to ensure that it is in a functional state.
Each subscriber is connected with a point-to-point architecture, where xPON technology and optical splitters are not used. Avoiding optical splitters reduces the likelihood of failure, as there are fewer "links in the chain" that can cause failure.
4.2 Maintenance of high quality and availability of the active network
The Operator uses exclusively Ethernet technology for the delivery of services. Lines are verified with the internationally standardized RFC 2544 Ethernet test, reducing the chances of overlooking a poorly constructed link when putting the line into service.
4.3 Maintaining availability with an advanced monitoring system
The Operator uses a constantly active 24/7 monitoring system for the interconnection links, for the core of the network, and for every interface that leads to a subscriber. The monitoring system performs deep analyses of the links down to the lowest level of verification, and immediately informs the services that are currently responsible for technical support.
In terms of checks for links to the global Internet, the following automated tests are performed every minute:
In terms of link checks for the Operator's network core ("Core"), the following automated tests are performed every minute:
In terms of line checks for each subscriber, the following automated tests are performed every minute:
In case of detection of a warning or line failure, including a reduced level of light that may occur due to bending of an optical cable, the monitoring system immediately sends an alarm to the responsible persons, who immediately proceed to investigate and solve the problem.
4.4 Maintaining availability with a 24/7 intervention service
The Operator provides a 24/7 technical support service. This service uses the constantly active 24/7 monitoring system described in chapter 4.3 for insight into and reaction to interruptions and failures of services, as well as warning signs that can lead to interruptions and failures. If necessary, the technical support service engages field personnel, who are available 24/7, to repair a fault in the passive or active segment of the network.
4.5 Maintaining Availability Through Redundant Architecture
Our network in Macedonia is based on multiple points of presence, which are protected by geographically independent and protected (redundant) links to the core. They are strategically placed to be as close as possible to subscribers in order to reduce the likelihood.
The Operator is committed to the protection of personal data. The necessary information for personal identification is explained below, as well as the way of ensuring its security and integrity. By the term personally identifiable information we mean information that can be used to identify a person.
5.1 What information is collected
We collect and process the following personally identifiable data:
5.2 What the data is used for:
We take the privacy of our users seriously, fully respecting the subscriber's right to privacy. Personally identifiable information will be collected, processed and stored for the following purposes:
5.3 Ensuring security and integrity of personal data
We have in place reasonable physical, technical and organizational measures designed to provide an environment where personal information is secured against accidental loss or unauthorized access. Security measures are in place to ensure protection against the loss, misuse or modification of information under our control. It should be noted that technology, no matter how advanced, becomes vulnerable over time, which is why it cannot be 100% guaranteed that unauthorized third parties will never be able to break through the security measures and use such a breach for inappropriate purposes.
The Operator uses the following measures to ensure the security and integrity of personal data.
5.3.1 Physical measures
Physical measures refer to protection measures in terms of theft, intrusion or other unauthorized access to the Operator's facilities, network and other technology. Physical measures are given below:
The Operator's facilities where personal data are stored or accessed are restricted to authorized persons only.
5.3.2 Procedural measures
Procedural measures are specified in the list below:
5.3.3 Technical measures
The technical measures are specified in the list below:
6.1 Name and headquarters of the operator
INTERSPACE D.O.O.E.L. SKOPJE
Blvd. Jane Sandanski 109A, floor 3, 1000 Skopje
6.2 Data for the personal data protection officer
Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016
6.3 Data for the person responsible for information security and for reporting security breaches
Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016
1.1 The following Terms and Conditions represent an agreement between the company INTERSPACE DOOEL Skopje (Address: Bul. Jane Sandanski 109A, kat 3, Skopje, North Macedonia; UTN: MK4043014516919) in the role of a service provider (hereinafter “Operator”), and the subject that orders and uses the services (hereinafter “Subscriber”), also hereinafter individually referred to as “Party” or collectively referred to as “Parties”.
1.2. Subject of this agreement is the establishing and ascertaining of the subscriber relation between the Operator and the Subscriber for providing services for web hosting, and the rights and obligations for the parties arising out of it.
1.3 We reserve the right, at our sole discretion, to make changes to these Terms and Conditions by giving the Subscriber prior notification.
2.2 The details of the Services are provided in the order form (hereinafter "Order Form"). The Order Form contains information about the type of service, the amount of service charges and other relevant information about the services. In accordance with this agreement, the Operator shall provide the services selected in the Order Form (hereinafter "Services").
2.3. This agreement is concluded for an unlimited time period unless otherwise agreed.
2.4. This agreement may be terminated at any time, as specified in Article 6 and Article 7. The minimum duration of the agreement is one month.
3.1. Subscriber agrees to pay a monthly fee for the Services specified in the Order Form of this agreement, including value added tax.
3.2. The invoices for the monthly subscription specified in the Article 3.1 of this agreement shall be issued by the Operator and sent to the Subscriber in electronic form on the 1st day of the current month, and they shall become due within 12 days from the date of issue. The invoicing of the Services shall commence from the day when the Services are provisioned. The Operator will calculate and add the amount of VAT 18% which will be written separately, and it shall be paid by the Subscriber.
3.3 In the event of payment delay by the Subscriber, the Operator is entitled to charge a penalty in a form of interest specified by the law, calculated from the day the due date is passed until the payment, and the calculated amount of the penalty will be added to the invoice for the following monthly subscription.
4.1. The Operator may, without consent from the Subscriber, temporarily limit or terminate access to the Services, in the following cases:
4.2. In case of planned technical works, related to the intervention in the network and equipment, the Operator shall deliver information in a timely manner to the Subscriber, stating the reasons for Services unavailability and the expected time for restoration of their functionality.
5.1. The Operator may limit or disconnect the access to its Services for the Subscriber only in case when the Subscriber failed to fulfill its obligations or did not act in accordance with the conditions stated in this agreement. In case of violation of the provisions of this agreement, the Operator should inform the Subscriber in writing and determine a reasonable period for completion of the contractual obligations. The Operator should not inform the Subscriber in advance regarding the limit or disconnection, if by using the Service the Subscriber:
5.2. If technically possible, the Operator shall be entitled to limit access only to those Services for which the Subscriber did not act according to the conditions stated in this Agreement, except in cases of abuse established by the competent body, and continuous delay with payment or non-payment of the bills.
6.1. The Operator may terminate the agreement within a period determined with this agreement, especially:
7.1. The Subscriber may terminate this Agreement at any time upon previously submitted request for cancellation of the Services.
7.2. The Agreement shall be considered terminated as of the last day of the month in which the written request was received. After the termination of this agreement, the Subscriber will be responsible to pay all the costs incurred by him, which are eventually billed with delay or billed, and not paid by the Subscriber.
8.1. The Operator shall have the following rights:
9.1. The Operator shall have the following obligations:
10.1. The Subscriber shall be entitled to:
11.1. The Subscriber shall have the following obligations:
12.1. Except as otherwise expressly set forth herein, the services are provided "as is", and Operator’s liability for damages arising out of or in connection with the performance of the Agreement shall be limited to wilful acts or gross negligence, and to a maximum amount of the monthly service fee per damaging incident. Neither the Operator nor anyone else involved in creating, producing, delivering (including suspending or discontinuing services) or supporting the services shall be liable to the Subscriber, any representative, or any third party for any indirect, incidental, special, punitive or consequential damages arising out of the services or inability to use the Services, including, without limitation, lost revenue, lost profits, loss of technology, rights or services.
12.2. The Operator shall not be held responsible for unlawful usage or abuse of the Services, nor for the contents of the information transmitted, by the Subscriber or other parties.
13.1. The use of the Services may be interrupted by force majeure. Force Majeure shall mean an event independent of the will of the contracting Parties whose performance could not be prevented or foreseen and due to which the fulfillment of the obligations under the Agreement became difficult or impossible, including but not limited to: natural events, social events (strike, riots, war), acts of public authority. The Operator will not bear any liability to the Subscriber due to termination of its services caused by a Force Majeure Event.
13.2. Neither Party is the agent or legal representative of the other Party, and this Agreement does not create a partnership, joint venture or fiduciary relationship between the Operator and Subscriber. Neither Party shall have any authority to agree for or bind the other Party in any manner whatsoever. This Agreement confers no rights, remedies, or claims of any kind upon any third party, including, without limitation, Subscriber’s subscribers or end-users.
13.3. The communication between the Operator and the Subscriber (notification, invoice, complaint, other type of communication) takes place in writing. Delivery of the written communication is done by personal handover by the Operator/Subscriber or in the electronic form by email. In urgent cases, the Operator may first give only a verbal notice. Such verbal notice shall be followed by a written notification within 1 (one) day at the latest.
13.4. The Subscriber shall contact the Operator at the contact details specified on the web page https://interspace.com/sq/contact. The Operator shall contact the Subscriber at the contact details that the Subscriber entered in the customer control panel My Interspace, which is accessed at the web address https://my.interspace.com. The Subscriber is responsible for the accuracy of the contact details given in My Interspace.
14.1. Any disputes between the Parties shall be resolved amicably. If the dispute cannot be resolved in an amicable manner, the Primary Court Skopje II in the Republic of North Macedonia shall be competent. This agreement shall be interpreted in accordance with the positive legal provisions of the Republic of North Macedonia.
14.2. By placing the order using the Order Form, the Subscriber affirms and acknowledges that they have read this agreement in entirety and agrees to be bound by the provisions thereof.
1. INTRODUCTION
2. MANAGEMENT OF GENERAL SECURITY RISKS
2.1 Basics of risk management
2.1.1. A threat
2.1.2 Vulnerability
2.1.2 Why is it important to manage risk?
2.2 Risk assessment
2.2.1 Quantitative risk assessment
2.2.2 Qualitative risk assessment
2.2.3 Identification of threats
2.2.4 Identifying vulnerabilities
2.2.4 Risk management
3. PROTECTION OF END USERS
3.1 Technical measures
3.1 Stakeholder notification measures during a security incident
3.1.1 Notification by the Operator to the Directorate for Personal Data Protection
3.1.2 Notification from the Operator to the subscriber
4. MAINTAINING NETWORK AVAILABILITY
4.1 Maintenance of high quality and availability of the passive network
4.2 Maintenance of high quality and availability of the active network
4.3 Maintaining availability with an advanced monitoring system
4.4 Maintaining availability with a 24/7 intervention service
4.5 Maintaining Availability Through Redundant Architecture
5. SECURITY AND INTEGRITY OF PERSONAL DATA
5.1 What information is collected
5.2 What the data is used for
5.3 Ensuring security and integrity of personal data
5.3.1 Physical measures
5.3.2 Procedural measures
5.3.3 Technical measures
6. CONTACT INFORMATION
6.1 Name and headquarters of the operator
6.2 Data for the personal data protection officer
6.3 Data for the person responsible for information security and for reporting security breaches
INTERSPACE DOOEL Skopje (hereinafter referred to as "Operator") introduces this security policy in order to properly manage the risks and security of the network and services, as well as the integrity of the network and the continuity of services. In addition, since the Operator cooperates in part of its operations with companies based in the EU, through this security policy it aims to harmonize its operations with the regulations and guidelines of the European Union (hereinafter referred to as "EU"), especially in the section for a secure information society and strengthening the security and resilience of vital infrastructures for information and communication technologies.
Through this security policy, it is necessary to achieve the following goals:
In terms of network security and integrity (and service continuity), the aim is to ensure the following points:
In terms of security when processing personal data, the goal is to ensure the following points:
The security policy will be specified in several chapters, namely:
2.1 Basics of risk management
In the context of security in information and communication technologies ("ICT"), risk management is a process of knowing and reacting to factors that cause loss of privacy, integrity and availability of systems. Risk in ICT systems represents potential damage that may occur to a certain process or information that is part of that process, as a result of intentional or unintentional activity. Risk can be represented as a function of the probability of the occurrence of a certain threat to the realization of a certain potential vulnerability, and the consequence that may arise as a result of that event.
2.1.1. A threat
A threat is the potential for the emergence of a source of threat that can intentionally or unintentionally cause a specific vulnerability. A threat source can be: a) an activity or method aimed at intentionally exploiting a vulnerability, or b) a situation or method that may accidentally cause a vulnerability.
A threat can be presented simply as the potential to exploit a particular vulnerability. Threats in themselves are not an activity. Threats become hazards when combined with a source of threat. This distinction is important to make in risk assessment and management, as each source of threat may be associated with a different environment.
2.1.2 Vulnerability
A vulnerability is defined as a flaw or weakness in system security procedures, design and implementation, or in internal controls that can be intentionally or unintentionally disrupted, resulting in a security breach. A vulnerability can be a flaw or weakness in all aspects of ICT systems.
Vulnerabilities do not always refer to technical protections provided by technical systems. Significant vulnerabilities may also exist in standard operating procedures performed by administrators. For example, the password reset procedure or inappropriate reading of logs by technical support.
2.1.2 Why is it important to manage risk?
The primary objectives of risk management are:
According to the above, risk management is a management-level function, not just a technical function. Understanding the need for risk management allows the Operator to protect and preserve the users of its ICT systems, which in the long run affects the Operator's survival in the market.
2.2 Risk assessment
The risk is assessed through a) identification of threats and vulnerabilities, and b) determination of the probability of occurrence and the consequences of its occurrence. The basic risk assessment process is explained below.
2.2.1 Quantitative risk assessment
Quantitative risk assessment involves assigning values to information, systems, business processes, repair costs, etc., due to which consequences and risks can be measured in direct and indirect costs. Quantitative risk can be mathematically expressed as annual probability of loss, and it represents the expected financial loss due to a certain risk that may occur in a period of one year. The mathematical formula is as follows:
Annual probability of loss = Probability of one occurrence * Annual occurrence rate
2.2.2 Qualitative risk assessment
Qualitative risk assessment assumes that there is a level of uncertainty in determining the probability of occurrence and the consequences of the risk, whereby the probability of risk and consequences are defined through qualitative data, rather than exclusively based on quantitative data.
In general, the qualitative risk assessment results in placing the risk in one of these three levels: high, medium, low. Placing the risk within one of these three levels makes it easy to communicate the risk assessment across the responsible structures of the Operator.
2.2.3 Identification of threats
In order to make an adequate assessment of the risk, it is necessary to identify the threats as well as the sources of the threats. The list below includes a specification of general threats and threat sources.
Name/Description:
Power outage:
Deliberate data alteration: Deliberate modification, addition or deletion of data, by an authorized or unauthorized person, which compromises the privacy, availability or integrity of data generated, processed, controlled or stored in data processing systems.
System error:
Telecommunications failure or outage:
Works of nature:
2.2.4 Identifying vulnerabilities
The following methods are used to identify vulnerabilities:
In addition, a list of vulnerabilities is made that are always examined during each risk assessment, thus allowing a minimum level of consistency in the assessment. Also, the vulnerabilities that are revealed in a previous assessment of ICT systems are included in future assessment processes. This way of acting makes it possible to know better the ways of risk management that were effective.
When generating the list of possible vulnerabilities, the Operator consults the archives of known vendors for records of vulnerabilities, namely:
2.2.4 Risk management
Two basic risk management strategies are used: mitigation and avoidance. They are explained below:
The operator uses procedures described in chapter 2 for risk management, in order to prevent incidents that can lead to interruption and abuse of the line that users use for electronic communication.
In addition, the Operator applies the following measures regarding the protection of end users:
3.1 Technical measures
The following measures are applied to protect end users:
3.1 Stakeholder notification measures during a security incident
A security incident is a breach of security that has a significant impact on the operation of an electronic communications network or service. In the event of a security incident that had a significant impact on the functioning of the networks or services, the Operator sends a notification about it to the interested parties and takes the activities that operators should undertake in the event of a violation of the security of personal data.
These notices cover the following parties:
3.1.1 Notification by the Operator to the Directorate for Personal Data Protection
The operator sends a notification to the Directorate for Personal Data Protection immediately, but no later than 24 hours from the moment of security breach or loss of integrity that had a significant impact on the functioning of networks or services. The notification is delivered electronically to the following email [email protected]. The attachment in the e-mail is delivered with an electronic signature by the responsible person of the Operator.
3.1.2 Notification from the Operator to the subscriber
If the violation of the security of personal data may negatively affect the personal data or privacy of the subscriber or another natural person, the Operator additionally informs the respective subscriber (legal or natural person).
In order to better serve users, the Operator is fully committed to ensuring stability and consistent quality of services. Within this commitment, the Operator makes every effort to ensure constant availability of the Services. The measures and practices described below, which the Operator uses, directly and/or indirectly affect the provision of high availability of services. Using such practices in the passive segment of the network leads to a high percentage of availability and a reduced probability of service interruption.
4.1 Maintenance of high quality and availability of the passive network
Each fiber optic connection is made through a fusion splice and verified by OTDR tests. Mechanical splices are not used because they have a short lifespan and increase the chances of failure. Persons responsible for maintaining the passive network make regular field inspections of the network to ensure that it is in a functional state.
Each subscriber is connected with a point-to-point architecture, where xPON technology and optical splitters are not used. Avoiding optical splitters reduces the likelihood of failure, as there are fewer "links in the chain" that can cause failure.
4.2 Maintenance of high quality and availability of the active network
The operator uses exclusively Ethernet technology for the delivery of services. Lines are verified with the internationally standardized RFC2544 Ethernet test, reducing the chances of overlooking a poorly constructed link when putting the line into service.
4.3 Maintaining availability with an advanced monitoring system
The Operator uses a constantly active 24/7 monitoring system for the interconnection links, for the core of the network, and for every interface that leads to a subscriber. The monitoring system performs deep analyses of the links down to the lowest level of verification, and immediately informs the services that are currently responsible for technical support.
In terms of checks for links to the global Internet, the following automated tests are performed every minute:
In terms of link checks for the Operator's network core ("Core"), the following automated tests are performed every minute:
In terms of line checks for each subscriber, the following automated tests are performed every minute:
In case of detection of a warning or line failure, including a reduced level of light that may occur due to bending of an optical cable, the monitoring system immediately sends an alarm to the responsible persons, who immediately proceed to investigate and solve the problem.
4.4 Maintaining availability with a 24/7 intervention service
The Operator provides a 24/7 technical support service. This service uses the constantly active 24/7 monitoring system described in chapter 4.3 for insight and reaction regarding interruptions and failures of services, and warning signs that can lead to interruptions and failures. If necessary, the technical support service engages field personnel, who are available 24/7, to repair a fault in the passive or active segment of the network.
4.5 Maintaining Availability Through Redundant Architecture
Our network in Macedonia is based on multiple points of presence, which are protected by geographically independent and protected (redundant) links to the core. They are strategically placed to be as close as possible to subscribers in order to reduce the likelihood.
The operator is committed to the protection of personal data. The necessary information for personal identification is explained below, as well as the way of ensuring its security and integrity. By the term personally identifiable information we mean information that can be used to identify a person.
5.1 What information is collected
We collect and process the following personally identifiable data:
5.2 What the data is used for:
We take the privacy of our users seriously, fully respecting the subscriber's right to privacy. Personally identifiable information will be collected, processed, stored for the following purposes:
5.3 Ensuring security and integrity of personal data
We have in place reasonable physical, technical and organizational measures designed to provide an environment where personal information is secured against accidental loss or unauthorized access. Security measures are in place to ensure protection against the loss, misuse or modification of information under our control. It should be noted that technology, no matter how advanced, becomes vulnerable over time, which is why it cannot be 100% guaranteed that unauthorized third parties will never be able to break through the security measures and use such a breach for inappropriate purposes.
The operator uses the following measures to ensure the security and integrity of personal data.
5.3.1 Physical measures
Physical measures refer to protection measures in terms of theft, intrusion or other unauthorized access to the Operator's facilities, network and other technology. Physical measures are given below:
The Operator's facilities where personal data are stored or accessed are restricted to authorized persons only.
5.3.2 Procedural measures
Procedural measures are specified in the list below:
5.3.3 Technical measures
The technical measures are specified in the list below:
6.1 Name and headquarters of the operator
INTERSPACE D.O.O.E.L. SKOPJE
Blvd. Jane Sandanski 109A, floor 3, 1000 Skopje
6.2 Data for the personal data protection officer
Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016
6.3 Data for the person responsible for information security and for reporting security breaches
Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016
For the rest of the services, the legal documents are not published on the website, because they are prepared for each order separately and are adapted depending on the country of origin of the client, the location where the service is delivered and other parameters.
These legal documents are delivered by email when ordering the services.
The following rules apply to the electronic messages sent by email addresses under the domain "interspace.com" (hereinafter together referred to as "Email"), by a mail server that is authorized to send emails on behalf of the domain "interspace.com" and the company Interspace (hereinafter collectively referred to as "Organization").
To verify that the Email indeed comes from the mail server authorized to send messages from "interspace.com", please inspect whether the DKIM signature is valid and that the email is signed by "interspace.com".
The Email and any files transmitted with it are confidential and intended solely for the use of the individual(s) or entity to whom they are addressed. If you have received the Email in error, please notify the email system manager on the email address [email protected]. The Email message contains confidential information and is intended only for the individual(s) named.
If you are not the named addressee, you should not disseminate, distribute or copy the Email. Please notify the sender immediately by email if you have received the Email by mistake and delete the Email from your system. If you are not the intended recipient, you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of the email is strictly prohibited.
Computer viruses can be unintentionally transmitted via the Email. The recipient should check the Email and any attachments for the presence of viruses. Email transmission cannot be guaranteed to be secure or error-free, as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of the Email message which arise as a result of email transmission. The Organization accepts no liability for any damage caused by any virus transmitted by this email.
The Organization accepts no liability for the content of the Email, or for the consequences of any actions taken on the basis of the information provided, unless that information is subsequently confirmed in writing.