Classification: Public

Date: 01/09/2024

Aretaeio Private Hospital Information Security Policy

The protection of information and its processing systems is of strategic importance to the Company to achieve its short-term and long-term goals and at the same time to ensure the confidentiality of the data of customers who receive its services.

Recognizing the criticality of information and information systems in the performance of its operational functions, Aretaeio Private Hospital implements an Information Security Policy with the goal to:

1. ensuring the confidentiality, integrity, and availability of the information it manages
2. Ensuring the correct operation of information systems
3. the timely response to incidents that may end anger operational ones
4. Functions of the Company
5. the satisfaction of legislative and regulatory requirements
6. The continuous improvement of the level of Information Security.

For this purpose:

1. the organizational structures necessary for monitoring issues related to Information Security are defined
2. the technical measures to control and restrict access to information and information systems are defined
3. the way of classifying the information according to its importance and value is determined
4. the necessary actions to protect the information during the processing stages, storage and handling
5. The methods of informing and training the company's employees and partners in Information Security matters.
6. The ways of dealing with Information Security incidents are determined
7. Describe the ways in which the safe continuity of the Company's operational operations is ensured in cases of malfunctioning of information systems or in cases of disasters.

The Company carries out assessments of the risks related to Information Security at regular intervals and takes the necessary measures to address them. It implements a framework for evaluating the effectiveness of Information Security procedures through which they are determined performance indicators, their measurement methodology is described, and periodic reports are produced which are reviewed by the Management in order to continuously improve the system.

The Information Security Officer is responsible for controlling and monitoring the policies and procedures related to Information Security and taking the necessary initiatives to eliminate all those factors that can jeopardize the availability, integrity, and confidentiality of information the company.

All employees of the Company and its partners with access to information and information systems of the Company, have the responsibility of observing the rules of the applied Information Security Policy.

Aretaeio Private Hospital committed to the continuous monitoring and observance of the regulatory and legislative framework and to the continuous implementation and improvement of the effectiveness of the Information Security Management System.