POLICY
Information security policy
1. Purpose of the Document
This Information Security Policy defines the principles, rules, and responsibilities for the protection of information within the company Mibral d.o.o. Sarajevo. The purpose of this policy is to ensure the confidentiality, integrity, and availability of information owned, used, or processed by the company, and to reduce the risk of data loss, unauthorized access, or misuse.
2. Scope of Application
This Policy applies to all employees, associates, subcontractors, and third parties who have access to the company’s information; all information systems, databases, networks, email accounts, and physical documents owned by the company; as well as all forms of information (electronic, paper-based, verbal, audio-video recordings, etc.).
3. Basic Principles of Information Security
a) Confidentiality – Information is accessible only to authorized persons.
b) Integrity – Data must be accurate and protected against unauthorized modification.
c) Availability – Information must be available when needed.
d) Accountability – Each employee is responsible for the secure handling of data.
e) Legality – The processing of personal data must comply with the Law on the Protection of Personal Data of Bosnia and Herzegovina.
4. Responsibilities
The Director approves this Policy and ensures the resources necessary for its implementation.
The IT Department is responsible for technical security measures (antivirus protection, backups, access control).
Department managers implement the Policy within their teams.
All employees are required to comply with the rules and report information or data security incidents.
5. Information Classification
Information is classified according to sensitivity:
– Public Data – Freely available information (e.g. promotional materials).
– Internal Data – Intended for employees only (e.g. forms, procedures).
– Confidential Data – Personal data, financial information, contracts, project documentation.
6. Protection of Electronic Information
– Employees use individual passwords that are changed regularly.
– Access to networks and servers is restricted.
– The IT Department performs regular data backups.
– Installation of unauthorized software is prohibited.
– Email is used exclusively for business purposes.
7. Protection of Physical Information
– Documents containing confidential data are stored in locked premises.
– Only authorized persons have access to archives.
– Documents that are no longer needed are destroyed in a secure manner.
– Visitors must not have access to confidential documents without approval.
8. Video Surveillance and System Monitoring
Clear and visible notices regarding video surveillance are displayed. Recordings are stored for up to 30 days. Only authorized persons have access to the recordings.
9. Reporting and Management of Security Incidents
Employees are required to immediately report data loss, loss of devices, or any suspicion of misuse. Incidents must be reported to a supervisor.
10. Employee Training
All employees receive information security training upon employment and at least once per year thereafter.
11. Policy Violations
Violation of this Policy may result in disciplinary measures in accordance with internal regulations and applicable laws.
12. Review and Maintenance
This Policy is reviewed at least once per year or in the event of changes in legislation or technology. The updated version is approved by the Director of Mibral d.o.o. Sarajevo.
November 2025
Our Way of Working
The quality management system we apply helps us maintain a high standard in our current operations, and it also gives us a basis for continuous improvement, which is our primary goal.