This statement provides an overview of JRC's approach to cybersecurity. It gives information on our security best practices and the way we manage information to ensure that we meet the industry's best practices.
Safety and security are important to JRC. Therefore, we follow and apply the industry guidelines and IMO regulations. Our policies cover a wide range of topics, from handling personal and confidential information to the physical security of our products. All policies are communicated to all employees. The organization receives a signed acknowledgement from its employees that indicates that they have read, understood and agree to follow the policies. The policies are regularly audited, reviewed and updated where necessary.
In addition to policies, we have a cybersecurity team in place. This team ensures compliance with rules and regulations and manages cybersecurity within JRC. They define and implement control measures, raise awareness, audit internal and external policies, track incidents, perform vulnerability assessments, and mitigate threats and risks. This advisory team ensures that information is available for employees, customers and vendors.
All employees have to act according to the company guidelines. We regularly raise awareness of this topic through employee training and awareness campaigns. Furthermore, employees sign a document during the onboarding process which states that they will follow and respect the company guidelines and regulations. Violations of our policies may result in disciplinary action.
We install antivirus and malware detection on employees' laptops and make sure employees are security-aware.
Security requirements and design are considered for all projects and products, and we follow secure development practices. Access to source code is controlled and managed. All releases are tested, and our release checklist includes consideration of security issues. We have a standard starters and leavers process. We centrally manage access to many services. Furthermore, we use two-factor authentication wherever possible. Where we do store user credentials (passwords), they are hashed. Disaster recovery backups are in place, and our IT infrastructure is protected by state-of-the-art security measures.
All our remote network connections are secured based on state-of-the-art standards. We use secure protocols to set up remote connections. Our internal network and external remote connections are completely segregated. We comply with all IMO regulations and cybersecurity best practices.
We have a cybersecurity incident response plan in place. This plan describes the responsibilities, required actions and escalation parties in case of an incident. It is regularly reviewed and tested. Incidents can be reported through our website and, in case of emergency, through our 24/7 phone number.
JRC is currently monitoring developments and updates related to the recently released Apache advisory. Apache has confirmed that a critical Remote Code Execution vulnerability (CVE-2021-44228) exists in their Log4j utility. Log4j is an open source, Java-based logging utility. Vulnerable versions of Log4j include 2.0-beta9 to 2.14.1.
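As an added illustration (not part of JRC's statement or product list), the check below classifies a Log4j version string, or a `log4j-core-*.jar` file name found during an inventory, against the version range quoted in the advisory above (2.0-beta9 through 2.14.1 inclusive). The file names are constructed sample paths; the pre-release ordering (beta before rc before final) follows the Log4j project's version numbering.

```python
import re
from typing import Optional, Tuple

# Affected range as stated in the advisory text above (inclusive on both ends).
VULN_LOW = "2.0-beta9"
VULN_HIGH = "2.14.1"

# Pre-release labels sort below the final release of the same number.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.IGNORECASE
)
# Matches the jar naming used by the Log4j project, e.g. log4j-core-2.14.1.jar
_JAR_RE = re.compile(r"^log4j-core-([0-9A-Za-z.\-]+)\.jar$", re.IGNORECASE)


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Turn a Log4j version string into a sortable tuple so that
    2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1 < 2.14.1 < 2.15.0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    rank = _PRE_RANK[pre.lower()] if pre else _FINAL_RANK
    return (int(major), int(minor), int(patch or 0), rank, int(pre_num or 0))


def is_vulnerable_version(version: str) -> bool:
    """True if the version lies inside the advisory's stated affected range."""
    return version_key(VULN_LOW) <= version_key(version) <= version_key(VULN_HIGH)


def classify_jar(path: str) -> Optional[bool]:
    """Classify a jar by the version embedded in its file name.
    Returns True/False for inside/outside the affected range, or None when the
    file is not a log4j-core jar with a parseable version (e.g. log4j-api-*)."""
    basename = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = _JAR_RE.match(basename)
    if not m:
        return None
    try:
        return is_vulnerable_version(m.group(1))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample paths, not real inventory data.
    for sample in ("/opt/app/lib/log4j-core-2.13.3.jar", "C:\\app\\lib\\log4j-core-2.15.0.jar"):
        print(sample, "->", classify_jar(sample))
```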
As part of the company’s product security policy and protocols, our Cybersecurity Team is investigating the use of Apache’s Log4j utility within our products and services, evaluating the potential impact from this reported vulnerability and validating actions.
The list below is provided to assist our customers in identifying any products within the JRC product range that could be vulnerable to CVE-2021-44228. However, the list is not comprehensive and may be updated as necessary if more products are identified.