ANNEX. Organizational and technical measures

Similar documents
TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Agreement on Commissioned Data Processing between. hereinafter Controller. and

Juniper Vendor Security Requirements

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

Annex 2 to the Agreement on Cooperation in the Area of Trade Finance & Cash Management Terms and Conditions for Remote Data Transmission

SECURITY & PRIVACY DOCUMENTATION

EU Data Protection Agreement

Status: February IT Security Directive External Service Providers

Fallstudie zur BDSG-compliance Dr. Philip Groth IT Business Partner Oncology & Genomics. AWS Enterprise Summit 24. März 2015, Frankfurt

HPE DATA PRIVACY AND SECURITY

Checklist: Credit Union Information Security and Privacy Policies

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

Terms and Conditions for Remote Data Transmission

Employee Security Awareness Training Program

Morningstar ByAllAccounts Service Security & Privacy Overview

ClearPath OS 2200 System LAN Security Overview. White paper

Sparta Systems TrackWise Digital Solution

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

April Appendix 3. IA System Security. Sida 1 (8)

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Data Processing Amendment to Google Apps Enterprise Agreement

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

Data Processing Clauses

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

Data Processing Agreement

Baseline Information Security and Privacy Requirements for Suppliers

Physical and Environmental Security Standards

ADIENT VENDOR SECURITY STANDARD

PS Mailing Services Ltd Data Protection Policy May 2018

7.16 INFORMATION TECHNOLOGY SECURITY

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

DATA PROCESSING AGREEMENT

University of Pittsburgh Security Assessment Questionnaire (v1.7)

HIPAA Security Checklist

HIPAA Security Checklist

Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15

AUTHORITY FOR ELECTRICITY REGULATION

AGREEMENT FOR RECEIPT AND USE OF MARKET DATA: ADDITIONAL PROVISIONS

IPM Secure Hardening Guidelines

Information Security for Mail Processing/Mail Handling Equipment

Trust Services Principles and Criteria

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

DATA PROCESSING AGREEMENT

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Learning Management System - Privacy Policy

CLIQ Remote - System description and requirements

Sparta Systems TrackWise Solution

HIPAA Technical Safeguards and (a)(7)(ii) Administrative Safeguards

201 CMR COMPLIANCE CHECKLIST Yes No Reason If No Description

Data Processing Agreement for Oracle Cloud Services

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Fabric Data Processing and Security Terms Last Modified: March 27, 2018

Information Security at the IEA DPC. IEA General Assembly October 10 12, 2011 Malahide, Ireland

Accredited Certification Authority's Facilities and Equipment Assessment Criteria

ICT Security Policy. ~ 1 od 21 ~

3 rd Party Certification of Compliance with MA: 201 CMR 17.00

Terms and Conditions for Remote Data Transmission

Sparta Systems Stratas Solution

Data protection is important to us

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

Information Security Policy

HIPAA Security Rule Policy Map

Data Protection Policy

Keeper Data Processing Agreement

DATA PROCESSING ADDENDUM

ANNEXES TO THE TERMS AND CONDITIONS valid from 13. January 2018

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

Terms and Conditions for Allegion Data Processing and Transfer

GM Information Security Controls

Google Cloud & the General Data Protection Regulation (GDPR)

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

Privacy Policy Effective May 25 th 2018

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Google Ads Data Processing Terms

Eco Web Hosting Security and Data Processing Agreement

These rules are subject to change periodically, so it s good to check back once in a while to make sure you re still compliant.

HIPAA Federal Security Rule H I P A A

General Legal Requirements under the Act and Relevant Subsidiary Legislations. Personal data shall only be processed for purpose of the followings:

User s Guide [Security Operations]

Data Processor Agreement

HIPAA / HITECH Overview of Capabilities and Protected Health Information

1. Type of personal data that we collect and process?

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)

QuoVadis Trustlink Schweiz AG Teufenerstrasse 11, 9000 St. Gallen

Network Security Policy

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

Cisco Meraki Privacy and Security Practices. List of Technical and Organizational Measures

GDPR Compliant. Privacy Policy. Updated 24/05/2018

simply secure IncaMail Information security Version: V01.10 Date: 16. March 2018 Post CH Ltd 1 / 12

Deloitte Audit and Assurance Tools

Privacy Policy. Effective date: 21 May 2018

ngenius Products in a GDPR Compliant Environment

Security Policies and Procedures Principles and Practices

EXHIBIT A. - HIPAA Security Assessment Template -

HF Markets SA (Pty) Ltd Protection of Personal Information Policy

Information Security Management Criteria for Our Business Partners

PCI DSS Compliance. White Paper Parallels Remote Application Server

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

Transcription:

ANNEX Organizational and technical measures The Data Processor has implemented the measures as described in this exhibit insofar as the respective measure contributes or is capable of contributing directly or indirectly to the protection of the personal data under the DPA entered into between the Parties. The technical and organizational security measures shall be subject to technical progress and future developments of Data Processor s Service(s). As such, the Data Processor shall be permitted to implement alternative adequate measures. In such event, the security level may not be lower than the measures memorialized here. Material changes are to be coordinated with the Data Controller and documented. 1. Entry controls Unauthorized persons are to be denied entry to the data processing facilities in which personal data are processed or used. The Data Processor has implemented the following entry control measures insofar as Personal Data are processed in the rooms/buildings of the Data Processor or access to such data from these rooms/buildings cannot be precluded: 1. restricting entry authorizations to office buildings, computer centers, and server rooms to the necessary minimum. 2. effective entry authorization controls through an adequate locking system (e.g., security key with documented key management, electronic locking systems with documented authorizations management). 3. documented and comprehensible processes for obtaining, changing, and rescinding entry authorizations. 4. routine and documented review whether the granted entry authorizations are up-to-date. 5. reasonable prophylactic and detection measures regarding unauthorized entry and entry attempts (e.g., routine checks of burglary security system for doors, gates, and windows, burglar alarm, video monitoring, guard service, security patrol) 6. written rules for employees and visitors for dealing with technical entry security measures. 2. Access controls Potential use of data processing systems by unauthorized persons is to be prevented. The Data Processor has implemented the following access control measures for systems and networks, in which contract data are processed or through which access to contract data is possible: 1. restricting access authorizations to DP systems and non-public networks to the necessary minimum. 2. effective access authorization controls through personalized and unambiguous user identification and a secure authentication process. 3. for password authentications:

a. specifications are to be made that ensure continuous password quality of at least twelve (12) characters, four (4) degrees of complexity (upper case, lower case, numbers, special characters), and a change cycle of a maximum of ninety (90) days. b. technical test procedures are to be used to ensure password quality. 4. in the event that asymmetric key procedures (e.g., certificates, private-public-key-method) are used for authentication, it is to be assured that secret (private) keys are at all times protected by a password (passphrase). The requirements contemplated under Sect. 3b above are to be complied with. 5. documented and comprehensible processes for obtaining, changing, and rescinding access authorizations. 6. routine and documented review whether the granted access authorizations are up-to-date. 7. reasonable measures for securing network infrastructure (e.g. intrusion detection systems, use of 2-factor authentication for remote access, separation of networks, encrypted network protocols, and so forth.) 8. written rules for employees for dealing with the security measures above and the secure use of passwords. 9. ensuring that critical or material security updates/patches shall be installed according to Processor s Patch Management Policy: a. in client operating systems; b. in server operating systems reachable via public networks (e.g., webservers); c. in application programs (incl. browser, plugins, PDF-reader, etc.); d. in security infrastructure (virus scanner, firewalls, IDS-systems, content filters, routers, and so forth.); and e. in server operating systems of internal servers. 3. Access controls Persons authorized to use a data processing system shall be able to access only the data underlying their access authorization and that personal data shall be incapable of being read, copied, changed, or removed without authorization during the processing and use of the data and after the data have been stored. The Data Processor has implemented the following access control measures insofar as he is responsible for Personal Data access authorizations: 1. restricting access authorizations to contract data to the necessary minimum 2. effective access authorization controls through an adequate rights and roles concept. 3. documented and comprehensible processes for obtaining, changing, and rescinding access authorizations. 4. routine and documented review whether the granted access authorizations are up-to-date. 5. reasonable measures for the protection of end-devices, servers, and other infrastructure elements against unauthorized access (such as multi-level virus protection concept, content filters, application firewall, intrusion detection systems, desktop firewalls, system hardening, content encryption).

6. data carrier encryption with state of the art algorithms to be classified as secure for the protection of mobile devices (notebooks, tablet PCs, smartphones, etc.) and data carriers (external hard drives, USB sticks, memory cards, and so forth). 7. recording of access, even by administrators. 8. technical security measures for export and import interfaces (hardware and applicationrelated). The Data Processor shall have the following cooperation duties for access controls insofar as it does not manage the access authorizations to the Personal Data itself: 1. documented and comprehensible processes for obtaining, changing, and rescinding access authorizations in its area of responsibility 2. routine and documented review whether the granted access authorizations are up-to-date to the extent possible. 3. notifying the Controller without undue delay, if existing access authorizations are no longer needed. 4. Sharing controls The Data Controller shall provide the data to be processed in a transmission procedure to be defined in the agreement/mandate. The results of the processing shall also be transferred back to the Data Controller in a defined transmission procedure. The nature of the transmission and the transmission security measures (transmission controls) are to be determined in a manner that does justice to the requirements; in particular, the use of encryption technology commensurate with the state-of-the-art to be prescribed. Personal data shall be incapable of being read, copied, changed, or removed during electronic transmission or during transport for storage on data carriers and there is the possibility to review and determine at what points a transmission of personal data by data transfer equipment is prescribed. The Data Processor has implemented the following sharing control measures insofar as contract data shall be received, transferred, or transported by the Processor: 1. reasonable measures for securing network infrastructure (e.g., intrusion detection systems, use of 2-factor authentication for remote access, separation of networks, encrypted network protocols, and so forth.) 2. data carrier encryption with state of the art algorithms to be classified as secure for the protection of mobile devices (notebooks, tablet PCs, smartphones, etc.) and data carriers (external hard drives, USB sticks, memory cards, and so forth). 3. using current state-of-the-art encrypted transfer protocols classifiable as secure (e.g., TLSbased protocols). 4. written rules for employees for dealing with and security of mobile devices and data carriers. 5. Input controls There is a possibility to subsequently review and determine whether and by whom Personal Data was entered into, altered in, or removed from data processing systems. The Data Processor has implemented the following input control measures on its systems, which are used for processing the contract data or which enable or convey access to such systems:

1. creation and audit-proof storage of processing protocols. 2. securing log files against manipulation 3. recording and evaluating unauthorized and failed login attempts 4. ensuring that no group accounts (including administrators or root) are used 6. Contract controls Personal Data, which is processed under contract, shall be capable of being processed only in accordance with the instructions of the Data Controller. The Data Processor has implemented the following contract control measures: Data Processes and documentation for 1. selecting (sub)processors with due consideration for technical aspects contemplated under applicable data protection law 2. ensuring (i) the statutorily prescribed initial audit of (sub)processors and (ii) routine subsequent inspections 3. ensuring that the in-house data protection officers shall be notified in timely manner whenever new personal data processing procedures are being introduced or existing personal data processing procedures are being changed 4. obligating all persons commissioned with the processing of personal data to data secrecy 5. routine review that the data processing programs, with the help of which the personal data is processed, are being used in due and proper manner 6. ensuring that the persons commissioned with data processing are familiar with the relevant data protection law and Controller-specific rules and regulations 7. maintaining the expertise of the in-house data protection officer (if appointed) 8. ensuring that the Controller shall be notified without undue delay in the event that personal or otherwise protected information has been unlawfully disclosed 9. ensuring that contract data shall, upon the instructions of the Controller, be corrected, frozen, and deleted without undue delay 7. Availability controls Personal Data shall be protected against accidental destruction or loss. The Data Processor has implemented the following availability control measures insofar as the contract processing is required for maintaining productive services: 1. operation and routine maintenance of fire alarms in server rooms, computer centers, and material infrastructure rooms. 2. creating sufficient backups 3. ensuring backup storage in a separate fire compartment 4. routine backup integrity reviews 5. systems and data restoration processes and documentation

8. Separation controls Personal Data collected for different purposes shall be capable of being processed separately. The Data Processor has implemented the following contract data separation measures insofar as such is within its area of responsibility: 1. logical and/or physical separation of test, development, and production systems 2. separation of controller data from other data sets including, but not limited to, its own, within the processing systems, and at interfaces 3. ensuring that contract data are constantly identifiable on account of suitable labels; in the event that such are processed for different purposes, including information specifying the respective purpose. 9. Deletion of data Personal Data is to be deleted, if it is processed for purposes as soon as the knowledge thereof is no longer necessary for the fulfillment of the purpose of the saving in accordance with Fyber s data retention policy. Deletion is the obfuscation of stored Personal Data. The Data Processor has implemented the following measures ensuring data deletion insofar as such is within its area of responsibility: 1. ensuring that the contract data are capable of being deleted at any time upon request of the Data Controller 2. processes, tools, and documentation for secure deletion in a manner, such that recovery of the data is not possible given today s state of technology (e.g., through overwriting) 3. specifications for employees regarding how and when data are to be deleted.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback