TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Similar documents
TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

SECURITY & PRIVACY DOCUMENTATION

Cisco Meraki Privacy and Security Practices. List of Technical and Organizational Measures

The Common Controls Framework BY ADOBE

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

HIPAA Security and Privacy Policies & Procedures

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

QuickBooks Online Security White Paper July 2017

ANNEX. Organizational and technical measures

Morningstar ByAllAccounts Service Security & Privacy Overview

Employee Security Awareness Training Program

Juniper Vendor Security Requirements

The City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance.

Information Technology General Control Review

Information Security Policy

Data Processing Amendment to Google Apps Enterprise Agreement

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Sparta Systems TrackWise Digital Solution

Data Security and Privacy Principles IBM Cloud Services

Standard: Event Monitoring

Oracle Data Cloud ( ODC ) Inbound Security Policies

University of Pittsburgh Security Assessment Questionnaire (v1.7)

ADIENT VENDOR SECURITY STANDARD

Daxko s PCI DSS Responsibilities

Baseline Information Security and Privacy Requirements for Suppliers

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Table of Contents. Page 1 of 6 (Last updated 27 April 2017)

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

ISSUE N 1 MAJOR MODIFICATIONS. Version Changes Related Release No. PREVIOUS VERSIONS HISTORY. Version Date History Related Release No.

Access to University Data Policy

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Security Standards for Electric Market Participants

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

ISSP Network Security Plan

HIPAA Federal Security Rule H I P A A

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

HPE DATA PRIVACY AND SECURITY

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

HIPAA Controls. Powered by Auditor Mapping.

201 CMR COMPLIANCE CHECKLIST Yes No Reason If No Description

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

FairWarning Mapping to PCI DSS 3.0, Requirement 10

General Information System Controls Review

RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE

Security Policies and Procedures Principles and Practices

Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR)

Information Security Management Criteria for Our Business Partners

Information Security Controls Policy

Information Security in Corporation

Security+ SY0-501 Study Guide Table of Contents

IBM Security Intelligence on Cloud

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

I. PURPOSE III. PROCEDURE

Watson Developer Cloud Security Overview

Data Processing Agreement

State of Colorado Cyber Security Policies

PRIVACY STATEMENT +41 (0) Rue du Rhone , Martigny, Switzerland.

Internal Audit Report DATA CENTER LOGICAL SECURITY

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

IBM Case Manager on Cloud

Fabric Data Processing and Security Terms Last Modified: March 27, 2018

Google Cloud & the General Data Protection Regulation (GDPR)

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

Checklist: Credit Union Information Security and Privacy Policies

3 rd Party Certification of Compliance with MA: 201 CMR 17.00

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

W H IT E P A P E R. Salesforce Security for the IT Executive

Information Security Incident Response Plan

Security Architecture

Cyber Security Requirements for Electronic Safety and Security

EU Data Protection Agreement

INFORMATION TECHNOLOGY POLICY

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Remote Access Policy

Data Protection Policy

Privacy Policy Effective May 25 th 2018

Standard CIP Cyber Security Electronic Security Perimeter(s)

University of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017

Sparta Systems TrackWise Solution

Agilent ICP-MS ChemStation Complying with 21 CFR Part 11. Application Note. Overview

Projectplace: A Secure Project Collaboration Solution

Red Flags Program. Purpose

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

The Honest Advantage

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Trust Services Principles and Criteria

Cyber Insurance PROPOSAL FORM. ITOO is an Authorised Financial Services Provider. FSP No

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Post-Class Quiz: Access Control Domain

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

WORKSHARE SECURITY OVERVIEW

Transcription:

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control to Data Processing Systems (Logical)... 3 Availability Control... 5 Transmission Control... 5 Input Control... 6 Separation of Processing for Different Purposes... 6 Documentation... 7 Monitoring... 7 Definitions... 7 Document History... 8 Technical and Organizational Data Security Measures v.2 Page 2 of 8

Introduction This Technical and Organizational Data Security Measures articulates the technical and organizational security measures implemented by Citrix Systems, Inc. ( Citrix ) in support of its Security Program including the Citrix Global Security Framework. The Technical and Organizational Data Security Measures Citrix has implemented and maintains a security program that leverages the ISO/IEC 27000-series of control standards as its baseline. Access Control of Processing Areas (Physical) Web applications, communications and database servers of Citrix are located in secure data centers. Citrix has implemented suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment (namely telephones, database and application servers and related hardware) where Personal Data are processed or used. Establishing security areas; Protection and restriction of access paths; Securing the data processing equipment and personal computers; Establishing access authorizations for employees and third parties, including the respective documentation; Regulations/restrictions on card-keys; Restricting physical access to the servers by using electronically-locked doors and separate cages within co-location facilities; Access to the data center where Personal Data are hosted is logged, monitored, and tracked via electronic and CCTV video surveillance by security personnel; and Data centers, where Personal Data may be hosted, are protected by security alarm systems, and other appropriate security measures, such as user-related authentication procedures, including biometric authentication procedures (e. g., hand geometry), and/or electronic proximity identity cards with users photographs. Access Control to Data Processing Systems (Logical) Citrix has implemented suitable measures to prevent its data processing systems from being used by unauthorized persons. Establishing the identification of the terminal and/or the terminal user to the Citrix systems; Technical and Organizational Data Security Measures v.2 Page 3 of 8

Automatic time-out of user terminal if left idle, identification and password required to reopen; Automatic lock out of the user ID when several erroneous passwords are entered. Events are logged and logs are reviewed on a regular basis; Utilizing firewall, router and VPN-based access controls to protect the private service networks and back-end-servers; Continuously monitoring infrastructure security; Regularly examining security risks by internal employees and third party auditors; Issuing and safeguarding of identification codes; and Role-based access control implemented in a manner consistent with principle of least privilege. Remote access to Citrix s services delivery network infrastructure is secured using two-factor authentication tokens. Access to host servers, applications, databases, routers, switches, etc., is logged. Access and account management requests must be submitted through internal approval systems. Access must be approved by an appropriate approving authority. In most cases, the approval for a request requires two approvals at minimum: the employee's manager and the role approver or owner for the particular system or internal application. Passwords must adhere to the Citrix password policy, which includes minimum length requirements, enforcing complexity and set periodic resets. Password resets are handled via Citrix ticketing system. New or reset passwords are sent to the employee using internal secure, encrypted email system or by leaving a voicemail for the employee. Citrix s intrusion detection systems include signature-based network IDS, host-based IDS, and security incident and event management (SIEM) systems. Citrix also uses commercial and custom tools to collect and examine its application and system logs for anomalies. Access Control to Use Specific Areas of Data Processing Systems Persons entitled to use the data processing system are only able to access Personal Data within the scope and to the extent covered by their respective access permission (authorization) and that Personal Data cannot be read, copied, modified or removed without authorization. Employee policies and training in respect of each employee s access rights to the Personal Data; Technical and Organizational Data Security Measures v.2 Page 4 of 8

Users have unique log in credentials -- role based access control systems are used to restrict access to particular functions; Monitoring activities that add, delete or modify the Personal Data; Effective and measured disciplinary action against individuals who access Personal Data without authorization; Release of Personal Data to only authorized persons; Controlling access to account data and customer Personal Data via role-based access controls (RBAC) in compliance with the security principle of leastprivilege ; Internal segmentation and logical isolation of Citrix's employees to enforce leastprivilege access policies; Requirements-driven definition of the authorization scheme and access rights as well as their monitoring and logging; Regular review of accounts and privileges (typically every 3-6 months depending on the particular system and sensitivity of data it provides access to); Control of files, controlled and documented destruction of data; and policies controlling the retention of back-up copies. Availability Control Citrix has implemented suitable measures to ensure that Personal Data is protected from accidental destruction or loss. Global and redundant service infrastructure that is set up with full disaster recovery sites; Constantly evaluating data centers and Internet service providers (ISPs) to optimize performance for its customers in regards to bandwidth, latency and disaster recovery isolation; Situating data centers in secure co-location facilities that are ISP carrier neutral and provide physical security, redundant power, and infrastructure redundancy; Service level agreements from ISPs to ensure a high level of uptime; Rapid failover capability; and Citrix maintains full capacity disaster recovery (DR) sites and annually tests its DR centers by shutting down its primary site for at least 24 hours. Transmission Control Citrix has implemented suitable measures to prevent Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. Technical and Organizational Data Security Measures v.2 Page 5 of 8

Use of adequate firewall and encryption technologies to protect the gateways and pipelines through which the data travels; Sensitive Personal Data is encrypted during transmission using up to date versions of TLS or other security protocols using strong encryption algorithms and keys; Certain types of customer sensitive Personal Data and other confidential customer data (e.g. payment card numbers) are encrypted at rest within the system; Protecting web-based access to account management interfaces by employees through encrypted TLS End-to-end encryption of screen sharing for remote access, support, or real time communication; Use of integrity checks to monitor the completeness and correctness of the transfer of data. Input Control Citrix has implemented suitable measures to ensure that it is possible to check and establish whether and by whom Personal Data have been input into data processing systems or removed. An authorization policy for the input of Personal Data into memory, as well as for the reading, alteration and deletion of such stored data; Authentication of the authorized personnel; Protective measures for Personal Data input into memory, as well as for the reading, alteration and deletion of stored Personal Data, including by documenting or logging material changes to account data or account settings; Segregation and protection of all stored Personal Data via database schemas, logical access controls, and/or encryption; Utilization of user identification credentials; Physical security of data processing facilities; Session time outs. Separation of Processing for Different Purposes Citrix has implemented suitable measures to ensure that Personal Data collected for different purposes can be processed separately. Technical and Organizational Data Security Measures v.2 Page 6 of 8

Documentation Citrix keeps documentation of technical and organizational measures in case of audits and for the conservation of evidence. Citrix takes reasonable steps to ensure that persons employed by it and other persons at the place of work, are aware of and comply with the technical and organizational measures set forth in this document. Citrix, at its election, may make non-confidential portions of audit reports available to customers to verify compliance with the technical and organizational measures undertaken in this Program. Monitoring Citrix does not access Customer Personal Data, except to provide services to the Customer which Citrix is obligated to perform, in support of the Customer experience, as required by law, or on request by Customer; Citrix has implemented suitable measures to monitor access restrictions of Citrix s system administrators and to ensure that they act in accordance with instructions received. Individual appointment of system administrators; Adoption of suitable measures to register system administrators' access logs to the infrastructure and keep them secure, accurate and unmodified for a reasonable period of time; Regular audits of system administrators activity to assess compliance with assigned tasks, the instructions received by Controller and applicable laws; Keeping an updated list with system administrators identification details (e.g. name, surname, function or organizational area) and responsibilities. Definitions Citrix means Citrix Systems, Inc., and all of its direct and indirect subsidiaries. Customer means any purchaser of any Citrix offering. Personal Data means any information directly or indirectly relating to any identified or identifiable natural person. Security Framework refers to the collection of Citrix s policies and procedures governing information security, including, but not limited to, policies, trainings, education, monitoring, investigation and enforcement of its data management and security efforts. Technical and Organizational Data Security Measures v.2 Page 7 of 8

Document History Version Revision Date Author Notes 1.0 6/30/2015 Stacey Simson 2.0 20 May 2016 Lisa Hall Technical and Organizational Data Security Measures v.2 Page 8 of 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback