Last updated – October 2023
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Security Governance and Management
- Data Importer uses a documented security control framework, based on accepted industry standards, for governing its information security practices: SOC 2 Type II, ISO 27001, ISO 27017 and ISO 27018. These frameworks utilize a standard set of controls and include widespread use of commercially available protective measures.
- Data Importer has developed and maintains a comprehensive Information Security Policy (“Policy”) and enforcement procedures based on the adopted Policy and the security control frameworks mentioned in this Annex.
- Data Importer reviews the Policy not less than annually or whenever there is a material change in practices or regulatory requirements.
- Data Importer has a designated group of employees who maintain the Policy and procedures of enforcement.
- Data Importer monitors its Policy and procedures to ensure that the program described therein is operating in a manner reasonably required to prevent a security breach.
Identification and Authorization
- Data Importer has implemented a formal user registration and deregistration procedure for granting to, and revoking from, its personnel access to processing resources and personal data. Upon termination of any of Data Importer’s personnel, Data Importer ensures that such personnel’s access to personal data is revoked. In the event of an involuntary termination, Data Importer ensures all access is revoked immediately.
- Data Importer maintains appropriate access control mechanisms to enable access to personal data and/or Data Importer’s processing resources only by Data Importer personnel who have a “need to access” to support Data Importer’s processing. Additionally, the actual access is granted on a “just in time” (JIT) basis, logged and regularly reviewed.
- Data Importer ensures that segregation of duties exists such that the individual or system granting access is not the same individual or system which approves such access.
- Authentication to Data Importer systems is managed in a centralized Identity and Access Management solution which enforces strong passwords, Single Sign-On (SSO) and mandatory Multi-Factor Authentication (MFA). Connection to Data Importer systems is restricted to Virtual Private Network (VPN) only.
Protection of Data during Transmission (Encryption in Transit)
- Data Importer encrypts all data, records, and files containing personal data that are transmitted wirelessly or across public networks.
- TLS v1.2 or higher protocol is used for data transmission.
Protection of Data during Storage (Encryption at Rest)
- Data Importer encrypts all personal data regardless of its location at rest and in transit.
- All encryption keys are protected against modification; secret and private keys are protected against unauthorized disclosure.
- Industry-accepted cryptographic algorithms with commensurate key sizes are used whenever cryptographic services are applied.
- Data Importer implements full disk encryption on built-in or removable storage media in Data Importer’s controlled endpoints which may access, store, process, transmit, or create personal data. All such encryption meets the Advanced Encryption Standard with a 256-bit cipher key (“AES-256”).
- Data Importer does not use tapes or other removable media for system backup.
Availability and Disaster Recovery
- Data Importer has developed and maintains a resilient design and architecture for the Services.
- In order to measure resiliency and continuously improve the Services architecture, Data Importer has implemented Disaster Recovery drills and performs them regularly.
- Data Importer maintains appropriate physical security controls and environmental controls at Data Importer controlled facilities, to prevent unauthorized physical access to its controlled facilities from which personal data can be accessed. Such measures include, but are not limited to, personal access card identification, door sensors, video surveillance and monitoring.
- Data Importer maintains appropriate mechanisms and processes for detecting, recording, analysing, and resolving unauthorized attempts to access personal data or Data Importer’s systems.
- Data Importer reviews access logs not less than quarterly to ensure that access permissions are appropriate and necessary.
- Data Importer’s operating system security mechanisms are configured to support appropriate security procedures, and are capable of:
  - Identifying and verifying the identity of each authorized user; and
  - Recording successful and failed system accesses.
- All permitted and authorized remote sessions that may entail access to personal data are performed only via a secure remote access solution that ensures end-to-end encryption and a secure authentication methodology.
Vulnerability Management and Penetration Testing
- Data Importer conducts comprehensive scans for known vulnerabilities on all externally facing systems no less than once per month.
- Vulnerabilities are prioritized based on severity and mitigated in accordance with Data Importer’s Policy.
- Penetration tests on Internet-facing assets are performed by a reputable testing company annually or upon a material change.
- Data Importer utilizes and keeps current reputable, commercially available anti-malware software on Data Importer’s endpoints used in accessing, storing, processing, transmitting, or creating personal data.
- Data Importer has developed and uses a risk assessment methodology based on industry standard frameworks.
- Data Importer conducts risk assessments regularly and reviews the assessments on a regular basis to ensure controls are operating properly.
- Data Importer documents the results of all risk assessments, develops action plans for the mitigation of findings, and tracks the progress of such action plans.
- All media containing personal data are disposed of using an appropriate methodology, driven by industry standard guidance on appropriate minimum destruction techniques and procedures.
Third-Party Subprocessor Management
- Data Importer conducts risk assessments and reviews of all subprocessors that have access to personal data on an annual basis, or receives copies of external third-party audits conducted for those subprocessors.
- Data Importer monitors corrective actions where required as a result of such risk assessments, and terminates the relationship with third-party subprocessors that are not in compliance.