Supplier agrees to implement the following Security Measures as referenced in Paragraph 5.2 of the DPA. Supplier, at its option, may attach or reference additional information regarding its Security Measures. Notwithstanding any additional information that may be provided, Supplier agrees that it shall implement Security Measures that at least meet the requirements set forth in this Annex B.
Where appropriate, Supplier may note in the space provided at the end of Annex B that certain specified Security Measures are inapplicable to the Services Supplier is providing to Company with a corresponding explanation.
Physical Access control
Unauthorized persons shall be prevented from gaining physical access to premises, buildings or rooms, where data processing systems are located which Process Personal Data. Exceptions may be granted for the purpose of auditing the facilities to third party auditors as long as they are supervised by the Supplier and do not get access to the Personal Data themselves.
This includes, without limitation, the following Access Controls:
- Controls to specify authorized individuals permitted to access Personal Data
- Implementation of an access control process to avoid unauthorized access to the Supplier’s premises
- Implementation of an access control process to restrict access to data centres/rooms where data servers are located
- Use of video surveillance and alarm devices with reference to access areas
- Ensuring that personnel without access authorization (e.g. technicians, cleaning personnel) are accompanied all times when accessing areas where Personal Data is Processed
System Access Control
Data processing systems must be prevented from being used without authorization.
This includes, without limitation, the following System Access Controls:
- Ensuring that all systems Processing Personal Data (this includes remote access) are password protected:
- after boot sequences;
- when left even for a short period; and
- to prevent unauthorized persons from accessing any Personal Data
- Providing dedicated user IDs for authentication against systems and user management for every individual.
- Assigning individual user passwords for authentication
- Ensuring that access control is supported by an authentication system
- Controls to grant access only to authorized personnel and to assign only the minimum permissions necessary for those personnel to access Personal Data in the performance of their function.
- Implementing a password policy that prohibits the sharing of passwords, outlines processes after a disclosure of a password and requires the regular change of passwords
- Ensuring that passwords are always stored in encrypted form
- Implementing a proper procedure to deactivate a user account when a user leaves the company or function
- Implementing a proper process to adjust administrator permissions when an administrator leaves the company or function
- Implementing a process to log all access to systems and review those logs for Security Incidents
Data Access Control
Persons entitled to use a system that is Processing Personal Data shall gain access only to the data to which they have a right of access, and Personal Data must not be read, copied, modified or removed without authorization in the course of Processing.
This includes, without limitation, the following Data Access Controls:
- Restricted access to files and programs based on a "need-to-know-basis”
- Storing physical media containing Personal Data in secured areas
- Controls to prevent use/installation of unauthorized hardware and/or software
- Establishing rules for the safe and permanent destruction of Personal Data that are no longer required
- Controls to grant access only to authorized personnel and to assign only the minimum permissions necessary for those personal to access Personal Data in the performance of their function
- Establishing protocols for the temporary removal of a user’s access privileges following repeated attempts to log onto the Supplier’s network or any system or device using incorrect access credentials
Data Transmission Control
Personal Data must not be read, copied, modified or removed without authorization during transfer or storage, and it shall be possible to establish to whom Personal Data was transferred.
This includes, without limitation, the following Data Transmission Controls:
- Encrypting data during any transmission
- Transporting physical media containing Personal Data in sealed containers
- Maintaining shipping and delivery notes
Data Entry Control
The Supplier shall be able retrospectively to examine and establish whether and by whom Personal Data have been entered into data processing systems, modified or removed.
This includes, without limitation, the following Data Entry Controls:
- Controls to log administrators' and users' activities
- Controls to permit only authorized personnel to modify any Personal Data within the scope of their function
Personal Data being Processed in the performance of the Services for the Company shall be Processed solely in accordance with the Contract(s) and in accordance with the instructions of the Company.
This includes, without limitation, the following Job Controls:
- Establishing controls to ensure Processing of Personal Data only for performance under the Contract(s)
- Implementing controls to ensure staff members and contractors comply with written instructions or contracts
- Ensuring that data is always physically or logically separated so that, in each step of the Processing, the client from whom Personal Data originates can be identified.
- Imposing data protection terms which are substantially similar those in the DPA to any Sub-processor(s).
- Performing reasonable and appropriate due diligence on any Sub-processors or other third party service providers.
Personal Data shall be protected against disclosure, accidental or unauthorized destruction or loss.
This shall include, without limitation, the following Availability Controls:
- Arrangements to create back-up copies stored in specially protected environments
- Arrangements to perform regular restore tests from those backups
- Contingency plans, business continuity strategies and disaster recovery plans
- Controls to ensure that Personal Data is not used for any purpose other than for the purposes it has been contracted to perform
- Controls to prevent removal of Personal Data from Supplier’s business computers or premises for any reason (unless Company has specifically authorized such removal for business purposes).
- Where portable media has been authorized by Company, Supplier shall require that all portable media, including but not limited to laptops, smart phones, tablets and USB drives that contain Personal Data be encrypted.
- Encrypting Personal Data when stored on Supplier’s network
- Implementing intrusion detection and data loss prevention programs
- Controls to use only business equipment that is authorized by Supplier to perform the services
- Controls to ensure that whenever a staff member leaves his/her desk unattended during the day and prior to leaving the office at the end of the day, he/she places materials containing Personal Data in a safe and secure environment such as a locked desk drawer, filing cabinet, or other secured storage space (clean desk)
- Implementing processes for the secure disposal of documents or data carriers containing Personal Data
- Implementing network firewalls to prevent unauthorized access to systems and services
- Ensuring that each system used to Process Personal Data runs an up to date antivirus solution and malware detection program that protects Supplier’s network as well as all devices that have access to Supplier’s network
- Performing an annual assessment of Supplier’s vulnerabilities
The internal organization of Supplier shall meet the specific requirements of data protection. In particular, Supplier shall take technical and organizational measures to avoid the accidental mixing of Personal Data.
This includes, without limitation, the following Organizational Requirements:
- Designating a Data Protection Officer (or a responsible person if a data protection officer is not required by law)
- Designating an information security oversight function that provides clear direction and visible management support for security initiatives
- Implementing a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing of Personal Data.
- Obtaining the written commitment of employees to maintain confidentiality
- Training staff on data privacy and data security
- Implementing a formal security incident response process that is consistently followed for the management of Security Incidents that includes documentation of the actions Supplier took in response to a Security Incident and is sufficient to comply with Applicable Privacy Laws
- Training staff in the security incident responder roles on the security incident process
- Implementing a written information security program (a “WISP”), including disciplinary measures to be imposed against personnel who violate the requirements of the WISP