TECHNICAL AND ORGANIZATIONAL DATA PROTECTION MEASURES
1. ACCESS CONTROL (PHYSICAL SECURITY MEASURES ARE REQUIRED)
Which technical and organizational measures are in place in order to control physical access to the Data Processor’s premises and to identify authorized persons?
- All employees and guests are always required to wear visible identification cards.
- Office locations are secured with a lock and require a Personal ID card (smartcard) and a personal code to access the premises.
2. CONTROLLED ADMITTANCE (UNAUTHORIZED PERSONS ACCESSING DATA PROCESSING SYSTEMS MUST BE PREVENTED)
Which measures are in place with regard to user identification and authentication technically (password protection) and organizationally (user master record)?
- The Identification of users is validated through Active Directory.
- Passwords are protected through policies of complexity and must be changed on regular intervals as defined in the policy.
- Network security is managed by the internal IT Team and physical and logical access to datacenters is restricted to authorized employees responsible for the job.
3. ACCESS CONTROL (UNAUTHORIZED WORK IN DATA PROCESSING SYSTEMS BEYOND THE GRANTED AUTHORITIES MUST BE PREVENTED
Are the authorization concept and the access rights adjusted to the requirements? How is monitoring and logging ensured?
- User name and password is required to access the Data Processor’s systems and individual computers/accounts.
- Security of the password and account and its acceptable use is governed by the policy.
- Idle client systems are locked automatically after defined time and can be unlocked by the user using the password.
- Differentiated authorizations are used so that each individual user’s access is limited to a certain extent. Unauthorized users are blocked from access.
- SharePoint access is restricted. The principle of least privilege is followed when granting access and access is governed by a project manager.
- All employees are bound by confidentiality obligations via their employment contracts.
4. DISCLOSURE CONTROL (ANY AND ALL ASPECTS OF THE TRANSMISSION OF PERSONAL DATA: ELECTRONIC TRANSMISSION, DATA TRANSPORT, TRANSMISSION CONTROL)
Which security measures are in place for the transport, transfer and transmission and storage on data storage devices (whether manual or electronic) as well as for the subsequent inspection?
- Data is transferred electronically using VPN.
- All internal email communication is secure and over encrypted channel.
- Endpoints hard disk encryption.
- Data is encrypted while sharing files via URL link or email.
- All internal critical web applications are accessed by authorized persons over secure and encrypted channel.
5. INPUT CONTROL (TRACEABILITY, DOCUMENTATION OF DATA ADMINISTRATION AND MAINTENANCE)
Which measures are in place for a subsequent inspection, if and by whom data have been entered, amended or removed (deleted)?
- Logging is done separately in the respective systems which handle data.
6. CONTROL OF INSTRUCTIONS (WARRANTY THAT THE CONTRACT DATA PROCESSING COMPLIES WITH THE INSTRUCTIONS)
Which measures are in place to differentiate between the competences of the Data Controller and the Data Processor?
- The Data Processor will amend, remove or delete any Personal Data if specifically instructed hereto by the Data Controller.
- Upon receiving a written instruction from the Data Controller, the Data Processor will set up a procedure to ensure compliance with specifically requested traceability requirements.
7. AVAILABILITY CONTROL (DATA SHALL BE PROTECTED AGAINST ACCIDENTAL DESTRUCTION OR LOSS?
Which measures are in place for data protection (physically/ logically)?
- Perimeter security is in place.
- Central antivirus and security software
- The critical and sensitive data stored on the servers are located in a secured and certified datacenters.
- Measures in place to ensure the availability of the data, network for maximum uptime.
- Backup and re-establishment procedures are in place for all centralized and critical data.
8. SEPARATION CONTROL (DATA COLLECTED FOR DIFFERENT PURPOSES SHALL BE PROCESSED SEPARATELY)
Which measures are in place for a separate data processing (storing, alteration, deletion, transmission) of data with different contract purposes?
- The Data processing is done using separate environments for production, testing and development purposes, and all documents are separated using Share Point privileges to secure that customer’s data is protected.
Should you have any questions regarding Columbus’ Data Protection Measures, please feel free to contact us.