TECHNICAL AND ORGANIZATIONAL DATA PROTECTION MEASURES
- ACCESS CONTROL (PHYSICAL SECURITY MEASURES ARE REQUIRED)
Which technical and organizational measures are in place in order to control physical access to the Data Processor’s premises and to identify authorized persons?
- All major offices have locked doors and a staffed reception.
- For the Data Center, only authorized staff have access, and key fobs are used as a second method of authentication (visits must also be pre-booked).
- CONTROLLED ADMITTANCE (UNAUTHORIZED PERSONS ACCESSING DATA PROCESSING SYSTEMS MUST BE PREVENTED)
Which measures are in place with regard to user identification and authentication technically (password protection) and organizationally (user master record)?
- Password system, encryption system, automatic blocking after a certain time, password-protected screen saver.
- All clients are accessed using passwords, with strong rules for how passwords must be set up.
- All client computers have encrypted hard drives.
- ACCESS CONTROL (UNAUTHORIZED WORK IN DATA PROCESSING SYSTEMS BEYOND THE GRANTED AUTHORITIES MUST BE PREVENTED)
Are the authorization concept and the access rights adjusted to the requirements? How is monitoring and logging ensured?
- All major systems authenticate against the AD except Maconomy which has its own separate authentication mechanism.
- The system owner/administrator authorizes access to the system based on job role and function.
- Security logs are automatically scanned, and crucial servers are monitored.
- DISCLOSURE CONTROL (ANY AND ALL ASPECTS OF THE TRANSMISSION OF PERSONAL DATA: ELECTRONIC TRANSMISSION, DATA TRANSPORT, TRANSMISSION CONTROL)
Which security measures are in place for the transport, transfer and transmission and storage on data storage devices (whether manual or electronic) as well as for the subsequent inspection?
- All communication between offices and to the Data Center is done through encrypted VPN tunnels/private network.
- When the VPN client is used to access the iStone network, strong authentication is enforced.
- Web services and web applications exposed to the Internet are all SSL-based with a certificate.
- INPUT CONTROL (TRACEABILITY, DOCUMENTATION OF DATA ADMINISTRATION AND MAINTENANCE)
Which measures are in place for a subsequent inspection, if and by whom data have been entered, amended or removed (deleted)?
- Logging and an operations management tool are in place to collect the different logs.
- CONTROL OF INSTRUCTIONS (WARRANTY THAT THE CONTRACT DATA PROCESSING COMPLIES WITH THE INSTRUCTIONS)
Which measures are in place to differentiate between the competences of the Data Controller and the Data Processor?
- There are agreements and extended guidelines in place for all cases where we are the Data Processor, to ensure that the processing is carried out as per the instructions.
- AVAILABILITY CONTROL (DATA SHALL BE PROTECTED AGAINST ACCIDENTAL DESTRUCTION OR LOSS)
Which measures are in place for data protection (physically/ logically)?
- Perimeter security is in place.
- Central antivirus and security software.
- The critical and sensitive data stored on the servers is located in secured and certified data centres.
- Measures are in place to ensure the availability of the data and the network for maximum uptime.
- Backup and re-establishment procedures are in place for all centralized and critical data.
- Secure DNS service installed on all DNS servers.
- SEPARATION CONTROL (DATA COLLECTED FOR DIFFERENT PURPOSES SHALL BE PROCESSED SEPARATELY)
Which measures are in place for a separate data processing (storing, alteration, deletion, transmission) of data with different contract purposes?
- The data processing is done using separate environments for production, testing and development purposes, and all documents are separated using SharePoint privileges to ensure that each customer's data is protected.