TECHNICAL AND ORGANIZATIONAL DATA PROTECTION MEASURES
1. ACCESS CONTROL (PHYSICAL SECURITY MEASURES ARE REQUIRED)
Which technical and organizational measures are in place in order to control physical access to the Data Processor’s premises and to identify authorized persons?
- Integrated security system of building and the rooms of the Data Processor (integrated technical surveillance services with patrol unit responding and fire alarm system)
- Personalized access system (electronic door cards) to rooms.
- Welcome desk
- Locked safe with limited access.
2. CONTROLLED ADMITTANCE (UNAUTHORIZED PERSONS ACCESSING DATA PROCESSING SYSTEMS MUST BE PREVENTED)
Which measures are in place with regard to user identification and authentication technically (password protection) and organizationally (user master record)?
- Central authentication and authorization solution (Active Directory)
- Password policy is in place (length and formation requirements, rotation etc.)
- Network security is managed by the internal IT Team and physical and logical access datacentres is restricted to authorized employees responsible for the job.
- Some cloud services are protected with Multi-factor authentication (MFA)
3. ACCESS CONTROL (UNAUTHORIZED WORK IN DATA PROCESSING SYSTEMS BEYOND THE GRANTED AUTHORITIES MUST BE PREVENTED
Are the authorization concept and the access rights adjusted to the requirements? How is monitoring and logging ensured?
- Access controller by security groups
- Central security groups management
- Password-protected screen-saver
- Regular security groups and access rights review and analyses
- Internal systems are accessed only by VPN
- Authentication and file activities auditing and logging
4. DISCLOSURE CONTROL (ANY AND ALL ASPECTS OF THE TRANSMISSION OF PERSONAL DATA: ELECTRONIC TRANSMISSION, DATA TRANSPORT, TRANSMISSION CONTROL)
Which security measures are in place for the transport, transfer and transmission and storage on data storage devices (whether manual or electronic) as well as for the subsequent inspection?
- All the sites are connected via VPN
- Sensitive data is transported in encrypted security containers.
- All internal email communication is secure and over encrypted channel.
- Endpoints hard disk encryption
- Data is encrypted while sharing files via URL link or e-mail
- All internal critical web applications are accessed by authorized persons over secure and encrypted channel.
5. INPUT CONTROL (TRACEABILITY, DOCUMENTATION OF DATA ADMINISTRATION AND MAINTENANCE)
Which measures are in place for a subsequent inspection, if and by whom data have been entered, amended or removed (deleted)?
- Authentication and file activities auditing and logging (add, change, delete, forward, download, upload etc)
6. CONTROL OF INSTRUCTIONS (WARRANTY THAT THE CONTRACT DATA PROCESSING COMPLIES WITH THE INSTRUCTIONS)
Which measures are in place to differentiate between the competences of the Data Controller and the Data Processor?
- When signing a contract, there is the so-called "four eyes" control within the Data Processor (vice versa)
- Involvement of the data protection expert in data protection issues.
- Register of Processing Data (ROPD) in the Data Processor and internal procedures for its renewal
- Written instructions from the Data Controller are executed only by authorized persons
- All employment contracts and co-operation agreements contain mandatory confidentiality clauses.
- All the employees of the Data Processor are subject to mandatory internal rules and data processing rules and other appropriate instructions and rules (including procedures for the use of computers and equipment)
- Internal audits over terms and regulation of the contracts and their implementation
- Project Council/Project Board role in development projects control and supervision of project implementation
7. AVAILABILITY CONTROL (DATA SHALL BE PROTECTED AGAINST ACCIDENTAL DESTRUCTION OR LOSS?
Which measures are in place for data protection (physically/ logically)?
- Perimeter security is in place.
- Central antivirus and security software
- The critical and sensitive data stored on the servers are located in.
- Measures in place to ensure the availability of the data, network for maximum uptime.
- Systems and data backup, backup and recovery plan in place, regular backup testing and continuous monitoring
8. SEPARATION CONTROL (DATA COLLECTED FOR DIFFERENT PURPOSES SHALL BE PROCESSED SEPARATELY)
Which measures are in place for a separate data processing (storing, alteration, deletion, transmission) of data with different contract purposes?
- All data is processed according to the instructions given by the Data Controller and strictly for the purposes, methods and means provided in the main services contract.
Should you have any questions regarding Columbus’ data protection measures, please feel free to contact us.