TECHNICAL AND ORGANIZATIONAL DATA PROTECTION MEASURES
1. ACCESS CONTROL (PHYSICAL SECURITY MEASURES ARE REQUIRED)
Which technical and organizational measures are in place in order to control physical access to the Data Processor’s premises and to identify authorized persons?
- Office locations are secured with a lock and requires personal RFID card;
- Office locations are equipment with alarm systems;
- All employees are required to have identification cards/RFID.
2. CONTROLLED ADMITTANCE (UNAUTHORIZED PERSONS ACCESSING DATA PROCESSING SYSTEMS MUST BE PREVENTED)
Which measures are in place with regard to user identification and authentication technically (password protection) and organizationally (user master record)?
- The Identification of users is validated through Active Directory.
- Passwords are protected through policies of complexity and must be changed frequently.
- Network security is managed by the internal IT Team and physical and logical access datacentres is restricted to authorized employees responsible for the job.
3. ACCESS CONTROL (UNAUTHORIZED WORK IN DATA PROCESSING SYSTEMS BEYOND THE GRANTED AUTHORITIES MUST BE PREVENTED
Are the authorization concept and the access rights adjusted to the requirements? How is monitoring and logging ensured?
- User name and password is required to access the Data Processor’s systems and individual computers/accounts.
- Security of the password and account and its acceptable use is governed by the policy.
- Idle client systems are locked automatically after defined time and can be unlocked by the user using the password.
- Differentiated authorizations are used so that each individual user’s access is limited to a certain extent. Unauthorized users are blocked from access.
- SharePoint access is restricted. And principle of least privilege is followed while granting access and access is governed by responsible person.
- All employees are bound by confidentiality obligations via their employment contracts.
4. DISCLOSURE CONTROL (ANY AND ALL ASPECTS OF THE TRANSMISSION OF PERSONAL DATA: ELECTRONIC TRANSMISSION, DATA TRANSPORT, TRANSMISSION CONTROL)
Which security measures are in place for the transport, transfer and transmission and storage on data storage devices (whether manual or electronic) as well as for the subsequent inspection?
- Data is transferred electronically using VPN.
- All internal email communication is secure and over encrypted channel.
- Endpoints hard disk encryption
- All internal critical web applications are accessed by authorized persons over secure and encrypted channel.
5. INPUT CONTROL (TRACEABILITY, DOCUMENTATION OF DATA ADMINISTRATION AND MAINTENANCE)
Which measures are in place for a subsequent inspection, if and by whom data have been entered, amended or removed (deleted)?
- Logging is done separately in the respective critical systems which handle data.
6. CONTROL OF INSTRUCTIONS (WARRANTY THAT THE CONTRACT DATA PROCESSING COMPLIES WITH THE INSTRUCTIONS)
Which measures are in place to differentiate between the competences of the Data Controller and the Data Processor?
- The Data Processor will amend, remove or delete any Personal Data if specifically instructed hereto by the Data Controller.
- Upon receiving a written instruction from the Data Controller, the Data Processor will set up a procedure to ensure compliance with specifically requested traceability requirements.
7. AVAILABILITY CONTROL (DATA SHALL BE PROTECTED AGAINST ACCIDENTAL DESTRUCTION OR LOSS?
Which measures are in place for data protection (physically/ logically)?
- Office perimeter security is in place.
- Central antivirus and security software is in place
- The critical and sensitive data stored on the servers, which are located in a secured datacentres.
- Measures are in place to ensure the availability of the data, network for maximum uptime.
- Backup and re-establishment procedures are in place for all centralized and critical data.
8. SEPARATION CONTROL (DATA COLLECTED FOR DIFFERENT PURPOSES SHALL BE PROCESSED SEPARATELY)
Which measures are in place for a separate data processing (storing, alteration, deletion, transmission) of data with different contract purposes?
- The Customer data processing is done using min 2 separate environments: (i) for production and (ii) testing/ development purposes
- All Customer documents are separated using Active Directory privileges.
Should you have any questions regarding Columbus’ data protection measures, please feel free to contact us.