Technical and Organizational Measures

Technical and organizational measures including technical and organizational measures to ensure the security of the data

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall implement the measures outlined below to ensure an appropriate level of security for the provision of the Services:

A.     User Authentication

Management has established and approved an information security program.
A framework of information security policies and standards has been developed, which supports the objectives of the information security program.
Procedures exist for, and to ensure adherence to, authenticating and authorizing users to systems.
Procedures exist for, and to ensure adherence to, policies for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges, e.g. system access is granted based upon role using the concept of least privilege.
A process is in place to monitor failed login attempts. Identified security violations are resolved.
Access to the Processor production environment by Processor employees is granted based on business need. A two-factor authenticated VPN is utilized.
Controls are in place to restrict implementation of changes to production only to authorized individuals.

Type of access

The various types of customer end user access are documented in the service-specific Administrator Guides and are controlled by customer administrators through the service dashboard, user interface or SAML integration.

B.     Execution of Backup Copies

Customer configuration and report data are backed up on a regular basis and stored on spinning disk.

Procedures for backup and retention of data and programs have been documented and implemented.

C.     Computers and Access Terminals

Computers used by Processor employees to access the Processor infrastructure are required to use a secure VPN tunnel to access the Processor infrastructure. All employee endpoints are required to run up-to-date anti-virus software and policies exist to restrict software that may be installed on these machines. All Processor employees are required to authenticate to a centralized authentication system in order to access the Processor corporate and production networks.

D.     Data Processor Controls

New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
New employees also receive a copy of Processor’s Security Code of Conduct, a summary of Processor’s information security program, which they are required to acknowledge receipt of.
Access to the Processor production environment by Processor employees is granted based on business need. A two-factor authenticated VPN is utilized.
Centralized configuration management tools are used to ensure employee endpoints are appropriately configured.

E.     Access Logs

In relation to the Services, access logs take at least two different forms:

All access attempts to Data Processor computer systems are centrally logged and unusual activity is automatically reported to Processor’s Global Information Security group. In addition, Processor enforces account lockout policies and password requirements. Logs of customer access to the Services are generated and retained as applicable for each Service.

Procedures exist for, and to ensure adherence to, authenticating and authorizing users to systems.
A control process exists and is followed to periodically review and confirm access privileges remain authorized and appropriate.
A process is in place to monitor failed login attempts. Identified security violations are investigated and resolved.
Application event data are retained to provide chronological information and logs to enable the review, examination, reconstruction of systems and data processing and application events.

F.     Telecommunication Systems

All Processor production facilities have redundant internet feeds from diverse bandwidth providers.

G.     Instruction of Personnel

All Processor personnel are required to complete an annual online Security and Awareness training program. In addition, personnel may receive on-going training specific to their roles. This training may be provided by Proofpoint or other third-party organizations.

Processor has an organization plan, which separates incompatible roles and duties of relevant personnel.
Separate management roles and responsibilities have been designed to segregate the roles of computer operations, system development and maintenance, and general Processor corporate functions.
Personnel roles and responsibilities are clearly defined.

H.     Use of Computers

Remote access to Processor production networks is restricted to systems running Processor-approved and managed security software. All Processor systems provided to personnel are managed by a centralized configuration system. All Processor employees are made aware of Processor’s acceptable use policies for Processor computers, internet access and email communications. Processor employees must acknowledge these policies and agree to abide by them.

New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
New employees review and acknowledge Processor’s Security Code of Conduct.

I.     Printing of Data

Customer data is processed in memory and is not available for printing. In addition, there are no printers available within the Processor production environment and all print services are disabled by default on all production servers.

J.     Physical Access Control

Data Processor Controls

With products hosted from Processor’s co-location providers, Processor maintains controls over physical access to the Processor infrastructure. With products hosted from hosting providers AWS, Azure or Google Cloud, physical access is controlled by the hosting provider.

K.     Physical Security Measures for Data Centers

Co-location facilities’ physical security controls are aligned with Tier-III data center standards, including 24x7 on-site security, staffed points of access, anti piggy-backing mechanisms, dual-factor authentication and monitored CCTV. Facilities used by AWS, Azure or Google Cloud are aligned with Tier-III data center standards.

L.     Access Control to IT systems

Data Processor Controls

Data Processor controls access to systems providing Services in the following ways:

  1. All Data Processor employees and contractors are provided with unique user IDs. Account sharing is not permitted.
  2. Password requirements are defined and enforced by a password synchronization tool. Requirements include:
    1. Minimum of 12 characters
    2. Must not appear on public lists of breached passwords
    3. History of 23
    4. Required to change every 180 days
    5. Account locked out after five (5) failed login attempts
  3. Logical access is granted based on role.
  4. Audit logging is in place on the VPN to the Data Processor production environment.
  5. Audit logs are monitored in near real-time by a log aggregation and alerting tool. Alerts are configured to be sent to the Data Processor Global Information Security group.

M.     Access Control to Data

Customer data is not permitted to reside in the Processor corporate environment. Access to systems hosting the Services is controlled in the following ways:

  1. Access is based on role at Processor.
  2. Only authorized Processor personnel are permitted to have privileged access to a Processor Production Environment.

N.     Audit logging

Audit logging is in place on the VPN and on systems in the Processor Production Environment.

O.     Implement Least Privilege Access Control

Access to the Processor Production Environment is granted based on role.

P.     Security while Transferring and Processing

Processor does not permit Customer data to reside in the Processor Corporate Environment, where Processor employees and contractors reside. The Processor Production Environment is logically and physically separated from the Processor Corporate Environment:

  1. Access to the Processor Production Environment is via a two-factor authenticated VPN using Processor-approved devices and is only provided to Processor employees and contractors whose role requires access.
  2. Industry-standard firewalls are in place and configured to only permit traffic on ports necessary for the functioning of the Services with all others denied by default.
  3. All Administrator access to the Services hosted web interfaces is encrypted using HTTPS/TLS.

Q.     System Access Controls

  1. LDAP is used to authenticate Processor personnel to the production environments.
  2. Privileged access is only granted to authorized Processor personnel.

R.     Endpoint Security

  1. Endpoints used to access the Data Processor production environment are centrally managed, have applicable security patches installed, run standardized security software and are regularly scanned for vulnerabilities.

S.     Server Security

  1. Applicable security patches are applied based on criticality.
  2. Unnecessary services are disabled.
  3. Default passwords are changed.

T.     Security while Transmitting Data over Public Networks

  1. All Administrative access by Processor to the Services is encrypted using HTTPS/TLS.

U.     Implementation and Operations Phase Controls

The functionality provided by the Services is performed automatically and does not require human intervention, except for analytic purposes and in order to troubleshoot issues with the Services. The Services are designed to function as described in the Services Agreement.

V.     Traceability of any Access, Change and Deletion

Access to systems used by the Services is controlled in the following ways:

  1. Access is granted based on role at Processor.
  2. Only authorized personnel are permitted to have privileged access to the Processor Production Environment.
  3. Audit logging is in place on the VPN and on systems in the Processor Production Environment.
  4. Service-generated audit logs capture access to Services by Data Controller personnel.

W.     Ensuring Compliant Data Processing

Except for analytic purposes and to troubleshoot issues with the Services, Processor personnel do not manually process customer data. All customer data is automatically processed by the Services, as described in the Services documentation.

X.     Ensuring Availability

This is accomplished in the following way:

  1. Infrastructure in each production facility is configured in high-availability mode, including dual power feeds and a minimum of two diverse network connections.
  2. Co-location facilities are aligned with Tier-III data center standards, including redundant power and redundant environmental controls.
  3. Co-location facilities have on-site generators with a minimum of two (2) day fuel supply.
  4. A Business Continuity Action Plan for the protection of Data Processor personnel and the recovery of Data Processor business processes is documented and tested annually.
  5. A distributed monitoring infrastructure monitors for availability and performance.

Y.     Data Separation

The Services maintain separation of customer data. This is accomplished in the following way:

  1. Logical separation is maintained by the service using some or all of the following:
    1. Unique Client IDs for each client that are used to tag client data within the service;
    2. Unique IPs; or
    3. Unique encryption keys.

Last updated December 05, 2023.