General
The conditions described in this document specify Security Obligations for services provided by the Supplier. If Personal Data is processed as part of this service, then these Security Obligations include the technical and organizational measures (TOM) that the Supplier as Data Processor of Personal Data shall, as a minimum, maintain to protect the security of Personal Data created, collected, received, or otherwise obtained under the Agreement.
In the event of any conflict or inconsistency between the provisions of the DPA and these Security Obligations, these Security Obligations shall prevail.
Section 1: Definitions
For the purposes hereof:
“Agreement” means the agreement (including all annexes, appendices and amendments) to which these Information Security Conditions are attached.
“GDPR“ means the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Beneficiary Information” means all information, data, records, software, hardware, equipment, media and Personal Data provided or made accessible by the Beneficiary, by any Beneficiary personnel or agents or by a third party to the Supplier pursuant to the Agreement.
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Special Categories of Personal Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; genetic data, biometric data processed for the purpose of uniquely identifying a natural person; data concerning health or data concerning a natural person’s sex life or sexual orientation.
“Data Privacy” means the protection of Personal Data, especially from unauthorized access, use, processing, or misappropriation.
“Security Obligations” means those processes, technical and organizational measures designed to protect data, including Beneficiary Information, against accidental or unauthorized destruction or accidental loss, alteration, unauthorized disclosures, or access and against all other unauthorized forms of processing as set out in this document.
“Supplier” means an entity that provides a service which processes or hosts data, including Beneficiary Information, on behalf of Beneficiary. When Personal Data is processed, the Supplier is the Data Processor ((data) processor as defined by GDPR or other applicable law).
“Subcontractor/Consultant” means any supplier engaged by the Supplier to assist in the processing or hosting of data, including Beneficiary Information (e.g., a data sub-processor).
Section 2: Risk Assessment and Treatment
General: To undertake regular information risk management for key aspects of the service in a rigorous and consistent manner using a structured methodology.
The Supplier will:
- Be responsible for identifying security risks, including risks in the Supplier’s business as well as risks identified by the Supplier in its own supply chain relating to the assignment/service performed for Beneficiary, and taking necessary actions to control and mitigate such risks.
- Be responsible for determining and assessing cross-border/multi-jurisdictional legislative and regulatory requirements, including those relating to privacy, data protection, encryption export and data breach notification.
Section 3: Security and Data Privacy Policies
General: Develop and distribute comprehensive and approved Information Security and Data Privacy Policies to all individuals with access to Beneficiary Information and systems related to this Agreement.
The Supplier will:
- Implement best practice in relation to information security and Data Privacy.
- Possess formal policies for information security and Data Privacy which are approved by management, available to all employees and any associated external parties.
- Undertake general security and Data Privacy awareness training as part of its information security and Data Privacy program.
Section 4: Organization of Information Security
General: Provide a top-down management structure and mechanism for coordinating security activities and supporting the Information Security and Data Privacy program/approach.
The Supplier will:
- Clearly define information security and Data Privacy responsibilities within the Supplier’s organization.
- Have the requisite information security and Data Privacy expertise to implement the security measures set forth in these Security Obligations. Such resource(s) shall cooperate with the security staff of Beneficiary as necessary.
- Duly inform Beneficiary in advance of any changes in its major subcontractors, such as hosting services.
Unless otherwise follows from the Agreement, the Supplier’s use of Subcontractors requires Beneficiary’s prior written consent.
Section 5: Asset Management and Confidentiality Controls
General: Document and agree confidentiality obligations for information associated with the Agreement and determine appropriate level of protection that should be applied to prevent any unauthorized disclosure.
- Any obligations for confidentiality or nondisclosure agreements are identified, met, and regularly reviewed.
The Supplier will:
- Not disclose or use any Beneficiary Information which may be considered as business or professional secrets, except to the extent necessary for the performance of its assignment under the Agreement and with acceptance of the Beneficiary.
- Collect, process, store or otherwise handle any Beneficiary Information for the sole purpose of fulfilling its obligations under the Agreement. Accordingly, the Supplier will not sell, share, or otherwise transfer or disclose any Beneficiary Information to any third party, without the prior written consent from the Beneficiary.
- Not collect, process, store or otherwise handle Special Categories of Personal Data, unless expressly required to by the Agreement with the Beneficiary.
- Act diligently when handling Beneficiary Information.
- Ensure the security, integrity and consistency of Beneficiary Information handled by the Supplier whether hardcopy or electronic.
- Not copy or reproduce Beneficiary Information on data files, hard-copy or other tangible media in such a way that allows for unauthorized removal of owner’s information or classification.
- Return or destroy, as requested by Beneficiary, all Beneficiary Information related to the Agreement immediately after the Agreement has expired or been terminated, unless the Supplier must retain Beneficiary Information for legal or regulatory reasons, in which case the following bullet applies. If the Beneficiary Information has been encrypted, the Supplier will hand over all encryption keys necessary to decrypt it. If return is impossible but destruction is possible, the Supplier will have a process in place for the secure destruction of media containing Beneficiary Information, e.g., shredding of paper documents or physical destruction (media sanitization) of hard drives.
- Store securely any Beneficiary Information that needs to be retained for legal or regulatory reasons (survival of obligations, e.g., data retention) for as long as is legally or regulatorily required, and use it only for the purposes thus required.
- Have policies controlling the retention of back-up copies.
Section 6: Human Resources Security
General: Ensure staff behave in a manner that supports the Information Security and Data Privacy policy and strategy and that adequate protection is provided in the handling of any Personal Data.
The Supplier will:
- Ensure that any and all Beneficiary Information is only made available to personnel, Subcontractors and consultants who have a legitimate business need to access the Beneficiary Information.
- Ensure all Supplier personnel, Subcontractors and consultants are given adequate training and clear instructions to meet the needs of providing the agreed services to Beneficiary, in particular for the scope of any processing of Personal Data.
- Ensure that those of its personnel, Subcontractors and consultants performing tasks for Beneficiary are aware of the Supplier’s confidentiality obligations under the Agreement as well as the accepted use of Beneficiary Information, facilities and systems and have signed appropriate agreements.
- Release Beneficiary Information only to authorized persons.
- Have effective and measured disciplinary action against individuals who access Personal Data without authorization.
- Be able to certify and attest at any given time the names and contact information (such as telephone number and e-mail address) of all of its employees, consultants, Subcontractors and other individuals working under the Supplier’s responsibility who are performing services under the Agreement. This information may only be used by Beneficiary in audit situations as a reference to verify the validity of issued access rights to IT systems or premises of Beneficiary.
- Keep an updated list of system administrators’ identification details (e.g., name, surname, function, or organizational area) and assigned tasks, and provide it promptly to Beneficiary upon request in case of an audit.
- Inform Beneficiary without undue delay about any changes regarding its key personnel who work on the assignment or are part of the Agreement, including those who function as contact persons for Beneficiary.
- Allow Beneficiary to transfer parts of the Supplier’s personnel information to a third party if that party hosts a service on behalf of Beneficiary to which the Supplier needs access.
- Agree that Beneficiary is entitled to request and receive individual commitments from the Supplier’s employees, consultants, Subcontractors, and other representatives, stating that the individual in question has understood and will comply with certain obligations and accepted use of systems and facilities.
Section 7: Physical and Environment Security
General: Protect IT facilities, equipment and services against malicious attack, accidental damage, natural hazards and unauthorized physical access, thus ensuring that critical equipment is available when required and preventing important services from being disrupted by loss of, or damage to, equipment or facilities.
Supplier’s Premises
The Supplier will:
- Adhere to all applicable laws and regulations, including but not limited to Data Privacy laws and regulations, and ensure that any required approvals are obtained from the relevant authorities when carrying out its assignment under the Agreement.
- Adhere to the following provisions to secure Beneficiary Information or assets that are processed or stored on the premises of the Supplier, of the Supplier’s Subcontractor and/or consultant:
- Ensure any data center hosting Beneficiary Information, applications and infrastructure has appropriate physical and environmental protection in place, as set forth by applicable legislation, regulations and industry best practice.
- Have adequate perimeter and entry controls in line with standards and local regulations to ensure that only authorized personnel are allowed access.
- Prevent unauthorized persons from gaining access to the data processing equipment where Beneficiary Information is processed or used by:
- Protecting and restricting access paths.
- Establishing access authorization procedures for employees and third parties, including the respective documentation.
- Logging and monitoring all access to the data centers where Beneficiary Information is hosted.
- Establishing security areas in data centers (e.g., for telephones and personal computers).
- Regulating and restricting the issue and use of cardkeys.
- Issuing authentication credentials that are individual and not shared.
- Ensuring that entries to data processing facilities (the rooms housing the computer hardware and related equipment) can be locked.
- Securing the data centers where Beneficiary Information is hosted with a security alarm system and other appropriate security measures.
- Ensure any Beneficiary Information is protected from theft, manipulation, or destruction.
Beneficiary’s Premises
The Supplier will (if applicable):
- Ensure that all employees and Subcontractors be aware of and comply with Beneficiary safety and security arrangements whilst performing work on Beneficiary’s premises. The Supplier is responsible to inform itself, its employees and its Subcontractors of the safety and security regulations applicable on Beneficiary’s premises from time to time.
- Ensure admission to Beneficiary’s premises and property is subject to the specific rules:
- Local regulations for Beneficiary’s premises shall be observed when the Supplier performs services under the Agreement.
- When working within Beneficiary’s premises, Supplier personnel shall carry an ID card or a visitor’s badge, visible at all times.
- Application procedures and responsibility conditions for admission to Beneficiary’s premises are stipulated by Beneficiary and are to be handled according to Beneficiary’s procedures if no other arrangements are specifically agreed.
- After completing its assignment under the Agreement, or when the Supplier’s personnel are transferred to other tasks, the Supplier will without delay inform Beneficiary of the change, and return, or change the distribution of, keys, key cards, certificates, visitor’s badges, and any other material handed out.
- Loss of Beneficiary keys or key cards shall be reported without delay to Beneficiary according to the instructions defined in the Agreement, or, if not specifically agreed, according to Beneficiary general access rights procedures.
- In the event of the Supplier’s noncompliance with the Agreement, Beneficiary is entitled to deny, with immediate effect, access to Beneficiary’s premises and to request all keys, key cards, etc., handed out to be returned without undue delay.
Section 8: Communications and Operations Management
General: Protect critical and sensitive Beneficiary Information when being handled by the Supplier or when being transmitted between Beneficiary and Suppliers.
The Supplier will:
- Have appropriate information security protection and Data Privacy in place for all locations processing Beneficiary Information, as set forth by applicable legislation, regulations, and industry best practice. This includes but is not limited to: security administration routines, access control, malware protection, incident detection, log management, vulnerability scanning, penetration testing, disaster recovery, key management, network security management, state-of-the-art firewalls, and physical protection of IT-resources.
- Implement suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by:
- Individual appointment of system administrators.
- Adoption of suitable measures to record system administrators’ access logs and keep them secure, accurate and unmodified for at least six months.
- For system administrators with potential access to highly critical Beneficiary Information, including Special Categories of Personal Data, performance of bimonthly audits of the administrators’ activities to assess compliance with assigned tasks, the instructions received from Beneficiary or Beneficiary’s deputy, and applicable laws.
- Keep Beneficiary Information classified by Beneficiary as strictly confidential including Special Categories of Personal Data strongly encrypted by means of state-of-the-art encryption when in transit and at rest.
- Not provide any services or software harmful to the handling of Beneficiary Information or system(s).
- Possess a formal and well-defined change management process including security patch management, that as a minimum contains a formal “Request for Change” (RFC) procedure, a structured method of testing changes before moving them into production, a formal approval procedure for proposed changes, communication of change to all relevant persons and stakeholders and a defined set of procedures to recover from unsuccessful changes and unforeseen events.
- Perform data communication of Beneficiary Information in a secure manner (e.g., by using end-to-end strong encryption during transmission or by using communication links trusted by Beneficiary). Any exception from this rule requires Beneficiary’s written consent.
- Avoid storing Beneficiary Information on mobile storage media for transportation purposes, or on laptops or other mobile devices; where this cannot be avoided, protect the stored information with strong encryption.
- As far as possible, all transmissions of data, including Beneficiary Information, are logged to allow monitoring.
- Allow access to Beneficiary Information purely to the Supplier’s personnel who are responsible for the assignment. If any of the Supplier’s personnel gets unauthorized access to Beneficiary Information, this shall promptly be reported to Beneficiary.
- Ensure that storage of Beneficiary Information is adequately segregated to avoid any accidental mixing with other customers’ data on all media types, and that the service provides for resilience; this also applies to back-ups. Furthermore, the Supplier shall implement suitable measures to ensure that Personal Data collected for different purposes can be processed separately. This is accomplished by:
- Access to Personal Data is separated through application security for the appropriate users.
- Modules within the Supplier’s database separate which Personal Data is used for which purpose (i.e., by functionality and function).
- At the database level, Personal Data is stored in different normalized tables, separated per module, or function they support.
- Ensure interfaces, batch processes and reports are designed for only specific purposes and functions, so that Personal Data collected for specific purposes is processed separately.
- Ensure that back-ups of the Beneficiary Information processed on behalf of Beneficiary are taken and such back-ups are restorable when the Beneficiary Information is handled in the Supplier’s environment.
- Ensure back-up copies shall be handled with the same confidentiality as the original Beneficiary Information.
- Ensure back-up copies shall be stored separately from the original Beneficiary Information to prevent possible simultaneous destruction of both the original data and the back-up copy in a disaster situation.
- Ensure daily back-ups shall be retained for a minimum of 180 days if not specifically stipulated by the Agreement.
- Ensure systems and networks operated by the Supplier and related to its assignment under the Agreement are configured in a consistent, accurate manner with approved security settings applied to ensure that systems and networks function as intended, are available when required and do not reveal unnecessary technical details.
- Ensure that the environment used for functions specified in the Agreement is monitored in such a way to provide for the detection and traceability of any events violating Beneficiary Information and/or IT security.
- Maintain the necessary audit trails as required by applicable law or as otherwise stated in the Agreement.
- On request by Beneficiary, provide audit trails and security event logs affecting Beneficiary Information.
Section 9: Access Control
General: Ensure that only authorized individuals gain access to business applications, information systems, networks and computing devices; ensure individual accountability; and provide authorized users with access privileges that are sufficient to enable them to perform their duties but do not permit them to exceed their authority.
Authentication
The Supplier will:
- Access Beneficiary Information, functions, or premises only to the extent outlined in the obligations specifically agreed in writing between Beneficiary and the Supplier and following the requisite approval.
- Ensure a strong password policy applies to all IT services used as part of this Agreement.
- Require two-factor authentication for remote access by IT administrators and by every user accessing Beneficiary Information.
- Automatically suspend access rights after several failed login attempts, or present a CAPTCHA after a few failed login attempts.
- Log successful and unsuccessful login attempts and make these logs available for monitoring and tracking.
- Automatically log out user IDs that have been inactive for a substantial period.
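The following is an added illustration, not text or code from the Security Obligations, of how the lockout, attempt-logging and idle-logout requirements above fit together in one authentication front end. The thresholds (five failures, a 15-minute suspension, a 30-minute idle timeout), the user name, the source address and the password-hashing parameters are assumptions chosen for the example; the obligations only say "several" and "substantial". Unknown users are verified against a dummy hash so that response time does not reveal which user names exist.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Illustrative thresholds (assumptions; the obligations only say "several" and "substantial"):
MAX_FAILURES = 5             # consecutive failures before the account is suspended
LOCKOUT_SECONDS = 15 * 60    # suspension period
IDLE_TIMEOUT = 30 * 60       # idle time after which a session is logged out
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


_DUMMY_SALT, _DUMMY_HASH = hash_password("dummy")  # verified against for unknown users


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class LoginGuard:
    users: dict                                   # user -> (salt, pbkdf2 hash)
    accounts: dict = field(default_factory=dict)  # user -> AccountState
    sessions: dict = field(default_factory=dict)  # session id -> (user, last seen)
    log: list = field(default_factory=list)       # every attempt, for monitoring

    def _record(self, user, outcome, now, src):
        self.log.append({"ts": now, "user": user, "src": src, "outcome": outcome})

    def attempt(self, user, password, src, now=None):
        """Return a session id on success, None on failure or while locked out."""
        now = time.time() if now is None else now
        state = self.accounts.setdefault(user, AccountState())
        if now < state.locked_until:
            self._record(user, "rejected_locked", now, src)
            return None
        # Always run the password hash, even for unknown users, to keep timing uniform.
        salt, digest = self.users.get(user, (_DUMMY_SALT, _DUMMY_HASH))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        ok = user in self.users and hmac.compare_digest(candidate, digest)
        if not ok:
            state.failures += 1
            if state.failures >= MAX_FAILURES:
                state.locked_until = now + LOCKOUT_SECONDS
                state.failures = 0
                self._record(user, "failure_locked", now, src)
            else:
                self._record(user, "failure", now, src)
            return None
        state.failures = 0
        sid = secrets.token_hex(16)
        self.sessions[sid] = (user, now)
        self._record(user, "success", now, src)
        return sid

    def touch(self, sid, now):
        """Return the session's user, or None (and log the logout) if it has gone idle."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > IDLE_TIMEOUT:
            del self.sessions[sid]
            self._record(user, "session_expired", now, None)
            return None
        self.sessions[sid] = (user, now)
        return user


def demo():
    """Constructed scenario: five bad passwords, a correct password rejected during
    lockout, a successful login after the lockout expires, then an idle session timing out."""
    guard = LoginGuard(users={"alice": hash_password("correct horse battery staple")})
    t0 = 1_700_000_000.0
    for i in range(MAX_FAILURES):
        guard.attempt("alice", "wrong", "203.0.113.7", now=t0 + i)
    during_lockout = guard.attempt("alice", "correct horse battery staple", "203.0.113.7", now=t0 + 10)
    t1 = t0 + LOCKOUT_SECONDS + 11
    sid = guard.attempt("alice", "correct horse battery staple", "203.0.113.7", now=t1)
    after_idle = guard.touch(sid, now=t1 + IDLE_TIMEOUT + 1)
    return during_lockout, sid, after_idle, [e["outcome"] for e in guard.log]
```

The `log` list is what the "make these logs available for monitoring" bullet refers to: every attempt, including those rejected during lockout and the idle logout, is written with a timestamp, user and source, so an auditor can reconstruct the sequence without relying on application debug output.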
Authorization
The Supplier will:
- Have an authorization policy for access and the input of Beneficiary Information into the services, as well as for the reading, alteration, and deletion of stored Beneficiary Information.
- Ensure that access to specific functions is based on roles and/or attributes assigned individually to each user account.
User Administration for the Supplier’s IT Resources
The Supplier will:
- Ensure the extent of access is always based on the principle of least privilege.
- Maintain records of each change in its access rights and retain such records for at least 18 months from the day the access right was changed.
- Provide upon request an up-to-date list of all individuals that have access to Beneficiary Information or functionality and which access rights are controlled by the Supplier.
- Possess a documented procedure and ensure that all access to Beneficiary Information or functionality is controlled on an individual basis and that all activities are logged according to applicable law and industry best practice.
- Have event logs related to user administration of access to Beneficiary Information available for Beneficiary.
- Ensure all access rights related to Beneficiary Information or functionality are reviewed at least every six months.
- Ensure all user IDs are personal and used only by the appointed individual.
- Possess a procedure for controlling administrator access rights.
- Be responsible for ensuring that any access to IT resources utilized under the Agreement is conducted in a secure manner.
- Allow Beneficiary at any point in time, to revoke or initiate revocation of access rights to Beneficiary Information in the event where the Supplier is not compliant with these Security Obligations or with the Agreement or for any other legitimate reason.
User Administration for Beneficiary’s IT resources
- Access rights to Beneficiary IT resources shall only be granted to those of the Supplier’s personnel assigned for the services as specified in the Agreement.
- Access rights to Beneficiary IT resources are granted and revoked for the Supplier’s personnel according to Beneficiary procedures.
- The methods to be used for remote access to Beneficiary environment shall be specified in the Agreement. No other form of remote access to Beneficiary equipment or services is allowed.
Specific Application Controls related to Personal Data
The Supplier shall ensure correct access to Personal Data by:
- Protective measures for the Personal Data input into applications, as well as for the reading, alteration, and deletion of stored Personal Data.
- Implementing suitable measures to ensure that it is possible to check and establish whether and by whom Personal Data have been input into data processing systems or removed.
- Providing monitoring capability in respect of individuals who delete, add or modify the Personal Data.
- Enabling Beneficiary to check and establish whether and by whom Personal Data have been input into, modified in or deleted from the data processing systems.
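As an added example that is not part of the Security Obligations text, the following shows one way to record who input, modified or deleted Personal Data so that the trail can be checked afterwards (the four bullets above) and so that later edits to the trail itself are detectable, which is what the Section 8 requirement to keep administrator logs "secure, accurate and unmodified" needs in practice. Each entry carries the hash of its predecessor, so changing any field breaks the chain. The record and actor names, field names and timestamps are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64


def _digest(body):
    # Canonical JSON (sorted keys) so the same event always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only, hash-chained record of changes to Personal Data."""

    def __init__(self):
        self.entries = []

    def record(self, ts, actor, action, record_id, field, old, new):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": ts, "actor": actor, "action": action, "record": record_id,
                "field": field, "old": old, "new": new, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def head(self):
        # Hash of the latest entry. Keep a copy out of band (signed, or on write-once
        # storage): the chain alone detects edits in the middle, but someone who can
        # rewrite the whole file could recompute every hash unless the head is pinned.
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self):
        """Return None if the chain is intact, otherwise the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def history(self, record_id):
        """Who input, modified or deleted a given record, in order."""
        return [(e["ts"], e["actor"], e["action"], e["field"], e["old"], e["new"])
                for e in self.entries if e["record"] == record_id]

    def by_actor(self, actor):
        return [e for e in self.entries if e["actor"] == actor]


def demo():
    trail = AuditTrail()
    # Constructed sample events for one customer record.
    trail.record("2024-03-01T09:00:00Z", "ops-j.doe", "create", "cust-1001", "email", None, "a@example.com")
    trail.record("2024-03-02T10:15:00Z", "ops-j.doe", "update", "cust-1001", "email", "a@example.com", "b@example.com")
    trail.record("2024-03-03T11:00:00Z", "svc-batch", "delete", "cust-1001", "email", "b@example.com", None)
    intact = trail.verify()
    head = trail.head()
    doe_changes = len(trail.by_actor("ops-j.doe"))
    history = trail.history("cust-1001")
    # After-the-fact tampering: someone rewrites who made the second change.
    trail.entries[1]["actor"] = "svc-batch"
    tampered_at = trail.verify()
    return intact, tampered_at, doe_changes, history, head
```

`verify()` answers the auditor's question ("is this log the one that was written?") and `history()` answers the data subject's ("who changed my record?"); both only hold up if the head hash is anchored somewhere the log writer cannot modify.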
Section 10: Information Systems Acquisition, Development and Maintenance
General: Ensure Information Security Obligations are treated as an integral part of business obligations, fully considered and approved as part of Systems acquisition, development and maintenance activities.
The Supplier will:
- Use a structured and approved system development methodology to build required information security and Data Privacy functionalities into systems during development.
- Request and use Beneficiary’s approved system development methodology where systems or applications are developed directly for Beneficiary.
- Ensure that appropriate controls are designed into applications used for the delivery of IT related services to Beneficiary including own developed applications to ensure correct processing. These controls shall include authentication, session management, access control and authorization, input validation, output encoding/escaping, cryptography, error handling, logging, data protection, communication security, and security configuration.
- Use suitable encryption techniques for protection of Beneficiary Information classified as confidential and strictly confidential (where encryption cannot be implemented, appropriate compensating controls must be implemented to reduce the risk of unauthorized disclosure).
- Be responsible for ensuring encryption key management is in place to support authorized encryption techniques to be applied.
- Support the use of cryptography with procedures and protocols for generation, change, revocation, destruction, distribution, certification, storage, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorized disclosure.
- Ensure that changes to existing systems follow a formal process of documentation, specification, testing, quality control and managed implementation.
- Ensure that verification testing is performed whenever major changes to the application take place and that such verification testing also includes security testing of the application.
- Ensure that when using live information from a production environment for test purposes in connection with system development, the information shall be made non-identifiable (i.e., impossible to be associated with an individual or user) if possible. Making Personal Data non-identifiable shall be a one-way process, i.e., it shall not be possible to generate the original Personal Data by any means from Personal Data made non-identifiable. If non-identifiable test information cannot be used, instructions issued by Beneficiary shall be followed in the processing of the test information. Obtaining information for test purposes from a production environment always requires Beneficiary prior written consent.
- If required by Beneficiary prior to signing of the Agreement, guarantee Beneficiary access to any source code developed or maintained as a delivery or result under the Agreement through an escrow arrangement with a trusted external party (e.g., a law firm or a chamber of commerce).
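The test-data bullet above requires that production data used for testing be made non-identifiable by a one-way process. The following added example (not code from the Security Obligations or from any Supplier) shows the distinction that matters: join keys are replaced with HMAC-SHA256 pseudonyms under a key generated for the run and never stored, so rows still join across tables but nothing in the output links back to a person; direct identifiers and free text are dropped rather than hashed (a plain hash of an e-mail address or customer number is reversible by guessing); and a quasi-identifier is generalized. The table names, field names and rows are a constructed extract.

```python
import hashlib
import hmac
import json
import secrets

# Assumptions about the constructed schema (not from the obligations text):
JOIN_KEYS = {"customer_id"}                        # must stay consistent across tables
DROP_FIELDS = {"name", "email", "phone", "notes"}  # direct identifiers and free text: removed
GENERALIZE = {"birth_date": lambda v: v[:4]}       # quasi-identifier: keep the year only


def deidentify(tables, key=None):
    """Return a de-identified copy of {table_name: [rows]}.

    Join keys become HMAC-SHA256 pseudonyms under a per-run key that is generated
    here and not persisted, so the output cannot be linked back to production
    identifiers. Keeping the key, or hashing a guessable identifier without one,
    would make the process reversible and defeat the one-way requirement.
    """
    key = secrets.token_bytes(32) if key is None else key

    def pseudonym(value):
        return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]

    out = {}
    for name, rows in tables.items():
        out[name] = []
        for row in rows:
            new = {}
            for field, value in row.items():
                if field in JOIN_KEYS:
                    new[field] = pseudonym(value)
                elif field in DROP_FIELDS:
                    new[field] = None
                elif field in GENERALIZE:
                    new[field] = GENERALIZE[field](value)
                else:
                    new[field] = value    # non-identifying business data kept as-is
            out[name].append(new)
    return out


def leaks(original, deidentified):
    """Identifier values from the original that still appear anywhere in the output."""
    blob = json.dumps(deidentified)
    found = set()
    for rows in original.values():
        for row in rows:
            for field in JOIN_KEYS | DROP_FIELDS:
                value = row.get(field)
                if value and str(value) in blob:
                    found.add(value)
    return found


# Constructed production-like extract.
PROD = {
    "customers": [
        {"customer_id": "cust-1001", "name": "Ada Example", "email": "ada@example.com",
         "phone": "+46 70 000 0000", "birth_date": "1987-06-14", "segment": "retail"},
    ],
    "orders": [
        {"order_id": 9001, "customer_id": "cust-1001", "amount": 129.0, "notes": "call Ada re: delivery"},
        {"order_id": 9002, "customer_id": "cust-1001", "amount": 42.5, "notes": None},
    ],
}


def demo():
    test_data = deidentify(PROD)
    joinable = all(o["customer_id"] == test_data["customers"][0]["customer_id"]
                   for o in test_data["orders"])
    other_run = deidentify(PROD)   # a fresh key gives unrelated pseudonyms
    stable_across_runs = (other_run["customers"][0]["customer_id"]
                          == test_data["customers"][0]["customer_id"])
    return test_data, joinable, leaks(PROD, test_data), stable_across_runs
```

`leaks()` is the check a reviewer would run before a production extract leaves the controlled environment: it searches the serialized output for every original identifier value. The `stable_across_runs` result being false is the point of discarding the key; if stable pseudonyms across refreshes are needed, the key becomes a secret to be managed under Section 10's key-management bullets, and the output is pseudonymized rather than anonymized data, which still requires Beneficiary's instructions.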
Section 11: Information Security Incident Management
General: Identify and resolve security incidents quickly and effectively, minimize their impacts and reduce the risk of similar incidents occurring in future.
The Supplier will:
- Provide Beneficiary with information on security incidents affecting Beneficiary Information.
- Record any detected security incident, alongside the followed data recovery procedures, and the identification of the person who carried them out.
- Without undue delay report any serious incidents including fraud that may include or affect Beneficiary or its employees, customers, or business partners. The Supplier will in consultation with Beneficiary take all necessary steps to mitigate the possible harm such incidents may cause.
- Cooperate with Beneficiary in the handling of any such incident as described in the above paragraph and give Beneficiary the full insight of the cause and consequences of the incident.
- Deliver a written report stating the cause of the incident, the consequences of the incident and the steps taken to avoid similar events.
- Without undue delay, report any request to access any Beneficiary Information, including Personal Data, from any third person, including any government official or data supervisory authority.
- Provide assistance and reasonable support to Beneficiary in the event of legal action which involves or requires Beneficiary Information (e.g., e-discovery requests or forensic investigations).
Section 12: Business Continuity Management
General: Preparedness for disturbances under normal circumstances and for states of emergency. Help align business continuity goals to provide resilience against disruption and minimize impact to Beneficiary in the event of a disaster or emergency.
The Supplier will:
- Ensure its ability to continue operations and the sufficiency of its resources in the event of disturbances under normal circumstances and for states of emergency.
- Develop continuity arrangements, including business continuity planning, as appropriate in relation to the Agreement and according to security best practices.
- Conduct risk assessments to identify any events with a potential to interrupt business processes and to a reasonable extent establish thorough continuity arrangements to mitigate the effects of such events.
- Mitigate any substantial risk of dependency of key personnel (e.g., through knowledge transfer to other personnel) to ensure continuity.
- Regularly test measures securing the delivery of services where such measures are put in place.
- Ensure that a test schedule exists which details how and when each element of the continuity arrangements shall be and has been tested. Evidence from performed tests shall be kept by the Supplier and made available to Beneficiary upon request, demonstrating that operations/services can resume within the agreed time frames.
- Ensure that continuity arrangements relating to any additional Subcontractors exist as specified in the continuity plan.
Section 13: Compliance
General: To manage a compliance program designed to provide assurance as to the effectiveness of the controls as defined in the Agreement.
The Supplier will:
- Ensure all Supplier employees as well as Subcontractors and consultants, and their employees, comply with these Security Obligations and any additional Security Obligations set forth in the Agreement.
- Provide Beneficiary with an annual compliance notification in relation to these Security Obligations, including any incidents that have occurred and any resulting risks to Beneficiary Information.
- Agree that, if the Supplier is not in compliance with these Security Obligations, or any additional Security Obligations set forth in the Agreement, and such non-compliance is not resolved within 30 days after receipt of a written notice, Beneficiary may, without penalty and upon further notice to the Supplier, partially or entirely terminate the Agreement or any purchase order issued thereunder.
- Allow Beneficiary to perform audits to verify the Supplier’s conformity with these Security Obligations and any additional Security Obligations set forth in the Agreement, including through the appointment of an independent third party.
- As an alternative to such audits, the Supplier may demonstrate compliance with these Security Obligations by providing independent third-party audit reports to Beneficiary.
- Maintain processes for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures set out in these Security Obligations for ensuring the security of the processing of Beneficiary Information.