
Vendor Security Measures

Security Measures for Suppliers

The Supplier has implemented and shall maintain the following technical and organizational measures, or it shall provide a level of protection at least equivalent to the following measures (note that measures are grouped under logical headings; some measures could fall under multiple headings but are listed only once to avoid unnecessary duplication):

Measures of pseudonymization and encryption of personal data

  • Personal Data stored on Supplier’s network are encrypted using the recommended AES-256 algorithm. If a particular application does not support 256-bit keys, then 128-bit keys may be used as a documented exception. If a particular application cannot use encryption for performance reasons, it should run in an isolated environment that protects the information in the absence of that control.
  • Employee laptops are encrypted using full disk AES-256 encryption.
  • Supplier shall require that all portable media, including but not limited to, laptops, smart phones, tablets, and USB drives that contain Personal Data shall be encrypted using AES-256 encryption.
  • HTTPS encryption on every web login interface, using industry standard algorithms and certificates.
  • Secure transmission of credentials using TLS 1.2 by default.
  • Access to operational environments requires use of secure protocols such as HTTPS.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

  • Controls to prevent removal of Personal Data from Supplier’s business computers or premises for any reason (unless Company has specifically authorized such removal for business purposes).
  • Implementing intrusion detection and data loss prevention programs.
  • Controls to use only business equipment that is authorized by Supplier to perform the services.
  • Controls to ensure that whenever a staff member leaves his/her desk unattended during the day and prior to leaving the office at the end of the day, he/she places materials containing Personal Data in a safe and secure environment such as a locked desk drawer, filing cabinet, or other secured storage space (clean desk).
  • Implementing processes for the secure disposal of documents or data carriers containing Personal Data.
  • Implementing network firewalls to prevent unauthorized access to systems and services.
  • Virtual Private Network (VPN) for access to production resources.
  • Strong access controls based on the use of the 'Principle of Least Privilege'.
  • Differentiated rights system based on security groups and access control lists.
  • Segregation of responsibilities and duties to reduce opportunities for unauthorized or unintentional modification or misuse.
  • Confidentiality requirements imposed on employees.
  • Mandatory security training for employees, which covers data privacy and governance, data protection, confidentiality, social engineering, password policies, and overall security responsibilities.
  • Non-disclosure agreements with third parties.
  • Separation of networks based on trust levels.
  • Authorization requests and provisioning are logged, tracked, and audited.
  • Customer-generated OAuth tokens are stored in an encrypted state.
  • Keys required for decryption are stored in a secure, managed repository (such as AWS KMS) that employs industry-leading hardware security modules that meet or exceed applicable regulatory and compliance obligations.
  • Access keys used by production applications (e.g., AWS Access Keys) are accessible only to authorized personnel. They are rotated (changed) as required (e.g., pursuant to a security advisory or personnel departure) and at least yearly.
  • User activity in operational environments including access, modification or deletion of data is being logged.
  • Web Application Firewall (WAF), in addition to the network-based firewalls.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

  • Arrangements to create back-up copies stored in specially protected environments.
  • Arrangements to perform regular restore tests from those backups.
  • Contingency plans, business continuity strategies and disaster recovery plans.
  • Recovery Time Objective (RTO) of 8 hours.
  • Recovery Point Objective (RPO) of 24 hours.

Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of the processing

  • Performing an annual assessment of Supplier’s vulnerabilities (including penetration testing).
  • Ensuring that each system used to Process Personal Data runs an up-to-date antivirus solution and malware detection program that protects Supplier’s network as well as all devices that have access to Supplier’s network.
  • Implementing a process to log all access to systems and review those logs for Security Incidents.

Measures for user identification and authorisation

  • Ensuring that all systems Processing Personal Data (including remote access) are password protected after boot sequences and whenever left unattended, even for a short period, to prevent unauthorized persons from accessing any Personal Data.
  • Providing dedicated user IDs for authentication against systems and user management for every individual.
  • Assigning individual user passwords for authentication.
  • Ensuring that access control is supported by an authentication system.
  • Implementing a password policy that prohibits the sharing of passwords, outlines processes after a disclosure of a password and requires the regular change of passwords.
  • Ensuring that passwords are always protected in encrypted form, both in transit and at rest.
  • Implementing a proper procedure to deactivate a user account when a user leaves the company or function.
  • Implementing a proper process to adjust administrator permissions when an administrator leaves the company or function.
  • Establishing protocols for the temporary removal of a user’s access privileges following repeated attempts to log onto the Supplier’s network or any system or device using incorrect access credentials.
  • Employees are granted only the amount of access necessary to perform their job functions.
  • Unique accounts and role-based access within operational and corporate environments.
  • Access to systems restricted by security groups and access-control lists.
  • Authorization requests are tracked, logged, and audited on a regular basis.
  • Enforcement of Multi-factor Authentication (MFA) for access to critical and production resources.
  • Strong and complex passwords required. Initial passwords must be changed after the first login.
  • Network segmentation and interconnections protected by firewalls.
  • Account provisioning and de-provisioning processes.

Measures for the protection of Data during transmission

  • Transporting physical media containing Personal Data in sealed containers.
  • Maintaining shipping and delivery notes.
  • Remote access to the network via VPN tunnel and end-to-end encryption.

Measures for the protection of Data during storage

  • In certain vendor instances, stored data is logically separated, and attempts to access data outside allowed domain boundaries are prevented and logged. Measures are in place to ensure that executable uploads, code, or unauthorized actors are not permitted to access data, including one customer accessing files of another customer.
  • Endpoint security software.
  • System inputs recorded via log files.
  • Access Control Lists (ACL).
  • Multi-factor Authentication (MFA).
  • Restricted access to files and programs based on the "Principle of Least Privilege".
  • Storing physical media containing Personal Data in secured areas.

Measures for ensuring physical security of locations at which personal data are processed

  • Physical access to all restricted facilities is documented and managed.
  • Controls to specify authorized individuals permitted to access Personal Data.
  • Implementation of an access control process to avoid unauthorized access to the Supplier’s premises.
  • Use of video surveillance and alarm devices with reference to access areas.
  • Ensuring that personnel without access authorization (e.g., technicians, cleaning personnel) are accompanied at all times when accessing areas where Personal Data is Processed.
  • All information resource facilities (e.g., data centers/rooms where data servers are located) are physically protected in proportion to the criticality or importance of their function.
  • Access to information resource facilities is granted only to company personnel and contractors whose job responsibilities require access to those facilities.
  • The process for granting card and/or key access to information resource facilities includes the approval of the person responsible for physical facility management. Access cards and/or keys must not be shared or loaned to others.
  • Access cards and/or keys that are no longer required are returned to the person responsible for physical facility management. Cards must not be reallocated to another individual, bypassing the return process.
  • Lost or stolen access cards and/or keys must be reported to the person responsible for physical facility management as soon as practical.
  • Cards and/or keys must not have identifying information coded into them.
  • All information resource facilities that allow access to visitors track visitor access with a sign-in log.
  • Card access records and visitor logs for information resource facilities are kept for routine review based upon the criticality of the information resources being protected.
  • The person responsible for information resource physical facility management removes the card and/or key access rights of individuals that change roles within the organization or are separated from their relationship with the organization.
  • Visitors in card access-controlled areas of information resource facilities must always be accompanied by authorized personnel.
  • The person responsible for physical facility management reviews access records and visitor logs for the facility on a periodic basis and investigates any unusual access.
  • Signage for restricted-access rooms and locations is practical, yet displays only minimally discernible evidence of the importance of the location.
  • Only individuals authorized by asset owners are permitted to move assets off-site. Details of the individual’s identity and role are documented and returned with the asset.
  • Equipment is protected to reduce the risks from environmental threats, hazards, and opportunities for unauthorized access.

Measures for ensuring events logging

  • Implementing a process to log all access to systems and review those logs for Security Incidents.
  • Remote logging.
  • A central Security Information and Event Management (SIEM) system and other product tools monitor security events and activities.
  • All logs can be accessed only by authorized employees and access controls are in place to prevent unauthorized access.
  • Write access to logging data is strictly prohibited. Logging facilities and log information are protected, and interconnections protected by firewalls.
  • Event reports are enabled and can be periodically downloaded.
  • User activity, including logins, configuration changes, deletions and updates, is written automatically to audit logs in operational systems.

Measures for ensuring system configuration, including default configuration

  • Controls to prevent use/installation of unauthorized hardware and/or software.
  • A Change Management Policy is in place.
  • Changes to in-scope systems are monitored to ensure that changes follow the process and to mitigate the risk of undetected changes to production. Changes are tracked in the change platform.
  • Access Control Policy and Procedures.
  • Mobile device management.

Measures for internal IT and IT security governance and management

  • Information Security Management System (ISMS) in accordance with the ISO 27001 standard.
  • Written information security policy in place, including supporting documentation.
  • Designating a Data Protection Officer (or a responsible person if a data protection officer is not required by law).
  • Designating an information security oversight function that provides clear direction and visible management support for security initiatives.
  • Implementing a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing of Personal Data.
  • Obtaining the written commitment of employees to maintain confidentiality.
  • Training staff on data privacy and data security.
  • Implementing a formal security incident response process that is consistently followed for the management of Security Incidents that includes documentation of the actions Supplier took in response to a Security Incident and is sufficient to comply with Applicable Privacy Laws.
  • Training staff in the security incident responder roles on the security incident process.
  • Implementing a written information security program (a “WISP”), including disciplinary measures to be imposed against personnel who violate the requirements of the WISP.

Measures for ensuring data minimization

  • Detailed privacy assessments are performed related to the implementation of new products / services and the processing of personal data by third parties.
  • Data collection is limited to the purposes of processing (or the data that the customer or vendor chooses to provide).
  • Security measures are in place to provide only the minimum amount of access necessary to perform required functions.

Measures for ensuring Data quality

  • Process that allows individuals to exercise their privacy rights (including a right to amend and update information).
  • Controls to log administrators' and users' activities.
  • Controls to permit only authorized personnel to modify any Personal Data within the scope of their function.
  • Controls to ensure that Personal Data is not used for any purpose other than for the purposes it has been contracted to perform.

Measures for ensuring limited data retention

  • Establishing rules for the safe and permanent destruction of Personal Data that are no longer required.

Measures for ensuring accountability

  • Establishing controls to ensure Processing of Personal Data only for performance under the Contract(s).
  • Implementing controls to ensure staff members and contractors comply with written instructions or contracts.
  • Ensuring that data is always physically or logically separated so that, in each step of the Processing, the client from whom Personal Data originates can be identified.
  • Imposing data protection terms which are substantially similar to those in the DPA on any Sub-processor(s).
  • Performing reasonable and appropriate due diligence on any Sub-processors or other third-party service providers.

Measures for allowing Data portability and ensuring erasure

  • Ability to export data to portable format.
  • Process in place that allows individuals to exercise their privacy rights (e.g., right of erasure or right to data portability).