Annex II

Annex II – Technical and Organizational Measures including Technical and Organizational Measures to Ensure the Security of the Data

Description of the technical and organizational measures implemented by the data importer (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.


Security Management

Recipient maintains a written information security management system (ISMS), in accordance with this Annex, that includes policies, processes, enforcement and controls governing all storage/processing/transmitting of Personal Data, designed to (a) secure Personal Data against accidental or unlawful loss, access or disclosure; (b) identify reasonably foreseeable and internal risks to security and authorized access to Recipient Network, and (c) minimize security risks, including through risk assessment and regular testing. The information security program will include the following measures:
  • Recipient actively follows information security trends and developments as well as legal developments with regards to the services provided and especially with regards to Personal Data and uses such insights to maintain its ISMS, as appropriate.
  • To the extent Recipient processes cardholder or payment data (such as payment or credit cards), Recipient will maintain its ISMS in accordance with the PCI DSS standard, augmented to cover Personal Data, or such other alternative standards that are substantially equivalent to PCI DSS for the establishment, implementation, and control of its ISMS. Additionally, Recipient will be assessed against PCI DSS annually by an on-site assessment carried out by an independent QSA (Qualified Security Assessor) and upon Company’s request, not to exceed once annually, Recipient will provide Company with PCI DSS attestation of compliance.


Maintain an Information Security Policy

Recipient’s ISMS is based on its security policies that are regularly reviewed (at least yearly) and maintained and disseminated to all relevant Parties, including all personnel. Security policies and derived procedures clearly define information security responsibilities including responsibilities for:
  • Maintaining security policies and procedures;
  • Secure development, operation and maintenance of software and systems;
  • Security alert handling;
  • Security incident response and escalation procedures;
  • User account administration;
  • Monitoring and control of all systems as well as access to Personal Data.

Personnel is screened prior to hire and trained (and tested) through a formal security awareness program upon hire and annually. For service providers with whom Personal Data is shared or that could affect the security of Personal Data, a process has been set up that includes initial due diligence prior to engagement and regular (typically yearly) monitoring.

Recipient has implemented a risk-assessment process that is based on ISO 27005.


Secure Networks and Systems

Recipient has installed and maintains a firewall configuration to protect Personal Data that controls all traffic allowed between Recipient’s (internal) network and untrusted (external) networks, as well as traffic into and out of more sensitive areas within its internal network. This includes current documentation, change control and regular reviews.

Recipient does not use vendor-supplied defaults for system passwords and other security parameters on any systems and has developed configuration standards for all system components consistent with industry-accepted system hardening standards.


Protection of Personal Data

Recipient keeps Personal Data storage to a minimum and implements data retention and disposal policies to limit data storage to that which is necessary, in accordance with the needs of its customers.

Recipient uses strong encryption and hashing for Personal Data anywhere it is stored. Recipient has documented and implemented all necessary procedures to protect (cryptographic) keys used to secure stored Personal Data against disclosure and misuse. All transmission of Personal Data across open, public networks is encrypted using strong cryptography and security protocols.


Vulnerability Management Program

Recipient protects all systems against malware and regularly updates anti-virus software or programs to protect against malware – including viruses, worms, and Trojans. Anti-virus software is used on all systems commonly affected by malware to protect such systems from current and evolving malicious software threats.

Recipient develops and maintains secure systems and applications by:

  • Having established, and continuing to evolve, a process to identify and fix (e.g. through patching) security vulnerabilities that ensures that all system components and software are protected from known vulnerabilities.
  • Developing internal and external software applications, including web applications, securely using a secure software development process based on best practices, such as code reviews and OWASP secure coding practices, that incorporates information security throughout the software-development lifecycle.
  • Implementing a stringent change management process and procedures for all changes to system components that include strict separation of development and test environments from production environments and prevent the use of production data for testing or development.


Implementation of Strong Access Control Measures

“Recipient Network” means the Recipient’s data center facilities, servers, networking equipment, and host software systems (e.g. virtual firewalls) as employed by the Recipient to process or store Personal Data.

The Recipient Network will be accessible to employees, contractors and any other person as necessary to provide the services to the Company. Recipient will maintain access controls and policies to manage what access is allowed to the Recipient Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. Recipient will maintain corrective action and incident response plans to respond to potential security threats.

Recipient strictly restricts access to Personal Data on a need-to-know basis to ensure that critical data can only be accessed by authorized personnel. This is achieved by:

  • Limiting access to system components and Personal Data to only those individuals whose job requires such access;
  • Establishing and maintaining an access control system for system components that restricts access based on a user’s need to know, with a default “deny-all” setting.

Recipient identifies and authenticates access to all system components by assigning a unique identification to each person with access. This ensures that each individual is uniquely accountable for their actions and any actions taken on critical data and systems can be traced to known and authorized users and processes. Necessary processes to ensure proper user identification management, including control of addition/deletion/modification/revocation/disabling of IDs and/or credentials as well as lock out of users after repeated failed access attempts and timely termination of idle sessions, have been implemented.

User authentication utilizes at least passwords that have to meet complexity rules, which need to be changed on a regular basis and which are cryptographically secured during transmission and storage on all system components. All individual non-console and administrative access and all remote access use multi-factor authentication.

Authentication policies and procedures are communicated to all users, and group, shared or generic IDs/passwords are strictly prohibited.


Restriction of Physical Access to Personal Data

Any physical access to data or systems that house Personal Data is appropriately restricted using appropriate entry controls and procedures to distinguish between onsite personnel and visitors. Access to sensitive areas is controlled and includes processes for authorization based on job function and access revocation for personnel and visitors.

Media and backups are secured and (internal and external) distribution is strictly controlled. Media containing Personal Data no longer needed for business or legal reasons is rendered unrecoverable or physically destroyed.


Regular Monitoring and Testing of Networks

All access to network resources and Personal Data is tracked and monitored using centralized logging mechanisms that allow thorough tracking, alerting, and analysis on a regular basis (at least daily) as well as when something does go wrong. All systems are provided with correct and consistent time, and audit trails are secured and protected, including file-integrity monitoring to prevent change of existing log data and/or generate alerts in case. Audit trails for critical systems are kept for a year.

Security of systems and processes is regularly tested, at least yearly. This is to ensure that security controls for system components, processes and custom software continue to reflect a changing environment. Security testing includes:

  • Processes to test rogue wireless access points.
  • Internal and external network vulnerability tests that are carried out at least quarterly. An external, qualified party carries out the external network vulnerability tests.
  • External and internal penetration tests using Recipient’s penetration test methodology that is based on industry-accepted penetration testing approaches that cover all relevant systems and include application-layer as well as network-layer tests.

All test results are kept on record and any findings are remediated in a timely manner.

Recipient does not allow penetration tests carried out by or on behalf of its customers.

In daily operations, an IDS (intrusion detection system) is used to detect and alert on intrusions into the network, and file-integrity monitoring has been deployed to alert personnel to unauthorized modification of critical systems.


Incident Management

Recipient has implemented and maintains an incident response plan and is prepared to respond immediately to a system breach. Incident management includes:

  • Definition of roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of customers.
  • Specific incident response procedures.
  • Analysis of legal requirements for reporting compromises.
  • Coverage of all critical system components.
  • Regular review and testing of the plan.
  • Incident management personnel that is available 24/7.
  • Training of staff.
  • Inclusion of alerts from all security monitoring systems.
  • Modification and evolution of the plan according to lessons learned and to incorporate industry developments.

Recipient has also implemented a business continuity process (BCP) and a disaster recovery process (DRP) that are maintained and regularly tested. Data backup processes have been implemented and are tested regularly.


Physical Security

Physical Access Controls

Physical components of the Recipient Network are housed in nondescript facilities (“Facilities”). Physical barrier controls are used to prevent unauthorized entrance to Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors are required to sign in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorized employees or contractors while visiting the Facilities.


Limited Employee and Contractor Access

Recipient provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of Recipient or its affiliates.


Physical Security Protections

All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. Recipient also maintains electronic intrusion detection systems designed to detect unauthorized access to the Facilities, including monitoring points of vulnerability (e.g., primary entry doors, emergency egress doors, etc.) with door contacts, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.


Continued Evaluation

Recipient will conduct periodic reviews of the security of its Recipient Network and adequacy of its information security program as measured against industry security standards and its policies and procedures. Recipient will continually evaluate the security of its Recipient Network to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.