Technical and Organizational Measures

 

1.  Facilities Admission Control

The term “admission control” refers to the physical access by individuals to buildings and facilities in which IT systems used for personal data processing are operated and used. These can be, for example, data centers where web servers, application servers, databases, mainframes, and storage systems are operated, and office rooms where employees use desktop computers.

Technical Measures

• Suitable technical measures (e.g. intrusion detection systems, single-person security entry systems, and locking systems) are taken to safeguard security areas and their admittance points

Organizational Measures

• The protection requirement of a building or a room is determined based on the data processing systems located in it
• A group of persons with general admittance authorization is defined and the authorizations for admittance to security-relevant areas are limited to what is absolutely necessary (“principle of minimal authorization”); admittance is denied to anyone without authorization
• A process has been established for requesting, approving, issuing, managing, and accepting the return of means of admittance, or for withdrawing admittance rights (including management of keys, visual IDs, transponders, chip cards, etc.); all keys are registered
• A process has been established for governing the admittance of people external to the company, such as guests and suppliers; external visitors are registered; if there is a need for enhanced protection, non-company personnel shall be accompanied and supervised during the performance of their work

2.  Hardware Access Control

Measures to prevent unauthorized persons from accessing or using hardware used to process personal data:

Technical Measures

• Access to data processing systems on which data is processed is possible only after the authorized person has been identified and successfully authenticated (e.g. with a username and password or chip card / PIN), using state-of-the-art security measures
• Strong authentication is always based on multiple (at least 2) factors, such as something owned, something known, or a factor specific to the user (usually biometric); examples include:
  • Chip card with certificates and PIN
  • One-time passwords (OTP generator, SMS TAN, chip TAN) and user password
  • Security questions
• All successful and rejected access attempts are logged (user ID, computer, IP address used) and archived in an audit-compliant form for 1 year; to detect improper use, regular evaluations by sampling are carried out
• The authentication credentials (such as user ID and password) must never be transmitted unprotected over the network
• Access is blocked after repeated incorrect authentication attempts; a process has been established for resetting or unlocking blocked access IDs; user IDs that are not used for a long period of time (a maximum of 180 days) are automatically blocked or set to inactive

Organizational Measures

• The group of people authorized to access IT systems must be limited to the absolute minimum necessary in order to perform the person’s specific duties or functions within the ongoing operational organization
• Passwords must obey appropriate minimum rules (e.g. a minimum password length and complexity); passwords have to be changed at regular intervals; initial passwords must be changed immediately; the requirements for password length, password complexity, and validity are enforced by technical settings
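As an added illustration (not part of this document) of the logging, lockout and inactivity measures listed above, the script below parses constructed sample audit-log lines carrying the fields the measure names (user ID, computer, IP address used, outcome) and flags IDs to lock after repeated failures and IDs unused for more than 180 days. The failure threshold of 3 is an assumption, since the document gives no number.

```python
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample audit log with the fields the measure lists:
# user ID, computer, IP address used, and the outcome of the attempt.
SAMPLE_LOG = """\
2024-03-01T08:02:11 user=alice host=ws-17 ip=10.1.4.22 result=success
2024-03-01T08:05:40 user=bob host=ws-03 ip=10.1.4.9 result=failure
2024-03-01T08:05:52 user=bob host=ws-03 ip=10.1.4.9 result=failure
2024-03-01T08:06:03 user=bob host=ws-03 ip=10.1.4.9 result=failure
2023-07-12T14:30:00 user=carol host=ws-21 ip=10.1.5.3 result=success
"""
MAX_FAILURES = 3     # assumed lockout threshold; the measure names no number
MAX_IDLE_DAYS = 180  # from the measure: unused IDs are blocked after 180 days

def parse_log(text):
    """Parse each line into a dict of its key=value fields plus a datetime."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def users_to_lock(events, max_failures=MAX_FAILURES):
    """User IDs whose run of consecutive failures reaches the threshold."""
    streak, locked = Counter(), set()
    for ev in events:  # assumes events are in chronological order
        if ev["result"] == "failure":
            streak[ev["user"]] += 1
            if streak[ev["user"]] >= max_failures:
                locked.add(ev["user"])
        else:
            streak[ev["user"]] = 0  # a successful login resets the count
    return sorted(locked)

def inactive_users(events, now_iso, max_idle_days=MAX_IDLE_DAYS):
    """User IDs whose most recent successful login is older than the limit."""
    last_ok = {}
    for ev in events:
        if ev["result"] == "success":
            last_ok[ev["user"]] = max(last_ok.get(ev["user"], ev["ts"]), ev["ts"])
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_idle_days)
    return sorted(u for u, ts in last_ok.items() if ts < cutoff)

def audit(text, now_iso):
    """Run both checks over a log; returns the IDs to lock and to deactivate."""
    events = parse_log(text)
    return {"lock": users_to_lock(events), "inactive": inactive_users(events, now_iso)}
```

An ID that has never logged in successfully is not reported by the inactivity check; such IDs belong in the review of unused accounts the measure also calls for.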

3.  Data Access Control (Limited Access)

3.1. Limited Access Rights

Measures to ensure that access to systems and data is limited to authorized personnel acting within the scope of their authorization:

Technical Measures

• The person authorized to access the data must also identify and authenticate themselves to the data processing system on the basis of unique, verifiable factors, such as ID and password
• All computer and device screens are set to automatic password-protected screen saver mode
• To the extent that data of multiple parties is stored in the same database or is processed with the same data processing system, logical access restrictions are provided that are aimed exclusively at processing the data for the party concerned (multi-tenancy)
• Additional measures according to the foregoing sections

Organizational Measures

• An authorization concept (user and administration rights) ensures that access to the data in the system is enabled only to the extent required for the user to complete the relevant task according to the user’s internal task distribution and separation of functions; rules and procedures for creating, changing, and deleting authorization profiles and user roles in compliance with data protection rules are defined; responsibilities are regulated
• Access rights are restricted on several levels on a need-to-know basis according to a written access rights policy
• Irrespective of technical restrictions, employees are instructed not to access any data not required for their function
• Passwords must obey appropriate minimum rules (e.g. a minimum password length and complexity); passwords have to be changed at regular intervals; initial passwords must be changed immediately; the requirements for password length, password complexity, and validity are enforced by technical settings
• Data and files are regularly destroyed or deleted in accordance with a data retention and deletion policy in such a manner that reconstruction is impossible or not possible without disproportionate effort; destruction and deletion are logged; such logs do not contain personal data but only references to dockets or files
• Additional measures according to the foregoing sections

3.2. Data Media Control

Measures to prevent unauthorized access to data media:

Technical Measures

• Data are encrypted or password protected in transport; sensitive data are also encrypted or password protected in use
• Additional measures according to the foregoing sections

Organizational Measures

• There are records of all data media
• Data media are stored in locked cabinets outside of business hours
• Data media are transported securely
• Data media and documents are disposed of in accordance with DIN 66399, internally or by a certified service provider
• Additional measures according to the foregoing sections

3.3. Change Control

Measures to prevent unauthorized access to, or processing of, data:

Technical Measures

• Data access is logged; sample log files are reviewed regularly
• Additional measures according to the foregoing sections

Organizational Measures

• The following is recorded:
  • Changes of passwords / access rights / roles
  • Write access, with the following details: user, data, file, and software
  • For sensitive data, also read access
• There is a written policy on the scope and nature of logging, and the retention and review of logs
• Additional measures according to the foregoing sections

3.4. Export Control

Measures to prevent unauthorized export of data out of the IT systems:

Technical Measures

• The internal network is secured by security gateways at the network transfer points (e.g. a firewall and an intrusion detection system (IDS))
• Data are transmitted only by email or in encrypted form (VPN, SSL)
• Emails are logged in a secure manner
• Additional measures according to the foregoing sections

Organizational Measures

• Use of clouds or other processing services requires that a processing agreement has been concluded and the processor audited
• Additional measures according to the foregoing sections

4.  Transmission and Transport Control

Measures to ensure that personal data cannot be read, copied, altered, or removed without authorization during electronic transfer or transport, or while being recorded onto data storage media. Similarly, measures to make it possible to ascertain and check which bodies are to be transferred personal data using data transmission facilities.

4.1. Transmission Control

Measures to ensure that the recipients of all data exports are recorded:

Technical Measures

• Measures according to the foregoing sections

Organizational Measures

• All access rights and transmissions are documented in records of processing activities
• Additional measures according to the foregoing sections

4.2. Transport Control

Measures to ensure that data are protected in transmission and transport:

Technical Measures

• If personal data is transmitted to external systems, encryption is mandatory
• Measures according to the foregoing sections

Organizational Measures

• Measures according to the foregoing sections

5.  Processing Protocols

Measures to ensure that any recording or change of personal data is logged:

Technical Measures

• Measures according to the foregoing sections

Organizational Measures

• Measures according to the foregoing sections

6.  Processor Compliance Control

Measures to ensure that processors or additional processors process data only in accordance with the controller’s instructions:

Technical Measures

• Physical or logical separation of data
• Additional measures according to the foregoing sections

Organizational Measures

• Training of employees; employees are required to sign formal undertakings
• Written documentation of instructions
• Selection of (sub-)processors and drafting of (sub-)contracts with due diligence; initial and regular auditing of technical and organizational measures
• External service providers must be subject to ongoing supervision when working on IT systems
• Additional measures according to the foregoing sections

7.  Damage Control

7.1. Availability Control

Measures to ensure that data are secured against destruction or loss:

Technical Measures

• All server rooms have climate control, smoke detection, and fire extinguishers; temperature and humidity are regularly checked
• All servers have an uninterruptible power supply (UPS) and are protected against electrical overvoltage; all servers are configured to shut down automatically in the event of an extended power blackout
• Additional measures according to the foregoing sections

Organizational Measures

• Backup and recovery protection, users, log files, and virus scans of servers are reviewed on a daily basis
• The following are regularly reviewed: uninterruptible power supply (UPS), server room locks
• There is a disaster recovery and business continuity plan in place to continue business in the event of a foreseeable (electricity, fire, water, etc.) adverse event
• Additional measures according to the foregoing sections

7.2. System Recovery

Measures to ensure that systems are quickly restored following an adverse event:

Technical Measures

• All data are subject to regular backup
• Important backups are stored off-site
• Additional measures according to the foregoing sections

Organizational Measures

• There is a written backup policy specifying scope, intervals, and methods of backing up, number of generations, data media, transport, and storage as well as internal responsibilities with respect to backup procedures
• Backups are regularly reviewed
• Additional measures according to the foregoing sections

7.3. Reliability

Measures to ensure that all systems function properly and errors are detected:

Technical Measures

• The systems conduct automatic plausibility and integrity checks (e.g. checksum procedures) to detect errors
• The systems log errors and overloads of applications (e.g. storage problems or aborted processes)
• Additional measures according to the foregoing sections

Organizational Measures

• All software is checked and approved by the IT department prior to installation
• There is a regular manual review process of systems, data attributes, and process information as well as other material configurations in order to detect errors
• There is a policy in place that requires all errors of the IT or communication systems to be reported and documented (except for errors detected and corrected automatically by the systems)
• There is a policy in place providing that errors may only be corrected by IT personnel and that major changes are tested in a sandbox prior to implementation
• Additional measures according to the foregoing sections

7.4. Data Integrity

Measures to ensure that data are not corrupted by malfunctions of the system:

Technical Measures

• Data integrity checks are included and enabled by default in the backup strategy and toolset
• Penetration tests and security audits are performed
• Measures according to the foregoing sections

Organizational Measures

• Security policies and procedures are in place
• Training for employees covering rules for entering and maintaining data
• Measures according to the foregoing sections

8.  Separation Control

Measures to ensure that data collected for different purposes are clearly separated:

Technical Measures

• Physical or logical separation of data
• Company files are separated based on dedicated storage location, both on premises and in the cloud
• Storage locations are only visible and/or accessible to individuals with an authorization to access the respective data
• Additional measures according to the foregoing sections

Organizational Measures

• Security policies and procedures are in place
• Additional measures according to the foregoing sections

9. General Organization

  1. A Data Protection Officer has been appointed to the extent required by law. One or more persons in the management or directly reporting to the management have assumed responsibility for data protection and data security compliance. One or more persons within the IT department have assumed responsibility for implementation of all technical and organizational measures including the ongoing maintenance of respective policies. There are clear regulations on respective responsibilities within the IT department.
  2. There is a written, documented risk assessment and determination of appropriate measures with respect to data protection (incl. Privacy by Design) and data security for all systems and processes.
  3. In addition to the foregoing requirements, there are written documented policies and regulations that ensure that all processing complies with the principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality of processing. The Processor complies with all statutory accountability and / or documentation requirements.
  4. All employees have been instructed and trained on the basic requirements of data protection and data security, and have undertaken to observe
  5. There are written documented procedures to ensure that (a) data subjects may exercise their statutory rights with respect to their data; and (b) incidents or breaches are promptly reported.
  6. The IT department, in cooperation with the Data Protection Officer, regularly (at least once per year) conducts a full risk and security analysis of all technical and organizational measures, and submits a written report to the management. The management may order additional audits if required. Where non-compliance is detected, measures to resolve the non-compliance are also documented.