Schedule C of the EFGI intra-group Data Sharing Framework Agreement (TOMs)

Schedule C
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The technical and organisational measures are those described in the following General Directives:

  • POL 500-001, Information Security Policy
  • GD 11 01 001, Organization of Information Security
  • GD 11 02 001, Acceptable Use of ICT Assets and Services
  • GD 11 03 001, Information Access Control
  • GD 11 04 001, Software and Application Security
  • GD 11 05 001, Information System Implementation

and are at least the following:

Control of physical access to the premises and equipment used for data processing
Objective: prevent unauthorised access to the premises and equipment used for/in data processing

  • Anti-intrusion system (locked rooms, security alarm)
  • Backup power supply so that physical security devices remain operational during a power outage
  • Authentication mechanism when entering premises (badge, key, etc.)
  • Badge with specific access authorisation
  • Procedure on the handling of authentication mechanism when entering premises
  • Additional measures restricting access to critical technical areas:
    • locked rooms,
    • access badge with specific authorisation justified by a legitimate professional need
  • Backup devices stored in secured location
  • Video surveillance
  • Specific arrangements for visitor access (signing a visitor record, temporary badge, etc.)
  • Logging of badge activity

Control of access to IT systems
Objective: prevent unauthorised access to IT systems on which data are processed

  • Access logging for IT systems
  • User authentication through registered, unique, and personal user accounts
  • Limitation of failed login attempts (account lockout)
  • Strong password policy (users/administrators)
  • Auditable, binding procedure to reset forgotten passwords
  • Access policy for IT systems with a periodically reviewed procedure for granting authorisations
  • Secure remote access to IT systems (VPN, strong authentication, etc.)
  • Server systems can only be administered from a password-protected console or over an authenticated, encrypted connection
  • IT administrators use a separate, privileged account for administration tasks, distinct from their day-to-day user account
  • Secure wireless network
  • Mobile terminal devices encrypted
  • Automatic password-protected screen and computer locking when temporarily not in use

Control of data access
Objective: prevent any access or illegal/unauthorised activity on the data

  • Data access restricted to persons with an operational need
  • Predefined access profiles based on business role
  • Logging of data access
  • Policy describing access authorisation

Control of data transfer
Objective: ensure a secure transmission of data and prevent any unauthorised transmission

  • Data transmitted over the internet is encrypted (email encryption, TLS/SSL)
  • Logging of data transfers and retention of those logs
  • Data transfer only to third parties with whom a contractual relationship exists
  • Prevent/control the use of removable storage devices
  • Block data uploads to file-sharing sites such as WeTransfer, Dropbox, etc.
  • Block access to webmail interfaces
  • Inspect outbound data and block it if it violates policy

Control of data integrity
Objective: protect data against any alteration and ensure tracking of any input, modification or deletion of data

  • Logging of system administrators’ activity
  • Formal change management procedures

Control of data availability
Objective: prevent any loss/destruction, even if momentary, of data, whether it is accidental or intentional

  • Regular data backups, with controls to confirm that the backups are carried out and verified
  • Emergency and restore procedures
  • Storing backup devices externally
  • Maintain redundant backup media
  • Secure technical setups:
    • UPS with inverters
    • temperature control
    • Redundant power supply
    • Redundant layout of the network
    • Redundant layout of computing resources (CPU, Storage)
  • Business continuation plan with regular testing
  • Disaster recovery plan with regular testing
  • Proper, state-of-the-art use of system protection solutions

Organisational measures

  • Security policy
  • Defined and established Information Security Governance
  • Procedure for testing, analysing and assessing the efficiency of technical and organisational measures (penetration tests, scans for internal and external vulnerabilities, etc.)
  • Periodic patching cycle
  • Install critical operating system updates without delay
  • Install application updates without delay when they address a critical vulnerability
  • Procedure for managing security incidents
  • Raising user awareness in terms of security
  • Training for employees whose tasks involve processing personal data
  • Assessment of sub-processors

Assurance of System Integrity

  • Anti-Virus on workstations
  • EDR / NGAV on workstations
  • Malware scan in user mailboxes
  • Malware interception on Internet gateways
  • Filtering of potentially dangerous file types on the internet gateways
  • Ethical phishing campaign to raise security awareness
  • Regular updates of anti-virus software
  • Detection of anomalous system behaviour

Separation control

  • Physical or logical separation of data where multiple clients are served

Control in case of IT development

  • IT development tests carried out on fictitious or anonymised data

Procedures for regular testing, assessment and evaluation

  • Data Protection Management
  • Cyber Security Management
  • Incident Response Management
  • Data Protection by Design & by Default
  • Order or Contract Control
  • No third-party data processing without corresponding instructions from the Controller, e.g.
    • Clear and unambiguous contractual arrangements
    • Strict controls on the selection of the Service Provider
    • Duty of pre-evaluation