Alia Technical and Security Measures

Security Measures

Vendor and Data Importer will implement, or ensure that its trusted service providers implement, the following types of security measures:

Physical access control

Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data is Processed, include:

• Establishing security areas, restriction of access paths;
• Establishing access authorizations for employees and third parties;
• Access control system (ID reader, magnetic card, chip card);
• Key management, card-keys procedures;
• Door locking (electric door openers etc.);
• Security staff, janitors;
• Surveillance facilities, video/CCTV monitor, alarm system; and
• Securing decentralized data processing equipment and personal computers.

Virtual access control

Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:

• User identification and authentication procedures;
• ID/password security procedures (special characters, minimum length, change of password);
• Automatic blocking (e.g. password or timeout);
• Monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous passwords attempts;
• Creation of one master record per user, user-master data procedures per data processing environment;
• Encryption of archived data media; and
• Multi-factor authentication.

Data access control

Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, include:

• Internal policies and procedures;
• Control authorization schemes;
• Differentiated access rights (profiles, roles, transactions and objects);
• Monitoring and logging of accesses;
• Disciplinary action against employees who access Personal Data without authorization;
• Background Verification;
• Training & Awareness;
• Reports of access;
• Access procedure;
• Change procedure;
• Deletion procedure; and
• Encryption.

Disclosure control

Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified, or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include:

• Encryption/tunneling;
• Logging; and
• Transport security.

Entry control

Technical and organizational measures to monitor whether Personal Data has been entered, changed or removed (deleted), and by whom, from data processing systems, include:

• Logging and reporting systems; and
• Audit trails and documentation.

Availability control

Technical and organizational measures to ensure that Personal Data is protected against accidental destruction or loss (physical/logical) include:

• Backup procedures;
• Mirroring of hard disks (e.g. RAID technology);
• Uninterruptible power supply (UPS);
• Remote storage;
• Anti-virus/firewall systems; and
• Disaster recovery plan.