Security Measures

Itadel Security Measures

Below is a description of Itadel's technical and organisational measures to safeguard Customer Data. This page was last updated on Friday, 25 May 2018.

Domain   Practices

1. Organization of Information Security

  • Itadel has assigned a dedicated function to respond to requests related to Personal Data.
  • Itadel has implemented a process for handling such requests, taking into account the regulatory requirements for a timely response.
  • Itadel has appointed an information security department responsible for internal control and for compliance with rules and regulations.
  • Itadel has also implemented a risk management program to ensure risk transparency and appropriate risk responses.

2. Asset Management

  • Itadel maintains a register of all media holding customer data.
  • Customer data and the systems processing customer data are classified to identify the appropriate protection levels.
  • Access to customer data is allowed only where there is a work-related requirement. Such access is logged (cf. section 5, Communications and Operations Management).

3. Human Resources Security

  • Itadel has implemented a process for screening personnel prior to employment.
  • All personnel are subject to confidentiality obligations.
  • Itadel personnel are informed of their roles and information security responsibilities at employment and whenever those responsibilities change.
  • All personnel are made aware of the possible disciplinary measures for breaching security rules and procedures.

4. Physical and Environmental Security

  • Physical access to data processing facilities is limited to identified and authorized persons.
  • Physical access privileges are revoked after they have not been used for a period of six months.
  • Physical access is logged, and the log is retained for 12 months.
  • Employees and visitors are required to wear visible identification cards at all times in Itadel’s facilities.
  • Photography is prohibited in the support infrastructure facilities.
  • CCTV coverage is maintained at the support infrastructure facilities, and CCTV activity is recorded.
  • To reduce the risk of eavesdropping, a clear screen and clear desk policy has been implemented.
  • Itadel disposes of physical data media following a formal process based on industry best practices.
  • Itadel maintains records of incoming and outgoing media containing customer data.
  • Shredders are used for the disposal of paper assets.
  • During system decommissioning, logical data deletion activities are recorded for later documentation.
  • Redundant communication lines are provided in order to minimize the impact of disruptions.
  • To protect against disruptions from power failures that could lead to loss of data, Itadel uses industry-standard emergency power systems as well as lightning protection.
  • Backups are stored at a different physical site from the primary customer data processing systems, at a physical distance of at least 10 kilometres.

5. Communications and Operations Management

  a. Operational procedures
  • Itadel maintains operational procedures to ensure a uniform security level.
  • Changes are made in a controlled manner following Itadel’s Change Management process. Prior to a change, a risk assessment is carried out and approved by a responsible person appointed by management.
  b. Backup
  • To ensure backup consistency, backup records are monitored daily for failed backup attempts.
  • Data recovery ability is checked on a sample basis every month.
  • Data recovery activities are logged (cf. c. Logging).
  c. Logging
  • Itadel logs relevant system events and administrator activities, including data processing activities. Logs are retained for 6 months and deleted thereafter (unless a customer-specific retention time is specified). Logs are stored in a dedicated and protected log management system.

The following events are logged in Itadel’s systems:

Hypervisor and operating systems:

  • Authorization accept or reject events
  • Access to, change of, and deletion of files, including data backup and restoration activities
  • Changes to access control lists
  • All log entries contain at least the user ID, the time and date, and the activity.

Database:

  • SQL statements on specific tables, as specified by the Customer.
  • Upon Customer request, system-supported log analysis may be implemented to identify and follow up on irregularities. Such a request is handled in accordance with Itadel’s change procedure.
  d. Encryption
  • Customer data in transit over public networks is encrypted.
  e. Protection against malicious software
  • On servers and clients, Itadel uses centrally managed anti-malware software from a widely recognized vendor.

6. Access Control

  • Itadel has implemented formalised processes for user registration and de-registration, as well as for assigning and revoking access rights.
  • Principles of segregation of duties and management approval are implemented in these processes.
  • Remote access to customer systems is encrypted and protected by a two-factor authentication mechanism.
  • Access to customer data is approved on the basis of a work-related need.
  • Access rights granted to Itadel’s administrators are reviewed periodically.
  • User registers and user privileges are maintained.
  • Repeated unsuccessful logon attempts trigger an alarm and a temporary lockout of the account concerned.
  • Itadel deactivates user credentials that have not been used for three months.
  • Deactivated personal user IDs are not granted to other individuals.
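The lockout rule above (repeated failed logons raise an alarm and temporarily lock the account) and the logging requirement in section 5c (every entry carries at least the user ID, time and date, and the activity) can be replayed offline against an exported log to verify that the rule actually fires. The following is an added example and not code from Itadel: the log line format, the threshold of 5 failures within 10 minutes, the 15-minute lock duration and the sample log lines are all constructed assumptions, not Itadel's published settings.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from Itadel's systems), one event per line,
# in chronological order: "<ISO timestamp> <user ID> <activity>".
SAMPLE_LOG = """\
2018-05-25T08:00:01 alice LOGON_REJECT
2018-05-25T08:00:05 alice LOGON_REJECT
2018-05-25T08:00:09 alice LOGON_REJECT
2018-05-25T08:00:12 alice LOGON_REJECT
2018-05-25T08:00:15 alice LOGON_REJECT
2018-05-25T08:00:20 alice LOGON_ACCEPT
2018-05-25T08:05:00 bob LOGON_REJECT
2018-05-25T08:20:00 alice LOGON_ACCEPT
2018-05-25T09:30:00 bob LOGON_REJECT
"""


def parse_line(line):
    """Split a log line into (timestamp, user, activity); raises on malformed input."""
    ts, user, activity = line.split()
    return datetime.fromisoformat(ts), user, activity


def detect_lockouts(log_text, threshold=5, window=timedelta(minutes=10),
                    lockout=timedelta(minutes=15)):
    """Replay logon events and return the alarms the lockout rule would raise.

    threshold, window and lockout are assumed values, not Itadel's settings.
    Returns a list of (timestamp, user, kind): kind is "LOCKED" when the
    threshold is reached within the window, and "ATTEMPT_WHILE_LOCKED" for
    any logon attempt, successful or not, made while the lock is still active.
    """
    failures = defaultdict(deque)   # user -> timestamps of recent rejects
    locked_until = {}               # user -> time the temporary lock expires
    alarms = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, activity = parse_line(line)
        until = locked_until.get(user)
        if until is not None and ts < until:
            alarms.append((ts, user, "ATTEMPT_WHILE_LOCKED"))
            continue
        if activity == "LOGON_ACCEPT":
            failures[user].clear()  # a successful logon resets the counter
            continue
        if activity != "LOGON_REJECT":
            continue                # other activities are irrelevant to this rule
        recent = failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop rejects that fell out of the window
        if len(recent) >= threshold:
            locked_until[user] = ts + lockout
            alarms.append((ts, user, "LOCKED"))
            recent.clear()
    return alarms


if __name__ == "__main__":
    for ts, user, kind in detect_lockouts(SAMPLE_LOG):
        print(ts.isoformat(), user, kind)
```

In the sample, alice reaches five rejects within ten minutes and is locked at 08:00:15; her LOGON_ACCEPT five seconds later is reported as ATTEMPT_WHILE_LOCKED, which on a real system would mean the lock was not enforced and should itself be investigated. bob's two rejects are more than ten minutes apart and never reach the threshold.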

Passwords

  • Unique, personal user IDs and passwords with enforced complexity settings are required.
  • Passwords for administrative accounts are at least 12 characters long.
  • Periodic password renewal is enforced.
  • The use of generic accounts is limited and documented.
  • When accessing customer systems with higher privileges, two-factor authentication is enforced.
  • Passwords are stored in an encrypted format.

Erasure

  • Itadel handles deletion of customer data following a formal process using industry best practices.

7. Information Security Incident Management

  • Itadel manages information security incidents according to a formalised, management-approved process.
  • When an incident is identified, a record is created with the incident description, time and date, and impact, and the incident is evaluated by a person responsible for security. Follow-up activities are tracked as well.
  • In case of Customer data disclosure, the Customer will be notified without undue delay.
  • The notification includes a description of the incident, an estimate of the extent of the data breach and its likely consequences, together with the contact details of the contact point at Itadel. Subsequently, and without undue delay, Itadel will analyse the incident and inform the Customer of its root cause and of the measures taken to prevent recurrence.

8. Business Continuity Management

  • Itadel’s contingency planning contains measures to prevent crisis situations and measures to minimise the impact of disaster situations.
  • Itadel’s disaster recovery plans are tested periodically.
  • In order to minimise data loss, Itadel uses storage technology with built-in redundancy and performs a data backup every 24 hours.

9. Disclosure of personal data

  • Itadel has appointed a dedicated function with special training and focus to handle requests for Personal Data. The dedicated function and a formal process ensure that Itadel will not hand out any personal data unless required by law, cf. clause 10 (Data Processor Agreement).

10. Privacy by design

  • Itadel is dedicated to protecting customer data. Therefore, Itadel takes information security requirements into consideration during the design phase of new IT services.
  • Customers hosted in Itadel’s IT environment are logically separated into virtual data centres, one virtual data centre per customer. Every customer server is a logically separated virtual instance connected to a virtual, logically separated network.