Annex 2 – Description of the implemented organizational and technical measures for Personal Data protection
A. Organizational security measures.
I. Information Security Management System.
1. A general security policy has been developed, along with specific security policies regarding organization security, information security, IT system security and security of people and property, all of them defining the basic objectives of the actions related to implementation of the policies.
2. General and specific security standards have been defined that implement the assumptions of the security policies in terms of information security, IT system security, and security of people and property.
3. Specific procedures and operating instructions have been developed for the implementation of the security standards in terms of information security, IT system security, and security of people and property.
4. The policies, standards, procedures, and instructions are subject to periodic reviews and revisions, to be approved by GetResponse’s top management.
5. A system to monitor changes in Personal Data Processing legislation has been developed and put in place, and the continuity of its operations has been ensured.
II. Roles and tasks.
1. The roles and tasks in security management processes have been defined. The individuals responsible for compliance with each respective security policy have been appointed.
2. For every resource (whether physical or electronic) that is of value for the organization, a responsible person (Resource Owner) has been appointed as being in charge of managing the security of that resource.
3. To ensure a proper level of Personal Data protection, an independent Data Protection Officer has been designated and appointed.
4. The Data Protection Officer answers directly to GetResponse’s top management.
5. The Data Protection Officer has been included in all the processes connected with Personal Data Processing.
6. The Data Protection Officer has been granted sufficient access to any and all information and documentation connected with Personal Data Processing.
7. Those who process Personal Data at the request and on behalf of GetResponse have been specifically indicated by name and registered (if required by Applicable Law) as authorized to process Personal Data.
8. All the individuals authorized to process Personal Data have been included in the internal Personal Data security and protection training scheme.
9. All the individuals authorized to process Personal Data have been obliged to comply with data confidentiality throughout the term of their employment and thereafter.
III. Access rights management
1. Access rights management procedures have been developed for access to data storage devices, rooms, zones, buildings, IT systems and elements of the IT infrastructure and network.
2. It has been assured that the individuals authorized to process Personal Data are assigned the minimum access rights required for the tasks they perform.
3. A procedure for ad hoc and periodic monitoring and review of access rights has been provided.
4. It has been assured that keys, access codes and access rights in the access control system for access to buildings, zones, rooms or part of rooms where Personal Data is processed are provided to specific individuals authorized to process Personal Data in accordance with the scope of the authorization and the scope of tasks performed within the job position.
5. It has been assured that buildings, zones, rooms or parts of rooms where Personal Data is processed are secured against unauthorized access in the absence of the individuals authorized to be in these rooms. Anyone who is not authorized to be in the rooms used for Personal Data Processing may only stay there under the supervision of authorized persons.
6. A process of granting and withdrawing access rights to Personal Data, in particular IT systems, has been developed and implemented.
7. It has been assured that for every person authorized to access the IT system or an element of the IT infrastructure or network a unique ID is assigned that cannot be assigned to anyone else.
8. Periodic access reviews and monitoring of all users, the access of such users, physical access, system accounts, test accounts and other accounts are carried out and fully documented.
9. It has been assured that, for every person authorized to access the IT system or an element of the IT infrastructure or network, authorization is carried out using secure methods of transmitting the authentication data.
10. It has been assured that the password assigned to every person authorized to access the IT system or an element of the IT infrastructure or network is subject to audit procedures and must be changed at predetermined intervals.
11. A standard for secure transmission of passwords has been developed and implemented in case of the need to provide the IT system user with a temporary password.
12. A standard for creating secure passwords for IT system users has been developed and implemented.
13. Upon termination of the employment of employees having such access rights, the access rights of such employees will also be terminated.
IV. Security of the Service.
1. Elements of the network infrastructure used to process Personal Data are secured against loss of accessibility through the use of maintenance services provided by producers and distributors.
2. Periodical independent tests of the vulnerability of IT systems that process Personal Data to threats are carried out.
3. The platforms and networks that process Personal Data are periodically scanned for security gaps so that general security standards connected specifically with system hardening are complied with.
4. As a result of penetration tests, vulnerability scanning and compliance assessment, a corrective program is run on a periodic basis according to a risk-based approach to make effective use of the tests’ results.
5. A training program regarding the rules of secure software has been developed and provided.
6. A software security testing program has been developed and provided.
7. The subcontractor and provider selection rules that have been developed guarantee an adequate level of technical and organizational security of the services provided and the tasks performed.
8. Standards and mechanisms for auditing sub-processors and other service providers have been developed and their implementation has been guaranteed.
V. Change and incident management.
1. A documented change control policy has been put in place which includes requirements for approving, classifying and testing the back-out plan and the division of responsibilities between request, approval and implementation.
2. A standard regarding software production security has been developed and put in place.
3. Procedures for managing and responding to security breach incidents have been put in place to allow reasonable detection, testing, response, mitigation of consequences, and notification of any events that involve a threat to the confidentiality, integrity, and availability of Personal Data. The response and management procedures are documented, checked and reviewed at least on an annual basis.
VI. Privacy security.
1. A standard regarding the analysis of the risk of violating the basic rights and freedoms of Data Subjects and the risk of loss of Personal Data confidentiality, availability and integrity at every product life cycle stage has been developed and put in place.
2. A standard regarding compliance with the privacy protection principle at the software design stage has been developed and put in place (privacy by design).
3. A standard regarding compliance with the privacy protection principle in default settings at the software design stage has been developed and put in place (privacy by default).
B. Technical security measures.
I. Security of Personal Data Processing operations.
1. A minimum scope of technical security measures that needs to be implemented to ensure protection of Personal Data has been established. Type and scope of the applied additional technical measures for the protection of Personal Data is established on a case-by-case basis, depending on the identified threats, the required degree of protection and the technical possibilities.
2. The buildings and areas with the rooms used for Personal Data Processing are secured against unauthorized access through application of access control systems, a burglar and attack alarm system, and surveillance by physical security guards, mechanical or code locks.
3. The buildings and areas with the rooms used for Personal Data Processing are secured against fire through application of doors of an increased fire resistance class.
4. The buildings and areas with the rooms used for Personal Data Processing are secured against destruction as a result of fire or flooding through application of a fire alarm and a burglar or attack alarm system.
5. The buildings and areas with the rooms used for Personal Data Processing are secured to monitor and identify any threats or undesired events through the application of CCTV.
II. Data transmission security.
1. Personal Data transferred through teletransmission are secured against loss of confidentiality and integrity using cryptographic data protection measures (data encryption in transit).
2. Personal Data transferred through teletransmission are secured against loss of confidentiality through segmentation of ICT networks (network segmentation).
3. Encryption keys used to secure teletransmission of data are stored in a secure place with management of access to them and with the possibility of key recovery.
III. Security of storage devices.
1. Personal Data stored in data storage devices at rest is secured against loss of confidentiality and integrity using cryptographic data protection measures (data encryption at rest).
2. Personal Data stored in data storage devices is secured against loss of confidentiality through physical or logical data separation (data separation).
3. Personal Data stored in data storage devices is secured against loss of availability and integrity through real-time data copying mechanisms (data replication).
4. Personal Data stored in data storage devices is secured against loss of availability and integrity through mechanisms of creating incremental or full data backups at predetermined time intervals (data backup).
5. Personal Data stored in data storage devices is secured against loss of availability through mechanisms and procedures for data recovery, data source switching and backup restoration.
6. The data storage devices used for Personal Data Processing are secured against unauthorized access before they are installed in the hardware through access restriction and control using safes.
7. The data storage devices used for Personal Data Processing are secured against loss of data confidentiality through the application of embedded procedures of cryptographic data protection (cryptographic protection of data storage devices).
8. The data storage devices used for Personal Data Processing are secured against loss of availability through the application of systems for automated monitoring of performance, capacity utilization and availability time.
9. The data storage devices used for Personal Data Processing are secured against unauthorized use with the procedures for use and configuration of IT infrastructure elements (configuration management).
10. The data storage devices intended for reuse are secured against data disclosure to any unauthorized person or IT system through the application of secure data deletion methods.
11. The data storage devices used for Personal Data Processing that are intended for elimination are secured against reuse through permanent and deliberate mechanical destruction.
IV. Data storage security.
1. Personal Data stored in databases is secured against loss of integrity through the application of consistency rules in terms of semantics (definition of data type), in terms of entities (definition of basic keys) and in terms of reference (definition of foreign keys).
2. Personal Data is secured against loss of accountability through application of solutions that tie specific actions to a specific person or IT system.
V. Security of network infrastructure.
1. Personal Data is secured against loss of confidentiality through application of secure access authentication methods for people and IT systems.
2. Personal Data is secured against loss of confidentiality and availability through monitoring of correct functioning and use of secure access authentication methods for people and IT systems.
3. Personal Data is secured against loss of availability through application of additional, backup and emergency sources of power for the IT infrastructure used to process Personal Data.
4. Elements of the network infrastructure used for Personal Data Processing (computers, servers, network equipment) are secured against access by unauthorized persons and IT systems through secure access authentication methods.
5. Elements of the network infrastructure used for Personal Data Processing are secured against access by unauthorized persons and IT systems and against loss of availability through monitoring of the validity of the operating system and the installed software.
6. Elements of the network infrastructure used for Personal Data Processing are secured against access by unauthorized persons and IT systems and against loss of availability with the use of such software as firewalls, Intrusion Detection Systems, Intrusion Prevention Systems and anti-DDoS protection.
7. Elements of the network infrastructure used for Personal Data Processing are secured against loss of availability through the application of replication, virtualization and automated scaling procedures.
8. Elements of the network infrastructure used for Personal Data Processing are secured against loss of availability through the application of automatic availability, load and performance monitoring processes.
9. Elements of the network infrastructure used for Personal Data Processing are secured against loss of availability through the application of backup power sources and automatic power source switching procedures.