Physical security and access control

☒

☒

Access controls (key, badge)

Keys/badges are assigned to individuals

User and access control (identity and access management)

☒

All access require authentication

☒

Rules for password complexity and renewal

☒

Role-based identity and access management

☒

Tools are locked when not in use

☒

Multi-factor authentication for external access

☒

Least privilege principle

☒

Privileged Access Management (PAM);

☒

Access logging

☒

Use of admin accounts only when necessary

☒

Authorization concept (need-to-know principle)

Confidentiality, integrity, availability and traceability

☒

Encryption of data "at rest"

☒

Backup concept

☒

Encryption of end devices

☒

BCM concept, emergency plan

☒

Encryption of data "in transit"

☒

Regular review of the backup

☒

State-of-the-art encryption

☒

Inventory of hardware and software

☒

Penetration tests, external security audits

☒

Hardware and software continuously checked/updated

☒

Staff signs non-disclosure agreement (clause in the employment contract)

☒

Technical redundancy (e.g. RAID, two systems)

☒

Logged changes of data/systems

☒

Logical separation of the data processed as an processor from other data

Measures to comply with data protection principles and data subject rights

☒

Privacy Policy for all applications

☒

Responsibility for data subject rights established

☒

Separation of productive data/test data

☒

List of processing activities

☒

Responsibility for edits defined

Organisation, monitoring and certifications

☒

TOMS are regularly checked/adjusted

☒

Internal or external data protection representative

Instructions and training

☒

Information security training

☒

Training on data protection

☒

Awareness measures data protection