Agreement on commissioned data processing within the meaning of § 11 para 2 of the Bundesdatenschutzgesetz (BDSG) [German Federal Data Protection Act]

Preamble

This agreement sets out the obligations of the Contracting Parties regarding data protection arising from the supplier and service relationship. Under this contractual relationship, The Team Enablers GmbH (hereinafter "TTE") is deemed to be the contractor within the meaning of commissioned data processing according to § 11 BDSG; Please enter your company name here: (hereinafter referred to as "Customer") is the client within the meaning of commissioned data processing according to § 11 BDSG. This agreement applies to all activities relating to the contract in which employees of TTE or TTE's representatives handle Customer's personal data.

§ 1 Object, duration and specifications of commissioned data processing

This agreement covers the subject and duration of the contract as well as the scope and type of data collection, processing or use. In particular, the following data form part of the data processing:

(1) Type of data: personal data within the meaning of § 3 BDSG (including name, address and date of birth).

(2) Purpose of data collection, processing or use: TTE operates the online software application Surwayne, which is designed to facilitate anonymous in-house surveys and to suggest methods of improving the evaluated projects and general team work. With Surwayne, TTE enables businesses (hereinafter referred to as customers) to analyse and evaluate the improvement measures taken and their immediate effects, e.g. on team spirit and efficiency, in order to optimise projects and team work individually and effectively. To use Surwayne, TTE's customers transfer personal data (e.g. the respective addresses used for the surveys) to TTE. TTE passes its customers' personal data on to a data processing centre. The data processing centre processes and stores the customers' data on behalf of TTE.

(3) Group of persons affected: Customer's employees, freelancers or others involved in the survey process whose data is shared with TTE for the purpose of operating the Surwayne service.

The term of this agreement depends on the term of validity of the supplier and service relationship, unless the provisions of this document give rise to obligations beyond this term.

§ 2 Scope and responsibility

(1) TTE processes personal data and special categories of personal data on behalf of Customer. This includes the activities specified in the contract and in the service description. In connection with this agreement, Customer is solely responsible for the legality of the data transfer to TTE, for the legality of the processing of the data and for compliance with the statutory data protection provisions (Customer is the controller, i.e. the "responsible body" within the meaning of § 3 para 7 BDSG).

§ 3 Obligations of TTE

(1) TTE must collect, process or use data of the persons affected only within the scope of the contract and in accordance with Customer's instructions.

(2) Within its area of responsibility, TTE will organise its internal structures so that they meet the specific requirements of data protection. TTE will implement technical and organisational measures for the adequate protection of Customer's data that satisfy the requirements of the Federal Data Protection Act (annex to § 9 BDSG). These measures cover:
a) Physical access control (Zutrittskontrolle)
b) System access control (Zugangskontrolle)
c) Data access control (Zugriffskontrolle)
d) Transfer control (Weitergabekontrolle)
e) Input control (Eingabekontrolle)
f) Job control (Auftragskontrolle)
g) Availability control (Verfügbarkeitskontrolle)
h) Separation control (Trennungsgebot)
TTE reserves the right to change the security measures taken; it must however be ensured that the contractually agreed level of protection is not undercut.

(3) Upon request, TTE shall provide Customer with the overview in accordance with § 4 para 2 sentence 1 BDSG of the necessary information available to TTE, insofar as Customer cannot obtain it itself.

(4) TTE ensures that employees involved in the processing of Customer's data, and other persons acting on behalf of TTE, are prohibited from collecting, processing or using the data without the necessary authorisation (data secrecy according to § 5 BDSG). Data secrecy continues to apply after termination of the contract.

(5) TTE will immediately inform Customer of serious infringements, by TTE or by persons employed by TTE within the framework of the agreement, of provisions concerning the protection of Customer's personal data or of the stipulations set out in the contract. TTE must take all necessary steps to secure the data and to reduce the potential adverse consequences for those affected, and must discuss this immediately with Customer. TTE supports Customer in fulfilling the notification obligations according to § 42a BDSG.

(6) TTE names a point of contact for Customer for data protection questions within the framework of the contract.

(7) TTE guarantees that it complies with its duties under §§ 4f and 4g BDSG (§ 11 para 2 no. 5 in conjunction with § 11 para 4 BDSG), such as the duty to appoint a data protection officer insofar as this is prescribed by law.

(8) TTE does not use the provided data for any purposes other than the performance of the contract.

(9) TTE corrects, deletes or blocks the contractual data when Customer so requests. TTE undertakes the privacy-compliant destruction of storage media and other materials on the basis of an individual order from Customer, unless this is already agreed in the contract. In particular cases to be determined by Customer, the data may instead be retained or transferred.

(10) Data, data carriers and all other materials are to be either returned to Customer or deleted once the order has been completed. Additional costs arising from deviating specifications for the return or deletion of the data are borne by Customer.

§ 4 Customer's obligations

(1) Customer has to inform TTE immediately and completely if errors or irregularities concerning data protection provisions are found in the execution of the order.

(2) The obligation to keep the public procedure directory (Jedermannverzeichnis) in accordance with § 4g para 2 sentence 2 BDSG lies with Customer.

§ 5 Requests of affected parties

(1) If Customer is obliged under data protection laws to provide an individual with information on the collection, processing or use of data relating to that person, TTE will help Customer to provide this information. This presupposes that Customer has requested this from TTE in writing or in text form, and that Customer reimburses the costs incurred by TTE in supporting this request. TTE will not itself answer requests for information and will refer those affected to Customer.

(2) Should an affected party contact TTE with demands for rectification, deletion or blocking, TTE will refer that party to Customer.

§ 6 Supervisory duties

(1) Prior to commencing data processing and subsequently on a regular basis, Customer will satisfy itself of the technical and organisational measures of TTE and will document the results. For this purpose Customer may, for example, obtain information from TTE, demand an existing expert opinion if necessary, or, after timely consultation, personally inspect or have a qualified third party inspect, during normal business hours and without disturbing business operations, provided that the third party is not in a competitive relationship with TTE.

(2) Upon written request, TTE commits itself to provide Customer within a reasonable time with all information and evidence required to carry out an inspection.

§ 7 Subcontracting

(1) TTE is permitted to use subcontractors within the framework of the activities agreed in the contract (e.g. data processing centres).

(2) TTE will make arrangements with such third parties to the extent necessary to ensure adequate data protection.

§ 8 Information obligations, written form clause, choice of applicable law

(1) Should Customer's data held by TTE be jeopardised as a result of seizure or confiscation, insolvency or composition proceedings, or other events or measures taken by third parties, TTE has to inform Customer immediately. TTE will immediately inform all responsible persons involved that sovereignty over and ownership of the data lie exclusively with Customer as the responsible body within the meaning of the Federal Data Protection Act.

(2) Changes and additions to this supporting document and all its components, including any assurances given by TTE, require a written agreement and the explicit statement that it constitutes a modification of or addition to these terms. This also applies to any waiver of this formal requirement.

(3) In case of conflict, the provisions of this document take priority over those of the contract. Should individual parts of this supporting document be invalid, this shall not affect the validity of the document as a whole.

(4) German law shall apply.

Place, date
Customer name (name of the person signing) / signature
Date (Processor)
Attachment on technical and organisational measures pursuant to § 9 BDSG

1. Physical Access Control (Zutrittskontrolle)
Measures to prevent unauthorised persons from gaining access to data processing systems with which personal data are processed:
All TTE (and/or subcontractor) sites at which an information system that uses or houses personal data is located have reasonable security systems. TTE restricts access to such personal data appropriately.
Physical access control has been implemented for all Processor data centres. Unauthorised access to the data centres is prevented through 24x7 monitoring and access restriction. A surveillance camera is installed at the data centre entry door, and security monitoring by building management is in place.
Offices and work areas where personal data is processed are secured through clear desk and clear screen requirements, office lock-up procedures and the use of secure cabinets and containers.
Delivery and loading areas are controlled and isolated from information processing facilities to avoid unauthorised access.
Secured areas are protected with appropriate entry controls to ensure that only authorised personnel are allowed access. The measures to protect such secure areas include pass and badge controls, visitor sign-in and the requirement that employees challenge any unbadged or unknown persons.
Technical controls are implemented to ensure the physical security of information system components against security threats. Network and server equipment, including LAN servers, bridges and routers, is physically secured from unauthorised access by placing it in locked rooms or closets.
Security policies are in place to direct the overall security approach for securing systems and data.

2. Data Media Control (Zugangskontrolle)
Measures to prevent storage media from being read, copied, modified or removed without authorisation:
Equipment, information or software is not removed from TTE's (and/or the subcontractor's) premises without approval and/or logging.
When media are to be disposed of or reused, procedures have been implemented to prevent any subsequent retrieval of the information stored on them.
When media are to leave the premises at which the files are located as a result of maintenance operations, procedures have been implemented to prevent undue retrieval of the information stored on them.
Processing is performed in accordance with standard procedures and Instructions.
Encryption methods are employed to protect the confidentiality of information when it is being transmitted.
Access to information is restricted by defining procedures for handling, labelling, copying, distributing, storing, transporting, disposing of and printing information in hard copy form.
Storage devices containing information are physically destroyed or securely overwritten, rather than using a standard delete function, prior to disposal or reuse.
TTE (and/or the subcontractor) has designated and secured areas for the storage of collected media.

3. Storage Control (Zugriffskontrolle)
Measures to prevent unauthorised input into the memory and the unauthorised examination, modification or erasure of stored personal data:
Security policies are in place to direct the overall security approach for securing systems and data.
Only authorised staff can grant, modify or revoke access to an information system that uses or houses personal data. User administration procedures define user roles and their privileges, how access is granted, changed and terminated; address appropriate segregation of duties; and define the logging/monitoring requirements and mechanisms.
All employees of TTE (and/or the subcontractor) are assigned unique user IDs.
Access rights are implemented according to the least privilege principle: users are assigned the most restrictive set of privileges necessary to perform their respective job functions.
There is a formal user registration process for granting and revoking access to information resources.
Systems are configured to enforce sound passwords and to minimise the potential for unauthorised use of accounts.
TTE (and/or subcontractor) employees are positively identified and follow a strict login process before they can gain access to information resources. System access is removed when an employee leaves TTE (and/or the subcontractor).
Logging mechanisms are implemented so that the identity of the person accessing data and the time of access can be subsequently checked.
Separate and distinct production and test environments are maintained by TTE (and/or the subcontractor).
Data collection and handling are performed in accordance with standard procedures and Instructions.
Encryption methods are employed to protect the confidentiality of information when it is being transmitted.
Access to information is restricted by defining procedures for handling, labelling, copying, distributing, storing, transporting, disposing of and printing information in hard copy form.

4. User Control (Weitergabekontrolle)
Measures to prevent data processing systems from being used by unauthorised persons with the aid of data transmission facilities:
Only authorised staff can grant, modify or revoke access to an information system that uses or houses personal data. User administration procedures define user roles and their privileges, how access is granted, changed and terminated; address appropriate segregation of duties; and define the logging/monitoring requirements and mechanisms.
All employees of TTE (and/or the subcontractor) are assigned unique user IDs.
Access rights are implemented according to the least privilege principle: users are assigned the most restrictive set of privileges necessary to perform their respective job functions.
There is a formal user registration process for granting and revoking access to information resources.
Systems are configured to enforce sound passwords and to minimise the potential for unauthorised use of accounts.
TTE (and/or subcontractor) employees are positively identified and follow a strict login process before they can gain access to information resources. System access is removed when an employee leaves TTE (and/or the subcontractor).
Secure data transmission methods are established.
Logging mechanisms are implemented so that the identity of the person accessing data and the time of access can be subsequently checked.
TTE (and/or the subcontractor) has established data backup schedules and utilises automated backup systems for data management. Data backups are securely stored.

5. Logical Access Control (Zugriffskontrolle)
Measures to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access:
TTE (and/or the subcontractor) has implemented security policies and procedures to classify information assets, clarify security responsibilities and promote awareness among employees.
All personal data security incidents are managed in accordance with appropriate incident response procedures.
Access rights are implemented according to the least privilege principle: users are assigned the most restrictive set of privileges necessary to perform their respective job functions.
A password management system has been implemented for validating user authority to access information resources. Systems are configured to enforce sound passwords and to minimise the potential for unauthorised use of accounts.
All employees of TTE (and/or the subcontractor) are assigned unique user IDs.
Remote access to systems and data requires two levels of authentication.
Periodic reviews of user accounts are conducted to ensure that the appropriate minimum privileges are granted and that accounts of unauthorised users have been removed.

6. Communication Control (Weitergabekontrolle)
Measures to ensure that it is possible to check and establish to which bodies personal data can be communicated by means of data transmission facilities:
Authorised routes between users and services are enforced and restricted.
An intrusion detection system is in place to monitor and log security events.
Remote access to systems and data requires two levels of authentication.
Logging mechanisms are implemented so that the identity of the person accessing data and the time of access can be subsequently checked.
Secure data transmission methods are established. Encryption methods are employed to protect the confidentiality of information when it is being transmitted.
Equipment, information or software is not removed from TTE's (and/or the subcontractor's) premises without approval and/or logging.

7. Input Control (Eingabekontrolle)
Measures to ensure that it is possible to check and establish which personal data have been input into data processing systems, by whom and at what time:
Logging mechanisms are implemented so that the identity of the person accessing data and the time of access can be subsequently checked.
Audit logs are secured against modification and independently reviewed.
Authorised routes between users and services are enforced and restricted.
Equipment, information or software is not removed from TTE's (and/or the subcontractor's) premises without approval and/or logging.
When media are to be disposed of or reused, procedures have been implemented to prevent any subsequent retrieval of the information stored on them.
When media are to leave the premises at which the files are located as a result of maintenance operations, procedures have been implemented to prevent undue retrieval of the information stored on them.
TTE (and/or the subcontractor) has implemented internal procedures to ensure that processing is performed in accordance with Instructions.

8. Job Control (Auftragskontrolle)
Measures to ensure that, in the case of commissioned processing of personal data, the data are processed strictly in accordance with the Instructions:
Personal data is used for internal purposes only and only as necessary for the provision of the services detailed in the Agreement (including amendments, if any) and this annex pursuant to § 11 BDSG dated April. TTE (and/or the subcontractor) acts in compliance with the terms regarding processing set forth in the Agreement and this annex.
TTE (and/or the subcontractor) has implemented internal procedures to ensure that processing is performed in accordance with Instructions.

9. Transport Control (Weitergabekontrolle)
Measures to prevent data from being read, copied, modified or erased without authorisation during the transmission of personal data or the transport of storage media:
Data collection and handling are performed in accordance with standard procedures and Instructions.
Encryption methods are employed to protect the confidentiality of information when it is being transmitted.
Access to information is restricted by defining procedures for handling, labelling, copying, distributing, storing, transporting, disposing of and printing information in hard copy form. Hard copy media is distributed in a controlled fashion.
Storage devices containing information are physically destroyed or securely overwritten, rather than using a standard delete function, prior to disposal or reuse.
Equipment, information or software is not removed from TTE's (and/or the subcontractor's) premises without approval and/or logging.
When media are to leave the premises at which the files are located as a result of maintenance operations, procedures have been implemented to prevent undue retrieval of the information stored on them.
TTE (and/or the subcontractor) has implemented anti-virus and anti-malware protections to support the security and availability of systems.

10. Separation Control (Trennungskontrolle)
Measures which ensure that personal data collected for different purposes can be processed separately:
Access rights are implemented according to the least privilege principle.
To protect information, large networks are segregated into separate logical domains.
All clients (tenants) are logically segregated at the application layer using separate containers with controls including access and authorisation controls. All data is stored in separate logical database containers with access controls. All files are stored in separate logical access structures with access controls.

11. Organisational Control (Organisationskontrolle)
Measures to arrange the internal organisation of authorities or enterprises in such a way that it meets the specific requirements of data protection:
TTE (and/or the subcontractor) has designated a Privacy Officer and has established a privacy policy.
TTE (and/or the subcontractor) has appropriate disaster recovery and business resumption plans. TTE (and/or the subcontractor) reviews both the business continuity plan and the risk assessment regularly. Business continuity plans are tested and updated regularly to ensure that they are up to date and effective.
Monitoring systems are used to manage system capacity and usage.
TTE (and/or the subcontractor) has established data backup schedules and utilises automated backup systems for data management. Data backups are securely stored.
TTE's (and/or the subcontractor's) data centre facilities maintain redundant power and network systems as well as sound environmental controls to ensure continuity of system availability.
TTE (and/or the subcontractor) has implemented anti-virus and anti-malware protections to support the security and availability of systems.
TTE (and/or the subcontractor) has implemented internal procedures to ensure that processing is performed in accordance with Instructions.
A password management system has been implemented for validating user authority to access information resources. Systems are configured to enforce sound passwords and to minimise the potential for unauthorised use of accounts.
Periodic reviews of user accounts are conducted to ensure that the appropriate minimum privileges are granted and that accounts of unauthorised users have been removed.
TTE (and/or the subcontractor) has designated and assigned responsibility for the management of compliance and supporting functions.
TTE (and/or the subcontractor) considers segregation of duties in designing organisational structures and assigning functional responsibilities.
TTE (and/or the subcontractor) has established software development and change management policies.
TTE (and/or the subcontractor) has centralised management of purchasing for hardware and software.
More informationCHIS, Inc. Privacy General Guidelines
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
More informationDDV Declaration Commissioned Data Processing and Data Treatment (Version: 09/2009)
DDV Declaration Commissioned Data Processing and Data Treatment (Version: 09/2009) Service provider: (in the following Service Provider ) Street, number ZIP code, city E-mail address Internet addresses
More informationManaged Hosting & Datacentre PCI DSS v2.0 Obligations
Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version
More informationMicrosoft Online Services - Data Processing Agreement
Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID This Amendment consists of
More informationState HIPAA Security Policy State of Connecticut
Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.
More informationAccess Control Policy
Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you
More information6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING
6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING The following is a general checklist for the audit of Network Administration and Security. Sl.no Checklist Process 1. Is there an Information
More informationManagement Standards for Information Security Measures for the Central Government Computer Systems
Management Standards for Information Security Measures for the Central Government Computer Systems April 26, 2012 Established by the Information Security Policy Council Table of Contents Chapter 1.1 General...
More informationRAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER
RaySafe S1 SECURITY WHITEPAPER Contents 1. INTRODUCTION 2 ARCHITECTURE OVERVIEW 2.1 Structure 3 SECURITY ASPECTS 3.1 Security Aspects for RaySafe S1 Data Collector 3.2 Security Aspects for RaySafe S1 cloud-based
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationMontclair State University. HIPAA Security Policy
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
More informationWEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
More informationName: Position held: Company Name: Is your organisation ISO27001 accredited:
Third Party Information Security Questionnaire This questionnaire is to be completed by the system administrator and by the third party hosting company if a separate company is used. Name: Position held:
More informationGuidelines on Data Protection. Draft. Version 3.1. Published by
Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...
More informationopenqrm Enterprise Server and Client Licenses Agreement
openqrm Enterprise Server and Client Licenses Agreement (1) This openqrm Enterprise Server and Client License Agreement ( Agreement ) is by and between openqrm Enterprise GmbH, Berrenrather Strasse 188c,
More informationGeneral Terms and Conditions of Trade for the use of the Bitplaces management platform and the Bitplaces software
General Terms and Conditions of Trade for the use of the Bitplaces management platform and the Bitplaces software I. Definitions, application area / conclusion of contract 1. Definitions 1.1 "App" in the
More informationStandards for Information Security Measures for the Central Government Computer Systems (Fourth Edition)
Standards for Information Security Measures for the Central Government Computer Systems (Fourth Edition) February 3, 2009 Established by the Information Security Policy Council Table of Contents Standards
More informationProtection. Code of Practice. of Personal Data RPC001147_EN_D_19
Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility
More informationInformation Security Policy
Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems
More informationInformation Security Management Criteria for Our Business Partners
Information Security Management Criteria for Our Business Partners Ver. 2.0 October 1, 2012 Procurement Group, Manufacturing Enhancement Center, Global Manufacturing Division Information Security Group,
More informationInformation security controls. Briefing for clients on Experian information security controls
Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face
More informationDHHS Information Technology (IT) Access Control Standard
DHHS Information Technology (IT) Access Control Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-B 1.0 Purpose and Objectives With the diversity of
More informationInformation Technology General Controls Review (ITGC) Audit Program Prepared by:
Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the
More informationVMware vcloud Air HIPAA Matrix
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
More informationInformation Security Policies. Version 6.1
Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access
More informationDelphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11
Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2
More informationBRING YOUR OWN DEVICE
BRING YOUR OWN DEVICE Legal Analysis & Practical TIPs for an effective BYOD corporate Policy CONTENTS 1. What is BYOD? 2. Benefits and risks of BYOD in Europe 3. BYOD and existing Policies 4. Legal issues
More informationIT - General Controls Questionnaire
IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow
More informationMike Casey Director of IT
Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date
More informationFORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY
FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY Page 1 of 6 Summary The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationBERKELEY COLLEGE DATA SECURITY POLICY
BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data
More informationDDV Declaration (VE 12/2009) Commissioned Data Processing and Data Treatment
DDV Declaration (VE 12/2009) Commissioned Data Processing and Data Treatment Service provider: (in the following Service Provider ) Street, number: Country: ZIP code, city: E-mail address: Website: www...
More informationHow To Protect Your Data In European Law
Corporate Data Protection Code of Conduct for the Protection of the Individual s Right to Privacy in the Handling of Personal Data within the Deutsche Telekom Group 2010 / 04 We make ICT strategies work
More informationProjectplace: A Secure Project Collaboration Solution
Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the
More informationM E M O R A N D U M. Revised Information Technology Security Procedures INFORMATION TECHNOLOGY SECURITY PROCEDURES. I. General
M E M O R A N D U M To: From: IT Steering Committee Brian Cohen Date: March 26, 2009 Subject: Revised Information Technology Security Procedures The following is a revised version of the Information Technology
More informationMusic Recording Studio Security Program Security Assessment Version 1.1
Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationU.S. Department of the Interior's Federal Information Systems Security Awareness Online Course
U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course Rules of Behavior Before you print your certificate of completion, please read the following Rules of Behavior
More information1 Terms and Conditions Cloud + Managed Hosting
Cloud + Managed Hosting 1 1 Terms and Conditions Cloud + Managed Hosting 1. General - Scope The following terms and conditions apply to all business relationships between the customer and aixzellent -
More informationAproved by: doron berger Data Security Manager - National Security unit
Israel Electric Corporation National Security unit Data Security Security of critical project performed by vendor abroad Aproved by: doron berger Data Security Manager - National Security unit Project
More informationDeciphering the Safe Harbor on Breach Notification: The Data Encryption Story
Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story Healthcare organizations planning to protect themselves from breach notification should implement data encryption in their
More informationInformation Shield Solution Matrix for CIP Security Standards
Information Shield Solution Matrix for CIP Security Standards The following table illustrates how specific topic categories within ISO 27002 map to the cyber security requirements of the Mandatory Reliability
More informationDecision on adequate information system management. (Official Gazette 37/2010)
Decision on adequate information system management (Official Gazette 37/2010) Pursuant to Article 161, paragraph (1), item (3) of the Credit Institutions Act (Official Gazette 117/2008, 74/2009 and 153/2009)
More informationCalifornia State University, Sacramento INFORMATION SECURITY PROGRAM
California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...
More informationPolicy Rules for Business Partners of Siemens
Information Security Policy Rules for Business Partners of Siemens Basic rules regulating access to Siemens-internal information and systems Policy Rules for business Partners of Siemens Edition P-RBP-2007-02-05-E
More informationNational Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016
National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy Version 1.1 February 2, 2016 Copyright 2016, Georgia Tech Research Institute Table of Contents TABLE OF CONTENTS I 1 INTRODUCTION
More informationICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen
ICT Policy THCCGIT20 Version: 01 Executive Summary This document defines the Network Infrastructure and File Server Security Policy for Tower Hamlets Clinical Commissioning Group (CCG). The Network Infrastructure
More informationHIPAA Compliance Guide
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
More informationHIPAA Security. assistance with implementation of the. security standards. This series aims to
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationMCOLES Information and Tracking Network. Security Policy. Version 2.0
MCOLES Information and Tracking Network Security Policy Version 2.0 Adopted: September 11, 2003 Effective: September 11, 2003 Amended: September 12, 2007 1.0 POLICY STATEMENT The Michigan Commission on
More informationHealth Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
More informationDEPARTMENT OF MENTAL HEALTH POLICY/PROCEDURE
2 of 10 2.5 Failure to comply with this policy, in whole or in part, if grounds for disciplinary actions, up to and including discharge. ADMINISTRATIVE CONTROL 3.1 The CIO Bureau s Information Technology
More informationPCI Data Security and Classification Standards Summary
PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers
More informationIntel Enhanced Data Security Assessment Form
Intel Enhanced Data Security Assessment Form Supplier Name: Address: Respondent Name & Role: Signature of responsible party: Role: By placing my name in the box above I am acknowledging that I am authorized
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationUniversity of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary
University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary This Summary was prepared March 2009 by Ian Huggins prior to HSC adoption of the most recent
More informationRecommendations for companies planning to use Cloud computing services
Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation
More informationProcessor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries
Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.
More informationWritten Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.
Written Information Security Plan (WISP) for HR Knowledge, Inc. This document has been approved for general distribution. Last modified January 01, 2014 Written Information Security Policy (WISP) for HR
More informationINFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.
INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents INSTRUCTIONS TO VENDORS 3 VENDOR COMPLIANCE PROGRAM OVERVIEW 4 VENDOR COMPLIANCE
More informationPolicy on the Security of Informational Assets
Policy on the Security of Informational Assets Policy on the Security of Informational Assets 1 1. Context Canam Group Inc. recognizes that it depends on a certain number of strategic information resources
More information