TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES


Contents

Introduction... 3
The Technical and Organizational Data Security Measures... 3
Access Control of Processing Areas (Physical)... 3
Access Control to Data Processing Systems (Logical)... 3
Availability Control... 5
Transmission Control... 6
Input Control... 6
Separation of Processing for Different Purposes... 7
Documentation... 7
Monitoring... 7
Definitions... 7
Document History... 8

Technical and Organizational Data Security Measures Page 2 of 8

Introduction

This Technical and Organizational Data Security Measures document articulates the technical and organizational security measures implemented by Citrix Systems, Inc. ("Citrix") in support of its Security Program, including the Citrix Global Security Framework.

The Technical and Organizational Data Security Measures

Citrix has implemented and maintains a security program that leverages the ISO/IEC 27000-series of control standards as its baseline.

Access Control of Processing Areas (Physical)

Web applications, communications and database servers of Citrix are located in secure data centers. Citrix has implemented suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment (namely telephones, database and application servers and related hardware) where Personal Data are processed or used. These measures include:

- Establishing security areas;
- Protection and restriction of access paths;
- Securing the data processing equipment and personal computers;
- Establishing access authorizations for employees and third parties, including the respective documentation;
- Regulations/restrictions on card-keys;
- Restricting physical access to the servers by using electronically-locked doors and separate cages within co-location facilities;
- Access to the data center where Personal Data are hosted is logged, monitored, and tracked via electronic and CCTV video surveillance by security personnel; and
- Data centers where Personal Data may be hosted are protected by a security alarm system and other appropriate security measures, such as user-related authentication procedures, including biometric authentication procedures (e.g., hand geometry), and/or electronic proximity identity cards with users' photographs.

Access Control to Data Processing Systems (Logical)

Citrix has implemented suitable measures to prevent its data processing systems from being used by unauthorized persons. These measures include:

- Establishing the identification of the terminal and/or the terminal user to the Citrix systems;

- Automatic time-out of the user terminal if left idle; identification and password are required to reopen;
- Automatic lock-out of the user ID when several erroneous passwords are entered. Events are logged and logs are reviewed on a regular basis;
- Utilizing firewall, router and VPN-based access controls to protect the private service networks and back-end servers;
- Continuously monitoring infrastructure security;
- Regularly examining security risks by internal employees and third party auditors;
- Issuing and safeguarding of identification codes; and
- Role-based access control implemented in a manner consistent with the principle of least privilege.

Remote access to Citrix's services delivery network infrastructure is secured using two-factor authentication tokens. Access to host servers, applications, databases, routers, switches, etc., is logged.

Access and account management requests must be submitted through internal approval systems. Access must be approved by an appropriate approving authority. In most cases, the approval for a request requires two approvals at minimum: the employee's manager and the role approver or owner for the particular system or internal application.

Passwords must adhere to the Citrix password policy, which includes minimum length requirements, enforced complexity and periodic resets. Password resets are handled via the Citrix ticketing system. New or reset passwords are sent to the employee using an internal secure, encrypted email system or by leaving a voicemail for the employee.

Citrix's intrusion detection systems include signature-based network IDS, host-based IDS, and a security incident and event management (SIEM) system. Citrix also uses commercial and custom tools to collect and examine its application and system logs for anomalies.

Access Control to Use Specific Areas of Data Processing Systems

Persons entitled to use the data processing system are only able to access Personal Data within the scope and to the extent covered by their respective access permission (authorization), and Personal Data cannot be read, copied, modified or removed without authorization. The measures in place include:

- Employee policies and training in respect of each employee's access rights to the Personal Data;

- Users have unique log-in credentials; role-based access control systems are used to restrict access to particular functions;
- Monitoring activities that add, delete or modify the Personal Data;
- Effective and measured disciplinary action against individuals who access Personal Data without authorization;
- Release of Personal Data to only authorized persons;
- Controlling access to account data and customer Personal Data via role-based access controls (RBAC) in compliance with the security principle of least privilege;
- Internal segmentation and logical isolation of Citrix's employees to enforce least-privilege access policies;
- Requirements-driven definition of the authorization scheme and access rights, as well as their monitoring and logging;
- Regular review of accounts and privileges (typically every 3-6 months, depending on the particular system and the sensitivity of the data it provides access to);
- Control of files, controlled and documented destruction of data; and
- Policies controlling the retention of back-up copies.

Availability Control

Citrix has implemented suitable measures to ensure that Personal Data is protected from accidental destruction or loss. These measures include:

- Global and redundant service infrastructure that is set up with full disaster recovery sites;
- Constantly evaluating data centers and Internet service providers (ISPs) to optimize performance for its customers in regards to bandwidth, latency and disaster recovery isolation;
- Situating data centers in secure co-location facilities that are ISP carrier neutral and provide physical security, redundant power, and infrastructure redundancy;
- Typically maintaining a minimum of 50 percent more bandwidth than needed in case of increased usage;
- Service level agreements from ISPs to ensure a high level of uptime;
- Rapid failover capability; and
- Major services are run in an N+2 configuration, meaning that the full network is replicated twice for added insurance.

Citrix maintains full capacity disaster recovery (DR) sites and annually tests its DR centers by shutting down its primary site for 24 hours.

Transmission Control

Citrix has implemented suitable measures to prevent Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. These measures include:

- Use of adequate firewall and encryption technologies to protect the gateways and pipelines through which the data travels;
- Sensitive Personal Data is encrypted during transmission using up-to-date versions of SSL or other security protocols using strong encryption algorithms and keys;
- Certain types of customer Sensitive Personal Data and other confidential customer data (e.g. payment card numbers) are encrypted at rest within the system;
- Protecting web-based access to account management interfaces by employees through encrypted SSL or TLS;
- End-to-end encryption of screen sharing for remote access, support, or real-time communication; and
- Use of integrity checks to monitor the completeness and correctness of the transfer of data.

Input Control

Citrix has implemented suitable measures to ensure that it is possible to check and establish whether and by whom Personal Data have been input into data processing systems or removed. These measures include:

- An authorization policy for the input of Personal Data into memory, as well as for the reading, alteration and deletion of such stored data;
- Authentication of the authorized personnel;
- Protective measures for Personal Data input into memory, as well as for the reading, alteration and deletion of stored Personal Data, including by logging material changes to account data or account settings;
- Segregation and protection of all stored Personal Data via database schemas, logical access controls and encryption;
- Utilization of user identification credentials;
- Physical security of data processing facilities; and
- Session time-outs.

Separation of Processing for Different Purposes

Citrix has implemented suitable measures to ensure that Personal Data collected for different purposes can be processed separately.

Documentation

Citrix keeps documentation of technical and organizational measures in case of audits and for the conservation of evidence. Citrix takes reasonable steps to ensure that persons employed by it, and other persons at the place of work concerned, are aware of and comply with the technical and organizational measures set forth in this document. Citrix, at its election, may make non-confidential portions of audit reports available to customers to verify compliance with the technical and organizational measures undertaken in this Program.

Monitoring

Citrix does not access Customer Personal Data, except to provide services to the Customer which Citrix is obligated to perform, in support of the Customer experience, as required by law, or on request by Customer. Citrix has implemented suitable measures to monitor access restrictions of Citrix's system administrators and to ensure that they act in accordance with instructions received. These measures include:

- Individual appointment of system administrators;
- Adoption of suitable measures to register system administrators' access logs to the infrastructure and keep them secure, accurate and unmodified for a reasonable period of time;
- Regular audits of system administrators' activity to assess compliance with assigned tasks, the instructions received from the Controller and applicable laws; and
- Keeping an updated list with system administrators' identification details (e.g. name, surname, function or organizational area) and tasks assigned.

Definitions

"Citrix" means Citrix Systems, Inc., and all of its direct and indirect subsidiaries.

"Customer" means any purchaser of any Citrix offering.

"Personal Data" means any information directly or indirectly relating to any identified or identifiable natural person.

"Sensitive Personal Data" means Personal Data (1) revealing the racial or ethnic origin of a natural person, his or her political opinions or religious, philosophical or other beliefs, membership in trade unions, and his or her health, sexual life and criminal convictions; or (2) consisting of an individual's first name and last name, or first initial and last name, in combination with some other data element that could lead to identity theft or financial fraud, such as a government issued identification number, financial account number, payment card number, date of birth, mother's maiden name, biometric data, electronic signature, or health information; or (3) consisting of log-in credentials, such as a username and password or answer to a security question, that would permit access to an online account or an information system.

"Security Framework" refers to the collection of Citrix's policies and procedures governing information security, including, but not limited to, policies, trainings, education, monitoring, investigation and enforcement of its data management and security efforts.

Document History

Version | Revision Date | Author        | Notes
1.0     | 6/30/2015     | Stacey Simson |