Technical and organizational measures (TOM)

Version: 01.08.2023

This documentation contains the technical and organizational measures in accordance with Art. 8 revDSG and Art. 24, 32 (1) DSGVO. The categories of measures are subordinated to the protection requirement objectives of confidentiality, availability, integrity and resilience, whereby resilience is considered a subcategory of availability.

1. confidentiality

1.1 Access control

Measures office space:

Video surveillance
Automatic access control system
Electronic locking system with authorization management
Doors with knob outside
Bell system with camera
Visitor regulation
Visitor escort by employees
Contractual protection of service personnel (cleaning)

Measures Data Centers:

Video surveillance
Automatic access control system
Electronic locking system with authorization management
Biometric access barriers
Restrictive access policies
Security guards
Visitor escort exclusively by authorized employees
Alarm system inputs
Contractual safeguarding with service providers (maintenance)
Security locks

1.2 Access control

Measures:

strict remote access policies
Two-factor authentication where possible
Firewall
Regular verification of authorizations
Mandatory encryption of data connections
Conduct guidelines for employees in dealing with sensitive data
Password policy
Central password management
Restrictive authorization rules for data requiring special protection
Mobile and Telework Policy

1.3 Access control

Measures:

professional, external destruction of data media
Logging of accesses to applications, specifically when entering, changing and deleting data
Deployment authorization concepts
Minimum number of administrators
Behavioral Guidelines Administrators
Management of user policies by administrators

1.4 Separation control

Measures:

Separation of productive and test environment
Physical separation (systems / databases / data carriers)
Multi-client capability of relevant applications
Control via authorization concept
Setting database rights
restrictive authorization concept

1.5 Pseudonymization

Measures:

Internal instruction to anonymize / pseudonymize personal data as far as possible in the event of disclosure or even after expiry of the statutory deletion period.
Pseudonymization of personal data for analytical purposes in cooperation with third parties

2. integrity

2.1 Transfer control

Measures:

Deployment VPN
Logging of accesses and retrievals
Encrypted transmission of data
Documentation of the data recipients and the duration of the planned transfer or deletion periods.
Disclosure in anonymized or pseudonymized form
Supplier management according to ISO 27001

2.2 Input conrole

Measures:

Technical logging of data entry, modification and deletion
Traceability of input, modification and deletion of data through individual user names (not user groups)
Assignment of rights to enter, change and delete data on the basis of an authorization concept
Clear responsibilities for deletions

3. availability and resilience

3.1 Availability control

Measures:

Additional security standard through ISO 27001 certification
Fire and smoke detection system
Automatic fire extinguishing system
Climate monitoring server rooms
UPS
Emergency generator
Redundant power supply
RAID systems
Video surveillance
Alarm system
Backup and recovery concept (business continuity policy)
Monitoring systems
Offsite backups
Existence of an emergency plan
Redundant power supply line
Regular review and testing of emergency plans
Incident Management Policy

4. procedures for regular review, assessment and evaluation.

4.1 Data protection measures

Measures:

Central documentation of all procedures and regulations on data protection with access for employees according to need / authorization
ISO 27001 security certification
Regular review of the effectiveness of technical protection measures
Internal data protection officer
Data privacy policy for employees and awareness training
Sensitization of employees
CISO / internal information security officer
External audits
The organization complies with the information obligations according to Art. 13 and 14 DSGVO

4.2 Incident response management

Measures:

Firewall use
Regular update
Regular check for security vulnerabilities
Risk Management
Spam filter
Virus scanner
Documented process for detecting and reporting security incidents / data breaches (also with regard to reporting obligation to supervisory authority)
Documented procedure for handling security incidents
Incident Management Policy

4.3 Privacy-friendly default settings

Measures:

No more personal data is collected than is necessary for the respective purpose

4.4 Order control

Measures:

Prior review of the safety measures taken by the contractor and their documentation.
Selection of the contractor under due diligence aspects (especially with regard to data protection and data security)
In the case of longer cooperation: Ongoing review of the contractor and its level of protection.
Care in the selection of suppliers

Benefit from 25 years of experience in solution development in the IT sector.

I would like to...

Netstream AG

Technical and organizational measures (TOM)

1. confidentiality

1.1 Access control

1.2 Access control

1.3 Access control

1.4 Separation control

1.5 Pseudonymization

2. integrity

2.1 Transfer control

2.2 Input conrole

3. availability and resilience

3.1 Availability control

4. procedures for regular review, assessment and evaluation.

4.1 Data protection measures

4.2 Incident response management

4.3 Privacy-friendly default settings

4.4 Order control

Round and your services

Links

Benefit from 25 years of experience in solution development in the IT sector.

I would like to...