Security

Technical and Organisational Security Measures

Description of the technical and organisational measures implemented by iController to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks to the rights and freedoms of natural persons.

Each heading below names a technical and organisational security measure (the reference in brackets is the corresponding ISO/IEC 27001:2013 Annex A control area); the bullets describe the relevant controls.

Information security policies (A.5)

– iController has a formal and up-to-date Information Security Policy which is drafted and reviewed in line with the overall direction of iController's information security practices.

– iController's information security policy is made available to all relevant parties on a continuous basis.

– There is clear support from top management to engage, control, maintain and adjust the implementation of information security within iController.

Organisation of information security (A.6)

– iController has assigned responsibilities for specific information security related tasks.

– iController has established a framework to adequately implement and maintain information security practices (e.g. in the context of internal project management).

– iController has set up a separate policy regarding the use of mobile devices and remote working. Employees who use mobile devices are trained so that they (1) are aware of the additional risks that the use of mobile devices and remote working entails and (2) know which control measures should be taken.

– iController has implemented the necessary controls to allow the use of mobile computers (and other mobile media) and teleworking to take place in a secure manner. These measures include:

* cryptographic techniques;
* protection against malware;
* access security for external access to personal data;
* physical security of portable computing devices (including mobile media) and of the telework site against theft.

Human resource security (A.7)

– iController ensures that employees and contractors are aware of, and understand, their responsibilities in the context of handling personal data. This is achieved through awareness campaigns and appropriate training.

– iController addresses individuals' responsibilities in relation to IT security at all stages of employment (before, during and after employment).

– iController employees are required to sign an employment agreement containing provisions relating to their responsibilities for IT security and personal data protection.

– iController contractors involved in processing personal data are informed of, and bound by, appropriate confidentiality obligations.

– iController has communicated the tasks and responsibilities in relation to IT security that remain in force after termination or alteration of the employment relationship, and monitors compliance with those obligations.

– iController has implemented all appropriate measures to prevent personal data from leaving the organisation uncontrolled and falling into unauthorised hands. In particular by:

* protecting assets from unauthorised access, disclosure, alteration, destruction or disruption;
* carrying out certain security processes or activities;
* ensuring that the responsibility for actions taken is always clearly assigned to a person;
* reporting (potential) security events or other security risks.

Asset Management (A.8)

– iController has identified its information assets and distinguishes the following data types:

* Anonymous data: data that cannot be linked to an identified or identifiable person and are therefore not personal data;
* Personal data: any information relating to an identified or identifiable natural person;
* Sensitive personal data: data about race, political opinions, religious or philosophical convictions, trade union membership, health, sexual life, suspicions, prosecutions, and criminal or administrative convictions. Processing such data is in principle forbidden;
* Coded personal data: personal data that can only be linked to an identified or identifiable person by means of a code (the code, held separately, is what makes re-identification possible).

– iController has classified information assets in terms of risk and has attributed appropriate security measures in light of this risk.

– iController ensures that sensitive data is not subject to unauthorised disclosure, modification, removal or destruction.

– iController has determined the necessary measures to protect physical media (including paper documents) containing personal data during transport from unauthorised access, misuse or corruption.

– iController maintains an updated inventory of relevant assets relating to personal data processing in cooperation with the operational departments concerned. Relevant assets include:

* information;
* software programmes;
* physical assets;
* services;
* all users (including access rights).

– In this inventory, each relevant business asset related to personal data processing is linked to a well-defined function/person within the organisation (responsibility).

– Upon termination of employment, contract or agreement, a formal procedure is applied for the return of all relevant issued company assets (such as software, company documents, equipment and access cards). In case of the use of personal equipment, appropriate measures are applied for the transfer of all relevant information to the organisation and for the correct removal of the information from the equipment.

Access control (A.9)

– iController has an approved and up-to-date access security policy regarding the granting, changing and revoking of access rights to applications and systems that use or process personal data. This policy is determined, documented and assessed on the basis of the classification of the personal data concerned.

– With regard to networks and network services, iController has determined the appropriate security measures to ensure that a person can only access the personal data for which they have been expressly authorised.

– iController has appointed a person responsible for managing all requests relating to access to personal data.

– Users are informed about their responsibility in ensuring effective access security, including the use of passwords and security of user equipment on which personal data are used/processed.

– iController has determined the appropriate security measures to restrict access to personal data.

– iController restricts the access of information administrators (system administrators, also known as "superusers") to the systems and applications on which personal data are used or processed, so that privileged accounts are limited to the systems they actually administer.

Cryptography (A.10)

– Following a risk-based approach, iController has developed a policy for the correct and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of personal data.

– iController has developed a policy for the use, protection and lifetime of cryptographic keys throughout their life cycle (generation, storage, rotation and retirement).

Physical and environmental security (A.11)

– Following a risk-based approach, iController has defined secure areas and the appropriate access safeguards for all areas in which information and data processing facilities containing personal data are located.

– iController has determined the necessary measures with regard to these secure areas in order to avoid any kind of damage that could endanger personal data. Appropriate measures are taken to avoid damage by fire, flooding, explosion, … or other forms of natural or man-made calamity.

– Following a risk-based approach, iController has determined the appropriate controls over the equipment, cabling and supporting facilities to prevent loss, damage, theft and accidental alteration of personal data. In doing so, special attention is paid to equipment located or used outside the organisation’s premises.

– Protective measures are taken to guard equipment against physical threats and external dangers. Attention is paid, inter alia, to:

* the location and protection of equipment, so that it is protected against the risk of damage and interference from outside and access by unauthorised persons is prevented;
* protection against power failures and other disturbances caused by interruptions to utility services;
* securing power and telecommunications cables against interception or damage;
* the maintenance of the equipment.

– iController has developed a specific procedure for the disposal or reuse of any equipment with storage media on which personal data are used or processed.

– All equipment containing storage media is checked before removal or reuse to ensure that all personal data have been securely overwritten or deleted. If this equipment contains sensitive personal data, specific measures are taken to physically destroy this equipment or to delete the information using techniques that make it impossible to retrieve.

Operations security (A.12)

– iController has determined the necessary procedures and responsibilities when changes in the organisation, business processes, information processing facilities and systems affect the information security of personal data.

– iController provides for a segregation of duties to prevent a single person from obtaining exclusive control over a personal data processing operation.

– iController has implemented controls to address malware, ensuring that it has the necessary defences to mitigate the risk of infection and to create awareness amongst system users and end users.

– iController has installed, and regularly updates, anti-malware and recovery software, and scans computers and media both routinely and as a precaution. Where relevant, the scan covers:

* all files received via networks or on any form of storage medium, before use;
* attachments and downloads, before use, at the critical points of the network (mail servers, workstations, network access points, …);
* web pages.

– iController has established and follows an appropriate back-up policy to ensure adequate recovery after loss, damage, theft or accidental change of personal data.

Communications security (A.13)

– iController has integrated network security as part of its overall information security plan with special attention to the information flows where personal data can leave iController’s systems.

– iController has a formal, up-to-date policy on means of communication (such as e-mail, Internet, video and telephone), approved by iController’s highest decision-making body, which is communicated on a regular basis to all relevant parties and which pays particular attention to the use of personal data.

– iController establishes, regularly reviews and documents the requirements for confidentiality or non-disclosure agreements that reflect its needs for protecting personal data.

System acquisition, development and maintenance (A.14)

– iController has ensured that the security requirements for personal data remain unaffected when acquiring or developing new information systems or when expanding existing information systems. Information systems means applications, services, IT resources or other information processing components.

– iController has procedures in place for the development of new systems or major upgrades to existing systems so that the necessary security requirements relating to the protection of personal data are taken into account by the relevant project owner.

– iController applies clear formal change procedures to minimise the risk of unwarranted changes or personal data leaks.

Supplier relationships (A.15)

– In case of cooperation with suppliers, iController makes sure that the supplier offers sufficient guarantees regarding the information security of personal data and that the obligations regarding the use and processing of personal data are laid down in a contract.

– iController requires that such suppliers maintain an appropriate level of information security and service delivery.

Information security incident management (A.16)

– Responsibilities and procedures are defined for the detection and handling of information security incidents and vulnerabilities involving personal data. Reporting mechanisms are provided where needed.

– iController ensures that the information security cell/processing manager is always informed immediately of events and incidents that could compromise or have compromised the information security of personal data.

– iController ensures that the Chief Information Security Officer is always promptly informed of any detected or suspected security weaknesses in the systems or services related to personal data processing.

– iController has a formal and up-to-date procedure for reporting information security events combined with a response and escalation procedure for personal data incidents.

– The information security cell/processing manager is systematically informed of all measures taken to deal with information security incidents and personal data vulnerabilities.

Information security aspects of business continuity management (A.17)

– On the basis of a risk assessment, iController has determined the necessary measures to ensure the continuity of the information security of personal data.

– Information processing facilities are provided with sufficient redundancy to ensure the availability of personal data. Additional information security risks due to redundancy are taken into account.

Compliance (A.18)

– iController monitors regulatory developments in order to understand and implement applicable legal and contractual requirements and to mitigate the risk of non-compliance.

Subprocessor List

Last Updated March 4, 2022

To support the delivery of the services we provide to our customers, iController may engage different types of sub-processors to perform various functions, as set out in the table below.

The following sub-processors may have access to EU Personal Data as necessary for the support of iController's business activities:

Processor name         Service provided               Location
Unix Solutions BVBA    Hosting Services               Belgium
Salesforce             CRM Software                   Belgium
Zendesk                Support ticketing system       Belgium
JIRA (Atlassian)       Development ticketing system   Belgium
Exact Online           Invoicing system               Belgium
Zoho                   Password manager               Belgium
Postmark               Email delivery service         United States
Mailchimp              Email marketing service        Belgium
Victus                 Call Center                    Belgium
Prospex                Call Center                    Belgium
Vandelanotte           External accounting office     Belgium
Billtrust              B2B Payment Management         United States
Bluewave Marketing     Wifi Telecom Operator          Belgium

Capitalized terms used and not defined in this document have the meaning ascribed to them in the European Union General Data Protection Regulation 2016/679 (the "GDPR").
