2.8 Compliance 02. GDPR Article 26 Due Diligence

28.02 GDPR Article 26 Due Diligence:
1. This public information is provided as part of a formal Application Service Provider (ASP) reply to the author and company requesting the twenty questions. The company name has been excluded from this document for privacy reasons. This reply is in the context of the Application Service Provider (ASP) acting as the Data Processor to the company acting as the Data Controller. The Application Service Provider is structured and operates in compliance with the Information Technology Infrastructure Library (ITIL). This includes compliance with: ISO/IEC 27001 Information Security Standard (ISS); ISO/IEC 14001 Environmental Management Standard (EMS); ISO/IEC 31000 Risk Management Standard (RMS); ISO/IEC 9001 Quality Management Service; ISO/IEC 45001 Occupational Health and Safety Standard; and ISO/IEC 22301 Business Continuity Standard.
2. The application service involved has been fully operational since 2004 using dedicated racks of servers in many secure data centers. All business data is encrypted when stored and encrypted when communicated. Encrypted business data is continually replicated to a large number of secure data centers. Business continuity is designed into the application service so that it never stops and cannot be stopped. Not one minute of downtime has been experienced for more than a decade.
3. CSA due diligence 20 questions in compliance with GDPR Article 26 follow:

Glossary:
ASP means Application Service Provider acting as the data processor and may be known as the "service organization".
ISO means International Standards Organisation.
ITIL means Information Technology Infrastructure Library, which defines the organizational structure of the ASP.
ISS means Information Security Standard as ISO/IEC 27001.
EMS means Environmental Management Standard as ISO/IEC 14001.
RMS means Risk Management Standard as ISO/IEC 31001.
QMS means Quality Management Standard as ISO/IEC 9001.
OHS means Occupational Health and Safety Standard as ISO/IEC 45001.
BCS means Business Continuity Standard as ISO/IEC 22301.
SOC means Service Organization Controls based on Trust Services Principles to focus on non-financial reporting controls.
SSAE means Statement on Standards for Attestation Engagements, which is a SOC auditing standard.
DBS means Disclosure and Barring Service with regular recertification.
DPIA means Data Protection Impact Assessment in conformance with ICO requirements.
ICO means Information Commissioner's Office.
User shall be identified as an "approved person" by the ASP.
DBA means Database Administrator as a type of authentication role.
CSA means Cloud Security Alliance with a cloud control matrix that may replicate some SOC controls.

1. Recruitment Policy:
Q. Does your company have a pre-employment screening policy that includes criminal background checks?
A. Yes, people are recruited to the quality needed by health and social service businesses, with "Experian" background and criminal record checking, Disclosure and Barring Service (DBS) registration and annual verification for front-line staff.

2. Information Security Plan:
Q. Does your company have a written controls plan that contains the administrative, technical and physical safeguards you use to collect, process, protect, store, transmit, dispose of or otherwise handle business data (e.g., Information Security Plan)?
A. Yes, the data processor complies with international security standards with a focus on data-protection-by-design using excessive encryption in many replicated data centers.
*. The Application Service Provider is compliant with the ISO/IEC 27001 Information Security Standard (ISS). This includes the provision of a Data Protection Officer (DPO) to continually manage the Data Protection Impact Assessment (DPIA).
*. The Application Service Provider has imposed a mission to do whatever is needed to ensure that a reportable data breach is not possible. This mission is managed by continually replicating encrypted business data to a large number of secure data centers.

3. Access Control Management:
Q. Does the system or application which will be storing business data provide access control mechanisms (e.g., unique user identities, password standards, role-based access)?
A. Yes, a strong authentication service is provided for approved people to sign in using multiple factors, with continual monitoring to help real people in difficulty while blocking criminal attacks.

4. Privileged User Access:
Q. Are privileged system or application accounts controlled, audited and tracked (e.g., "root", "administrator", "dba", "super user")?
A. Yes, all privileged access demands the concurrent cooperation of at least three approved people using approved devices on approved networks.
*. A privileged person only has access to unreadable encrypted business data and would have little knowledge of the many encryption methods used at the field, record, table, file, partition and disk level. The privileged role of "dba" has been eliminated as normal application services have evolved to manage excessive encryption. The privileged role of "super user" has been eliminated as normal business roles have evolved to manage all application services.

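
The control described in item 4 (privileged access only with the concurrent cooperation of at least three approved people, on approved devices and approved networks) can be expressed as a small authorization decision. The code below is an added example, not the ASP's own code: the registries of approved people, devices and networks, the five-minute window used to define "concurrent", and every name, device id and address are assumptions constructed for the illustration.

```python
"""Quorum check for privileged access (added example, not the ASP's code).

Models the control stated in item 4: a privileged operation is allowed only
with the concurrent cooperation of at least three approved people, each on an
approved device and an approved network. The registries, the five-minute
concurrency window and every name, device id and address are assumptions
constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed registries standing in for the ASP's "approved" lists.
APPROVED_PEOPLE = {"alice", "bob", "carol", "dave"}
APPROVED_DEVICES = {"laptop-0f3a", "laptop-77c1", "laptop-a9d2", "laptop-e04b"}
APPROVED_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("192.168.5.0/24")]
QUORUM = 3                                  # distinct approved people required
CONCURRENCY_WINDOW = timedelta(minutes=5)   # how close in time "concurrent" means (assumption)


@dataclass(frozen=True)
class Approval:
    person: str
    device: str
    source_ip: str
    at: datetime


def approval_is_valid(a: Approval) -> bool:
    """An approval counts only if the person, the device and the source network are all approved."""
    if a.person not in APPROVED_PEOPLE or a.device not in APPROVED_DEVICES:
        return False
    try:
        ip = ip_address(a.source_ip)
    except ValueError:
        return False
    return any(ip in net for net in APPROVED_NETWORKS)


def privileged_access_granted(approvals: list[Approval]) -> tuple[bool, str]:
    """Return (granted, reason).

    Grants only when at least QUORUM distinct approved people have valid
    approvals inside one CONCURRENCY_WINDOW; repeated approvals from the same
    person never count twice, so one person cannot pad the quorum.
    """
    valid = sorted((a for a in approvals if approval_is_valid(a)), key=lambda a: a.at)
    if not valid:
        return False, "no valid approvals"
    for i, first in enumerate(valid):
        people = {a.person for a in valid[i:] if a.at - first.at <= CONCURRENCY_WINDOW}
        if len(people) >= QUORUM:
            return True, f"{len(people)} approved people cooperated within {CONCURRENCY_WINDOW}"
    distinct = {a.person for a in valid}
    if len(distinct) < QUORUM:
        return False, f"only {len(distinct)} distinct approved people, {QUORUM} required"
    return False, "approvals were not concurrent"


def sample_cases() -> dict[str, list[Approval]]:
    """Constructed scenarios a reviewer would want the control to decide correctly."""
    t0 = datetime(2018, 2, 11, 9, 0)

    def m(minutes: int) -> datetime:
        return t0 + timedelta(minutes=minutes)

    return {
        "quorum_met": [
            Approval("alice", "laptop-0f3a", "10.20.1.5", m(0)),
            Approval("bob", "laptop-77c1", "10.20.1.6", m(1)),
            Approval("carol", "laptop-a9d2", "192.168.5.9", m(2)),
        ],
        "same_person_three_times": [
            Approval("alice", "laptop-0f3a", "10.20.1.5", m(0)),
            Approval("alice", "laptop-0f3a", "10.20.1.5", m(1)),
            Approval("alice", "laptop-0f3a", "10.20.1.5", m(2)),
        ],
        "one_from_unapproved_network": [
            Approval("alice", "laptop-0f3a", "10.20.1.5", m(0)),
            Approval("bob", "laptop-77c1", "10.20.1.6", m(1)),
            Approval("carol", "laptop-a9d2", "203.0.113.7", m(2)),  # outside the approved ranges
        ],
        "not_concurrent": [
            Approval("alice", "laptop-0f3a", "10.20.1.5", m(0)),
            Approval("bob", "laptop-77c1", "10.20.1.6", m(20)),
            Approval("carol", "laptop-a9d2", "192.168.5.9", m(40)),
        ],
    }


if __name__ == "__main__":
    for name, approvals in sample_cases().items():
        print(name, privileged_access_granted(approvals))
```

The sliding window matters: three valid approvals spread over an hour are not "concurrent cooperation", and three approvals from one person are not three people. Both are the cases an auditor would probe when verifying this control.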
5. International Standards:
Q. Is your company compliant with International Standards?
A. Yes, the organisation is founded on ISO/IEC 20001 Information Technology Infrastructure Library.
*. ISO/IEC 27001 Information Security Standard compliance is critical to data center operations and GDPR compliance.
*. ISO/IEC 22301 Business Continuity Standard is built into how the business deploys Bespoke Application Services so they never stop and cannot be stopped.
*. ISO/IEC 9001 Quality Management Standard drives every project with documented procedures and non-conformance reporting.
*. ISO/IEC 31000 Risk Management Standard has identified the threats and has been used as the framework for DPIA reporting.
*. ISO/IEC 14001 Environmental Management Standard is part of the social contract to make the world a better place.
*. ISO/IEC 45001 Occupational Health and Safety Standard is mandated to protect people working in data centers and offices.

6. Multi-Tenancy:
Q. Does the system or application provide multitenant controls for separation of users and data within the service?
A. Yes, the application service has a multi-tenancy architecture where a multi-site group of approved people may share common business data.
*. Where the data controller is identified as a tenant, then dedicated racks of servers in many data centers are assigned to process that one and only tenant. Where the data controller is identified as a set of people in one site or a multiple-site group, then the architecture is designed to support multiple tenants sharing dedicated servers in many data centers.
*. Virtualization is not deployed. A three-tier architecture is deployed.

7. Excessive Encryption:
Q. Does your company utilize encryption methods for data in transit and data at rest where technically possible and legally permissible?
A. Yes, all business data is encrypted before it is stored, Personally Identifiable Information (PII) is excessively encrypted before it is encrypted, web page data is encrypted in transit and replicated data is encrypted when communicated.
*. Stored data is encrypted using different methods at the field level, table level, database level, file level, partition level and disk level.

8. Data Protection Act:
Q. Are files and records reviewed, retained and purged in accordance with legal requirements, contractual obligations and service level agreements?
A. Yes, all business data has a formal documented purpose and life cycle that includes the automatic destruction of business data when it is no longer needed.
*. All business data is encrypted and stored in many secure data centers. No backup copies of business data are stored on a local computer. No paper copies of business data exist.

9. Change Control Manager:
Q. Does your company follow a formal change control procedure (e.g., software development, hardware maintenance, operational updates)?
A. Yes, the Change Control Manager, using the Quality Management Service, manages the deployment of application services. Software development is being replaced with artificial intelligence knowledge management.
*. Hardware maintenance tends to be the scheduled recycling of a rack in one decommissioned data center while many other data centers continue to provide the application service. Many operational updates tend to be scheduled into the hardware recycling plan.

10. Test Environments:
Q. If your company requires use of business production data in a non-production environment, will the data be masked, scrambled or encrypted?
A. Yes, all production data is encrypted and when copied to any other data center it would remain meaningless.
*. User Acceptance Testing (UAT) is undertaken using multi-tenancy facilities in a production environment with designed test data that must be fully encrypted at all times.

11. Business Continuity Manager:
Q. Does your company have written Business Continuity / Disaster Recovery Plans, which are tested on a periodic basis?
A. Yes, the Business Continuity Manager, using the ISO/IEC Business Continuity Standards, manages and verifies the business continuity plan.
*. No Disaster Recovery Plan exists because backup-restart-recovery plans will always lose some business data, and the loss of some business data may become a reportable data breach. The continual replication of encrypted business data to a swarm of secure data centers is periodically tested when one data center becomes unavailable and the other data centers continue to provide the application service.

12. Three Tier Architecture:
Q. Does your company ensure adequate steps are taken to guard against unauthorized access to business data (e.g., firewall, IDS, IPS)?
A. Yes, the infrastructure deployed in each data center includes: a load-balanced firewall and intrusion detection server, a set of web servers, a set of application servers and a database server.
*. Only the IDS is connected to the public Internet, and it balances traffic to the web servers. Application servers are not connected to the public Internet, but are connected to each web server. The database server is not connected to the public Internet, but is connected to each application server. A bastion server is connected to the public Internet and connected to the set of application servers and the database server for secure administrative purposes only.

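
The connectivity stated in item 12 is a set of invariants that can be checked mechanically rather than asserted. The code below is an added example, not the ASP's configuration: it models the described topology as a directed graph of who may open connections to whom, verifies that only the IDS and the bastion face the public Internet, that web servers reach only the application tier, and that the database is reachable only through application servers or the bastion, and then shows how one line of drift (a web server gaining a direct route to the database) is reported. All host names are constructed placeholders.

```python
"""Segmentation check for the three-tier topology described in item 12.

Added example, not the ASP's own configuration. The stated connectivity is
modelled as a directed graph of who may open connections to whom, and the
check function verifies the invariants the answer claims: only the IDS/firewall
and the bastion face the public Internet, web servers reach only application
servers, and the database is reachable only from application servers and the
bastion. Host names are constructed placeholders.
"""
from __future__ import annotations

from collections import deque
from copy import deepcopy

# Directed adjacency built from item 12's description (constructed host names).
TOPOLOGY: dict[str, set[str]] = {
    "internet": {"ids", "bastion"},
    "ids": {"web1", "web2"},            # load-balanced firewall/IDS fronts the web tier
    "web1": {"app1", "app2"},
    "web2": {"app1", "app2"},
    "app1": {"db"},
    "app2": {"db"},
    "bastion": {"app1", "app2", "db"},  # administrative path only
    "db": set(),
}
PUBLIC_FACING = {"ids", "bastion"}
WEB_TIER = {"web1", "web2"}
APP_TIER = {"app1", "app2"}
DB_ADMIN_PATHS = APP_TIER | {"bastion"}
DATABASE = "db"


def reachable(topology: dict[str, set[str]], start: str,
              blocked: frozenset[str] = frozenset()) -> set[str]:
    """Breadth-first set of hosts reachable from `start`, never traversing `blocked` hosts."""
    seen: set[str] = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in topology.get(node, ()):
            if nxt in blocked or nxt in seen:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return seen


def check_segmentation(topology: dict[str, set[str]]) -> list[str]:
    """Return the list of item 12 invariants the topology violates; empty means compliant."""
    violations: list[str] = []
    # 1. Only the IDS/firewall and the bastion may face the public Internet.
    for host in sorted(topology.get("internet", set()) - PUBLIC_FACING):
        violations.append(f"{host} is exposed to the public Internet")
    # 2. Web servers may only open connections to the application tier.
    for web in sorted(WEB_TIER):
        for host in sorted(topology.get(web, set()) - APP_TIER):
            violations.append(f"web server {web} connects to {host}; the web tier may only reach the app tier")
    # 3. Nothing but application servers and the bastion may connect to the database.
    for host, peers in sorted(topology.items()):
        if DATABASE in peers and host not in DB_ADMIN_PATHS:
            violations.append(f"{host} connects directly to the database")
    # 4. Even indirectly, the database must be unreachable from the Internet once
    #    the application tier and the bastion are taken out of the graph.
    if DATABASE in reachable(topology, "internet", blocked=frozenset(DB_ADMIN_PATHS)):
        violations.append("database reachable from the Internet without passing through the app tier or the bastion")
    return violations


def misconfigured_topology() -> dict[str, set[str]]:
    """Constructed drift: a web server gains a direct route to the database."""
    bad = deepcopy(TOPOLOGY)
    bad["web1"].add("db")
    return bad


if __name__ == "__main__":
    print("baseline:", check_segmentation(TOPOLOGY) or "no violations")
    for v in check_segmentation(misconfigured_topology()):
        print("drift:", v)
```

In practice the adjacency would be generated from firewall rules or security-group exports rather than typed by hand; the value of the check is that the fourth invariant catches indirect paths that a rule-by-rule review of the web tier alone would miss.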
13. ITIL Operations Manager:
Q. Does your company maintain up-to-date versions of anti-virus software, anti-malware, anti-spyware and operating system security patches?
A. Yes, the ITIL Operations Manager is responsible for managing all installed software and ensuring that it is automatically maintained up to date at all times.
*. Dedicated servers are hardened to exclude all services that are not needed, so each server can provide one and only one service.

14. ITIL Incident Manager:
Q. Does your company have a written plan to promptly identify, report and respond to breaches of security related to business data (e.g., incident response plan)?
A. Yes, the ITIL Incident Manager is responsible for monitoring all services to identify incidents, which may be escalated to the ITIL Problem Manager.
*. Continual monitoring using artificial intelligence has created a safe and secure environment over the last decade to the point where a data breach could not happen.

15. Information Ownership:
Q. Would the data controller retain ownership of its data at all times?
A. Yes, the data controller is the data owner and the data processor shall use its best endeavours to ensure that the data controller has access to their business data at all times.
*. Personally Identifiable Information could be said to be owned by the data subject, who has the right to make a Subject Access Request, has the right to have data corrected and has the right to ask for data to be forgotten.

16. Service Organization Controls:
Q. Does your company hire an external audit firm to perform a compliance review of your operational controls (e.g., SOC 2 Type 2 report)?
A. Yes, external security auditors and engineers are contracted twice a year to undertake both internal and external penetration tests following the path of a criminal, with reporting based on the following seven topics:
*. Organization and Management is based on ITIL.
*. Communications is by built-in documentation and guides that are continually available to approved people.
*. Risk Management and Design and Implementation of Controls is managed by the Data Protection Officer with the Data Protection Impact Assessment.
*. Monitoring of Controls is focused on "Monica", the artificially intelligent assistant that continually checks for incidents, requests, errors, warnings and sign-in attempts. This may be a replication of regular internal and external penetration testing and audit documentation.
*. Logical and Physical Access Controls is driven by the principles of no physical access and at least three people cooperating together to gain logical access.
*. System Operations is a set of proven procedures that continually monitor all application services against service level agreements. This may be a replication of regular Cloud Security Alliance (CSA) audit documentation.
*. Change Management is driven by a proven quality management service.

17. Third Parties:
Q. Will third-party vendors (e.g., subcontractor, managed shared hosting) used by your company be restricted from having access to the system or application data?
A. Yes, because no third parties can have access to any business data and no managed shared hosting is deployed. All business data is excessively encrypted, so anybody with physical access to any machine would find the encrypted data meaningless and worthless.

18. SOC Report:
Q. Does your company provide assurance (in the form of a written report) of your and your third-party vendors' security and controls while customer data is being collected, processed and retained (e.g., SOC 2 Type 2 Report)?
A. Yes, a standard Service Organization Controls written report is available, subject to a non-disclosure agreement, to approved people and may be audited.

19. IT Assessment:
Q. Will your company allow an onsite IT Assessment prior to the final award of business?
A. Yes, any kind of audit and penetration test may be scheduled; however, it should be noted that no physical access to any secure production data center is possible.

20. IT Assessment:
Q. Would your company, and any relevant third-party service provider your company contracts with, permit the business to perform security audits?
A. Yes, regular internal and external penetration tests are conducted by approved audit firms for and on behalf of customers.

In-House Data Center:
1. The ASP phased out the last in-house server rack in 2004 as a duty of care for staff, because the data center was like a honeypot that attracted criminal attacks.
2. When a drug-induced gang of criminals think that valuable computers can be stolen from an office, then that office will be attacked both by day and by night.
3. Physical computers can be replaced, but the valuable business data stored on those computers is much harder to replace, and the threat to staff and their families has to be eliminated.

Document Control:
1. Document Title: GDPR Due diligence.
2. Reference: 162802.
3. Keywords: GDPR Due diligence.
4. Description: GDPR Due diligence.
5. Privacy: Public information service to whom it may concern.
6. Issued: 11 Feb 2018.
7. Edition: 1.8.