Access Control. Data Processor shall limit access to information and information processing facilities. Minimum requirements:
- An access control policy shall be established, documented and reviewed based on business and information security requirements
- Users shall only be provided with access to the network and network services that they have been specifically authorized to use

Data Processor shall ensure authorized user access only and prevent unauthorized access to systems and services. Minimum requirements:
- A formal user registration and de-registration process shall be implemented to enable assignment of access rights
- A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services
- The allocation and use of privileged access rights shall be restricted and controlled
- Asset owners shall review users’ access rights at regular intervals
- The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change

Data Processor shall define a robust and comprehensive set of attributes for passwords to be used on all accounts. All systems users shall be authenticated through state of the art authentication means. Minimum requirements:
- Minimum number of 12 digits
- Combination of three types of characters
- Prohibition of common terms
- Frequent renewal

Data Processor shall ensure the protection of information in networks and its supporting information processing facilities. Minimum requirements:
- Networks shall be managed and controlled to protect information in systems and applications
- Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced
- Groups of information services, users and information systems shall be segregated on networks

Data Processor shall record events and generate evidence. Minimum requirements:
- Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed
- Logging facilities and log information shall be protected against tampering and unauthorized access
- System administrator and system operator activities shall be logged and the logs protected and regularly reviewed

Data Processor shall ensure that all endpoints are protected. Minimum requirements:
- All endpoints shall be installed with managed anti-malware with up-to-date versions that will ensure up-to-date protection
- All endpoints shall be protected with a personal firewall and host-based intrusion prevention system
- External storage devices shall not be used to store Controller data unless the device is fully encrypted
- All endpoints shall be installed with the latest operating system and application updates/patches
- All endpoints shall be managed with a clear registration and decommissioning process. If endpoints are decommissioned or reallocated to other personnel, the data needs to be wiped in such a manner that it is not recoverable
- All unnecessary and insecure services shall be disabled on endpoints

Data Processor shall establish a framework for classifying data. It will provide a way to ensure sensitive information is handled according to the risk it poses to the organization. The most sensitive and critical data shall be monitored and protected at all times.

Data Processor shall ensure a consistent and effective approach to the management of information security incidents. Minimum requirements:
- Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents
- Information security events shall be reported through appropriate management channels as quickly as possible
- Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services
- Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents
- Information security incidents shall be responded to in accordance with the documented procedures

Data Processor shall establish a back-up and recovery plan for Products and Services aimed at being used by Data Controller. Minimum requirements:
- Complete records of the backup copies
- Documented restoration procedures
- Remote location to store backups
- Regular tests to restore backed-up data

Data Processor shall implement business continuity management systems. Minimum requirements:
- Data Processor shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster
- Data Processor shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation
- Data Processor shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations

The Data Processor security resource will certify that the Products and Services meet the security requirements, that all security activities have been performed, and that all identified security issues have been documented and resolved. Any exceptions to the certification status shall be fully documented prior to delivery and provided to Data Controller for consideration and discussion.
Appears in 3 contracts
Sources: Data Processing Agreement, Data Processing Agreement, Data Processing Agreement
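The access-rights review the clause above requires (regular review by asset owners, removal on termination, adjustment on change of role) is usually done by reconciling the systems' account lists against the HR roster. The following is an added example of that reconciliation, not code from any of the agreements on this page: the roster and account fields, the system names and the 90-day re-attestation interval for privileged grants are assumptions, and the sample records are constructed.

```python
"""Access-rights review against the HR roster.

Added example; not code from any agreement on this page. The roster and
account fields, the systems named and the 90-day review interval are
assumptions for illustration, and the sample records are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Person:
    user_id: str
    status: str        # "active" or "terminated" (HR is the source of truth)
    department: str    # current department, to catch "adjusted upon change"


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    privileged: bool
    department_at_grant: str   # department the user was in when access was granted
    last_reviewed: date        # last time an asset owner re-attested this grant


# Constructed sample data; no real people or systems.
ROSTER = [
    Person("alice", "active", "finance"),
    Person("bob", "terminated", "engineering"),
    Person("carol", "active", "support"),        # moved out of engineering
    Person("dave", "active", "engineering"),
]
ACCOUNTS = [
    Account("alice", "erp", False, "finance", date(2024, 5, 1)),
    Account("bob", "erp", True, "engineering", date(2024, 5, 1)),
    Account("carol", "git", True, "engineering", date(2024, 5, 1)),
    Account("dave", "git", True, "engineering", date(2024, 1, 15)),
    Account("svc-legacy", "db", True, "engineering", date(2023, 11, 1)),
]


def review_access(people, accounts, today, review_interval_days=90):
    """Reconcile accounts against the roster; returns findings by category.

    terminated:     holder has left but the account still exists (leaver)
    role_changed:   holder changed department since the grant (mover)
    orphaned:       account has no roster entry at all
    review_overdue: privileged grant not re-attested within the interval
    """
    roster = {p.user_id: p for p in people}
    findings = {"terminated": [], "role_changed": [], "orphaned": [], "review_overdue": []}
    for acct in accounts:
        person = roster.get(acct.user_id)
        if person is None:
            findings["orphaned"].append(acct)
            continue
        if person.status == "terminated":
            findings["terminated"].append(acct)
            continue
        if person.department != acct.department_at_grant:
            findings["role_changed"].append(acct)
        if acct.privileged and (today - acct.last_reviewed).days > review_interval_days:
            findings["review_overdue"].append(acct)
    return findings


def summarize(findings):
    """Flatten findings to sorted 'user@system' strings per category."""
    return {cat: sorted(f"{a.user_id}@{a.system}" for a in accts)
            for cat, accts in findings.items()}


def example_findings():
    """Run the review on the constructed data as of 2024-06-01."""
    return summarize(review_access(ROSTER, ACCOUNTS, today=date(2024, 6, 1)))


if __name__ == "__main__":
    for category, items in example_findings().items():
        print(f"{category:15s} {items}")
```

The orphaned category is the one that matters most in practice: an account with no roster entry (a service account, a contractor never entered in HR, a test user) is exactly what a termination-driven process never revokes, so a review that only walks the leaver list will miss it.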
Access Control. Data Processor shall limit access to information and information Processing facilities. Minimum requirements:
- An access control policy shall be established, documented and reviewed based on business and information security requirements
- Users shall only be provided with access to the network and network services that they have been specifically authorized to use

Data Processor shall ensure authorized user access only and prevent unauthorized access to systems and services. Minimum requirements:
- A formal user registration and de-registration process shall be implemented to enable assignment of access rights
- A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services
- The allocation and use of privileged access rights shall be restricted and controlled
- Asset owners shall review users’ access rights at regular intervals
- The access rights of all employees and external party users to information and information Processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change

Data Processor shall define a robust and comprehensive set of attributes for passwords to be used on all accounts. All systems users shall be authenticated through state-of-the-art authentication means. Minimum requirements:
- Minimum number of 12 digits
- Combination of three types of characters
- Prohibition of common terms
- Frequent renewal

Data Processor shall ensure the protection of information in networks and its supporting information Processing facilities. Minimum requirements:
- Networks shall be managed and controlled to protect information in systems and applications
- Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced
- Groups of information services, users and information systems shall be segregated on networks

Data Processor shall record events and generate evidence. Minimum requirements:
- Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed
- Logging facilities and log information shall be protected against tampering and unauthorized access
- System administrator and system operator activities shall be logged and the logs protected and regularly reviewed

Data Processor shall ensure that all endpoints are protected. Minimum requirements:
- All endpoints shall be installed with managed anti-malware with up-to-date versions that will ensure up-to-date protection
- All endpoints shall be protected with a personal firewall and host-based intrusion prevention system
- External storage devices shall not be used to store Controller data unless the device is fully encrypted
- All endpoints shall be installed with the latest operating system and application updates/patches
- All endpoints shall be managed with a clear registration and decommissioning process. If endpoints are decommissioned or reallocated to other personnel, the data needs to be wiped in such a manner that it is not recoverable
- All unnecessary and insecure services shall be disabled on endpoints

Data Processor shall establish a framework for classifying data. It will provide a way to ensure sensitive information is handled according to the risk it poses to the organization. The most sensitive and critical data shall be monitored and protected at all times.

Data Processor shall ensure a consistent and effective approach to the management of information security incidents. Minimum requirements:
- Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents
- Information security events shall be reported through appropriate management channels as quickly as possible
- Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services
- Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents
- Information security incidents shall be responded to in accordance with the documented procedures

Data Processor shall establish a back-up and recovery plan for Products and Services aimed at being used by Data Controller. Minimum requirements:
- Complete records of the backup copies
- Documented restoration procedures
- Remote location to store backups
- Regular tests to restore backed-up data

Data Processor shall implement business continuity management systems. Minimum requirements:
- Data Processor shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster
- Data Processor shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation
- Data Processor shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations

The Data Processor security resource will certify that the Products and Services meet the security requirements, that all security activities have been performed, and that all identified security issues have been documented and resolved. Any exceptions to the certification status shall be fully documented prior to delivery and provided to Data Controller for consideration and discussion.
Appears in 2 contracts
Sources: Data Processing Agreement, Data Processing Agreement
Access Control. Data Processor shall limit access to information and information processing facilities. Minimum requirements:
- An access control policy shall be established, documented and reviewed based on business and information security requirements
- Users shall only be provided with access to the network and network services that they have been specifically authorized to use

Data Processor shall ensure authorized user access only and prevent unauthorized access to systems and services. Minimum requirements:
- A formal user registration and de-registration process shall be implemented to enable assignment of access rights
- A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services
- The allocation and use of privileged access rights shall be restricted and controlled
- Asset owners shall review users’ access rights at regular intervals
- The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change

Data Processor shall define a robust and comprehensive set of attributes for passwords to be used on all accounts. All systems users shall be authenticated through state-of-the-art authentication means. Minimum requirements:
- Minimum number of 12 digits
- Combination of three types of characters
- Prohibition of common terms
- Frequent renewal

Data Processor shall ensure the protection of information in networks and its supporting information processing facilities. Minimum requirements:
- Networks shall be managed and controlled to protect information in systems and applications
- Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced
- Groups of information services, users and information systems shall be segregated on networks

Data Processor shall record events and generate evidence. Minimum requirements:
- Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed
- Logging facilities and log information shall be protected against tampering and unauthorized access
- System administrator and system operator activities shall be logged and the logs protected and regularly reviewed

Data Processor shall ensure that all endpoints are protected. Minimum requirements:
- All endpoints shall be installed with managed anti-malware with up-to-date versions that will ensure up-to-date protection
- All endpoints shall be protected with a personal firewall and host-based intrusion prevention system
- External storage devices shall not be used to store Controller data unless the device is fully encrypted
- All endpoints shall be installed with the latest operating system and application updates/patches
- All endpoints shall be managed with a clear registration and decommissioning process. If endpoints are decommissioned or reallocated to other personnel, the data needs to be wiped in such a manner that it is not recoverable
- All unnecessary and insecure services shall be disabled on endpoints

Data Processor shall establish a framework for classifying data. It will provide a way to ensure sensitive information is handled according to the risk it poses to the organization. The most sensitive and critical data shall be monitored and protected at all times.

Data Processor shall ensure a consistent and effective approach to the management of information security incidents. Minimum requirements:
- Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents
- Information security events shall be reported through appropriate management channels as quickly as possible
- Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services
- Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents
- Information security incidents shall be responded to in accordance with the documented procedures

Data Processor shall establish a back-up and recovery plan for Products and Services aimed at being used by Data Controller. Minimum requirements:
- Complete records of the backup copies
- Documented restoration procedures
- Remote location to store backups
- Regular tests to restore backed-up data

Data Processor shall implement business continuity management systems. Minimum requirements:
- Data Processor shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster
- Data Processor shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation
- Data Processor shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations

The Data Processor security resource will certify that the Products and Services meet the security requirements, that all security activities have been performed, and that all identified security issues have been documented and resolved. Any exceptions to the certification status shall be fully documented prior to delivery and provided to Data Controller for consideration and discussion.
Appears in 2 contracts
Sources: Data Processing Agreement, Data Processing Agreement
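The password attributes listed in the three variants above (minimum length, three character types, prohibition of common terms) are the part of the clause that ends up encoded in a validator at the point where a password is set. The following is an added example of such a check, not code from any of the agreements on this page. It reads "12 digits" as a 12-character minimum, uses a small constructed denylist in place of a real breached-password corpus, and goes beyond the clause text by normalising common substitutions ("P@ssw0rd") before matching, since a literal substring check is easily bypassed. "Frequent renewal" is a password-aging setting of the identity system and is not something a validator can enforce; note also that NIST SP 800-63B advises against forcing periodic rotation in the absence of evidence of compromise, so this requirement is worth discussing with the Controller rather than implementing blindly.

```python
"""Password-attribute check for the clause's composition requirements.

Added example, not from any agreement on this page. The denylist below is a
constructed stand-in for a real common-password list, the leetspeak
normalisation goes beyond the clause text, and "12 digits" is read as a
12-character minimum. Renewal is enforced by the identity system, not here.
"""

# Constructed denylist; a real deployment would load a breached-password corpus.
COMMON_TERMS = {"password", "welcome", "qwerty", "letmein", "admin", "summer", "monkey"}

# Map common substitutions back to letters so "P@ssw0rd" still matches "password".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def character_classes(pw):
    """Return the set of character classes present: lower, upper, digit, symbol."""
    present = set()
    for ch in pw:
        if ch.islower():
            present.add("lower")
        elif ch.isupper():
            present.add("upper")
        elif ch.isdigit():
            present.add("digit")
        else:
            present.add("symbol")   # punctuation, whitespace, anything else
    return present


def check_password(pw, min_length=12, min_classes=3, common_terms=COMMON_TERMS):
    """Return a list of violations; an empty list means the password complies."""
    violations = []
    if len(pw) < min_length:
        violations.append(f"length {len(pw)} is below the minimum of {min_length}")
    classes = character_classes(pw)
    if len(classes) < min_classes:
        violations.append(f"only {len(classes)} character class(es) present: {sorted(classes)}")
    # Lower-case and undo substitutions before looking for prohibited terms.
    normalised = pw.lower().translate(_LEET)
    hits = sorted(term for term in common_terms if term in normalised)
    if hits:
        violations.append(f"contains common term(s): {hits}")
    return violations


def is_compliant(pw):
    return not check_password(pw)


if __name__ == "__main__":
    for candidate in ["Summer2024!", "P@ssw0rd12345",
                      "correct horse battery staple", "Tq7#mvLw9pXz!e"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Run stand-alone, the block rejects "Summer2024!" on both length and the common term, rejects "P@ssw0rd12345" only because normalisation recovers "password", rejects the long all-lowercase passphrase on character classes alone, and accepts the last candidate. The denylist check should run on the normalised form but the length check on the original string, as above, since normalisation can never change the length but it can unmask the term.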
Access Control. Cvent shall maintain reasonable access controls to authorize, limit and monitor Cvent employee and Cvent contractor access to Customer Data maintained in Cvent’s information systems. Controls shall include: multi-factor authentication over a secured VPN connection to any systems hosting Production Data; processes to provision user access with formally approved authorization using unique authentication IDs per individual; managing and reviewing privileged user access on a quarterly basis and performing a full review on an annual basis; and prompt removal of user access upon termination of employee or contractor status with Cvent. User passwords and other login information used to facilitate user identification and access to Cvent information systems shall be protected from unauthorized access by secure login mechanisms. Passwords shall be changed every ninety (90) days and accounts shall be disabled after a specific number of invalid login attempts. Role-Based Access Controls shall be in place to ensure that only authorized Employees have access to any systems that could store or transmit Customer Data.

Customer Data Protection. Cvent shall maintain reasonable controls to safeguard Customer Data maintained in Cvent systems from unauthorized access, exposure, modification, and/or loss. Controls to protect Customer Data may include, but are not limited to, the following: Protecting Customer Data in transit and while at rest, as required by Cvent’s Information Classification standard, by implementing strong cryptography controls using AES-256 for specifically handling PII and Customer financial data. All backups containing Customer Data shall be encrypted and all databases logically separated to ensure the confidentiality of Customer Data. Procedures shall be in place for maintaining encrypted backups of Customer Data in a secure area(s) and securely disposing or destroying Customer Data using techniques consistent with NIST 800-88, “Guidelines for Media Sanitization” or other similar industry standards.

Network and System Security. Cvent shall maintain reasonable controls to operate Information Systems that maintain Customer Data. Controls include, but are not limited to: logical and/or physical network segmentation for Development and/or Production regions, network segregation between DMZs and systems hosting sensitive data, controlling and monitoring network access, network filtering devices, firewalls, intrusion detection systems, anti-virus & anti-malware solutions, and logging capabilities to detect and respond to unauthorized or suspicious activity. Cvent shall actively monitor for known security events and anomalies that may pose a threat to Customer Data. Additionally, Cvent shall also maintain a Change Management process to control significant planned and unplanned changes to Cvent’s Information Systems.
Appears in 2 contracts
Sources: GDPR Data Protection Addendum, Data Processing Addendum
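The Cvent variant above requires that accounts be disabled after a specific number of invalid login attempts. The following is an added example of that mechanism, not Cvent's code or code from any agreement on this page: the threshold of five failures, the 600-second counting window, the event format and the administrative unlock are assumptions for illustration, and the event stream is constructed. The window is the detail the clause leaves open and the one that matters: counting failures forever means a handful of typos spread over months eventually locks a legitimate user out, while counting only recent failures still stops a burst of guesses.

```python
"""Invalid-attempt lockout with a sliding window and an admin unlock.

Added example, not Cvent's code or from any agreement on this page. The
threshold (5), the window (600 s) and the event format are assumptions for
illustration; the event stream is constructed.
"""
from collections import defaultdict, deque


class LockoutPolicy:
    """Disable an account after max_failures failed logins inside window_seconds."""

    def __init__(self, max_failures=5, window_seconds=600):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked = set()

    def record(self, ts, user, outcome):
        """Apply one login attempt; returns 'allowed', 'rejected' or 'locked'."""
        if user in self.locked:
            return "locked"            # even a correct password is refused
        if outcome == "success":
            self.failures[user].clear()
            return "allowed"
        recent = self.failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > self.window_seconds:
            recent.popleft()           # failures older than the window expire
        if len(recent) >= self.max_failures:
            self.locked.add(user)
            recent.clear()
            return "locked"
        return "rejected"

    def unlock(self, user):
        """Administrative re-enable after the user's identity has been verified."""
        self.locked.discard(user)
        self.failures[user].clear()


# Constructed event stream: (seconds, user, outcome).
EVENTS = [
    (0, "alice", "fail"), (5, "alice", "fail"), (9, "alice", "success"),
    (20, "bob", "fail"), (21, "bob", "fail"), (22, "bob", "fail"),
    (23, "bob", "fail"), (24, "bob", "fail"),          # fifth failure: locked
    (25, "bob", "success"),                            # right password, still locked
    (100, "alice", "fail"),
    (800, "alice", "fail"), (810, "alice", "fail"),
    (820, "alice", "fail"), (830, "alice", "fail"),    # four in window; the one at 100 expired
    (850, "bob", "admin_unlock"),
    (900, "bob", "success"),
]


def replay(events, policy=None):
    """Feed events through the policy; returns the decision for each event in order."""
    policy = policy or LockoutPolicy()
    decisions = []
    for ts, user, outcome in events:
        if outcome == "admin_unlock":
            policy.unlock(user)
            decisions.append("unlocked")
        else:
            decisions.append(policy.record(ts, user, outcome))
    return decisions


if __name__ == "__main__":
    for (ts, user, outcome), decision in zip(EVENTS, replay(EVENTS)):
        print(f"t={ts:4d} {user:6s} {outcome:12s} -> {decision}")
```

One caveat a practitioner will want alongside this clause: a permanent disable triggered by username alone is a denial-of-service lever, since anyone who knows a login name can lock its owner out by submitting five wrong passwords. Deployments therefore usually combine a time-limited lock or escalating delay with alerting on bursts of lockouts, and reserve the permanent disable for accounts that an administrator then verifies.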