Minimum Information Security Requirements
The present document describes the minimum security requirements that must be taken into consideration by the Processors of European Reliance General Insurance Co. S.A. (the Company) for the protection of personal data and information processed within the framework of their cooperation with the Company. Its main purpose is to fulfil the minimum requirements set by the applicable legislation on personal data and privacy protection.
Compliance with these minimum security controls does not by itself guarantee an appropriate level of protection; the Processors must carry out a holistic and comprehensive assessment of the security level, according to the circumstances, the categories of personal data and the type of processing that will take place.
Moreover, the Company may include more advanced security requirements in the applicable contracts with the Processors.
Information security techniques, as well as security threats, are constantly evolving. Therefore, security must be reassessed continuously, in light of the specific circumstances at the time, in order to determine the appropriate level of protection.
Information Security Officer
1. The person responsible on behalf of the Processor for overall compliance with the minimum security requirements is the Information Security Officer. The Information Security Officer must have sufficient professional skills and experience to ensure the security of information, and adequate resources to ensure compliance effectively.
2. The contact details of the Information Security Officer must be communicated to the Company, and any change to those details must be notified immediately.
Security Plan - Documents
3. The controls established for compliance with the minimum security requirements (the “Security Plan”) must be recorded in “Security Documents”, which must be updated whenever significant changes occur in the Processor's IT Systems or whenever anything else occurs that may affect the security of the information administered. Indicatively, the security controls that must be included in the “Security Plan” (where applicable) are the following:
4. Security controls related to the modification, development and maintenance of the systems and applications (databases, digital files, etc.), including the security of the buildings or premises in which data are processed and stored, the security of data-processing equipment and telecommunications infrastructure, and environmental controls.
5. Data security mechanisms for ensuring data integrity, confidentiality and classification.
6. Security of the computer and telecommunications systems, including procedures for managing backup copies, procedures for handling computer viruses, procedures for administering trade marks/passwords, security of the software implementation, database security, connection of the systems to the Internet, checks for circumvention of the data system, and mechanisms for continuously logging attempts to breach the security system or to obtain unauthorized access to the system.
7. Recovery plan in case of disruption, which shall define the following: controls for minimizing interruptions to the normal operation of the systems; limitation of the extent of any damage or destruction; smooth transition of Personal Data from one computer system to another, where necessary; provision of alternative operating methods for the computer system; training, exercises and familiarization of the personnel with the emergency procedures; and assurance of a fast and smooth financial recovery and minimization of the financial consequences of a destruction incident.
8. Emergency plan, which must address the following potential risks to the systems and the appropriate indicators for determining when the Plan shall be activated: the critical operations and systems; the strategy for protecting the systems and the priorities once the Plan is activated; a list of the members of the personnel to be called in case of emergency, as well as the telephone numbers of other related parties; all the procedures needed to assess the current damage; action plans and time management for restoring the systems; clear allocation of duties among the personnel; potential use of alarms and special devices (e.g. air filters, noise filters); special equipment to be available in case of fire (e.g. extinguishers, water pumps, etc.); appliances or methods for measuring temperature, humidity and other environmental factors (e.g. air-conditioning devices, thermometers, etc.); special security software for monitoring security breach attempts; special generators for handling interruptions of the electrical power supply; and backups of the software or materials in all protected buildings, to avoid unintentional loss.
9. The “Security Documents” must be available to the personnel of the Processor that has access to the Personal Data, the IT systems and the hard-copy records, and must cover at least the following aspects:
10. The “Security Plan”, the “Security Documents” and all relevant files and documents must be kept at least for five (5) years after the end of the processing.
Tasks and Obligations of the Personnel of the Processor
11. Only personnel of the Processor who have demonstrated honesty, integrity and discretion may be Authorized Users or have access to the premises in which the Information Systems are hosted, the media that contain the Personal Data and the data storage rooms. The personnel must be bound by a non-disclosure obligation (NDA) regarding their access to the Data, and especially to Personal Data and Special Categories of personal data.
12. The Processor implements all appropriate measures to prepare the personnel for, and make them aware of, the minimum security requirements, the relevant policies and the applicable legislation governing their tasks in the Processing of Personal Data, as well as the consequences of any noncompliance with these requirements.
13. The duties and obligations of the personnel that have access to the Personal Data and the IT systems must be clearly defined and verified.
14. The Authorized Users must be informed that the electronic equipment and the data storage rooms must not be left unattended and accessible to unauthorized personnel.
15. Physical access to Personal Data storage rooms must be limited to the Authorized Users only.
16. The disciplinary measures for noncompliance with the “Security Plan” must be clearly determined, verified and communicated to the personnel.
Security Incident Reporting
17. The procedure for the reporting, management and response in case of security incidents should be reviewed at least annually by the Processor.
18. Only personnel of the Processor with a lawful professional need to access the IT systems and the data storage rooms, or to perform any Processing of Personal Data, are authorized to do so (“Authorized Users”).
19. Every Authorized User must have a personal and unique identification code for this purpose (“User ID”).
20. A User ID cannot be granted to another person, even at a later date.
21. The list of the Authorized Users, the authorized accesses and the identification and authentication procedures must be determined and kept up to date for each case of access to the IT systems and data storage rooms, and for every case of Processing of Personal Data.
22. Passwords must be forced to change at least every three (3) months.
23. The software, firmware and hardware installed in the IT systems must be reviewed at least every six (6) months in order to identify vulnerabilities and defects of the IT systems and to resolve them.
24. Mechanisms must be created that allow the unambiguous, individual identification of every user who attempts to access the IT system, together with a check that verifies the user's authorization.
25. Limits must be placed on repeated attempts, in order to avoid granting unauthorized access to the IT system. The User ID must lock after at most five (5) failed authorization attempts.
26. The Authorized Users may process Personal Data provided they have received certification credentials that allow them to successfully complete an identity verification procedure associated either with one specific Processing procedure or with a set of Processing procedures.
27. Authentication should be based on a secret password associated with the User ID and disclosed only to the Authorized User. Alternatively, authentication is performed via an authentication device, used and owned exclusively by the person responsible for the Processing, which may be associated with an identification code, a password or a biometric attribute of that person.
28. An Authorized User may own or use more than one certification credential.
29. The system must have a procedure that guarantees the confidentiality and integrity of the password. Passwords must be stored in a form that keeps them unintelligible for as long as they are in force. There must be an appropriate procedure for the assignment, distribution and storage of passwords.
30. Passwords must consist of at least eight (8) characters or, if the IT Systems make this technically impossible, of the maximum permissible number of characters. Passwords must not contain any information that could easily be associated with the Authorized User responsible for the Processing, and must be changed at regular intervals. After first use, the password must be changed by the Authorized User, and this must be repeated at least every three (3) months.
31. The guidelines provided to the Authorized Users set out their obligation, as a prerequisite for access to the IT Systems, to take the necessary precautions to keep their credentials confidential and to keep the devices used and owned exclusively by them with due care.
32. Certification credentials must be deactivated if they have not been used for at least six (6) months, except for those approved exclusively for purposes of technical administration and support.
33. Certification credentials must also be deactivated if the Authorized User is removed or is no longer authorized to access the IT systems or to Process Personal Data.
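The credential rules in paragraphs 22, 25, 29, 30 and 32 above, implemented as an added example; this is illustrative code, not part of the Company's document or of any Processor's system. It assumes the "three months" and "six months" periods as 90 and 180 days, uses salted PBKDF2 as one way of keeping stored passwords unintelligible, and the `Credential` class and its method names are the author's own choices.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 8                    # para. 30: at least eight characters
MAX_FAILED = 5                    # para. 25: lock after five failed attempts
ROTATION = timedelta(days=90)     # para. 22/30: change every three months (90 days assumed)
INACTIVITY = timedelta(days=180)  # para. 32: deactivate after six months unused (180 days assumed)

def policy_violations(user_id: str, password: str) -> list:  # para. 30 rules the candidate breaks
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if user_id.lower() in password.lower():
        problems.append("contains the User ID")
    return problems

def _hash(password: str, salt: bytes) -> bytes:
    # para. 29: only a salted, slow hash is stored, never the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class Credential:
    user_id: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    digest: bytes = b""
    set_at: datetime = datetime.min
    last_used: datetime = datetime.min
    failed: int = 0
    first_use: bool = True   # para. 30: an initial password must be changed by the user

    def set_password(self, password: str, now: datetime, first_use: bool = False) -> None:
        problems = policy_violations(self.user_id, password)
        if problems:
            raise ValueError(", ".join(problems))
        self.digest, self.set_at, self.last_used = _hash(password, self.salt), now, now
        self.failed, self.first_use = 0, first_use

    def authenticate(self, password: str, now: datetime) -> str:
        if now - self.last_used > INACTIVITY:                 # para. 32: stays deactivated
            return "deactivated"                              # until a new credential is issued
        if self.failed >= MAX_FAILED:
            return "locked"                                   # para. 25
        if not hmac.compare_digest(_hash(password, self.salt), self.digest):
            self.failed += 1
            return "locked" if self.failed >= MAX_FAILED else "bad_password"
        self.failed, self.last_used = 0, now
        if self.first_use:
            return "must_change"                              # para. 30: first-use change
        return "expired" if now - self.set_at > ROTATION else "ok"   # para. 22 rotation
```

The status strings are the decision an application would act on (prompt for a new password, refuse the login, or alert the Information Security Officer); a lockout or deactivation is released only by issuing a new credential through `set_password`.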
34. Only the Authorized Users of the Processor have access to the Data (digital or hard copy) of the Company, including Data stored on any digital or portable media and Data transmitted or physically transferred. The Authorized Users have approved access only to the data and resources necessary for the fulfillment of their duties.
35. A system should be used to grant Authorized Users access to the designated data and resources.
36. The authorization profile of every Authorized User, or of homogeneous groups of Authorized Users, must be created and configured prior to any Processing, in a way that allows access only to the data and resources necessary for the fulfillment of the Authorized Users' duties.
37. The validity of the conditions for the authorization profiles must be verified regularly, at least annually. The verification may also cover the list of Authorized Persons, organized into homogeneous categories of duties and authorization profiles.
38. Appropriate controls must be established to prevent unauthorized access (hard copy or digital) to, or use of, the IT systems by any user. More specifically, the IT systems must include state-of-the-art firewalls and intrusion detection systems for protection against unauthorized access, and must also include alarms, cameras, etc. Controls must be established to detect any unauthorized access to the IT systems or Processing of Personal Data, as well as any unsuccessful attempts of this kind.
39. The operating system or the access controls of the databases must be configured so as to ensure that only authorized access takes place.
Administration and Distribution of Media
40. The IT Systems, the physical Data storage media and the hard-copy records must be kept in a physically secure environment. Controls must be in place to prevent unauthorized physical access to the premises that host the Processor's IT Systems and hard-copy records.
41. Organizational and technical guidelines must be issued regarding the use of, and compliance rules for, removable media on which data are stored, in order to prevent unauthorized access and Processing.
42. Before media are reused or withdrawn, all necessary controls must be applied to prevent any future retrieval of the Personal Data, or of any other information stored on them, whether by reading the information in any other way or by reconstituting it with other technical means.
43. Media that contain Personal Data must be erased or rendered unreadable when they are no longer in use or before they are made available for other use.
44. Printouts or copies of hard-copy records are prohibited, except where there is written authorization from the Company, and then only by Authorized Users.
45. Encryption or an equivalent form of protection must be used to protect Data transmitted digitally via the Internet or stored on a portable device, and wherever the storage or Processing of Personal Data in a secure physical environment is required.
46. When media containing the Company's Personal Data, or the Company's hard-copy records, are to be moved from the designated premises as a result of maintenance operations, the necessary controls must be applied to prevent any unauthorized recovery of these Data or of any other information stored on them.
47. When Data are transmitted or transferred via an electronic communications network, specific controls must be established to monitor the data flow and to record the time of each transmission or transfer, the destination of every item of Data transmitted or transferred, and the credentials of the Authorized User who conducts the transmission or transfer.
Assurance, Backup copies and Restoration
48. There must be tools for preventing any unintentional modification or erasure of Data of any form (digital or hard copy).
49. Procedures must be defined and established for creating backup copies of digital data and for restoring them. These procedures must guarantee that the digital data records can be restored to the same state they were in when lost or destroyed.
50. Backup copies must be created at least once a week, unless the digital data have not been updated over that period.
51. The backup copies, as well as the data recovery procedures, must be kept in a different location from that of the IT Systems that process the Data. The Security Requirements also apply to backup copies.
52. Anti-virus software and intrusion detection systems must be installed on the IT Systems for protection against attacks or other unauthorized attempts against the IT Systems. The anti-virus software and the intrusion detection systems must be updated on a regular basis, at least every six (6) months, in line with the latest technological developments and best practices for the applicable IT Systems.
53. Only authorized personnel may have physical access to the premises where the Company's data are stored, and the Processor must keep an archive listing the personnel with access to these premises, including the name and the date and time of each access.
Record of Incidents
54. The Company must establish a process for the reporting, response and handling of security incidents, such as breaches of data security or attempts at unauthorized access.
55. Regular audits of compliance with the minimum security requirements must be conducted at least every two years, and their results provided in the form of an audit report.
56. The audit report must include findings on the extent to which the security measures and controls adopted comply with the minimum security requirements, identify any omissions and, where necessary, recommend corrective or supplementary controls. Moreover, the audit report must include the data, facts and comments on which its findings and recommendations are based.
57. The Audit Report should be provided upon request to the Information Security Officer of European Reliance.