Supplier Information Security Requirements Policy

Valid from: 17.06.2020
Owner: Tarmo Randel, Information Security Manager

Scope

These requirements apply to any third party that has access to Bolt data. Some requirements are grouped according to the classification of the data the third party processes. Refer to the Data Classification Policy for a detailed explanation of the classification categories. Note that before any service or product is trialled, appropriate due diligence must be performed to confirm that the third party is able to meet these requirements.

1- General requirements

Any data processed by a third party must be classified as Internal, Restricted or Confidential. Where personal data is exchanged with a third party, a data processing agreement is signed before any exchange of data takes place.

Every supplier must implement all agreed practices, as well as information security best practices, in all supplied components and materials, including software, hardware and information, in order to preserve the confidentiality, integrity and availability of Bolt data. Where applicable, the supplier provides complete documentation of the implementation of its security controls.

The following items must be implemented and verified:

  • in cases where personal data is being exchanged, a GDPR compliant Data processing agreement is required.
  • adequate technical and organisational level measures to be implemented on the connected systems. For purposes of clarity, the absolute minimum required is as follows:
    • access control rules and mechanisms.
    • securing exposed endpoints.
    • securing development and test environments.
    • demonstrating how data is secured at rest and in-transit.
    • demonstrating existence of vulnerability management capabilities.
    • demonstrating existence of incident management and software update process.
    • API secrets and password management.
    • log collection and monitoring.
    • clearly defined service level agreement with contact data.

Any supplier with proven HIPAA, PCI DSS, GDPR or ISO 27001 certification/validation usually demonstrates that it has implemented these requirements; nevertheless, this must be verified. References to the relevant security controls should also be included in the supplier contract.

For all providers of information-processing equipment and communication services, a proper risk assessment must be carried out to identify possible risks and take the necessary remedial steps as required.

Detailed requirements

Detailed information security requirements are to be checked by a member of the Internal IT or Information Security team after any agreement has been signed and before real data processing begins. In addition to the requirements presented here, the third party must have access to the Bolt Information Security Policy and agree in writing to comply with it. Detailed requirements are presented in checklist format in Appendix A.

Audit

On reasonable notice, and during normal working hours, Bolt shall have the right, but not the obligation, to review periodically the Supplier's operations, processes and systems insofar as they relate to the Services, for the purpose of monitoring the Supplier's compliance with the terms and conditions of this Policy.

Review and update

These requirements must be reviewed at least once a year by the document owner.

Appendix A

Checklist for common requirements of processing confidential, restricted and internal information

  • Access control
    • are user accounts centrally managed
    • are user accesses regularly reviewed
    • are there enforced requirements for password length and complexity
    • are access failures logged, alerted on and investigated
    • is multi-factor authentication in place
    • is PKI used in access control
    • are systems accessed directly over the public Internet
    • is there a work-from-home policy or practice in place
  • Incident prevention and vulnerability management
    • is the software on workstations regularly updated and centrally managed
    • is there centrally managed and monitored endpoint security software
    • is there a requirement or practice to apply encryption to data at rest
    • is there a requirement or practice to apply encryption to data in transit
    • are the workstations centrally manageable
    • is there an "acceptable use" type of policy that addresses common cyber hygiene topics
    • are there any data backup policies or procedures
    • are the external and internal network perimeters regularly scanned
  • Incident handling policy and procedures
    • is there an incident classification and prioritisation matrix
    • is there an incident resolution escalation process
    • where a data breach classification exists for incidents, how many data breaches have been registered in the past 6 months

Checklist for processing confidential information

  • Incident handling policy and procedures
    • what additional data leakage prevention mechanisms are implemented

Checklist for processing public information

  • Data integrity
    • are there any procedures in place to ensure data integrity