Supplier Information Security Requirements Policy

Valid from: 17.06.2020
Owner: Tarmo Randel, Head of Information Security

Scope

These requirements apply to any third parties who have access to Bolt data. Some requirements are grouped based on the data classification of data processed by the third party. Please refer to the Data Classification Policy for a detailed explanation of the classification categories. Please note that before any service or product is trialed, a proper check must be made to ensure that the third party can satisfy these requirements.

General requirements

A signed NDA is required whenever any data that will be processed by a third party is classified as internal, restricted or confidential. If personal data is exchanged with a third party then a Data Processing Agreement MUST be signed before any data exchange can occur.

Every supplier must implement all agreed and generally accepted information security best practices for all supplied components and materials, including software, hardware and information, in order to ensure the confidentiality, availability and integrity of Bolt's data. Where required, the supplier shall provide Bolt with complete documentation on the implementation of its security controls.

The following items must be implemented and verified:

  • in cases where personal data is being exchanged, a GDPR compliant Data Processing Agreement is required.
  • adequate technical and organisational level measures to be implemented on the connected systems. For purposes of clarity, the absolute minimum required is as follows:
    • access control rules and mechanisms.
    • securing exposed endpoints.
    • securing development and test environments.
    • demonstrating how data is secured at rest and in transit.
    • demonstrating existence of vulnerability management capabilities.
    • demonstrating existence of incident management and software update process.
    • PI secrets and password management.
    • log collection and monitoring.
    • clearly defined service level agreement with contact data.

All suppliers with proven HIPAA, PCI DSS, GDPR or ISO 27001 certification/validation usually demonstrate the implementation of these requirements, but this must still be verified. A reference to the relevant security controls should also be included in the supplier contract.

For all information-processing equipment providers and communication providers, a proper risk assessment must be carried out to assess possible risks and take the necessary remedial steps as may be required.

Detailed requirements

The detailed information security requirements must be verified by a member of the internal IT or information security team after the contract is signed and before any actual data processing takes place. In addition to the requirements set out here, the third party must be given access to Bolt's Information Security Policy and must agree to it in writing. The detailed requirements are provided in checklist form in Annex A.

Audit

On reasonable notice or information, and during normal working hours, Bolt shall have the right, but not the obligation, to review periodically the Supplier's operations, processes and systems insofar as they relate to the Services, for the purpose of monitoring the Supplier's compliance with the terms and conditions of this Policy.

Review and update

These requirements must be reviewed at least once a year by the document owner.

Annex A

Checklist for common requirements of processing confidential, restricted and internal information

  • Access control
    • are user accounts centrally managed
    • are user accesses regularly reviewed
    • are there enforced requirements for password length and complexity
    • are access failures being registered, alerted and investigated
    • is there multi-factor authentication
    • is the PKI being used in access control
    • are systems being accessed over public Internet directly
    • is there work-from-home policy or practice in place
  • Incident prevention and vulnerability management
    • is the software in workstations regularly, centrally managed and updated
    • is there centrally managed and monitored endpoint security software
    • is there requirement or practice to apply encryption to data at rest
    • is there requirement or practice to apply encryption to data in transit
    • are the workstations centrally manageable
    • is there “acceptable use” type of policy which addresses common cyber hygiene topics
    • are there any data backup policy or procedures
    • is the external and internal network perimeter regularly scanned
  • Incident handling policy and procedures
    • is there incident classification and prioritisation matrix
    • is there incident resolution escalation process
    • in case a data breach type classification exists for incidents, how many data breaches have been registered in the past 6 months

Checklist for processing confidential information

  • Incident handling policy and procedures
    • what data extra prevention mechanisms are implemented

Checklist for processing public information

  • Data integrity
    • is there any procedure in place to ensure data integrity