The following technical and organizational measures (TOM for short) regarding the case of commissioned processing pursuant to Art. 28 DS-GVO/GDPR have been implemented: 

11/2023

Confidentiality

Admission control

The following measures prevent unauthorized persons from accessing the office premises where confidential/personal data is processed, used, or stored:

Technical measures

  • Alarm system (applies to locations Luisenforum/ Kirchgasse 6, and Tower/Kirchgasse 2)
  • Chip cards/transponder systems
  • RFID-based access control system for access to office areas (all locations)
  • RFID-based access control system for access to the server room, the staff office and the archive restricted to selected employees (need-to-know principle)
  • All external doors are fitted with smart locks
  • 24 hr recorded video surveillance of all entrances to all office areas in both buildings

Organizational measures

  • Reception at the Luisenstrasse 37-39 location (headquarters) is always staffed during business hours, 9 a.m.-5 p.m.
  • Registration of all visitors in the visitor list by the reception desk
  • Visitors are accompanied by staff in areas otherwise protected by the transponder system
  • Visitor management is specified in a policy for managing visitors
  • Central network equipment is secured in locked cabinets
  • All mobile equipment in the office is secured in lockable cabinets and safes
  • Security screening of all external providers/subcontractors, e.g., cleaning contractors
  • Strict security screening and monitoring of all other external service providers. In addition, all external contractors are closely supervised by Seibert-Group personnel when onsite. 
  • Out-of-office hours security at the Luisenforum / Kirchgasse 6 (location of our HQ)
    • Outside regular business hours of the Luisenforum (building) a security service patrols the premises. All entrances are via security doors and are alarmed. In addition, the entire building is under video surveillance
    • Access to Seibert-Group offices is only possible when employee ID has been verified, and this security service will accompany the staff member

Systems security access

The following measures prevent facilities/apps and data from being used by unauthorized persons:

Technical measures

  • All staff logins require usernames and passwords
  • Central assignment of passwords: passwords are generated by IT software according to defined criteria (minimum length and complexity)
  • Two-factor authentication for Google Workspace and applications authenticated via Workspace
  • Central software-supported password management with access history
  • Access to server systems only with personal, password-protected key files over an encrypted SSH (Secure Shell) connection
  • Operation of firewall software on each server system
  • Mobile device management
  • Use of an encrypted VPN connection for remote access
  • Encryption of data carriers, especially notebooks and smartphones, as well as backup data carriers
  • Comprehensive use of Encryption at Rest
  • Automatic 5 min desktop lock
  • Biometric access control for access to safes (fingerprint scanner)

Organizational measures

  • Managed user permissions based on need, clearly assigned user accounts
  • Documented, checklist-based process for creating and deactivating accounts for new and departing employees (onboarding/offboarding) and for adjusting authorizations in the event of a role and/or team change (changeboarding)
  • Regular verification of user authorizations to determine whether they are still required
  • Annual password change is enforced
  • Electronic keys for remote access are clearly assigned to authorized users
  • Software control of which keys can be used to access server systems
  • Password policy on the secure choice and proper use of passwords
  • Policy on the Handling of Personal Data
  • Policy on the use of mobile data carriers

User Access Management

The following additional measures ensure that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified, or removed without authorization during processing, use, and after storage:

Technical measures

  • File destruction in accordance with DIN 66399 (security level 3)
  • Physical destruction of data carriers by vetted, qualified service providers
  • Central logging of accesses and events

Organizational measures

  • Use of an authorization concept
  • Management of user rights by administrators
  • Process based on various checklists for granting and withdrawing rights when joining and leaving the company and when changing roles/teams

Separation control

The following specialized measures ensure data isolation, i.e., that data collected for different purposes can only be processed separately:

Technical measures

  • Separation of production and test systems through different virtual machines
  • Separation of independent systems through VLANs, firewalling, and virtual machines, each with its own database

Organizational measures

  • Management via an authorization concept


Integrity

Transfer control

The following measures shall ensure that personal data cannot be read, copied, modified or removed by unauthorized persons during electronic transmission or during their transport or storage on data carriers and that it is possible to verify and establish to which bodies personal data are intended to be transmitted by data transmission equipment:

Technical measures

  • Use of encryption for web transmission (widespread use of HTTPS and VPN)
  • Central logging of accesses and events
  • Secure transport containers for shredding documents with personal data

Organizational measures

  • Transfer in anonymized or pseudonymized form where possible or required
  • Due diligence regarding the selection of transport service providers
  • Use of encrypted data carriers during physical transport (physical transport is avoided as far as possible)


Input control

The following measures allow us to check and determine retrospectively if and by whom personal data has been entered, modified, or removed from data processing systems:

Technical measures

  • Central logging of accesses and system events
  • Use of the versioning functions in the various applications to log changes

Data availability and resilience

The following measures ensure that personal data is protected against accidental loss or destruction:

Technical measures

  • Fire and smoke detection systems
  • RAID system
  • Hourly system snapshots of the customer workspaces/accounts and data, and daily backups of this data on remote storage systems: https://seibert.biz/backupconcept
  • Separate partitions for operating systems and data to limit failures when storage capacities are exceeded
  • Monitoring of availability of all applications, services, and IT systems
  • Critical systems in both buildings are protected by a UPS (uninterruptible power supply). In the Luisenforum/Kirchgasse 6 this is a 1000 VA system; in the Tower/Kirchgasse it is a 1500 VA system.
  • Redundant design of critical systems

Organizational measures

  • Use of ISO 27001 certified IaaS service providers for fail-safe operation of customer systems
  • Our backup and recovery concept: https://seibert.biz/backupconcept
  • Regular tests of the data recovery system
  • System redundancy regarding operational and production systems. These systems and their associated backup servers are located in different, geographically separated data centers or availability zones
  • Documented and clearly defined emergency procedures in the event of an incident, based on a business continuity management handbook

Procedures for review, assessment, and evaluation of all data protection measures

Data protection, evaluation of procedures

Organizational measures

  • Central documentation of all data protection procedures and regulations with controlled access for employees as required/authorized
  • Annual review and evaluation of technical and organizational measures
  • We have an external data protection officer and an internal information security officer
  • Written commitment of employees to data secrecy (Art. 32 para. 4 DS-GVO/GDPR), telecommunications secrecy and trade secrecy
  • We provide regular data protection and security training and evaluation for all our employees. This includes dedicated IT training courses and one-on-one coaching provided by our in-house IT security specialists at least every two years
  • Company-wide data protection strategy and information security guideline
  • Policy on the Handling of Personal Data
  • Software-supported management of data protection agreements (AVVs) and their requirements
  • Data protection impact assessments are performed if required
  • We comply with the information obligations pursuant to Art. 13 and 14 DS-GVO/GDPR

Incident prevention & response management

Technical measures

  • Use of firewalls, including regular monitoring & security updates
  • Use of antivirus scanners on customer systems
  • Proactive monitoring of all our server systems to detect unauthorized third-party processes

Organizational measures

  • Defined, documented processes for reporting security and data protection incidents (also meeting our obligations to report incidents to the relevant supervisory authorities)
  • Immediate involvement of our DPOs (Data Protection Officers) and IPM in any security or data protection incident
  • All security and data protection incidents are recorded and documented via our ticket system and wiki
  • Clearly defined formal processes and responsibilities for following up on security and data protection incidents

Order control regarding outsourcing tasks to third parties

The following measures ensure that any confidential client data passed to any of our subcontractors can only be processed in accordance with that client's strict instructions:

Organizational measures

  • An initial audit of subcontractors' general work methods, security measures, and procedures
  • A second, more detailed inspection, including a thorough verification of all processes relating to the subcontractor's confidentiality, data protection, and data security policies
  • Conclusion of the necessary data processing agreement or E.U. standard contractual clauses
  • All communications and instructions to our subcontractors are documented and stored electronically in the form of e-mails
  • Agreement on effective control rights vis-à-vis the subcontractor

Further technical measures

  • Documented deletion of customer data at the customer's request in accordance with BSI specifications
  • Regular updates for all applications and operating systems:
    • Weekly scheduled operating system updates
    • Monthly updates of all internal applications of Seibert Group if available
    • Applications operated for our customers
    • Immediate software/OS updates in response to any newly discovered security vulnerabilities
  • Detailed monitoring of all server systems to detect malfunctions. https://seibert.biz/monitoring


Link to this page: https://seibert.biz/drawio-toms

This page was last edited on 01/25/2024.