1. General information
Serviceplan has adopted a range of appropriate technical and organisational measures to ensure a level of protection adequate to the risk, taking into account the state of the art, the implementation costs and the nature, extent, circumstances and purposes of the processing as well as the varying probability of occurrence and severity of the risk to the rights and freedoms of natural persons.
Serviceplan has established appropriate technical and organisational measures in order to:
- restrict access to locations where personal data or other confidential information is stored
- secure systems on which personal data or other confidential information is stored against unauthorized access.
- ensure that only authorized persons have admission to server rooms
- ensure that attempts to gain unauthorised admission are detected and prevented
- identify with certainty any person who wishes to have access to personal data or other confidential information
- grant such access only to authorised persons
- prevent the unauthorised inspection, copying, alteration or deletion of personal data or other confidential information
- create and configure authorization profiles to ensure that employees only have access to the personal information and other confidential information or resources they need to perform their assigned duties
- be able to determine whether, when and by whom personal data and other confidential information has been entered into, accessed, copied, modified, or deleted from CRM systems
- ensure that personal data and other confidential information is collected, processed and used only in accordance with this IT-security policy and other provisions (e.g. applicable laws, customer contracts, internal guidelines)
- ensure that personal data and other confidential information collected for different purposes may be separately processed
- ensure that personal data and other confidential information are, to the extent possible, pseudonymised or encrypted
- ensure that the confidentiality, integrity, availability and resilience of systems and services relating to the processing of personal data and other confidential information are maintained on a permanent basis
- ensure that the availability of, and access to, personal data and other confidential information may be rapidly restored in the event of a physical or technical incident
- ensure that all employees who have access to personal data or other confidential information are aware of their duties and the consequences of their violation
- ensure that employees are trained in their role in Incident Management through awareness measures
- ensure, through procedures, that data breaches will be reported to the supervisory authority within 24 hours
Measures in important individual domains are summarised in the following sections, whereby the illustration is based on the requirements of Art. 32 para. 1 GDPR in conjunction with the technical requirements of the BSI Basic Protection.
2. Admission control
Serviceplan adopts appropriate measures to prevent unauthorised persons from gaining entrance to data processing systems with which personal data are processed or used. For this purpose, Serviceplan implements the following measures, among others:
- Unauthorized admission to the buildings and rooms is largely prevented by various constructional measures, technical facilities and organizational precautions
- Constructional safety measures include among others:
- Door locks and electric door locks (transponder cards and badge reader)
- Secured light wells and ventilation openings
- Safety glazing of windows
- Technical facilities include, but are not limited to:
- Video surveillance in critical areas (e.g. all entrance doors etc.) by Dallmeier electronic GmbH & Co.KG, Bahnhofstr. 16, 93047 Regensburg, Germany
- Alarm secured doors
- Organisational arrangements shall include, inter alia:
- Guarding the buildings (factory security)
- Key control and acknowledgement of key issuance. Within this framework, it is documented who receives which admission card. The admission cards and the keys are handed out via the personnel system in a personalised form only (provider: Dorma Matrix Software) and managed by the Building Facility Management. The entire admission system is supplied by Dormakaba International Holding AG, Group Communications, Hofwisenstrasse 24, 8153 Rümlang, Switzerland.
- Secure storage of general keys and regulations for the removal of general keys
- Spatial storage locations for the safekeeping of data backups (lockable cabinet, safe). Only a part of the authorized IT employees and designated employees from facility management are granted admission (a total of 10 employees). This is necessary for the purposes of maintenance and fire protection.
- Logging of admissions
- Delivery zones are controlled
- Special security of the administrators' admission
- Clear assignment of authorizations (access building, office, server room)
- Regular inspection of access authorisations
- Guest principle:
- Visitors can only enter the building via the reception desk which is manned by staff, from where they are collected by an internal employee and always accompanied through the building, i.e. visitors cannot move freely and uncontrolled within the building
- Particularly critical areas (e.g. server rooms) are separately secured with fire doors
- Regular and occasion-based monitoring of IT functionality, including the aspect of admission control
3. Data carrier and storage control
Serviceplan will adopt reasonable measures to prevent data carriers from being read, copied, modified or deleted by unauthorised persons. For this purpose, Serviceplan shall take the following measures, among others:
- The use of mobile data media is not permitted in principle. Deviations from this rule may be made if this is necessary for administrative reasons (e.g. moving data from one end device to another), for organizational reasons (e.g. viewing the images from a photo shoot) or due to customer requirements (e.g. transfer of customer data). For the transfer of customer data, however, an encrypted HTTPS server with personal access is preferred.
- Before use, the relevant device is always checked by a virus scanner.
- An ownCloud (from ownCloud GmbH, Rathsbergstr. 17, 90411 Nuremberg, Germany) is used for data backup. The data is hosted on Serviceplan's own servers (file hosting). This allows several computers to access a consistent database. In addition, Office 365 from Microsoft (Microsoft Corporation, Redmond, One Microsoft Way, Redmond, Washington 98052-6399, United States) is also in use. It is ensured that the data are processed only in Europe.
- Immediate deletion or deactivation of permissions that are not or no longer required.
- Secure deletion or destruction and disposal of electronic data carriers and other documents containing confidential information that is no longer required.
- Certified disposal of old backup tapes.
4. User control
Serviceplan shall take appropriate measures to prevent automated processing systems from being used by unauthorised persons with the assistance of data transmission equipment. To this purpose, Serviceplan takes the following measures, among others:
- Multi-factor user authentication (MFA):
- Sign-in Risk Policy and User Risk Policy: The complete authentication is monitored and checked on the basis of various plausibility guidelines and comprehensive data tracking.
- Biometric authentication, FaceID, TouchID, Windows Hello and Apple Watch. On individual devices, 6-digit pin authentication is possible.
- During the authentication process, a maximum of 10 attempts may be made. The device is then locked.
- PIN authentication can only be carried out on the personally assigned device on which it was configured. The PIN is useless for third parties without this specific hardware.
- PIN authentication is supported by a Trusted Platform Module (TPM) chip. The chip includes several physical security mechanisms that make it impossible to manipulate. User key material is generated and deployed in the Trusted Platform Module (TPM) of the user device, which provides protection against attackers who want to capture and reuse the key material. Because it uses asymmetric key pairs, user login information cannot be stolen.
- Privileged employees are required to select a 10-character password. This must be changed every 60 days.
- Every 60 days, the authentication is revalidated on the device.
- Each login is checked for plausibility with Microsoft Azure AD. In order to log in to any IT system the user has to enter a user ID, usually consisting of user name and password.
- Automatic blocking of the computer after 5 minutes of inactivity with subsequent renewed login and waiting period of 60 sec.
- Automatic standby function for all workstations and mobile devices
- Enhanced password policy:
- Complexity default for passwords (8 characters, complex, password history, password change every 90 days).
- Passwords consist of letters, numbers and special characters. The passwords are distinguished between upper and lower case.
- When password changes are made by administrators, all other admins are informed (without knowing the password).
- There are no group passwords, but a single sign-on is used for all central applications and systems.
- Prohibition on disclosure of user IDs and passwords.
- Identical or similar passwords may not be reused for 2 years.
- New employees receive a one-time password to activate their account at their private e-mail address. No default passwords are used.
- The user ID must not be part of the password.
- The "Save password" function offered by some browsers may only be used on the managed end devices and on authorised browsers.
- Passwords that are used within the company must not be used in the same way in other environments (e.g. on the Internet, on customer portals, etc.).
- Administrator passwords are only known to permanent employees of the IT department. These are 30 characters long. The passwords are role-related. There is no general admin password.
- Immediate obligation to inform the IT managers in the event of detected or suspected password loss or other indications of unauthorized use of user IDs.
- Depending on the application, distributed passwords are also known to service providers for the corresponding application to ensure continuity (e.g. SAP service provider ISC).
- The IT-security policy is published on the intranet and is already integrated into all operational processes. Every in-house employee shall agree to it once a year. External employees are obliged to accept a non-disclosure agreement (NDA). The IT-security policy is regularly revised in order to keep pace with internal technical developments.
- It is ensured that access to the company network portal from outside is possible with multi-factor authentication (MFA).
- Differentiated authorizations and restrictive assignment of rights according to official requirements (need-to-know principle) and associated documentation. The assignment of additional authorisations shall only take place after written confirmation by the responsible managing director.
- Documentation of system, application and data accesses.
- Training measures for employees in dealing with personal data.
5. Access control
Serviceplan undertakes reasonable steps to ensure that persons authorized to use a data processing system have access only to the data that is subject to their access authorization and that personal data cannot be read, copied, modified or removed without prior authorization during processing, use and after storage.
To this end, Serviceplan takes the following measures, among others:
- Differentiated role-based authorization policy as to how authorizations are to be assigned, and restrictive assignment of rights according to official requirements (need-to-know principle)
- In principle, the following rights can be assigned:
- Create: Insert and edit a file
- Read: Read an existing file.
- Modify: Change an existing file.
- System authorisation, i.e. verification whether the user is entitled to carry out a certain action.
- Privileged access rights (administrators, consultants, service providers, supervisors)
- Preliminary examination and control of external connections to the internal interfaces by IT managers
- Immediate deletion or deactivation of authorizations that are not or no longer required
- Employees are only allowed to access the systems and data fields they need to fulfill their work assignment. If, in individual cases, it is necessary to access resources that lie outside the user's area of responsibility, the supervisor must be informed.
- The user accounts and access rights are configured by the supervisor via an internal personnel system (Colleague Tool) on the basis of the classification and authorization policy.
- If the employee leaves the company, is transferred or changes tasks and responsibilities, the personnel system (see above) automatically blocks any authorizations that are no longer required.
- New access rights are to be assigned and set up in accordance with the new area of responsibility. The rights authorization is to be reviewed annually. Rights that are no longer required shall be deleted.
6. Transmission and transport control
Serviceplan undertakes reasonable steps to ensure that personal data cannot be read, copied, modified or deleted without prior authorization during an electronic transmission or during its transport or storage on data carriers, and that it is verifiable and ascertainable where personal data are to be transmitted by data transmission facilities.
Serviceplan undertakes the following measures, among others, for this purpose:
- Encryption of all mobile devices.
- Tunnel connection (VPN = Virtual Private Network) via the SonicWall Mobile Connect system (provider: SonicWall Mobile Connect; Microsoft Corporation, Redmond, One Microsoft Way, Redmond, Washington 98052-6399, United States). A VPN connection is only possible once per device and is only technically possible if a device is compliant.
- Electronic signature and person-related mail encryption (software provider: SEPPmail - Germany GmbH, Ringstrasse 1c, 85649 Brunnthal b. Munich, Germany).
- In the case of highly sensitive information, TLS transport encryption (TLS preferred) in e-mail communication can be guaranteed.
- Depending on the need for protection, encryption or secure transport containers and paths shall be employed. The physical transport is carried out by Ontime Courier GmbH, Alois-Wolfmüller-Straße 8, 80939 Munich. However, this as a rule is avoided.
- Data carriers are shipped or transported in such a way that damage to the data carriers can be eliminated as far as possible (e.g. air-cushioned envelopes).
- All published services are transport encrypted (e.g. https, website, TLS/ITC).
- Internal: All central systems are encrypted.
- No forwarding of e-mails to private e-mail accounts of employees. Forwardings are automatically documented in accordance with the IT-security policy.
- Employee instructions for printing confidential documents: Ensuring that no one else has access to printouts. The entire print path is encrypted. Print jobs are sent encrypted and temporarily saved. Access to printouts is only possible with a personalised card (TA aQrate). The documents to be printed are to be deleted after 72 hours.
- All end devices, USB sticks, memory cards and mobile drives as well as other mobile data carriers for business use are provided by Serviceplan and are subject to the regulations of this policy. The procurement of IT equipment for corporate use is only permitted after inspection and approval by the IT department and only in accordance with the specifications defined by it.
7. Input control
Serviceplan undertakes reasonable steps to ensure that it is subsequently verifiable and ascertainable whether, by whom and at what time personal data has been entered into, modified in or deleted from data processing systems.
To this end, Serviceplan takes among others the following measures:
- Automatic documentation of system utilization in compliance with data protection law restrictions. Logging of all registrations, data accesses and changes as soon as sensitive data is included.
- Protocolling of accesses and access attempts:
- Access to files containing personally identifiable or confidential personally identifiable content
- Repeated entry of incorrect passwords for a login
- The protocols are to be evaluated regularly and promptly in the context of registration and deregistration for security-relevant and other critical activities and conditions. If the log data are not required for a longer period for legal reasons, e.g. to pursue legal claims, they shall be deleted immediately.
- Investigation of detected or suspected breaches of security-relevant regulations. Application of content filters (SonicWall SuperMassive, Sonicwall Inc. 1033 McCarthy Blvd, Milpitas, CA 95035), Gateway AV, Intrusion Prevention System.
8. Recovery
Serviceplan undertakes appropriate measures to ensure that the systems in use can be restored in the event of a fault. The rules for storing files are decided centrally and the data backup modalities are defined in cooperation with the administrators. All regulations are recorded in a data backup plan. For this purpose, Serviceplan takes among others the following measures:
- Use of a disk-to-disk backup system: In addition to fast data backup, this guarantees rapid recovery of backed up data. In this way, long-term archiving is also ensured. The use of both systems enables the combination of so-called "snapshots" (point-in-time copy), which save a momentary data image and are required for disaster recovery, with classic backup.
- Conducting test backups as part of the IT standard procedure for server installation after the initial backup and before the start of productive operation.
- The Serviceplan Group has two data processing centers of its own. According to the specifications of the BSI Basic Protection Manual, these are located more than 200 meters apart (and are used for data storage). In the data processing centers, the data is replicated every hour and mirrored within 0 to 4 hours.
- All data is stored in both data processing centers for 4 weeks for fast recovery. All data is archived for 10 years in accordance with the legal retention periods.
- Regular data backup on discs, including mirroring to redundant storage system.
- In addition to the central long-term backup, the Veeam backup and replication solution is deployed in the disaster recovery environment. The storage solution deployed is Ontap Data Management Software from NetApp, Inc. (1395 Crossman Ave, Sunnyvale CA 94089, United States); the backup solution in place is VEEAM Availability Suite and VEEAM Backup for Office 365 (provider: Veeam Software Group GmbH, Linden Park, Lindenstrasse 16, Baar, CH-6340).
- Function and recovery tests, also with regard to the risk of data loss.
- Depending on the system, data can be indexed to make it easier to find as part of the document management process.
- Primary data backup to a disk subsystem (NetApp Storage System) located in the second data center. This fast data backup to hard disks via secured fiber optic connections minimizes the impact on the productive systems.
- The recovery mechanisms are made available to all users in close cooperation with the IT department of the Serviceplan Group.
- Responsibility of storage system operators (such as SAN, backup, archiving) for the availability of storage media and the correct processing of recovery requests.
9. Availability control
Serviceplan undertakes reasonable steps to ensure that personally identifiable information is protected against accidental destruction or loss. To this end, Serviceplan takes among others the following measures:
- Buildings, rooms and IT are adequately protected in compliance with the requirements of Art. 24 and 33 GDPR (DS-GVO) in conjunction with the requirements of the BSI Basic Protection Manual against intentional or negligent behaviour or disruptions caused by force majeure, including the following measures:
- Fire protection equipment (fire extinguishers in server rooms and offices, fire doors and dampers, fire classification of rooms)
- Video surveillance of the server room
- Door locks and electric door locks (transponder card) on all server rooms
- Precautions for the backup and recovery of the data stock (see above under paragraph 6.8 "Recovery").
- Use of firewalls, virus scanners and other intrusion detection and prevention systems, including regular updates:
- Virus scanners that are deployed: Microsoft System Center Endpoint Protection (Microsoft Corporation, Redmond, One Microsoft Way, Redmond, Washington 98052-6399, United States) + eset Antivirus (ESET, spol. s r.o., Data Protection Officer, Einsteinova 24, 85101 Bratislava, Slovak Republic), Sophos Antivirus for storage systems (Sophos Limited, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United Kingdom);
- Firewall: SonicWall SuperMassive (Sonicwall Inc. 1033 McCarthy Blvd, Milpitas, CA 95035) and SonicWall Network Security virtual (NSv)
- Gateway security: Sonicwall sma
- Use of Jamf Pro (JAMF Software, LLC, 100 Washington Ave S, Suite 1100, Minneapolis, MN 55401, United States), Microsoft Intune and Microsoft SCCM (Microsoft System Center Configuration Manager) for (IT) Systems Management: Application and License Management, Security and Configuration Management, Patch Management, Computer Imaging and Asset Management.
- Use of Microsoft Intune MDM (Mobile Device Management) and Jamf Pro on all Serviceplan end devices for configuration, deletion and search of end devices, as far as permitted by data protection law.
- Backup not only of customer data (applications, databases, etc.), but also of data required to sustain operations. These are:
- Firewall rules and regulations
- Proxy settings
- Configurations of operating systems, applications and databases
- The backup of data (software, application data, protocol data, system data) is based on the generation principle. The backup cycle is based on a daily backup according to the "Forward Incremental Forever" principle. Depending on the type, between 30 and 1,500 generations are retained.
- Backup cycle from 1 hour to 24 hours (depending on data type), once to twice a week and once a month.
- The system administrators of the Serviceplan IT Infrastructure department are responsible for data backup and reconstruction as well as data storage in accordance with data protection regulations under the responsibility of the Senior Technical Manager.
- Holiday, illness and other substitution regulations: At least 2 permanent employees are responsible for all technologies/systems. For critical systems and service and maintenance contracts a reaction time of maximum 4 hours is contractually owed.
- Preventive blocking of security-critical content (e.g. certain file types) and untrustworthy sources (e.g. certain websites).
- Function and recovery tests, also with regard to the risk of data loss.
- Quarterly penetration tests for internal and external systems, rated according to CVSS, carried out by the independent service provider DATA-SEC IT-security.
- Failure computer center:
- In the event of an absolute disaster, i.e. the destruction of the computer centre, Serviceplan has a further replacement computer centre (RZ2). The hot-standby data center can be recovered with an RTO (Recovery Time Objective) between 0 and 4 hours. The two data centers are operated in parallel.
- The infrastructure connections of the WAN carriers are redundantly routed to the replacement data center. There are two separate Internet lines, one from the provider MNet and one from the provider Telekom. These have a different house access and go to both data processing centers.
- In the event of a disaster, all customer connections and the Internet connection are automatically redirected to the second data center.
- The central disk-based backup system is located in the second data center.
- A corresponding emergency policy exists for emergency situations.
Serviceplan shall undertake reasonable measures to ensure that all functions of the system are available and any malfunctions are reported. To this end, Serviceplan takes among others the following measures:
- Correctness of data backups: The "technical correctness" of backups is ensured to a high level by the data backup system and the following process:
- the transfer of backup data from the client to the backup server
- storing the backup data on the hard disk subsystems of the backup server
- storing the metadata in the backup system database, and
- the feedback on the success of the backup to the client. This means that the backup of a file is not reported as error-free until all operations in the chain have been completed successfully.
- The person responsible for data backup regularly checks whether the data backup was indeed carried out properly.
- Checkpoints for data backups are:
- the evaluation of log files and error logs
- the date of the backup file
- the sample inspection of the file contents and
- the plausibility of the file size etc.
- in individual cases, e.g. when using cryptographic methods, a file comparison is required.
- The backup servers are located in the second IT data processing center and are owned by Serviceplan. In the event of data loss caused by a locally limited event, the backups remain available for restoration at the location of the backup system in the second data center.
- Storage and provision of secured data on SAN storage systems.
- High availability of hardware: For each technical facility, Serviceplan has suitable maintenance contracts with the manufacturers, which either foresee immediate repair or provide replacement equipment. All critical hardware contracts have a reaction time of 4 hours or less [Dell, NetApp, Arista Networks and SonicWall, HPE (Hewlett Packard Enterprise Company, Aruba Networks)].
- Wherever possible, central production systems are operated by Serviceplan in cluster or failover mode. If individual components fail, the application is still available. All possible component redundancies are available for individual systems (e.g. fans, power supplies, network cards and RAID disk arrays).
- Monitoring of all essential systems (such as the backup system) with Icinga, including proactive reporting mechanisms to manufacturers, who can initiate the appropriate measures as soon as an imminent malfunction is detected.
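The backup checkpoints listed above (evaluation of log files and error logs, date of the backup file, sample inspection, plausibility of the file size, and cryptographic file comparison) as an added Python example; this is not Serviceplan's code or tooling. The record model, the 24-hour age limit, the 50 % size tolerance, the "JOB COMPLETED" success marker and the sample records are all assumptions constructed for the example.

```python
"""Backup verification checkpoints (added example, constructed inputs)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BackupRecord:
    """One backup generation as reported by a backup system (constructed model)."""
    name: str
    finished_at: datetime            # timestamp of the backup file
    size_bytes: int                  # size of this generation
    previous_size_bytes: int | None  # size of the previous generation, if any
    log_lines: list[str]             # job log / error log excerpt
    sample_source: bytes             # content of one sampled file at the source
    sample_restored: bytes           # the same file read back from the backup


MAX_AGE = timedelta(hours=24)      # assumption: daily cycle, older backups are stale
SIZE_TOLERANCE = 0.5               # assumption: +/-50 % vs. previous generation is plausible
SUCCESS_MARKER = "JOB COMPLETED"   # assumption: success line written by the backup system


def check_logs(lines: list[str]) -> list[str]:
    """Checkpoint 1: evaluate log files and error logs."""
    findings = [f"log: {ln.strip()}" for ln in lines if "ERROR" in ln or "FAILED" in ln]
    if not any(SUCCESS_MARKER in ln for ln in lines):
        findings.append("log: no success marker, backup must not be reported as error-free")
    return findings


def check_date(record: BackupRecord, now: datetime) -> list[str]:
    """Checkpoint 2: the date of the backup file must lie within the backup cycle."""
    age = now - record.finished_at
    if age > MAX_AGE:
        return [f"date: backup is {age.total_seconds() / 3600:.1f} h old (limit {MAX_AGE})"]
    return []


def check_size(record: BackupRecord) -> list[str]:
    """Checkpoint 4: plausibility of the file size against the previous generation."""
    if record.size_bytes <= 0:
        return ["size: backup file is empty"]
    if record.previous_size_bytes:
        ratio = record.size_bytes / record.previous_size_bytes
        if abs(ratio - 1.0) > SIZE_TOLERANCE:
            return [f"size: {ratio:.2f}x previous generation, outside tolerance"]
    return []


def check_sample(record: BackupRecord) -> list[str]:
    """Checkpoints 3 and 5: sample inspection by cryptographic file comparison."""
    src = hashlib.sha256(record.sample_source).hexdigest()
    dst = hashlib.sha256(record.sample_restored).hexdigest()
    if src != dst:
        return [f"sample: sha256 mismatch ({src[:12]}... vs {dst[:12]}...)"]
    return []


def verify_backup(record: BackupRecord, now: datetime) -> tuple[bool, list[str]]:
    """Run every checkpoint; the backup counts as verified only when all of them pass."""
    findings = (check_logs(record.log_lines) + check_date(record, now)
                + check_size(record) + check_sample(record))
    return (not findings, findings)


# Constructed sample data: one clean generation and one that fails every checkpoint.
NOW = datetime(2020, 10, 27, 8, 0, tzinfo=timezone.utc)
SAMPLE = b"customer record 4711; constructed sample content\n"

GOOD = BackupRecord("fileserver-daily", NOW - timedelta(hours=6), 1_050_000, 1_000_000,
                    ["INFO 02:00 job started", "INFO 02:41 JOB COMPLETED"],
                    SAMPLE, SAMPLE)
BAD = BackupRecord("crm-db-daily", NOW - timedelta(hours=40), 200_000, 1_000_000,
                   ["INFO 02:00 job started", "ERROR 02:05 volume /crm not reachable"],
                   SAMPLE, SAMPLE[:-1] + b"X")

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        ok, findings = verify_backup(rec, NOW)
        print(rec.name, "OK" if ok else "CHECK", *findings, sep="\n  ")
```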
11. Functional separation
Serviceplan will take reasonable steps to ensure that data collected for different purposes may be separately processed. To this purpose Serviceplan undertakes among others the following measures:
- Physically and/or logically separate storage, modification, deletion and transmission of data for different purposes (client capability)
- Separation of functions, especially between production and test data:
- Regular data backup on disks, including mirroring to redundant storage systems;
- Spatially separate storage of backup data carriers through outsourcing: Productive data are stored separately from backup data in the computing center;
- Firewall router configurations separate secure (e.g. company network) from insecure (e.g. Internet) networks. The internal company network is once again divided into zones, each of which is further subdivided by internal firewalls. A zone contains a maximum of one location or up to 250 workstations. All data transfer from the campus (internal client network) to central systems - whether hosted or in the data processing centre - is checked by an internal firewall.
12. Regular review, assessment and evaluation of technical and organisational measures
Serviceplan shall take appropriate measures to ensure that the effectiveness of the technical and organisational measures taken is regularly reviewed, assessed and evaluated. To this end, Serviceplan takes among others the following measures:
- Checking the reconstruction of data with the aid of data backup stocks after each change to the data backup procedure, otherwise at regular intervals. Here it must be ensured that a complete data reconstruction is possible.
- Training of employees in the handling of data and for sharpening IT-security awareness. The trainings are individual and take place in Serviceplan Campus, internal. This includes:
- the correct choice and use of data backup media
- the access rights to data backup for data backup and data reconstruction
- the correct use of data backup programs
- the correct storage and documentation of the data carriers for data backup
- Escalation and reporting channels for safety-related incidents:
- The IT helpdesk is the single point of contact for all Serviceplan customers and users. For the Munich location, the service center was implemented and staffed with personal IT contacts for 1st level support. The following activities, among others, are carried out at this contact point:
- Fault recording and request acceptance (requirements); resolution of minor faults (runtime < 15 minutes)
- Loan of pool hardware or other IT accessories
- Handing over of IT accessories when employees leave the company
- Issue of hardware for employee entries as well as newly ordered hardware and IT accessories
- Dispatch of group tickets
- Emergency support
- If deeper expert knowledge is required to process malfunctions or requests, the tickets are forwarded to the back office at the 2nd level.
- Availability of the IT managers and the company data protection officer as contact persons for all questions relating to IT use and IT-security.
Munich, 27th October 2020
Dr. Georg F. Schröder, LL.M.
Data Protection Officer