Security Measures – EndoGusto

  • Personnel.

Confidentiality and reliability. Personnel engaged in the processing of personal data are reliable, they are informed of the confidential nature of the personal data, they have received appropriate training on their responsibilities, are regularly trained, and they have executed written confidentiality agreements. Confidentiality obligations survive the termination of the personnel engagement. Access privileges are terminated upon termination of employment. 

Segregation of Duty and Limitation of Access. There is segregation of duties and personnel’s access to personal data is limited as appropriate and necessary to their roles.

Access Control and Authentication.

a. A procedure for user account creation and deletion, with appropriate approvals is in place;

b. Industry standard practices to identify and authenticate users who attempt to access information systems are utilized;

c. De-activated or expired identifiers are not granted to other individuals.

  • Physical and Environmental Security.

Physical Access. Company utilizes facilities with access control (e.g. CCTV, reception, access code), and with emergency and contingency plans for various disasters, including fire.  

Exposure of Documents. A Clean Desk Policy is implemented. All physical files are kept in cabinets or drawers. Photocopy and fax machines are not in common view.

Destruction of Documents. Papers with personal data are dispensed exclusively in paper shredders. After retention period, electronic data are not just deleted, but destroyed (including their back-ups) by overwriting with the use of special software, like file erasers, file shredders, file pulverizers or, alternatively, for destruction on a daily basis by formatting.

Portable Devices. Laptops are encrypted and accessed only by secure codes.  

  • Data Security.
  1. Use of anti-virus, anti-malware and anti-spyware software, and of industry-standard firewalls of the latest update;
  2. Undertaking of specific hardening activities;
  3. Capacity planning with view to work load and future requirements;
  4. Remote access based on encryption and safe protocols;
  5. Change control: all changes to platform, application, and production infrastructure (for example software update, development of new software, antivirus installation or deinstallation) are tested in an isolated environment not affecting real data; central administration of changes by specific users; regular controls that no software has been installed out of the regular process;
  6. logical and physical (where applicable) separation of personal data. 
  • Log Retention Policy.

General. Log files are retained for all crucial systems. The following information are necessarily retained at a minimum:

  1. identification of user who required access to personal data, date and time of the request, system for which access was requested, whether access has been granted or not.
  2. Same information with regard to non-authorized access efforts
  3. Printing requests of files with personal data
  4. Modifications in crucial files of the system or in the users’ rights
  5. Changes in the parameters of apps and systems
  6. Crucial events and of any action that may be considered as an attack or a security incident (e.g. port scanning). The retention of events is directly supervised by the Security Officer and the System Administrators.

Log files may only be assessed by the Security Officer and the system administrators. Deletion of log files has to be authorized by both the Security Officer and a member of the senior management.

  • Password Policy.

Access to all systems, applications and software is password protected. Admissible passwords comply with password configurations (eg minimum length, expiration, complexity etc.). Change of passwords is enforced regularly.

Passwords are not written, physically, in their actual form. They are retained electronically in an encrypted form, whereas the retrieval of their initial form is possible. After three attempts of unsuccessful access authorization, access is prohibited to the user.

Passwords are not kept in logs.

Industry standard procedures are implemented to deactivate passwords that have been corrupted or inadvertently disclosed.

  • Service Continuity and Disaster Recovery. Data Recovery.

EndoGusto utilizes facilities (data centers), for file storage and their back-ups, providing adequate emergency and contingency plans and guarantees, as well as adequate data recovery procedures. 

  • Incident Monitoring and Management.

An “Incident” means any security incident that may lead to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored or otherwise processed (potential Personal Data Breach). EndoGusto has in place a policy for Incident Monitoring and Management, which includes:

  1. internal reporting of potential Personal Data Breaches,
  2. recovery of a Personal Data Breach,
  3. risk assessment,
  4. notification of Personal Data Breach to the Data Controller, the Supervisory Authority and the affected data subject, as applicable,
  5. evaluation and response measures to prevent similar breaches.
  • Data Breach Policy.

EndoGusto has a Data Breach Policy in place, which includes but is not limited to:

  1. internal reporting of potential Personal Data Breaches,
  2. recovery of a Personal Data Breach,
  3. risk assessment,
  4. notification of Personal Data Breach to the Data Controller, the Supervisory Authority and the affected data subject, as applicable,
  5. evaluation and response measures to prevent similar breaches. A Security Officer is responsible for the implementation and update of the Data Breach Policy.
  • Account Owner’s responsibility. 

Customer is solely responsible for the safe connection to the internet. Account Owner is responsible to use complex and secure passwords, and renew them regularly. 

  • Audit and Review. 

Internal audit of all systems takes place on an annual basis. Technical and Organizational Security Measures are reviewed annually, and in case of a major change. Audit and Review include capacity planning of IT resources with view to future requirements based on workload and data storage requirements.

Security Measures – EndoGusto was last modified: November 4th, 2024 by Endogusto