Access Control to Processing Areas (Physical Access Control)
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are processed.
The CareAR service is hosted on Google Cloud Platform (GCP). This ensures that all physical access to processing areas is restricted using Google’s controls. These are described here and include (but are not limited to) the following:
- Google designs and builds its own data centers, which incorporate multiple layers of physical security protections.
- Access to these data centers is limited to only a very small fraction of Google employees.
- Google uses multiple physical security layers to protect the data center floors and uses technologies like biometric identification, metal detection, cameras, vehicle barriers, and laser-based intrusion detection systems.
- Google additionally hosts some servers in third-party data centers, where they ensure that there are Google-controlled physical security measures on top of the security layers provided by the data center operator.
Access Control to Data Processing Systems (System Access Control)
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons. User identification and authentication procedures include:
- Production access is reviewed periodically - all users are verified
- Access requests are tracked in JIRA with VP of Operations approvals - reviews done at least quarterly
- GCP read only accounts are given only to those with need
- System Admin accounts (read only) are given only to those that require access
- Currently using Google authentication so lockouts are based upon Google's control - MFA is manually verified
- CareAR internet facing infrastructure is all using Google services - no servers are configured or managed by CareAR
Access Control to Use Specific Areas of Data Processing Systems (Data Access Control)
Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization
All users with access to production have:
- been approved by management to have access to the systems
- been given the minimum access (read only access for most)
- read and acknowledged the CareAR Data Management Policy
- read and acknowledged the Xerox security and privacy policies
- taken GDPR and privacy training as part of Xerox onboarding
Measures to prevent the personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof of during the transport of the data media.
- Network and network access protection technologies are used
- Monitoring of the completeness and correctness of the transfer of data is supported by using networking protocols (TCP/TLS) with error correction features
Technical and organizational measures to monitor whether data have been entered, changed or removed (deleted), and by whom, from data processing systems
- Access Logging and reporting systems
- Audit trails and documentation
Technical and organizational measures to ensure that personal data may only be processed for the purpose described.
- Access control and privacy training for those with access to personal data
Technical and organizational measures to ensure that personal data are protected from accidental destruction or loss.
- Availability is managed and designed based on an overall service level concept.
- The physical site where the data processing equipment is located is protected against general environmental hazard and unauthorized access. It is protected with specific measures against power loss. It monitors and controls temperature and humidity at the site and alerts where reaching limits.
- Availability of the network access to the site is enhanced thought WAN based redundancies, network access redundancies to the site.
- Redundancies of the infrastructure components itself (servers and storage arrays) are in place in accordance with the agreed and predefined service levels.
- Functionalities are used on DB level to target for a minimum loss of transaction information in case of a technical failure. This is done by using DB features supporting minimal loss of transaction information were possible and meaningful.
- In line with the service levels defined, additional availability features on DB level (real application clustering) or at application level (application-based replication, load balancing) are in place.
- To reduce unscheduled downtimes proactive infrastructure maintenance is done. This maintenance work is planned and based on a predefined schedule. During these maintenance windows proactive tasks are executed to keep the infrastructure on a supported level aligned with the providers of the infrastructure components.
- After serious events a structured After Action Review is executed to detect mitigation actions and potential proactive measures.
- Technical and application related changes follow change management processes, supported where possible by multiple tiers where changes are applied first before being applied to the production environment.
Additional following controls
- Monitoring and surveillance techniques are used detect any misuse of threatening behavior without disclosing this beforehand
- All data at rest is encrypted
- A data retention policy is in place to ensure that data is removed when no longer required and is minimalized where possible
- Changes to production environment are tracked and pre-approved.
- All changes to production systems are tracked using an external logging system
- Products are developed using a Software Development Life Cycle process which ensures quality releases.
- A separate development/staging/production environment is used to ensure that products are fully tested before being delivered to customers – it also ensures that the production environment is not disrupted due to testing
- The redundancy measures are checked on a regular basis. The results are documented accordingly.