Annex 2 to the Standard Contractual Clauses
Security measures implemented by the data importer
The data importer has implemented and shall maintain the following security measures intended to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
Security Measure: Pseudonymisation and Encryption
Where data is processed and how it is Secured
The data, systems and applications used are hosted in public cloud services. Use is made of AWS where the systems and data are hosted in Dublin and the UK and Office 365 data is stored within the UK. The native facilities within the cloud platforms are used to encrypt all data at rest and in transit. Key management is undertaken using the in-built platform functionality.
As part of our comprehensive supplier due diligence process, the location and protection of our data that the supplier is storing/processing is addressed. In all cases, data is encrypted in transit, at rest and when backed up.
Where data is stored on an external system (e.g. SaaS provider), we ensure that this is encrypted. The majority of external applications that we use store and process data within the UK and/or EEA. Should data reside in a different jurisdiction, confirmation is obtained that appropriate and approved agreements are in place in compliance with Data Protection Legislation.
Security Measure: Data Protection Controls
Data transmitted between Azets and any external party uses one of the following mechanism’s:
Email – our email system is configured to send all emails encrypted by default where supported by the receiving party.
Where the email contains sensitive information, we have a secure email facility that would be used. This shall result in the recipient receiving a notification that a secure email is waiting for them and they shall need to log in to a secure portal to retrieve it. The same facility can be used by the external party to send and/or reply to emails to/from Azets
We have a secure file exchange facility that can be used to exchange data between an external party and Azets. All data is encrypted in transit and when stored on the file exchange server. A dedicated repository shall be created for the external party to ensure that no unauthorised user is able to gain access to their data. The external party’s users shall be added to the file exchange solution on an individual basis and only the necessary access rights shall be assigned to each user.
Removeable media. This is an option that is rarely used but should it prove necessary, then the following shall apply:
Only IT approved and issued encrypted USB devices can be used. This is controlled via the device control application within our endpoint management software
If we were to receive a USB device from an external party, the recipient’s device would be configured to permit access to the USB device such that they could download the content and then this would be disabled. Our A/V software would automatically scan the device before any data is read from it
Security Measure: Ongoing Confidentiality, Integrity, Availability and Resilience.
Commercially reasonable and appropriate methods and safeguards are utilised to protect the confidentiality, availability, and integrity of Personal Data.
Azets ensures that Azets Personnel authorised to access Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
All Azets Personnel with access to Personal Data receive annual training.
24/7 managed backup services are provided that include Personal Data stored in the primary site backed up on at least a daily basis to a secondary site. Azets provides backup services for all components included in the Services. Backups are maintained for a period of ninety days in the primary data centre, and ninety days in the secondary data centre.
Azets maintains disaster recovery capabilities designed to minimise disruption to the Services. Included within these plans is disaster recovery incident management, procedures for the recovery of access to Personal Data in the secondary data centre, as well as the periodic testing/exercising of the disaster recovery plan.
Security Measure: Regularly Testing, Assessing and Evaluating the Effectiveness of the Measures
Azets undergoes penetration testing of its IT infrastructure, conducted by an independent third-party organisation, on an annual basis.
Security Measure: IT Security Controls Authentication
Users are forced to use complex passwords (via system configuration settings) with a minimum length of 14 characters. As detailed below, this is supplemented with multi-factor authentication.
Infrastructure Security Controls
The following measures are in place:
All end user devices (EUD) and servers have a hardened build applied to them
Firewalls are enabled on all EUDs and within our server/cloud environment. Additionally, network security groups are also in place
Anti-virus software is installed on all EUDs and servers. These are updated as soon as an update is issued by the vendor and we proactively check for currency of the installed A/V products
With the exception of Microsoft Office, minimal software is installed on the EUD. As Remote Desktop Service (RDS) or Citrix is used to access the servers/line of business applications, any additional software is installed within the respective environment
Whitelisting has been applied on all devices to define what applications users are permitted to run
Users do not have local admin rights to their machines so are limited as to the changes that they can make to their machine
An email gateway scans all inbound, outbound and internal email. If an email fails any of the checks, it is quarantined. In most cases, the email would need to be released by the IT support team (only emails identified as potentially spam can be released by the user)
URL filtering is in place. Certain website categories are blocked unless there is a specific business requirement to access these. The following are some of categories that are blocked: gambling, adult themes, internet file storage services, web-based email. Where exceptions are made, these would be on a per-user basis
We have a managed Extended Detection and Response (XDR) service which monitors all activity within our network, EUDs and servers. If a significant event is identified, this is investigated by the XDR provider and following investigation is either sent to Azets to undertake remedial activity. Logs from all our systems are ingested into the XDR service which also includes integration with AWS, Office365, firewalls and our secure email gateway
Access to our line of business applications is via our RDS or Citrix solutions. Authentication is via the user’s network credentials and if accessing from outside an office, multi-factor authentication (MFA) is required. All data remains within this environment and there is no access to the user’s local hard drive when using an RDS/Citrix session
Every user has their own network account. MFA is also required when accessing externally provided services. To minimise the number of accounts users shall use, single sign-on has been implemented where this is supported by the vendor
Access to Azets systems is obtained solely via a corporate issued device.
The following measures are in place:
Network management of each office is undertaken by the IT department
Firewalls have been implemented in all offices
Minimal IT infrastructure resides within each office, typically just network devices
The Guest wireless network has no connectivity to the corporate network
Personal devices (e.g. mobile phones) cannot connect to the corporate wireless network
Within our AWS deployment, extensive use is made of Network Access Control
Test environments are segregated from the Production environment
The following measures are in place:
All data within our environment is encrypted at rest and in transit. Various backup methods are in place depending on the system that is being backed up. This includes traditional daily/weekly/monthly backups, 30 minute snapshots and log file shipping
Immutable backups are in place and are stored in a different location to our Production systems
Our cloud hosting provider has various resilience facilities in place (i.e. availability zones)
Cloud native backup solutions are in use
All backed-up data is encrypted
The backup solutions are automated and an alert would be generated if there was a failure in any of these. Processes/scripts are in place to restore data should there be a system failure, loss of data or data corruption
Restore testing is undertaken to ensure that the business Recovery Time/Point Objective can be achieved
A role-based access control model has been implemented and access is provided on a need-to-know basis based on the user’s role requirements; users are only provided with the minimum level of access required to undertake their job. All application and IT system administration is undertaken by the IT team – users cannot administrate for business applications.
There is an internal service desk system where access requests can be made which requires approval by the line manager and/or the system/ business owner.
System Maintenance and Vulnerability Management
A patching policy and process is in use within the business which includes patching timescales based on severity. This is supplemented with a vulnerability management application which scans devices on a daily and/or weekly basis (dependent on the device type). The security team proactively work with IT to ensure that patches are applied to the devices in a suitable timeframe (in accordance with the policy) and based on the severity. Patching progress/mitigation measures are closely monitored by the security team.
Additionally, vendor websites are monitored and/or we receive notifications when vulnerabilities have been identified with their product and their recommended actions shall be followed. The managed XDR service also provides threat information which supplements the vulnerability management measures in place.
Where appropriate, patches are tested on a sample number of systems to ensure that there are no adverse impacts before being rolled out to the rest of the estate. A system management tool is in place which is used to push out software and/or configuration updates to all systems.
Third Party Access
There are very few instances whereby third parties have access to our systems. Where this is in place, it is to provide support services. Access is provided only as and when required and is disabled when no longer needed. Confirmation would be obtained from the third party
Security Measure: Protection of Personal Data During Transmission
Personal Data in transit is transferred across encrypted network connections and/or protocols (i.e., hypertext transfer protocol secure (HTTPS) and/or virtual private network (VPN)).
Protection of Personal Data During Storage Encryption. Personal Data at rest is encrypted using ciphers at least as strong as 256-bit advanced encryption standard (AES).
Encryption of Backups
Backups of Personal Data are encrypted and stored in a secondary data centre.
Security Measure: Physical security
Physical security safeguards are maintained at any facilities where Azets hosts Personal Data. Physical access to such facilities is only granted following a formal authorisation procedure and access rights are reviewed periodically.
Such facilities are rated as Tier 3 data centres or greater, and access to such facilities are limited to identified and authorised individuals. Such facilities use a variety of industry standard systems to protect against loss of Personal Data due to power supply failure, fire, and other natural hazards.
Security Measure: Event Logging
Azets utilises an enterprise-class security information and event management (SIEM) system and maintains firewalls and other control measures (e.g., security appliances, network segmentation) to provide reasonable assurance that access from and to its networks is appropriately controlled.
Azets logs access and use of information systems containing Personal Data.
Security Measure: System Configuration
Anti-malware controls are maintained to help prevent malicious software from causing accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
Asset inventories of computing equipment and media used in connection with the processing of Personal Data are maintained. Access to such inventories is restricted to authorised Azets Personnel.
Security Measure: Governance and Management
Information Security and data protection
Information security and associated data protection is taken extremely seriously within the business. The following are in place:
A dedicated Cyber Security team is in place covering all cyber technical, procedural and governance processes. These individuals work across the business to ensure that all processes incorporate adequate security measures and that appropriate technical controls are in place and their configuration is suitably robust. The UK Security Director has overall responsibility for Cyber within the UK.
Data privacy is included within the Risk and Compliance team where the Group’s Data Protection Officer resides. The Privacy and Cyber team work very closely to ensure that both of these aspects are fully addressed across the business. This includes day-to-day operation, projects, third-party suppliers/vendors and regulatory requirements.
Updates pertaining to Cyber and data privacy are provided to the Groups monthly Exco forum.
Group wide security policies are place along with an Information Governance Framework. These documents are reviewed at least annually and are available to all staff. Supplementary policies and supporting procedures are created on a country basis where necessary.
There is a defined process supporting risk assessments. These are undertaken at the start of a project, prior to any major upgrade and as part of our wider supplier due diligence approach and on a continual basis. Any residual risk is managed and tracked. A GRC tool is in place which is used for capturing, tracking and managing all risks. Risks are regularly reviewed for status, accuracy and change in impact. Major/significant risks are reported to the Exco and the risk & audit committee.
Security Working Group
The security working group meets on a monthly basis. This includes representation from IT, business units, the Risk and Compliance team (which includes privacy) and the security team. This is a critical activity to ensure that all key stakeholders are aware of any security issues and also allows them to raise any concerns that they have become aware of.
A detailed incident management process is in place and shall be followed in the event of a security incident. This incorporates a lessons learned activity which shall capture any remedial activity/recommendations. The process includes details of communications with customers in the event that their data may be affected.
Scenario based tests have and shall continue to be undertaken.
Azets maintains written policies and procedures that address the roles and responsibilities of Azets personnel, including both technical and non-technical personnel, who have access to Personal Data in connection with providing the Services.
Security Measure: Certification of Processes
Azets Holdings and Blick Rothenberg hold Cyber Essential certification. The details relating to these certifications are:
Certificate Number: IASME-CE-037202
Date Obtained: 28/02/2022
Expiry Date: 28/02/2023
Certificate Number: IASME-CE-045481
Date obtained: 07/07/2022
Expiry Date: 07/07/2023
The AWS and Microsoft data centres that are used by Azets have undergone numerous certifications; details are available on their respective vendor’s Trust Portal.
On an annual basis, Azets has an independent third-party organisation conduct an independent assessment of security standards. A business continuity plan is maintained that is compliant with ISO 22301.
Security Measure: Training of Personnel
Security Awareness Training
Azets uses an externally provided security training and awareness platform which also includes an email phishing component. Security training courses are sent to staff on a frequent basis throughout the year and the completion of such training is monitored and followed up if necessary. Phishing emails are also sent to staff on a periodical basis. Should a user fail a phishing test, details are provided to them of the “red flags” that they should have picked up on. Repeat phishing test failures by a member of staff would be followed up by the security team.
In addition to the training platform, security/awareness related information is included in staff bulletins and emails and is also contained on the Intranet.
All staff are required to sign an acceptable use policy. Mandatory training is also undertaken annually covering staff’s responsibility relating to data and GDPR.
All new starters undergo an induction session which includes security and privacy related training. This also includes acceptance of the acceptable use policy and undertaking core security training modules.
Regardless of where the member of staff works (office, home), all users receive the same training. The training also reflects the changed working environment and the measures that staff take when working from home.
Security Measure: Accountability
Azets defines accountability as holding individuals accountable for their internal control responsibilities.
Specific control activities that Azets has implemented in this area are described below.
An employee sanction procedure is in place and documented to communicate that an employee may be terminated for noncompliance with a policy and/or procedure; and
A performance review of employees is conducted on an annual basis to evaluate the performance of employees against expected levels of performance and conduct and hold them accountable for their internal control responsibilities.
Security Measures: Data Minimisation / Data Quality
Azets shall make reasonable efforts to use the minimum necessary Personal Data to provide the Services.
At all times during the applicable Term, Customer shall have the ability to amend Personal Data to assist the Customer with its data quality obligations.
Security Measures: Data Retention
Azets shall retain Personal Data stored in Cozone for ninety (90) days after expiration or termination of the Engagement Letter so that Customer may extract Personal Data. After said 90-day period ends, Azets shall disable Customer’s Cozone account and delete all Personal Data (within thirty (30) days) and, where required by Law, shall certify to Customer that it has done so, save to the extent that Azets is required by any applicable Law to retain some or all of such Personal Data.
Security Measures: Portability and Erasure
At all times during the applicable Term, Customer shall have the ability to access, extract, and delete Personal Data in Cozone.
Azets destroys, deletes, or otherwise makes irrecoverable Personal Data upon the disposal or removal of storage media. Personal Data for each Customer is logically separated from data of other Azets customers.
Effective 23 January 2023