Security risk.

The Data Processor must take the measures necessary to identify, evaluate and limit any reasonably foreseeable internal and external risks to the availability, confidentiality or integrity of all personal data covered by the Data Processing Agreement. The Data Processor must take appropriate technical steps to limit the risk of any unauthorised access. The Data Processor must evaluate and improve the effectiveness of these precautions when necessary. The Data Processor must document identified risks, as well as when a risk has been reduced to an acceptable level.

The above obligation involves the Data Processor carrying out a risk evaluation followed by measures to counter the identified risks. This could include any relevant measures from the following list:
- Pseudonymisation and encryption of personal data
- Capability to ensure continued confidentiality, integrity, availability and resilience of processing systems and services
- Capability to correctly re-establish availability of and access to personal data in the case of a physical or technical incident
- A procedure for regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures for ensuring security of processing.

The Data Processor must have formal procedures for handling security incidents.

Authorisations must state to what extent users may request, input or delete personal data. Only authorised persons may access personal data processed under the Data Processing Agreement. The Data Processor must be able to document which employees are authorised to access personal data processed under the Data Processing Agreement. Authorised persons must carry picture ID when processing data on-site at the Data Controller's premises. Only persons engaged in the purposes for which the personal data is being processed may be authorised. Individual users must not be authorised for uses they do not require. Authorisation may also be given to persons who require access to personal data for auditing, operational or systems tasks.

Each authorised user is provided with a personal user ID and a personal password, which must be used every time the user accesses the data processing. Passwords must be changed every 6 months. Passwords must be sufficiently long and complex. Generally, 2-factor authentication must be used to access systems with sensitive personal data via the internet or an unsecured network. The authentication method can be, for example, NemID, SMS token, RFID or similar. The Data Processor must take steps to ensure that authorised users can only access the specific personal data they have authorisation to access.

The Data Processor must have reasonable restrictions regarding physical access. Areas where personal data covered by the Principal Agreement is processed must be properly separated from general access areas.

The Data Processor must have formal procedures for resetting passwords and for other situations in which the normal, logical access controls are not in force. There must be ongoing checks – at least once every 6 months – to ensure that users have the access and authorisation they should have. This check can include, for example, statistics generated by the systems showing the individual users' use of the systems, so that it can be determined whether issued accesses and authorisations are still being used. The Data Processor must, without unnecessary delay, cancel access and authorisation for users who, according to a concrete evaluation, no longer require them. The Data Processor must make sure that colleagues receive adequate training and instruction to ensure that personal data is processed in accordance with relevant legislation as well as with the Data Processor's policies and procedures.

All failed access attempts must be registered. If 3 or more consecutive failed access attempts from the same user ID are registered within a set time, further attempts from that user ID must be blocked. Access must not be re-established until the reason for the failed attempts has been determined.

All processing of personal data must be logged automatically by the system. The log must contain, as a minimum, information on the time, the user, the type of use, and the identity of the data subject the data concerns, or the search criteria used. The log must be kept for 6 months and then deleted, unless the log's purpose requires a longer storage period so that it can be used as a tool in a later investigation.

Input data materials may only be used by persons who are engaged in inputting. Input data materials must be stored so that unauthorised persons cannot access the personal data within the materials. When it is no longer necessary to keep input data materials, the Data Processor must delete or destroy them. The method for this must follow best practice. The provision regarding deletion or destruction does not apply if the material is covered by storage/discarding provisions in other legislation, or if journalised materials are processed in accordance with the ordinary archiving provisions on storage, including the delivery of materials to the National Archives.

Output data materials are covered by the same instructions as input data materials, with the following addition: output data may only be used by persons who are engaged in the purposes for which the personal data is being processed, as well as for auditing, technical maintenance, operational monitoring, corrective measures etc.

Mobile storage media with personal data must be clearly marked, and must be stored with adequately strong encryption as well as under surveillance or locked up when not in use. Mobile storage media with personal data may only be supplied to authorised persons for auditing or for operational and systems tasks. There must be a register of the mobile storage units used in connection with the data processing. There must be written instructions for the use and storage of removable mobile storage media.

Sufficient precautions must be taken in connection with the repair and servicing of data equipment holding personal data, as well as with the sale and discarding of used data media, to ensure that personal data is not accidentally or deliberately destroyed, lost or degraded, and that personal data is not accessed by unauthorised persons, misused or otherwise processed in contravention of current legislation. This must be done following best practice.
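The lockout, failed-attempt registration and log-retention requirements above can be implemented as a small access-control component. The following is an added illustration, not part of the agreement or of any party's systems; the 15-minute lockout window (the clause only says "a set time") and the 183-day approximation of 6 months are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3                    # clause: 3 or more consecutive failures
LOCKOUT_WINDOW = timedelta(minutes=15)   # assumed value for the clause's "set time"
LOG_RETENTION = timedelta(days=183)      # assumed approximation of 6 months

class AccessControl:
    """Tracks consecutive failed logins per user ID and keeps the mandated log."""
    def __init__(self):
        self.failures = defaultdict(deque)  # user_id -> timestamps of consecutive failures
        self.blocked = set()
        self.log = []

    def record(self, when, user, use_type, data_subject=None, search_criteria=None):
        # Minimum log fields required by the clause: time, user, type of use,
        # and the data subject concerned or the search criteria used.
        self.log.append({"time": when, "user": user, "type": use_type,
                         "data_subject": data_subject, "search_criteria": search_criteria})

    def attempt(self, user, when, success):
        if user in self.blocked:
            self.record(when, user, "attempt while blocked")  # every failure is registered
            return "blocked"
        if success:
            self.failures[user].clear()  # a success breaks the "consecutive" run
            self.record(when, user, "login success")
            return "allowed"
        self.record(when, user, "login failure")
        window = self.failures[user]
        window.append(when)
        while window and when - window[0] > LOCKOUT_WINDOW:
            window.popleft()  # only failures inside the set time count
        if len(window) >= LOCKOUT_THRESHOLD:
            self.blocked.add(user)
            return "blocked"
        return "denied"

    def reinstate(self, user, reason):
        # Access is restored only once the cause of the failures has been determined.
        if not reason:
            raise ValueError("reason for the failed attempts must be documented")
        self.record(datetime.now(), user, "access re-established", search_criteria=reason)
        self.blocked.discard(user)
        self.failures[user].clear()

    def purge_log(self, now):
        # Delete entries older than the retention period; returns how many were removed.
        keep = [e for e in self.log if now - e["time"] <= LOG_RETENTION]
        removed = len(self.log) - len(keep)
        self.log = keep
        return removed
```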