Security Measures
Data Processing Addendum
Description of the technical and organizational security measures implemented by the Processor in accordance with Article 32 GDPR.
1. General Aspects Of Information Security
1.1 Information security policies and organization
| A set of policies for information security is defined, approved by management, published, and communicated to employees and relevant external parties. | ISO 27002 - 5.1.1 |
| The policies for information security are reviewed at planned intervals, or if significant changes occur, to ensure their continuing suitability, adequacy, and effectiveness. | ISO 27002 - 5.1.2 |
| All information security responsibilities are defined and allocated. | ISO 27002 - 6.1.1 |
| Conflicting duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of Teradata’s assets. | ISO 27002 - 6.1.2 |
| Appropriate contacts with relevant authorities are maintained. | ISO 27002 - 6.1.3 |
| Appropriate contacts with special interest groups or other specialist security forums and professional associations are maintained. | ISO 27002 - 6.1.4 |
| Information security is addressed in project management, regardless of the type of project. | ISO 27002 - 6.1.5 |
1.2 Human resources management
| Background verification checks on all candidates for employment are carried out in accordance with relevant laws, regulations, and ethics, and shall be proportional to the business requirements, the classification of the information to be accessed, and the perceived risks. | ISO 27002 - 7.1.1 |
| The contractual agreements with employees and contractors state their and Teradata’s responsibilities for information security. | ISO 27002 - 7.1.2 |
| Management requires all employees and contractors to apply information security in accordance with the established policies and procedures of Teradata. | ISO 27002 - 7.2.1 |
| All employees of Teradata and, where relevant, contractors receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant to their job function. | ISO 27002 - 7.2.2 |
| There is a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. | ISO 27002 - 7.2.3 |
| Information security responsibilities and duties that remain valid after termination or change of employment are defined, communicated to the employee or contractor and enforced. | ISO 27002 - 7.3.1 |
1.3 Management of information security incidents
| Management responsibilities and procedures are established to ensure a quick, effective, and orderly response to information security incidents. | ISO 27002 - 16.1.1 |
| Information security events are reported through appropriate management channels as quickly as possible. | ISO 27002 - 16.1.2 |
| Employees and contractors using the Teradata’s information systems and services are required to note and report any observed or suspected information security weaknesses in systems or services. | ISO 27002 - 16.1.3 |
| Information security events are assessed and it is decided if they are to be classified as information security incidents. | ISO 27002 - 16.1.4 |
| Information security incidents are responded to in accordance with the documented procedures. | ISO 27002 - 16.1.5 |
| Knowledge gained from analyzing and resolving information security incidents is used to reduce the likelihood or impact of future incidents. | ISO 27002 - 16.1.6 |
| Teradata defines and applies procedures for the identification, collection, acquisition, and preservation of information, which can serve as evidence. | ISO 27002 - 16.1.7 |
1.4 Compliance
| Teradata’s approach to managing information security and its implementation in is reviewed independently at planned intervals or when significant changes occur. Relevant certificates are shared with customers. | ISO 27002 - 18.2.1 |
| Information security events are reported through appropriate management channels as quickly as possible. | ISO 27002 - 18.2.3 |
| Managers regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards, and any other security requirements. | ISO 27002 - 18.2.2 |
| All relevant legislative statutory, regulatory, contractual requirements, and Teradata’s approach to meet these requirements are explicitly identified, documented, and kept up to date for each information system and Teradata. | ISO 27002 - A.18.1.1 |
| Appropriate procedures are implemented to ensure compliance with legislative, regulatory, and contractual requirements related to intellectual property rights and use of proprietary software products. | ISO 27002 - A.18.1.2 |
| Privacy and protection of personally identifiable information is ensured as required in relevant legislation and regulation where applicable. | ISO 27002 - A.18.1.4 |
2. PHYSICAL ACCESS CONTROL
| Security perimeters are defined and used to protect areas that contain personal data and processing facilities. | ISO 27002 - 11.1.1 |
| Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access. | ISO 27002 - 11.1.2 |
| Physical security for offices, rooms, and facilities is designed and applied. | ISO 27002 - 11.1.3 |
| Physical protection against natural disasters, malicious attack, or accidents is designed and applied. | ISO 27002 - 11.1.4 |
| Procedures for working in secure areas are designed and applied. | ISO 27002 - 11.1.5 |
| Access points such as delivery and loading areas, and other points where unauthorized persons could enter the premises, are controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. | ISO 27002 - 11.1.6 |
3. LOGICAL ACCESS CONTROL
3.1 General aspects of access control and authentication
| An access control policy is established, documented and reviewed based on business and information security requirements. | ISO 27002 - 9.1.1 |
| The allocation of secret authentication information is controlled through a formal management process. | ISO 27002 - 9.2.4 |
| Users are required to follow the Teradata’s practices in the use of secret authentication information. | ISO 27002 - 9.3.1 |
| Where required by the access control policy, access to systems and applications is controlled by a secure log-on procedure. | ISO 27002 - 9.4.1 |
| Password management systems are interactive and shall ensure quality passwords. | ISO 27002 - 9.4.2 |
| A policy and supporting security measures is adopted to manage the risks introduced by using mobile devices. | ISO 27002 - 6.2.1 |
| A policy and supporting security measures is implemented to protect information accessed, processed, or stored at teleworking sites. | ISO 27002 - 6.2.2 |
| Users ensure that unattended equipment has appropriate protection. | ISO 27002 - 11.2.8 |
| A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities is adopted. | ISO 27002 - 11.2.9 |
3.2 Network security
| Users are only provided with access to the network and network services that they have been specifically authorized to use | ISO 27002 - 9.1.2 |
| Networks are managed and controlled to protect information systems and applications. | ISO 27002 - 13.1.1 |
| Security mechanisms, service levels, and management requirements of all network services are identified and included in network services agreements, whether these services are provided in-house or outsourced. | ISO 27002 - 13.1.2 |
| Groups of information services, users, and information systems are segregated on networks. | ISO 27002 - 13.1.3 |
3.3 Secure system development
| The information-security related requirements are included in the requirements for new information systems or enhancements to existing information systems. | ISO 27002 - 14.1.1 |
| Rules for the development of software and systems are established and applied to developments within Teradata. | ISO 27002 - 14.2.1 |
| Principles for engineering secure systems are established, documented, maintained, and applied to any information system implementation efforts. | ISO 27002 - 14.2.5 |
| Teradata established and appropriately protects secure development environments for system development and integration efforts that cover the entire system development lifecycle. | ISO 27002 - 14.2.6 |
| Teradata supervises and monitors the activity of outsourced system development. | ISO 27002 - 14.2.7 |
| Access to program source code is restricted. | ISO 27002 - 9.4.5 |
3.4 Logging and log management
| Event logs recording user activities, exceptions, faults, and information security events are produced, kept, and regularly reviewed. | ISO 27002 - 12.4.1 |
| Logging facilities and log information are protected against tampering and unauthorized access. | ISO 27002 - 12.4.2 |
| System administrator and system operator activities are logged and the logs protected and regularly reviewed. | ISO 27002 - 12.4.3 |
3.5 Technical vulnerability management and protection from malware
| Information about technical vulnerabilities of information systems being is obtained in a timely fashion, Teradata’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. | ISO 27002 - 12.6.1 |
| Detection, prevention, and recovery controls to protect against malware are implemented, combined with appropriate user awareness. | ISO 27002 - 12.3.1 |
4. DATA ACCESS CONTROL
4.1 Authorization
| A formal user registration and de-registration process is implemented to enable assignment of access rights. | ISO 27002 - 9.2.1 |
| A formal user access provisioning process is implemented to assign or revoke access rights for all user types to all systems and services. | ISO 27002 - 9.2.2 |
| Asset owners review users’ access rights at regular intervals. | ISO 27002 - 9.2.5 |
| The access rights of all employees and external party users to information and information processing facilities are removed upon termination of their employment, contract or agreement, or adjusted upon change. | ISO 27002 - 9.2.6 |
| The allocation and use of privileged access rights is restricted and controlled. | ISO 27002 - 9.2.3 |
| Information involved in application service transactions is protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication, or replay. | ISO 27002 - 14.1.3 |
4.2 Use of cryptography
| A policy on the use of cryptographic controls for protection of information shall be developed and implemented. | ISO 27002 - 10.1.1 |
| A policy on the use, protection, and lifetime of cryptographic keys is developed and implemented through their whole lifecycle. | ISO 27002 - 8.1.2 |
| Cryptographic controls are used in compliance with all relevant agreements, legislation and regulations. | ISO 27002 - 8.1.3 |
| Security is applied to off-site assets, taking into account the different risks of working outside Teradata’s premises. | ISO 27002 - 11.2.6 |
| All items of equipment containing storage media are verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. | ISO 27002 - 11.2.7 |
4.3 Information classification, asset management & disposal
| Assets associated with information and information processing facilities are identified and an inventory of these assets is drawn up and maintained. | ISO 27002 - 8.1.1 |
| Assets maintained in the inventory are owned. | ISO 27002 - 8.1.2 |
| Rules for the acceptable use of information and of assets associated with information and information processing facilities are identified, documented, and implemented. | ISO 27002 - 8.1.3 |
| All employees and external party users return all Teradata-owned assets in their possession upon termination of their employment, contract or agreement. | ISO 27002 - 8.14 |
| Information is classified in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. | ISO 27002 - 8.2.1 |
| An appropriate set of procedures for information labelling is developed and implemented in accordance with the information classification scheme adopted by Teradata. | ISO 27002 - 8.2.2 |
| Procedures for handling assets are developed and implemented in accordance with the information classification scheme adopted by Teradata. | ISO 27002 - 8.2.3 |
| Procedures are implemented for the management of removable media in accordance with the classification scheme adopted by Teradata. | ISO 27002 - 8.3.1 |
| Media is disposed of securely when no longer required, using formal procedures. | ISO 27002 - 8.3.2 |
4.4 Personal data disclosure and notification
| Teradata will notify the customer, in accordance with any procedure and time periods agreed in the contract, of any legally binding request for disclosure of Personal Data by a law enforcement authority, unless such a disclosure is otherwise prohibited. | ISO 27002 - A.5.1 |
| Disclosures of Personal Data to third parties are recorded, including what Personal Data has been disclosed, to whom and at what time. | ISO 27002 - A.5.2 |
| Teradata will promptly notify the customer in the event of any unauthorized access to Personal Data or unauthorized access to processing equipment or facilities resulting in loss, disclosure or alteration of Personal Data. | ISO 27002 - A.9.1 |
5. DATA TRANSFER CONTROL
| Security perimeters are defined and used to protect areas that contain personal data and processing facilities. | ISO 27002 - 11.1.1 |
| Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access. | ISO 27002 - 11.2.1 |
| Physical security for offices, rooms, and facilities is designed and applied. | ISO 27002 - 11.3.1 |
| Physical protection against natural disasters, malicious attack, or accidents is designed and applied. | ISO 27002 - 11.4.1 |
| Procedures for working in secure areas are designed and applied. | ISO 27002 - 11.5.1 |
| Access points such as delivery and loading areas, and other points where unauthorized persons could enter the premises, are controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. | ISO 27002 - 11.6.1 |
6. INPUT CONTROL
| The collection of Personal Data is limited to that which is within the bounds of applicable law and strictly necessary for the specified purpose(s). | ISO 27002 - A.3 |
| Teradata provides the customer with the means to enable them to fulfil their obligation to facilitate the exercise of Personal Data principals’ rights to access, correct and/or erase Personal Data pertaining to them. | ISO 27002 - A.1.1 |
| Teradata implements appropriate measures that enable Personal Data principals to access, check, update/correction and removal of their data. | ISO 27002 - A.8 |
7. CONTROL OF INSTRUCTIONS
7.1 Internally
| Personal Data to be processed under a contract will not be processed for any purpose independent of the instructions of the customer. | ISO 27002 - A.2.1 |
| Personal Data processed under a contract is not used by Teradata for the purposes of marketing and advertising without express consent. Such consent will not be a condition of receiving the service. | ISO 27002 - A.2.2 |
| Copies of security policies and operating procedures are retained for a specified, documented period upon replacement (including updating). | ISO 27002 - A.9.2 |
7.2 Third party sub-contracting
| Information security requirements for mitigating the risks associated with supplier’s access to the Teradata’s assets is agreed upon with the supplier and documented. | ISO 27002 - 15.1.1 |
| All relevant information security requirements are established and agreed upon with each supplier that may access, process, store, communicate, or provide IT infrastructure components for the Teradata’s information. | ISO 27002 - 15.1.2 |
| Agreements with suppliers include requirements to address the information security risks associated with information and communications technology services and product supply chain. | ISO 27002 - 15.1.3 |
| Teradata regularly monitors, reviews, and audits supplier service delivery. | ISO 27002 - 15.2.1 |
| Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures, and controls, are managed, taking account of the criticality of business information, systems, and processes involved and re-assessment of risks. | ISO 27002 - 15.2.2 |
| Contracts between Teradata and any sub-contractors that process Personal Data specify minimum technical and organizational measures that meet the information security and Personal Data protection obligations of Teradata. Such measures will not be subject to unilateral reduction by the sub-contractor. | ISO 27002 - A.10.12 |
8. AVAILABILITY CONTROL
8.1 Backup
| Backup copies of information, software, and system images are taken and tested regularly in accordance with an agreed backup policy. | ISO 27002 - 12.3.1 |
| Records are protected from loss, destruction, falsification, unauthorized access, and unauthorized release in accordance with legislatory, regulatory, contractual, and business requirements. | ISO 27002 - 18.1.3 |
8.2 Change control
| Operating procedures shall be documented and made available to all users who need them. | ISO 27002 - 12.1.2 |
| Changes to systems within the development lifecycle are controlled by the use of formal change control procedures. | ISO 27002 - 14.2.2 |
| When operating platforms are changed, business critical applications are reviewed and tested to ensure there is no adverse impact on operations or security. | ISO 27002 - 14.2.3 |
| Modifications to software packages are discouraged, limited to necessary changes, and all changes shall be strictly controlled. | ISO 27002 - 14.2.4 |
| Testing of security functionality is carried out during development. | ISO 27002 - 14.2.8 |
| Acceptance testing programs and related criteria is established for new information systems, upgrades, and new versions. | ISO 27002 - 14.2.9 |
| Procedures are implemented to control the installation of software on operational systems. | ISO 27002 - 12.1.2 |
| Rules governing the installation of software by users are established and implemented. | ISO 27002 - 12.6.2 |
8.3 Business continuity and disaster recovery
| Teradata determines its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. | ISO 27002 - 17.1.1 |
| Teradata establishes, documents, implements and maintains processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. | ISO 27002 - 17.1.2 |
| Teradata verifies the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. | ISO 27002 - 17.1.3 |
| Information processing facilities are implemented with redundancy sufficient to meet availability requirements. | ISO 27002 - 17.2.1 |
8.4 Operational aspects
| The use of utility programs that might be capable of overriding system and application controls is restricted and tightly controlled. | ISO 27002 - 9.4.4 |
| The use of resources is monitored, tuned and projections made of future capacity requirements to ensure the required system performance. | ISO 27002 - 12.1.3 |
| The clocks of all relevant information processing systems within a security domain are synchronized to a single reference time source. | ISO 27002 - 12.4.4 |
| Audit requirements and activities involving verification of operational systems are carefully planned and agreed to minimize disruptions to business processes. | ISO 27002 - 12.7.1 |
| Operating procedures are documented and made available to all users who need them. | ISO 27002 - 12.1.1 |
8.5 Environmental security
| Equipment is sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. | ISO 27002 - 11.2.1 |
| Equipment is protected from power failures and other disruptions caused by failures in supporting utilities. | ISO 27002 - 11.2.2 |
| Power and telecommunications cabling carrying data or supporting information services are protected from interception, interference, or damage. | ISO 27002 - 11.2.3 |
| Equipment is correctly maintained to ensure its continued availability and integrity. | ISO 27002 - 11.2.4 |
| Equipment, information, or software is not taken off-site without prior authorization. | ISO 27002 - 11.2.5 |
9. DATA SEPARATION
| Access to information and application system functions is restricted in accordance with the access control policy. This includes the isolation of Personal Data in multi-tenant systems. | ISO 27002 - 9.4.1 |
| Development, testing, and operational environments are separated to reduce the risks of unauthorized access or changes to the operational environment. | ISO 27002 - 12.1.4 |
| Test data is selected carefully, protected, and controlled. Personal Data is not utilized for testing purposes during the software development lifecycle. | ISO 27002 - 14.3.1 |