With the increased adoption of aaS (as-a-Service) solutions, most organizations rely on a large number of vendors to provision their services. Supply-chain risk has led many companies, and data protection laws, to impose data protection requirements on vendors, specifically when those vendors receive personal data. These requirements are usually described in documents called TOMs (technical and organizational measures), which may be incorporated into or referenced by data processing agreements.
Most comprehensive data protection regulations include requirements for protecting personal data. That protection is achieved through technical and organizational measures. The regulations say little about what these measures are beyond that they should be appropriate and proportionate to the risks, "in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data" (GDPR Article 32(2)); GDPR Article 32(1) adds only a short, non-exhaustive list of examples such as pseudonymisation and encryption, resilience, the ability to restore availability after an incident, and regular testing of the measures.
When vendors are involved in the processing, these protection requirements need to be part of the agreements that regulate the sharing of personal data (see GDPR Article 28(3)(c) and CPRA Section 4). How these requirements are phrased varies significantly with the maturity of the particular organization's security program. More and more organizations, however, put specific controls based on industry good practice into the agreement and may even require regular third-party attestation of these controls.
Based on past years' data protection enforcement actions across the globe and the publicly published TOMs of large service providers, it is possible to identify a set of common topics and related practices. Note, however, that the maturity level expected for these practices varies with the risk.
The basis of a security program is a set of policies, roles, responsibilities, and risk management practices that set the direction for implementing particular controls. These should be documented and communicated across the organization.
Apart from ensuring that all personal data is encrypted in transit, a number of basic network security practices are usually referred to, such as firewalls, network flow monitoring, and volume-based alerting. These technologies are not plug and play: managing them and keeping them aligned with good practice has to be a continuous activity.
Additionally, assets connected to the network, and especially those exposed to the Internet, should regularly be scanned for known vulnerabilities, weak configurations, and unnecessarily open network services. Many attacks start with an unpatched system, so keeping all assets up to date with software updates is a must.
While network management looks at assets from the outside, each asset hosts various systems, and each of these requires its own management. User management in particular is always looked for: the proper provisioning (and removal) of accounts and the correct configuration of their permissions. Often, specific requirements also define how authentication must be set up.
All these systems produce logs in one way or another. These logs, like those of the network, need to be collected, protected against tampering, reviewed, and used as the basis for alerting. Logs should also be used to measure the effectiveness of the various security controls.
Where a company develops its own software, requirements may apply to its secure development practices. Often, a minimum strength for cryptographic algorithms is prescribed, and various security tests, including pentests, may be required.
When relying on a vendor, companies most often fear outages they have no control over. TOMs therefore regularly include specific provisions about recovery capabilities. Not only does a vendor need a comprehensive backup strategy; the vendor must also know how to restore service from these backups and must have documented and practiced incident and disaster management capabilities.
As seen above, TOMs cover many disciplines, and you may face different TOMs requirements for each of your business relations. How do you find the common denominator? How do you ensure that changes to your operations don't conflict with your agreements?
In PASERO, you can keep all your vendor-related agreements and documents in one repository. Soon you will also be able to review how common controls are handled differently by each of your agreements. PASERO gives you a bird's-eye view of your obligations, allowing you to make quick decisions on how to meet them across your business relations.
Feel free to take a look at our study that goes into more detail on what GDPR requires in terms of technical and organizational measures here.