Technical and Organizational Measures - Hong Kong, North Point

Technical And Organisational Measures

KLDiscovery shall take all prudent and recognised steps to ensure the security of the Personal Data it receives, processes, transfers, transmits, stores, delivers, and/or otherwise accesses from Clients (“Information Security Program”). 

Definitions
“Resource” means all KLDiscovery devices, including but not limited to laptops, PCs, routers, servers, and other computer systems that store, process, transfer, transmit, deliver or otherwise access the Personal Data.

Information Security Program
KLDiscovery will maintain a comprehensive Information Security Program that contains administrative, technical, and physical safeguards appropriate to the complexity, nature, and scope of its activities, and the sensitivity of its information assets. Such safeguards will include the elements set forth below and will be reasonably designed to: (1) Achieve the security and confidentiality of Personal Data; (2) Protect against any anticipated threats or hazards to the security or integrity of Personal Data; (3) Protect against unauthorised access to or use of Personal Data that could result in substantial harm or inconvenience to Client; and (4) Provide assurances to Client of the ongoing effectiveness of controls.

Security Requirements
Information Security Policies and Governance
KLDiscovery’s Information Security Program will be consistent with the practices described in ISO 27001 and this Security Requirements Document. As part of the management of its Information Security Program, KLDiscovery will use a senior management forum to review and approve all new policies and changes to existing policies. A formal process will be used by KLDiscovery to manage risk by identifying, approving and managing those situations where compliance with its Information Security Program is not obtained.

Information Stewardship
KLDiscovery will designate information owners who are responsible for information assets under their control, including Personal Data. Specific requirements for transmission, disclosure, storage, and destruction will address the entire lifecycle of Personal Data. KLDiscovery will assign a systems owner for each Resource. The systems owner has the overall responsibility to ensure compliance with security controls including the maintenance of the equipment and patch level to support the confidentiality, availability and integrity of Personal Data.

Confidentiality and Integrity
KLDiscovery will utilise a managed approach to security to ensure that Personal Data is protected through the entire life cycle, from creation, transformation and use, storage and destruction regardless of the storage media. Specific controls will be implemented according to the classification of the Personal Data to protect the confidentiality and integrity of the Personal Data. Control components will be used to specify access control requirements, encryption, labelling and disclosure for both internal and external parties, shipping and handling, and destruction.

Vulnerability Management
Firewalls, routers, servers, PCs, and all other Resources will be kept as current as possible with appropriate security-specific system patches. KLDiscovery will perform regular penetration tests to be completed by independent third parties to further assess KLDiscovery’s security preparedness. KLDiscovery will perform regular tests of its Resources to detect any known vulnerabilities (patch management, port scanning, virus scanning, etc.). All major technologies will be configured to best practice standards to remove unnecessary services and other configuration options that can subject the Resources to unnecessary risk. KLDiscovery will maintain a schedule for remediation for all vulnerability criticalities and ensure that vulnerabilities that are high or critical in nature are addressed in a reasonable time frame.

Physical Security
A security function will exist to grant, adjust and revoke physical access to facilities where Personal Data resides or can be accessed.

Exterior Physical Controls
The exterior of each KLDiscovery facility will be physically secure to prevent the public from unauthorised entry. No signs outside the facility will show that Personal Data is processed or stored at the facility. Exterior doors will be alarmed to warn when unauthorised entry occurs. Exterior doors will close automatically. Where appropriate, perimeter fences/gates will be in place and secured.

Interior Physical Controls
Assigned KLDiscovery personnel will be identified with a uniquely assigned badge. All badging systems will have a logging mechanism that will identify the individual, timestamp and door or area accessed. Interior physical security controls also include visitor management, clean desk practices, fire detection and suppression systems, incident response procedures, controlled access, security lighting, and other measures designed to protect personnel and assets.

Destruction of Personal Data
All Personal Data will be destroyed from any media, whether hard copy, magnetic, optical or any other form, before disposing of such media: (a) on or about the premises by assigned staff using commercially available shredding devices, software, or other means; or (b) by a reputable third-party shredding service.

Logging and Monitoring
Audit logs will capture access to Personal Data, new user additions, attempts to change security configuration, system start up, back up, shut down, and invalid login attempts. Audit logs will be retained in a protected state and will be reviewed regularly in an automated or manual fashion and retained for at least 90 days.

Intrusion Detection and Prevention
KLDiscovery will use security measures to protect the KLDiscovery telecommunications system and any computer system or network device that KLDiscovery uses to provide services to Client to reduce the risk of infiltration, hacking, access penetration by or exposure to a third-party by: (a) protecting against intrusions; (b) securing the computer systems and network devices; and, (c) protecting against intrusions of operating systems or software. Processes and procedures will be established for responding to security violations and unusual or suspicious events and incidents to limit further damage to information assets and to permit identification and prosecution of violators. KLDiscovery will report actual security violations or incidents that impact Client to Client.

Malware Defense
KLDiscovery will use the following computer malware detection/scanning services and procedures: (a) prior to sending any data, files or other material and/or accessing or submitting the same (singularly or collectively “Data Sending”), implement and maintain commercially available computer virus detection; (b) upon detecting a computer virus or other malware that has affected or will affect Client, notify Client and immediately cease Data Sending and do not resume the same until the computer virus or malware has been eliminated or contained to the satisfaction of Client; and (c) install and use such computer virus detection/scanning on all Data Sending mechanisms as well as at any other points directed by Client. KLDiscovery will keep all anti-virus software up-to-date by installing new definition files when made available by the anti-virus supplier.

Segregation of Duties
KLDiscovery maintains controls designed to provide adequate segregation of duties among KLDiscovery personnel, including access to systems and networks. Duties are assigned in such a manner that a person will not have the opportunity to conceal their errors or irregularities. Segregation of duties shall be maintained among and/or within the following functions: computer operations, network management, system administration, development, change management, security administration and family members.

Encryption and Public Key Infrastructure
All Personal Data will be encrypted when in storage, unless Client-approved compensating controls are implemented. Laptop computers will not store Personal Data unless Client agrees there is a business need for such storage. If agreement is reached, Personal Data on laptops will be encrypted. KLDiscovery’s Information Security Office will approve all cryptographic devices, algorithms, key lengths, and key management systems to ensure adherence to industry standards and interoperability. KLDiscovery will maintain commercially available encryption key management systems to protect encryption keys against unauthorised use or disclosure.

Network Security
KLDiscovery will provide the following data communication security services: (a) safeguard the confidentiality and integrity of all data being transmitted over any form of data network; and (b) implement and maintain strong industry standard encryption techniques for all cases in which data identified as Personal Data is transmitted over any public data network. A minimum of 256-bit key encryption is preferred. KLDiscovery’s Internet connections will be protected with dedicated, industry-recognised firewalls that are configured and managed to adhere to industry best practices. No internal or private Internet Protocol (IP) addresses will be publicly available or natively routed to the Internet. All administrative access to firewalls and servers will be through a secure internal network only.

Identification, Authentication and Authorisation
Each user of any Resource will have a uniquely assigned user ID to enable individual authentication and accountability. Each Resource will authenticate the user prior to granting each authorised access. The level of authentication required for access to any Resource is proportionate to the sensitivity of the data housed on the Resource. Access to privileged accounts will be restricted to only those people who administer the Resource; individual accountability will be maintained. All default passwords (such as those from hardware or software vendors) will be changed immediately upon receipt. KLDiscovery will use and comply with the following access control services and procedures: (a) implement measures to restrict electronic access to Resources to only authorised personnel; (b) ensure that all KLDiscovery personnel who access or submit material to Resources are uniquely identified to and authenticated by the Resource (KLDiscovery will not use any form of generic or shared user identifier to access Personal Data); (c) enforce the principle of “least privilege,” namely, that authorised personnel have only the level of access to Resources required to perform their job functions in relation to the Resource and have such rights and privileges for the shortest length of time necessary; (d) restrict access to all Personal Data stored on backup media, in hardcopy form or in any other format to only those employees who require such access to accomplish their job functions in performance of services for Client and store such data in a physically secure location; and (e) remove physical and logical access rights immediately upon termination or transfer of the individual. KLDiscovery’s Resources will store Personal Data in a segregated and controlled manner from KLDiscovery’s other customers’ information.

User Passwords and Accounts
User passwords will: (a) remain confidential and will not be shared, posted, or otherwise divulged in any manner; (b) consist of a minimum of eight (8) alpha and numeric characters for standard user accounts; (c) not contain the account name or account ID or other easily guessed values; (d) not allow the previous five passwords to be reused; and (e) be hashed in storage and transmission. User accounts will automatically lock out after five (5) consecutive incorrect attempts.

Third-party Relationships
KLDiscovery will conduct security risk assessments of any third-party service providers with access to Personal Data. The purpose of the security risk assessments will be to ensure that safeguards are sufficient to protect the Personal Data. Furthermore, KLDiscovery’s contracts with such third-party service providers will ensure that the service providers maintain controls to ensure that any individual with physical or logical access to Personal Data has safeguards similar to those set forth in this Security Requirements Document to ensure the protection of the Personal Data.

Remote Access Connection Authorization
All remote access connections to KLDiscovery internal networks and/or computer systems will require authorization and will provide an approved means of access control at the “point of entry” to the KLDiscovery computing or communication resources through multi-factor authentication. Such access will use secure access channels, such as a Virtual Private Network (VPN). KLDiscovery networks that have access to the Personal Data will be logically isolated from any other network segments that allow wireless access.

Secure System Development
Applications developed by KLDiscovery for Client will follow a methodology that allows for: (i) defining security requirements as part of the requirements definition phase; (ii) using a design model that incorporates best practices in security; (iii) developing code in ways that minimise security vulnerabilities (such as cross-site scripting, SQL injection, buffer overflows, etc.); (iv) testing the code through static and dynamic assessments; and (v) deploying the application in a secure production environment.

Personnel Security
All KLDiscovery personnel must pass a criminal background check and general background investigation. KLDiscovery shall not be required to screen any individual where it is prohibited by law.

Training and Awareness
KLDiscovery shall require all KLDiscovery personnel to participate in training and awareness sessions at least annually. The training system will track attendance and provide testing to ensure the materials are understood.

Continuity and Disaster Recovery
KLDiscovery requires all applications hosted on behalf of clients to have a formal, documented, approved, and tested disaster recovery plan. All continuity plans must be communicated and approved by formal management and audited at least annually by an internal or third-party auditing body. All continuity plans are tested annually to verify their effectiveness and suitability, with all aspects of the testing being documented, including overall results and lessons learned. Results of tests are communicated to senior management.