For the purposes of Telmar’s Security Policy:
“Customer Data” means any Datasets (including any personal data therein, if any) and/or Customer Confidential Information, stored and/or processed by Telmar.
“Industry Standards” shall mean commonly accepted information security best practices for service providers providing technology services.
Capitalised terms shall have the meanings set forth in the Master Subscription Agreement between Customer and Telmar.
Governance & Management
Telmar will implement security controls, policies and procedures according to ISO/IEC 27001 and be consistent with Industry Standards.
In accordance with ISO/IEC 27001, appropriate controls detailed in Annex A of ISO/IEC 27001 will be adopted where appropriate by Telmar and reviewed on a regular basis.
Telmar will continually improve the effectiveness of its Security Policy.
Physical and Environmental Security
Telmar will ensure appropriate security controls for all physical entry points to locations containing systems that host the Services (each a “Site”), including the following:
access to Sites by authorized personnel will be controlled and restricted by use of appropriate security measures including security cameras, entry controls and authentication controls;
where relevant, electronic and written access logs will be maintained for a reasonable period of time;
Telmar maintains a clear desk and clear screen policy at Telmar premises and in respect of Telmar Users (as defined in section 4, below); and
visitors without access-rights to a Site will be escorted at all times by authorized personnel.
Background Checks. Subject to Applicable Law, Telmar shall carry out background verification checks, at its expense, on employees and contractors that are involved in the provision of Services.
Adherence. Telmar will ensure that employees and contractors are bound by appropriate confidentiality terms and to Telmar’s security policies.
Training. Telmar employees and contractors involved in the provision of the Services will receive periodic training in respect of data privacy/data protection, confidentiality and measures to protect Confidential Information.
Segregation of Duties. Telmar will ensure necessary segregation of duties to limit conflicting duties and areas of responsibility and measures to reduce the opportunities for unauthorized or unintentional modification or misuse of any of the organisation’s assets.
Security Management. Telmar shall allocate dedicated security roles, responsibilities and resources.
Access Controls & Monitoring
Logical Security. To protect against unauthorized access to the Services, Telmar adopts a defense in depth (using multiple controls), least privilege, need to know, and need to use strategy to its security. Telmar will:
employ a formal procedure for granting and revoking access and access rights to Telmar employees and/or contractors (each a “Telmar User”) to the Telmar Technology used to provide the Services;
review each Telmar User’s access rights to confirm they are appropriate for their role (need to know, need to use); and
have security practices and controls regarding: (i) the selection and use of strong passphrases in line with Industry Standards and as defined by Telmar’s password policy; and (ii) closure of inactive application sessions when technically possible, after a defined period of inactivity.
Network Access Control. Telmar will employ network access controls with respect to internal, external and public network services that allow access to the Telmar Technology used to provide the Services.
Minimum Access Rights (least privilege). Telmar will provide Telmar Users with the minimum access rights and privileges needed to perform a particular function or transaction. Telmar User access reviews will be conducted at least annually and updated as necessary.
Availability Monitoring. Telmar will employ multiple levels of system monitoring including server fault monitoring, service functionality monitoring, API functionality monitoring, user functionality monitoring and service availability monitoring.
Logging & Monitoring. Telmar ensures appropriate logging and monitoring is in place and is auditable for a defined period.
Telmar will implement rules for the acceptable use of Customer Data and assets which comply with Industry Standards.
All media and assets that contain Customer Data transferred from Telmar’s custody shall be encrypted, sanitized, destroyed, or purged of Customer Data in accordance with Industry Standards and applicable data retention policies. Sanitization refers to the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed.
Encryption & Cryptographic Controls
Telmar will use encryption and cryptography to protect the confidentiality, authenticity and/or integrity of Customer Data. Such controls will include:
where feasible, Customer Data in transit and at rest will be encrypted whether on Telmar’s own systems or third party systems; and
access to systems storing Customer Data will be via Virtual Private Network (VPN) using transport layer security.
Telmar will establish processes to keep up to date with emerging security threats and vulnerabilities and ensure that the relevant security controls are implemented. Telmar will implement security patches within a prudent timeframe as determined by Telmar. Particular consideration is given to:
the severity of any identified security vulnerability;
the extent to which a vulnerability may affect any specific system or subsystem;
the extent to which a system may be insulated from particular attack vectors; and
a holistic consideration of the security implications that could arise in respect of the introduction of a particular security patch.
Vulnerability Management and Testing
Telmar shall arrange for a suitably-qualified, independent Third Party (“External Tester”) to conduct penetration testing of the Services at least once in any twelve (12) month period (“Penetration Testing”).
Telmar shall scan the Services for known vulnerabilities periodically (each a “Vulnerability Scan”).
Telmar will remediate any material deficiencies in the security of the Services identified by the External Tester from the Penetration Testing and/or Vulnerability Scan within a reasonable timeframe.
Telmar applications will be tested against OWASP criteria (https://www.owasp.org) to ensure that they are not vulnerable to the OWASP top ten risks.
Third Party Vendor Assessment
Where Telmar makes use of a Third Party in support of the provision of the Services, Telmar will ensure the following:
appropriate due diligence is exercised in the selection and approval of such Third Party vendor;
a formal contract is in place between Telmar and the Third Party vendor;
access to Customer Data will be limited where possible according to clear business needs. Basic information security principles such as least privilege, separation of duties and defence in depth will be applied;
where possible, Telmar will have the right to audit the information security practices of the Third Party vendor and, where appropriate, its contractors; and
to the extent that a Third Party vendor is a subprocessor of Customer personal data, Telmar will comply with section 4.7 of the Data Processing Agreement.
Business Continuity & Security Incidents
Telmar has in place and shall maintain a business continuity and disaster recovery plan (the “Plan”) that will enable Telmar to recover from an incident or event whether natural or manmade which prevents Telmar from providing access to the Services (“Disaster”), and continue providing the Services as set forth in the MSA and/or an applicable Order.
The Plan is documented in written form and includes details appropriate for the Services, the complexity of the environment and probability of occurrence, including:
a description of the facilities, employees, roles, responsibilities, procedures and processes required to provide a coordinated approach to managing Disaster response activities at the time of any Disaster;
actions to be taken before, during and after Telmar’s reasonable determination that an incident or event is a Disaster (“Disaster Declaration”); and
the recovery time objective and recovery point objective for the Services.
Telmar will review and, if necessary, update the Plan at least once annually.
Telmar has a security incident management process in place to identify and address potential security breaches and compliance failures.
In the case of a Security Incident (as defined in the Data Processing Agreement), Telmar shall notify Customer in accordance with section 4.10 of the Data Processing Agreement.