Data Protection Policy

Topics: Genomics Always-On Security

Subjects: ZTRON Series product security practice

Last updated: 6 AUG, 2020

 

Mission: Genomics always treats product information security as a top priority. Listed below are the security measures we follow in order to maintain product data security at compliance level.

Objectives: ZTRON instruments are equipped with devices that operate as a whole. Systems and devices deployed to customer premises are subject to information security risks such as brute-force attacks, malfunctions and inappropriate usage, which can damage the service and disrupt business.

 

  1. Data protection principle

We are committed to processing data in accordance with our responsibilities under the GDPR.

Article 5 of the GDPR requires that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

 


The table below lists the data security policy (standards and coverage, with descriptions):

1. Information Security Policy

 

Cybersecurity Framework and standards

We follow best practices and standards which comply with the GDPR.
Cybersecurity standards work as the set of policies that define the methods or approaches that have to be followed in order to keep the system protected. We operate at a higher level and are bound to comply with these standards, as they are the factors that ensure the security of the organization, including:
- Data protection
- Key management
- Strong authentication
- Role separation, network segregation
- Monitoring and alerts
- Regular training

 

** See Appendix A

 

Access

Organizations need to follow governance regulations, which dictate how organizations can access personally identifiable data, how it is stored, for how long, and even for what purpose. More importantly, these standards highlight the intersection of data access and data security. Data access is meaningless if it is not based on security standards.

Policies are implemented to protect resources from being accessed without authorization:

1) The least-privilege concept is implemented

2) Authentication is implemented for access

3) Strong password policies

4) Need-to-know basis

5) Time limits

6) Exit interviews are implemented

 

 

Authentication and password

Authentication is the process of determining whether someone or something is, in fact, who or what it declares itself to be. Authentication technology provides access control for systems by checking to see if a user's credentials match the credentials in a database of authorised users or in a data authentication server.

Authentication is required when accessing a system that contains sensitive data. Users are created according to their role. Passwords must be set according to the required policy, which is strictly enforced.

Password policies:

-         Minimum length = 8; numbers = 1; capital letter = Y; special character = Y

-         Password expiry = 90 days

-         Password minimum change days = 3

-         Password warning = 7 days

-         Password hash algorithm = SHA512

-         Passwords must not be stored in cleartext
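As an added illustration of the policy above (not code from the ZTRON product or this policy's author), the block below checks a candidate password against the stated complexity rules and audits a shadow-suite style /etc/login.defs file against the stated aging and hash values. Mapping the expiry, minimum-change, warning and hash settings onto the Linux keys PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE and ENCRYPT_METHOD is an assumption; the page does not say which OS ZTRON runs, and the sample file is constructed.

```python
import re

# Password policy values exactly as stated in the ZTRON policy above.
POLICY = {"min_length": 8, "min_digits": 1, "require_upper": True,
          "require_special": True}

# Assumed mapping of the aging/hash rules onto Linux /etc/login.defs keys.
LOGIN_DEFS_EXPECTED = {
    "PASS_MAX_DAYS": "90",     # password expiry = 90 days
    "PASS_MIN_DAYS": "3",      # password minimum change days = 3
    "PASS_WARN_AGE": "7",      # password warning = 7 days
    "ENCRYPT_METHOD": "SHA512",  # password hash algorithm = SHA512
}


def check_password_complexity(password):
    """Return the list of policy rules the password violates (empty == compliant)."""
    violations = []
    if len(password) < POLICY["min_length"]:
        violations.append("shorter than %d characters" % POLICY["min_length"])
    if sum(c.isdigit() for c in password) < POLICY["min_digits"]:
        violations.append("no digit")
    if POLICY["require_upper"] and not any(c.isupper() for c in password):
        violations.append("no capital letter")
    if POLICY["require_special"] and not re.search(r"[^A-Za-z0-9]", password):
        violations.append("no special character")
    return violations


def parse_login_defs(text):
    """Parse 'KEY VALUE' lines of a login.defs file, ignoring comments and blanks."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def audit_login_defs(text):
    """Return {key: (actual, expected)} for each setting that is missing or off-policy."""
    actual = parse_login_defs(text)
    return {k: (actual.get(k), v) for k, v in LOGIN_DEFS_EXPECTED.items()
            if actual.get(k) != v}


# Constructed sample: two settings fall short of the policy (aging off, weak hash).
SAMPLE_LOGIN_DEFS = """# constructed example, not a real ZTRON file
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   3
PASS_WARN_AGE   7
ENCRYPT_METHOD  MD5
"""
```

Running `audit_login_defs(SAMPLE_LOGIN_DEFS)` flags PASS_MAX_DAYS and ENCRYPT_METHOD, which is the kind of drift a periodic compliance check on a deployed instrument should catch.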

 

Role Management

Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within a system. RBAC gives users access rights only to the information they need to do their jobs and prevents them from accessing information that does not pertain to them.

A role in a system determines the permissions that an individual is granted and ensures that lower-level users cannot access sensitive information or perform high-level tasks. In the role-based access control data model, roles are based on several factors, including authorization, responsibility and job competency. As such, companies can designate whether a user is an end user, an administrator or a specialist user. In addition, access to computer resources can be limited to specific tasks, such as the ability to view, create or modify files.

Role management is important in our product design: roles are required to operate ZTRON for different tasks. As such, role-based authentication is combined with password policies to increase password security.

To enable admin and user accounts to log in to Ztron, authentication policies need to be set to the compliance standard to protect users from known attacks. The role separation concept is implemented to maintain functional integrity.

2. Data Protection Requirement

 

Encryption

Data security is a set of standards and technologies that protect data from intentional or accidental destruction, modification or disclosure. Data security can be applied using a range of techniques and technologies, including administrative controls, physical security, logical controls, organizational standards, and other safeguarding techniques that limit access to unauthorized or malicious users or processes.

 

In the context of data confidentiality in ZTRON, encryption is the most common way to address the confidentiality of sensitive personal data. The data protection method is properly planned to secure customer medical data.

 

We implement data-at-rest encryption to make sure the data generated on the system is secure against data theft.

-         OS encryption is used to protect all data written to the disk; an industrial-grade encryption standard is adopted, with AES 256-bit encryption.

-         Database encryption is enforced.

-         Data in motion is protected by HTTPS/TLS technology. Data access from the browser is secured by customer digital certificates using NIST-recommended algorithms.

-         Removable media/backups must not contain MGI sensitive data; in the event that sensitive data needs to be on removable media or backups, the data must be encrypted.

 

Data Integrity

Data integrity is the overall accuracy, completeness, and consistency of data. Data integrity also refers to the safety of data in regard to regulatory compliance and security. It is maintained by a collection of processes, rules, and standards implemented during the design phase. When the integrity of data is secure, the information stored in a database will remain complete, accurate, and reliable no matter how long it’s stored or how often it’s accessed. Data integrity also ensures that your data is safe from any outside forces.

Data Integrity risk

There are various factors that can affect the integrity of the data stored in a system/database:

-         Transfer errors

-         Bugs and viruses

-         Compromised hardware: sudden computer or server crashes, and problems with how a computer or other device functions, are examples of significant failures and may be indications that your hardware is compromised. Compromised hardware may render data incorrectly or incompletely, limit or eliminate access to data, or make information hard to use.

Risks to data integrity are minimised or eliminated by doing the following:

-         Limiting access to data and changing permissions to restrict changes to information by unauthorised parties

-         Validating data to make sure it is correct both when it is gathered and when it is used

-         Backing up data

-         Using logs to keep track of when data is added, modified, or deleted

-         Conducting regular internal audits

-         Using code signing tools

 

 

 

Code Security

We protect our products with data security measures. Ztron design follows compliance standards and quality control to provide data security. Software and firmware are tightly integrated with industrial key management standards. These measures protect the code from malicious code attacks. The Manufacturing Information Security system is designed to follow the NIST SP 800-53 data security framework, implementing a risk strategy to protect the confidentiality, integrity and availability of the information processed in our product.

 

Data availability

Data availability is about the timeliness and reliability of access to and use of data. It includes data accessibility. Availability has to do with the accessibility and continuity of information. Information with low availability concerns may be considered supplementary rather than necessary.

 

Data availability is crucial to maintaining business continuity. Strategies are implemented as required by regulation.

As a processor, we provide guidance on backing up and restoring sensitive data from the system. The guidance includes the information to be backed up, data security practice, media handling and backup strategies.

Here are the key elements we maintain:

1) Backup plan drafted for the controller

2) Sensitive-data backup policies are provided

             Best practice

             Backup procedure

3) System redundancy

4) Notifications and automation

5) Restore procedure information

6) Destruction of data practice and recommendations

 

 

Administration procedure

Data are complex
The flow of data/information within a system is complex, since the same data are viewed differently from one function to another.

For this reason, we maintain:

-         Documentation

-         Role separation

-         Key management and process

-         Data classification

 

Log management is critical in cybersecurity. Log entries are recorded for troubleshooting, problem tracking and analysis.

Logging is active on the ZTRON system at both OS level and database level.

 

System Security

System patches – planned and required

Change Management – documented and required

 

3. Incident Response

 

 

Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

 

 

Incident response framework

We maintain the following for ZTRON:

-         Incident response team

-         Detection

-         Response and reaction – elite team

-         Notification

-         Remediation and BC/BR plan

-         Breach notifications

-         Hotline and contact

 

4. Training and Updates

 

Training

-         Regular security training to create internal awareness

-         Industrial best-practice updates from professionals

-         Professional certification

 

 

Update and Notification

 

Updates are important for systems containing sensitive data. Updates and patches need to be conveyed in a proper way. Continuous support from the system provider is required to maintain the security of ZTRON.

As a provider, a proper channel has been set up to deliver:

1) Updates and patches

2) Product information

3) Messages from the vendor

 

Genomics Always-On Security

The Genomics Always-On Security system is a cybersecurity feature that comes enabled by default to protect the solution through manufacture, use and maintenance, covering data security, integrity, availability and monitoring.

 

 

 


Appendix A:

Data Protection life cycle - framework reference (PR.* subcategories mapped to NIST SP 800-53 Rev. 4 controls)

Create and store

- PR.DS-1: Data-at-rest is protected (NIST SP 800-53 Rev. 4 SC-28)
- PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition (NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16)
- PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity (NIST SP 800-53 Rev. 4 SI-7)
- PR.DS-7: The development and testing environment(s) are separate from the production environment (NIST SP 800-53 Rev. 4 CM-2)
- PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained (NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10)

Use

- PR.DS-2: Data-in-transit is protected (NIST SP 800-53 Rev. 4 SC-8)
- PR.IP-3: Configuration change control processes are in place (NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10)
- PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties (NIST SP 800-53 Rev. 4 AC-21, CA-7, SI-4)
- PR.IP-10: Response and recovery plans are tested (NIST SP 800-53 Rev. 4 CP-4, IR-3, PM-14)
- PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools (NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-5)
- PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy (NIST SP 800-53 Rev. 4 AU Family)
- PR.PT-2: Removable media is protected and its use restricted according to policy (NIST SP 800-53 Rev. 4 MP-2, MP-4, MP-5, MP-7)
- PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality (NIST SP 800-53 Rev. 4 AC-3, CM-7)
- PR.PT-4: Communications and control networks are protected (NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7)

Store

- PR.DS-5: Protections against data leaks are implemented (NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4)
- PR.IP-7: Protection processes are continuously improved (NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6)
- PR.IP-4: Backups of information are conducted, maintained, and tested periodically (NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9)

Destroy

- PR.IP-6: Data is destroyed according to policy (NIST SP 800-53 Rev. 4 MP-6)

Reference notes:

1. https://www.nist.gov/privacy-framework

2. https://www.riskmanagementstudio.com/how-to-use-nist-frameworks-for-gdpr-requirements/

3. Other enterprise practice: https://www.illumina.com/content/dam/illumina-marketing/documents/company/commitment-to-cybersecurity.pdf

 

 

 

Appendix B

Access Control Framework

Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

- PR.AC-1: Identities and credentials are managed for authorized devices and users (NIST SP 800-53 Rev. 4 AC-2, IA Family)
- PR.AC-2: Physical access to assets is managed and protected (NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9)
- PR.AC-3: Remote access is managed (NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16)
- PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties (NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16)
- PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate (NIST SP 800-53 Rev. 4 AC-4, SC-7)

 
