Data Protection Policy
Topics: Genomics Always-On Security
Subjects: ZTRON Series product security practice
Last updated: 6 AUG, 2020
Mission: Genomics always treats product information security as a top priority. Listed below are the security measures we follow in order to maintain product data security at a compliant level.
Objectives: ZTRON instruments are equipped with devices that operate as a whole. Systems and devices deployed to customer premises are subject to information security risks such as brute-force attacks, malfunctions and inappropriate usage, which can damage the service and bring disruption to the business.
We are committed to processing data in accordance with our responsibilities under the GDPR.
Article 5 of the GDPR requires that personal data shall be:
The table below lists the data security policy:
| Standards and Coverage | Descriptions |
| --- | --- |
| 1. Information Security Policy | |
| Cybersecurity Framework and standards | We follow best practices and standards that comply with the GDPR (see Appendix A). |
| Access | Organizations must follow governance regulations that dictate how personally identifiable data may be accessed, how it is stored, for how long, and for what purpose. More importantly, these standards highlight the intersection of data access and data security: data access is meaningless if it is not based on security standards. Policies are implemented to protect resources from access without authorization: (1) the least-privilege concept is implemented; (2) authentication is implemented for access; (3) strong password policies; (4) need-to-know basis; (5) time limits; (6) an exit interview process is implemented. |
| Authentication and password | Authentication is the process of determining whether someone or something is, in fact, who or what it declares itself to be. Authentication technology provides access control for systems by checking whether a user's credentials match the credentials held in a database of authorised users or on a data authentication server. Authentication is required when accessing a system that contains sensitive data. Users are created according to their role. Passwords must be set according to the required policy, which is strictly enforced. Password policy: minimum length 8; at least 1 numeric character; capital letter required; special character required; password expiry 90 days; minimum days between password changes 3; expiry warning 7 days; password hash algorithm SHA-512; passwords must never be stored in cleartext. |
| Role Management | Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within the system. RBAC gives users access rights only to the information they need to do their jobs and prevents them from accessing information that does not pertain to them. A role in a system determines the permissions granted to an individual and ensures that lower-level users cannot access sensitive information or perform high-level tasks. In the role-based access control data model, roles are based on several factors, including authorization, responsibility and job competency. As such, companies can designate whether a user is an end user, an administrator or a specialist user. In addition, access to computer resources can be limited to specific tasks, such as the ability to view, create or modify files. Role management is important in our product design: roles are required to operate ZTRON for different tasks, and role-based authentication is combined with password policies to increase password security. To enable admin and user accounts to log in to ZTRON, authentication policies need to be set to the compliance standard to protect users from known attacks. The role-separation concept is implemented to maintain functional integrity. |
| 2. Data Protection requirement | |
| Encryption | Data security is a set of standards and technologies that protect data from intentional or accidental destruction, modification or disclosure. Data security can be applied using a range of techniques and technologies, including administrative controls, physical security, logical controls, organizational standards, and other safeguarding techniques that limit access by unauthorized or malicious users or processes. In the context of ZTRON data confidentiality, encryption is the most common way to address the confidentiality of sensitive personal data, and the data protection method is properly planned to secure customer medical data. We implement data-at-rest encryption to make sure the data generated on the system is secure against data theft: (1) OS encryption is used to protect all data written to the disk, adopting an industrial-grade encryption standard with AES 256-bit encryption; (2) database encryption is enforced; (3) data in motion is protected by HTTPS/TLS, and data access from the browser is secured by customer digital certificates using NIST-recommended algorithms; (4) removable media and backups must not contain MGI sensitive data; where sensitive data must be placed on removable media or in a backup, the data must be encrypted. |
| Data Integrity | Data integrity is the overall accuracy, completeness and consistency of data. Data integrity also refers to the safety of data with regard to regulatory compliance and security. It is maintained by a collection of processes, rules and standards implemented during the design phase. When the integrity of data is secure, the information stored in a database remains complete, accurate and reliable no matter how long it is stored or how often it is accessed, and the data is safe from any outside forces. Data integrity risks: various factors can affect the integrity of the data stored in a system or database: transfer errors; bugs and viruses; compromised hardware (sudden computer or server crashes, and problems with how a computer or other device functions, are examples of significant failures and may be indications that hardware is compromised; compromised hardware may render data incorrectly or incompletely, limit or eliminate access to data, or make information hard to use). Risks to data integrity are minimised or eliminated by: limiting access to data and changing permissions to restrict changes to information by unauthorised parties; validating data to make sure it is correct both when it is gathered and when it is used; backing up data; using logs to keep track of when data is added, modified or deleted; conducting regular internal audits; using code-signing tools. |
| Code Security | We protect our products with data security measures. ZTRON design follows compliance standards and quality control to provide data security. Software and firmware are tightly integrated with industrial key-management standards; these measures protect the code from malicious code attacks. The manufacturing information security system is designed to follow the NIST SP 800-53 data security framework, implementing a risk strategy to protect the confidentiality, integrity and availability of the information processed in our product. |
| Data availability | Data availability is about the timeliness and reliability of access to and use of data. It includes data accessibility. Availability has to do with the accessibility and continuity of information; information with low availability concerns may be considered supplementary rather than necessary. Data availability is crucial to maintain business continuity, and strategies should be implemented as required by regulation. As a processor, we provide guidance on backing up and restoring sensitive data from the system. The guidance covers the information to be backed up, data security practice, media handling and backup strategies. The key elements we maintain are: (1) a backup plan drafted for the controller; (2) sensitive-data backup policies (best practice; backup procedure); (3) system redundancy, notifications and automation, restore procedure information, and data destruction practice and recommendations. |
| Administration procedure | Data are complex. |
| 3. Incident Response | |
| | Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. |
| Incident response framework | We maintain the following for ZTRON: incident response team; detection; response and reaction (elite team); notification; remediation; BC/BR plan. |
| Breach Notifications | Hotline and contact. |
| 4. Training and Updates | |
| Training | Regular security training to create internal awareness; industry best-practice updates from professionals; professional certification. |
| Update and Notification | Updates are important to a system containing sensitive data. Updates and patches need to be delivered in a proper way, and continuous support from the system provider is required to maintain the security of ZTRON. As a provider, proper channels have been set up to deliver: (1) updates and patches; (2) product information; (3) messages from the vendor. |
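The password-policy row above states concrete parameters (minimum length 8, at least one digit, a capital letter and a special character, 90-day expiry, 3-day minimum change interval, 7-day warning, SHA-512 hashing, no cleartext storage). The Python below is an added example, not code from this document or from the ZTRON product, showing how an account-management component can enforce those rules. Because the policy names only the hash algorithm, the example assumes PBKDF2-HMAC-SHA512 with a random salt as the salted, iterated construction over SHA-512; the constant names, function names and the sample dates are the example's own.

```python
import hashlib
import hmac
import os
import string
from datetime import date
from typing import List, Optional

# Policy values taken from the password-policy row of this document.
MIN_LENGTH = 8
MIN_DIGITS = 1
REQUIRE_CAPITAL = True
REQUIRE_SPECIAL = True
MAX_AGE_DAYS = 90      # password expiry
MIN_CHANGE_DAYS = 3    # minimum days before a password may be changed again
WARN_DAYS = 7          # warn the user this many days before expiry

# Assumption (not stated in the document): PBKDF2-HMAC-SHA512 with a random
# 16-byte salt is the salted, iterated construction used over SHA-512.
PBKDF2_ITERATIONS = 200_000
SCHEME = "pbkdf2_sha512"


def check_complexity(password: str) -> List[str]:
    """Return the policy rules the candidate violates (empty list = compliant)."""
    violations: List[str] = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        violations.append(f"fewer than {MIN_DIGITS} digit(s)")
    if REQUIRE_CAPITAL and not any(c.isupper() for c in password):
        violations.append("no capital letter")
    if REQUIRE_SPECIAL and not any(c in string.punctuation for c in password):
        violations.append("no special character")
    return violations


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Stored form is scheme$iterations$salt_hex$digest_hex; the cleartext is never kept."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    _, iterations, salt_hex, digest_hex = parts
    try:
        candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
    except ValueError:  # malformed salt or iteration count in the stored record
        return False
    return hmac.compare_digest(candidate.hex(), digest_hex)


def password_age_status(last_changed: str, today: str) -> str:
    """'ok', 'warn' (within WARN_DAYS of expiry) or 'expired'; dates are ISO strings."""
    age = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
    if age > MAX_AGE_DAYS:
        return "expired"
    if MAX_AGE_DAYS - age <= WARN_DAYS:
        return "warn"
    return "ok"


def change_allowed(last_changed: str, today: str) -> bool:
    """Enforce the minimum interval between password changes."""
    return (date.fromisoformat(today) - date.fromisoformat(last_changed)).days >= MIN_CHANGE_DAYS


if __name__ == "__main__":
    for candidate in ("Passw0rd!", "password", "Ab1!"):
        print(candidate, "->", check_complexity(candidate) or "compliant")
    stored = hash_password("Passw0rd!")
    print("verify correct:", verify_password("Passw0rd!", stored))
    print("verify wrong:", verify_password("passw0rd!", stored))
    # Constructed dates, counted from this document's 6 AUG 2020 date.
    print("status after 86 days:", password_age_status("2020-08-06", "2020-10-31"))
    print("status after 91 days:", password_age_status("2020-08-06", "2020-11-05"))
```

The age functions take ISO date strings so the same check can be driven from a database column or a log line; `verify_password` rejects malformed records rather than raising, so a corrupted credential store fails closed.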
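The Data Integrity row lists validating data, logging when data is added, modified or deleted, and code-signing tools among its controls, and Appendix A maps PR.DS-6 (integrity-checking mechanisms for software, firmware and information). The Python below is an added example, not part of this document or of the ZTRON product, of two such mechanisms: a keyed manifest (HMAC-SHA256 over per-file SHA-256 digests, standing in for a code-signing check) that detects altered, missing or unexpected files, and a hash-chained change log whose entries cannot be edited, removed or reordered without breaking the chain. The sample files, key, user name and record IDs are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample artefacts for the example (not real ZTRON files).
SAMPLE_FILES: Dict[str, bytes] = {
    "firmware.bin": b"\x7fELF-constructed-firmware-image",
    "export.csv": b"sample_id,result\nS001,PASS\nS002,FAIL\n",
}
# Assumption: a shared key stands in for the vendor's code-signing key.
MANIFEST_KEY = b"constructed-manifest-signing-key"
GENESIS = "0" * 64  # previous-hash value for the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes], key: bytes) -> dict:
    """Digest every file and authenticate the digest list with HMAC-SHA256."""
    entries = {name: sha256_hex(data) for name, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_manifest(files: Dict[str, bytes], manifest: dict, key: bytes) -> List[str]:
    """Return a list of integrity problems; an empty list means everything checks out."""
    problems: List[str] = []
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    # Check the manifest itself first: if its MAC fails, its digests cannot be trusted.
    if not hmac.compare_digest(expected, manifest["mac"]):
        problems.append("manifest MAC mismatch: manifest may have been altered")
        return problems
    for name, digest in manifest["files"].items():
        if name not in files:
            problems.append(f"{name}: missing")
        elif not hmac.compare_digest(sha256_hex(files[name]), digest):
            problems.append(f"{name}: content hash mismatch")
    for name in files:
        if name not in manifest["files"]:
            problems.append(f"{name}: not in manifest")
    return problems


def append_entry(log: List[dict], actor: str, action: str, record_id: str) -> dict:
    """Append a change-log entry that commits to the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "actor": actor, "action": action,
             "record": record_id, "prev": prev}
    entry["hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> bool:
    """Recompute every entry hash and link; any edit, deletion or reordering breaks it."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev"] != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_FILES, MANIFEST_KEY)
    print("clean:", verify_manifest(SAMPLE_FILES, manifest, MANIFEST_KEY))
    tampered = dict(SAMPLE_FILES, **{"export.csv": b"sample_id,result\nS001,PASS\nS002,PASS\n"})
    print("tampered:", verify_manifest(tampered, manifest, MANIFEST_KEY))
    log: List[dict] = []
    append_entry(log, "lab_user", "create", "S001")
    append_entry(log, "lab_user", "modify", "S002")
    print("chain ok:", verify_chain(log))
    log[0]["action"] = "delete"
    print("chain after edit:", verify_chain(log))
```

`verify_manifest` reports an altered manifest before checking any file, because a MAC failure means the expected digests themselves are untrustworthy. In a deployed product the HMAC would be replaced by a signature checked against the vendor's public key, so that the device never needs to hold a secret that could also forge a manifest.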
Genomics Always-On Security
The Genomics Always-On Security system is a cybersecurity feature that comes enabled by default to protect the solution from manufacture through use and maintenance, covering data security, integrity, availability and monitoring.
Appendix A:
Data Protection life cycle - framework reference
| Life-cycle stage | NIST SP 800-53 Rev. 4 controls | NIST CSF subcategory |
| --- | --- | --- |
| Create and store | SC-28 | PR.DS-1: Data-at-rest is protected |
| | CM-8, MP-6, PE-16 | PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition |
| | SI-7 | PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity |
| | CM-2 | PR.DS-7: The development and testing environment(s) are separate from the production environment |
| | CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10 | PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained |
| Use | | PR.DS-2: Data-in-transit is protected |
| | CM-3, CM-4, SA-10 | PR.IP-3: Configuration change control processes are in place |
| | AC-21, CA-7, SI-4 | PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties |
| | CP-4, IR-3, PM-14 | PR.IP-10: Response and recovery plans are tested |
| | MA-2, MA-3, MA-5 | PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools |
| | AU Family | PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy |
| | MP-2, MP-4, MP-5, MP-7 | PR.PT-2: Removable media is protected and its use restricted according to policy |
| | AC-3, CM-7 | PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality |
| | AC-4, AC-17, AC-18, CP-8, SC-7 | PR.PT-4: Communications and control networks are protected |
| Store | AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4 | PR.DS-5: Protections against data leaks are implemented |
| | CA-2, CA-7, CP-2, IR-8, PL-2, PM-6 | PR.IP-7: Protection processes are continuously improved |
| | CP-4, CP-6, CP-9 | PR.IP-4: Backups of information are conducted, maintained, and tested periodically |
| Destroy | MP-6 | PR.IP-6: Data is destroyed according to policy |
Reference notes:
1. https://www.nist.gov/privacy-framework
2. https://www.riskmanagementstudio.com/how-to-use-nist-frameworks-for-gdpr-requirements/
3. Other enterprise practice: https://www.illumina.com/content/dam/illumina-marketing/documents/company/commitment-to-cybersecurity.pdf
Appendix B
Access Control Framework
| Category | NIST SP 800-53 Rev. 4 controls | NIST CSF subcategory |
| --- | --- | --- |
| Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. | AC-2, IA Family | PR.AC-1: Identities and credentials are managed for authorized devices and users |
| | PE-2, PE-3, PE-4, PE-5, PE-6, PE-9 | PR.AC-2: Physical access to assets is managed and protected |
| | AC-2, AC-3, AC-5, AC-6, AC-16 | PR.AC-3: Remote access is managed |
| | AC-2, AC-3, AC-5, AC-6, AC-16 | PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties |
| | AC-4, SC-7 | PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate |