Supplier Data Security Policy and Standards

Date: 8 Aug 2020

 

Introduction

This MGI Genomics Third Party Information Security Requirements document outlines the security requirements applicable to MGI Third Parties, including suppliers and joint ventures. The security requirements outlined herein apply to Third Parties that Process MGI Confidential Information, have access to MGI Information Systems, or provide certain services/products, as described below. The security requirements are designed to vary with the level of risk the Third Party presents to MGI, guided specifically by the type of MGI information the Third Party Processes, its network connection, the services it provides, and the data availability requirements. MGI’s information security program is aligned with its compliance requirements, GDPR and ISO 27001.

Applicability

These Third Party Information Security Requirements (the “Requirements” or “Standards”) list the security controls that MGI’s Suppliers are required to adopt when (a) accessing MGI equipment, Networks and/or Confidential Information, or (b) having custody of MGI Assets. Supplier is responsible for compliance with these Standards by Supplier Personnel, including ensuring that all such Supplier Personnel are bound by contractual terms consistent with the requirements of the Standards.

 

Part A: Key Definitions

Part B: Supplier Personnel/Human Resources Security

Part C: Audit and Compliance Check

Part D: Supplier Data Collections

Part E: Information Security Standards

Part F: Basic Physical Security

Part G: Incident Reporting

 


Part A: Key Definitions

The following terms used in these Requirements have the following meanings:

1. “Agreement” means an agreement between MGI and Supplier under which (i) Supplier performs services for MGI, and/or (ii) Supplier is provided access to MGI or MGI Facilities, Network(s), Environments and/or Confidential Information.

2. “Computer” means any desktop or laptop computer, mobile device (e.g., cellular phone, Smartphone, tablet), server and/or storage device that (i) is involved in the performance of the Services, (ii) may be used to access a Network or an Environment, or (iii) may access or store Confidential Information.

3. “Confidential Information” means all confidential information to which Supplier may be provided access in connection with the performance of Services under an Agreement, including without limitation all Environments; data; personally identifiable information (PERSONAL DATA); system configuration details; information concerning MGI’s customers, Suppliers, partners, and personnel; manufacturing data; engineering or other technical designs; intellectual property (IP); passwords; and any other MGI confidential information as defined in an Agreement. References in this document to “Confidential Information” shall be deemed to include confidential information of MGI customers to which Supplier is provided access in connection with providing Services.

4. “Environment” means any MGI computing environment, including but not limited to development, test, stage, production and/or backup application and computing environment to which Supplier is provided access under an agreement.

5. “Facilities” means (i) any offices, data centers and all other locations (whether owned or managed by MGI, an MGI customer, Supplier or a third-party) from which MGI Confidential Information, Environments or Networks may be accessed or (ii) any permanent or non-permanent location handling or storing MGI Assets. References in this document to (a) “MGI Facilities” shall be deemed to include Facilities of MGI customers, and (b) “Supplier Facilities” shall be deemed to include third-party Facilities used by Supplier.

6. “MGI Asset” means any tangible MGI-owned or MGI customer-owned item for which a Supplier has responsibility, including, but not limited to any hardware or software component or assembled good manufactured for or supplied to MGI.

7. “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) and any other information that constitutes “personal data” or “personal information” under Law; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

8. “Services” means the services Supplier is obligated to perform for MGI under an Agreement.

9. “Supplier” means an entity that (i) performs Services under an Agreement; and/or (ii) is granted access to MGI Facilities, Networks, Environments and/or Confidential Information.

10. “Supplier Personnel” means all Supplier employees, contractors, sub-contractors, suppliers and agents provided access to MGI Facilities, Networks, Environments and/or Confidential Information.

 

Part B: Supplier Personnel/Human Resources (HR) Security

 

Requirement

Response

Description

1

All Supplier Personnel are required to agree, in writing, to abide by Supplier’s physical and information security requirements.

<Compliant>

<Not Compliant>

<Does not Apply>

<Legal Conflict>

 

2

Assign responsibility and accountability for compliance with the Requirement to a designated person or group within the company.

<Compliant>

<Not Compliant>

<Does not Apply>

<Legal Conflict>

A document describing the authority and accountability of this person or group that demonstrates a privacy and/or security role.

3

Establish, maintain, and perform annual privacy and security training for employees who will have access to MGI Facilities.

 

<Compliant>

<Not Compliant>

<Does not Apply>

<Legal Conflict>

 


Part C: Audit and Compliance Checks

 

 

Requirement

Response

Description

4

Supplier must maintain a complete list of all Supplier Personnel with permission to access MGI Facilities.

<Compliant>

<Not Compliant>

<Does not Apply>

<Legal Conflict>

 

5

MGI may complete an audit report in connection with any such audit. The audit report will be treated as MGI and Supplier Confidential Information. Supplier must promptly address all security issues identified in a security audit report.

<Compliant>

<Not Compliant>

<Does not Apply>

<Legal Conflict>

 

6

If requested, Supplier will certify to MGI in writing its compliance with the requirements of these Standards and will provide written responses to any questions that MGI submits to the Supplier about its security practices.

<Compliant>

<Not Compliant>

<Does not Apply>

<Legal Conflict>

 

7

Supplier must assign a representative to liaise with MGI on Information Security related matters.

Part D: Supplier Data Collections

 

 

Requirement

Response

Description

8

Where supplier relies on consent as its legal basis for Processing data, the supplier must obtain and record a Data Subject’s consent for all of its Processing activities.

<Compliant>

<Not Compliant>

<Does not Apply>

<Legal Conflict>

 

8

Where required to collect data from a third party for Processing, the Supplier must monitor and ensure that it collects only the data needed to perform and Process the Services.

<Compliant>

<Not Compliant>

<Does not Apply>

<Legal Conflict>

 

9

If the Supplier collects Personal Data from third parties on behalf of MGI, the Supplier must validate that the third party’s data protection policies and practices are consistent with the Data Protection Requirements in the Supplier’s contract with MGI.

<Compliant>

<Not Compliant>

<Does not Apply>

<Legal Conflict>

 

9.1

Supplier MUST NOT access genomic data (sequencing run data), personally identifiable information (PII), child data or protected (patient) health information (PHI) at any time. If the process is required, special permission must be obtained from MGI’s team and sensitive data must be de-identified according to data security policy.

<Compliant>

<Not Compliant>

<Does not Apply>

<Legal Conflict>


Part E: Information Security Standards

 

Requirement

Response

Description

10

Supplier must maintain a formal written information security policy or policies and procedures for the administration of information security throughout the organization, consistent with the Data Security Standards.

<Compliant>

<Not Compliant>

<Does not Apply>

<Legal Conflict>

 

11

Storage, Back-up, Retention and Deletion.

Supplier may not maintain or store any Confidential Information except as necessary for the performance of the Services under an Agreement.

<Compliant>

<Not Compliant>

<Does not Apply>

<Legal Conflict>

 

12

All Environments and Confidential Information must be stored in a secure location at Supplier’s Facilities and at any secure off-site locations. Suppliers that use third-party Suppliers for transporting or storing backup media must assess all such Suppliers in order to verify the confidentiality, integrity and availability of backup media, and must ensure that the documentation detailing such assessments complies with MGI policies. All backup media that leaves the facility must be encrypted using 256-bit or higher encryption.

<Compliant>

<Not Compliant>

<Does not Apply>

<Legal Conflict>

 

13

In any case, if any PERSONAL DATA is stored on a Supplier laptop, the laptop must be encrypted using 256-bit or higher encryption.

14

In any case, MGI Confidential Information may not be stored on any mobile device or removable media (such as external disks, USB memory storage, smartphones and backup media) unless required for the performance of the Services. All Confidential Information stored on a mobile device or removable media must be encrypted using 256-bit or higher encryption.

15

When complying with any provisions in the Agreement related to the destruction of Confidential Information, Supplier shall follow the standards contained in NIST SP 800-88.

16

Patches

Define and implement patch management procedures that prioritize security patches for systems used to Process Personal or Confidential Data. These procedures must include:

a) a defined risk approach to prioritize security patches,

b) the ability to handle and implement emergency patches,

c) applicability to operating system and server software, such as application server and database software,

d) documentation of the risk each patch mitigates and tracking of any exceptions, and

e) requirements for retirement of software that is no longer supported by the authoring company.

17

The Supplier must protect all data Processed in connection with its performance of the Services in transit across networks with encryption using Transport Layer Security (“TLS”) or Internet Protocol Security (“IPsec”).

These methods are described in NIST SP 800-52 and NIST SP 800-57; an equivalent industry standard may also be used.

 

 

18

Operations and Change Management

Supplier must maintain change management procedures that provide a consistent approach for controlling and identifying changes for all systems and Network infrastructure that may be used to provide the Services and/or that may access or store Confidential Information.

 

 

19

Supplier must apply a roles-and-responsibilities principle that defines appropriate segregation of duties, to prevent fraud and potential malicious or accidental misuse of the Supplier systems, applications and Networks that are used to provide the Services to MGI.

 

 

20

All Supplier devices (laptops, workstations, etc.) that will access or handle MGI Personal Data must employ disk-based encryption.

 

 

21

Establish and test business continuity and disaster recovery plans. (If applicable to the Service)

 

 

22

Access Control for Networks and Environments.

Supplier is responsible for the actions of Supplier Personnel and will ensure that Supplier Personnel will follow the Standards set forth herein when accessing MGI Networks and Environments.

 

 

23

MGI Networks and Environments may be accessed only by authorized Supplier Personnel to perform the Services specified in an Agreement. All Suppliers accessing MGI’s Network must execute an MGI Network Access Agreement specifying the Supplier Personnel and the systems to which access is provided.

 

 

24

Supplier Personnel will terminate their access when no longer required for the performance of the Services, and Supplier will promptly inform MGI upon termination of any Supplier Personnel.

 

 

25

Establish and maintain access rights management procedures to prevent unauthorized access to any MGI Personal Data under supplier control.

Supplier must ensure that user accounts for access to Environments that contain Confidential Information are attributable to single individuals. Generic user accounts may not be used and accounts may not be shared. Supplier Personnel must be instructed not to share user account credentials.

 

Supplier demonstrates it has implemented an access rights management plan that includes:

a) lockout procedures after unsuccessful login attempts,

b) password resets as often as necessary, and at intervals no longer than 90 days,

c) robust parameters for selecting authentication credentials, and

d) deactivation of user accounts on employment termination.

All passwords must be encrypted during transmission, and authentication for applications and systems must not be permitted over unencrypted channels or services.

26

Install anti-virus and anti-malware software on all equipment connected to the network used to Process MGI Personal Data, including servers and production and training desktops, to protect against potentially harmful viruses and malicious software applications.

 

 

27

Promptly communicate investigation results from incident response to senior management and to Personnel.

28

Supplier Personnel, including system administrators, operations staff, management and third parties, must undergo annual security training.

29

Supplier must practice backup and restore planning processes to protect Personal data from unauthorized use, access, system hijacking, and destruction.

 

Documentation demonstrating the response and recovery procedure.

 

Part F: Information Security Compliance

30

Supplier may not use MGI Environments or Confidential Information for development or testing of any system other than the MGI system specified in an Agreement, unless such additional use is specified in an Agreement.

 

 

31

Supplier may access, use and process Confidential Information only on behalf of MGI and only for the purposes specified in the Supplier’s Agreement with MGI, in compliance with these Standards and such further instructions as MGI may provide regarding the processing of such information.

 

 

32

The Supplier must store MGI physical assets in an access-controlled environment.

33

Anonymize all Personal Data used in a development or test environment.

 

 

34

Supplier Personnel are required to abide by MGI’s Facilities security requirements and directions.

 

 

35

Supplier Personnel may not access MGI Computers or Networks unless access is expressly authorized and supervised by MGI.

 

 

36

Access to areas where Confidential Information is stored or accessed must be restricted to authorized Supplier Personnel. Such areas must be situated away from public areas, and access must be restricted using reasonable access controls and authentication mechanisms.

Part G: Incident Reporting

37

Supplier must immediately report to MGI any security or other event that creates reasonable suspicion, as it applies to MGI Assets, of:

a) unauthorized access to PERSONAL DATA, Confidential Information or an Environment,

b) misappropriation or alteration of any PERSONAL DATA or Confidential Information, or

c) theft of, loss of or damage to MGI Assets. For information security or physical security events, e-mail miaojiye@genomics.cn

 

 

38

Supplier will take appropriate steps to immediately address any such incident, and will reasonably cooperate with MGI with respect to the investigation of such incident.

 

 

39

Supplier may not make or permit any public statements concerning any such incident which identify MGI without the explicit written authorization of MGI’s Legal Department.
