Exhibit 2 - Security Controls
IBackup will implement the controls listed below or their equivalent during the term of this DPA:
1. Access Controls. Data Processor will implement suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment. This will be accomplished by:
- Access authorization for employees and third parties
- Keycards and passes
- Restriction on keys
- Requirements for third parties
- Identification of the persons having authorized access
- Protection and restriction of entrances and exits
- Establishing security areas
- Securing the building (e.g., security alarm systems)
2. Access Control to Data. Data Processor commits that persons entitled to use the data processing systems will only access Customer Personal Data within the scope and to the extent covered by the respective access permissions/authorization.
- Locking of workstations
- Requirements for user authorization
- Confidentiality obligations
- Controlling destruction of data media
- Processes for the development and release of programs
3. User Controls. Data Processor will implement suitable measures to prevent its data processing systems from being used by unauthorized persons including unauthorized reading, copying, alteration, or removal of the stored data and data media. This will be accomplished by:
- Access authorization requirements
- Logging of events and activities
- Dedicated workstations and/or users
- Authenticating authorized personnel
- Use of encryption where deemed appropriate by Processor
- Controlling removal of data media
- Securing areas in which data media are located
- Authentication requirements, including strong passwords and periodic change of passwords
- Disabling of inactive accounts within 60 days
- If a session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session.
- Remote Access authentication requirements.