Landis+Gyr Cloud Security Terms
This document sets forth the technical and organizational measures that Landis+Gyr follows with respect to maintaining the high standard of information security in connection with the provision of services to customers.
Technical and Organizational Measures
Landis+Gyr maintains globally applicable policies, standards, and procedures intended to protect data and information within provided services. Without limiting the generality of the foregoing, Landis+Gyr has implemented and maintains appropriate technical and organizational measures, internal controls, and information security routines intended to protect information against accidental, unauthorized, or unlawful access, disclosure, alteration, loss, or destruction, as follows:
Organization of Information Security
- Security Ownership. Landis+Gyr has appointed a Chief Information Security Officer, who coordinates, monitors, and develops the global Information Security Management System.
- Security Roles and Responsibilities. Landis+Gyr has defined security roles and responsibilities within the global Information Security Organization.
- Risk Management Program. Landis+Gyr operates a risk management program to identify, assess, and treat information security risks across the organization.
Human Resources Security
- Screening. Landis+Gyr carries out background verification checks in accordance with relevant laws, regulations, and ethics. Verification checks are proportional to the business requirements, the classification of the information to be accessed and perceived risks.
- Terms and Conditions of Employment. The contractual agreements with employees and contractors state their and Landis+Gyr’s responsibilities for information security. Landis+Gyr informs its personnel about relevant security procedures, their respective roles, and the consequences of breaching the security rules and procedures.
- Management Responsibilities. Management requires all employees and contractors to apply information security in accordance with the established policies and procedures of Landis+Gyr.
- Information Security Awareness, Education and Training. All Landis+Gyr employees and, where relevant, contractors receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
- Disciplinary Process. There is a formal and communicated disciplinary process in place to act against employees who have committed an information security breach.
- Termination or Change of Employment Responsibilities. Information security responsibilities and duties that remain valid after termination or change of employment are defined, communicated to the employee or contractor and enforced.
Asset Management
- Inventory of Assets. Assets associated with information and information processing facilities are identified, and an inventory of these assets is drawn up and maintained.
- Ownership of Assets. Every asset maintained in the inventory has a designated owner.
- Acceptable Use of Assets. Rules for the acceptable use of information and of assets associated with information and information processing facilities are identified, documented and implemented.
- Return of Assets. All employees and external party users return all of the organizational assets in their possession upon termination of their employment, contract or agreement.
- Classification of Information. Information is classified in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification.
- Labelling of Information. An appropriate set of procedures for information labelling is developed and implemented in accordance with the information classification scheme adopted by Landis+Gyr.
- Handling of Assets. Procedures for handling assets are developed and implemented in accordance with the information classification scheme adopted by Landis+Gyr.
- Management of Removable Media. Procedures are implemented for the management of removable media in accordance with the classification scheme adopted by Landis+Gyr.
- Disposal of Media. Media are disposed of securely when no longer required, using formal procedures.
- Physical Media Transfer. Media containing information are protected against unauthorized access, misuse, or corruption during transportation.
Access Control
- Access Control Policy. An access control policy is established, documented, and reviewed based on business and information security requirements.
- Access to Networks and Network Services. Users are provided only with access to the network and network services that they have been specifically authorized to use.
- User Access Management:
- A formal user registration and de-registration process is implemented to enable assignment of access rights.
- A formal user access provisioning process is implemented to assign or revoke access rights for all user types to all systems and services.
- The allocation and use of privileged access rights is restricted and controlled.
- The allocation of secret authentication information is controlled through a formal management process.
- Asset owners review users’ access rights at regular intervals.
- The access rights of all employees and external party users to information and information processing facilities are removed upon termination of their employment, contract, or agreement, or adjusted upon change.
- User Responsibilities. Users are required to follow Landis+Gyr’s practices in the use of secret authentication information.
- System and Application Access Control
- Access to information and application system functions is restricted in accordance with the access control policy.
- Where required by the access control policy, access to systems and applications is controlled by a secure log-on procedure.
- Password management systems are interactive and enforce quality passwords.
- The use of utility programs that might be capable of overriding system and application controls is restricted and tightly controlled.
- Access to program source code is restricted.
Cryptography
- Policy on the Use of Cryptographic Controls. A policy on the use of cryptographic controls for protection of information is developed and implemented.
- Key Management. A policy on the use, protection, and lifetime of cryptographic keys is developed and implemented, covering the whole key lifecycle.
Physical and Environmental Security
- Physical Security Perimeter. Security perimeters are defined and used to protect areas that contain either sensitive or critical information and information processing facilities.
- Physical Entry Controls. Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
- Securing Offices, Rooms and Facilities. Physical security for offices, rooms, and facilities is designed and applied.
- Protecting against External and Environmental Threats. Physical protection against natural disasters, malicious attack, or accidents is designed and applied.
- Working in Secure Areas. Procedures for working in secure areas are designed and applied.
- Delivery and Loading Areas. Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises are controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
- Equipment is sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
- Equipment is protected from power failures and other disruptions caused by failures in supporting utilities.
- Power and telecommunications cabling carrying data or supporting information services are protected from interception, interference, or damage.
- Equipment is correctly maintained to ensure its continued availability and integrity.
- Equipment, information, or software is not taken off-site without prior authorization.
- Security is applied to off-site assets, taking into account the different risks of working outside Landis+Gyr’s premises.
- All items of equipment containing storage media are verified to ensure that any sensitive data and licensed software have been removed or securely overwritten prior to disposal or re-use.
- Users ensure that unattended equipment has appropriate protection.
- A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities is adopted.
Operations Security Management
- Documented Operating Procedures. Operating procedures are documented and made available to all users who need them.
- Change Management. Changes to the organization, business processes, information processing facilities and systems that affect information security are controlled.
- Capacity Management. The use of resources is monitored, tuned and projections made of future capacity requirements to ensure the required system performance.
- Separation of development, testing, and operational environments. Development, testing, and operational environments are separated to reduce the risks of unauthorized access or changes to the operational environment.
- Protection against Malware. Detection, prevention, and recovery controls to protect against malware are implemented, combined with appropriate user awareness.
- Information Backup. Backup copies of information, software and system images are taken and tested regularly in accordance with an agreed backup policy.
- Event Logging. Event logs recording user activities, exceptions, faults, and information security events are produced, kept and regularly reviewed.
- Protection of Log Information. Logging facilities and log information are protected against tampering and unauthorized access.
- Administrator and Operator Logs. System administrator and system operator activities are logged, and the logs protected and regularly reviewed.
- Clock Synchronization. The clocks of all relevant information processing systems within Landis+Gyr or a security domain are synchronized to a single reference time source.
- Control of Operational Software. Procedures are implemented to control the installation of software on operational systems.
- Technical Vulnerability Management. Information about technical vulnerabilities of the information systems in use is obtained in a timely fashion, Landis+Gyr’s exposure to such vulnerabilities is evaluated, and appropriate measures are taken to address the associated risk.
- Restrictions on Software Installation. Rules governing the installation of software by users are established and implemented.
- Information Systems Audit Controls. Audit requirements and activities involving verification of operational systems are carefully planned and agreed to minimise disruptions to business processes.
Communications Security
- Network Controls. Networks are managed and controlled to protect information in systems and applications.
- Security of Network Services. Security mechanisms, service levels and management requirements of all network services are identified and included in network services agreements, whether these services are provided in-house or outsourced.
- Segregation in Networks. Groups of information services, users and information systems are segregated on networks.
- Information Transfer Policies and Procedures. Formal transfer policies, procedures and controls are in place to protect the transfer of information using all types of communication facilities.
- Agreements on Information Transfer. Agreements address the secure transfer of business information between Landis+Gyr and external parties.
- Electronic Messaging. Information involved in electronic messaging is appropriately protected.
- Confidentiality or Nondisclosure Agreements. Requirements for confidentiality or non-disclosure agreements reflecting Landis+Gyr’s needs for the protection of information are identified, regularly reviewed, and documented.
System Acquisition, Development and Maintenance
- Information Security Requirements Analysis and Specification. The information security related requirements are included in the requirements for new information systems or enhancements to existing information systems.
- Securing Application Services on Public Networks. Information involved in application services passing over public networks is protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.
- Protecting Application Services Transactions. Information involved in application service transactions is protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay.
- Security in Development and Support Process:
- Rules for the development of software and systems are established and applied to developments within Landis+Gyr.
- Changes to systems within the development lifecycle are controlled using formal change control procedures.
- When operating platforms are changed, business critical applications are reviewed and tested to ensure there is no adverse impact on organizational operations or security.
- Modifications to software packages are discouraged, limited to necessary changes, and strictly controlled.
- Principles for engineering secure systems are established, documented, maintained, and applied to all information system implementation efforts.
- Secure development environments covering the entire system development lifecycle are established and appropriately protected for system development and integration efforts.
- Landis+Gyr supervises and monitors the activity of outsourced system development.
- Testing of security functionality is carried out during development.
- Acceptance testing programs and related criteria are established for new information systems, upgrades, and new versions.
- Test Data. Test data are selected carefully, protected, and controlled.
Supplier Relationships
- Information Security Policy for Supplier Relationships. Information security requirements for mitigating the risks associated with suppliers’ access to Landis+Gyr’s assets are agreed with the supplier and documented.
- Addressing Security within Supplier Agreements. All relevant information security requirements are established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, Landis+Gyr’s information.
- Information and Communication Technology Supply Chain. Agreements with suppliers will include requirements to address the information security risks associated with information and communications technology services and product supply chain.
- Monitoring and Review of Supplier Services. Landis+Gyr monitors, reviews and audits supplier service delivery.
- Managing Changes to Supplier Services. Changes to the provision of services by suppliers, including changes that maintain or improve existing information security policies, procedures, and controls, are managed taking account of the criticality of the business information, systems, and processes involved, and the risks are re-assessed.
Information Security Incident Management
- Responsibilities and Procedures. Management responsibilities and procedures are established to ensure a quick, effective and orderly response to information security incidents.
- Reporting Information Security Events. Information security events are reported through appropriate management channels as quickly as possible, and no later than 36 hours after the event is confirmed.
- Notifying Customers about Security Incidents. Customers are notified without undue delay of confirmed security incidents that affect them or their data and systems.
- Reporting Information Security Weaknesses. Employees and contractors using Landis+Gyr’s information systems and services are required to note and report any observed or suspected information security weaknesses in systems or services.
- Assessment of and Decision on Information Security Events. Information security events are assessed to decide whether they are to be classified as information security incidents.
- Response to Information Security Incidents. Information security incidents are responded to in accordance with the documented procedures.
- Learning from Information Security Incidents. Knowledge gained from analysing and resolving information security incidents is used to reduce the likelihood or impact of future incidents.
- Collection of Evidence. Landis+Gyr defines and applies procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.
Business Continuity Management
- Planning Information Security Continuity. Landis+Gyr determines its requirements for information security and the continuity of information security management in adverse situations, e.g., during a crisis or disaster.
- Implementing Information Security Continuity. Landis+Gyr establishes, documents, implements, and maintains processes, procedures, and controls to ensure the required level of continuity for information security during an adverse situation.
- Verify, Review and Evaluate Information Security Continuity. Landis+Gyr verifies the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
- Availability of Information Processing Facilities. Information processing facilities are implemented with redundancy sufficient to meet availability requirements.
Compliance with Legal and Contractual Requirements
- Identification of Applicable Legislation and Contractual Requirements. All relevant legislative, statutory, regulatory, and contractual requirements, and Landis+Gyr’s approach to meeting them, are explicitly identified, documented, and kept up to date for each information system and for Landis+Gyr itself.
- Intellectual Property Rights. Appropriate procedures are implemented to ensure compliance with legislative, regulatory, and contractual requirements related to intellectual property rights and the use of proprietary software products.
- Protection of Records. Records are protected from loss, destruction, falsification, unauthorized access, and unauthorized release, in accordance with legislative, regulatory, contractual, and business requirements.
- Privacy and Protection of Personally Identifiable Information. Privacy and protection of personally identifiable information is ensured as required by relevant legislation and regulation where applicable.
- Regulation of Cryptography Controls. Cryptographic controls are used in compliance with all relevant agreements, legislation, and regulations.
- Independent Review of Information Security. Landis+Gyr’s approach to managing information security and its implementation (i.e., control objectives, controls, policies, processes, and procedures for information security) is reviewed independently at planned intervals or when significant changes occur.
- Compliance with Security Policies and Standards. Managers review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards, and any other security requirements.
- Technical Compliance Review. Information systems are regularly reviewed for compliance with Landis+Gyr’s information security policies and standards.