Baseline Information Security and Privacy Requirements for Suppliers

Vendors must maintain an automated audit trail that documents system security events and all change management events that result in access, modification, and/or deletion of N-compatible sensitive information. The audit trail must record at least the following information for each event:

Vendors must implement a set of multi-layered security controls to logically isolate and segment N-compatible sensitive information in a hosted environment. Mechanisms to ensure adequate isolation and segmentation must be implemented at the network, operating system and application level.

Vendors must ensure that these systems and other resources are properly hardened in accordance with security best practices to establish a secure information system baseline, including, but not limited to, removing or disabling unused network ports, protocols, and services, and installing malware, antivirus, and host-based firewall protection technologies.

"Personal Data" as defined in the European Union's General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and other applicable global information security and data protection laws means any information relating to an identified or identifiable natural person. An identifiable person is a person who can be identified, directly or indirectly, by reference to an identification number or to one or more specific characteristics of his or her physical, physiological, mental, economic, cultural or social identity. Examples include, but are not limited to: full name (including prefix and suffix), personal identification number (PIN) or password, payment card information or related numbers (e.g., CVV number), bank account information, email addresses, phone number, physical address, proof of health information (e.g. previous processing) or health requirements, travel documents such as driver's license number, national or state identification number, passport number, citizenship, residence, date of birth, sexual orientation, religion, trade union membership, social security number or visa number, criminal record, biometric or genetic data.

Upon termination of the Agreement, or at any time prior to the reuse of media used to store or process N-compatible confidential information, the media must be deleted (with a DoD-compliant 7-pass erase) or deleted in accordance with NIST SP 800-88. If the media is to be destroyed, the seller must provide N-able with a certificate of destruction. Prior to such destruction, the Provider shall comply with all applicable technical and organizational security measures to protect the security, privacy and confidentiality of N-compatible confidential information.

Another limitation of traditional third-party cybersecurity assessments is that they only capture a point-in-time view of a vendor's performance. Between annual assessments, vulnerabilities can arise in a third party's IT infrastructure and put your business at risk.

Basic security and privacy requirements for providers

If you have any questions that are not covered by the following information, please contact your local vendor service center.

Any provider that has access to N-compatible data classified as personal data or higher is expected to demonstrate its security policies, processes and procedures and demonstrate its ability to ensure adequate protection of such data, including against misuse or compromise. The following sections describe the requirements that providers must meet when collecting, using or processing personal data when providing services or business with N-able.

Vendors must develop, operate, manage and revise business continuity and disaster recovery (BCP/DR) plans. These plans include BCP/DR roles and responsibilities, established recovery time and recovery point objectives, daily data and system backups, offsite storage of media and backup records, record protection, and contingency plans in accordance with the requirements of the agreement. Suppliers must keep these plans securely off-site and ensure that these plans are available to the supplier when needed.

But relationships with third-party providers also carry cybersecurity risks. To reduce this risk, you need to hold vendors accountable to a cybersecurity baseline. But what is an appropriate baseline, and how can you stick to it without depleting your resources?

Providers must ensure that secure configurations of information systems that access N-compatible sensitive information are developed, documented and maintained.
