This chapter describes the technical and organizational measures implemented by oculavis SHARE Software, oculavis SHARE Apps and the development company oculavis GmbH. These measures are binding and apply to all cases of data processing activities. The implemented measures take into account the state of the art according to guidelines/policies of the Federal Office for Information Security (BSI) and the recommendations of the IT Security Association Germany. The data protection officer of oculavis GmbH assures the fulfilment of TOM and guarantees in the long run that the selected technical and organizational measures for the present data processing by oculavis GmbH will remain in force.
oculavis is ISO 27001 certified; furthermore, oculavis’ hosting providers hold several certifications, see also:
We currently support the following hosting providers with the appropriate technical and organizational security measures:
Internal privacy and IT security policies (based on the ISMS ISO 27001 Norm), including procedures under applicable laws and regulations, are implemented and regularly (in general on an annual basis) reviewed and updated, as necessary.
Based on ISO 27001 requirements, our policies and regulations are audited by an external auditor on an annual basis.
Based on risk management, internal systems and their responsible parties are additionally monitored and audited.
A compliance audit, conducted at least yearly, verifies adherence to the relevant standards, regulations, legal/contractual, and statutory requirements.
oculavis implements a formal and documented audit management process to support audit planning, risk analysis, security control assessments, conclusions, remediation schedules, report generation, and reviews of past reports.
Based on the formal audit process, oculavis maintains a risk-based corrective action plan to remediate audit findings in a documented way. This also includes the involvement of all relevant stakeholders.
Based on ISO 27001 requirements, our policies and regulations are audited by an external auditor on an annual basis. Application security policies and procedures are established, documented, approved, communicated, applied, evaluated, and maintained to guide appropriate planning, delivery, and support of the organization’s application security capabilities. Similarly, application security policies and procedures are reviewed and updated at least annually.
Based on ISO 27001, baseline requirements to secure different applications are established, documented, and maintained.
Based on ISO 27001, technical and operational metrics are defined and implemented according to business objectives, security requirements, and compliance obligations.
Based on ISO 27001, an SDLC process is defined and implemented for application design, development, deployment, and operation according to the organization’s security requirements.
The testing strategy outlines criteria for accepting new information systems, upgrades, and new versions while ensuring application security, compliance adherence, and organizational speed-of-delivery goals. Testing is automated where applicable and possible. Internal penetration tests are carried out before new releases of the software products. Internal audit documents are not freely available, but any fixed vulnerabilities found are documented in the release notes.
Strategies and capabilities are established and implemented to deploy application code in a secure, standardized, and compliant manner. The deployment and integration of application code is automated where possible.
The remediation of application security vulnerabilities follows defined processes and is automated where possible.
Based on the business impact analysis, a framework for planning the business continuity and a business continuity plan is introduced, documented and applied with clear roles & responsibilities, defined communication channels, restoration procedures & recovery time targets, temporary intermediate solutions and improvement processes as well as integration of the incident management.
A risk management system has been implemented which regularly (in general on an annual basis) analyzes risks and weaknesses, derives suitable measures, and monitors the overall status (PDCA cycle). Key stakeholders are involved within the risk assessment with clear responsibilities.
The overall business continuity management (BCM) strategy involves planning, implementing, and testing the business continuity concept as well as incorporating safeguards to ensure and maintain operations including regularly (in general on an annual basis) verification, reviews, and updates.
Operational resilience strategies and capability results are incorporated to establish, document, approve, communicate, apply, evaluate, and maintain a business continuity plan.
Based on ISO 27001, relevant documentation is developed, identified, and acquired to support business continuity and operational resilience plans. Moreover, business continuity and operational resilience documentation is available to authorized stakeholders and is reviewed regularly.
The business continuity and operational resilience plans are exercised and tested at least annually and when significant changes are applied. All BCM exercises are documented.
Business continuity and resilience procedures establish communication with stakeholders and participants during the management review meeting.
Cloud data is periodically backed up; the confidentiality, integrity, and availability of backup data is ensured, and backups can be restored appropriately for resiliency. Backup and recovery policies and procedures are implemented. The servers and databases are regularly backed up and checked in accordance with the SLA.
SLA Basic: Weekly backup of the oculavis’ software products with a retention period of 4 weeks.
SLA Standard/Premium: Daily backup of the oculavis’ software products with a retention period of 7 days. Weekly backup of the oculavis’ software products with a retention period of 4 weeks. Monthly backup of the oculavis’ software products with a retention period of 12 months. Older backups are deleted step by step.
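The two SLA schedules above are a grandfather-father-son scheme: the newest N backups of each tier are kept and everything older is pruned. The following is an added illustration of that pruning logic, not oculavis’ own tooling. The tier counts come from the page; the assumptions are that one backup exists per calendar day, that the weekly backup is the one taken on Sunday, and that the monthly backup is the one taken on the 1st of the month.

```python
"""Grandfather-father-son retention for the backup schedules in the SLA text.

Added illustration, not oculavis tooling. Tier counts are taken from the page
(Basic: 4 weekly; Standard/Premium: 7 daily, 4 weekly, 12 monthly). Assumed:
every calendar day has a backup, Sunday's backup is the weekly one and the
backup of the 1st is the monthly one.
"""
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set, Tuple

SLA_BASIC: Dict[str, int] = {"weekly": 4}
SLA_STANDARD: Dict[str, int] = {"daily": 7, "weekly": 4, "monthly": 12}


def tiers_for(d: date) -> Set[str]:
    """Retention tiers a backup taken on day d counts toward."""
    tiers = {"daily"}
    if d.weekday() == 6:  # assumption: Sunday's backup is the weekly one
        tiers.add("weekly")
    if d.day == 1:        # assumption: the backup of the 1st is the monthly one
        tiers.add("monthly")
    return tiers


def plan_retention(backup_dates: Iterable[date],
                   policy: Dict[str, int]) -> Tuple[List[date], List[date]]:
    """Split backups into (keep, delete) under a keep-newest-N-per-tier policy.

    A backup survives if it is among the newest N of any tier it qualifies
    for; everything else is eligible for deletion ("deleted step by step").
    """
    dates = set(backup_dates)
    keep: Set[date] = set()
    for tier, count in policy.items():
        eligible = sorted((d for d in dates if tier in tiers_for(d)), reverse=True)
        keep.update(eligible[:count])
    delete = sorted(dates - keep)
    return sorted(keep), delete


def daily_backups(first: date, last: date) -> List[date]:
    """Constructed sample input: one backup per day, first..last inclusive."""
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]


def sample_plan(policy: Dict[str, int]) -> Tuple[List[date], List[date]]:
    """Constructed scenario: daily backups for 1 Jan 2024 through 31 Mar 2024."""
    return plan_retention(daily_backups(date(2024, 1, 1), date(2024, 3, 31)), policy)


if __name__ == "__main__":
    keep, delete = sample_plan(SLA_STANDARD)
    print(f"Standard/Premium: keep {len(keep)}, delete {len(delete)}")
    for d in keep:
        print(d.isoformat(), sorted(tiers_for(d)))
```

Running the constructed scenario under the Standard/Premium policy keeps 13 of 91 backups: the last seven days, the last four Sundays (one of which is also among the last seven days) and the three monthly backups; the Basic policy keeps only the last four Sundays. The key point for a reviewer of a backup policy is that "retention period of 7 days" for the daily tier does not delete a Sunday or a 1st-of-month backup, because those are also held by the weekly and monthly tiers.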
A disaster response plan defines how to act immediately in case of an incident. After a security/data privacy incident has been identified, the incident is documented, analyzed, and evaluated. Measures are then taken, and in the event of a customer-relevant incident, the customer is informed of the incident and the measures via email/phone within 24 hours.
The emergency response plan is exercised annually or when significant changes occur; where applicable, local emergency authorities are included in the exercise if possible.
Business-critical equipment is supplemented with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards.
A formal change management process exists at oculavis GmbH, especially in the area of software development and deployment (customer instances). Requests for changes are formally entered in the backlog via the product owner. This is followed by a priority assessment, a technical classification and security assessment of the change, and a rough time estimate. Changes implemented are developed/deployed and intensively tested within sprints and there is a formal review process, especially for security-related changes.
A defined quality change control, approval and testing process (with established baselines, testing, and release standards) is followed.
Risks associated with changing organizational assets (including applications, systems, infrastructure, configuration, etc.) are managed, regardless of whether asset management occurs internally or externally (i.e., outsourced).
The unauthorized addition, removal, update, and management of organization assets is restricted and only performed by authorized employees.
Provisions that limit changes directly impacting customers’ environments and that require customers to authorize such requests explicitly are included in the service level agreements (SLAs) between oculavis and customers.
Change management baselines are established for all relevant authorized changes to organizational assets, in alignment with ISO 27001.
Detection measures are implemented with proactive notification if changes deviate from established baselines.
oculavis has implemented an emergency change process for exception management.
Based upon our backup policy, a process to proactively roll back changes to a previously known “good state” is defined and implemented in case of errors or security concerns.
oculavis GmbH has a key and certificate management concept with a clear authorization/generation concept that follows BSI recommendation TR-02102. Within projects, oculavis follows the cryptographic requirements specified in BSI TR-03116. The key generation and CSR process is integrated into the automated deployment of the software products, which is configured by the software’s administrators group. All access to confidential keying material or certificates is controlled by the data protection officer.
Cryptography, encryption, and key management roles and responsibilities are defined and implemented based on the need to know principle.
Use of encryption to store personal and confidential data. Encryption of personal data during transport on mobile data carriers (laptops, desktop computers, hard disks, USB sticks) is also implemented following approved encryption algorithms.
oculavis uses salted SHA-256 hash values for storing passwords. (Virtual) disks and backups are encrypted using the AES-256 encryption algorithm.
Standard change management procedures are established to review, approve, implement, and communicate cryptography, encryption, and key management technology changes that accommodate internal and external sources.
Changes to cryptography, encryption and key management related systems, policies, and procedures are managed and adopted in a manner that fully accounts for downstream effects of proposed changes, including residual risk, cost, and benefits analysis.
Cryptography, encryption, and key management are part of the oculavis risk management process.
The cloud service providers used by oculavis give oculavis the ability to manage its own data encryption keys.
Encryption and key management systems, policies, and processes are audited with a frequency proportional to the system’s risk exposure, and after any security event. Audit is done at least annually.
Cryptographic keys are generated using industry-accepted and approved cryptographic libraries that specify algorithm strength and random number generator specifications.
Private keys are provisioned for a unique purpose.
Private keys are rotated based on a cryptoperiod calculated while considering information disclosure risks and legal and regulatory requirements.
Cryptographic keys are revoked and removed before the end of the established cryptoperiod (when a key is compromised, or an entity is no longer part of the organization) per defined, implemented, and evaluated processes, procedures, and technical measures to include legal and regulatory requirement provisions.
Processes, procedures, and technical measures to destroy unneeded keys are defined, implemented, and evaluated.
Processes, procedures, and technical measures to create keys are being defined, implemented, and evaluated to include legal and regulatory requirement provisions.
Processes, procedures, and technical measures to monitor, review and approve key transitions (e.g., from any state to/from suspension) are being defined, implemented, and evaluated to include legal and regulatory requirement provisions.
Processes, procedures, and technical measures to deactivate keys (at the time of their expiration date) are being defined, implemented, and evaluated to include legal and regulatory requirement provisions.
If needed, encryption keys are archived. Processes, procedures, and technical measures to manage archived keys are being defined.
Processes, procedures, and technical measures to handle compromised keys are implemented and included in oculavis’ risk management.
Backup processes, procedures, and technical measures to assess operational continuity risks are being defined, implemented, and evaluated.
Key management system processes, procedures, and technical measures are being defined, implemented, and evaluated to track and report all cryptographic materials and status changes that include legal and regulatory requirement provisions.
Encryption during the online transmission of personal data: video streams are encrypted, and connections to the oculavis SHARE software platform are encrypted (DTLS 1.2, SRTP, HTTPS, TLS 1.2).
Policies and procedures are established, documented, approved, communicated, enforced, evaluated, and maintained for the classification, protection, and handling of data throughout its lifecycle according to all applicable laws and regulations, standards, and risk level. Internal privacy and IT security policies (based on the ISMS ISO 27001 Norm), including procedures under applicable laws and regulations, are implemented and regularly (in general on an annual basis) reviewed and updated, as necessary.
Industry-accepted methods are applied for secure data disposal from storage media so information is not recoverable by any forensic means.
Use of encryption to store personal data. Passwords are stored as salted SHA-256 hashes. Databases and customer data in the file system are encrypted (AES-256). Backups are also encrypted (AES-256). Regular internal audits (in general on an annual basis) verify compliance with data protection and IT security policies and assess whether they are appropriate to ensure the protection of personal data. Internal penetration tests are carried out before new releases of oculavis’ software products. Internal audit documents are not freely available, but any fixed vulnerabilities found are documented in the release notes.
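The password storage scheme stated in the cryptography and data security sections above (a salted SHA-256 hash per password) is illustrated below. This is an added example, not oculavis’ code; the record format `sha256$<salt-hex>$<digest-hex>`, the salt length and the function names are assumptions. It shows the two properties a reviewer checks for: a fresh random salt per password, so identical passwords produce different records and precomputed hash tables are useless, and a constant-time comparison on verification.

```python
"""Salted SHA-256 password storage as described in the TOM text.

Added illustration, not oculavis code: the record format
'sha256$<salt-hex>$<digest-hex>', the salt length and the function names are
assumptions. A fresh random salt per password means two users with the same
password store different records; verification recomputes the hash with the
stored salt and compares it in constant time.
"""
import hashlib
import hmac
import secrets
from typing import Optional

SALT_BYTES = 16  # assumption: 128-bit per-password salt


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'sha256$<salt-hex>$<digest-hex>'; a new salt is drawn if none is given."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the salted hash for the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, _digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:  # malformed record: wrong field count or non-hex salt
        return False
    if scheme != "sha256":
        return False
    candidate = hash_password(password, salt)
    # constant-time comparison avoids leaking how many characters matched
    return hmac.compare_digest(candidate, stored)


def same_password_different_records(password: str) -> bool:
    """Storing the same password twice must yield different records (fresh salt)."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("wrong", record))
```

The example keeps exactly the scheme the page states. One caveat a practitioner would add when reviewing such a measure: SHA-256 is a fast hash, so an attacker who obtains the records can test candidate passwords very quickly; current OWASP and NIST guidance therefore recommends a deliberately slow or memory-hard password hashing function (Argon2, scrypt, bcrypt or PBKDF2 with a high iteration count) on top of the per-password salt.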
Data is classified according to type and sensitivity levels. All employees are aware of the data classification and of the handling procedure.
Data flow documentation is created to identify what data is processed and where it is stored and transmitted. The documentation is reviewed at defined intervals, at least annually, and after any change.
The ownership and stewardship of all relevant personal and sensitive data is documented in an asset inventory and reviewed at least annually.
Systems, products, and business practices are based on security principles by design and per industry best practices.
oculavis has appointed a data protection officer for implementing, monitoring and advising data protection topics.
A data protection impact assessment (DPIA) is conducted when processing personal data and evaluating the origin, nature, particularity, and severity of risks according to any applicable laws, regulations and industry best practices. Processes, procedures, and technical measures are defined, implemented, and evaluated to ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope (as permitted by respective laws and regulations).
Processes, procedures, and technical measures are defined, implemented, and evaluated to enable data subjects to request access to, modify, or delete personal data (per GDPR). Processes, procedures, and technical measures are defined, implemented, and evaluated to ensure personal data is processed (per applicable laws and regulations and for the purposes declared to the data subject).
Processes, procedures, and technical measures are defined, implemented, and evaluated for the transfer and sub-processing of personal data (according to GDPR regulations). Processes, procedures, and technical measures are defined, implemented, and evaluated to disclose details to the data owner of any personal or sensitive data access by sub-processors before processing initiation.
Access to personal (customer) data by oculavis employees is subject to corresponding confidentiality obligations (employment contract and confidentiality agreement, in particular with regard to handling customer data). oculavis stores personal data only as required for its business operations. Customer data is accessed only after obtaining the customer’s consent and under the four-eyes principle.
A deletion concept has been implemented which enforces retention periods for personal data. No automatic or semi-automatic deletion of personal data takes place during the contract period. At the end of the contract, the customer is given the opportunity to export data from their oculavis SHARE software platform. All personal data is deleted and/or destroyed in a controlled manner at the end of the retention period (usually 90 days) or at the request of the customer. Log files are deleted after 30 days.
Authorization from data owners is obtained, and the associated risk is managed, before replicating or using production data in non-production environments. Data retention, archiving, and deletion practices follow business requirements, applicable laws, and regulations.
Processes, procedures, and technical measures are defined and implemented to protect sensitive data throughout its lifecycle as per GDPR.
oculavis’ cloud service providers describe to oculavis the procedure for managing and responding to requests for disclosure of personal data by law enforcement authorities according to applicable laws and regulations.
Processes, procedures, and technical measures are defined and implemented to specify and document physical data locations, including locales where data is processed or backed up.
Information governance program policies and procedures sponsored by organizational leadership are established, documented, approved, communicated, applied, evaluated, and maintained and updated at least annually.
oculavis has an established formal, documented, and leadership-sponsored enterprise risk management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks.
An annual review, assessment, and evaluation of the effectiveness of the technical and organizational measures is performed, together with an annual review of compliance with the data protection and IT security guidelines by the data protection and IT security officer.
An approved exception process is mandated by the governance program established at oculavis and followed whenever a deviation from an established policy occurs.
New employees receive initial information security training through workshops on IT security and data protection.
Roles and responsibilities for planning, implementing, operating, assessing, and improving governance programs are defined and documented.
Based on ISO 27001, all relevant standards, regulations, legal/contractual, and statutory requirements are identified and documented at oculavis.
At oculavis, contact is established and maintained with cloud-related special interest groups and other relevant entities.
Background verification policies and procedures of all new employees (including but not limited to remote employees, contractors, and third parties) are established, documented, approved, communicated, applied, evaluated, and maintained.
Background verification policies and procedures are designed according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, business requirements, and acceptable risk. Background verification policies and procedures are reviewed and updated at least annually.
Policies and procedures defining allowances and conditions for the acceptable use of organizationally owned or managed assets are established, documented, approved, communicated, applied, evaluated, maintained, and updated at least annually.
Policies and procedures requiring unattended workspaces to conceal confidential data are established, documented, approved, communicated, applied, evaluated, maintained, and updated at least annually.
Policies and procedures to protect information accessed, processed, or stored at remote sites and locations are established, documented, approved, communicated, applied, evaluated, maintained, and updated at least annually.
Return procedures of organizationally owned assets by terminated employees are established and documented.
All oculavis employees are bound by contractual obligations (confidentiality agreement) in the handling of customer data.
Procedures outlining the roles and responsibilities concerning changes in employment are established, documented, and communicated to all personnel.
Employees are required to sign an employment agreement before gaining access to organizational information systems, resources, and assets.
Provisions and/or terms for adherence to established information governance and security policies are included within employment agreements.
Employee roles and responsibilities relating to information assets and security are documented and communicated.
Requirements for non-disclosure/confidentiality agreements reflecting organizational data protection needs and operational details are identified, documented, and reviewed at planned intervals.
Regular training of employees in the areas of data protection and IT security through bi-weekly company meetings on the subject of IT security and data protection.
Employees are notified of their roles and responsibilities to maintain awareness of and compliance with established policies, procedures, and applicable legal, statutory, or regulatory compliance obligations.
Access to personal (customer) data by oculavis employees is subject to corresponding confidentiality obligations (employment contract and confidentiality agreement, in particular about handling customer data).
Strong password policies and procedures are established, documented, approved, communicated, implemented, applied, evaluated, maintained, and updated at least annually.
System identity information and levels of access are managed, stored, and reviewed.
The separation of duties principle is employed when implementing information system access.
Authorizations and accesses are assigned and granted based on the need-to-know principle, taking into account the sensitivity and criticality of data processing, and the employee’s responsibilities within the company.
A user access provisioning process is defined and implemented which authorizes, records, and communicates data and assets access changes.
A process is in place to de-provision or modify the access, in a timely manner, of movers / leavers or system identity changes, to effectively adopt and communicate identity and access management policies.
Reviews and revalidation of user access for least privilege and separation of duties are completed with a frequency commensurate with organizational risk tolerance.
Processes, procedures, and technical measures for the segregation of privileged access roles are defined, implemented, and evaluated such that administrative data access, encryption, key management capabilities, and logging capabilities are distinct and separate.
An access process is defined and implemented to ensure privileged access roles and rights are granted for a limited period. Procedures are implemented to prevent the culmination of segregated privileged access.
Processes, procedures, and technical measures to ensure the logging infrastructure is “read-only” for all (including privileged access roles) are defined, implemented, and evaluated. The ability to disable the “read-only” configuration of the logging infrastructure is controlled through a procedure that ensures the segregation of duties.
Processes, procedures, and technical measures that ensure users are identifiable through unique identification (or can associate individuals with user identification usage) are defined, implemented, and evaluated.
Processes, procedures, and technical measures for authenticating access to systems, applications, and data assets, including multi-factor authentication for least-privileged users and sensitive data access, are defined, implemented, and evaluated. Digital certificates, or alternatives that achieve an equivalent security level, are adopted for system identities.
Processes, procedures, and technical measures for the secure management of passwords are defined, implemented, and evaluated.
Processes, procedures, and technical measures to verify access to data and system functions are authorized, defined, implemented, and evaluated.
Resource availability, quality, and capacity are planned and monitored in a way that delivers required system performance, as determined by the business.
Communications between environments are monitored and encrypted. The protection of the internal network against unauthorized access is ensured by a security gateway with firewall and IDS module. Network configurations are reviewed at least annually and supported by the documented justification of all allowed services, protocols, ports, and compensating controls.
The software platform for each client runs on its own customer instance and is completely isolated from other customer instances. Furthermore, the platform is divided into modules and deployed as Docker containers (sandbox concept), so that the individual modules (database, frontend, backend) are additionally isolated from each other.
Strict separation of test/development data/platforms and production data/platforms. Only the software’s Administrators Group has access to the customer instances (production environment) and only for backup, update, or data recovery purposes. Anomalies in the access are handled by the Incident Management of oculavis.
oculavis has implemented secure and encrypted communication channels, and only up-to-date and approved protocols are used when migrating servers, services, applications, or data to cloud environments.
High-risk environments are identified and documented.
Processes, procedures, and defense techniques are defined, implemented, and evaluated for protection, detection, and timely response to network-based attacks.
Assets associated with information and information processing facilities are identified and an inventory of these assets is drawn up with clear responsibilities and regularly (in general on an annual basis) maintained. All information is classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification. A set of procedures for information labelling and handling is implemented according to the information classification scheme.
Logging and monitoring policies and procedures are established, documented, approved, communicated, applied, evaluated, maintained and updated at least annually.
All data accesses to client instances are logged in pseudonymized form with timestamps. Log files can only be viewed by administrators and are protected against unauthorized manipulation. The assignment of authorizations is documented in detail by full name. The data protection officer monitors the authorized persons’ accesses to client instances. Log files in the background of the software document system adjustments and serve to prevent error states, detect potential attacks on the system, and ensure traceability of system activities.
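The paragraph above states the measure (pseudonymized, timestamped access logging that still lets the data protection officer trace who accessed a client instance) without saying how pseudonymization is done. The following is an added illustration of one common way to satisfy it, not oculavis’ code: each user id is replaced in the log by a keyed HMAC-SHA256 pseudonym, the key is kept with the DPO and away from the log store, and every record carries a UTC ISO 8601 timestamp. The scheme, the record fields and all names are assumptions.

```python
"""Pseudonymized, timestamped access-log entries for a customer instance.

Added illustration, not oculavis code. The page states that data accesses on
client instances are logged pseudonymously with timestamps; the scheme used
here (keyed HMAC-SHA256 pseudonyms, key held away from the log store), the
record fields and all names are assumptions.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Iterable, Optional

# Assumption: the key lives in a secret store under the DPO's control and is
# never stored next to the logs, so a log reader cannot recompute pseudonyms.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo value


def pseudonymize(user_id: str, key: bytes = DEMO_KEY) -> str:
    """Stable pseudonym: same user id under the same key always maps to the same value."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def access_record(user_id: str, instance: str, action: str, resource: str,
                  when: Optional[datetime] = None, key: bytes = DEMO_KEY) -> dict:
    """Build one log record; the raw user id never appears in it."""
    when = when or datetime.now(timezone.utc)
    return {
        "ts": when.isoformat(timespec="seconds"),  # UTC, ISO 8601
        "instance": instance,
        "actor": pseudonymize(user_id, key),
        "action": action,
        "resource": resource,
    }


def to_log_line(record: dict) -> str:
    """One JSON object per line; sorted keys keep lines comparable."""
    return json.dumps(record, sort_keys=True)


def resolve_pseudonym(pseudonym: str, candidates: Iterable[str],
                      key: bytes = DEMO_KEY) -> Optional[str]:
    """Re-identification is possible only for the key holder, by testing known ids."""
    for uid in candidates:
        if hmac.compare_digest(pseudonymize(uid, key), pseudonym):
            return uid
    return None


def sample_line() -> str:
    """Constructed example: an administrator reads a case on instance 'customer-a'."""
    when = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    return to_log_line(access_record("admin@example.com", "customer-a",
                                     "read", "case/42", when))


if __name__ == "__main__":
    line = sample_line()
    print(line)
    actor = json.loads(line)["actor"]
    print("DPO resolves actor to:", resolve_pseudonym(actor, ["admin@example.com"]))
```

Two properties matter for the measure described: the log line itself contains no directly identifying value, so administrators who read logs see only pseudonyms, while the DPO, holding the key, can still attribute a pseudonym to a named authorized person by recomputing it. A plain unkeyed hash would not give the first property, since anyone could hash the short list of authorized user ids and match them against the log.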
Processes, procedures, and technical measures are defined, implemented, and evaluated to ensure audit log security and retention. The data protection officer monitors the authorized persons’ accesses to client instances.
Security-related events are identified and monitored within applications and the underlying infrastructure. A process is defined and implemented to communicate alerts to responsible stakeholders based on security events and their corresponding metrics.
Access to audit logs is restricted to authorized personnel, and records are maintained to provide unique access accountability.
Security audit logs are monitored to detect activity outside of typical or expected patterns. A process is established and followed to review and take appropriate and timely action on detected anomalies.
A reliable time source is used across all relevant information processing systems.
The information system protects log records from unauthorized access, modification, and deletion.
Physical access is logged and monitored using an auditable access control system.
Processes and technical measures for reporting monitoring system anomalies and failures are defined, implemented, and evaluated. Accountable parties are immediately notified about anomalies and failures.
Policies and procedures for security incident management, e-discovery and cloud forensics are established, documented, approved, communicated, applied, evaluated, maintained, reviewed, and updated annually.
Policies and procedures for timely management of security incidents are established, documented, approved, communicated, applied, evaluated, maintained, reviewed, and updated at least annually.
An emergency response plan defines how to act immediately in case of an incident. After a security/data privacy incident has been identified, the incident is documented, analyzed, and evaluated. Measures are then taken, and in the event of a customer-relevant incident, the customer is informed of the incident and the measures via e-mail/phone within 24 hours.
The security incident response plan is tested and updated for effectiveness, as necessary, at planned intervals or upon significant organizational or environmental changes.
Information security incident metrics are established and monitored.
Processes, procedures, and technical measures for security breach notifications are defined and implemented. Security breaches and assumed security breaches are reported (including any relevant supply chain breaches).
Points of contact are maintained for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities.
Policies and procedures implementing the shared security responsibility model (SSRM) within the organization are established, documented, approved, communicated, applied, evaluated, maintained, reviewed, and updated annually.
Risk factors associated with all organizations within the supply chain are periodically reviewed by oculavis.
Service agreements between oculavis and customers (tenants) incorporate at least the following mutually agreed upon provisions and/or terms.
Based on ISO 27001, there is a process for conducting internal assessments at least annually to confirm the conformance and effectiveness of standards, policies, procedures, and SLA activities.
A process to conduct security assessments for all supply chain organizations is defined and implemented.
There is a clear process for selecting subcontractors. Formalized, documented, and controlled data processing agreements have been concluded with the subcontractors commissioned by oculavis GmbH, and all sub-processors are checked regularly. Data protection-compliant data processing with subcontractors is ensured through concluded EU standard contractual clauses.
Clear distinction between the areas of responsibility of the client and the contractor.
Procurement of hardware and software is centralized. All procurements are inventoried.
Policies and procedures are established, documented, approved, communicated, applied, evaluated, and maintained to identify, report, and prioritize the remediation of vulnerabilities to protect systems against vulnerability exploitation. Threat and vulnerability management policies and procedures are reviewed and updated at least annually.
Policies and procedures to protect against malware on managed assets are established, documented, approved, communicated, applied, evaluated, maintained, reviewed, and updated at least annually.
Processes, procedures, and technical measures are defined, implemented, and evaluated to enable scheduled and emergency responses to vulnerability identifications (based on the identified risk).
Processes, procedures, and technical measures are defined, implemented, and evaluated to update detection tools, threat signatures, and indicators of compromise on a frequent basis.
Processes, procedures, and technical measures are defined, implemented, and evaluated to identify updates for applications that use third-party or open-source libraries (according to oculavis' vulnerability management policy).
Internal penetration tests are carried out before new releases of oculavis' software products. Internal audit documents are not freely available, but any fixed vulnerabilities found are documented in the release notes.
Processes, procedures, and technical measures are defined, implemented, and evaluated for vulnerability detection on organizationally managed assets at least monthly.
Vulnerability remediation is prioritized using a risk-based model from an industry-recognized framework.
A process is defined and implemented to track and report vulnerability identification and remediation activities that include stakeholder notification.
Metrics for vulnerability identification and remediation are established, monitored, and reported at defined intervals.
Policies and procedures are established, documented, approved, communicated, applied, evaluated, and maintained for all endpoints. Universal endpoint management policies and procedures are reviewed and updated at least annually.
There is a defined, documented, applicable and evaluated list containing approved services, applications, and the sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data.
A process is defined and implemented to validate endpoint device compatibility with operating systems and applications.
An inventory of all endpoints used to store and access company data is maintained.
All relevant interactive-use endpoints are configured to require an automatic password protected lock screen.
Changes to endpoint operating systems, patch levels, and/or applications are managed through the organizational change management process.
Information is protected from unauthorized disclosure on managed endpoints with storage encryption.
Where required by oculavis' risk management, malware detection and prevention technology services are configured on managed endpoints.
Software firewalls are configured on managed endpoints.
Managed endpoints are configured with data loss prevention (DLP) technologies and rules are defined based on a risk assessment.
Remote geolocation capabilities are enabled for all managed mobile endpoints.
Processes, procedures, and technical measures are defined, implemented, and evaluated to enable remote company data deletion on managed endpoint devices.
Processes, procedures, and technical and/or contractual measures are defined, implemented, and evaluated to maintain proper security of third-party endpoints with access to organizational assets.
There is a formal release procedure for software versions of oculavis SHARE and data protection and IT security requirements are part of the software release process. Releases are delivered every 6-8 weeks.
No installation of third-party software without license rights. A list of libraries/dependencies together with their licensing information is maintained for oculavis SHARE and is reviewed/updated regularly (part of the software release process).
All software and IT used in connection with data processing is kept up to date (e.g., through updates, patches, fixes, etc.). A patch and vulnerability management process exists at oculavis GmbH, in particular monitoring for available (security) patches of relevant libraries/systems in use. Patches are applied promptly and libraries are kept up to date. Typically, patches for oculavis SHARE are delivered every 6-8 weeks. Depending on the severity and the BSI recommendation, security patches may also be fixed earlier and applied as "hot fixes" (typically within four weeks after publication of an update/vulnerability).
A formal change management process exists at oculavis GmbH, especially in the area of software development and deployment (customer instances). Requests for changes are formally entered in the backlog via the product owner. This is followed by a priority assessment, a technical classification and security assessment of the change, and a rough time estimate. Changes implemented are developed/deployed and intensively tested within sprints and there is a formal review process, especially for security-related changes.
Guidelines for remote maintenance and support have been implemented.
IT security is part of the agile development process of the software oculavis SHARE according to a 4-phase model:
SHARE administrators receive regular training on how to use confidential authenticators (passwords, keys, etc.), how to utilize privileged access, and how to act with their special role and responsibility.
Regular (at job start and then at least yearly) training on Secure Scrum development and secure coding based on the OWASP recommendations for all software developers of oculavis SHARE.
Regular review, assessment, and evaluation of the effectiveness of the technical and organizational measures as well as regular review of compliance with data protection and IT security guidelines by the data protection and IT security officer.
User input is strictly validated to prevent injection attacks (e.g., SQL injections or XSS).
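To illustrate the two controls this measure refers to, an added example that is not part of the original document and not oculavis SHARE's own code: a user lookup built by string concatenation beside its parameterized form, an allow-list check for the input, and HTML output encoding against XSS. The in-memory table, the usernames and the regular expression are constructed for the example.

```python
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table (example data, not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Anti-pattern: the user-controlled value is spliced into the SQL text,
    so quote characters in `name` change the meaning of the statement."""
    rows = conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Parameterized query: the driver passes `name` as a bound value,
    never as part of the SQL grammar."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


# Assumed (constructed) username policy: lowercase alphanumerics plus a few
# separators, 1 to 32 characters. Allow-listing rejects anything unexpected
# before it reaches a query or a template.
USERNAME_RE = re.compile(r"[a-z0-9_.-]{1,32}")


def is_valid_username(name: str) -> bool:
    """Allow-list validation of the raw input."""
    return USERNAME_RE.fullmatch(name) is not None


def render_greeting(name: str) -> str:
    """Output encoding for an HTML context: characters with markup meaning
    are escaped, so a stored or reflected value cannot become script."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    tainted = "alice' OR 'x'='x"          # constructed malformed input
    print("unsafe:", find_user_unsafe(db, tainted))   # returns every user
    print("safe:  ", find_user_safe(db, tainted))     # returns nothing
    print("valid: ", is_valid_username(tainted))      # False
    print(render_greeting("<script>alert(1)</script>"))
```

Validation and parameterization are complementary: the allow-list stops malformed input at the boundary, while the bound parameter keeps the query correct even for values the allow-list legitimately admits (names containing an apostrophe, for instance, if the policy were widened).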
All data accesses to customer instances are logged in pseudonymized form with timestamps. Log files can only be viewed by administrators and are protected against unauthorized manipulation. The assignment of authorizations is documented in detail by full name. The data protection officer monitors the accesses of authorized persons to customer instances. Log files in the background of the software document system adjustments and serve to prevent error states, detect potential attacks on the system and ensure traceability of system activities.
The customer instances and the IT infrastructure of oculavis GmbH are monitored to detect anomalies, potential malicious activities or server downtimes.
Alarm-monitored building, office space and separately secured server room.
Use of personal security tokens for access to the building and office premises, including access logging.
oculavis has implemented physical access authorizations for employees and third parties (visitors, customers, cleaning personnel, craftsmen, etc.), including the request, authorization, and removal of access.
Separate key system for the server room, with access authorizations assigned to named individuals and logging of accesses. The access protection of our hosting providers' server farms depends on the physical security measures of the respective hosting provider.
Procedures are implemented for the management of media/removable media in accordance with the classification scheme. Media shall be disposed of securely when no longer required, using these formal procedures.
Policies and procedures are established, documented, approved, communicated, applied, evaluated, and maintained for communications between application services (e.g., APIs), information processing interoperability, application development portability, information/data exchange, usage, portability, integrity, and persistence. These policies and procedures are reviewed and updated at least annually.
oculavis can programmatically retrieve data via an application interface to enable interoperability and portability.
Cryptographically secure and standardized network protocols are implemented for the management, import, and export of data.