Security Measures

Technical and organizational security measures to be implemented by Lattice:

A. Annual Evidence of Compliance

1. Third-Party Security Audit:
Lattice is, and shall continue to be, audited annually against the SOC 2 Type II standard. The audit shall be performed by an independent third party. Upon Customer's written request, Lattice shall provide a certified copy of the results of the most recent annual audit report (on a confidential basis) so that Customer may verify Lattice's compliance with the audit standard against its own assessment and this DPA. While that report provides annual, independently audited confirmation of Lattice's security posture, the most common points of interest are described in further detail below. Lattice shall provide Customer with this initial evidence of compliance within thirty (30) days of written request.

2. Web Application Penetration Test Summary:
Lattice shall continue to annually engage an independent third party to perform a web application penetration test. Upon Customer’s written request, Lattice shall provide a summary of the findings to Customer. Lattice shall address all medium, critical and severe vulnerabilities in the findings of the report within a reasonable, risk-based timeframe. Lattice shall provide Customer with this initial evidence of compliance within thirty (30) days of written request.

3. Security Awareness Training: Lattice shall provide annual Security Training to all personnel. “Security Training” shall address security topics to educate users about the importance of information security and safeguards against data loss, misuse or breach through physical, logical and social engineering mechanisms. Training materials should address industry-standard topics, which include, but are not limited to:
• The importance of information security and proper handling of personal information.
• Physical controls such as visitor protocols, safeguarding portable devices and proper data destruction.
• Logical controls related to strong password selection/best practices.
• How to recognize social engineering attacks such as phishing.

4. Vulnerability Scanning: Lattice shall ensure that vulnerability scans are performed on servers, and that network security scans are completed, in each case using industry-standard vulnerability scanning tools and at least periodically.

B. Security

1. Process-Level Requirements
a. Lattice shall implement user termination controls that include prompt removal or disablement of access upon termination of staff.
b. A documented change control process shall be used to record and approve all major releases in the Lattice environment.
c. Lattice shall have and maintain a patch management process to implement patches in a reasonable, risk-based timeframe.

2. Network Requirements
a. Lattice shall use firewalls, security groups/VPCs, or similar technologies to protect servers that store Customer Personal Data.

3. Hosting Requirements
a. Where Lattice handles Customer Personal Data, servers shall be protected from unauthorized access with appropriate physical security mechanisms including, but not limited to, badge access control, a secure perimeter, and enforced user provisioning controls (i.e. appropriate authorization of new accounts, timely account terminations and frequent user account reviews). These physical security mechanisms are provided by data center partners such as, but not limited to, AWS, Salesforce and Google. All cloud-hosted systems shall be scanned, where applicable and where approved by the cloud service provider.
b. Cloud Environment Data Segregation: Lattice will virtually segregate all Customer Personal Data in accordance with its established procedures. The Customer instance of the Service may be on servers used by other non-Customer instances.

4. Application-Level Requirements
a. Lattice shall maintain documentation of the overall application architecture, process flows and security features of applications that process Customer Personal Data.
b. Lattice shall employ secure programming techniques and protocols in the development of applications handling Customer Personal Data.
c. Lattice shall employ industry-standard scanning tools and/or code review practices, as applicable, to identify application vulnerabilities prior to release.

5. Data-Level Requirements
a. Encryption and hashing protocols used for Customer Personal Data in transit and at rest shall support NIST-approved encryption standards (e.g. SSH, TLS).
b. Lattice shall ensure that laptop disks are encrypted.
c. Lattice shall ensure that access to information and to application system functions is restricted to authorized personnel.
d. Customer Personal Data stored on archive or backup systems shall be stored at the same level of security or better than the data stored on operating systems.

6. End-User Computing-Level Requirements
a. Lattice shall employ an anti-virus solution with daily signature updates on end-user computing devices that connect to the Customer network or process Customer Personal Data.
b. Lattice will have a policy to prohibit the use of removable media for storing or carrying Customer Personal Data. Removable media include flash drives, CDs, and DVDs.

7. Compliance Requirements
a. Lattice shall, to the extent legally permissible, perform criminal background verification checks on all of its employees that provide Services to Customer prior to their obtaining access to Customer Personal Data. Such background checks shall be carried out in accordance with relevant laws, regulations, and ethics.
b. Lattice will maintain an Information Security Policy (ISP) that is reviewed and approved annually at the executive level.

8. Shared Responsibility
Lattice's Services require a shared responsibility model. For example, Customer must maintain controls over Customer user accounts (e.g. disabling/removing access when Customer employees are terminated, establishing password requirements for Customer users, etc.).
