Publitas is ISO 27001 certified.
Publitas takes every reasonable effort to collect and store personal data in accordance with the Confidentiality requirement (Art. 32(1)(b) GDPR) and the ISO 27001 standard. The following controls are applied, and all controls and security measures are set up according to the ISMS (Information Security Management System), which is the internal document describing how the aforementioned standard is implemented.
Confidentiality
Data access control
AAA model
Publitas employs the AAA security framework (Authentication, Authorization, Accounting) to control access to computer resources and information systems, to define and enforce policies, and to audit usage. Besides the AAA model, additional measures are taken to protect data from theft and unintentional or malicious data alteration, to maintain data integrity.
Authentication
All information systems and data access processes require authentication, including username/password pairs with strong password complexity requirements, and multi-factor authentication is used on all critical systems. Authentication principles are a part of the ISMS policies and Information Security Guidelines. Password complexity and multi-factor requirements are revised periodically and proactively. Employees are obliged to use individual accounts at all times. Individual user accounts must not be shared or used jointly with other persons, so that every action remains attributable to one person.
Authorization
Least-privilege
Every access privilege, both to information systems and to data, is assigned by applying the principle that employees and third-party users are granted only the level of access they need to perform their activities (need-to-know basis).
Roles
Access privileges are granted according to predefined roles.
Access requests, assignments, and revocations are logged and audited.
Audit logs are kept for 365 days to ensure accountability.
Accounting
See section “Integrity”.
Separation control
Design
Production infrastructure logical access is protected by zero trust architecture design, including but not limited to logical and physical network and service segregation.
Active Filtering
Packet filters (firewalls) are in place to protect against unauthorized network access.
A Web Application Firewall (WAF) is employed to protect against external attacks through the web interface.
Environments
Production and test environments are separated, and no interoperability is possible between the different environments. This separation is enforced by:
- encryption (access keys and administration channels are encrypted)
- policy definitions and enforcement
Client
All client end-points (workstations) are separated from the test and production infrastructure. Only selected personnel have access to the VPN (Virtual Private Network), which is required to access the deployment pipeline. Code deployment is not possible without utilizing the standard pipeline.
Data
Data separation for different clients and customers is guaranteed on the code and access level.
Integrity
Authorization
- Authorization is in place for all systems that handle, transfer, or store personal data.
- Rights to enter, change, and delete data are assigned on the basis of an authorization concept.
Accounting
- Logging of data accesses and retrievals
- Logging of the entry, modification, and deletion of data
Other controls
- Clear responsibilities are defined for data deletions.
- Periodic backups are made, and Backup Testing Plans are executed regularly.
- Data backups are stored in a secure, off-site location.
- Bug Bounty Program: Publitas has an ongoing vulnerability disclosure (bug bounty) program. Publitas monitors CVE disclosures and acts upon severity and applicability. The results of these processes are fed back into the development team for review and, if applicable, patches are developed and released.
Transfer control
Measures are in place to ensure that data cannot be read, copied, altered, or removed without authorization during electronic transmission, or during its transport or storage on data carriers, and to ensure that protocols defining how personal data shall be transmitted by data transmission equipment are established and verified.
Encryption
Encrypted communication over secure networks is ensured in accordance with current security industry standards: data is provided via encrypted connections (SSL/TLS).
Disclosure of Data
Asset classification is a part of the ISMS, and forwarding information to external information systems is possible only for assets classified as “Public.” Data related to personal information can never be classified as “Public,” and this rule cannot be overridden.
Pseudonymization and anonymization of end-user data
Any personal data collected for statistics is pseudonymized and anonymized before storage to ensure the data is not traceable back to the end-users.
Availability and resilience
Updates
All software and software components are regularly updated in accordance with the ISMS policies and Secure Development Principles.
Disaster Recovery
A Disaster Recovery Plan and Disaster Recovery Procedure are in place in accordance with the ISMS.
Regular review, assessment, and evaluation
Data protection management
The following measures are applied to ensure the organization meets the requirements of data protection laws and regulations:
- Observing the ISMS
- Obligation of employees to data secrecy
- Regular security awareness training of all employees
- Keeping an overview of processing activities (Art. 30 GDPR)
- Data breach notification process (as defined in Art. 4 No. 12 GDPR) towards the supervisory authorities (Art. 33 GDPR)
- Data breach notification process (as defined in Art. 4 No. 12 GDPR) towards the data subjects (Art. 34 GDPR)
- Only personal data that is necessary for the respective purpose of providing services is collected
Organisational measures
Acceptable Use Policy
A code of conduct is in place for information security and employee security awareness.
Supplier and vendor evaluation
A standard process is in place to ensure that appropriate security measures are in place when establishing relationships with vendors and suppliers. GDPR compliance and a signed DPA (Data Processing Agreement) are mandatory to establish such a relationship.
Consent and compliance
Depending on their role and the scope of their access to confidential or personal data, employees, contractors, and subcontractors must acknowledge and comply with the policies and regulations on secrecy/confidentiality and data protection (e.g., a confidentiality/non-disclosure agreement), as well as the Information Security Policy, the Acceptable Use Policy, and the respective parts of the ISMS.