search

    Security Measures

    Beeline has implemented and will maintain for Customer Data the following minimum security measures in conjunction with the security commitments in the DPA Terms for JoinedUp.  

      Domain  

      Practices  

    Organization of Information Security 

    Security Ownership. Beeline has appointed one or more security officers responsible for coordinating and monitoring the security rules and procedures.  

    Security Roles and Responsibilities. Beeline personnel with access to Beeline Data are subject to confidentiality obligations. Least privilege access is used.  

    Risk Management Program. Beeline performed a risk assessment before processing the Beeline Data.  

    Asset Management 

    Asset Inventory. Beeline maintains an inventory of all media on which Beeline Data is stored. Access to the inventories of such media is restricted to Beeline personnel authorized in writing to have such access.  

    Asset Handling 

    - Beeline classifies Beeline Data to help identify it and to allow for access to it to be appropriately restricted.  

    - Beeline imposes restrictions on printing Beeline Data and has procedures for disposing of printed materials that contain such data.  

    • Beeline personnel must obtain Beeline authorization prior to storing Beeline Data on portable devices, remotely accessing such data, or processing such data outside Beeline’s facilities.  

    Security Training 

    Security Training. Beeline informs its personnel about relevant security procedures and their respective roles. Beeline also informs its personnel of possible consequences of breaching the security rules and procedures. Beeline will only use anonymous data in training.  

    Physical and Environmental Security 

    Physical Access to Facilities. Beeline limits access to facilities where information systems that process Beeline Data are located to identified authorized individuals.  

    Physical Access to Components. Beeline maintains records of the incoming and outgoing media containing Beeline Data including the kind of media, the authorized sender/recipients, date and time, the number of media and the types of such data they contain.  

    Protection from Disruptions. Beeline uses a variety of industry standard systems to protect against loss of data due to power supply failure or line interference.  

    Component Disposal. Beeline uses industry standard processes to delete and/or return Beeline Data when it is no longer needed.  

    Communications and Operations Management 

    Operational Policy. Beeline maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Beeline Data.  

    Data Recovery Procedures 

    - On an ongoing basis, but in no case less frequently than once a week (unless no updates have occurred during that period), Beeline maintains multiple copies of Beeline Data from which such data can be recovered.  

    - Beeline stores copies of Beeline Data and data recovery procedures in a different geographic location from where the primary computer equipment processing the Beeline Data are located.  

    - Beeline has specific procedures in place governing access to copies of Beeline Data.  

    - Beeline reviews data recovery procedures at least every twelve months.  

    - Beeline logs data restoration efforts, including the person responsible, the description of the restored data and where applicable, the person responsible and which data (if any) had to be input manually in the data recovery process.  

    Malicious Software. Beeline has anti-malware controls to help avoid malicious software gaining unauthorized access to Beeline Data including malicious software originating from public networks.  

    Data Beyond Boundaries 

    - Beeline encrypts Beeline Data that is transmitted over public networks.  

    - Beeline restricts access to Beeline Data in media leaving its facilities.  

    Event Logging. Beeline logs access and use of information systems containing Beeline Data registering the access ID, time, authorization granted or denied, and relevant activity.  

    Access Control 

    Access Policy. Beeline maintains a record of security privileges of individuals having access to Beeline Data.  

    Access Authorization 

    - Beeline maintains and updates a record of personnel authorized to access Beeline systems that contain Beeline Data.  

    - Beeline deactivates authentication credentials that have not been used for a period of time not to exceed six months.  

    - Beeline identifies those personnel who may grant, alter or cancel authorized access to data and resources.   

    - Beeline ensures that where more than one individual has access to systems containing Beeline Data the individuals have separate identifiers/log-ins.  

    Least Privilege 

    - Technical support personnel are only permitted to have access to Beeline Data when needed.   

    - Beeline restricts access to Beeline Data to only those individuals who require such access to perform their job function.  

    Integrity and Confidentiality 

    - Beeline instructs Beeline personnel to disable administrative sessions when leaving premises Beeline controls or when computers are otherwise left unattended.  

    - Beeline stores passwords in a way that makes them unintelligible while they are in force.  

    Authentication 

    - Beeline uses industry standard practices to identify and authenticate users who attempt to access information systems.  

    - Where authentication mechanisms are based on passwords, Beeline requires that the passwords are renewed regularly.  

    - Where authentication mechanisms are based on passwords, Beeline requires the password to be at least eight characters long.  

    - Beeline ensures that de-activated or expired identifiers are not granted to other individuals.  

    - Beeline monitors repeated attempts to gain access to the information system using an invalid password.  

    - Beeline maintains industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.  

    - Beeline uses industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.  

    Network Design. Beeline has controls to avoid individuals assuming access rights they have not been assigned to gain access to Beeline Data they are not authorized to access.  

    Information Security Incident Management 

    Incident Response Process 

    - Beeline maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data.  

    - For each Security Incident, notification by Beeline (as described in the “Security Incident Notification” section in the DPA Terms) will be made without undue delay and, in any event, within 72 hours.  

    - Beeline tracks, or enables Beeline to track, disclosures of Beeline Data including what data has been disclosed, to whom, and at what time.  

    Service Monitoring. Beeline security personnel verify logs at least every six months to propose remediation efforts if necessary.  

    Business Continuity Management 

    - Beeline maintains emergency and contingency plans for the facilities in which Beeline information systems that process Beeline Data are located.  

    - Beeline’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct Beeline Data in its original or last-replicated state from before the time it was lost or destroyed.