General description of the technical and organizational measures

1. Confidentiality

The risk of physical, material or immaterial damage or the risk of impairment of the rights and freedoms of data subjects must be reduced.

>> Physical access control

Technical and organizational measures:

  • Rules for handling visitors
  • Registration at reception
  • Visitors are entered in the visitor list by reception
  • Visitors are personally escorted
  • Further protective measures
    • Security monitoring
    • Camera surveillance

>> System access control

Technical and organizational measures:

  • Access control for computers in the DocuWare network and for cloud-based accounts
    • User identification
    • Mandatory two-factor authentication
    • Location-based login block (country-level block list)
    • Secure passwords
      • Account lockout after 3 failed login attempts
      • Complexity requirements, minimum length of 9 characters, no reuse of previous passwords
      • Regular change cycle
    • Time-controlled, password-protected screen lock (screen saver)
      • Employees are required to lock their computers manually when leaving the workplace. In addition, the screen is locked automatically after 15 minutes of inactivity
    • Securing networked systems against unauthorized intrusion
      • Firewall
      • Endpoint protection
      • Auditing and threat detection
      • External penetration tests to identify and eliminate vulnerabilities
    • Hard disks in notebooks are encrypted

>> Data access control

Technical and organizational measures:

  • Authorization profile for employees
  • User administration
  • Access authorization depending on
    • Responsibilities
    • Assignment of tasks
  • Where necessary, also differentiated according to
    • read authorization
    • write authorization
  • Authorizations for external employees are documented in the IT database. All requests for authorization changes are processed by IT via the ticket system
  • Clear rules for adapting rights management
    • If an employee's area of responsibility changes, rights that are no longer required are revoked promptly
    • Changes are processed via the IT ticket system
    • Authorizations of external employees and access to business-critical applications are reviewed regularly
  • Measures for access control
    • Program testing and release procedures
    • Logging and evaluation of security-critical incidents
    • Changes to firewall settings

>> Separation control

Technical and organizational measures:

  • DocuWare Cloud systems
    • Logical separation of data (documents) and databases per customer
      • Documents: each customer has their own file share in which their documents are stored
      • Database: each customer has their own database
        • Contains index data for documents in mailboxes and archives
        • Also contains organizational data such as users and roles
      • DocuWare system database
        • Contains data required for operating the system (not customer-specific)

2. Integrity

The risk of physical, material or immaterial damage, or of impairment of the rights and freedoms of data subjects, arising from unintentional or unauthorized modification of data processed on behalf of the controller, or from unlawful or negligent action, must be reduced.

>> Transfer control

Technical and organizational measures:

  • Data transmitted over the Internet is always encrypted
    • VPN: between the company's locations and the data centers
    • TLS (SSL): customer access to the DocuWare Cloud systems
  • Data protection during transmission
    • Password protection
    • TeamViewer is used by Support and Professional Services for remote maintenance (encrypted connection)
    • Access credentials (including those for customer systems) are managed in password management tools
      • Important:
        • Never send test accounts or access credentials to DocuWare by e-mail
  • Test accounts or access credentials provided to DocuWare Support or Professional Services should be deactivated, or their passwords changed, once the support case or project has been completed
  • Securing PCs and external drives (mobile hard disks, USB sticks, etc.) against misuse
    • Security guidelines for encrypted transport can be found in the data protection manual
  • Use of mobile data carriers is regulated in a guideline
  • Secure deletion / disposal of data carriers
    • Discarded data carriers are collected in the IT department, where they are professionally wiped and then disposed of
  • Access to customer data and customer systems via remote maintenance
    • The customer starts TeamViewer, which displays a connection number. The customer gives this number to the DocuWare employee, who then establishes the connection
    • In consultation with the customer, Professional Services sometimes also uses a mode in which the customer does not have to confirm the connection on their side
    • TeamViewer uses a secure […]
    • Remote maintenance sessions are logged

>> Input control

Technical and organizational measures:

  • Access to customer data and customer systems in a remote maintenance session
    • TeamViewer remote maintenance access must be actively started by the customer
    • In consultation with the customer, Professional Services sometimes also uses a mode in which the customer does not have to confirm the connection on their side
    • TeamViewer remote maintenance is logged on both sides (customer and contractor)

3. Availability and resilience

The risk of physical, material or immaterial damage, or of impairment of the rights and freedoms of data subjects, arising from the unavailability of data processed on behalf of the controller, including as a result of unlawful or negligent action, must be reduced.

>> Availability control

Technical and organizational measures:

  • Backup: Important data is regularly backed up to a backup system and synchronized to an external location according to defined schedules (cloud backup)
  • Servers and infrastructure devices in the local network are connected to a […]. For servers in the data centers, the data center provider takes care of this
  • Reporting channels are known and adhered to
  • Emergency plans exist for central systems
    • Important servers of the DocuWare Cloud systems can be rebuilt at any time from a script (scaling/resilience)
  • Restores of central systems are carried out regularly by IT

4. Procedures for regular review, assessment and evaluation

Procedures shall be in place to regularly review, assess and evaluate the effectiveness of the technical and organizational measures to ensure the security of the processing.

>> Order control

Technical and organizational measures:

  • Regular review
    • The technical and organizational measures are reviewed at least once a year
  • Monitoring the execution of the customer order / service action
    • Before an order is carried out, Professional Services defines a user acceptance test (a test plan specifying what must work according to the order). Customer acceptance is recorded in the acceptance protocol
  • Logging of access to customer systems and customer data
    • Remote maintenance access takes place via TeamViewer. This can also be used on site if the customer so wishes

>> Internal organization

Technical and organizational measures:

  1. Data protection management
    • Only employees who have been formally obliged to comply with data protection regulations may access the data relevant to their area of responsibility
    • Internal behavioral guidelines and a data protection policy are in place
    • All employees are trained regularly (at least once a year) on data protection via e-learning or other means
    • The responsibilities and powers of individual employees are defined in an organization chart and in job descriptions and are known throughout the company. This is reviewed at regular intervals by top management as part of the process
  2. Incident management
    • Compliance with the technical and organizational measures is reviewed annually (audit) by the data protection officer and, if necessary, […]
    • Incident management is reviewed as part of the certification process
  3. Data protection through technology design
    • Selection of data protection-friendly technology during procurement