Technical and Organizational Measures

The below are ProSciento’s technical and organizational measures (“TOMS”):

Each heading below names a type of TOM; the bullets beneath it describe the measures in place.

Measures for pseudonymization* and encryption of Personal Data:

*The GDPR defines “pseudonymization” as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person (Article 4(5)). For more information on pseudonymization, please see ENISA’s techniques and best practices.

  • Full-volume AES-256 encryption on all workstations via a Full Disk Encryption (FDE) application.
  • ProSciento’s corporate wireless network is secured in line with NIST SP 800-48 recommendations and best practices. This covers:
    • Wireless Network Security Policies;
    • Wireless Network Architecture;
    • Access Controls, and;
    • Device Security (if applicable).
  • ProSciento encrypts data during transmission. Data in transit to and from Exchange services is encrypted using strong protocols such as TLS (and IPsec where applicable), with AES (Advanced Encryption Standard) as the underlying cipher.
  • Device management: enterprise data wipe for lost/stolen machines, and enforced security configuration including MFA and encryption.
  • Use of Virtual Private Networks (VPNs) to create secure, encrypted connections over public networks.
  • Pseudonymization is applied to ProSciento’s study participants (subjects): each subject is assigned a unique identifier that is linked to the real person only in the site’s records, which are not retained in the Electronic Data Capture (EDC) system. Those unique identifiers are used throughout the EDC to attribute all data to that one (not directly identifiable) individual.
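The separation described in the last bullet, as an added example in Python (not ProSciento’s own code or EDC system): the site’s linkage table is the only place where a subject ID meets a name, the EDC records carry the subject ID and study data only, and an export check refuses any EDC record that still contains a direct identifier. The study and site codes, the field names, and the two participants are constructed assumptions.

```python
"""Pseudonymization of study subjects, keeping the identity linkage apart
from the Electronic Data Capture (EDC) data set.

Added example, not ProSciento's code. Names, dates of birth, field names and
the study/site codes are constructed sample data.
"""
import secrets
from dataclasses import dataclass, field

# Fields that directly identify a person and must never reach the EDC (assumed).
DIRECT_IDENTIFIERS = frozenset({"name", "dob"})

# Constructed sample input: what the site knows about enrolled participants.
SITE_ENROLMENT = [
    {"name": "Alice Example", "dob": "1980-01-02", "visit": 1, "hba1c": 6.9},
    {"name": "Bob Sample", "dob": "1975-06-30", "visit": 1, "hba1c": 7.4},
]


@dataclass
class SiteLinkage:
    """The 'additional information' of GDPR Art. 4(5): subject ID -> person.

    Kept in the site's records only. Whoever holds the EDC data set but not
    this table cannot attribute a record to a natural person.
    """
    _key: dict = field(default_factory=dict)

    def add(self, subject_id: str, identifiers: dict) -> None:
        if subject_id in self._key:
            raise ValueError(f"subject ID {subject_id} already assigned")
        self._key[subject_id] = dict(identifiers)

    def reidentify(self, subject_id: str) -> dict:
        return dict(self._key[subject_id])

    def __contains__(self, subject_id: str) -> bool:
        return subject_id in self._key


def new_subject_id(study: str, site: str, linkage: SiteLinkage) -> str:
    """Random subject ID such as STUDY01-S02-7F3A9C1B.

    A random token rather than a counter: a sequential ID would reveal
    enrolment order and how many subjects a site has.
    """
    while True:
        candidate = f"{study}-{site}-{secrets.token_hex(4).upper()}"
        if candidate not in linkage:
            return candidate


def pseudonymize(study: str, site: str, enrolment: list[dict]) -> tuple[list[dict], SiteLinkage]:
    """Split each enrolment record into an EDC record and a linkage entry."""
    linkage = SiteLinkage()
    edc_records = []
    for person in enrolment:
        subject_id = new_subject_id(study, site, linkage)
        linkage.add(subject_id, {k: v for k, v in person.items() if k in DIRECT_IDENTIFIERS})
        edc_records.append(
            {"subject_id": subject_id,
             **{k: v for k, v in person.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return edc_records, linkage


def edc_is_pseudonymous(edc_records: list[dict]) -> bool:
    """Export check: no direct identifier may appear in any EDC record."""
    return all(DIRECT_IDENTIFIERS.isdisjoint(record) for record in edc_records)


if __name__ == "__main__":
    edc, site_key = pseudonymize("STUDY01", "S02", SITE_ENROLMENT)
    assert edc_is_pseudonymous(edc)
    for record in edc:
        print(record)                                    # subject_id, visit, hba1c only
    print(site_key.reidentify(edc[0]["subject_id"]))     # possible only with the site's table
```

The two halves are returned as separate objects on purpose: in practice the `SiteLinkage` would be written to the site’s own records with its own access controls, and only `edc_records` would be transferred, after `edc_is_pseudonymous` passes.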

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services:

  • Internal policies, including business continuity plan, information security policy, cyber security incident response plan.
  • Endpoint protection – Next-Generation Antivirus, and Endpoint Detection and Response (EDR) modules are installed on ProSciento managed computers and servers.
  • Content filtering/blocking is configured on the firewall to block web traffic that does not fall within work-safe categories.
  • Incident response and management procedures.
  • Anti-virus and anti-malware programs.
  • Expedited patching of known exploitable vulnerabilities in the software applications and IT systems.
  • Implementation of robust access controls to restrict access to personal data and systems.
  • Systems are designed with redundancy and failover mechanisms to ensure continuity in case of hardware or software failures.

Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident:

  • Business continuity plan that is reviewed and updated as needed.
  • Disaster recovery plan that is reviewed, tested, and updated as needed.
  • Servers and files are replicated three times daily to ProSciento’s off-site data center, and are also backed up daily both on-premises and off-site.

Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of the Processing:

  • Periodic internal and external vulnerability scans and penetration testing on information technology systems, including software applications and networks that will be used for processing Personal Data.
  • Formal patch management process for vulnerabilities.

Measures for user identification and authorization:

  • Role-based access authorization policy.
  • Standard security principle of least privilege (least required access).
  • Systems and applications are configured to restrict access to authorized users only.
  • Monitoring of all user access.
  • Users are advised to enable the mobile security features provided by the manufacturer (e.g., Face ID, biometrics, PIN).
  • Password policies and password management procedures that require strong passwords.
  • Multi-Factor Authentication (MFA) on all SaaS and network resources that support it.
  • A third-party SSO provider is integrated into the ProSciento network to give both ease of access and consistent security controls for SaaS applications and services.

Measures for the protection of Personal Data during transmission:

  • Encryption: ProSciento encrypts data during transmission using secure protocols such as TLS (Transport Layer Security), the successor to the now-deprecated SSL (Secure Sockets Layer).
  • Regular updates and patching: ProSciento keeps software, operating systems, and network equipment up to date with the latest security patches.
  • Strong authentication: ProSciento implements strong authentication mechanisms for both users and systems involved in the transmission process. Multi-factor authentication adds a further layer of protection by requiring users to provide more than one form of identification.
  • Virtual Private Networks (VPNs): ProSciento uses VPNs to create secure, encrypted connections over public networks.
  • Secure Wi-Fi networks: when transmitting data wirelessly, ProSciento ensures that Wi-Fi networks are secured using strong encryption (WPA3). Users avoid open or unsecured Wi-Fi networks for transmitting sensitive information.
  • User education: users are trained on security best practices, such as avoiding public Wi-Fi for transmitting sensitive data, recognizing phishing attempts, and understanding the importance of secure transmission methods.

Measures for the protection of Personal Data during storage:

  • Encryption of Personal Data during storage (i.e., at rest) using a minimum of AES-256; all workstations use BitLocker Full Disk Encryption (FDE).
  • Secure configuration for network devices, such as firewalls, routers, and switches.
  • Encryption of Personal Data stored on all mobile devices, including laptops.
  • Device management: enterprise data wipe for lost/stolen machines, and enforced security configuration including MFA and encryption.
  • Application protection policies to control application data and settings.

Measures for ensuring physical security of locations at which Personal Data are Processed:

  • Physical access controls to prevent unauthorized access to facilities (badge access, intrusion alarm, video surveillance, environmental controls, etc).
  • Access is managed in accordance with ProSciento’s Facility Security SOP.
  • Network and server rooms are protected by magnetic locks, a keycard reader, and a physical lock and key.
  • IT staff members who have access to the datacenter must present valid identification and a datacenter access badge, and are enrolled in MFA.

Measures for ensuring events logging:

  • ProSciento’s event logs include relevant metadata such as timestamps, source IP addresses, user IDs, and detailed event content (where applicable).
  • Logs capture information that aids in understanding the context of events.
  • Access to log files is restricted to authorized personnel.
  • Access controls are applied to prevent unauthorized modification or deletion of logs.
  • Real-time alerts are set up for critical events.
  • The monitoring system generates notifications for immediate response.
  • Logs are continuously monitored to detect anomalies or security incidents promptly.
  • Automated monitoring tools are used to streamline the process.

Measures for ensuring system configuration, including default configuration:

  • New workstations are configured by ProSciento IT according to a standardized and pre-defined configuration of applications, security protocols and settings, known as the “ProSciento Standard Configuration”.
  • Use of an Endpoint Manager as part of the standard mobile configuration, providing mobile device management (MDM) and control features.
  • A standard, harmonized workstation configuration is used to set up and pre-configure new devices and get them ready for production use.
  • Devices ship with a preinstalled image that is configured rather than re-imaged, so ProSciento does not need to maintain custom images and drivers for every device model.

Measures for internal IT and IT security governance and management:

  • ProSciento has a dedicated IT governance team.
  • ProSciento’s CISO duties are covered by the CIO, and security is managed by a dedicated security administrator.
  • Implementation and maintenance of an information security management program based on generally accepted frameworks, such as the NIST Cybersecurity Framework.

Measures for certification/assurance of processes and products:

  • Policies and procedures are managed via ProSciento’s Quality Management System (QMS) to ensure compliance with applicable legislative and regulatory requirements.

Measures for ensuring data minimization:

  • Service accounts are scoped to specific service needs and requirements.
  • Continuous audits of data and of the environments in which it is stored.
  • Recurring audits of access permissions.

Measures for ensuring data quality:

  • Firewall High Availability cluster running the Comprehensive/Advanced Gateway Security Suite (Gateway AV, Anti-Spyware, Intrusion Prevention, Application Control, Content Filtering, Network Analyzer, Advanced Threat Protection).
  • Anti-virus platform for endpoint protection, including next-generation AV with real-time detection and quarantine, host intelligence scanning, exploit mitigation, ransomware prevention, exploit behaviour prevention, and prevention of lateral movement and unauthorized credential access, with real-time notifications of security alerts.
  • Data-at-rest encryption (servers and laptops) via full-disk encryption, and encryption of data in transit.
  • Exchange Services Threat Protection, including email filtering, ATP anti-phishing, spam policy, and Data Loss Prevention (DLP).
  • Server and network equipment firmware and software are patched and upgraded according to vendor specifications or the maintenance schedule. Critical security patches are applied as soon as possible upon an approved Change Request.
  • Recurring preventative maintenance tasks to review network and hardware health and security standards (e.g., user access, firewall and endpoint protection policies).
  • Virtual LAN (VLAN) segregation of internal, external and Wi-Fi networks, with network access rules applied on the firewall to minimize network access and increase network security.
  • Monthly external vulnerability scan of ProSciento’s main network devices through a third-party attack surface discovery service.
  • Periodic internal and external penetration testing.
  • Data replication and backup through third-party services, both locally and off-site in two (2) remote locations. Annual restore testing supports the business continuity plan.
  • UPSs and power generator for server and network infrastructure to ensure uninterrupted uptime.

Measures for ensuring limited data retention:

  • Secure disposal of devices that store Personal Data, standardized for all managed ProSciento devices.

Measures for ensuring accountability:

  • Third-party security awareness training platform to educate employees regarding IT security (Social engineering, Phishing, Ransomware attacks, Malware, etc.).
  • New-hire, annual, and quarterly security awareness campaigns, with new training material created by the IT department to ensure all employees are educated appropriately.
  • Personnel review and sign ProSciento’s Security Policy annually and are responsible for their confidentiality obligations when processing Personal Data.