Seagate shall implement, maintain, monitor and, where necessary, update a comprehensive written information security program that contains appropriate administrative, technical, and physical safeguards to protect Stored Data against anticipated threats or hazards to its security, confidentiality, or integrity (such as unauthorized access, collection, use, copying, modification, disposal or disclosure, unauthorized, unlawful, or accidental loss, destruction, acquisition, or damage or any other unauthorized form of processing) (“Information Security Program”).
Company acknowledges that the Information Security Program is subject to technical progress and development and that Seagate may update or modify the program from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by Company. Subject to such updates and modifications, the Information Security Program will include the security controls identified below.
Seagate does not review, edit, or take any responsibility for data, content, or material created, stored, or made accessible through the Services. Seagate does not accept responsibility from Company or Users for any resulting damages or liabilities arising therefrom.
Seagate reserves the right to investigate any violation of the Information Security Program or misuse of the Services. Seagate may report any activity that Seagate suspects violates any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties, and assist all such parties with such investigations.
Information Security Controls for Lyve Cloud Services
Security Control Category
|
Description
|
1. Governance
|
a. Assign to an individual or a group of individuals appropriate roles and responsibilities for developing, coordinating, implementing, and managing Seagate’s administrative, physical, and technical safeguards designed to protect the security, confidentiality, and integrity of Stored Data
b. Use of data security personnel that are sufficiently trained, qualified, and experienced to be able to fulfill their information security-related functions
|
2. Risk Assessment
|
a. Conduct periodic risk assessments designed to analyze existing information security risks, identify potential new risks, and evaluate the effectiveness of existing security controls
b. Maintain risk assessment processes designed to evaluate likelihood of risk occurrence and material potential impacts if risks occur
c. Document formal risk assessments
d. Review and approve formal risk assessments by appropriate managerial personnel
|
3. Information Security Policies
|
a. Create information security policies, approved by management, published and communicated to all employees.
b. Review policies at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.
|
4. Human Resources Security
|
a. Maintain policies requiring reasonable background checks of any new employees who will have access to Stored Data or Seagate Systems, subject to local law
b. Regularly and periodically train personnel on information security controls and policies that are relevant to their business responsibilities and based on their roles within the organization
|
5. Asset Management
|
a. Maintain policies establishing data classification based on data criticality and sensitivity
b. Maintain policies establishing data retention and secure destruction requirements
c. Implement procedures to clearly identify assets and assign ownership
|
6. Access Controls
|
a. Identify personnel or classes of personnel whose business functions and responsibilities require access to Stored Data, Seagate Systems and the organization’s premises
b. Maintain controls designed to limit access to Stored Data, Seagate Systems and the facilities hosting the Seagate Systems to authorized personnel
c. Review personnel access rights on a consistent basis
d. Maintain physical access controls to facilities containing Seagate Systems, including by using access cards or fobs or other relevant physical access equipment issued to Seagate personnel as appropriate
e. Maintain policies requiring termination of physical and electronic access to Stored Data and Seagate Systems after termination of an employee
f. Implement access controls designed to authenticate users and limit access to Seagate Systems
g. Implement policies restricting access to the data center facilities hosting Seagate Systems to approved data center personnel and limited and approved Seagate personnel
h. Maintain Multi-Factor Authentication processes for Seagate employees with administrative access rights to Seagate Systems
|
7. Cryptography
|
a. Implement encryption key management procedures
b. Encrypt sensitive data using a minimum of AES/256 bit ciphers in transit and at rest
|
8. Physical Security
|
a. Require two factor controls to access data center facilities
b. Register and escort visitors on premises
|
9. Operations Security
|
a. Perform periodic network and application vulnerability testing using dedicated qualified internal resources
b. Contract with qualified independent 3rd parties to perform periodic network and application penetration testing
c. Implement procedures to document and remediate vulnerabilities discovered during vulnerability and penetration tests
|
10. Communications Security
|
a. Maintain a secure boundary using firewalls and network traffic filtering
b. Require internal segmentation to isolate critical systems from general purpose networks
c. Require periodic reviews and testing of network controls
|
11. SDLC (System Development Lifecycle) Security
|
a. Provide a framework for addressing security concerns through governance, review, testing, and evaluation of new systems development.
b. Mitigate risk to production applications and infrastructure
|
12. System Acquisition, Development and Maintenance
|
a. Assign responsibility for system security, system changes and maintenance
b. Test, evaluate and authorize major system components prior to implementation
|
13. Supplier Relationships
|
a. Periodically review available security assessment reports of vendors or contractors hosting Seagate Systems to assess their security controls and analyze any exceptions set forth in such reports
|
14. Information Security Breach Management
|
a. Monitor the access, availability, capacity and performance of the Seagate Systems, and related system logs and network traffic using various monitoring software and services
b. Maintain incident response procedures for identifying, reporting, and acting on Data Incidents
c. Perform incident response table-top exercises with executives and representatives from across various business units
d. Implement plan to address gaps discovered during exercises
e. Establish a cross-disciplinary Data Incident response team
|
15. Business Continuity Management
|
a. Design business continuity program with goal of meeting specified RTO and RPO requirements
b. Conduct scenario-based testing annually
|
16. Compliance
|
a. Establish procedures designed to ensure all applicable statutory, regulatory and contractual requirements are adhered to
|
