Security Policies
Published on February 28, 2024
1. Introduction
Information, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information Security comprises the processes and methodologies which are designed and implemented to protect print, electronic or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification or disruption.
RSM Greece SA and RSM Greece Business Advisors Ltd (together as “RSM Greece”) consider information as an important asset and hence accord Information Security high priority in their operational framework.
Information security consists of preserving the following elements:
a) Confidentiality: Ensuring that information can be accessed only by authorized individuals.
b) Integrity: Safeguarding the accuracy and completeness of information.
c) Availability: Ensuring that authorized users have access to information and associated assets whenever required.
The Management of RSM Greece has taken a number of steps towards the implementation of a robust Information Security Management System (ISMS), the objective of which is the protection of the security of RSM Greece’s Information Assets, such as (i) Information / Data in logical or hard-copy form, (ii) Computer H/W-S/W Systems, (iii) Networks & Network Devices, (iv) Telecoms equipment / installations and (v) Personnel (People Assets), and, of course, RSM Greece’s Business Services which are run and supported by the above Assets.
The Management of RSM Greece has designed an ISMS Function Manual and the related ISMS Security Policies with an aim to:
- Document the “high level” security organization & infrastructure
- Document and ensure a “secure business environment” at RSM
- Assure the Confidentiality (C), Integrity (I) and Availability (A) of the Information processed by RSM Greece
The ISMS has been designed, planned, documented and is being implemented in conformance to the requirements of:
- the applicable international standard (ISO 27001:2013)
- the applicable National and European Legislation / Regulations
- Contractual (Clients) requirements
- RSM’s corporate security-related policies & requirements
RSM Greece’s Management ensures that it recognizes, identifies, evaluates and assesses all “issues” and “risks” related to Information Security and manages these risks by (i) promoting a “Security & Privacy Culture” within RSM Greece, (ii) ensuring that security-related Personnel & technical Resources are adequate, (iii) ensuring the documentation and implementation of effective Security / Privacy Policies, (iv) training Personnel & Partners on Security / Privacy issues and (v) applying all necessary organizational / technical controls and good Security / Privacy practices (Risk Treatment).
Furthermore, RSM Greece implements a “PDCA” (Plan-Do-Check-Act) Policy, by:
- constantly reviewing and updating Security Policies and overall ISMS implementation
- regularly reviewing the applied controls’ effectiveness
- setting and reviewing suitable and quantifiable Information Security Metrics / KPIs
- planning & implementing Internal Audits of the ISMS
- regularly reviewing the overall ISMS implementation / progress
2. Security & Privacy Protection
- RSM Greece is certified as per ISO 27001:2013 for the Information Security Management of the services that it offers
- Additionally, RSM holds a SOC 1 attestation report issued by an independent third party, covering certain processing procedures
- Our software as an Application is overall compliant with the General Data Protection Regulation (GDPR) requirements
- Additionally, since our systems are hosted on Microsoft Azure Cloud services, they benefit from Azure’s platform-level data protection controls (confidentiality, integrity and availability).
- Oracle Database (Enterprise Edition 12c) is encrypted
- Additionally, “Advanced Security” and “Oracle Active Data Guard” have been implemented.
3. Organizational Controls implemented
3.1. RSM Greece Data Protection Officer (DPO)
Given that a significant volume and variety of personal data is processed, RSM Greece has appointed a Data Protection Officer (DPO) (currently DPO services are provided by an independent company - legal office).
3.2. RSM Employees
Every RSM Employee has signed a specific contract regarding the confidential & secure processing of BPO Personal data, in order to ensure compliance with the applicable data protection regulations. In addition, all Employees have been trained in GDPR compliance issues as well as information security / data protection issues and controls. Training is performed on an annual basis and on an ad-hoc basis when new requirements, standards or RSM policies are to be implemented.
RSM Employees are contractually bound to follow the policies and guidelines regarding secure access to the systems, to ensure that any unauthorized access to these systems is prevented.
3.3. Segregation of Duties & Functions
Separation of functions has been defined (i.e. which functions cannot be combined and therefore cannot be performed by the same person at the same time). In particular, business functions that have an operational role cannot be combined with control functions.
3.4. Security / Data Breach Incidents Response
- Formally documented Security Incidents Response Policies / Procedure are in place for responding/managing Incidents and Personal Data Breaches (typical types of attacks “covered” by the incident response escalation procedures include data loss/phishing & ransomware cases, cyberattacks, fraud, disruptive attacks etc.)
- RSM Employees are trained regarding the escalation of an actual or suspected privacy/security incident.
- RSM Greece has a stand-alone Cyber Insurance policy coverage. The respective policy components include privacy liability / personal data law fines, business interruption, network security costs, media liability, cyber extortion costs, data recovery costs etc. The insurance provider is Beazley Solutions Ltd.
3.5. Policies / Procedures for regular control & compliance evaluation
RSM Greece has developed and implements policies & procedures within the context of GDPR compliance, summarized as follows:
- Information security policies and procedures (also compatible with ISO 27001 requirements)
- Procedure for managing data breach incidents
- “Data protection by design and by default” policy
- Procedure for the exercise of the rights of the data subjects (DSRs)
- Procedure / Guide for persons authorized to process personal data
- Policy/procedure for maintaining or destroying confidential information
- Various Privacy policies / notices
- Specific policies/procedures regarding every service line and related data processings
3.6. Audits – Inspections
Being part of a global enterprise network requires that RSM Greece abides by specific RSM Group corporate controls, rules and obligations, which ensure that RSM Clients receive a standardized and high level of service quality.
To this end, RSM Greece:
- Performs self-assessment compliance check on an annual basis.
- Plans / implements Internal Audits, also at least annually. These Internal Audits cover all business / operational processes.
- Additionally, as required by the ISO 27001 Information Security Management System as well as the GDPR / Privacy requirements, specific security & privacy internal audits are planned / implemented annually.
- Further, both the SOC 1 attestation and the ISO 27001 certification require periodic external audits by an independent third party (a certified public accountant for SOC 1 and an accredited ISO 27001 certification body), which cover the payroll and management processing procedures.
4. Technical Controls implemented
4.1. Confidentiality (Art. 32(1)(b) GDPR)
4.1.1. Physical Access Control
A site / DC entry permit check is carried out at the Azure DC premises, in addition to the implementation of effective site security systems (CCTV, motion detectors, recording and escorting visitors, etc.). Only authorized access to the facilities is allowed, always escorted. Microsoft Azure sites / DCs are certified against the major international security & privacy standards.
4.1.2. Logical Access Control
Strong user authentication and login authorization controls are implemented. To this purpose:
- (RSM DC) to (Azure environment) connections are secured via site-to-site VPN.
- Similarly, all remote and teleworking Users are required to first authenticate and connect, using IPSec VPN / RDS, to their desktops (“virtual desktop”), before accessing (always via site-to-site VPN) the cloud environment / systems.
- User access control offers “granularity” regarding internal access control and permissions for users' access and data processing rights.
- Application user IDs / passwords are protected for authentication purposes (this is reinforced by the fact that the connection between the RSM DC / users and the cloud environment is a site-to-site VPN).
- Password strength controls include a minimum length (10+ characters), maximum password age, password complexity and lockout after repeated invalid passwords.
- Hardened user authentication measures include 2FA (two-factor authentication) - use of an additional OTP password, access to different levels of security, etc.
- Successful and unsuccessful access attempts (user ID, IP address, etc.) are logged.
- Only authorized access to, and reading, copying, converting or deleting of, data within the system is possible (e.g. user approval is granted before access, users are given access only to what they are documented as needing, and access incidents are monitored).
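As an added illustration of the controls listed above (not RSM Greece’s own code, whose implementation is not described on this page), the following Python sketch enforces a minimum password length of 10, complexity, a maximum password age, lockout after repeated invalid attempts, and keeps an audit record of every successful and failed attempt with user ID and source IP. The concrete thresholds (5 attempts, 15-minute lockout, 90-day maximum age) and the hypothetical `AuthService` API are assumptions chosen for the example; the page states the controls but not their parameters.

```python
"""
Added illustrative example (not RSM Greece's code): a minimal account-policy
enforcer for the logical access controls of section 4.1.2 - minimum length 10,
complexity, maximum password age, lockout after repeated invalid attempts -
plus an audit log of every successful and failed attempt (user ID, source IP,
outcome). Threshold values below are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MIN_LENGTH = 10                             # stated on the page: 10+ characters
MAX_PASSWORD_AGE = timedelta(days=90)       # assumed maximum password duration
LOCKOUT_THRESHOLD = 5                       # assumed invalid attempts before lockout
LOCKOUT_DURATION = timedelta(minutes=15)    # assumed lockout duration


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("fewer than 3 character classes (lower, upper, digit, symbol)")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; passwords are never stored in clear."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


@dataclass
class AuthService:
    """Hypothetical in-memory authentication service used for the example."""
    accounts: Dict[str, Account] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def register(self, user_id: str, password: str, now: datetime) -> None:
        problems = check_password_policy(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt, digest = hash_password(password)
        self.accounts[user_id] = Account(user_id, salt, digest, now)

    def _audit(self, user_id: str, ip: str, outcome: str, now: datetime) -> None:
        # Every attempt, successful or not, is recorded with user ID and source IP.
        self.audit_log.append({"ts": now.isoformat(), "user": user_id, "ip": ip, "outcome": outcome})

    def login(self, user_id: str, password: str, ip: str, now: datetime) -> str:
        """Returns 'ok', 'expired', 'locked' or 'denied'."""
        acct = self.accounts.get(user_id)
        if acct is None:
            # Same external answer as a bad password, so usernames cannot be enumerated.
            self._audit(user_id, ip, "fail:unknown_user", now)
            return "denied"
        if acct.locked_until and now < acct.locked_until:
            self._audit(user_id, ip, "fail:locked", now)
            return "locked"
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= LOCKOUT_THRESHOLD:
                acct.locked_until = now + LOCKOUT_DURATION
                self._audit(user_id, ip, "fail:bad_password->locked", now)
                return "locked"
            self._audit(user_id, ip, "fail:bad_password", now)
            return "denied"
        # Correct password: clear the failure counter, then enforce maximum age.
        acct.failed_attempts = 0
        acct.locked_until = None
        if now - acct.password_set_at > MAX_PASSWORD_AGE:
            self._audit(user_id, ip, "ok:password_expired", now)
            return "expired"
        self._audit(user_id, ip, "ok", now)
        return "ok"
```

The unknown-user and wrong-password paths deliberately return the same result so that an attacker cannot use the login response to enumerate valid user IDs; the distinction survives only in the audit log, which is what the access-incident monitoring described above would consume.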
4.1.3. Further Logical Access Controls
- In response to potential policy violations or malicious behavior, remote access, VPN access and privileged user access are suspended.
- Review of access rights to systems, applications, and network devices is performed semi-annually.
- A formal procedure for disabling accounts of terminated employees and contractors from accessing sensitive client data or systems is in place.
- Segregation of duties, for accessing application, network or server resources, including segregation of duties between those requesting, approving, and granting access, is implemented.
4.1.4. Data Classification
- RSM has a data classification and handling policy in place. All corporate & Client or 3rd Party-owned information is identified and classified by the responsible Information / Data Owner, according to its level of confidentiality. The data classification levels used by RSM are: Public; Internal Use Only; Confidential; and Restricted.
- All information is considered "Confidential" by default.
- RSM has in place a records retention policy to support the handling / retention of all data.
4.1.5. Data Protection
- RSM has documented policies, standards and controls in place to appropriately safeguard personal data.
- RSM privacy policy is available on RSM web site (https://www.rsm.global/greece/privacy-policy).
- The privacy policy is revised and updated at least annually.
- Controls are in place to ensure compliance with the organization's privacy policy.
- Personal data is not shared for the purpose of the provision of Client services with any unauthorized third party (systems’ database is encrypted and the key is not shared with third parties).
- There are contractual controls in place to ensure that personal data, if shared, is appropriately protected by a third party acting as Data Processor.
- There is a process for facilitating individual access, deletion and other rights at the direction of the client.
- There is a process in place for addressing request and complaints with respect to privacy.
- RSM Employees are regularly trained on privacy / data protection when they join the company and on an annual basis or when new policies / systems are introduced.
- Appropriate sanctions are applicable to employees, contractors etc. in case of privacy policies violation.
4.1.6. Application Security
Regarding SW Developer / Vendor:
- There is a formal System Development Lifecycle (SDLC) process that includes application development and testing.
- SW code reviews and application vulnerability scans are performed to identify vulnerabilities or errors.
- Application security preventive controls include separate development and production environments, application and services training, logging of activity, version control and change management controls.
- Vendors are responsible for any application upgrades. New versions are used only after they have been tested.
Regarding RSM:
- There is a formal Change Control Policy regarding managing and tracking changes to all systems.
- There is a formal systems monitoring policy and tools in place to oversee the SW patching for all environments that store/process or allow access to information.
4.1.7. Data Encryption & Keys Management
- Oracle Database (Enterprise Edition 12c) is encrypted (TDE encryption)
- TLS (1.2 and above) and secure VPN are implemented for all connections / data transmission
- Bitlocker is used for storage encryption
- All client data-containing backups are also encrypted
4.1.8. Network Security
- Next-Gen Firewalls (in redundant mode) are installed across network segments. Controls include stateful packet inspection, deep packet inspection, SSL/TLS decryption, IPSec VPN, a default "deny any" rule, etc.
- RSM has also implemented an Intrusion Detection / Prevention System (IDS / IPS) to detect / block known attacks in real time as well as zero-day (“unknown”) attacks.
- Network routing device activity is logged to enable robust monitoring, alerting of anomalous behavior, and investigations.
- RSM is using one or more logical controls to authenticate, filter and monitor email (spam, phishing emails and URL protection).
- RSM has implemented DNS protection capabilities.
4.1.9. Data Separation
Data is separated according to the purpose for which it has been collected / will be used.
The group of users authorized to access Clients’ data shall be limited to the minimum required for the performance of the tasks of individuals in the context of issuing and managing payroll.
4.1.10. Antivirus – Antimalware protection
A modern antivirus / antimalware program is used, which is able to detect, remove and protect against known viruses and malware.
4.1.11. Data Collection, Disposal & Destruction
RSM has established a procedure for the collection, disposal, destruction or deletion of all formats of data / media (electronic or hard-copy). The rules and procedures for safe collection and internal distribution, as well as for the storage and destruction of media, take into account the formal characteristics of the media and are described in an internal organizational policy / procedure directive. For this purpose, our company has contracted with a third-party certified provider for the safe destruction of all non-electronic media.
4.2. Integrity (Art. 32(1)(b) GDPR)
4.2.1. Data Transmission / Exchange control
Ensuring only authorized access, read, copy, convert or delete actions when transmitting data electronically, e.g. via encryption, VPNs, digital signatures etc.
4.2.2. Data-entry checks
Confirmation if and by whom personal data has been entered into a system, if changes or deletions have been made e.g. by logging, document management etc.
4.3. Availability (Art. 32(1)(b) GDPR)
4.3.1. Systems & Operations Availability / Continuity infrastructure / Recovery
- Specific systems & services availability / restore targets have been set.
- Client data is located in the Azure West Europe datacenter region, which provides the underlying systems / connection / data availability.
- Rapid recovery is ensured through automated applications in the Azure cloud environment.
- Frequent Data Backups (online / offline; on-site / off-site) are taken.
- All backups are hosted on Azure Datacenter in different resources (Recovery Services vault).
- Data is backed up / stored in reserve mechanisms at regular time intervals to ensure that it is available even in an emergency.
- There is a formal process in place to identify, inventory and track backup media.
- Multiple availability zones and one or more backup providers / azure cluster are considered for resiliency purposes to meet service level objectives.
- Backup capabilities used to restore normal operations following a security or disruptive incident (e.g. a data corruption or a ransomware attack) include full backup / incremental backups.
- Operating system, application data and application code and config files are backed up and are available for restoration.
- Data backup and system recovery operations are independently tested.
- Also, Power Generator and UPS are used at RSM HQs site / DC (this is important regarding availability of the Firewalls managing users access to the Azure environment).
4.3.2. Continuity / Disaster Recovery Plans
RSM has drawn up contingency (continuity & disaster recovery) policies and plans, which list the steps to be taken in case of a disruptive incident.
4.3.3. Cloud Architecture & Controls
- RSM mainly uses Azure as Cloud provider for IT services (the cloud architecture is IaaS and PaaS).
- Virtual Private Cloud is used to store client data.
- Azure Disk and Azure Archive are used for storage.
- Data in motion is encrypted.
- In the event internet connectivity is not available (e.g., local ISP failure), RSM has a backup plan in place to prevent interruption of services that includes switching to a different line with a different ISP and / or use of 4G connections.
- Continuity – D/R plans are tested annually.
- Azure Key Vault is considered as the key management service.
- Azure storm shield is used as a logging service for audit trails.
- Log files are retained for 90 days.
- In the event of a breach, an incident response policy and plan is in place.
- Azure Monitor is used for security alerts to monitor cloud events.