GDPR: Technical and organisational measures

Background

Grant Thornton implements appropriate technical and organisational measures to ensure the protection of personal data processed under the Data Processing Agreement. The measures are adapted to the types of processing, scope, context, categories of personal data, the cost of implementation, the purposes of the processing as well as risks, of varying probability and severity.

Grant Thornton uses an Information Security Management System (ISMS) based on the international standard ISO/IEC 27001 as the basis for all security measures. The ISO/IEC 27001 standard provides guidelines and general principles for planning, implementing, maintaining and improving information security in an organisation.
To address GDPR's requirements such as confidentiality, integrity, availability and resilience, Grant Thornton applies documented IT security processes and routines, covering authorisation management, encryption, operational security, malware protection, backup, logging, vulnerability management, communications security, continuity management and supplier relationship management.

Authorisation management

Access to systems
Access to systems is governed by an access control policy. The employee's manager is responsible for ordering access rights to systems, applications and information at the IT service desk. The access control policy also covers changes and removal of access rights, for example due to role changes or termination of employment. Orders relating to access rights always require the explicit approval of a responsible person, which for example can be the nearest manager or the system owner. The approving person assesses the specific needs of the requesting employee before approval.
Requests related to access rights follow established processes and are registered in a ticket management system. This enables traceability of the execution including approvals. The access rights related activities (addition, change, removal and review) are carried out by trained staff. Only a limited number of personnel are authorised to carry out these activities.

Access to IT-infrastructure
Grant Thornton actively monitors all critical IT infrastructure components and has configured alarms that automatically trigger under certain conditions or events (for example extreme CPU usage or lost connection). Physical access to Grant Thornton's data centres requires a personal security token as well as a pass code. The data centres have camera monitoring and visitors are clearly informed of this. Only authorised personnel have physical access to Grant Thornton's data centres.
Special authorisation from the system owner is required to log on to servers and network components that constitute critical parts of the IT infrastructure. Before giving approval, the system owner assesses, amongst other things, the needs, purpose and function of the requesting person.
External suppliers can be given temporary access to Grant Thornton's IT infrastructure if a special need exists. This can for example concern maintenance of equipment that requires technicians with specific certification. Established procedures are followed for these situations. Normally, an expiration time limit is set for supplier access to a system. Alternatively, supplier access is verified regularly to ensure the need for access is still legitimate.

Encryption
Grant Thornton applies encryption to hard disks, storage media, backup data and any other media used for any kind of sensitive data. Encryption is also applied to any kind of communication of sensitive data.

All computer hard disks are encrypted during installation. This is part of Grant Thornton's default configuration for computers. The default configuration also requires that USB devices that are connected always need to be encrypted before anything can be saved on them. The encryption keys required for encryption and decryption are handled by staff with special authorisation only. As part of the operational security routines, an automated scan of all Grant Thornton computers is performed regularly to verify that encryption is active.

All communications to and from the computers shall be encrypted if a service is used that contains sensitive data, including sensitive personal data. The assurance that the communication is encrypted lies with the service being used. The service verifies that the connecting computer and the user meet certain requirements, such as a computer certificate to ensure the device's identity and legitimacy, or that the user must enter a one-time password. Grant Thornton encrypts all data during automated backup of all systems.

Operational security

Malware protection
Grant Thornton has different systems and methods to protect the IT infrastructure against malicious code, including various antivirus scanners, spam filters, security updates and training. Grant Thornton uses active monitoring to ensure that antivirus scanners and spam filters are active and updated. Malicious code often exploits vulnerabilities in systems and applications. Consequently, Grant Thornton actively installs the latest security updates on systems and applications to minimise the risk of exploitation of vulnerabilities. Malicious code also exploits human curiosity. Therefore, as part of basic training, all Grant Thornton employees must complete a training module covering the identification of malicious code.

E-mail
Grant Thornton utilises the e-mail security frameworks of two suppliers to protect all inbound and outbound e-mail from malware. The e-mail protection of the supplier of standard e-mail services and that of the supplier of e-mail spam filtering services complement each other, and both guard against, amongst other things, spam, virus and phishing attacks. The e-mail security frameworks are updated on a regular basis with the latest patches and contain information about known malicious code that may be attached to or be part of the content of an e-mail. Updates are ongoing and take the form of a subscription service. If an e-mail is identified as infected or harmful, it is blocked and quarantined automatically. The verification and assessment of whether an e-mail is malicious or not is automated and based on the rules provided by the suppliers. The portion of the mail security solutions installed on the users' computers is updated regardless of whether the computers are inside or outside Grant Thornton's network.

Internet
Grant Thornton applies different types of security measures related to the use of the Internet. The technical security measures are found in the central IT infrastructure and locally on Grant Thornton's computers and mobile devices. In the central IT infrastructure there are, for example, filters that blacklist Internet sites that are considered hazardous. Organisational security measures include training and a central IT policy covering guidelines for Internet usage.

Computers and servers
All computers and servers, hereafter devices, have malware protection software against computer viruses, spyware and other malicious code. The protection software is managed from a central management console provided by the supplier. The console deploys the latest updates of the protection software, sets security policies and actively monitors all devices. Scans of devices are automated and occur mainly at scheduled intervals but are also event-driven. The protection software also scans files when they are opened or otherwise handled by the user, including downloading or uploading a file to another device. Detected malware is removed automatically, whenever possible, and notifications are sent to the central management console for further processing.

Backup
Data backup is automated and carried out according to a documented schedule. The backup solution used by Grant Thornton is redundant and backup media is stored at a different physical location. Alarm triggers are set on backup jobs to detect and report deviations and incidents. Data restore tests are carried out in different ways based on risk assessments. Grant Thornton encrypts data backups.

Vulnerability management
Vulnerability management covers vulnerability scanning, security updating and penetration testing.
Grant Thornton performs vulnerability scanning of critical IT infrastructure devices. The central vulnerability management console detects, gathers, classifies and reports vulnerabilities and provides suggestions for remediation. The supplier delivers updates on known vulnerabilities at regular intervals. The scheduled vulnerability scans generate a vulnerability report that is analysed and handled by specially trained personnel. The vulnerabilities are prioritised and remediated based on risk classification. Vulnerabilities that have been remediated are verified through new vulnerability scans.
Regular security updates are automatically distributed monthly during planned service windows. Security updates that resolve critical issues and vulnerabilities are verified at release by trained personnel and distributed with the highest priority.

Penetration tests are conducted annually by external parties.

Logging
Logging of activities such as changes to and removal of users in the Grant Thornton domain, devices and applications is handled centrally by trained staff. This is done in accordance with regulatory and business needs and requirements. Tasks performed by staff with high authorisation are logged. The logs are reviewed from a risk-based perspective. Identified deviations are followed up and, when applicable, escalated as incidents.
The system logs are protected against removal and manipulation to ensure their integrity, confidentiality and accuracy. Deletion occurs in accordance with applicable legislation.

Communications security

To ensure communications security, there is active monitoring, with alarm settings, of a variety of components and parameters in the IT infrastructure that manages communications.

Computers, servers, network equipment, and other hardware connected to the GT network are handled based on applicable security requirements and placed in designated segments to achieve an appropriate level of communications security.

Continuity management

Data backup is one of the cornerstones of Grant Thornton's IT continuity plan. Therefore, trained personnel manage and follow up on backup execution to ensure the integrity, confidentiality and accuracy of the backup data. Another cornerstone is the set of processes and routines that are carried out when a serious incident occurs. Grant Thornton continually works on keeping these processes and routines updated. The continuity plan is tested at intervals based on regular risk assessments.
Grant Thornton's data centres have specialised and qualified solutions to achieve redundancy on several levels, i.e. failback systems that automatically take over the task of another system that has stopped functioning. The servers have a 24/7 support agreement. The redundancy in Grant Thornton's data centres is tested at intervals based on regular risk assessments.

Grant Thornton has a high degree of digitisation, and many of its services and tools are accessible through the Internet. As a result, most employees can continue to work from other locations even if some or all of Grant Thornton's offices are closed or not accessible due to an extreme event.

Supplier relationship management

Grant Thornton ensures during the procurement process that identified security requirements are met by external suppliers. A contract with a chosen supplier addresses the demands on the supplier's IT environment and information security measures. The supplier shall present and account for their technology, routines and processes as well as their IT and information security policies. Non-disclosure agreements and other relevant regulatory agreements are signed by the supplier before the service is put into operation. Grant Thornton conducts regular controls of suppliers' access rights and of other aspects of the agreement with the supplier.