Altia Trust Centre

Your single point of truth for Altia's Compliance, Legal and Trust documentation. Welcome to the Altia Trust Centre.

Information and Cybersecurity Schedule
For Altia Service(s)
Published: | In Effect: to Current
For Agreements prior to the Published Date, please review the Archive

You may download the original PDF copy of this document, as signed by Altia's Chief Information Officer, under the navigation menu, along with a Microsoft Word copy that allows for tracked-change amendments and comments. This document is current at the published date online and made available, by Altia, at https://legal.altiacloud.com. An original PDF copy, Microsoft Word copy or printed version of this document may not be current and is provided as a signed copy, by Altia, for Customer(s) seeking ‘point in time’ referencing against other documents, agreements or arrangements between the Customer and Altia.

Contents

  1. Introduction and General Notes

  2. Applicability

  3. Intent of this Security Schedule

  4. Definitions

  5. Requirements of Customer(s) and/or User(s)

  6. GSF – Information and Cybersecurity Governance

  7. GSF - Asset Management

  8. GSF - Access and Identity Management

  9. GSF - Operations Security

  10. GSF - Cryptography

  11. GSF - Physical and Environmental Security

  12. GSF – System(s), Software and Application(s)

  13. GSF - Security Patching

  14. GSF - Security Incident and Breach Management

  15. GSF – Internal Audit

  16. GSF - Customer Data and Information Classification

  17. Altia365 Platform and Compliance as-a-Service

  18. Compliance with Law (Value of Altia Service(s) Derived Information)

  19. Outsourcing and Third Party Relationships

  20. Assistance and Professional Service(s)

  21. Acceptance of Shared Responsibility

  22. Disputes

1.  Introduction and General Notes

About this document. This Information and Cybersecurity Schedule (“Security Schedule”) sets out the baseline security measures that apply when it is Applicable to an Agreement. Customer(s) must make their own determination of Applicability, based on section two of this Security Schedule, and of any and all risks described within the document. Altia’s Security Schedule is Applicable to Customer(s) using Altia Service(s) to collect, handle, maintain, use or store highly sensitive information.

Definitions, terms and interpretation. In this document, defined terms are contained within the Altia Legal Definition Schedule (“Definition Schedule”). Words capitalised in error so that they appear to be a Term, or words intentionally not defined as Term(s) but perceived by a Party as potentially being a Term, are to be given the meaning of the word, or words, in context, as determined by what a reasonable person, reasonably capable of reviewing commercial agreement(s), would have understood the word(s) to mean. Definitions may be inferred from the subject of the section, and where appropriate, Terms may be defined ‘in line’ or their acronyms introduced.

Agreement Generalisation. The Agreement in its entirety is generalised with respect to geography, currency and Altia Service(s), to ensure consistency in legal and commercial agreement(s). There may be clause(s), sections or references to the Agreement and/or Agreement Supplementary Material that are not relevant to a specific Agreement between Altia and a Customer. Section Two of this document, the Agreement and each referenced Agreement Supplementary Material outline Applicability, for Party(s) to determine if the clause(s), sections or referenced Agreement Supplementary Material are in scope of the Agreement.

Document Version. This document is made current at the date published and made available at https://legal.altiacloud.com (the “Reference Date”). The Reference Date determines the Agreement entered into, which survives in perpetuity, through Order Form(s).

Altia’s right to update, change or amend. Altia, from time to time, may update this document, the Agreement and Agreement Supplementary Material. If you are supplied Altia Service(s) by Altia, through an Agreement, you will be advised of changes to this Agreement or Agreement Supplementary Material through the Notices to Parties section of Altia’s Master Services Agreement (“MSA”). Archived versions of Altia’s MSA and any Agreement Supplementary Material forming the Agreement as at the Reference Date can be found at https://legal.altiacloud.com. If there are any disputes regarding clause(s) of this document, the Agreement or Agreement Supplementary Material as varied from the Reference Date, you may raise a dispute as per the ‘Dispute Resolution’ section of Altia’s MSA.

2.  Applicability

THIS SECURITY SCHEDULE SETS OUT INFORMATION AND CYBERSECURITY BASELINES WHICH MUST BE OBSERVED BY ALTIA, CUSTOMER(S) AND USER(S) OF ALTIA SERVICE(S) WHEN ALTIA SERVICE(S) ARE BEING USED TO COLLECT, MAINTAIN, STORE, ANALYSE, OR OTHERWISE HANDLE ANY INFORMATION THAT, IF LOST, STOLEN, DELETED, MADE PUBLIC, OR OTHERWISE COMPROMISED, MAY:

a)   RESULT IN RISK TO LIFE OR SERIOUS INJURY TO ANYONE, ANYWHERE.

b)   POSE A RISK TO HEALTH, SAFETY, WELLBEING, OR CAUSE SIGNIFICANT REPUTATIONAL HARM OR SIGNIFICANT FINANCIAL LOSS TO ANY INDIVIDUAL(S), ANYWHERE.

c)   POSE ANY IMPACT TO MILITARY OPERATIONS OR NATIONAL SECURITY EFFORTS, TO ANY DEGREE, ANYWHERE.

d)   IMPEDE THE DETECTION, INVESTIGATION, OR PROSECUTION OF ANY ACT OR OMISSION MADE AN OFFENCE, ANYWHERE.

e)   FACILITATE THE COMMISSION OF ANY ACT OR OMISSION MADE AN OFFENCE, ANYWHERE.

f)     DISADVANTAGE ANY GOVERNMENT LAW ENFORCEMENT, INTELLIGENCE, NATIONAL SECURITY, OR REGULATORY BODY, ANYWHERE.

g)   DISCLOSE ANY METHODOLOGY USED BY ANY GOVERNMENT LAW ENFORCEMENT, INTELLIGENCE, NATIONAL SECURITY, OR REGULATORY BODY THAT IS NOT IN THE PUBLIC’S INTEREST FOR DISCLOSURE, OR MAY IMPACT THE OPERATIONAL OR NON-OPERATIONAL EFFECTIVENESS OF ANY GOVERNMENT LAW ENFORCEMENT, INTELLIGENCE, NATIONAL SECURITY, OR REGULATORY BODY, ANYWHERE.

h)   DAMAGE ANY NATIONAL INTEREST, DISRUPT SIGNIFICANT INFRASTRUCTURE, RESULT IN SIGNIFICANT PROPERTY LOSS OR DAMAGE, ANYWHERE.

i)    CAUSE A SHORT OR LONG TERM MATERIAL IMPACT OR DISRUPTION TO DIPLOMATIC RELATIONSHIPS, ANYWHERE.

j)    DISADVANTAGE ANY GOVERNMENT(S) IN INTERNATIONAL NEGOTIATIONS OR STRATEGY, ANYWHERE.

k)  CAUSE A SHORT OR LONG TERM MATERIAL IMPACT ON THE FINANCES OR ECONOMY OF ANY GOVERNMENT OR COMMUNITY, ANYWHERE.

l)   DISADVANTAGE NUMEROUS NON-GOVERNMENT ORGANISATIONS OR COMPANIES, TO ANY DEGREE, ANYWHERE.

Altia will not make a determination of Applicability on behalf of Customer(s) or Party(s) to the Agreement, and it is the sole responsibility of Customer(s) to determine if any of the Applicability clauses apply.

4.  Definitions

CUSTOMER(S) OR USER(S) MUST MAKE THEIR OWN DETERMINATION AS TO THE DEFINITION OF THE TERMS USED IN SECTION 2 OF THIS DOCUMENT, ‘APPLICABILITY,’ BEING: “NUMEROUS”, “DISADVANTAGE”, “MATERIAL IMPACT”, “IMPACT”, “IMPEDE”, “POSE” AND/OR “SERIOUS”, WHICH ARE NOT DEFINED.

Definitions used in this Agreement are set out in Altia’s Agreement Definition Schedule (the “Definition Schedule”).

5.  Requirements of Customer(s) and/or User(s)

Customer(s) and User(s) must maintain information and cybersecurity standards, in the access and use of Altia Service(s), in accordance with the standards, frameworks, guidelines and requirements Applicable to them. Where there are no referenceable requirements, Customer(s) and User(s) should observe the GSF as outlined in this document.

5.1.        Relevant to All Customers

a)   All Customer(s) and User(s) must identify and implement Applicable baseline requirements from, but not limited to, the reference material below (including later versions), as appropriate to the Altia Service(s) and the Customer(s) or User(s) own risk assessment:

  • ISO/IEC 27001:2013. Information technology – Security techniques – Information security management systems – Requirements.

  • ISO 9001:2015. Quality management systems – Requirements.

  • ISO 31000:2018. Risk management – Guidelines.

  • NIST. Cybersecurity Framework.

  • OWASP. Application Security Verification Standard (“ASVS”).

b)   While Customer(s) or User(s) do not need to demonstrate compliance with clause 5.1 to Altia, Altia reserves the right to request sight of any related Statement of Applicability (“SoA”) prior to accepting an Initiating Order or subsequent Order Form. Customer(s) and User(s) must research and identify any other Applicable requirements imposed on them.

5.2.        Relevant to Specific Jurisdictions

Customer(s) and User(s) in specific jurisdictions may have different or additional requirements Applicable to them and it is the Customer(s) and User(s) responsibility to determine Applicability and implement any requirements accordingly. Notable jurisdiction specific information and cybersecurity requirements include, but are not limited to the below:

a)   United Kingdom. Cabinet Office Government Security Classifications Policy (“GSCP”); United Kingdom Ministry of Defence Cyber Security Model (“CSM”), Defence Cyber Protection Partnership (“DCPP”) and Cyber Essentials Scheme (“CES”).

b)   Australia. Australian Government Information Security Manual (“ISM”) and Protective Security Policy Framework (“PSPF”).

c)   United States. Federal Risk and Authorization Management Program (“FedRAMP”); Executive Order 14028, Improving the Nation’s Cybersecurity; and United States General Services Administration (“GSA”) Information Technology (“IT”) Security Policies.

d)   Canada. Government of Canada Policy on Government Security (“PGS”); and Communications Security Establishment (“CSE”) Canadian Centre for Cyber Security guidance, including Communications Security (“COMSEC”) requirements.

e)   New Zealand. New Zealand Government Information Security Manual (“NZISM”) and Protective Security Requirements (“PSR”).

f)     While Customer(s) or User(s) do not need to demonstrate compliance with clause 5.2 to Altia, Altia reserves the right to request sight of any related Statement of Applicability prior to accepting an Initiating Order or subsequent Order Form. Customer(s) and User(s) from other jurisdictions must research and identify Applicable requirements imposed on them.

6.  GSF – Information and Cybersecurity Governance

6.1.        Policies, Procedures and Guidelines

In order to support secure access and use of Altia Service(s), Customer(s) and User(s) must maintain adequate information security policies, procedures and guidelines (“Information and Cybersecurity Documentation”) in accordance with requirements, guidelines and standards as per clause 5. Information and Cybersecurity Documentation should be:

a)   In the form of a complete ISMS and SoA.

b)   Reviewed at regular intervals, no less than annually.

c)   Able to facilitate appropriate responses to changing threats and risks.

d)   Able to cater for technology advances.

6.2.        Leadership

a)   Security Executive(s). Customer(s) should appoint a member of its senior executive to be responsible for the Altia Service(s), overseeing the Customer’s information and cyber security framework and obligation(s) that may exist under this Agreement. The Security Executive(s), or delegate, shall be the person(s) responsible for the operational aspects of the acquisition, access and use of Altia Service(s) by the Customer and User(s), and be the point of contact for Altia regarding matters of information and cybersecurity.

b)   System Owner(s). The Security Executive(s) should nominate a suitably qualified person, or persons, as System Owner(s) of Altia Service(s), with authority to notify Altia of possible or actual Security Incidents and breaches, including to Personal Data; assign and revoke User(s) access to Altia Service(s); inform Altia of resulting changes to acquisition, access and use of Altia Service(s); and authorise Altia on matters relating to database rollback, update(s), and changes of requirements.

c)   Culture. Customer(s) should promote and adopt a learning culture of up-skilling, awareness and education, in order to maintain pace with the information and cybersecurity threat landscape and new technologies that may impact the Customer or User(s). Information and cybersecurity culture should be aligned with business objectives, and technology adopted through risk versus benefit analysis and a zero trust posture.

d)   Communication. Communication between Customer(s) information and cybersecurity capabilities, business stakeholders and User(s) should be ongoing, translating information and cybersecurity concepts and language into business concepts and language, and ensuring that business unit(s) and User(s) consult with Customer(s) information and cybersecurity function(s) to determine appropriate strategies when planning new business projects involving the adoption of new technologies, including Altia Service(s).

e)   Reporting. Customer(s) should regularly review, document and report on its information and cybersecurity model; maturity; risk profile; status of key Customer Hardware or Device(s); any outstanding security risks; any real or perceived breaches or threats to the information and cybersecurity model; and expected returns on the acceptance of risk, such as adopting, accessing and using Altia Service(s).

f)     Continuity and Resilience. Customer(s) should have documented and practiced business continuity plans in the event of technology failings, including of Altia Service(s), and plan for disaster or data loss.

g)   Training. Customer(s) should have training programs in place for User(s) of technology, including Altia Service(s); and encourage participation.

h)   Vendor Management and Needs Analysis. Customer(s) should continually assess risks posed by vendors, including Altia, and undertake Needs Analysis of technologies, including Altia Service(s).

6.3.        User(s) and Personnel

Customer(s) should ensure User(s) who access and use Altia Service(s):

a)   Are subject to enforceable confidentiality obligations or agreements.

b)   Are eligible to have access to the Altia Service(s) and any Altia Service(s) Derived Information. 

c)   Have had their identity established.

d)   Are suitable for authorisation to access any governed Altia Service(s) Derived Information at the access level identified.

e)   Have undergone probity, where necessary.

f)     Have agreed to comply with Customer(s) policies, procedures, standards and guidelines that safeguard Customer Data, Altia Service(s) Derived Information, Altia Service(s) and related resources from harm.

g)   Are properly trained in the Altia Service(s), handling of Altia Service(s) Derived Information, and requirements imposed on them if Applicable in its jurisdiction.

h)   Have procedures in place for reporting Security Incidents that may compromise the access and use of Altia Service(s) and/or the integrity of Customer Data or Altia Service(s) Derived Information.

i)      Have their security requirements monitored and updated by the Customer at least monthly, with any breaches of those requirements reported to Altia.

6.4.        Codes of Conduct

Customer(s) should identify and comply with all relevant public and private sector codes of conduct and ensure all User(s) of the Altia Service(s) comply with the Customer(s) OWN policy(s) and code of conduct, including that they act lawfully, with care, diligence, honesty, empathy, respect, openness, fairness, transparency, accountability and always in good faith.

6.5.        Customer(s) Own Terms of Use

Customer(s) should identify what they deem appropriate use of Altia Service(s) within their own operating environment and make available to User(s) their own Terms of Use, specific to their business requirements, function(s), jurisdiction and risk profile, in addition to the Agreement and its referenced material.

7.  GSF - Asset Management

7.1.        Data Loss Prevention

Customer(s) should have in place Data Loss Prevention (“DLP”) capability in the form of software, systems and/or processes to protect Customer Data and Altia Service(s) Derived Information from data leakage risk.

7.2.        Portable Media Handling

a)   Customer(s) should not store Altia Service(s) Derived Information on portable or removable media without the prior written consent of Altia, unless lawfully required to do so, or where operational or administrative functions require such storage to carry out critical function(s).

b)   In the event that portable or removable media is approved by Altia, the Customer(s) must protect it with best practice encryption technologies and must be able to remove Altia Service(s) Derived Information from the portable or removable media on Altia’s request.

c)   Subject to clauses 7.1 and 7.2, Altia and Customer(s) acknowledge and agree that Customer Data may be exported and/or transferred to portable media by the Customer as part of the Altia Service(s) for purposes associated with the designed or advertised use of Altia Service(s), including for lawful information sharing or for purposes of legal proceedings.

7.3.        Securing Hardware and Hardening Devices

a)   Customer(s) should ensure Hardware and Devices used to access and use Altia Service(s), or Altia Service(s) Derived Information, are appropriately configured to meet its risk profile, and consider updates; patching; mobile device management; endpoint protection; physical security; damage; and programmatic controls for session locking and screen obfuscation.

b)   If Customer(s) allow User(s) to utilise Personal Customer Hardware or Devices, a Bring Your Own Device (“BYOD”) policy should be considered to mitigate risks associated with unmanaged Customer Hardware or Device(s).

c)   Customer(s) should ensure auxiliary software is subject to application control; patching of application(s); patching of operating system(s); macro-disabling; and application hardening; and that regular backups are enforced.

d)   Customer(s) should enforce Multifactor Authentication (“MFA”) for Customer Hardware or Device(s) accessing Altia Service(s) or Altia Service(s) Derived Information.

e)   Customer(s) should enforce a principle of least privilege approach to access control of Altia Service(s) and auxiliary software on Customer Hardware or Device(s) connected to Altia Service(s), or any Customer Hardware or Device(s) that may store or process Altia Service(s) Derived Information; and restrict administrative access to a minimum.

f)     Customer(s) should maintain an asset register of Customer Hardware or Device(s) used to access or use Altia Service(s), or any Customer Hardware or Device(s) that may store or process Altia Service(s) Derived Information.

8.  GSF - Access and Identity Management

8.1.        Controlled Access and Logging of Altia Service(s)

a)   Customer(s) should ensure that privileged administrative access to the Altia Service(s) is delivered through secure communications infrastructure.

b)   Customer(s) should establish and maintain complete, accurate, and up to date records of: Customer Data and Altia Service(s) Derived Information accessed; details of User(s) who accessed, collected or changed the Customer Data or Altia Service(s) Derived Information; and the date and purpose for which it was accessed, collected or changed, using the Altia Service(s) if available, or by another means if not.

c)   Customer(s) should, on Altia’s request, in the event of a Security Incident, and where the requested information is not sensitive or privileged, provide copies of the records referred to in clause 8.1(b) as soon as possible, and at the latest within 24 hours of the request.

d)   Customer(s) should ensure, where access to any portion of the Altia Service(s) used to deliver the Altia Service(s) is provided to any third party in connection with this Agreement, that such access is only provided subject to best practice authentication and access control restrictions.

e)   Customer(s) should keep the development, testing and production environments used to access Altia Service(s) separate, and use only the Altia Cloud Multitenancy Beta (Pre-Production) Environment, as described in the Altia MSA, for development and testing.

f)     Customer(s) must ensure any access to, or use of Altia Service(s) comply with the Altia Service(s) End User Licence Agreement (“EULA”) found here; and Altia’s Acceptable Use Policy (“AUP”) found here; and in accordance with training made available by Altia, either as delivered training through Altia’s Professional Service(s), or on-demand training documentation.

g)   Customer(s) must restrict access to Altia Service(s) only to User(s) who have been approved and authorised by the Customer to have such access. Altia may, on reasonable grounds, revoke its approval in respect of any User(s) at any time as a result of an identified breach of the Agreement, EULA, AUP or training, and Customer(s) must ensure User(s) comply with any such notification immediately, to allow for remediation prior to the User(s) being authorised subsequent access to and use of the Altia Service(s).

h)   Customer(s) should enforce MFA at all times, including for VPNs, RDP, SSH and other remote access, and for all User(s) when they perform privileged access actions, or access sensitive and high-availability data repositories that may have a connection to Altia Service(s) and/or Altia Service(s) Derived Information.

i)      Password policies, including complexity requirements, should be governed so that User(s) are not able to select ‘known’ or ‘risky’ passwords, and a best practice password policy should be set: for example, requiring a memorable sentence that includes a symbol and a number, such as Th!sIsmypr0tectedpassw0rd. This example is illustrative only; a password published in a document is itself a ‘known’ password and must not be used.

j)      Customer(s) should ensure remote administration access is compliant with the Customer(s) mobility or mobile device management policy (remote access policy).

k)    The Customer should document, communicate and enforce its security policy regarding access to Altia Service(s) and Altia Service(s) Derived Information.
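Clause 8.1(i) asks that User(s) cannot select ‘known’ or ‘risky’ passwords. The check below is an added example written for this page, not Altia’s code or policy: it normalises a candidate password by reversing common character substitutions (0 for o, ! for i, and so on) before matching it against a banned list, which is what makes a ‘hardened’ spelling of a dictionary phrase still detectable. The banned fragments are a constructed placeholder; a real deployment would feed in a breached-password corpus and the Customer’s own context-specific terms (product names, site names).

```powershell
# Added example, not Altia's code. Normalised banned-password check.
# $BannedFragments is a constructed placeholder list, not a real corpus.
$BannedFragments = @('password', 'protected', 'welcome', 'qwerty', 'letmein', 'altia')

function ConvertTo-NormalisedPassword {
    param([Parameter(Mandatory)][string]$Password)
    # Common substitutions users apply to satisfy complexity rules.
    $map = @{ '0'='o'; '1'='i'; '!'='i'; '3'='e'; '4'='a'; '@'='a'; '5'='s'; '$'='s'; '7'='t'; '|'='l' }
    $chars = $Password.ToLowerInvariant().ToCharArray() | ForEach-Object {
        $c = [string]$_
        if ($map.ContainsKey($c)) { $map[$c] } else { $c }
    }
    # Drop anything that is not a letter so only the underlying words remain.
    return (-join $chars) -replace '[^a-z]', ''
}

function Test-BannedPassword {
    param([Parameter(Mandatory)][string]$Password)
    $normalised = ConvertTo-NormalisedPassword -Password $Password
    $hits = $BannedFragments | Where-Object { $normalised.Contains($_) }
    [pscustomobject]@{
        Password   = $Password
        Normalised = $normalised
        Banned     = [bool]$hits
        Matched    = @($hits)
    }
}

# The page's own example normalises to "thisismyprotectedpassword" and is rejected;
# the second candidate passes this check (length and breach checks are separate).
'Th!sIsmypr0tectedpassw0rd', 'Tide-Lantern-Granite-58' | ForEach-Object { Test-BannedPassword -Password $_ }
```

Run it in any PowerShell 5.1 or 7 session; no modules are required. The substitution map only needs to cover the substitutions users actually make, and matching on fragments rather than whole strings is deliberate: appending a year or a symbol to a banned word should not make it acceptable.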

9.  GSF - Operations Security

9.1.        Security Vulnerability Management

a)   Customer(s) should ensure Customer Hardware or Device(s) that store, transmit or process Customer Data and Altia Service(s) Derived Information undergo vulnerability scans on a regular basis, at least once a month, and immediately after a material change to the Customer Hardware or Device(s).

b)   If a vulnerability scan reveals any vulnerability(s), Customer(s) must immediately take all steps to remediate the vulnerability(s) and report to Altia, detailing the vulnerability(s), and any remediation action taken, as soon as reasonably practicable.

9.2.        Protection from Malware

a)   In the event Customer(s) use any third party software or tools on Customer Hardware or Device(s) to access Altia Service(s) or Altia Service(s) Derived Information, Customer(s) should ensure that no backdoor, time bomb, trojan horse or other computer software enables access to Altia Service(s) or Altia Service(s) Derived Information by a third person not authorised by Altia or the Customer(s).

b)   Customer(s) should use all reasonable endeavours to ensure Altia Service(s) are not compromised by malware. Customer(s) should use anti-malware controls to help avoid malicious software gaining unauthorised access to Customer Data or Altia Service(s) Derived Information, including malicious software originating from public networks.

9.3.        Denial of Service Protection

a)   Customer(s) should ensure all Customer Hardware or Device(s) used to access and use Altia Service(s) are protected from Distributed Denial of Service and Denial of Service attacks with appropriate technologies and solutions.

9.4.        Penetration Testing

a)   Customer(s) should undertake, at their own expense and at least once every 12 months, independent third party vulnerability testing, including penetration testing and ethical hacking activities, on all Customer Hardware or Device(s) or Customer Software used to access Altia Service(s) or Altia Service(s) Derived Information.

b)   Where the results of this testing negatively and materially impact the Altia Service(s), Customer(s) shall notify Altia as soon as reasonably possible, making the relevant results of the testing available to Altia.

c)   Customer(s) and Altia shall agree on a plan to rectify the vulnerabilities with immediate effect, prioritised by severity and in collaboration.

d)   Any testing of this nature in which Altia Service(s) are the subject must be approved by Altia, in writing, before such testing is undertaken.

9.5.        Data Backups

a)   Customer(s) should document, implement and regularly test a backup policy which takes daily copies of Customer Data and Altia Service(s) Derived Information used in the access and use of the Altia Service(s).

b)   Backups should also be captured before Customer(s) initiated system administration, patching and change management activities, so that Customer(s) are able to determine the Customer database restore point for database rollback purposes.

c)   The following backups must be retained for at least 3 months: new and material changes; Customer(s) software and configuration settings.

d)   The following backups must be retained for at least 12 months: test restorations; and IT infrastructure changes.

9.6.        System Monitoring

Customer(s) should develop and maintain a capability for monitoring and detecting security events or Security Incidents involving Altia Service(s) or other Customer services on Customer Hardware or Device(s), through measure(s) including but not limited to:

a)   Establishing a Security Operations Centre (“SOC”) to reduce information and cybersecurity threats, and to detect and respond to Security Incidents on its computers, servers and networks.

b)   Deploying a Security Information and Event Management (“SIEM”) capability to provide real-time analysis of security alerts generated by applications and network hardware.

10.      GSF - Cryptography

a)   The Customer should ensure any Customer Hardware or Device(s), including mobile phones, laptops and tablets, used to access or use Altia Service(s) or Altia Service(s) Derived Information has endpoint protection and encryption capabilities installed.

b)   The Customer should ensure all API connections are protected with TLS 1.2 or above.

c)   The Customer should ensure encryption conforms with encryption regulations, guidelines, or standards as per clause 5, or Altia’s encryption policy which can be made available, on request and in absence of an Applicable policy for a Customer(s) jurisdiction, or Applicability.

d)   The Customer should ensure it maintains the confidentiality of all cryptographic material, such as keys and secrets, at all times.

e)   The Customer should ensure Customer Data held within Customer Hardware or Device(s) outside of Altia’s control is encrypted at all times, at rest and in transit.

f)     The Customer should ensure it has the ability to delete Customer Data or Altia Service(s) Derived Information on Customer Hardware or Device(s) when it is no longer needed, or on Altia reasonable request.

11.      GSF - Physical and Environmental Security

Customer(s) should ensure it has adequate policies, systems, practices, procedures and guidelines in place to secure, monitor and audit the physical security of its User(s), premises, data centres, facilities and Customer Hardware or Device(s), including techniques as follows, but not limited to:

a)   Personnel probity and access/identity cards.

b)   Equipment Inventories and access.

c)   Locks, lights, sensors.

d)   HVAC systems.

e)   Back to base alarms.

f)     Physical security monitoring (guards) as required.

g)   Any other requirements under legislation or frameworks as Applicable to Customer(s) in clause 5.

12.      GSF – System(s), Software and Application(s)

Customer(s) should ensure any Customer Hardware or Device(s), server, system or network element, including APIs, that store, process or facilitate Customer access to and use of Altia Service(s) or Altia Service(s) Derived Information have in place the following:

a)   Application control. To prevent execution of unapproved or malicious programs, including .exe files, DLLs, scripts (e.g., Windows Script Host, PowerShell or HTML Applications (HTA)) and installers.

b)   Application patching.  Including, but not limited to, Flash, web browsers, Microsoft Office, Java and PDF viewers.

c)   Operating system patching. To secure computers (including network devices) with ‘extreme risk’ vulnerabilities as soon as possible, but no later than 48 hours after notification. Customer(s) should always use the latest operating system version and not use unsupported versions.

d)   User application hardening. Including, but not limited to, ensuring that:

  • web browser security settings cannot be changed by User(s);

  • web browsers do not process web advertisements from the internet;

  • web browsers do not process Java from the internet;

  • Internet Explorer 11 does not process content from the internet, and is disabled or removed where possible;

  • Microsoft Office is blocked from creating child processes, from creating executable content and from injecting code into other processes;

  • Microsoft Office is configured to prevent activation of object linking and embedding (OLE) packages;

  • PDF software is blocked from creating child processes;

  • Microsoft Office and PDF software security settings cannot be changed by User(s);

  • .NET Framework 3.5 (including .NET 2.0 and 3.0) is disabled or removed;

  • Windows PowerShell 2.0 is disabled or removed, and PowerShell is configured to use Constrained Language Mode;

  • blocked PowerShell script executions are centrally logged, protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.

e)   Restricted administrative privileges. To operating systems and applications based on a User(s) duty.

f)     Regularly revalidate the need for privileged access and how it is used. For example, do not use privileged accounts for reading email and web browsing.

g)   Configured Microsoft Office macro settings. To block macros from the internet, and only allow vetted macros in ‘trusted locations’ with limited write access, or digitally signed with a trusted certificate.

h)   Macro signing assurance. Only macros digitally signed by trusted publishers are enabled.
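The controls in clauses 12(a) to 12(h) are stated as outcomes; what a practitioner needs next is a way to confirm an endpoint actually has them. The script below is an added example written for this page, not Altia’s code, and is read-only: run from an elevated PowerShell session on a Windows 10/11 or Windows Server host with Microsoft Defender, it reports the state of the optional features, PowerShell language mode and logging, Defender Attack Surface Reduction (“ASR”) rules and Office macro policy named above. The ASR rule GUIDs are Microsoft’s published identifiers for those rules; the registry paths are the standard Group Policy locations. Application control itself (WDAC/AppLocker) and browser settings are not covered, since their location depends on how the Customer deploys them.

```powershell
# Added example, not Altia's code. Read-only audit of user application hardening settings.
# ASR GUIDs are Microsoft's published rule identifiers; 1 = Block, 2 = Audit, 6 = Warn, 0 = Off.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}

function Get-HardeningState {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result($Control, $Compliant, $Detail) {
        $results.Add([pscustomobject]@{ Control = $Control; Compliant = [bool]$Compliant; Detail = $Detail })
    }

    # PowerShell 2.0 engine, .NET Framework 3.5 and Internet Explorer 11 should be disabled or removed.
    foreach ($feature in 'MicrosoftWindowsPowerShellV2Root', 'NetFx3', 'Internet-Explorer-Optional-amd64') {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction SilentlyContinue
        if ($null -eq $f) { Add-Result "Feature $feature" $true 'Not present on this image' }
        else { Add-Result "Feature $feature" ($f.State -ne 'Enabled') "State: $($f.State)" }
    }

    # Constrained Language Mode is enforced by WDAC/AppLocker policy; this reads the current session's mode.
    $mode = $ExecutionContext.SessionState.LanguageMode
    Add-Result 'PowerShell Constrained Language Mode' ($mode -eq 'ConstrainedLanguage') "LanguageMode: $mode"

    # Script block logging writes executed and blocked script blocks to the PowerShell operational log.
    $sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
    Add-Result 'PowerShell script block logging' ($sbl.EnableScriptBlockLogging -eq 1) "EnableScriptBlockLogging: $($sbl.EnableScriptBlockLogging)"

    # Defender ASR rules: Ids and Actions are parallel arrays; a rule is compliant only in Block mode.
    $mp   = Get-MpPreference -ErrorAction SilentlyContinue
    $ids  = @($mp.AttackSurfaceReductionRules_Ids)
    $acts = @($mp.AttackSurfaceReductionRules_Actions)
    foreach ($guid in $AsrRules.Keys) {
        $action = 'not configured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $guid) { $action = $acts[$i]; break }
        }
        Add-Result "ASR: $($AsrRules[$guid])" ($action -eq 1) "Action: $action"
    }

    # Office 2016+ policy: block macros in files that carry the Mark of the Web (downloaded from the internet).
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\$app\Security"
        $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        Add-Result "Office $app blockcontentexecutionfrominternet" ($v -eq 1) "Value: $v"
    }

    return $results
}

Get-HardeningState | Format-Table -AutoSize
```

Each row reports whether the observed state meets the clause, and the `Detail` column carries the raw value so a reviewer can see why a check failed. Because the language-mode check reflects the session it runs in, run the script as a standard user as well as elevated: a Customer whose policy exempts administrators will see `FullLanguage` in the elevated session and `ConstrainedLanguage` in the standard one.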

13.      GSF - Security Patching

Customer Hardware or Device(s) (including BYOD devices), servers, systems or network elements, including APIs, that store, process or facilitate Customer access to, and use of, the Altia Service(s) or Altia Service(s) Derived Information should be patched by Customer(s) in accordance with the Applicable inclusions of clause 12 above, and as a minimum on the following timelines:

a)   Critical vulnerabilities with a known available patch - Immediately.

b)   Critical vulnerabilities without a known available patch - Mitigate (for example, by applying vendor workarounds or compensating controls) as soon as possible, and no later than within 48 hours; patch as soon as a patch becomes available.

c)   High level vulnerabilities - Within 7 days.

d)   Medium to low level vulnerabilities - Within the current monthly patch cycle.

14.      GSF - Security Incident and Breach Management

a)   Security Incidents. Customer(s) should not do, and should ensure that User(s) do not do, anything in connection with access to or use of the Altia Service(s) which could reasonably be expected to have an adverse impact on the security of the Altia Service(s) or on Altia’s ability to maintain its information and cybersecurity standards. On becoming aware of any Security Incident (meaning an actual or potential compromise of information security) which negatively impacts the Altia Service(s) or Altia’s information and cybersecurity standards, Customer(s) must immediately notify Altia of the Security Incident or risk, provide the details reasonably required for Altia to respond appropriately and in a timely manner, and provide all assistance necessary and reasonably requested by Altia to respond to, protect against or prevent further incidents or risk.

b)   Notification. In the event of a Security Incident or actual breach, being any event or circumstance which compromises the confidentiality, integrity or availability of the Altia Service(s), Customer(s) must, as soon as reasonably possible and no later than 48 hours after becoming aware of it, notify Altia of the Security Incident or breach and provide all details known at the time of notification, and must provide ongoing notification of the details of the breach as they become known, including the affected infrastructure, Customer Hardware or Device(s) and affected User(s).

c)   Response. In response to a Security Incident or actual breach the Customer must provide Altia with all assistance reasonably requested by Altia to recover from and protect against the breach. The Security Executive (or delegate), the System Owner and Altia shall work together to coordinate communication and activities between the Customer and Altia in response to the Security Incident. The Customer and Altia must cooperate to promptly resolve the Security Incident and provide details of the mitigation steps taken and the actions performed to restore the confidentiality, integrity and availability of the Altia Service(s). Under no circumstances will Customer(s) notify any third party about a Security Incident or breach without first obtaining the prior written consent of Altia, or of a governing information and/or cybersecurity body in its jurisdiction.

15.      GSF – Internal Audit

For internal audit and reporting purposes, Customer(s) should (in the absence of their own) undertake an annual security assessment against the requirements of these information security standards and any others deemed relevant. Where any non-compliance with mandatory requirements is reasonably likely to result in risk to Altia’s information and cybersecurity framework, the Altia Service(s) and/or Altia Service(s) Derived Information, Customer(s) must as soon as possible notify Altia of the nature of the risk, the remedial action taken, and the plan for risk treatment.

16.      GSF - Customer Data and Information Classification

a)   Customer(s) should identify all Altia Service(s) Derived Information (text, sound, video, image files, software, data, records, evidence, intelligence, etc.) in their possession or under their control and assess the sensitivity and security classification of that Customer Data or Altia Service(s) Derived Information against the Customer’s Applicable information security and classification policies (where available).

b)   Customer(s) should implement security and operational controls for the Customer Data or Altia Service(s) Derived Information that are proportional to their value, importance and sensitivity.

c)   The classification and operational controls should comply with relevant regulation, government requirements, policy frameworks and relevant law (security, privacy, evidence etc.) and codes of conduct.

d)   Access to, and associated privileges for, Customer Data or Altia Service(s) Derived Information should be role based and apply the principle of least privilege.

17.      Altia365 Platform and Compliance as-a-Service

a)   Altia offers a client-side Windows and Microsoft 365 delivery model for Altia Service(s) and other third party services, comprising Microsoft Services that provide a secure, isolated and fully managed client-side delivery model for fully managed Instances of Altia Service(s). Altia365 is not specific to any Altia Service(s) and can be used to deploy PROTECTED workloads and any complementary (or Customer-elected) Microsoft or third party software service or solution.

b)   Deployment of any workload is documented. Altia uses Endpoint Manager to configure Microsoft Windows 365 Cloud PCs so that application workloads of any type are deployed consistently and with greater management oversight, visibility and control by Altia. This takes responsibility for maintaining the majority of the GSF and its inclusions, including the jurisdiction-specific inclusions in clause 5, away from Customer(s).

c)   Please note that any compliance or assurance provided through regionally governed independent audit or information and cybersecurity assessment programs applies to the resources and configuration of Altia365 and not to the workloads deployed within it. It is critical that any application workload has been assessed against the Customer(s)’ requirements under clause 5 so that Altia can inherit previous assessments; for example, Microsoft Services configured in accordance with Microsoft’s best practice guidelines, blueprints and controls for the collection, handling and storage of information classified under those requirements.

d)   The end result of Altia365 is a secure and isolated Desktop Environment accessible by browser, or natively through the Windows Remote Desktop Client, across all platforms, including Windows PCs, Mac/Linux-based PCs and mobile devices capable of running the native Windows Remote Desktop Client application (such as Apple iPad), delivered in a hyper-available, hyper-accessible, remote, modern and high-performing way, with a significant reduction in information and cybersecurity risk and enhanced compliance with relevant regulatory frameworks and guidelines.

e)   While Altia provisions, maintains and supports Altia365, some areas of responsibility remain with Customer(s) because they are outside Altia’s control. These may include (but are not limited to) Customer(s)’ own acceptable use policies, internal governance frameworks and/or specific legislative requirements imposed on them. While the adoption of Altia365 removes the majority of the requirements and the GSF outlined in this document, Shared Responsibilities still rest on Customer(s).

f)     Shared Responsibilities will be outlined in the Terms and Conditions and/or any references contained within an Initiating Order or subsequent Order Forms relating to an Agreement where Altia365 is a nominated Altia Service.

18.      Compliance with Law (Value of Altia Service(s) Derived Information)

So as not to compromise the admissibility of evidence recorded and/or infringe individual rights, including privacy rights, Customer(s) must instruct and train all User(s) on the relevant legislation that applies to capturing intelligence, information and evidence when using the Altia Service(s), including the National (domestic) law Applicable to the Customer. The following should be observed at a minimum, as Applicable to the Customer(s)’ jurisdiction:

a)   Telecommunications and surveillance laws.

b)   Human rights charters, policies, guidelines and legislation.

c)   Privacy charters, policies, guidelines and legislation.

d)   Law and rules of evidence.

e)   Criminal, civil and procedural law.

f)     Tort law.

g)   International law, including mutual assistance treaties.

h)   Customer(s) should comply, and should ensure that User(s) comply, with the Customer(s)’ own policies, procedures, guidelines and best practice regarding information, intelligence and evidence, including the standard requirements for the admissibility of evidence, such as ensuring the information is contemporaneously recorded, relevant, reliable and lawfully obtained.

19.      Outsourcing and Third Party Relationships

Customer(s) are responsible for managing all third parties providing services to the Customer (“Customer Third Party Service Providers”) and should ensure that all Customer Third Party Service Providers are legally bound through contractual arrangements which require them to meet all the same standards the Customer itself must meet in accessing and using the Altia Service(s) or Altia Service(s) Derived Information.

20.      Assistance and Professional Service(s)

Altia provides Professional Service(s) on information and cyber security governance, policy, procedure and programmatic enforcement of information and cybersecurity frameworks. If Customer(s) require assistance implementing or managing all or parts of this Security Schedule, Altia may assist through Professional Service(s) engagement or deliver Altia Service(s) through Altia Managed Platforms.

21.      Acceptance of Shared Responsibility

In entering the Agreement with Altia, Customer(s) accept the Shared Responsibilities and are responsible for making reasonable efforts to research, identify, implement and maintain a GSF and comply with Applicable requirements as per clause 5.

22.      Disputes

Any disputes relating to this Security Schedule are to be raised in writing, within a reasonable time, in sufficient detail and with sufficient evidence, to legal@altiaintel.com.