Lumar takes information security seriously in its processing and transfers of Personal Data. This information security overview applies to Lumar’s controls for safeguarding Personal Data which is processed by Lumar.
Lumar has implemented an information security management system that is designed to safeguard Lumar’s environment and manage the organization’s sensitive data.
The policies and standards that make up this system are approved by Lumar’s executive management and are periodically reviewed and updated where necessary.
Lumar shall maintain an appropriate data privacy and information security program, including policies and procedures for physical and logical access restrictions, data classification, access rights, credentialing programs, record retention, data privacy, information security and the treatment of personal data and sensitive personal data throughout its lifecycle. Key policies will be reviewed at least annually.
It is the responsibility of all Lumar employees who are involved in the processing of Customer Personal Data to comply with these practices and standards. Lumar’s Information Security (“IS”) function is responsible for the following activities:
- Security strategy – the IS function works to ensure compliance with its own security-related policies and standards and all relevant regulations, and to raise awareness and provide education to users. The IS function also carries out risk assessments and risk management activities and manages contract security requirements.
- Security engineering – the IS function manages testing, design and implementation of security solutions to enable the adoption of security controls across Lumar’s online and information technology environment.
- Security operations – the IS function manages support of implemented security solutions, monitors and scans Lumar’s online and information technology environment and assets, and manages incident response.
- Forensic investigations – the IS function works with Legal and Compliance, and Human Resources to carry out investigations, including discovery and forensics.
- Security consulting and testing – the IS function works with software developers on developing security best practices, consults on application development and architecture for software projects, and carries out assurance testing.
Asset Classification and Control
Lumar’s practice is to track and manage key information and physical, software and logical assets. Examples of the assets that Lumar might track include:
- information assets, such as identified databases, disaster recovery plans, business continuity plans, data classification, archived information;
- software assets, such as identified applications and system software;
- physical assets, such as identified servers, desktops/laptops, printers, and communications equipment.
The assets are classified based on business criticality to determine confidentiality requirements. Industry guidance for handling personal data provides the framework for technical, organizational, and physical safeguards. These safeguards may include controls such as access management, encryption, logging and monitoring, and data destruction.
Employee Screening, Training and Security
- Screening/background checks: Where reasonably practicable and appropriate, as part of the employment/recruitment process, Lumar performs employee screening and background checks on employees or prospective employees (which shall vary from country to country based on local laws and regulations), where such employees will have access to Lumar’s networks, systems or facilities.
- Identification: Lumar requires all employees to provide proof of identification and any additional documentation that may be required based on the country of hire or if required by other Lumar entities or customers for whom the employee is providing services.
- Training: Lumar’s annual compliance training program includes a requirement for employees to complete online data protection and information security awareness training.
- Confidentiality: Lumar ensures its employees are legally bound to protect and maintain the confidentiality of any data they handle according to standard agreements.
Security Incidents and Response Plan
- Security incident response plan: Lumar maintains a security incident response policy and related plans and procedures that address the measures that Lumar will take in the event of loss of control, theft, unauthorized disclosure, unauthorized access, or unauthorized acquisition of personal data. These measures may include incident analysis, containment, response, remediation, reporting, and the return to normal operations.
- Response controls: Controls are in place to protect against, and support the detection of, malicious use of assets and malicious software, and to report potential incidents to Lumar’s IS function or Service Desk for appropriate action. Controls may include, but are not limited to: information security policies and standards; restricted access; designated development and test environments; virus detection on servers, desktops and notebooks; virus email attachment scanning; system compliance scans; intrusion prevention monitoring and response; firewall rules; logging and alerting on key events; information handling procedures based on data type; application and network security; and system and application vulnerability scanning. Additional controls may be implemented based on risk.
Data Transmission Control and Encryption
Lumar shall, to the extent it has control over any electronic transmission or transfer of personal data, take all reasonable steps to ensure that such transmission or transfer cannot be read, copied, altered or removed without proper authority during its transmission or transfer. In particular, Lumar shall:
- implement industry-standard encryption practices in its transmission of personal data. Industry-standard encryption methods used by Lumar include Secure Sockets Layer (SSL), Transport Layer Security (TLS 1.2), a secure shell program such as SSH, and/or Internet Protocol Security (IPSec);
- for Internet-facing applications that may handle sensitive personal data and/or provide real-time integration with systems on a network that contains such information (including Lumar’s core network), a Web Application Firewall (WAF) may be used to provide an additional layer of input checking and attack mitigation. The WAF will be configured to mitigate potential vulnerabilities such as injection attacks, buffer overflows, cookie manipulation and other common attack methods.
System Access Controls
Access to Lumar’s systems is restricted to authorized users. Formal procedures and controls govern how access is granted to authorized individuals and the level of access required and appropriate for them to perform their job duties.
Data Access Control
Lumar applies the controls set out below regarding the access and use of personal data:
- personnel are instructed to use only the minimum amount of personal data necessary in order to achieve Lumar’s relevant business purposes;
- personnel are instructed not to read, copy, modify or remove personal data unless necessary to carry out their work duties;
- third-party use of personal data is governed through contractual terms and conditions between the third party and Lumar, which impose limits on the third party’s use of personal data and restrict such use to what is necessary for the third party to provide its services.
Lumar protects personal data against accidental destruction or loss by following these controls:
- personal data is retained in accordance with customer contract or, in its absence, Lumar’s record management policy and practices, as well as legal retention requirements;
- appropriate technical measures are in place, including (without limitation): anti-virus software on all systems; firewall-based network protection; network segmentation; regular generation of back-ups; hard disk mirroring where required; and emergency plans.
Data Input Control
Lumar has, where appropriate, measures designed to check whether and by whom personal data have been input into data processing systems, or whether such data has been modified or removed. Access to relevant applications is recorded.
System Development and Maintenance
Publicly released third-party vulnerabilities are reviewed for applicability in the Lumar environment. Based on the risk to Lumar’s business and customers, there are pre-determined timeframes for remediation. In addition, vulnerability scanning and assessments are performed on new and key applications and the infrastructure based on risk. Code reviews and scanners are used in the development environment prior to production to proactively detect coding vulnerabilities based on risk. These processes enable the proactive identification of vulnerabilities as well as compliance.
The information security, legal, privacy, and compliance departments work to identify regional laws and regulations that may be applicable to Lumar. These requirements cover areas such as the intellectual property of Lumar and its customers, software licenses, protection of employee and customer personal information, data protection, and data handling procedures.
Mechanisms such as the information security program, the executive leadership team, internal and external audits/assessments, internal and external legal counsel consultation, internal controls assessment, penetration testing and vulnerability assessments, contract management, security awareness, security consulting, policy reviews, and risk management combine to drive compliance with these requirements.
Information on current sub-processors is available upon request.