1. Organizational security
Priva has a Strategic policy, which is the foundation for the other policies and thus provides direction for further implementing information security and quality within Priva. It defines the purpose, contents, structure, objectives, responsibilities, and the management of the policies.
In order to provide such a level of continuous operation, Priva has implemented an Integrated Management System (IMS) in line with the International Standards for Information Security(ISO/IEC 27001), , and Quality Management (ISO/IEC 9001). Note: This security whitepaper focuses on information security. The IMS also provides a clear overview of all the security measures and, moreover, the IMS is a useful tool to continuously improve Priva’s security posture. Priva employs strict policies and procedures by taking into account the confidentiality, the integrity and availability of Priva’s systems and services.
Priva has a dedicated Security, Quality and Compliance (SQC) team in order to make sure Priva complies with the applicable standards. They determine what controls, processes and measures are needed to meet these standards.
Priva complies to the following standards related to information security and privacy:
- ISO / IEC 27001 – Information Security Management
1.2 Employee background checks
To ensure that employees and contractors are suitable for the roles for which they are considered, Priva has set guidelines for pre-employment screening. Priva has taken into account that there must be a justified cause and that the screening is necessary in order to verify whether someone's profile and someone’s past records meet the desired confidentiality and integrity levels for a specific role within Priva. Until the screening is successfully performed, the employee is not assigned to their role.
1.3 Security awareness
Apart from IMS related responsibilities, there are trainings for all employees and contractors within Priva (end users). The Security, Quality and Compliance (SQC) training hosted by the Priva Academy is an obligatory training for every employee or contractor who works for Priva. A part of the SQC training is security awareness. It is required to successfully complete the SQC training periodically. The knowledge of the employee will be tested based on tests. The employee needs to have sufficient knowledge on the security principles of Priva in order to successfully pass the training. Additionally, there are some roles which receive additional security awareness sessions based on their security clearance.
1.4 Dedicated Information Security team
Priva has a dedicated Information Security team, as part of the SQC team. The Information Security team is responsible for implementing and coordinating the security initiatives. This team develops and implements corporate information security and privacy policies and related documents. Additionally, this team develops processes in order to manage information security within Priva. They have a consulting role in Priva-wide projects to advise diverse teams about security risks and how to manage these risks.