5.4 INTERNAL POLICIES, GUIDANCE AND PRACTICES
Teradata has numerous internal written global policies (plus local policies in many jurisdictions and supplemental business, organizational, departmental and function/role-specific policies) that pertain to PDP, including:
- Protecting Information within Teradata (CMP 1402)
- Confidential Information Disclosure (CMP 1407)
- Protection of Personal (Employee/Workforce) Data (CMP 204)
- Privacy of Protected (Employee) Health Information (HIPAA) (CMP 205)
- Information Technology Infrastructure Requirements (CMP 1404)
- Data Management (CMP 1406)
- Record Retention (CFAP 111)
- Sharing of (Teradata) Financial Information (CMP 820)
- Publication of Proprietary Technical Information (CMP 911)
- Responding to Governmental Requests for Information (CMP 916)
- Electronic Data Interchange (“EDI”) for Trading Data (CMP 1405)
- Corporate Security (CMP 1700)
- Internal Accounting Controls – Information Systems (CFAP 1809)
We publish an “Information Security” ethics guide for our employees that all relevant employees are required to read, receive training on, and certify to – shortly after they are hired by us and annually thereafter in connection with our Code of Conduct training and certification processes. We also publish a “Social Media Guide” for our employees, reinforcing that our PDP policies and practices also apply to their uses of social media.
We publish a “Rules of the Road” IT Security reference document for all Teradata employees and contractors, as well as “Data Protection Awareness – Frequently Asked Questions (FAQ)”. In addition to PDP being addressed in our Code of Conduct, our employee Code of Conduct training, our Supplier Code of Conduct and our Business Partner Code of Conduct, we also provide our employees with standalone periodic training regarding PDP.
We have internal IT practices and procedures that pertain to PDP. Our internal written IT Information Protection Standards (“IPS”s) include:
- IPS Administration (IPS 101)
- Information Protection Data Center and Operations Requirements (IPS 102)
- Application Development/Deployment Standards (IPS 103)
- Secure Firewall Implementation (IPS 107)
- User ID and Password Management (IPS 109)
- Platform Compliance Monitoring, Administration & Oversight (IPS 115)
- Server Operating System Security Requirements (IPS 119)
- IT Service Production System Access Authorization Requirements (IPS 125)
- Wireless Network Security Requirements (IPS 127)
- Teradata Information at Non-Teradata Sites (IPS 128)
- Information Security for Connecting Outsourced Development & Support (IPS 129)
- Information Security for Teradata Global Consulting Centers (IPS 130)
- Encryption Standard for Teradata (IPS 131)
- Uses of Non-Teradata-Owned Apple Laptops on the Teradata Network (IPS 132)
Other IT practices we employ to help protect privacy and information include: penetration, vulnerability and firewall tests; anti-virus tools on all workstations; deployment of anti-spam and anti-phishing tools; URL and e-mail filtering; deployment of patch management tools; deployment of host-based intrusion detection system (“IDS”) and firewall protection tools; deployment of data loss prevention (“DLP”) tools; deployment of network access control tools; scans and blocks for advance persistent threats (“APT”); tests, scans, spot-checks, validations and reviews by internal auditing, as well as third-party subject-matter-expert service providers; deploying full disk encryption on all Teradata laptop computers; encryption on all Teradata servers and selected desktops; deploying Mobile Device Management (“MDM”) security tools and requirements for certain mobile devices used to access the Teradata network; and, deploying Multi-Factor-Authentication (“MFA”) tools and requirements such as for remote/mobile access to PII through our internal-use apps and Sites. We maintain and regularly update an IT Security internal online site for our employees where information relevant to information security is aggregated and made accessible to our employees.
Our main IT infrastructure production systems are operated from highly secure data centers that are designed and implemented to help assure PDP is achieved. Those systems are routinely backed-up, the back-up data is secured, and redundancy, disaster recovery and business continuity planning are built-in to our practices and procedures with respect to that data.
We conduct background checks and screening (subject to applicable laws) regarding proposed new-hire employees; these are conducted with the prospective employee’s express permission or otherwise in compliance with applicable laws, and we have arrangements in place with third-party service providers who assist us with background checks and screening to help assure that the rights of individuals are honored and that their PII is not used or disclosed for any illegal or impermissible purpose. Newly-hired employees are also required to sign agreements providing that they will protect, and not make unauthorized use or disclosure of, private and confidential information that they may have access to through Teradata. All employees confirm such each time they log-on to our network and systems, at which time they also acknowledge and confirm that they are granting us permission to monitor their use of our network, systems, internal-use apps, internal-use Sites and other IT resources, with no expectation of personal privacy by them, to the maximum extent permitted by law.
With respect to consulting, professional services and managed services activities we perform for our customers, we generally control and segregate access to PII that our customers possess or process, and comply with other industry-driven and customer-driven privacy and information security practices. For example, for most of our services engagements for deployments of our solutions at our customer sites or at our customer-selected data centers, we either do not have access to the PII in our customers’ data, or, where we do, we often do so solely through secure workstations and network connections provided and managed by or for, the customer, used only for that purpose, and accessible by log-on credentials and other security measures only by our authorized personnel who are in need-to-know positions with respect to that data. Typically, for our customer onsite solutions, we do not access or take possession of our customers’ PII or other sensitive data, nor remove it from our customers’ sites.
The same applies with respect to our Global Development Centers (“GDC”s), such as those in the Czech Republic, Philippines, India, and Pakistan. The services performed at those centers typically employ stricter controls, practices and procedures are applied to secure and limit access to the PII. Where applicable laws or contract provisions prohibit or restrict access to solutions or information from locations, from countries, or by citizens or residents of other than where the solution or data is located, we implement procedures to help assure we comply with those requirements.
When we run research, development or technical support tests and benchmarks against data for our customers, we rarely have access to or take possession of actual unmodified individually-identifiable PII. If PII is involved, sensitive individually-identifiable data elements typically are encrypted, obfuscated, truncated or otherwise made anonymous. In the exceptional circumstances where we access or take possession of sensitive individually-identifiable PII for critical testing, support or benchmarking, controls, practices and procedures are applied to secure and limit physical and electronic access to the data and data rooms, data centers and facilities involved.
When we host solutions for our customers, we require that it be done on systems that are separate from the IT infrastructure we use and access to manage and operate our own business. The data of various hosted customers is segregated from the data of other customers. Hosted solutions are operated from secure third-party-owned or third-party-operated data centers designed and implemented to help assure that PDP is achieved. The solutions we host, as set forth in the applicable hosting contracts or in standards incorporated into the contracts with our respective customers, are routinely backed-up, the back-up data is secured, and redundancy, disaster recovery and business continuity planning are built-in to our practices and procedures with respect to the hosted-data. Typically, with respect to environments where we serve as a data processor for our data-controller-customers, the hosted-environment and cloud-environment contracts make it the primary responsibility of our data-controller-customers to specify their policy, government and industry regulatory compliance requirements. We work with our hosted customers and cloud customers to help assure their data is stored, processed and managed according to their requirements. Teradata may also, if contracted to do so, function in the role of consultant to our customers and will help identify and bring to the attention of our customers PDP risks or non-compliance issues we notice in the normal course of business while providing services, hosted offerings or cloud offerings.
END OF POLICY