3P Customer Information Security Discussion
Date: 28 July 2017
Audience:
Marketing: Gunawan, Merrick, Dellyna, William, Natasha, Pooja
Infosec: Fergindo, Pertiwi, Rizka
Meeting Notes:
- There are three data classification levels. Each data owner (data owner = product team) is responsible for classifying its own data:
- Confidential: access limited to a few specific teams
- Internal: can be accessed/processed internally, but not shared outside the company
- Public: can be published to third parties
- Since Traveloka hasn't finalized its classification scheme yet, we can follow two established references in the meantime:
- PCI DSS: the industry standard for handling payment card data (card number, CC expiry date, etc.)
- PII: protection of personally identifiable information such as name, date of birth, ID number, passport number (note that PII is a category of data rather than a single standard like PCI DSS; the requirement is that the vendor protects it)
- For any vendor onboarding, the Marketing team needs to ensure that:
- the third party complies with both of the above (PCI DSS for card data, PII protection for personal data)
- an NDA is signed, or, if there is no NDA, the contract/agreement contains a clause stating that the third party will not share the data.
- Infosec has a set of IT security clauses that can be added to the contract or agreement with the third party. If a team needs an NDA, the team drafts it itself and asks Infosec for suggestions. The minimum set of IT security requirements for third parties can be found here:
https://29022131.atlassian.net/wiki/display/IS/IT+Security+Clauses
- Traveloka will soon establish a policy for building relationships with third parties. One of the main points: before we sign any agreement/contract with an external vendor, Infosec has to be involved in the assessment and evaluate each vendor option from the security side. To enable this, each team needs to provide:
- project background
- business justification
- project infrastructure
Notes:
- This policy applies only to critical vendors, i.e. those that process or transmit our customer/employee data originating from internal sources (e.g. the policy does not apply if the vendor only consumes data from Facebook)
- Request can be submitted through JIRA (Security Assessment - Outsource Application) here: https://29022131.atlassian.net/servicedesk/customer/portal/17
- For vendors that are already onboarded, the Marketing team can share the existing contract with Infosec, and Infosec will check whether the vendor already complies. If it does not, a contract renewal may be needed to ensure the IT security clauses are included or an NDA is signed.
Feel free to add or revise anything. Thanks.