Basic Security Requirement IT
1. Definitions
IT Systems – describes the IT Systems (servers, virtual servers, network components, etc.) used by the Contractor to perform the subject matter of the contract.
Operating Systems – describes the operating systems of the above IT Systems.
Applications – describes the applications (webserver application, etc.) used by the Contractor to provide the subject matter of the contract.
2. General Security Measures
2.1 General Organizational Security Measures
2.1.1 Unless expressly agreed otherwise, Contractor undertakes to treat all information and data made available to him by B. Braun as confidential information entrusted to him, which in particular he shall neither reproduce nor make accessible to third parties.
2.1.2 Contractor undertakes to process any B. Braun data exclusively in accordance with the written agreements or instructions issued by B. Braun and in compliance with the applicable legal provisions.
Furthermore, Contractor acknowledges that any access to B. Braun owned IT systems, B. Braun owned applications, or B. Braun data that has not been explicitly approved by B. Braun is inadmissible.
2.1.3 Contractor undertakes to
2.1.3.1 either return all B. Braun documents which are not needed anymore to B. Braun or - after prior approval by B. Braun - to dispose them irretrievably.
2.1.3.2 hand over defective or no longer required data media containing B. Braun data to B. Braun or - after prior approval by B. Braun - to delete (overwriting the entire data carrier in three passes with changing bit patterns) or to destroy (e.g. by shredding or incineration) them reliably.
Upon request, Contractor shall provide B. Braun with written proof of the deletion or destruction.
2.1.4 Contractor undertakes to
2.1.4.1 make all employees who are involved in the performance of the subject matter of the contract familiar with the applicable provisions of data protection and to oblige them in writing to comply with them.
2.1.4.2 to inform all employees who are involved in the performance of the subject matter of the Contract comprehensively about the security provisions arising from the contract as well as their corresponding obligations.
2.1.5 Contractor must ensure that at all times it is traceable which of Contractor’s employees have accessed IT systems, applications, or data which Contractor operates or processes on behalf of B. Braun, when and for what reason.
2.1.6 Contractor is obliged to prove implementation of appropriate security measures towards B. Braun by submission of
- a comprehensive security concept, IT operating documentation and relevant organizational and work instructions.
- or independent expert opinions or audit reports (e.g. ISAE 3402 Type-2 report) confirming the implementation of appropriate measures.
Contractor will provide any updates of the above unrequested to B. Braun during the contractual period.
2.1.7 Contractor undertakes to comprehensively inform B. Braun within two working days
2.1.7.1 if the security measures taken by Contractor do not meet, temporarily do not meet or no longer meet the requirements of B. Braun.
2.1.7.2 of any serious disruptions to operations or irregularities in the processing of B. Braun data.
2.1.7.3 of serious security incidents (e.g. burglaries or thefts in the data center, unauthorized access to data) insofar as these affect the subject matter of the contract.
2.1.8 Contractor undertakes to
2.1.8.1 investigate security incidents within his area of responsibility as quickly and comprehensively as possible and, if necessary, to pursue or punish them appropriately.
2.1.8.2 provide B. Braun with appropriate support in the defense, clarification, and prosecution of security breaches, insofar as these affect his area of responsibility.
2.1.9 Contractor grants B. Braun or third parties commissioned by B. Braun the right to
2.1.9.1 verify Contractor’s compliance with all contractual agreements insofar as these affect the subject matter of the contract
2.1.9.2 conduct security audits of systems and applications operated by B. Braun on the contractor’s premises or operated by the contractor on behalf of B. Braun (e.g. on-site audits, tool-supported penetration tests, vulnerability scans)
The above includes, to the extent necessary and subject to prior notification, access to Contractor's premises as well as access to IT systems which serve the performance of the subject matter of the contract. The Contractor undertakes to cooperate as necessary.
Insofar as Contractor makes use of subcontractors, he must ensure that this right also extends to the subcontractors.
2.1.10 Contractor undertakes to implement appropriate organizational and technical measures (maintenance of emergency plans, disaster recovery measures, etc.) to fulfill the agreements regarding availability and recovery (recovery time and maximum data loss).
Contractor must verify the effectiveness of these measures at least once a year and provide B. Braun with corresponding evidence.
2.1.11 Contractor undertakes to inform B. Braun promptly and in writing of all relevant technical (e.g. significant changes to the IT infrastructure) and organizational changes (e.g. changes to responsibilities or processes) on the part of Contractor, insofar as these significantly affect the subject matter of the contract.
2.1.12 Contractor undertakes to provide B. Braun with regular reports on any irregularities (operational disruptions, security incidents, etc.) in the provision of services.
Upon request, the reporting shall also include evidence of the performance of data backups as well as log file evaluations, insofar as these are the responsibility of the Contractor.
2.1.13 Contractor warrants that he will be able to provide information on request at any time on which data media (hard disks, backup media, etc.) he has stored B. Braun data.
2.1.14 Contractor undertakes to inform B. Braun without undue delay and in writing about any commissioning of subcontractors if this affects the operation of IT systems or applications for B. Braun or the processing of B. Braun data. It is the responsibility of Contractor to contractually oblige the subcontractors to comply with B. Braun's security requirements and to provide proof of this to B. Braun upon request.
2.1.15 Upon termination of the contract, Contractor undertakes to promptly and orderly hand over to B. Braun all documents, IT systems, data and data media as well as other property of B. Braun that is in the possession of Contractor or his subcontractors or on their premises.
2.2 Security Checks for Internet Servers
2.2.1 Servers accessible from the Internet, which Contractor operates exclusively for B. Braun, as well as the applications installed on them must be subjected to an expert penetration test prior to initial processing of B. Braun data.
Any material (i.e. Critical, High, or Medium) security deficiencies discovered during the test must be rectified prior to processing B. Braun data. B. Braun's Information Security Office (it-info.ch@bbraun.com) must be informed about the execution and result of this test and of the elimination of the deficiencies.
2.2.2 The penetration test according to 2.2.1 has to be repeated as soon as significant changes have been made to the system (e.g. release change of the operating system, installation of further applications accessible from the Internet).
Any material security deficiencies discovered during the test must be rectified with undue delay. If a prompt correction is not possible for compelling reasons, further action must be coordinated with B. Braun’s Information Security Office.
2.2.3 For servers accessible from the Internet on which Contractor processes not only data from B. Braun but also data from other customers (shared servers),
2.2.3.1 Contractor must provide written proof that an expert penetration test of the system and applications has been carried out within the last 12 months and all identified material security deficiencies have been eliminated.
2.2.3.2 Contractor undertakes to repeat the aforementioned penetration test at least once a year over the term of the contract, to remedy all material security deficiencies discovered without undue delay, and to provide B. Braun with corresponding written proof.
2.3 Physical security measures
2.3.1 Access to IT systems must be restricted by an electronic access control system to persons who require access to fulfil their official tasks. Each access must be logged by the access control system and must be traceable for at least 90 days.
Access authorizations issued within the access control system must be reviewed by Contractor regularly, but at least quarterly, with regard to their operational necessity. The performance of this review shall be documented and verified to B. Braun upon request.
2.3.2 IT systems operated by B. Braun on the premises of Contractor or by Contractor exclusively for B. Braun must be secured against unauthorized access (e.g. by other customers of Contractor) by additional physical measures (e.g. separate lockable room or cage, lockable racks).
2.3.3 The systems must be protected by anti-burglary measures (e.g. camera surveillance, alarm-secured windows and doors, motion detectors, security patrols). Alarm monitoring and an appropriate response to alarms must be ensured without interruption.
2.3.4 The IT systems must be protected against fire by an early fire detection system and a fire extinguishing system suitable for IT equipment.
2.3.5 Automated regulation and monitoring of the room temperature and humidity shall ensure that the environmental conditions always comply with the specifications of the system or media manufacturer.
2.3.6 The IT systems as well as the security-relevant infrastructural systems (e.g. access control, burglary, and fire protection systems) shall be protected by an uninterruptible power supply (UPS) against short-term power failures as well as under- and overvoltage.
In addition, the systems must be protected against longer-term power failures by an emergency power generator.
2.3.7 Data cables shall be laid in a way that they are protected against unauthorized access and damage. In particular, cables that run through areas that are not secured by an access control system must be protected against unauthorized access by separate measures (e.g. metal sheathing, closed channel systems).
2.4 IT Infrastructure
2.4.1 Contractor must take appropriate measures to ensure that unauthorized access to B. Braun systems, applications or data via Contractor's management systems is excluded.
2.4.2 For servers on which Contractor processes not only B. Braun data but also data from other customers (shared servers), Contractor is obliged to take adequate measures to keep the data separate.
2.5 Data Backups
2.5.1 Dedicated backup media must be used for B. Braun data, on which neither data of Contractor nor data of other customers of Contractor are stored.
If the use of dedicated backup media is not feasible for compelling reasons, Contractor warrants that media with B. Braun data will not be passed on to third parties or made accessible to them without B. Braun's prior approval.
2.5.2 The creation of data backups must be documented in a physical or electronic log book with all information required for restoring the data (e.g. scope of the backup, hardware and software used for the backup). The corresponding logs must be kept for at least 90 days. Contractor undertakes to provide B. Braun with proof of the creation of the backups upon request.
2.5.3 Backup media must be stored at a different location or at least in a different fire compartment than the systems secured on the media.
In addition, they must be protected against unauthorized access, fire, and unsuitable climatic conditions in accordance with 2.3.1 – 2.3.5.
2.5.4 If backup media are moved to another location, they must be adequately protected against unauthorized access, damage, and loss during transport (e.g. transport in stable and sealed transport containers directly).
2.5.5 Passing on backup media to third parties is only permitted if all data has been reliably deleted beforehand (e.g. overwriting of the entire medium in three passes with changing bit patterns). In the event of disposal, the media must be irretrievably destroyed (e.g. by shredding or incineration).
Contractor undertakes to provide B. Braun with proof of the corresponding deletion or destruction upon request.
2.6 Security Measures at Network and Transmission Level
2.6.1 The IT systems must be protected by firewalls both against external networks (e.g. the Internet) and against other data networks or systems in Contractor's data center. Systems accessible from the Internet must also be protected by intrusion detection or intrusion prevention systems (IDS/IPS).
2.6.2 If different IT systems are used to provide the subject matter of the contract (e.g., separate systems for storing and displaying content data), the individual systems must be operated separately according to functionality (e.g., display, data storage) in network segments that are separated by firewalls or other network security controls appropriate to the risk.
2.6.3 The following basic rules apply to the communication rules to be set up on firewalls and intrusion detection or intrusion prevention systems (IDS/IPS):
2.6.3.1 Firewalls and IDS/IPS must be configured so that general access from the Internet is only possible to systems expressly intended for this purpose (usually web servers) and only by means of the mandatory protocols required (generally HTTP or HTTPS).
2.6.3.2 Firewalls and IDS/IPS must be configured so that access from Contractor's internal networks is only possible via those protocols and from those IP addresses that are absolutely necessary for administration and monitoring by Contractor.
2.6.3.3 Firewalls and IDS/IPS must be configured so that all policy violations are logged. The protocols shall be continuously evaluated with regard to security incidents.
2.6.4 If firewalls or IDS/IPS of Contractor are used simultaneously for other customers of Contractor, Contractor guarantees that the effectiveness of the communication rules set up for B. Braun is not affected by the rules of the other customers.
2.6.5 For administrative access to systems or applications, encryption technologies (e.g. SSH) must be used by Contractor.
2.6.6 Secure authentication procedures (two-factor authentication or similar) must be used for remote access/remote support.
Any remote access must also be logged with date, time, employee name, and reason for access. The logs must be kept for at least 90 days.
2.6.7 If B. Braun data is made available on web servers via the Internet, only HTTPS with an asymmetric key length of at least 2048 bits and a symmetric key length of at least 128 bits is to be used for access. A corresponding SSL server certificate from a recognized certification authority must be installed on the web servers.
2.6.8 If it is necessary to transmit confidential B. Braun data via the Internet (e.g. between systems of B. Braun and systems of Contractor), the transmission must be encrypted (e.g. using IPSec).
2.7 Security Measures at Operating System Level
2.7.1 Operating system components or additional software not required for normal operation or system security must not be installed or removed after installation
2.7.2 Network services that are not required for proper system operation must be deac¬tivated or blocked.
2.7.3 Server systems and workstation computers for which anti-malware tools are available must be equipped with such a tool. The tool must be configured in a way that
2.7.3.1 all e-mails, electronic attachments and files transferred from or to the system are automatically checked for malware infestation (viruses, trojans, etc.)
2.7.3.2 all files stored on the system as well as the boot sectors and the memory are automa¬tically scanned at least once a day (on-demand scan) or permanently on access (on-access scan)
2.7.3.3 the signatures and engines are updated at least daily or continuously as released by the product vendor
2.7.4 Contractor must ensure that patches and updates that resolve security deficiencies of the system, are promptly tested and installed. In addition, it must be ensured that corresponding patches are installed immediately in acute emergencies.
2.8 Security Measures at Application Level
2.8.1 Components and functions of the application that are not required for operation must be deleted or deactivated (e.g. sample scripts, unnecessary server functions).
2.8.2 The application must be configured so that access via networks is only possible in an encrypted manner (e.g. HTTPS, SSH). This does not apply to applications that only process data classified as "public".
2.8.3 Applications must have access control mechanisms that allow the user rights to be defined on the basis of user and role profiles. It shall be possible to distinguish between read, write, delete, and execute access. Objects and functions for which a user is not authorized must not be accessible to the user.
2.8.4 The application must not have features that allow users to bypass access control mechanisms. In particular, the application must not contain any undocumented access paths (backdoors).
2.8.5 The application must be configured so that inactive user sessions are automatically terminated after 20 minutes.
2.8.6 For webserver applications, the following measures have to be implemented:
2.8.6.1 A separated area of the file system must be set up for the application from which sensitive system files (e.g. configuration files, log files, password files) cannot be accessed.
2.8.6.2 Web content must be stored on a dedicated partition or hard disk on which neither parts of the operating system nor applications (e.g. webserver application) are stored.
2.8.6.3 The web server process must be operated under a dedicated user and group ID which only has the necessary rights.
2.8.6.4 All external applications and scripts (e.g. CGI, PHP, ASP) called by the webserver application must be stored in a dedicated directory. Write access to this directory must be restricted to administrative accounts.
2.8.6.5 The web server application must be configured so that
users can only access the content stored here, even if they know the URLs of files in other areas of the file system
no hard- or soft links are followed
the output of directory listings is deactivated
2.8.6.6 Temporary files created by the web server application (e.g. when creating dynamic web pages) must be stored in a dedicated and protected directory. It must be ensured that, if multiple web server instances are operated, only the instance that has created this file can access a temporary file.
2.8.7 Contractor must ensure that patches and updates that resolve security deficiencies of the application, are promptly tested and installed. In addition, it must be ensured that corresponding patches are installed immediately in acute emergencies.
2.9 Accounts and Passwords
2.9.1 Accounts that are not required for regular system or application operation must be deleted or locked for login.
2.9.2 Accounts predefined by the manufacturer must be deleted, deactivated, or renamed, whenever possible.
2.9.3 Passwords assigned by the manufacturer must be replaced by new passwords.
2.9.4 For administrators, individual accounts must be created which either have the required administrative rights or from which the administrator assumes the required administrative role (e.g. via ‘su’ under Unix or “runas” under Windows). Direct login under generic administration accounts (e.g. root, administrator) is only permitted in compelling cases.
2.9.5 An individual account must be created for each user and user authentication must be acti-vated. No group accounts (shared accounts) and no accounts without passwords may exist. No unauthenticated or anonymous access to the system or application must be possible.
2.9.6 It must be ensured that each user or administrator has only the access rights to data, objects, and functions that he absolutely needs to fulfil his official duties.
The accounts administered by Contractor and the access rights assigned to them must be documented by the Contractor within the framework of a user and authorization concept and must be reviewed at least monthly for their necessity.
2.9.7 IT systems and applications must be configured to store passwords only in encrypted form. If the possibility of decryption is not necessary for compelling reasons, one-way encryption methods (cryptographic hash functions) must be used.
2.9.8 If it is necessary to transmit passwords via networks, encryption mechanisms (e.g. HTTPS, SSH) must be used.
2.9.9 IT systems and applications must be configured in such a way that passwords that do not contain at least three of the four character categories (uppercase letters, lowercase letters, numbers, special characters) are rejected.
2.9.10 IT systems and applications must be configured in such a way that the minimum length of all passwords is 12 characters and passwords with a shorter length are rejected.
2.9.11 IT systems and applications must be configured in such a way that the six preceding pass¬words are rejected as new passwords.
2.9.12 IT systems and applications must be configured in such a way that passwords are valid for a maximum of 180 days and must be changed at the next login after this period has expired
2.9.13 IT systems and applications must be configured so that users can change their personal password independently at any time. The previous password and a confirmation of the new pass¬word must be requested by entering it twice.
2.9.14 User passwords assigned by administrators must
2.9.14.1 be generated at random
2.9.14.2 contain upper- and lowercase letters as well as numeric characters,
2.9.14.3 be at least ten characters long
2.9.14.4 only be valid for the first login. After first login the user must be required to change the password
2.9.14.5 be communicated to the user in a secure manner (e.g. personally or in an encrypted email). User ID and password must never be sent together in an unencrypted e-mail or letter
2.9.15 The system or application must be configured in such a way that
- accounts are either locked for 5 minutes after five consecutive incorrect login attempts for a new login
- or an increasing logon delay is introduced after each failed logon attempt
2.10 Logging
2.10.1 IT systems or applications must be configured in such a way that security-relevant events are logged. These are at least
2.10.1.1 failed login attempts
2.10.1.2 failed or successful use of administrative accounts or privileges
2.10.1.3 failed or successful modification of security parameters or logging settings
2.10.1.4 failed or successful creation, modification, and deletion of accounts
2.10.1.5 failed or successful creation, modification and deletion of user authorizations or access rights
2.10.1.6 failed or successful input, modification, or deletion of personal data
2.10.1.7 failed or successful installation or deletion of components of the operating system or application software
2.10.1.8 policy violations on dedicated IT security solutions (e.g. IPS/IDS, firewalls)
2.10.1.9 Communication connections via proxy server and remote access systems
The logging must be configured in such a way that all relevant parameters (type of event, date and time, user IDs and IP addresses involved, etc.) are recorded. A reliable time server must be used for the corresponding time information.
2.10.2 The log data must be continuously evaluated by Contractor with regard to security breaches (e.g. unauthorized access attempts). If any anomalies are noticed, Contractor must initiate appropriate measures.
2.10.3 Log data must be stored and accessible for a period of 90 days and deleted after this period, if not needed longer for ongoing inquiries or due to legal requirements.
Status: March 2022