Logitech Vendor Information Security Requirements
Logitech Europe S.A. and all of its subsidiaries and affiliates (collectively “Logitech”) require all of its vendors, service providers and other business partners (“You” or “Vendor”) to maintain a comprehensive written information security program (“Information Security Program”) that includes technical, physical and organizational measures to ensure the confidentiality, security, integrity, and availability of information provided by Logitech, Logitech’s affiliates, and its and their employees, representatives, contractors, customers and Vendors (collectively, “Logitech Data”) and to protect against unauthorized access, use, disclosure, alteration or destruction of Logitech Data. This Information Security Program is attached to, and incorporated by reference into, the agreements for services (“Agreements”) by and between the Logitech entity named therein and You. In particular, the Information Security Program shall include, but not be limited to, the following measures where appropriate or necessary to ensure the protection of Logitech Data:
- Access Controls – Policies, procedures, and physical and technical controls:
- to limit physical access to your information systems and the facility or facilities in which they are housed to properly authorized persons;
- to ensure that all members of your workforce who require access to Logitech Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access;
- to authenticate and permit access only to authorized individuals and to prevent members of your workforce from providing Logitech Data or information relating thereto to unauthorized individuals; and
- to encrypt and decrypt Logitech Data where required.
- Security Awareness and Training – A security awareness and training program for all members of your workforce (including management) on a regular basis, which includes training on how to implement and comply with your Information Security Program.
- Security Incident Procedures – Policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Logitech Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes. If You become aware of any circumstance that may trigger either Party’s obligations under Security Breach Laws, You shall immediately provide written notice to Logitech via firstname.lastname@example.org and shall fully cooperate with Logitech to enable Logitech to carry out its obligations under Security Breach Laws.
- Contingency Planning – Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Logitech Data or systems that contain Logitech Data, including a data backup plan and a disaster recovery plan and immediately providing a written notice to Logitech via email@example.com.
- Device and Media Controls – Policies and procedures on hardware and electronic media that contain Logitech Data into and out of your facilities, and the movement of these items within your facilities, including policies and procedures to address the final disposal of Logitech Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Logitech Data from electronic media before the media are made available for re-use. You shall ensure that no Logitech Data is downloaded or otherwise stored on laptops or other portable devices unless they are subject to all of the protections required herein. Such protective measures shall include, but not be limited to, all devices accessing Logitech data shall be encrypted and use up-to-date anti-malware detection prevention software.
- Audit controls – Hardware, software, services, platforms and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.
- Policies and Procedures – Policies and procedures to ensure the confidentiality, integrity, and availability of Logitech Data and protect it from accidental, unauthorized or improper disclosure, use, alteration or destruction.
- Storage and Transmission Security – Technical security measures to guard against unauthorized access to Logitech Data that is being transmitted over an electronic communications network, including a mechanism to encrypt Logitech Data in electronic form while in transit and in storage on networks or systems to which unauthorized individuals may have access.
- Assigned Security Responsibility – You shall designate a security official responsible for the development, implementation, and maintenance of your Information Security Program.
- Physical Storage Media – Policies and procedures to ensure that prior to any storage media containing Logitech Data being assigned, allocated or reallocated to another user, or prior to such storage media being permanently removed from a facility, you will securely delete in accordance with Section 2.3 (e.). such Logitech Data from both a physical and logical perspective, such that the media contains no residual data, or if necessary physically destroy such storage media. You shall maintain an auditable program implementing the disposal and destruction requirements set forth in this Section for all storage media containing Logitech Data.
- Testing – You shall regularly test the key controls, systems and procedures of Your Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
- Keep the Program Up-To-Date – You shall monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Logitech Data, internal or external threats to you or the Logitech Data, and your own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.
More specifically, Vendor’s Information Security Program shall meet or exceed the following requirements:
1. SCOPE; DEFINITIONS
1.1. Security Policy. Vendor will comply in all respects with Logitech’s information security requirements set forth in these Logitech Information Security Requirements for Vendors (the “Security Policy”). The Security Policy applies to Vendor’s performance under any agreement between Vendor and Logitech (the “Agreement”) and all access, collection, use, storage, transmission, disclosure, destruction or deletion of, and security incidents regarding Logitech Information (as defined below). This Security Policy does not limit other obligations of Vendor, including under the Agreement or with respect to any laws that apply to Vendor, Vendor’s performance under the Agreement, the Logitech Information or the Permitted Purpose (as defined below). To the extent this Security Policy directly conflicts with the Agreement, Vendor will promptly notify Logitech of the conflict and will comply with the requirement that is more restrictive and more protective of Logitech Information (which may be designated by Logitech).
- “Affiliate” means, with respect to a particular person, any entity that directly or indirectly controls, is controlled by, or is under common control with such person.
- “Aggregate” means to combine or store Logitech Information with any data or information of Vendor or any third party.
- “Anonymize” means to use, collect, store, transmit or transform any data or information (including Logitech Information) in a manner or form that does not identify, permit identification of, and is not otherwise attributable to any user, device identifier, source, product, service, context, brand, or Logitech or its Affiliates.
- “Logitech Information” means, individually and collectively: (a) all Logitech Confidential Information (as defined in the Agreement or in the non-disclosure agreement between the parties); (b) all other data, records, files, content or information, in any form or format, acquired, accessed, collected, received, stored or maintained by Vendor or its Affiliates from or on behalf of Logitech or its Affiliates, or otherwise in connection with the Agreement, the services provided under the Agreement, or the parties’ performance of or exercise of rights under or in connection with the Agreement; and (c) derived from (a) or (b), even if Anonymized.
1.3. Permitted Purpose.
Except as expressly authorized under the Agreement, Vendor may access, collect, use, store, and transmit only the Logitech Information expressly authorized under the Agreement and solely for the purpose of providing the services under the Agreement, consistent with the licenses (if any) granted under the Agreement (the “Permitted Purpose”). Except as expressly authorized under the Agreement, Vendor will not access, collect, use, store or transmit any Logitech Information and will not Aggregate Logitech Information, even if Anonymized. Except with Logitech’s prior express written consent, Vendor will not (A) transfer, rent, barter, trade, sell, rent, loan, lease or otherwise distribute or make available to any third party any Logitech Information or (B) Aggregate Logitech Information with any other information or data, even if Anonymized.
2. SECURITY POLICY
2.1. Basic Security Requirements. Vendor will, consistent with current best industry standards and such other requirements specified by Logitech based on the classification and sensitivity of Logitech Information, maintain physical, administrative and technical safeguards and other security measures (A) to maintain the security and confidentiality of Logitech Information accessed, collected, used, stored or transmitted by Vendor, and (B) to protect that information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure and all other unlawful forms of processing. Without limitation, Vendor will comply with the following requirements:
- Firewall. Vendor will install and maintain a working network firewall to protect data accessible via the Internet and will keep all Logitech Information protected by the firewall at all times.
- Updates. Vendor will keep its systems and software up-to-date with the latest upgrades, updates, bug fixes, new versions and other modifications necessary to ensure security of the Logitech Information.
- Anti-malware. Vendor will at all times use anti-malware software and will keep the anti-malware software up to date. Vendor will mitigate threats from all viruses, spyware, and other malicious code that are or should reasonably have been detected.
- Encryption. Vendor will encrypt data at rest and data sent across open networks in accordance with industry best practices.
- Testing. Vendor will regularly test its security systems and processes to ensure they meet the requirements of this Security Policy.
- Access Controls. Vendor will secure Logitech Information, including by complying with the following requirements:
- Vendor will assign a unique ID to each person with computer access to Logitech Information.
- Vendor will restrict access to Logitech Information to only those people with a “need-to-know” for a Permitted Purpose.
- Vendor will regularly review the list of people and services with access to Logitech Information, and remove accounts (or advise Logitech to remove accounts) that no longer require access. This review must be performed at least once every 90 days.
- Vendor will not use manufacturer-supplied defaults for system passwords and other security parameters on any operating systems, software or other systems. Vendor will mandate and ensure the use of system-enforced “strong passwords” in accordance with the best practices (described below) on all systems hosting, storing, processing, or that have or control access to, Logitech Information and will require that all passwords and access credentials are kept confidential and not shared among personnel. Passwords must meet the following criteria: contain at least 12 characters; not match previous passwords, the user’s login, or common name; must be changed whenever an account compromise is suspected or assumed; and are regularly replaced after no more than 90 days.
- Vendor will maintain and enforce “account lockout” by disabling accounts with access to Logitech Information when an account exceeds more than 10 consecutive incorrect password attempts.
- Except where expressly authorized by Logitech in writing, Vendor will isolate Logitech Information at all times (including in storage, processing or transmission), from Vendor’s and any third-party information.
- If additional physical access controls are requested in writing by Logitech, Vendor will implement and use those secure physical access control measures.
- Vendor will provide to Logitech on an annual basis or more frequently upon Logitech’s request, (1) log data about all use (both authorized and unauthorized) of Logitech’s accounts or credentials provided to Vendor for use on behalf of Logitech (e.g., social medial account credentials), and (2) detailed log data about any impersonation of, or attempt to impersonate, Logitech personnel or Vendor personnel with access to Logitech Information.
- Vendor will regularly review access logs for signs of malicious behavior or unauthorized access.
- Vendor Policy. Vendor will maintain and enforce an information and network security policy for employees, subcontractors, agents, and Vendors that meets the standards set out in this policy, including methods to detect and log policy violations. Upon request by Logitech, Vendor will provide Logitech with information on violations of Vendor’s information and network security policy, even if it does not constitute a Security Incident.
- Subcontract. Vendor will not subcontract or delegate any of its obligations under this Security Policy to any subcontractors without Logitech’s prior written consent. Notwithstanding the existence or terms of any subcontract or delegation, Vendor will remain responsible for the full performance of its obligations under this Security Policy. The terms and conditions of this Security Policy will be binding upon Vendor’s subcontractors and personnel. Vendor (a) will ensure that Vendor’s subcontractors and personnel comply with this Security Policy, and (b) will be responsible for all acts, omissions, negligence and misconduct of its subcontractors and personnel, including (as applicable) violation of any law, rule or regulation.
- Remote Access. Vendor will ensure that any access from outside protected corporate or production environments to systems holding Logitech Information or Vendor’s corporate or development workstation networks requires multi-factor authentication (e.g., requires at least two separate factors for identifying users).
- Vendor personnel. Logitech may condition access to Logitech Information by Vendor personnel on Vendor personnel’s execution and delivery to Logitech of individual nondisclosure agreements, the form of which is specified by Logitech. If required by Logitech, Logitech requests that Vendor’s personnel execute the individual nondisclosure agreement. Vendor will obtain and deliver to Logitech signed individual nondisclosure agreements from Vendor personnel that will have access to the Logitech Information (prior to granting access or providing information to the Vendor personnel). Vendor will also (a) provide that list of Vendor personnel who have accessed or received the Logitech Information to Logitech upon request within an agreed upon timeframe, and (b) notify Logitech no later than 24 hours after any specific individual Vendor personnel authorized to access Logitech Information in accordance with this Section: (y) no longer needs access to Logitech Information or (z) no longer qualifies as Vendor personnel (e.g., the personnel leaves Vendor’s employment).
2.2. Access to Logitech Extranet and Vendor Portals. Logitech may grant Vendor access to Logitech Information via web portals or other non-public websites or extranet services on Logitech’s or a third party’s website or system (each, an “Extranet”) for the Permitted Purpose. If Logitech permits Vendor to access any Logitech Information using an Extranet, Vendor must comply with the following requirements:
- Permitted Purpose. Vendor and its personnel will access the Extranet and access, collect, use, view, retrieve, download or store Logitech Information from the Extranet solely for the Permitted Purpose.
- Accounts. Vendor will ensure that Vendor personnel use only the Extranet account(s) designated for each individual by Logitech and will require Vendor personnel to keep their access credentials confidential.
- Systems. Vendor will access the Extranet only through computing or processing systems or applications running operating systems managed by Vendor and that include: (i) system network firewalls in accordance with Section 2.1(A) (Firewall); (ii) centralized patch management in compliance with Section 2.1(B) (Updates); (iii) operating system appropriate anti-malware software in accordance with Section 2.1(C) (Anti-malware); and (iv) for portable devices, full disk encryption.
- Restrictions. Except if approved in advance in writing by Logitech, Vendor will not download, mirror or permanently store any Logitech Information from any Extranet on any medium, including any machines, devices or servers.
- Account Termination. Vendor will terminate the account of each of Vendor’s personnel and notify Logitech no later than 24 hours after any specific Vendor personnel who has been authorized to access any Extranet (a) no longer needs access to Logitech Information, (b) no longer qualifies as Vendor personnel (e.g., the personnel leaves Vendor’s employment), or (c) no longer accesses Logitech information for 30 days or more.
- Third Party Systems.
- Vendor will give Logitech prior notice and obtain Logitech’s prior written approval before it uses any third-party system that stores or may otherwise have access to Logitech Information, unless (a) the data is encrypted in accordance with this Security Policy, and (b) the third-party system will not have access to the decryption key or unencrypted “plain text” versions of the data. Logitech reserves the right to require an Logitech security review (in accordance with Section 2.5 below) of the third-party system before giving approval.
- If Vendor uses any third-party systems that store or otherwise may access unencrypted Logitech Information, Vendor must perform a security review of the third-party systems and their security controls and will provide Logitech periodic reporting about the third-party system’s security controls in the format requested by Logitech (e.g., SAS 70, SSAE 16 or a successor report), or other recognized industry-standard report approved by Logitech.
2.3. Data Retention and Destruction.
- Retention. Vendor will retain Logitech Information only for the purpose of, and as long as is necessary for, the Permitted Purpose.
- Return or Deletion. Vendor will promptly (but within no more than 10 days after Logitech’s request) return to Logitech and permanently and securely delete all Logitech Information upon and in accordance with Logitech’s notice requiring return and/or deletion. Also, Vendor will permanently and securely delete all live (online or network accessible) instances of the Logitech Information within 90 days after the earlier of completion of the Permitted Purpose or termination or expiration of the Agreement, unless legally required to retain. If requested by Logitech, Vendor will certify in writing that all Logitech Information has been destroyed.
- Archival Copies. If Vendor is required by Law to retain archival copies of Logitech Information for tax or similar regulatory purposes, this archived Logitech Information must be stored in one of the following ways: as a “cold” or offline (i.e., not available for immediate or interactive use) backup stored in a physically secure facility; or encrypted, where the system hosting or storing the encrypted file(s) does not have access to a copy of the key(s) used for encryption.
- Recovery. If Vendor performs a “recovery” (i.e., reverting to a backup) for the purpose of disaster recovery, Vendor will have and maintain a process that ensures that all Logitech Information that is required to be deleted pursuant to the Agreement or this Security Policy will be re-deleted or overwritten from the recovered data in accordance with this Section 2.3 within 24 hours after recovery occurs. If Vendor performs a recovery for any purpose, no Logitech Information may be recovered to any third-party system or network without Logitech’s prior written approval. Logitech reserves the right to require an Logitech security review (in accordance with Section 2.5 below) of the third-party system or network before permitting recovery of any Logitech Information to any third-party system or network.
- Deletion Standards. All Logitech Information deleted by Vendor will be deleted in accordance with the NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitation December 18, 2014 (available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.Logitech), or such other standards Logitech may require based on the classification and sensitivity of the Logitech Information.
2.4. Forensic Destruction. Before disposing in any manner of any hardware, software, or any other media that contains, or has at any time contained, Logitech Information, Vendor will perform a complete forensic destruction of the hardware, software or other media so that none of the Logitech Information can be recovered or retrieved in any form. Vendor will perform forensic destruction in accordance with the standards Logitech may require based on the classification and sensitivity of the Logitech Information. Vendor shall provide certificate of destruction upon request from Logitech.
- Vendor will not sell, resell, donate, refurbish, or otherwise transfer (including any sale or transfer of any such hardware, software, or other media, any disposition in connection with any liquidation of Vendor’s business, or any other disposition) any hardware, software or other media that contains Logitech Information that has not been forensically destroyed by Vendor.
2.5. Security Review.
- Risk Assessment Questionnaire. Logitech requires all vendor to undergo a Vendor Risk Assessment, to be triggered by providing updated responses to Logitech’s risk assessment questionnaire, at the least on an annual basis, but may be more frequent based on the assessed risk of the vendor.
- Certification. Upon Logitech’s written request, Vendor will certify in writing to Logitech that it is in compliance with this Agreement.
- Other Reviews. Logitech reserves the right to periodically review the security of systems that Vendor uses to process Logitech Information. Vendor will reasonably cooperate and provide Logitech with all required information within a reasonable time frame but no more than 20 calendar days from the date of Logitech’s request.
- Remediation. If any security review identifies any noted deficiencies, Vendor will, at its sole cost and expense, take all actions necessary to address those deficiencies within an agreed upon timeframe.
2.6. Security Breach.
- Vendor will inform Logitech via firstname.lastname@example.org without undue delay (no longer than 24 hours) of Security Breach as defined by applicable law(s) (i) containing Logitech Information, or (ii) managed by Vendor with controls substantially similar to those protecting Logitech Information (each, a “Security Breach”). Vendor will remedy each Security Breach in a timely manner and provide Logitech written details regarding Vendor’s internal investigation regarding each Security Incident. Vendor agrees not to notify any regulatory authority, nor any customer, on behalf of Logitech unless Logitech specifically requests in writing that Vendor do so and Logitech reserves the right to review and approve the form and content of any notification before it is provided to any party. Vendor will reasonably cooperate and work together with Logitech to formulate and execute a plan to rectify all confirmed Security Incidents.
- Vendor will inform Logitech without undue delay (no longer than 24 hours) when Logitech Information is being sought in response to legal process or by applicable law.