Rockwell Automation implements, operates, and regularly maintains appropriate technical and organizational measures (TOMS) aligned to industry standards to protect Customer Personal Data. Customer acknowledges and agrees that Rockwell Automation reserves the right to modify these TOMS provided that the functionality and security are not materially degraded. Without limiting the generality of the foregoing, Rockwell Automation will at a minimum maintain its TOMS as set forth below. Where Customer purchases PLEX or Fiix Cloud Services, the additional security measures set forth in the PLEX and Fiix TOMS also apply, in addition to the General TOMS set forth below.
Information Security Governance. Rockwell Automation will maintain an Information Security Management System (ISMS) including information security policies, standards, and guidelines following industry best practices and industry standard security frameworks. Rockwell Automation has established an organization led by a senior leadership position (e.g. CISO) responsible for deployment and communication of the ISMS. Rockwell Automation has appointed one or more security officers responsible for coordinating and monitoring the rules and procedures related to information security.
Risk Management. Rockwell Automation performs an annual risk assessment in alignment with National Institute of Standards and Technology Cybersecurity Framework (NIST-CSF). Rockwell Automation assesses the design and operating effectiveness of internal controls against the established controls framework. Results from risk assessment activities are reviewed to prioritize mitigation of any identified risks.
Employee Management. Rockwell Automation conducts adequate pre-hire background checks on its employees as permitted by applicable law. Employees are required to sign confidentiality and non-disclosure agreements and are contractually obligated to follow a code of ethical conduct.
Training and Awareness. Rockwell Automation requires that all its employees and contractors complete annual security awareness training which is regularly maintained to include any changes in policies, standards, and threat or attack vectors. Additional security awareness and training (e.g. newsletters, phishing exercises, etc.) are deployed regularly.
Access Control. Rockwell Automation creates individual and unique identities for user and/or system accounts and prohibits the reuse, multi-purpose use, or sharing of identities. Identities no longer in use for any reason, including terminations, are subject to immediate disablement. Rockwell Automation uses reasonable, industry standard efforts to confirm that only authorized personnel can access facilities, systems, and information based on job responsibilities and a need-to-know/least privilege principle. All access requests are processed by authorized role owners and regular access reviews are completed so that access assignments remain relevant and accurate. Rockwell Automation further uses strong authentication methods (e.g. multi-factor) and extensive logging/monitoring of activities to protect remote access to privileged systems.
Physical and Environmental Security. Rockwell Automation protects its facilities and information systems against unauthorized physical access, damage, and theft by using appropriate perimeter, entry, monitoring, and environmental controls. Physical security controls deployed include, but are not limited to, entry/exit alarms, electronic badge and/or biometric access, and CCTV. Environmental controls deployed include, but are not limited to, temperature control, fire suppression, UPS, generators, and power/connectivity redundancy.
Operational Security. Rockwell Automation protects its network and information systems assets by using appropriate security devices, software, and controls. Network security controls include, but are not limited to, hardened firewalls, routers, switches with content and packet filtering, IDS/IPS, segmentation, and event logging/monitoring. Information system asset controls include, but are not limited to, hardened operating systems, next-gen anti-virus/anti-malware, host-based firewall, and full disk encryption. Event logs from network and information system devices are collected within a restricted enterprise security information and event management (SIEM) system and monitored by an authorized security operations center (SOC). Where Rockwell Automation personnel use Rockwell Automation workstations/laptops, Rockwell Automation is responsible for applying standard technical and organizational security controls. Where Rockwell Automation personnel use workstations from the Customer or access the Customer's network, system or infrastructure, Customer is responsible for applying Customer's standard technical and organizational security controls.
Change Management. Rockwell Automation change management policies, standards, and procedures have been established, are maintained, and are enforced to track and manage changes made to its operational environment(s).
Configuration Management. Rockwell Automation security hardening and baseline configuration policies, standards, and procedures based on industry-accepted standards have been established, are maintained, and are enforced appropriately.
Incident Management. Rockwell Automation incident management and response policies, standards, and procedures have been established, are maintained, and are followed for any occurring incidents. Rockwell Automation has identification, investigation, preservation, remediation, and communication procedures in place as deemed necessary and appropriate by the type of incident. Any incidents directly impacting or having the potential to impact Customer Personal Data will involve response actions detailed in section 10 of this Addendum.
Threat and Vulnerability Management. Rockwell Automation threat and vulnerability management policies, standards, and procedures have been established, are maintained, and are followed to continuously identify threats and remediate critical vulnerabilities. Appropriate vendor security updates and patches are applied to its information systems on a recurring monthly basis. Vulnerability scans are regularly performed to identify potential threats and/or risks and to apply appropriate risk mitigation.
Disaster Recovery and Business Continuity. Rockwell Automation maintains disaster recovery and business continuity policies, standards, and procedures to allow for the continuation and/or recovery of its critical business operations and services. Policies, standards, and procedures are reviewed, tested, and updated as necessary on an annual basis.
System and Software Development. Rockwell Automation follows a defined and secure software development lifecycle process. Authorized and role-trained employees are utilized to develop and maintain software. Secure coding, testing, and maintenance best practices include, but are not limited to, logged check in/check out of source code, version control, static/dynamic code analysis, code audits/reviews, vulnerability release management, and penetration testing when applicable. Rockwell Automation’s development processes and procedures are in alignment with industry accepted practices (e.g. OWASP, IEC 62443).
Third Party Management. Rockwell Automation assesses its subcontractors and other third parties for compliance with its information security requirements and confirms that any Approved Subcontractor complies with the TOMS set forth in this document.
PLEX & Fiix TOMS

| Physical Access Control | PLEX | FIIX |
|---|---|---|
| Rockwell Automation implements technical and organizational measures to prevent unauthorized persons from gaining access to the data Processing systems available in premises and facilities (including databases, application servers and related hardware), where Customer Personal Data are Processed, including: | | |
| a. Establishing security areas, restriction of access paths | x | x |
| b. Establishing access authorizations for employees and third parties | x | x |
| c. Access control system (ID reader, magnetic card, chip card) | x | x |
| d. Key management, card-keys procedures | x | x |
| e. Door locking (electric door openers etc.) | x | x |
| f. Security staff, janitors | x | x |
| g. Surveillance facilities, video/CCTV monitor, alarm system | x | x |
| h. Securing decentralized data Processing equipment and personal computers | x | x |

| Virtual Access Control | PLEX | FIIX |
|---|---|---|
| Technical and organizational measures to prevent data Processing systems from being used by unauthorized persons, including: | | |
| a. User identification and authentication procedures | x | x |
| b. ID/password security procedures (special characters, minimum length, change of password) | x | x |
| c. Automatic blocking (e.g., password or timeout) | x | x |
| d. Monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts | x | x |
| e. Encryption | x | x |

| Data Access Control | PLEX | FIIX |
|---|---|---|
| Technical and organizational measures so that persons entitled to use a data Processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, including: | | |
| a. Internal policies and procedures | x | x |
| b. Control authorization schemes | x | x |
| c. Differentiated access rights (profiles, roles, transactions and objects) | x | x |
| d. Monitoring and logging of accesses | x | x |
| e. Disciplinary action against employees who access personal data without authorization | x | x |
| f. Reports of access | x | x |
| g. Access procedure | x | x |
| h. Change procedure | x | x |
| i. Deletion procedure | x | x |
| j. Encryption | x | x |

| Disclosure Control | PLEX | FIIX |
|---|---|---|
| Technical and organizational measures so that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, including: | | |
| a. Logging | x | x |
| b. Transport security | x | x |
| c. Encryption | x | x |

| Entry Control | PLEX | FIIX |
|---|---|---|
| Technical and organizational measures to monitor whether data have been entered, changed or removed (deleted), and by whom, from data Processing systems, including: | | |
| a. Logging and reporting systems | x | x |
| b. Audit trails and documentation | x | x |

| Control of Instructions | PLEX | FIIX |
|---|---|---|
| Technical and organizational measures so that Personal Data are Processed solely in accordance with the Instructions of the Controller, including: | | |
| a. Unambiguous contract wording | x | x |
| b. Criteria for selecting Sub-Processors | x | x |

| Availability Control | PLEX | FIIX |
|---|---|---|
| Technical and organizational measures so that Personal Data are protected against accidental destruction or loss (physical/logical), including: | | |
| a. Backup procedures | x | x |
| b. Mirroring of hard disks | x | x |
| c. Uninterruptible power supply | x | x |
| d. Remote storage | x | x |
| e. Anti-virus/firewall systems | x | x |
| f. Disaster recovery plan | x | x |

| External Certifications/Audits | PLEX | FIIX |
|---|---|---|
| SOC1 | x | |
| SOC2 | x | x |
| ISO 27001 | x | x |