Security requirements for external entities – moderate level of data vulnerability

At CD PROJEKT, we pay special attention to the security of the information we share.
For this reason, we recommend that the external entities we work with meet certain
security requirements.

We have specified three levels of security requirements depending on the criticality of
the data we entrust.

For each level of data vulnerability, our contractors should meet specific security
requirements in the areas of procedures, physical security, incident response,
continuity of operations, data security, infrastructure security, access and identity
management.

Security requirements for the CDPR’s moderate level of data
vulnerability

1. Procedures
1.1. The contractor should possess and observe management rules governing use
of mobile devices, along with security measures related to mobile devices
which are used to process CDPR data.
1.2. All of the contractor’s employees, as well, as – in justifiable cases – the
contractor’s business partners, should undergo security awareness training
and be regularly informed of the organisational principles and procedures,
depending on their specific function.
1.3. The contractor should possess and observe management rules governing use
of portable data carriers.
1.4. Prior to initiating collaboration with an external entity which involves granting
access to any CDPR data thereto, the contractor should make sure that the
relevant entity has obtained clearance from CDPR to access CDPR data.

2. Physical security
2.1. The contractor should deploy physical security systems (e.g. locks, CCTV
cameras, card readers, alarm systems) around areas where CDPR data is
processed.
2.2. All physical resources used to process CDPR data (such as external hard
drives and printouts) should be stored at a secure location.
2.3. The contractor should maintain a logbook of guests entering areas where
CDPR data is processed.
2.4. Guests entering areas where CDPR data is processed should at all times be
accompanied by a representative of the contractor.

3. Incident response
3.1. The contractor should appoint a person responsible for key aspects of
security, and provide that person’s contact details to CDPR.
3.2. Any security incident which may potentially involve CDPR data should be
immediately reported to security@cdprojektred.com.

4. Data security
4.1. The contractor should identify IT resources used to process CDPR data, and
maintain a list thereof. All such resources should have assigned owners,
responsible for their proper and secure operation.
4.2. The hardware and software used to process CDPR data should receive
regular security updates. The contractor should perform ongoing monitoring of
the availability of security updates for each component of its hardware and
software infrastructure.
4.3. Access to CDPR data must be restricted to persons who have been tasked
with processing such data by the contractor.
4.4. Each individual tasked with processing CDPR data should be covered by a
valid non-disclosure agreement with the contractor.
4.5. The contractor should have a valid non-disclosure agreement with CDPR.
4.6. The contractor should deploy malware protection measures (detection,
prevention, recovery); in particular, the contractor should regularly create
backup copies on separate media.
4.7. The contractor should ensure permanent protection of CDPR data through
encryption, both at rest and in transit.
4.8. The contractor should only transfer CDPR data in an encrypted form, or
transfer it using encrypted channels (e.g. VPN).

5. Infrastructure security
5.1. The contractor should employ network connectivity based on minimum
entitlements, in accordance with the zero-trust policy, and ensure network
segmentation (e.g. VLAN) or physical separation of network resources.
5.2. Remote access to the contractor’s intranet where CDPR data is processed
should be limited in scope and restricted to VPN which implements two-factor
authentication.

6. Access and identity management
6.1. IT systems where CDPR data is processed should be secured with individual
user logins and passwords.
6.2. Each user should only be able to access the specific CDPR data which they
require (resource segmentation and access management based on the
need-to-know principle).
6.3. The contractor should grant and modify user access on the fly, depending on
existing requirements (recruitment/dismissal/reassignment of employees, or
change in the scope of employment).

Download PDF