Privacy. CAST, as the operator of the Services, will collect and have access to Client Data. Client has sole responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Client Data. Client grants CAST a limited, non-exclusive, non-transferable (except in connection with permitted assignment under this Contract), non-sublicensable right to host the Client Data solely for the purposes of operating the Services for the benefit of Client pursuant to the terms and conditions of this Contract. Client Data means information collected and mined from, submitted by, or entered by CAST or Client. Client Data shall also include the semantic data and outputs generated by Client using the Services hereunder. CAST may only disclose Client Data if and when required by law and only if it provided prior written notice to Client as soon as reasonably practicable.

Password. Client is responsible for maintaining the confidentiality of its user identifications and passwords, and Client agrees that CAST has no liability with regard to the use of such user identifications or passwords by third parties. Each party agrees to notify the other party in writing immediately if it has any reason to believe that the security of Client’s account has been compromised or if Services have been accessed by unauthorized users. In such event, CAST will promptly correct such occurrence.


Roles and responsibilities
1. Security falls within CAST’s IT Organization domain.
2. Specific content of the policy is shared by the appropriate domain: CFO, Internal IT, Product Organization, Consulting and Operations
3. Security is a function managed by the Group IT Director
4. Formal submissions and approvals are managed by the Group IT Director
5. All changes in infrastructure must be validated and approved by the Group IT Director and the appropriate Functional Executive.
6. Security processes are formally reviewed annually and changes may be applied at any time during the year to accommodate specific operational requirements

Identification and Authentication
1. Each CAST employee gets a unique account needed to connect to the CAST network
2. Users do not share their ID
3. Unless it is required by specific software, generic accounts are prohibited. If generic accounts must be used, their default password is replaced by a strong password
4. Each account creation request must be completed by the manager of the new employee using the “Profile Creation” form. The manager must provide all required pieces of information (start date, employee position, required access, specific pieces of information linked to his/her position, profile). The list of rights linked to the requested profile is sent back to the manager who must validate it before the request is sent to IT. A copy of the request and of the creation confirmation is sent to Human Resources and saved
5. Use of password is enforced
6. Passwords are encrypted in transit and in storage
7. Passwords must not be shared
8. CAST employees are instructed not to write down passwords
9. Password detection tests are conducted regularly
10. Three consecutive failed login attempts will lock the account. The account will be unlocked by IT on receipt of a request from the user and is recorded
11. The new account password is sent to the new employee’s manager. It must be changed during the initial connection and comply with the following rules:
a. Passwords must be changed every three months,
b. Passwords must be at least eight characters in length,
c. Passwords must contain special characters and mix upper and lower case alphanumeric characters and/or alphanumeric and numeric characters,
d. The five previous passwords cannot be used,
e. Passwords must not match or contain the word “password” or contain anything pertaining to the employee’s name

Contractors and non-employees authentication
1. Accounts assigned to contractors, partners or any non CAST personnel are subject to CAST identification and authentication rules.
2. Furthermore, account creation request for non CAST personnel must specify the end date of the contractor’s mission. Each request to extend the contractor’s account must be done through a new account creation request
3. A contractor’s account is easily identifiable as used by a non CAST personnel

Worker status change / termination
1. Each employee or contractor status change must be reported to IT by his/her manager and specify the explicit list of resources to which the user must have access. The user’s access will be reset to this list
2. When an employee or a contractor leaves CAST his termination must be notified before the termination date through the “Profile Cancelation” form.
3. The user’s account is deactivated on the day of his departure
4. The computer, telephone and any other equipment used by the employee/contractor during his mission at CAST must be identified and returned to IT by his/her manager
5. The user’s account is not deleted but deactivated and removed from all security or distribution groups. Any access accounts not managed by the CAST Corporate directory (for example, Blackberry account) are deleted.
6. Unused accounts are deleted after 2 months of inactivity
7. Each month, Human Resources will provide IT with the list of people that have left CAST

Security Audit Logging and System Access Control
1. When feasible, all Production hardware and software systems log the following security events:
a. Connections,
b. Failed connections,
c. Attempts to access unauthorized data
2. The following information is logged:
a. Account login,
b. Date and hour of logged action,
c. Source of logged action
3. Logs are reviewed as part of the daily administration tasks and are recorded for six months
4. System Administration access to IT resources and records is limited to IT staff and logged

Physical security – CAST offices
1. Access to CAST offices is restricted to CAST staff only.
2. All non-CAST personnel are regarded as visitors
3. Visitors invited by CAST personnel must be pre-registered with the CAST reception desk. Clear indication of date, time and purpose of the visit must be registered in the visitors log and will be approved by the central Finance & Administration department
4. All visitors are required to register in the visitors log at the reception desk stating their name, company name, time entered and time of departure; CAST staff to be visited and signature. Personal ID must be shown to the CAST reception to validate.
5. All visitors must be escorted by CAST staff at all times, from the moment of entrance to the moment of departure
6. All visitors must register their laptop at the reception desk with the serial number; upon departure, visitors are notified of the fact that their bags may be checked to verify content
7. The Finance & Administration department reviews the list of visitors with the Corporate Security Officer on a bi-monthly basis
8. CAST personnel can obtain a key to the building as well as the alarm code for out-of-hours work. The alarm code is managed by the CAST security officer. CAST senior management must approve this based on objective evidence that access to the building is required outside normal business working hours

Physical security – CAST Server rooms
1. CAST Server rooms are accessible by Corporate IT staff only
2. Access is granted and approved by the CAST Security officer.
3. CAST Server rooms are a secure environment accessed via a pin-code and key
4. The server room holds several UPS to protect data loss in the event of power failures
5. All server rooms are climate controlled
6. Regular checks are performed to validate the status of the server rooms
7. All software is stored physically in the Server room

1. Confidential information, including human perceptible form documents, is covered under the non-disclosure agreements in place with all CAST clients
2. All relevant CAST personnel are required to familiarize themselves with the terms of the appropriate NDA and confirm what information is to be treated as confidential prior to sharing anything with external persons or companies
3. All CAST documents are required to be tagged with “Confidential”, “Proprietary” or similar legend indicators in the footer of each page; this is required for each client communication where a non-disclosure agreement is in place

Classification and security of sensitive information
1. Access to Information handled by CAST is compelled depending on its classification (Public, Private, or Confidential)
2. Information is determined to be Public when it can be accessed without authentication (CAST official website, blog, …)
3. Information that is accessed by Customers and Partners and protected by individual account and password is determined to be Private (extranet, support requests, ftp, dashboards)
4. All other Corporate or customer information is considered as Confidential
5. Public and Private information is shared in distinct DMZ segregated from internal networks by firewall
6. Only Public or Private Information can be shared with customers or partners. Access to Confidential information may be granted to CAST personnel only.

Classification and security of customer data
1. All customer data received by CAST must be treated with the highest confidentiality levels
2. All customer data received by CAST is stored in a single place, explicitly identified at the beginning of the mission
3. Customer data is deleted when the mission ends
4. Unless requested by the customer and contractually agreed, Analysis and Dashboard platforms can be shared by different customer Analysis projects
5. Internal and client specific information is managed under a separate need to know process
6. Information created for and received from clients such as technical documents and source code are marked Strictly Confidential between client and CAST.
7. Access to customer data is restricted to specific employees working on the project
8. Analysis and Dashboard platforms hosting customer data do not share IP subnets with other networks
9. Access to data produced by analysis (dashboards) is strictly reserved to the customer whose data has been analyzed and protected by a unique account and password

Remote access to CAST Corporate network
1. Remote access to CAST Confidential Information is reserved to laptops owned by CAST and through the CAST VPN client.
2. Remote access to CAST Confidential Information cannot be granted to non CAST computers
3. Remote access to CAST Confidential Information must have been authorized by the employee’s manager and validated by IT
4. Roaming VPN connections (non site to site) are logged and recorded. Failed connection attempts generate alerts analyzed by the IT
5. Remote access by CAST personnel to his/her mailbox is the only action that is expressly allowed outside an encrypted VPN tunnel
6. Access to Public data is the only action that allows the use of anonymous connections
7. Remote access to FTP servers is carried out in blind mode
8. Remote access to Private Data is protected by an individual login/password. Accounts can only be requested by CAST personnel, and requests are recorded.
9. Expiration notice of accounts created to access Private Information depends on the data being accessed. For example, it can vary from one day for FTP access, to the agreed term of the contract for dashboard access. Access is automatically revoked when the mission ends

Information and Data backup
1. Backup of Data is covered by the policy
2. Data is backed up daily and automatically on tape libraries
3. Tests are performed regularly to determine successful backup of data
4. Access to backup media is restricted to authorized personnel only
5. Tape retention is 30 days
6. A full tape set is stored off Site on a weekly basis
7. Non Production Data (Dev, Projects) backup is requested by the Project Manager in his initial resources request for the project and added by IT to backup procedures
8. Customer data is not saved within CAST Corporate backup procedures
9. In order to preserve customer information confidentiality, customer information is never saved on removable media
10. Customer data is automatically saved on dedicated servers. Access is limited to IT. Data retention is set to seven days.
11. Information produced by Customer Data analysis is stored during the term of the contractual mission

Business Continuity Procedures
1. Critical data is hosted on CAST storage virtualized platforms (San) implementing high availability mechanisms
2. Critical servers are hosted on CAST hypervisors implementing high availability mechanisms
3. Snapshots of Critical servers are copied to Off Site disks. Access is limited to IT
4. Critical data disk to disk backup is carried out and automatically copied to Off Site disks. Access is limited to IT
5. CAST does not have Work Area Recovery capability

Wireless network access
1. Wireless access points are deployed in a meshed network.
2. The wireless network segment is fire-walled from the rest of the network.
3. Wireless connections are authenticated.
4. Wireless connections are encrypted.

1. Sensitive information is encrypted upon request.
2. Encryption covers emails and files in storage or in transit

Security Policy Monitoring and roll-out
1. The assistant CAST security officer will perform a regular check with randomly selected personnel to verify:
a. All information is tagged
b. No data is removed or changed
c. All data is transferred via HTTPS protocols
d. Source code delivery locations in CAST infrastructure
e. VPN traffic
f. Updated virus checks
g. Logging of changes to the pin code of the server room
h. All asset changes are properly registered
i. Common file servers do not contain any private information
2. Each new CAST employee will be made aware of the security policy via a mandatory training session that covers
a. Password policy,
b. Workstation lock,
c. Data backup,
d. VPN usage,
e. Internet acceptable use,
f. E-mail acceptable use
g. Private data identification,
h. Monitoring done through proxy
3. Any new update is reviewed by senior management and communicated to all CAST staff globally. Printed copies are available in all CAST offices; at least one per office location is required and is included in the Company’s Policy and Procedures Manual.
4. When an employee is in breach of the CAST Security Policy, the following action will be taken:
a. First occurrence: the employee will receive a written warning,
b. Second occurrence: the employee will be placed on probation,
c. Third occurrence: the employee’s contract of employment will be terminated

Location and use of hardware assets
1. All CAST assets are properly tagged and registered by Corporate IT; primary assets are all desktop systems, laptops and CAST servers. Secondary assets are registered and tagged additionally.
2. Change of assets requires a formal application to the Corporate IT Director or CFO, and requires prior approval of senior line management
3. Physical change of assets can be handled only by Corporate IT and is logged by that function.

Virus countermeasures
1. All CAST laptops, desktops and servers are automatically installed and updated with the corporate anti-virus software and automatically updated with the latest updated virus definitions when they connect to the CAST network
2. Email and file server are installed with a dedicated anti-virus software and automatically updated with the latest updated virus definitions
3. Roaming laptops not regularly connected to CAST network are automatically updated through a local component when they connect to the internet
4. Computers on which the corporate anti-virus is not installed cannot connect to the CAST network
5. A list of non updated computers is generated each week and analyzed and corrected by IT staff
6. Anti-virus services are password protected and cannot be deactivated or configured by users
7. Automatic virus scans are launched on laptops, desktops and file servers
8. All incoming and outgoing mail traffic is subject to spam and virus checking on a dedicated email gateway before being delivered
9. Emails detected as spam are quarantined waiting to be deleted or freed by their recipient
10. Emails detected as containing viruses are cleaned and delivered to their recipient or deleted when they cannot be cleaned
11. Internet access is protected against threats and intrusion detections are automatically performed via our firewalls

Update and Patch Management
1. Security Updates and patches are managed by a centralized tool,
2. Security Updates and minor patches are automatically pushed to and installed on workstations and laptops,
3. Users are requested to restart their computer when security updates or patches have been installed on their computer,
4. Major patches (service packs) are tested in a dedicated environment before being installed
5. Security Updates and patches are automatically pushed to Production servers, but not installed,
6. Security updates and patches are installed manually on Production servers,
7. A report of installed / non installed Security Updates and patches is automatically generated weekly for analysis / change by IT

Applications and network management
1. Critical applications, servers, and network components are monitored through dedicated probes that monitor their state, performance, and behavior,
2. All errors or significant modification raised by probes are automatically reported to IT for analysis and / or correction

Network connectivity
3. All external connections from/to CAST network traverse a firewall
4. All external connections are logged on the firewall. Logs are analyzed daily as part of the daily administration tasks and recorded for six months. Logs can only be viewed by authorized personnel.
5. Rules granting incoming/outgoing access are defined by exception to the rule prohibiting all incoming/outgoing access
6. Each firewall rule is documented. For each rule, IT must be able to quickly identify:
a. The creation date of the rule,
b. The origin of the request,
c. The project served by the rule,
d. The duration of the rule
7. Incoming rules must explicitly identify flows by their origin, their destination and opened port
8. CAST firewalls include Intrusion Detection Systems and Intrusion Prevention Systems (network type)

Network Security
1. Production servers do not share IP subnet ranges with other networks
2. Production systems and networking equipment are enclosed in a locked room
3. Every connection to an external network is terminated at a firewall
4. Boundary devices are configured to use authentication
5. Critical network segments are isolated
6. Network devices are regularly monitored for compliance to security requirements
7. An approval process is in place prior to implementing or installing a network device
8. The network on which internet facing systems reside is segregated from the internal network
9. DMZ is limited to only those servers that require access from the internet (web servers, FTP servers)
10. Internal systems and users are required to pass through a content filtering proxy prior to accessing the internet

Network Security Architecture
1. CAST IT has established and maintains a network architecture that includes security for both network components and connected IT systems (see network diagrams in appendix)

System Control
1. CAST employees must not install or update the operating system or any software installed on their computer without the authorization of IT
2. CAST employees must not sign any contract, start any internal contract or make any commitment that would require modifications to the CAST Information System and/or involve its security
3. Operating System services that are not required by applications installed on a server are stopped and placed in “Manual State”
4. Each system change must be analyzed and accepted by IT before being implemented. Change requests, decisions and associated documents must be identified, commented and recorded
5. Security tests are carried out in a dedicated environment for each system or software installation or upgrade that has a potential impact on CAST Information System security. These tests are carried out by IT and must be approved before any modification to the Production environment

Internal audits and penetration tests
1. Penetration tests and vulnerability scans are undertaken annually to ensure continued compliance to CAST security rules and that an acceptable level of risk is maintained
2. Tests are conducted by independent specialized companies and follow a test plan that has been approved by IT
3. The test plan and relevant audit actions must at least check the following:
a. Compliance of passwords to security policy,
b. Status of computers security updates,
c. Protection of computers against known security threats,
d. Analysis of firewall security rules,
e. Access authorizations between DMZ and local networks,
f. Software updates on servers in DMZ,
g. Security of VPN access,
h. Access to exposed servers (FTP, Web, extranet, …)
4. A test report provided to IT will mention the exhaustive list of accomplished tests with their result, and if any, changes or corrections to apply.
5. Results must be ranked by their criticality. Items identified as critical for the security must be analyzed and managed immediately
6. Changes must be recorded and reported to CAST management

Customer Data disposal
(customer data removal on request from the customer or at the end of the project)
1. Information received from a customer as part of a contractual project only passes through file transfer servers and is automatically moved to the Analysis Server explicitly elected for the project
2. At the end of the project, information received from the customer is deleted from CAST servers by the Project Manager. Data produced by the Analysis is archived and deleted from CAST servers
3. Electronic data is wiped using secure destruction tools
4. Printed data is destroyed through shredding

Acceptable Use of Internal Resources
CAST employees and contractors must not:
1. Use computing resources for personal usage
2. Use Corporate resources for mass mailing or junk mail purposes
3. Use Corporate resources for distributing, downloading or sharing [illegal] content/data
4. Violate any anti-piracy laws or use improperly licensed software
5. Use any personal electronic devices or computers to connect to the CAST network
6. Use any Peer-to-Peer sharing software or VPN
7. Publish internal resources or data
8. Install any servers or services (DHCP, DNS, FTP, …)
9. Make massive use of computing resources that impacts performance
10. Use any Denial of Service attacks against CAST resources
11. Use someone else’s account
12. Provide or publish private information about the CAST Infrastructure System
13. Provide improperly registered CAST licenses
14. Provide, share or use CAST customers’ source code