General Statement

Declaration of compliance with the EU Digital Operational Resilience Act (DORA)

We are pleased to confirm that baseVISION complies with the EU Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554. This regulation strengthens the digital operational resilience of financial entities and sets requirements for the ICT third-party service providers they rely on. Compliance with it is an essential part of our commitment to the highest standards of ICT security and operational integrity.

As part of our compliance measures, we have implemented a robust ICT risk management framework, conducted comprehensive digital operational resilience testing, and established strict mechanisms for monitoring and reporting ICT-related incidents. Furthermore, we ensure that all third-party ICT service providers we work with meet the contractual requirements and control standards that DORA requires.

Our compliance with DORA not only strengthens our ability to withstand disruptions but also underscores our commitment to providing our customers with secure and reliable services.

For more information about our compliance measures and how we protect your digital operations, please contact our CISO (ciso@basevision.ch).

Statement on “Chapter V, Management of ICT Third-Party Risks”

baseVISION has implemented and certified an ISO/IEC 27001 Information Security Management System (ISMS), which is reviewed annually through internal and external audits. The ISMS covers the entire company with no exclusions from its scope and is continuously extended to meet the requirements of DORA.

Management Commitment

The board is committed to maintaining high security standards and continuously monitors, measures, and supports improvements to ensure this level is maintained. Key commitments, roles, and responsibilities are clearly defined, implemented, and integrated into our services.
We have established a robust risk management framework, overseen by the Chief Information Security Officer (CISO) and reviewed and approved by the board at least annually. Our policy describes the risk management system and mandates regular risk assessments of existing assets to identify potential risks and take appropriate measures.

Essential Contractual Provisions

Each of our services is defined by a detailed service description or a Statement of Work (SOW), depending on the service. Service descriptions are used for long-term services such as SOC services. These form part of the SOC contract framework, which also includes supporting information such as the list of our third-party providers (subcontractors), the Data Processing Addendum (“ADV”, Auftragsverarbeitungsvertrag), and the “Technical and Organizational Measures” that protect the data. We inform customers of any service changes that require updates to the contract documents.

With the customer’s written consent, we share contract documents with the approved authorities. Customers must notify baseVISION before forwarding documents to third parties that are not named in the service contract or Statement of Work.

Commitment

We guarantee support in the event of an ICT security incident at your financial institution that relates to our services. Response times, duration, and fees are defined in the contract.

Audits

We conduct at least two ISMS audits per calendar year. An independent external party audits baseVISION’s ISMS to review it and prepare for the audit by the certification body. The entire company is covered by the ISMS certification, with no exclusions from the controls. More information, including the latest certificate, is available on our website. baseVISION grants customers the right to audit in accordance with the contractual agreements or the General Terms and Conditions published on our website. Contact the CISO for more information.

Incident Handling

We have implemented incident handling processes as part of our own Security Operations Center (SOC). The SOC performs the initial analysis of security incidents and informs or escalates according to the predefined escalation process. Depending on the situation, the SOC hands the incident to our incident management team for further analysis or notifies the Chief Information Security Officer (CISO).
In the event of a critical security incident that endangers customer data, baseVISION informs the affected customers through the agreed communication channel and in the agreed format.

Penetration Testing / Assessments

At baseVISION, we conduct regular internal and external penetration tests to identify vulnerabilities in our systems. We inform our management about the types of tests conducted and provide a summary of the results and the mitigation measures taken. This approach reflects our commitment to continuous improvement, proactive risk management, and the protection of sensitive data and devices.

Vulnerability / Patch Management

We ensure that operating systems, their components, and application software are patched regularly. This proactive approach reduces our exposure to known vulnerabilities and keeps our systems and data protected. Our Security Operations Center (SOC) conducts monthly threat analyses to identify potential risks early and reports the results to the CIO and the CISO.

Awareness

At baseVISION, all new employees must complete cybersecurity training within their first weeks of employment, and all employees repeat this training annually. The training covers essential topics such as confidentiality, data protection, data security, governance, and the secure use of tools, so that everyone is well informed and prepared to maintain the highest security standards within the organization.

Insolvency, Liquidation, Cessation, and Termination

We deliver our services within the customer’s own Microsoft Azure tenant, so the data remains in the customer’s infrastructure and under the customer’s control. Data that we hold temporarily to generate reports is placed in the customer’s infrastructure once the reports are created.