Custom-Code Standard Operating Procedure

Background

THOR (including THOR Industries, Inc. and its subsidiary companies) engages suppliers to create custom-code applications such as web sites and mobile apps.  THOR has vulnerability management processes to test applications, but this testing is often done after the code is accepted and deployed.  When post-deployment testing exposes issues, remediation occurs at the most expensive part of the development cycle.  By this time the warranty period is often expired.  In these cases, THOR is charged for time and materials to fix the application.

The intent of this Standard Operating Procedure (SOP) is to communicate our minimum standards to suppliers, to ensure that suppliers deliver secure code. Suppliers will use industry-standard testing mechanisms and provide THOR with the results.

The scope of this SOP is all custom-code applications which will Process Personal Data.  We use the EU’s definition of Processing and Personal Data:

· Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

· Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person