Secure Development and Hosting

Websites must be available, reliable and secure. Bayer must therefore take all necessary steps to ensure the security and integrity of the information it distributes on its websites. This means that:

  • The website must be protected against being “hacked”, i.e. against its content or data being compromised by third parties.

  • Visitors to a website are not at risk simply by visiting it.

  • Business interests are not compromised by unreliable hosting.

 

As detailed in the procedure "Web Hosting" (Bayer intranet only), websites must be developed by Certified Development Agencies. Websites must either be hosted on Bayer's own infrastructure or with one of the approved hosting providers. Any exception to these requirements must be agreed through the exception request described in that procedure.

 

When working with an external partner for either the development or the hosting of a website, you must ensure that the agency or provider agrees to at least the following:

 

 

Every Bayer website must have a named technical contact, the “webmaster”, who is responsible for its development and who coordinates with the security officers to facilitate security scans and to respond in the event of a threat. The administrative details of all Bayer websites must be managed in MIRA (Bayer intranet only).

 

Approved hosting providers

The Procurement Department maintains a list of approved hosting providers. All of these providers have signed general contracts ensuring that the services they provide meet Bayer's requirements for secure hosting. Using an approved hosting provider is generally quicker and cheaper than using a non-approved one, because the necessary checks have already taken place. Note, however, that any website not hosted on Bayer’s own infrastructure still requires an exception as described above.

 

Approved hosting providers (Bayer intranet only)

 

Content Delivery Network

A content delivery network (CDN) consists of a large number of external web servers distributed around the world that cache website content and serve it to visitors from the nearest location. The CDN adds several layers of security to our websites:

 

  1. The network itself shields Bayer websites from DDoS (distributed denial of service) attacks, because attack traffic is absorbed across the CDN's capacity instead of reaching the origin servers.

  2. Websites hosted on a standard content management system have an additional layer of protection called "Site Shield". This ensures that only Akamai servers talk to Bayer’s servers and vice versa: the origin accepts connections only from Akamai's published Site Shield address ranges, so direct attacks on the Bayer servers themselves are blocked. This protection depends on the origin actually enforcing that allowlist and on the origin address not being exposed elsewhere.

  3. A managed service team runs a Web Application Firewall (WAF) in close collaboration with the Bayer security teams (CCDC). The firewall offers additional defense against web application attacks such as:

    • Malicious file execution, where attackers exploit a remote file inclusion vulnerability in the application to load hostile code or data into it.

    • SQL injection, where crafted input is turned into unintended database queries that read, modify or overload the database behind the web application.

    • Cross-site scripting (XSS), where attackers inject scripts that run in the victim's browser in the context of the site, with that user's session and privileges.

    • Non-HTTP/HTTPS attacks, since the CDN only forwards web traffic to the origin.
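The "Site Shield" item above describes the origin only accepting connections from the CDN. The following added example (not Bayer's or Akamai's own code) shows what that enforcement looks like on the origin side, and a related check that practitioners often get wrong behind a CDN: the client address in X-Forwarded-For may only be trusted when the connection itself came from a CDN edge. The CIDR ranges, the `Request` structure and the `handle` function are assumptions for illustration; the ranges are RFC 5737/3849 documentation addresses, not Akamai's real Site Shield map.

```python
"""Origin-side enforcement of a Site Shield style allowlist (illustrative example).

Added example; the CDN ranges below are constructed placeholders
(documentation prefixes), not the CDN provider's real address map.
"""
import ipaddress
from dataclasses import dataclass, field

# Hypothetical CDN edge ranges. In practice this list is taken from the
# provider's published Site Shield map and kept current.
CDN_RANGES = [
    ipaddress.ip_network(n)
    for n in ("192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32")
]


def is_cdn_edge(peer_ip: str) -> bool:
    """True if the TCP peer address belongs to one of the allowlisted CDN ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CDN_RANGES)


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request as the origin sees it."""
    peer_ip: str                       # address of the TCP peer (edge or direct client)
    headers: dict = field(default_factory=dict)


def client_ip(req: Request) -> str:
    """Determine the real client address.

    X-Forwarded-For is only trusted when the connection came from a CDN edge.
    The edge appends the address it saw, so with one trusted hop the rightmost
    entry is the one the CDN added; anything to its left was client-supplied.
    A direct connection, or a malformed header, falls back to the peer address.
    """
    if is_cdn_edge(req.peer_ip):
        xff = req.headers.get("X-Forwarded-For", "")
        if xff:
            last = xff.split(",")[-1].strip()
            try:
                return str(ipaddress.ip_address(last))
            except ValueError:
                pass  # garbage in the header: do not trust it
    return req.peer_ip


def handle(req: Request) -> tuple:
    """Origin request handler: refuse anything that did not arrive via the CDN."""
    if not is_cdn_edge(req.peer_ip):
        # Site Shield in effect: direct hits on the origin are rejected.
        return (403, "direct origin access denied")
    return (200, "hello " + client_ip(req))


if __name__ == "__main__":
    # Constructed sample traffic: one request via the CDN, one direct.
    via_cdn = Request("192.0.2.10", {"X-Forwarded-For": "10.0.0.1, 203.0.113.5"})
    direct = Request("203.0.113.5", {"X-Forwarded-For": "192.0.2.10"})
    print(handle(via_cdn))  # (200, 'hello 203.0.113.5')
    print(handle(direct))   # (403, 'direct origin access denied')
```

In a real deployment the allowlist is enforced at the network layer (firewall or security group in front of the origin) as well as in the application, and the range list is refreshed whenever the CDN provider updates its Site Shield map, otherwise legitimate edge traffic starts being refused.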