Item of Interest: Security Measures, Organisational and Technical Measures

Hi All

I was involved with creating a data processing agreement and the legal team
from the other party had created a useful list of Organisational and
Technical
Measures (as a check-list) that I thought would be interesting to compare to
the vocabulary. Hence I asked (and received) permission to post it here
(see below).
They asked to remain anonymous though:

rgds
rob

The Data Processor will, at a minimum, implement the following types of
security measures:


1. Physical access control

Technical and organizational measures to prevent unauthorized persons from
gaining access to the data processing systems available in premises and
facilities (including databases, application servers and related hardware),
where Personal Data are Processed, include:

   Establishing security areas, restriction of access paths;
   Establishing access authorizations for employees and third parties;
   Access control system (ID reader, magnetic card, chip card);
   Key management, card-keys procedures;
   Door locking (electric door openers etc.);
   Security staff, janitors;
   Surveillance facilities, video/CCTV monitor, alarm system; and
   Securing decentralized data processing equipment and personal computers.

2. Virtual access control

Technical and organizational measures to prevent data processing systems
from being used by unauthorized persons include:

   User identification and authentication procedures;
   ID/password security procedures (special characters, minimum length,
   change of password);
   Automatic blocking (e.g. password or timeout);
   Monitoring of break-in attempts and automatic turn-off of the user ID
   upon several erroneous password attempts;
   Creation of one master record per user, user-master data procedures per
   data processing environment; and
   Encryption of archived data media.

3. Data access control

Technical and organizational measures to ensure that persons entitled to
use a data processing system gain access only to such Personal Data in
accordance with their access rights, and that Personal Data cannot be read,
copied, modified or deleted without authorization, include:

   Internal policies and procedures based on known industry standards like
   ISO27kx, SOC2 or others;
   Control authorization schemes;
   Differentiated access rights (profiles, roles, transactions and objects);
   Monitoring and logging of accesses;
   Disciplinary action against employees who access Personal Data without
   authorization;
   Reports of access;
   Access procedure;
   Change procedure;
   Deletion procedure; and
   Encryption.

4. Disclosure control

Technical and organizational measures to ensure that Personal Data cannot
be read, copied, modified or deleted without authorization during
electronic transmission, transport or storage on storage media (manual or
electronic), and that it can be verified to which companies or other legal
entities Personal Data are disclosed, include:

   Encryption/tunneling;
   Logging; and
   Transport security.

5. Entry control

Technical and organizational measures to monitor whether Personal Data have
been entered, changed or removed (deleted), and by whom, from data
processing systems, include:

   Logging and reporting systems; and
   Audit trails and documentation.

6. Control of instructions

Technical and organizational measures to ensure that Personal Data are
Processed solely in accordance with the instructions of the Controller
include:

   Unambiguous wording of the contract;
   Formal commissioning (request form); and
   Criteria for selecting the Processor.

7. Availability control

Technical and organizational measures to ensure that Personal Data are
protected against accidental destruction or loss (physical/logical)
include:

   Backup procedures;
   Mirroring of hard disks (e.g. RAID technology);
   Uninterruptible power supply (UPS);
   Remote storage;
   Anti-virus/firewall systems; and
   Disaster recovery plan.

8. Separation control

Technical and organizational measures to ensure that Personal Data
collected for different purposes can be Processed separately include:

   Separation of databases;
   "Internal client" concept / limitation of use;
   Segregation of functions (production/testing); and
   Procedures for storage, amendment, deletion, transmission of data for
   different purposes.

9. Governance, risk and verification

A governance, compliance and risk management program, verified by an
independent, reputable third-party auditor, which program includes, at a
minimum:

   A risk-based program for all security decisions;
   Policies and procedures that cover the entire process for the realization
   of the services provided to Data Controller under the Agreement;
   An internal and/or external audit program to verify the implementation
   and effectiveness of the company controls at a regular cadence; and
   A vulnerability management program for all technical assets used in the
   realization of the services provided to Data Controller under the
   Agreement.

 End of document


Received on Wednesday, 17 April 2019 14:20:26 UTC
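The "virtual access control" and "entry control" items in the forwarded checklist, worked into code as an added example (this is editorial example code, not part of Rob's post or the anonymous legal team's document): a small authentication gate that enforces ID/password rules (minimum length, special character, change of password after an assumed age), blocks the user ID automatically after several wrong passwords, keeps one master record per user, and writes every attempt to an audit trail. All thresholds, class and function names are this example's own assumptions; the agreement text names the controls but gives no figures.

```python
"""Added example (not from the posted checklist): a minimal authentication gate
implementing the checklist's "virtual access control" items in code:
ID/password rules (minimum length, special character, password age),
automatic blocking of the user ID after several wrong passwords, one master
record per user, and a log of every attempt (the "entry control" audit trail).
Thresholds and names below are this example's own assumptions."""
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass

# Policy parameters: assumed values, not figures from the agreement.
MIN_LENGTH = 12
MAX_FAILURES = 5                   # block the user ID on the fifth wrong password
LOCKOUT_SECONDS = 15 * 60          # automatic unblock after 15 minutes
MAX_PASSWORD_AGE = 90 * 24 * 3600  # force a change of password after 90 days
PBKDF2_ROUNDS = 100_000


def check_password_policy(password: str) -> list:
    """Return the list of policy rules a candidate password violates (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; the stored record never holds the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class UserRecord:
    """One master record per user, holding the data the access checks need."""
    user_id: str
    salt: bytes
    digest: bytes
    password_set_at: float
    failures: int = 0
    locked_until: float = 0.0


class AccessControl:
    def __init__(self, clock=time.time):
        self.users = {}
        self.audit = []        # (timestamp, user_id, event, detail) for every attempt
        self.clock = clock     # injectable so lockout and expiry can be tested

    def _log(self, user_id, event, detail=""):
        self.audit.append((self.clock(), user_id, event, detail))

    def create_user(self, user_id: str, password: str) -> None:
        if user_id in self.users:
            raise ValueError("only one master record per user is allowed")
        problems = check_password_policy(password)
        if problems:
            raise ValueError("password policy: " + "; ".join(problems))
        salt = os.urandom(16)
        self.users[user_id] = UserRecord(user_id, salt, hash_password(password, salt), self.clock())
        self._log(user_id, "user_created")

    def login(self, user_id: str, password: str) -> str:
        """Return 'ok', 'denied', 'locked' or 'password_change_required'."""
        now = self.clock()
        user = self.users.get(user_id)
        if user is None:
            hash_password(password, b"\0" * 16)    # same cost for unknown IDs
            self._log(user_id, "login_failed", "unknown user")
            return "denied"
        if user.locked_until > now:
            self._log(user_id, "login_blocked", "user ID locked")
            return "locked"
        if user.locked_until:                       # lockout has expired: fresh count
            user.locked_until, user.failures = 0.0, 0
        if not hmac.compare_digest(hash_password(password, user.salt), user.digest):
            user.failures += 1
            if user.failures >= MAX_FAILURES:
                user.locked_until = now + LOCKOUT_SECONDS
                self._log(user_id, "locked_out", f"{user.failures} wrong passwords")
                return "locked"
            self._log(user_id, "login_failed", f"wrong password #{user.failures}")
            return "denied"
        user.failures = 0
        if now - user.password_set_at > MAX_PASSWORD_AGE:
            self._log(user_id, "password_expired")
            return "password_change_required"
        self._log(user_id, "login_ok")
        return "ok"
```

The clock is injected so the lockout window and password age can be exercised without waiting; the audit list is what a reporting system would read to answer the entry-control question of who attempted what, and when.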