- From: Rob Brennan <rob.brennan@dcu.ie>
- Date: Wed, 17 Apr 2019 15:18:50 +0100
- To: public-dpvcg <public-dpvcg@w3.org>
- Message-ID: <CAAr6OdMCARKq5vALtphVgDtVxhL4p97bxXfn4dLuZsp65md6dw@mail.gmail.com>
Hi All

I was involved with creating a data processing agreement and the legal team from the other party had created a useful list of Organisational and Technical Measures (as a check-list) that I thought would be interesting to compare to the vocabulary. Hence I asked (and received) permission to post it here (see below). They asked to remain anonymous though.

rgds
rob

The Data Processor will, at a minimum, implement the following types of security measures:

1. Physical access control

Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are Processed, include:
- Establishing security areas, restriction of access paths;
- Establishing access authorizations for employees and third parties;
- Access control system (ID reader, magnetic card, chip card);
- Key management, card-keys procedures;
- Door locking (electric door openers etc.);
- Security staff, janitors;
- Surveillance facilities, video/CCTV monitor, alarm system; and
- Securing decentralized data processing equipment and personal computers.

2. Virtual access control

Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:
- User identification and authentication procedures;
- ID/password security procedures (special characters, minimum length, change of password);
- Automatic blocking (e.g. password or timeout);
- Monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts;
- Creation of *one* master record per user, user-master data procedures per data processing environment; and
- Encryption of archived data media.

3. Data access control

Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, include:
- Internal policies and procedures based on known industry standards like ISO27kx, SOC2 or others;
- Control authorization schemes;
- Differentiated access rights (profiles, roles, transactions and objects);
- Monitoring and logging of accesses;
- Disciplinary action against employees who access Personal Data without authorization;
- Reports of access;
- Access procedure;
- Change procedure;
- Deletion procedure; and
- Encryption.

4. Disclosure control

Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include:
- Encryption/tunneling;
- Logging; and
- Transport security.

5. Entry control

Technical and organizational measures to monitor whether Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:
- Logging and reporting systems; and
- Audit trails and documentation.

6. Control of instructions

Technical and organizational measures to ensure that Personal Data are Processed solely in accordance with the instructions of the Controller include:
- Unambiguous wording of the contract;
- Formal commissioning (request form); and
- Criteria for selecting the Processor.

7. Availability control

Technical and organizational measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical) include:
- Backup procedures;
- Mirroring of hard disks (e.g. RAID technology);
- Uninterruptible power supply (UPS);
- Remote storage;
- Anti-virus/firewall systems; and
- Disaster recovery plan.

8. Separation control

Technical and organizational measures to ensure that Personal Data collected for different purposes can be Processed separately include:
- Separation of databases;
- "Internal client" concept / limitation of use;
- Segregation of functions (production/testing); and
- Procedures for storage, amendment, deletion, transmission of data for different purposes.

9. Governance, risk and verification

A governance, compliance and risk management program, verified by an independent, reputable third-party auditor, which program includes, at a minimum:
- A risk-based program for all security decisions;
- Policies and procedures that cover the entire process for the realization of the services provided to Data Controller under the Agreement;
- An internal and/or external audit program to verify the implementation and effectiveness of the company controls at a regular cadence; and
- A vulnerability management program for all technical assets used in the realization of the services provided to Data Controller under the Agreement.

End of document
Received on Wednesday, 17 April 2019 14:20:26 UTC