Cyber criminals can exploit configuration errors or technical vulnerabilities in applications, firewalls, or networks to access our information.
An organization must use defense-in-depth technologies to protect against, detect, and respond to cyber-attacks. The techniques should be suitable for controlling physical, logical and administrative controls.
Remote workers have their own operating guidelines, which are monitored. In addition, regular training is provided to staff to identify threats to information security arising from the use of mobile devices and remote work, and to review the guidelines.
The media used for backups and the restoration of backups are tested regularly to ensure that they can be relied on in an emergency.
Accurate and complete instructions are maintained for restoring backups. The policy is used to monitor the operation of backups and to prepare for backup failures.
Käsiteltäessä erityisiin henkilötietoryhmiin kuuluvia tai rikostuomioihin ja rikoksiin liittyviä henkilötietoja organisaatio toteuttaa asianmukaiset ja erityiset toimenpiteet rekisteröidyn oikeuksien suojaamiseksi.
Näitä erityisiä toimenpiteitä voivat olla mm.:
GDPR defines the conditions for the lawful transfer of personal data outside the EU or the EEA.
The organization shall document all data transfers and the applicable transfer criteria. Data transfers can occur, for example, based on the location of the data system, the data processing partner or the recipient of the data disclosure.
With adequate backups, all important data and programs can be restored after a disaster or media failure. An important first step in a functional backup strategy is to identify who is responsible for backing up each piece of data. Determining the responsibility for backup is the responsibility of the owners of the information assets (systems, hardware).
If the backup is the responsibility of the partner, we will find out:
If the backup is our own responsibility, we will find out:
The processors of personal data (e.g. providers of data systems, other partners using our employee or customer data) and the agreements related to the processing of personal data have been documented. The documentation includes e.g.:
The purpose of a data protection impact assessment is to help identify, assess and manage the risks involved in the processing of personal data. An impact assessment must be carried out when the processing of personal data is likely to pose a high risk to people's rights and freedoms. Risks are increased by, for example, the use of new technologies, the processing of sensitive personal data, the automation of personal characteristics or the scale of processing in general.
Task owner regularly evaluates organisation's processing of personal data, in particular, the databanks and related processing purposes and the data systems used, in order to determine the need for impact assessments. Task owner is also responsible for ensuring the identified impact assessments get conducted and documented.
A designated responsible person actively monitors the supplier's activities and services to ensure compliance with the security terms of the contracts and the proper management of security incidents.
Monitoring includes the following:
Organization's data systems and network must be monitored to detect abnormal use. When anomalities are detected, the organization must take the necessary measures to assess the possibility of security incident.
The monitoring should utilize tools that enable real-time or regular monitoring, taking into account the organization's requirements. Monitoring practices should be able to manage large amounts of data, adapt to changing threat environment, and send alerts immediately when necessary.
Inclusion of the following sources in the monitoring system should be considered:
li>
Organization must also establish procedures for identifying and correcting "false positive" results, including tuning monitoring software for more accurate anomaly detection.
Tietoteknisissä ympäristöissä ja niihin liittyvissä sopimuksissa on huomioitu toiminnan kannalta tärkeiden palveluiden saatavuus häiriötilanteissa.
Tärkeiden palvelujen tietotekniset ympäristöt varmennetaan esimerkiksi kahdentamalla siten, että yksittäisten komponenttien vikaantumiset eivät aiheuta toiminnan edellyttämää palvelutasoa pidempiä käyttökatkoja.
Tietotekniset ympäristöt voidaan varmentaa varavoimalla tai varavoimaliitännöillä siten, että sähkönjakelu voidaan käynnistää riittävän nopeasti ja ylläpitää sitä riittävän ajan suhteessa toiminnan vaatimuksiin.