The organisation must maintain a list of the data systems in use and their owners. The owner is responsible for completing the related documentation and for any other security actions directly related to the data system.
Data system documentation must include at least:
Our organization has defined procedures for maintaining staff cyber security awareness. These may include, for example, the following:
Training should focus on the security aspects most relevant to each job role and should regularly repeat the basics that concern all employees:
All security incidents are handled in a consistent manner so that security can be improved based on what has happened.
In the incident handling process:
The organization should have defined guidelines for the generally acceptable use of data systems and for managing the credentials they require.
In addition, the owners of data systems classified as 'High' or 'Critical' priority can define, document, and implement more specific guidelines for the use of that particular data system. These guidelines may describe, for example, security requirements related to the data contained in the system.
The data system owner defines the access roles for the system based on the tasks of its users. The actual access rights must be monitored for compliance with the planned ones, and the rights must be reassessed at regular intervals.
When reviewing access rights, care must also be taken to minimize admin rights and to remove unnecessary accounts.
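The review described above is easy to automate once the owner's role matrix exists. The following is an added example, not code from the original page or from Cyberday: it compares each account's actual rights with the rights planned for its role and flags the three things the review is meant to catch, unplanned admin rights, unplanned ordinary rights, and accounts that should no longer exist (no role mapping, or no login within the review window). The role names, rights and accounts are constructed for illustration.

```python
"""Access rights review: actual grants vs. the owner's planned role matrix.

Added example, not from the original page. Roles, rights and accounts are
constructed for illustration; a real review would pull them from the
directory and the application's own permission store.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Rights the owner considers administrative and wants kept to a minimum.
ADMIN_RIGHTS = {"admin"}

# Planned entitlements per access role, as defined by the data system owner
# (hypothetical role matrix).
PLANNED_ROLES = {
    "finance-clerk": {"invoices:read", "invoices:write"},
    "finance-auditor": {"invoices:read"},
    "sysadmin": {"invoices:read", "admin"},
}


@dataclass
class Account:
    user: str
    role: str | None          # None: user no longer appears in the HR directory
    rights: set[str]          # what the system actually grants today
    last_login: date | None   # None: never logged in


@dataclass
class Finding:
    user: str
    kind: str                 # orphaned | excess_admin | excess | missing | dormant
    detail: str


def review(accounts: list[Account], today: date,
           dormant_after: timedelta = timedelta(days=90)) -> list[Finding]:
    """Compare each account's real rights with the role it is supposed to hold."""
    findings: list[Finding] = []
    for acct in accounts:
        if acct.role is None or acct.role not in PLANNED_ROLES:
            # No planned role at all: the account should not exist.
            findings.append(Finding(acct.user, "orphaned",
                                    "no role mapping; remove the account"))
            continue
        planned = PLANNED_ROLES[acct.role]
        excess = acct.rights - planned
        # Admin rights outside the role are the most urgent drift.
        for right in sorted(excess & ADMIN_RIGHTS):
            findings.append(Finding(acct.user, "excess_admin",
                                    f"{right} not in role {acct.role}"))
        for right in sorted(excess - ADMIN_RIGHTS):
            findings.append(Finding(acct.user, "excess",
                                    f"{right} not in role {acct.role}"))
        # Missing rights are not a security problem, but show the matrix is stale.
        for right in sorted(planned - acct.rights):
            findings.append(Finding(acct.user, "missing",
                                    f"{right} planned for role {acct.role} but not granted"))
        if acct.last_login is None or today - acct.last_login > dormant_after:
            findings.append(Finding(acct.user, "dormant",
                                    f"no login in {dormant_after.days} days; confirm the account is still needed"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group finding kinds per user, e.g. {'bob': ['excess', 'excess_admin']}."""
    out: dict[str, list[str]] = {}
    for f in findings:
        out.setdefault(f.user, []).append(f.kind)
    return {u: sorted(k) for u, k in out.items()}


# Constructed sample: the state a reviewer might export on review day.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "finance-clerk", {"invoices:read", "invoices:write"}, TODAY - timedelta(days=3)),
    Account("bob", "finance-auditor", {"invoices:read", "invoices:write", "admin"}, TODAY - timedelta(days=10)),
    Account("carol", None, {"invoices:read"}, TODAY - timedelta(days=200)),
    Account("dave", "sysadmin", {"invoices:read", "admin"}, TODAY - timedelta(days=120)),
    Account("erin", "finance-clerk", {"invoices:read"}, TODAY - timedelta(days=1)),
]

if __name__ == "__main__":
    for f in review(SAMPLE_ACCOUNTS, TODAY):
        print(f"{f.kind:12} {f.user:6} {f.detail}")
```

On the sample data, alice produces no findings, bob is flagged for an unplanned admin right and an unplanned write right, carol for having no role at all, dave for dormancy, and erin only for a missing planned right. The "orphaned" check runs before anything else because an account with no owner-approved role has nothing to compare against; it is simply unnecessary.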
An owner is assigned to each data set. The owner is responsible for the life cycle of the information asset and for performing the management tasks related to it.
The owner's duties include, for example:
The owner can delegate some of the tasks, but the responsibility remains with the owner.
Personnel throughout the organization must be aware of:
In addition, top management has defined the ways in which personnel are kept aware of the security guidelines related to their own job role.
Our organization has pre-defined procedures for handling a detected security breach. The process may include, for example, the following:
The organization shall have a sufficient number of trained, supervised and, where necessary, appropriately security-cleared personnel in key information security roles, performing the management tasks related to the information security management system.
The organization has defined:
The task owner regularly reviews the number and competence level of the security personnel.
A designated responsible person actively monitors the supplier's activities and services to ensure compliance with the security terms of the contracts and proper handling of security incidents.
Monitoring includes the following:
Shared accounts should only be allowed if they are necessary for business or operational reasons and should be separately approved and documented.
If shared accounts are used for admin purposes, their passwords must be changed as soon as possible whenever a user with admin rights leaves their job.
GDPR encourages the introduction of a number of general codes of conduct and certification mechanisms, data protection seals and marks, especially at the European Union level.
The idea behind all of these is to demonstrate that processing complies with good data processing practice and data protection requirements. The European Data Protection Board collects all available certification mechanisms into a public register.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and protected by technical and organisational measures.
Anonymisation means modifying personal data so that the person can no longer be identified from it. For example, data can be generalised to a coarser level or the data about an individual can be deleted. In anonymisation, identification is irreversibly prevented, in contrast to pseudonymisation, where the data can be restored to its original form using the additional information.
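The difference between the two is easiest to see in code. The following is an added example, not from the original page: pseudonymisation replaces the direct identifiers with a keyed token and keeps a separate table that allows re-identification, while anonymisation drops the identifiers and generalises the remaining fields so that no such table exists. It also includes a k-anonymity check, which goes slightly beyond the text: generalisation alone does not make data anonymous if one person still ends up alone in their group. The records, field names and the key handling are constructed for illustration.

```python
"""Pseudonymisation vs. anonymisation of personal data records.

Added example, not from the original page. The records, field names and
key handling are constructed for illustration (no real persons).
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Fields that identify the person directly.
DIRECT_IDENTIFIERS = ("name", "email")
# Fields that do not identify on their own but may do so in combination.
QUASI_IDENTIFIERS = ("age_band", "postcode_area")

# Constructed sample records.
RECORDS = [
    {"name": "Anna Virtanen", "email": "anna@example.org",
     "birth_year": 1984, "postcode": "00150", "diagnosis": "flu"},
    {"name": "Bo Nieminen", "email": "bo@example.org",
     "birth_year": 1988, "postcode": "00180", "diagnosis": "asthma"},
    {"name": "Cem Korhonen", "email": "cem@example.org",
     "birth_year": 1981, "postcode": "00120", "diagnosis": "flu"},
]


class Pseudonymiser:
    """Replace direct identifiers with a keyed token.

    The key and the token table are the 'additional information' in the GDPR
    definition: whoever holds them can re-identify, so they must be stored
    separately from the pseudonymised data and access-controlled.
    """

    def __init__(self, key: bytes | None = None):
        self.key = key or secrets.token_bytes(32)
        self.table: dict[str, tuple[str, ...]] = {}

    def token(self, value: str) -> str:
        # HMAC rather than a plain hash: without the key nobody can confirm a
        # guess ("is this token anna@example.org?") by hashing the candidate.
        return hmac.new(self.key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

    def pseudonymise(self, record: dict) -> dict:
        ident = tuple(record[f] for f in DIRECT_IDENTIFIERS)
        tok = self.token("|".join(ident))
        self.table[tok] = ident
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["subject_id"] = tok
        return out

    def reidentify(self, pseudo: dict) -> dict:
        # Only possible with the separately held table (or key plus candidates).
        ident = self.table[pseudo["subject_id"]]
        out = dict(zip(DIRECT_IDENTIFIERS, ident))
        out.update({k: v for k, v in pseudo.items() if k != "subject_id"})
        return out


def anonymise(record: dict, current_year: int = 2024) -> dict:
    """Drop direct identifiers and generalise the rest.

    Nothing is retained that could reverse the transformation.
    """
    age = current_year - record["birth_year"]
    decade = (age // 10) * 10
    return {
        "age_band": f"{decade}-{decade + 9}",
        "postcode_area": record["postcode"][:2] + "xxx",
        "diagnosis": record["diagnosis"],
    }


def is_k_anonymous(records: list[dict], k: int) -> bool:
    """True if every combination of quasi-identifiers occurs at least k times.

    Otherwise a record can still be singled out despite the generalisation.
    """
    counts: dict[tuple, int] = {}
    for r in records:
        key = tuple(r[f] for f in QUASI_IDENTIFIERS)
        counts[key] = counts.get(key, 0) + 1
    return all(c >= k for c in counts.values())


if __name__ == "__main__":
    p = Pseudonymiser()
    pseudo = [p.pseudonymise(r) for r in RECORDS]
    print("pseudonymised:", pseudo[0])
    print("re-identified:", p.reidentify(pseudo[0]))
    anon = [anonymise(r) for r in RECORDS]
    print("anonymised:", anon[0], "2-anonymous:", is_k_anonymous(anon, 2))
```

Two caveats the code makes visible. The keyed token is deterministic, so the same person gets the same pseudonym in every data set pseudonymised with that key; that is what makes records linkable for analysis, but it also means the key must be treated as a secret of the same sensitivity as the original identifiers. And on the three sample records the anonymised output is not 2-anonymous: the one person in the 30-39 band could still be picked out, so the generalisation would need to be coarser (or the lone record suppressed) before the data could be called anonymous.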
A large amount of an organization's valuable information has often accumulated over time into hard-to-find and hard-to-manage unstructured data: Excel spreadsheets, text documents, intranet pages, or emails.
Once this information has been identified, a determined effort can be made to minimize its amount. Important data held outside data systems is subject to one of the following decisions:
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.