Information transfer policies and procedures

The organization has developed guidelines for staff that define the acceptable use of various communication services and aim to prevent the disclosure of confidential information to, for example, a phisher or other third parties.

The Data Protection Officer (or other responsible person) has drawn up operating instructions for personnel handling personal data. In addition, the Data Protection Officer is ready to advise the controller, personal data processing partners or their own staff on compliance with GDPR or other data protection requirements.

The selection and up-to-dateness of web browser greatly affects e.g. experience, operation and browsing security of online services. When the entire organization uses the same web browser, instructing is easier and security is improved.

IT has chosen the browser to be used, monitors the staff in using the correct and up-to-date browser and supports the staff in the use.

Removable media includes e.g. flash memories, SD memories, removable storage drives, USB sticks and DVDs.

The organization has defined which removable media is allowed to be used.

When removable media is an important part of an organisation's operations, more specific rules have been defined for securing removable media and the information they contain.

• when a removable media is transferred outside the organization, it is impossible to restore its contents if the content is no longer needed;
• the transfer of media from the organization required a permiossion and all transfers will be logged
• removable media are protected by encryption when the confidentiality and integrity of the information is important
• information on removable media is regularly passed on to unused media so that the media does not deteriorate and the data becomes unreadable before that time;
• multiple copies of valuable data are stored on different media to reduce the risk of simultaneous data damage or loss

Often, employees want access to data systems as easily as possible - from anywhere, anytime. However, in order to protect the data, it may be desirable to prevent the data from being downloaded locally outside the self-maintained network, as the security of the network cannot be guaranteed.

Often, employees want access to data systems as easily as possible - from anywhere, anytime. However, to protect data, you may want to prevent local downloading of data to devices that are not managed, for example, through the organization's mobile device management.

Anti-phishing policies can help an organization prevent impersonation-based phishing. Targeted “spear phishing” attacks in particular are often so skillfully executed that even a conscious employee finds it difficult to identify a scam.

For example, the ATP extension for Microsoft 365 can quarantine e-mail messages that impersonate our CEO or that present our own domain as the sender's domain, while forwarding them to the person in charge of security.

If a scammer gains access to a user's inbox, they can use the auto-forward feature to track communications and steal confidential information. Your own employees can also create unsafe forwarding rules, which can lead to data leakage or loss.

This can be prevented, for example, in a Microsoft 365 environment by creating a "mail flow" rule.