The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include measures for asset management.
Organisation must maintain a listing of used data systems and their owners. Owner is responsible for completing the related documentation and possible other security actions directly related to the data system.
Data system documentation must include at least:
The organization shall maintain a list of data sets contained in the data stores it manages.
The documentation shall include at least the following information:
Organisation must maintain a listing of controlled data stores and their owners. Owner is responsible for completing the documentation and other possible security actions directly related to the data store.
Data store documentation must include at least:
The organization shall list all relevant protected assets to determine ownership and to ensure that security measures cover all necessary items.
A large portion of the protected assets (including data sets, data systems, personnel / units, and partners) are treated through other tasks. In addition, the organization must list other important assets, which may be, depending on the nature of its operations, e.g. hardware (servers, network equipment, workstations, printers) or infrastructure (real estate, power generation, air conditioning). In addition the organization should make sure that relevant external devices are documented.
Assets to be protected related to information and data processing services should be inventoried. The purpose is to ensure that the cyber security is focused on the necessary information assets.
Inventory can be done directly in the management system, but an organization may have other, well-functioning inventory locations for certain assets (including code repositories, databases, network devices, mobile devices, workstations, servers, or other physical assets).
Describe in this task, which lists outside the management system are related to protection of information assets.
The organization maintains documentation of interfaces and other connections between data system and the data transmission methods used in the interfaces.
The documentation concerning the interfaces shall be reviewed regularly and after significant changes to data systems.
Registrants have the same rights to their personal data, no matter in what form we store them. We need to be able to communicate processing and provide data subjects with access to personal data, whether on paper, in local files or in data systems.
We separately document personal data that is stored outside of data systems.
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.