Our organization has defined procedures for maintaining staff's cyber security awareness. These may include e.g. the following things:
Training should focus on the most relevant security aspects for each job role and cover often enough the basics, which concern all employees:
The Data Protection Officer (or other responsible person) has drawn up operating instructions for personnel handling personal data. In addition, the Data Protection Officer is ready to advise the controller, personal data processing partners or their own staff on compliance with GDPR or other data protection requirements.
The organization should have defined guidelines for the generally acceptable use of data systems and for the management of the necessary credentials.
In addition, the owners of data systems classified as 'High' or 'Critical' priority can define, document, and implement more specific guidelines for the use of that particular data system. These guidelines can describe e.g. security requirements related to the data contained in the system.
Especially when a lot of local or unstructured data needs to be handled due to the nature of the activity, it may be necessary to develop training that describes the risks involved for staff.
Common problems with local and unstructured data include e.g.:
For data you do not want to lose, that you want to control, or that is important to find in the future, staff should use data systems designed for it.
The organization has defined the areas for handling confidential information and the operating rules that are followed in all activities that take place in the corresponding areas.
In the rules, consideration should be given to the following points:
The management of the organization must ensure that the organization has up-to-date instructions on data processing, the use of information systems, data processing rights, the implementation of data management responsibilities, the implementation of access to information rights and information security measures.
In practice, the management defines how the up-to-dateness of the instructions is ensured and to which actors the instructions apply. Taking care of up-to-dateness is part of it.
It is recommended to assign the responsibility for keeping the instructions up-to-date to those actors who have overall responsibility for information security, information systems, data reserves, record keeping, decision-making related to document requests, case management and archive work.