
Documentation of data sets for data stores


The organization shall maintain a list of data sets contained in the data stores it manages.

The documentation shall include at least the following information:

  • Data systems and other means used to process the data sets
  • Key categories of data in the data set (and whether it contains personal data)
  • Data retention period (discussed in more detail in a separate task)
  • Information on archiving / disposal of data (discussed in more detail in a separate task)

Connected other frameworks and requirements:

  • T07: Classification of information
  • Chapter 4, Section 13: Information security of data sets and information systems
  • Chapter 4, Section 15: Ensuring the security of data sets
  • 6. Lawfulness of processing (GDPR)
  • 5. Principles relating to processing of personal data (GDPR)

Documentation of data classes for data sets


The data set owners (or the owners of the related information asset, such as a data store or data system) are responsible for classifying the data sets and for ensuring that each classification corresponds to the definitions of the classes.

The owner updates the data classification over the life cycle of the asset according to variations in its value, sensitivity, and criticality.

Connected other frameworks and requirements:

  • T07: Classification of information
  • 8.2.1: Classification of information (ISO 27001)
  • 18.1.3: Protection of records (ISO 27001)
  • ID.AM-5: Resource prioritization (NIST CSF)
  • 5.12: Classification of information (ISO 27001)

Defining and documenting retention times for data sets


Limiting the retention time is one of the principles of the processing of personal data. If the retention period of the data is not provided by law, the following must be taken into account when determining retention periods, for example:

  • the necessity of the data for its original processing purpose
  • implementation and verification of the interests, rights, obligations and legal protection of a natural or legal person
  • the legal effect of the contract or other legal action in civil matters
  • statutory limitation periods
  • criminal limitation periods

Describe your own process for evaluating retention periods.

Connected other frameworks and requirements:

  • Chapter 5, Section 21: Determining the need to retain data sets
  • 5. Principles relating to processing of personal data (GDPR)
  • 18.1.3: Protection of records (ISO 27001)
  • PR.IP-6: Data destruction (NIST CSF)
  • A.7.4.2: Limit processing (ISO 27701)

Designation of data set owners


An owner is assigned to each data set. The owner is responsible for the life cycle of the information asset and for performing the management tasks related to that asset.

The owner's duties include, for example:

  • ensuring the asset is documented
  • ensuring appropriate protection of the asset
  • regularly reviewing access rights
  • ensuring proper handling of information, also on disposal

The owner can delegate some of the tasks, but the responsibility remains with the owner.

Connected other frameworks and requirements:

  • 32. Security of processing (GDPR)
  • 8.1.2: Ownership of assets (ISO 27001)
  • 18.1.3: Protection of records (ISO 27001)
  • Chapter 4, Section 13: Information security of data sets and information systems
  • Chapter 4, Section 15: Ensuring the security of data sets

Using data loss prevention policies


Data Loss Prevention (DLP) policies can be used to protect sensitive data from accidental or intentional disclosure. Policies can alert, for example, when they detect sensitive data (such as personal identification numbers or credit card numbers) in email or in another data system where it does not belong.

The organization defines DLP policies related to endpoints in a risk-based manner, taking into account the data classification of the processed data.
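
The detection described above, as an added example (not part of the original page or of any specific DLP product): it finds card numbers in message text, confirms them with the Luhn checksum to cut false positives, and picks an action per channel. The channel names, the `POLICY` mapping and the sample message are assumptions made for illustration.

```python
import re

# 13-19 digits, optionally grouped with spaces or hyphens, not part of a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Hypothetical policy: action per channel when card data is found there.
POLICY = {"payment_system": "allow", "internal_email": "alert", "external_email": "block"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out order numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits so the alert itself does not leak the number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_numbers(text: str) -> list[str]:
    hits = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def evaluate(channel: str, text: str) -> dict:
    """Return the DLP decision for one message on one channel."""
    matches = find_card_numbers(text)
    # Unknown channels get an alert rather than a silent pass.
    action = POLICY.get(channel, "alert") if matches else "allow"
    return {"channel": channel, "action": action, "matches": matches}


# Constructed sample message: one industry test card number and one order reference.
SAMPLE = "Please charge card 4111 1111 1111 1111, order ref 1234 5678 9012 3456."

if __name__ == "__main__":
    for channel in ("payment_system", "internal_email", "external_email"):
        print(evaluate(channel, SAMPLE))
```

The order reference has the same shape as a card number but fails the checksum, so only the card number is reported, and only in masked form.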

Connected other frameworks and requirements:

  • 18.1.2: Intellectual property rights (ISO 27001)
  • 18.1.3: Protection of records (ISO 27001)
  • 8.12: Data leakage prevention (ISO 27001)
  • 5.33: Protection of records (ISO 27001)

Use of a DLP system


The DLP system aims to prevent the loss or leakage of sensitive data. The system can be used to prevent unwanted actions by monitoring, detecting and blocking any processing of sensitive data that does not meet the desired conditions. Blocking can be done during use (in-use, endpoint operations), in motion (in-transit, network traffic) or in storage locations (at-rest).

Connected other frameworks and requirements:

  • 18.1.2: Intellectual property rights (ISO 27001)
  • 18.1.3: Protection of records (ISO 27001)
  • 8.12: Data leakage prevention (ISO 27001)