The organisation must maintain a listing of the data systems in use and their owners. The owner is responsible for completing the related documentation and any other security actions directly related to the data system.
Data system documentation must include at least:
The organization shall maintain a list of data sets contained in the data stores it manages.
The documentation shall include at least the following information:
The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:
The organisation must maintain a listing of controlled data stores and their owners. The owner is responsible for completing the documentation and any other security actions directly related to the data store.
Data store documentation must include at least:
The data system owner determines the access roles to the system according to the tasks of its users. Compliance of the actual access rights with the planned ones must be monitored, and the rights must be reassessed at regular intervals.
When reviewing access rights, care must also be taken to minimize admin rights and eliminate unnecessary accounts.
Limiting the retention time is one of the principles of personal data processing. If the retention period of the data is not prescribed by law, the following, for example, must be taken into account when determining retention periods:
Describe your own process for evaluating retention periods.
The organization implements role-based access control with predefined access roles for the various protected assets; each role entitles its holders to access the associated asset. The strictness of the access roles should reflect the security risks associated with the asset.
The following should be considered to support access management:
The organization assesses cyber security risks by responding to situations where security has been mildly or severely compromised. The documentation shall include at least the following:
Data subjects have the same rights to their personal data regardless of the form in which we store it. We need to be able to describe the processing and provide data subjects with access to their personal data, whether it is held on paper, in local files or in data systems.
We separately document personal data that is stored outside of data systems.