12 new national NIS2 framework versions published! Read more ->
Cyberday back to normal - related blog
Establish and maintain a documented data management process. In the process, address data
sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on
sensitivity and retention standards for the enterprise. Review and update documentation annually, or
when significant enterprise changes occur that could impact this Safeguard.
Papers containing sensitive information should be disposed of in an agreed manner, for example, using a shredder or by incineration.
Especially when local or unstructured data needs to be handled a lot due to the nature of the activity, it may be necessary to develop training that describes the risks involved for staff.
Common problems with local and unstructured data include e.g.:
For data you do not want to lose, that you want to control, or that is important to find in the future, staff should use data systems designed for it.
The dataset owners (or the owners of the related information asset, such as a data store or data system) are responsible for the classifications of the datasets and the correspondence of the classification to the definitions of the classes.
The owner updates the data classification over the life cycle of the asset according to variations in its value, sensitivity, and criticality.
Organisation must maintain a listing of controlled data stores and their owners. Owner is responsible for completing the documentation and other possible security actions directly related to the data store.
Data store documentation must include at least:
The organization should have defined guidelines for the generally acceptable use of data systems and for the management of the necessary credentials.
In addition, the owners of data systems classified as 'High' or 'Critical' priority can define, document, and implement more specific guidelines for the use of that particular data system. These guidelines can describe e.g. security requirements related to the data contained in the system.
The Data Protection Officer (or other responsible person) has drawn up operating instructions for personnel handling personal data. In addition, the Data Protection Officer is ready to advise the controller, personal data processing partners or their own staff on compliance with GDPR or other data protection requirements.
There are separate instructions for staff to use mobile devices. The instructions cover:
The organization shall maintain a list of data sets contained in the data stores it manages.
The documentation shall include at least the following information:
Processing of personal data is only lawful if one of the legal bases set out in the General Data Protection Regulation is met. The organization must be able to communicate the purpose of the processing and the legal basis to the data subject and, where appropriate, to the supervisory authority.
The documentation shall include at least:
The data in a data store are, in principle, only available to that controller and under the same responsibility. If you pass data on to another organization for other use, you must clearly inform about it and state e.g. the recipient of the transfer and the legal basis.
The organization's information systems collect data from internal and external sources and process essential data into information. Information supports internal control components
Information must be:
.png)
