Technical and organizational measures
Access control to premises and facilities
Measures must be taken to prevent unauthorized physical access to premises and facilities holding personal data. Measures shall include:
- Electronic access control system, security locks
- (Issue of) keys and chip cards according to duties
- Careful selection of service personnel with long-term affiliation
- Chaperonage of visitors on premises
- Offline management of electronic locks
- Surveillance of facilities through a security firm
Access control to systems
Measures must be taken to prevent unauthorized access to IT systems. These must include the following technical and organizational measures for user identification and authentication:
- Assignment of privileges for the insertion, modification and deletion of data based on an authorisation scheme
- Periodic review of justified and up-to-date accounts in all systems; central management of system access, where possible; system specific supervision, including periodic reviews, and administration of access otherwise
- Password management, authorisation using at least username and password, MFA where possible, no access for guest users or anonymous accounts
- Application of anti-virus and security software
- Application of VPN for network access
- Application of a firewall through trained personnel
- Secure communication protocols for external services
Access control to data
Measures must be taken to prevent authorized users from accessing data beyond their authorized access rights and to prevent the unauthorized input, reading, copying, removal, modification or disclosure of data. These measures shall include:
- Application of an authorisation scheme
- Organisational training on correct behaviour, such as locking the screen, no password reuse, complex passwords and avoiding copies of data
- Principle of least privilege for accounts, minimisation of accounts with administrative privileges
- Printed data is destroyed using a paper shredder
- Contractual obligation for non-disclosure
- Differentiated access rights
- Access rights defined according to duties
- Automated log of user access via IT systems
- Measures to prevent the use of automated data-processing systems by unauthorized persons using data communication equipment
- Audit trail of administrative tasks on system-level
- Separation of environments and privileges for test and production
Disclosure control
Measures must be taken to prevent the unauthorized access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include:
- Properly secured mobile devices
- Encryption using a VPN or other encrypted protocols for remote access, transport and communication of data
Input control
Measures must be put in place to ensure all data management and maintenance is logged, and an audit trail of whether data have been entered, changed or removed (deleted) and by whom must be maintained. Measures should include:
- Personal accounts assigned according to an authorisation scheme
- Logging user activities on IT systems
Job control
Measures should be put in place to ensure that data is processed strictly in compliance with the data importer’s instructions. These measures must include:
- Careful selection of sub-processors
- DPAs with regard to GDPR are in place with sub-processors
Availability control
Measures should be put in place to ensure that data are protected against accidental destruction or loss. These measures must include:
- Ensuring that installed systems can be restored in the case of an interruption
- Ensuring that systems are functioning and that faults are reported
- Proper electrical security measures including uninterruptible power supply (UPS) for self-hosted server facilities
- Redundancy or fail-over of systems
Organisational Control
- Periodic training of employees and sub-processors
- Employee Handbook and Instructions on data security and privacy
- Contractual obligation of non-disclosure for every employee as part of the on-boarding process
- Data protection officer