...
- personnel - trained in data security; signed AUP or Statement of Confidentiality concerning personal data
- access management - strong passwords or 2-factor authentication are used for authorization; access to data and data modifications are logged
- access protection - firewall or ACL protection
- stored data protection - pseudonymisation; anonymisation; database encryption; hard disk and removable media encryption; other forms of data encryption
- data transfer protection - during transfer data are protected with secure versions of encryption methods such as TLS, VPN, WPA2, SSH
- vulnerability management - software is patched in a timely manner; regular vulnerability scanning or penetration testing of applications or systems
- malware protection - end-station malware protection; email malware protection; education of personnel
- data leak protection - IDS; continuous monitoring; removable media policy
- regular backups - stored in a safe place; encrypted; restore regularly checked
- incident management - incident response; timely reporting of all incidents to the data controller
- (D)DoS protection - on network, system or application level
| C | I | A | Area | Item | Organization | System admin. | Network admin. | Applications development |
|---|---|---|---|---|---|---|---|---|
| | | | security policy | appropriate security policy | | | | |
| | | | personnel | trained in (personal) data security | | | | |
| | | | | signed AUP or Statement of Confidentiality for (personal) data | | | | |
| | | | access management | strong password or 2-factor authentication | | | | |
| | | | | logging of data modification | | | | |
| | | | access protection | firewall, ACL, … | | | | |
| | | | stored data protection | pseudonymisation | | | | |
| | | | | anonymisation | | | | |
| | | | | database encryption | | | | |
| | | | | hard disk and removable media encryption | | | | |
| | | | | other forms of data encryption | | | | |
| | | | data transfer protection | secure transport (IPsec, VPN, wireless, …) | | | | |
| | | | | remote system access (TLS, RDP, SSH, …) | | | | |
| | | | | remote application access (TLS, SSH, …) | | | | |
| | | | vulnerability management | timely patching | | | | |
| | | | | regular vulnerability scanning of applications or systems | | | | |
| | | | | regular penetration testing of applications and systems | | | | |
| | | | malware protection | end-station malware protection | | | | |
| | | | | email malware protection | | | | |
| | | | | education of personnel | | | | |
| | | | data leak protection | IDS | | | | |
| | | | | continuous monitoring | | | | |
| | | | | removable media policy | | | | |
| | | | | personnel education | | | | |
| | | | regular backups | backup policy | | | | |
| | | | | stored in a safe place | | | | |
| | | | | encrypted | | | | |
| | | | | restore regularly checked | | | | |
| | | | incident management | incident response procedure | | | | |
| | | | | timely reporting of all incidents to the data controller | | | | |
| | | | (D)DoS protection | on network, system or application level | | | | |
Annex 4 - data transfers outside the EU
...