...
- personnel - trained in data security; signed AUP or Statement of Confidentiality concerning personal data
- access management - strong password or 2-factor authentication are used for authorization; access to data and data modifications are logged
- access protection - firewall or ACL protection
- stored data protection - pseudonymisation; anonymisation; database encryption; hard disk and removable media encryption; other forms of data encryption
- data transfer protection - during transfer data are protected with secure versions of encryption methods such as TLS, VPN, WPA2, SSH
- vulnerability management - software are timely patched; regular vulnerability scanning or penetration testing of applications or systems
- malware protection - end-station malware protection; email malware protection; education of personnel
- data leak protection - IDS; continuous monitoring; removable media policy
- regular backups - stored on safe place; encrypted; restore regularly checked
- incident management - incident response; timely reporting all incident to data controller
- (D)DOS protection - on network, system or application level
| C | I | A | Area | Item | Organization | System admin. | Network admin. | Applications development |
|---|---|---|---|---|---|---|---|---|
| security policy | appropriate security policy | |||||||
| personnel | trained in (personal) data security | |||||||
| signed AUP or Statement of Confidentiality for (personal) data | ||||||||
| access management | strong password or 2 factor authentication | |||||||
| logging of data modification | ||||||||
| access protection | firewall, ACL, … | |||||||
| stored data protection | pseudonymisation | |||||||
| anonymisation | ||||||||
| database encryption | ||||||||
| hard disk and removable media encryption | ||||||||
| other forms of data encryption | ||||||||
| data transfer protection | secure transport (IPsec, VPN, wireless, …) | |||||||
| remote system access (TLS, RDP, SSH, …) | ||||||||
| remote application access (TLS, SSH, …) | ||||||||
| vulnerability management | timely patching | |||||||
| regular vulnerability scanning of applications or systems | ||||||||
regular penetration testing of applications and systems | ||||||||
| malware protection | end-station malware protection | |||||||
| email malware protection | ||||||||
| education of personnel | ||||||||
| data leak protection | IDS | |||||||
| continuous monitoring | ||||||||
| removable media policy | ||||||||
| personnel education | ||||||||
| regular backups | backup policy | |||||||
| stored on safe place | ||||||||
| encrypted | ||||||||
| restore regularly checked | ||||||||
| incident management | incident response procedure | |||||||
| timely reporting all incident to data controller | ||||||||
| (D)DOS protection | on network, system or application level |
Annex 4 - data transfers outside EU
...