Page History

Versions Compared

Key

This line was added.
This line was removed.
Formatting was changed.

...

Contains list of all personal data which will be processed and categories of Data subjects involved.

Annex 3 - specific security measures

...

Besides general security measures defined in main part of DPA, specific security measures which should be applied by DP in order to ensure protection of personal data can be defined. When properly implemented they can provide assurance that DP can provide adequate protection of rights of data subjects. These security measures are service specific and depends on architecture, scope and other factors and those are chosen based on risk assessment. Here is list of some types of security measures which can be used as reminder. Chosen measures should be elaborated in more details as appropriate.
organization - appropriate security policy
personnel - trained in data security; signed AUP or Statement of Confidentiality concerning personal data
access management - strong password or 2-factor authentication are used for authorization; access to data and data modifications are logged
access protection - firewall or ACL protection
stored data protection - pseudonymisation; anonymisation; database encryption; hard disk and removable media encryption; other forms of data encryption
data transfer protection - during transfer data are protected with secure versions of encryption methods such as TLS, VPN, WPA2, SSHSSH, secured wireless...
vulnerability management - software are timely patched; regular vulnerability scanning or penetration testing of applications or systems
malware protection - end-station malware protection; email malware protection; education of personnel
data leak protection - IDS; continuous monitoring; removable media policy
regular backups - stored on safe place; encrypted; restore regularly checked
incident management - incident response; timely reporting all incident to data controller
(D)DOS protection - on network, system or application level
Aim of applying security measures is to ensure Confidentiality, Integrity and Availability (CIA) of personal data. The following table shows in more details which principle of CIA is improved by each class of security measures. Also, it shows applicability of each security measure to different parts of data processor: organizational, system administration, network administration and application development. Which security measures and to which extend will be implemented is usually based on risk assessment.

C I A
AreaItem
Class of security
measures
Security measure Organization System
admin. Network
admin. Applications
development

security policy appropriate security policy

personnel trained in (personal) data security

signed AUP or Statement of Confidentiality for (personal) data

access management strong password or 2 factor authentication

logging of data modification

access protection firewall, ACL, …

stored data protection pseudonymisation

anonymisation

database encryption

hard disk and removable media encryption

other forms of data encryption

data transfer protection secure transport (IPsec, VPN, wireless, …)

remote system access (TLS, RDP, SSH, …)

remote application access (TLS, SSH, …)

vulnerability management timely patching

regular vulnerability scanning of applications or systems

regular penetration testing of applications and systems

malware protection end-station malware protection

email malware protection

education of personnel

data leak protection IDS

continuous monitoring

removable media policy

personnel education

regular backups backup policy

stored on safe place

encrypted

restore regularly checked

incident management incident response procedure

timely reporting all incident to data controller

(D)DOS protection on network, system or application level

Annex 4 - data transfers outside EU

...