An example of how the staff training on information security, data protection and privacy (IS/DPP) could look.
This part is on the acceptable use of the companies (and sometimes also own) means. Each company should add what is appropriate for it.
The slides come with notes that in short explain the visuals on the slides.
2. 2
- Internal - Page
Purpose Driven
Respect the purpose-bound
nature of Information Assets,
applications, devices, access
rights,…
Professional use. No private
use. No “private interest”
snooping.
Need-to-know. Do you really
need it to perform your job?
Specific purpose: e.g. fraud
prevention is not to be re-
used for marketing.
5. 5
- Internal - Page
Internet
Do not use internet-based applications
for the manipulation or storage of
confidential data, unless you have an
exception approval of the ISO or DPO.
6. 6
- Internal - Page
Internet
Do not use internet-based applications
for the manipulation or storage of
confidential data, unless you have an
exception approval of the ISO or DPO.
Do not visit inappropriate
websites on the internet.
For private use of the internet,
you should use the computers in
the cafeteria.
Only download and install
applications from the internet
with the approval of IT.
8. 8
- Internal - Page
Key Takeaways
Respect the purpose-bound nature of
(information) assets.
Write nicely.
Don’t use internet-based applications with
confidential data.
Be careful on social media.
30 sec IS/DPP survival kit
WrapUp
Editor's Notes
Welcome to the sixth part of the baseline training IS/DPP.
Herein we look at overarching requirement of accaptable use of the data, your access rights, the devices, etc.
Some aspects are already covered in the different layers.
Herein we focus on a few things that were not addressed yet.
You should always be aware of and respect the purpose bound nature of the data, the applications, devices, access rights,…
That applies on three levels: You should use the data, the applications, devices, access rights,…
only for professional purposes;
only to perform your specific function / role / task; and
only for the specific purpose it can be used for.
That also means that you should only give access to people that have a need-to-know and are authorized.
If you put data on the intranet, sharepoint, or servers, or pass it on to colleagues or third parties,
YOU must ensure that the access rights are properly limited.
If you insert information in the ABC Group systems you should also write “nicely”. That means:
that should it be requested or required, we can show it without having to redact it;
as much as possible, write objectively and include the source;
If you include an opinion, indicate that it is an opinion;
do not include medical data or judicial data, unless there is a (general) sign-off of the DPO.
Do not use internet-based applications like dropbox for the manipulation or storage of confidential data, unless you have an exception approval of the ISO or DPO.
Do not visit inappropriate websites on the internet.
For private use of the internet, you should use the computers in the cafeteria.
Only download and install applications from the internet with the approval of IT.
Be careful on social media. The world is watching.
That entails:
do not discuss (confidential) ABC Group business on social media, not even with customers;
If you refer to ABC Group (marketing) actions, make a hyperlink to the official communication;
…
That is it for this section. Here are a few key takeaways.
