An example of how the staff training on information security, data protection and privacy (IS/DPP) could look.
This is an introduction explaining
- the difference between information security, data protection and privacy, and
- the need for, and usefulness of, staff engagement.
The slides come with notes that in short explain the visuals on the slides.
- Internal - Page
Training Objectives
- Create awareness about IS/DPP
- Give a high-level overview of the ACG policy framework on IS/DPP
- Refresh the basics and principles on IS/DPP
- Answer the question: “What is my role, as a staff member, in IS/DPP?”
- Give some guidance on good and bad practice
- Provide signposting to where you can find more information and guidance
What will You Learn?
- What is information classification? Why is it needed? What are the different classification levels of data handled at ABC?
- What are the general principles of IS/DPP?
- What are “layers of defense”?
- How do I, as a staff member, contribute to those layers of defense?
IS/DPP is also… thinking like an attacker
IS/DPP is not… new
Insert ABC’s code of conduct principles, e.g.
Code of Conduct:
I. I act fairly, honestly and transparently
II. I respect others
III. I comply with the law and professional standards
IV. I comply with instructions
V. I manage conflicts of interest
VI. I comply with data protection and information security
VII. I work in the customer’s best interest
VIII. I protect ABC’s interests
IX. I act professionally
X. I report any irregularity observed
ABC IS/DPP Policy Framework
About continuously
Changes
• In the regulatory environment
• In processes
• In people (JLT: Join, Leave, Transfer)
• In technology
Layers of the framework: Environment, Physical, Human, Device, Application, Repository, Carrier, Network, Data, 3rd Parties
Blocks in the Course
1. Introduction
2. Why?
3. Data (Classification)
4. Layers
5. Access
6. Acceptable Use
7. Incidents
8. Monitoring
More Information on IS/DPP at ABC
Intranet: (insert hyperlink)
Relevant Points of Contact
- IT Helpdesk: incidents
- Information Security Officer (ISO): support relating to information security (overall and the more technical side)
- Data Protection Officer (DPO): support relating to personal data protection
- Information Asset Owner (IAO): centralization of information / documentation on an Information Asset
- Human Resources (HR): support on Join, Leave, Transfer
- Procurement Unit: support on relationships with third parties
- Legal Unit: support on agreements
- Marketing Unit: support on use of (personal) data for marketing
See also: Who is Who in IS/DPP?
What do we Expect of You?
(Each item is marked X in one of three columns: Mandatory, “Please”, “Pretty Please”)
General:
- Baseline Test – X
- Baseline Videos – X
- Higher Belt Test – X
- Extra Videos – X
- Policies – X
- Guidelines – X
- Monitoring – X
- Useful links – X
Target Group:
- Classroom Training – X
- Test – X
Welcome to the IS/DPP baseline training.
It is called a baseline training because it is a training for all staff, both internal and external, on the basics of IS/DPP.
Some staff members may be requested to follow a level-up training because they need more in-depth knowledge on the topic in the context of their function or role.
Information security is the broad domain of setting up technical and organisational measures
- to keep information confined to a number of authorized persons (confidentiality),
- to keep information unchanged, so we can rely on the fact that the document we store or send to somebody is not tampered with (integrity), and
- to have the information available if and when needed (availability).
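The integrity property described above is the one that is easiest to make concrete in a few lines. The following is an added example, not material from the training deck: a record is given a keyed checksum (HMAC-SHA256) when it is stored or sent, and the receiver recomputes it to detect any change. The shared key, the record fields and the function names are constructed for the illustration.

```python
import hashlib
import hmac
import json

# Constructed sample key shared by sender and receiver (hypothetical, for the demo only).
SECRET_KEY = b"example-shared-secret-not-for-production"


def _canonical(record: dict) -> bytes:
    """Serialise the record deterministically so the same content always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def protect(record: dict, key: bytes = SECRET_KEY) -> dict:
    """Attach an HMAC-SHA256 tag to the record; only holders of the key can produce a valid tag."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(envelope: dict, key: bytes = SECRET_KEY) -> bool:
    """Recompute the tag and compare in constant time; False means the record or tag was altered."""
    expected = hmac.new(key, _canonical(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def demo() -> tuple:
    """Returns (intact_ok, tampered_ok): the untouched record verifies, the altered one does not."""
    # Constructed customer record; the IBAN is a placeholder, not a real account.
    original = {"customer_id": 12345, "iban": "BE00 0000 0000 0000", "limit": 1000}
    envelope = protect(original)
    intact_ok = verify(envelope)
    # Someone changes the credit limit after the tag was computed.
    tampered = dict(envelope, record=dict(original, limit=1000000))
    tampered_ok = verify(tampered)
    return intact_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point for staff is not the cryptography but the control: a document whose integrity is protected this way cannot be silently changed in transit or at rest without the change being detected, which is why "keep information unchanged" is listed next to confidentiality and availability.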
Data Protection - in our context - relates to the protection of personal data as required by the law.
In Belgium that is the 1992 Personal Data Protection Act. That act was later slightly amended to meet the requirements of a 1995 European Directive on the topic. As from 25 May 2018 that legislation will largely be replaced by the European General Data Protection Regulation (generally shortened to GDPR).
We also keep in mind that next to that general data protection legislation, there are a number of specific statutes and regulations.
For example, the Payment Card Industry Data Security Standard (also known as PCI DSS), which applies to banks and payment institutions.
Privacy is the human right legally protected in a number of international treaties and in constitutions.
It is a concept that is not well-defined and to most people relates
- to their personal perception of the things that are only shared with family and friends, and
- to intimacy.
And that is the main difference with data protection, which to a great extent abstracts from that personal perception.
Why do we need training?
This training has a few objectives.
First off we consider it a way to create awareness on the topic.
Second, we want to draw attention to the ABC Group policy framework by giving a high-level overview and by refreshing the basic principles.
Third, we want to make the topic “alive” in your day to day job at ABC. We give some guidance on what is a good practice and what is not.
And last, we want to promote the channels where we have posted more information and guidance on the topic.
After this training we hope you will be able to explain
- what information classification is and why any organisation needs it,
- what the principles of IS/DPP are,
- what the layers of defense are, and
- what your role is in all this.
At ABC the TRUST of our customers is at the core of our business.
Protecting the (personal) data of our customers is not only a legal obligation, but more importantly is a big part of gaining their trust.
Some aspects of what we call “information security, data protection and privacy” (IS/DPP) are managed centrally, “behind the curtains”.
Nevertheless a key role in making IS/DPP work is YOU, the individual staff member.
Using (personal) data just for the execution of your job and applying common sense in protecting that data, goes a long way.
But it helps to be reminded of some principles of IS/DPP and lift the veil of what is happening centrally to make all of us and ABC Group as a whole even better at it.
The topic is not only interesting to you as a staff member.
You are also a data subject yourself, whose data is being processed by a number of companies on a daily basis.
IS/DPP is more than just hacking. It is not only related to protection from highly skilled IT guys.
There is a lot more to it than that.
Information can be stolen, changed or deleted by a person who succeeds in talking their way past the security measures on the phone or even in our offices.
We can also have a problem when you make a mistake or when we set up the access rights incorrectly.
In any case, thinking of IS/DPP from an attacker's point of view makes us more aware of (potential) vulnerabilities.
IS/DPP is also not new. It is already in the code of conduct.
As you will understand by the end of this training, rule number 6 is the explicit reference to information security and data protection, but most of the other rules have some relation to IS/DPP as well.
IS/DPP for the ABC Group has been further worked out in a comprehensive framework.
Due to the continuous changes in our operations, the legislation, potential attacks, etc. …
this framework is continuously under construction.
All policies of the framework will be communicated in full. However for the purpose of this training
we have chosen to represent it visually as a layered structure.
How does the course look? Well, we have chopped up this e-learning into different blocks.
That way, we hope, you can look at them more easily without being taken away from your job for too long.
Also, should you want to revisit one of the topics, you should be able to do so quite easily.
Additionally, it allows us to update one block, without having to re-work the entire video.
In this training we will only touch upon the principles of IS/DPP.
For more information we refer to the folder "company policies" on the intranet.
You are an important part of ABC Group's defence. But you are not alone.
There are a number of centers of competence you can go to.
Here is a list with their functions.
If you want to put a face to it, ask your line management or check the sharepoint webportal section “who is who in IS/DPP?”
What do we expect of you?
There is basically only one thing we actually require from you: pass the baseline test (yellow belt).
However, we hope we can convince you to go beyond that and that you watch the other materials we have made available for you.
If you are a member of a target group (IT, HR, procurement, project management, …) you will additionally be requested to follow a classroom training and/or a specific test.
The test is one thing.
Our call to action for you is simple: help us protect ABC Group’s data.
And for that… thank you.