Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Training Procurement


Published on

This is an example training in the context of IS/DPP, information security, data protection and privacy.
It is a training directed to procurement officers and outsourcing managers.
The generic idea is that procurement officers and outsourcing managers support the inventory and overview of the company or group on third party relationships. By a well implemented governance through procurement officers and outsourcing managers it should be easier to upkeep the overview through the existing processes of managing (most) third party relationships, thus increasing ownership and awareness of information security and privacy.

Published in: Law
  • Be the first to comment

  • Be the first to like this

Training Procurement

  1. 1. - Classification: internal - COMPANY IS/DPP Level-up Training Sessions Procurement (date)
  2. 2. 2- Classification: internal - Page “Level-up” In addition to the baseline training for all staff Applicable to specific staff, in this case: procurement officers Why? - Procurement officers (help) manage the relationship with external parties in the organisation. They are the center of competence and (single) point of contact on the matter. - Therefore project manager are well-placed champions for IS/DPP. - The business (as usual) should be able to attract, contract, and follow-up the external relationshiop, which should (a) working with untrustworthy counterparties, and (b) allow enforcement of compliance.
  3. 3. 3- Classification: internal - Page YOUR MISSION, should you choose to accept it… Support in and as the Business-As-Usual the organisational aspect of IS/DPP by  acting as center of competence with regard to relationship management of external parties – selecting counterparties – contract negotiations – follow up  screening & vetting candidates  documenting commitment  guiding (and triggering) follow-up
  4. 4. Center of Competence
  5. 5. 5- Classification: internal - Page Masters of the Process Select • RFI, RFP, BaFO • Questionnaires and Questions Contract • Negotiations (need-to-have v nice-to-have) • Risk Acceptance (as the case may be) • Execution (and retention) Follow-up • Informal: “wine and dine”, relationship management, … • Formal: questionnaires, audit, … • Special: rights of data subjects (e.g. rectification, block)
  6. 6. 6- Classification: internal - Page External Parties 6 COMPANY proc. group Vendor SP Client Client Client Client Client Client Client Vendor Service Provider Sub- processor 1. Confidentiality 2. Personal Data: DP schedule Enforcement
  7. 7. 7- Classification: internal - Page Personal Data Protection: Different Levels Internal Processor in a “safe country” Processor in an “unsafe country”
  8. 8. 8- Classification: internal - Page Internal (FYI) Concentric circle controls 1 Perimeter control: controlled access to the buildings e.g. zoning on a risk basis, security alarms, locked doors, surveillance cameras, security guards (day/night), enterance controls (badge, biometrics,…), identified and guided visitors, 2 Network control: controlled access to the network e.g. firewalls, virus scans (incl. malware, spyware, …), 3 Server access control: zoning on a risk basis, monitoring (high-level permanent/sample or exception based periodic), 4 Secure data deletion: shredders, instructions, waste baskets, … 5 Data loss prevention DP training for legal and quality 24 November 2014 Slide 8 Summary Content Equipment access control deny unauthorised persons access to data-processing equipment used for processing personal data Data media control prevent the unauthorised reading, copying, modification or removal of data media Storage control prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data User control prevent the use of automated data-processing systems by unauthorised persons using data communication equipment Data access control ensure that persons authorised to use an automated data-processing system only have access to the data covered by their access authorisation Communication control ensure that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data communication equipment Input control ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems and when and by whom the data were input Transport control prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media Recovery ensure that installed systems may, in case of interruption, be restored Reliability & Integrity ensure that the functions of the system perform, that the appearance of faults in the functions is reported and that stored data cannot be corrupted by means of a Insert policy overview / visualisation
  9. 9. 9- Classification: internal - Page Gradations of topo-risk Argentina Australia Canada Faeroe Islands Guersney Isle of Man Israel Jersey Switzerland Uruguay (USA) Norway Lichtenstein Iceland No adequate level of protection - Contractual clauses - Other
  10. 10. 10- Classification: internal - Page Processor in a “safe” country Part of the selection process Binding clauses Follow-up Sufficient guarantees on measures wrt the data processing operation - Processors only acts on instruction of the controller - Legal requirements of internal measures must bind the processor Ensure compliance with measures wrt the data processing operation OR NOT, if you have a template
  11. 11. 11- Classification: internal - Page Processor in an “unsafe” country Reference is made to the legitimacy topic. Controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights which are authorized under applicable (national) law. Same as other processors Binding clauses Specific basis for legitimacy Balance test Legal requirement Implied consent Explicit consentlimitedSCC
  12. 12. Screening & Vetting Internal staff = HR External staff = insert
  13. 13. 13- Classification: internal - Page Environment Physical Human Device Application Repository Carrier Layers & Dimensions Changes • In the regulatory environment • In processes • In people (JLT) • In technology Network Data 3rd Parties We are going to give this person access to - our premises? - our network? - our devices? - our applications? - our data? - …
  14. 14. 14- Classification: internal - Page Input: Risk Assessment (Privacy Impact Assessment)  Data set and data flow description  Risk mitigating / sharing measures (as foreseen) Technical measures (+ point of contact) Organisational measures  documented (a.o. who can/should have access?)  communication/training/awareness [plan]  Residual risk acceptance (if any, may come after negotiations)  Risk assessment (different versions) Before “outsourcing” (legacy = absent) After “outsourcing”
  15. 15. 15- Classification: internal - Page Document: Data Sets (first 3 criteria) Source of the data Objective / Subjective Data Subject / Generated ourselves / 3rd party / … Purpose for the data Credit review, AML screening, profiling, contact in execution of agreement, marketing, segmentation, … Data subject Customer, cardholder, prospect, candidate, staff member, contact at supplier, contact at corporate customer,… Data fields Free fields: Name, address, free comment, meeting report, … Dropdown lists: Country, Title, Status,… Special categories of data Financial data, card data (PCI), … Relating to race, ethnic origin, (political, philosophical, religious) beliefs, trade union membership, sexual life Health data / Judicial data (related to litigation, criminal sanctions, presumptions of criminal facts,…) (Estimated) volume By number of data subjects, by number of data fields per data subject, …
  16. 16. 16- Classification: internal - Page Document: Risks Data Classification Give the full data classification per data set. Risks identified What risks were identified in terms of the different layers of information security and data protection? Qualitative measure of the risk Likelihood x impact Quantitative measure of the risk (if possible) more detailed calculations based on statistical models (e.g. monte carlo) Validation by CISO The CISO has to validate all information risk assessments. Validation by DPO (for personal data) The DPO has to validate all personal data related risk assessments.
  17. 17. 17- Classification: internal - Page Document: Risk Approach Risk Mitigating Measures For every risk identified, the mitigating measures: technically and/or organisationally (incl. first line controls). Risk Sharing Measures For every risk identified, if applied, the risk sharing measures: agreements, insurances, etc; Residual Risk For every risk identified, the residual risk (incl. assessment in terms of likelihood and impact). Comparison to 1st Risk Assessment Preferably visually (matrix) Validation by CISO The CISO has to validate all information risk approaches. Validation by DPO (for personal data) The DPO has to validate all personal data related risk approaches. Residual Risk Acceptance (if any) The decision by the ExCo or, as the case may be, a steering committee to which the project follow-up was delegated. New risk acceptance or measures, if and when the risk assessment has shown change in risk profile.  Escalate via CISO or DPO
  18. 18. 18- Classification: internal - Page Document: Data Flows Data set transferred (see data set for further detail) Source of the data In principle the repository you are responsible for as Information Asset Owner Recipient of the data Within company / between GROUP companies / Third Party (processing on COMPANY’s behalf) / Third Party (processing on own behalf) Purpose for use by the recipient To allow alignment with the original purpose and fitness of the data set Operational description of transfer Automatic or manual intervention, format (xls, xml, CODA, …), channel, frequency of the transfer, … Security of the transfer Measures taken to ensure the secure transfer, both technical (e.g. encryption) and organisational (e.g. double channel for transfer of package and key) Assurance by recipient To keep the data secure and confidential, not to use the data for other purposes than described, not to further transfer the data, to update the data at request of IAO,… Validation Validation by CISO (always) and DPO (personal data)
  19. 19. 19- Classification: internal - Page Getting started • Screen • RFI Recruit • Vet • RFP Select … Employees: HR + line External provider and/or staff: Procurement + sponsor …
  20. 20. Documenting
  21. 21. 21- Classification: internal - Page People onboarding, leaving, changing functions • Documents • Onboard • Checklist • Assets / Access • Training Contract • Training • Evaluation Execute • Documents • Exit • Checklist • Retrieval Exit Employees: HR + line HR + sponsor Change / Transfer Join Leave External staff: Procurement -
  22. 22. 22- Classification: internal - Page Data exporter Different capacities possible: controller or processor. Data importer Different capacities possible: controller or (sub-)processor. So: Controller Controller Processor Controller Processor Adde the geographic aspect Data Export – Data Import
  23. 23. Follow-up
  24. 24. 24- Classification: internal - Page Principles of Follow-Up Period risk-based review of the relations. Risk Time Informal Audit Assurance Questionnaire Relationship management On Site Visit Approaches
  25. 25. Useful Additional Information
  26. 26. 26- Classification: internal - Page Especially Relevant Policy Documents • Outsourcing Policy • Third Party Assessment Procedure • Third Party Contracting Procedure • Third Party Follow-up Procedure • Secure Information Exchange Procedure • Secure Development Policy • JLT Procedure • Joiner Checklist template • Leaver Checklist template • Transfer = Leaver + Joiner (Sharepoint) (Folder) x:HROnboarding Docs x:HROnboarding x:HRLeavers
  27. 27. 27- Classification: internal - Page Especially Relevant Policy Documents • Outsourcing Documents • IS/DPP questionnaire • Bodyshopping template • IS/DPP Contract Schedule (basic) • EU Standard Contractual Clauses • Controller-to-Controller • Controller-to-Processor • Templates for specific situations (project “NDAs”, etc.) (Sharepoint) (Folder)
  28. 28. 28- Classification: internal - Page Relevent Points of Contact Input for the assessment Project manager Information Asset Owner (see Inventory) Sounding board and support on contracting Legal  (name) Sparring partner for follow- up Information Asset Owner (see Inventory) Review of IS/DPP questionnaire answers CISO  (name) DPO (personal data)  (name)
  29. 29. 29- Classification: internal - Page Processes (add processes of JLT procedure)