EXAMPLE IS/DPP TOP POLICY
1. General
  1.1 Scope
  1.2 Management Buy-In
2. Principles
3. Accountability and Governance
  3.1 BoD
  3.2 Executive Committee
  3.3 Risk Management Committee
  3.4 Executive Sponsor
  3.5 Information Security Team
  3.6 CISO
  3.7 DPO
  3.8 Legal Department
  3.9 Risk Management
  3.10 Internal Audit
  3.11 Project Managers
  3.12 Information Asset Owners
  3.13 Staff
4. Policy framework
  4.1 Policy Documents
  4.2 Policy Definition Process
  4.3 Exceptions Management
5. Communication
  5.1 Communication
  5.2 Training
  5.3 Awareness
6. Enforcement
7. Reporting
  7.1 Top level: Risk Management Committee
  7.2 Lower levels
1. General
1.1 SCOPE
This policy relates to information security, data protection and privacy (IS/DPP) and applies to CORPORATION.
1.2 MANAGEMENT BUY-IN
The top management of CORPORATION
- acknowledges the importance of IS/DPP
- appoints the COO as the executive sponsor for CORPORATION’s IS/DPP program
- champions
  - robust information security in line with the state of the art in the industry
  - transparent data protection
  - raising the maturity of IS/DPP to a level where it is well known and managed throughout the organisation, and keeping it at that level
  - keeping the risk in relation to IS/DPP in general at a low risk level, that is a level that
    - does not reasonably lead to criminal sanctions for the company or any of its staff
    - does not foreseeably exceed a financial risk of xxx EUR
    - does not reasonably lead to negative exposure in nationally and/or internationally distributed media (such as newspapers)
    - does not harm the top xxx customers and/or a cluster of more than xxx customers
- commits to
  - leading by example
  - reasonably supplying the means
    - to bring the technology up to standard
    - to communicate to the staff to raise knowledge and awareness on IS/DPP
  - supporting the CISO and the DPO, among others by giving them access to all the means and staff of the organisation, giving them access to (personal) data and processing operations, ensuring they can maintain their respective expert knowledge, ensuring that they are involved, properly and in a timely manner, in all issues which relate to the protection of (personal) data, …
  - not instructing the DPO with regard to the exercise of the DPO’s (legal) tasks
  - acknowledging, adopting and enforcing the reasonable policy documents the CISO and/or the DPO present
2. Principles
CORPORATION sets the following guiding principles on information security, data protection and privacy (IS/DPP):
- IS/DPP is not only compliance driven, but also flows from the ethical stature of CORPORATION and serves to protect CORPORATION, its business, its staff and its customers.
- IS/DPP is a point of attention for everybody in the organisation.
- IS/DPP is applied in a risk-based manner: the risk should be known internally; risks should be in line with CORPORATION’s risk appetite; the risk assessment should take into account the nature, scope, context and purposes of processing; etc.
- CORPORATION wants to set up processes and procedures that are future-proof, and which therefore take into account potential future risks and are privacy-by-design and privacy-by-default.
- CORPORATION uses the following major benchmarks for its IS/DPP framework:
  - the General Data Protection Regulation
  - the reference measures issued by the Belgian Data Protection Authority, which inherently refer to the ISO 27000 series
3. Accountability and Governance
Within the CORPORATION organisation everybody can and should contribute to IS/DPP. To streamline the governance, some bodies and persons in the organisation are designated to decide on or implement aspects of the IS/DPP framework.
3.1 BOD
The Board of Directors is, at a strategic and final level, accountable for IS/DPP within the CORPORATION organisation.
The Board of Directors adopts the strategy on IS/DPP. That is the highest policy document on IS/DPP in the CORPORATION organisation.
The Board of Directors ensures that IS/DPP is taken into account in all documents it (legally) must adopt or acknowledge, such as the governance memorandum, the internal control statement, etc.
The Board of Directors can evoke and review any decision in the organisation on IS/DPP.
3.2 EXECUTIVE COMMITTEE
The Executive Committee is, at the highest operational level, accountable for IS/DPP within the CORPORATION organisation.
Key responsibilities of the Executive Committee in the context of IS/DPP are:
- reviewing and ratifying IS/DPP policy documents, as the case may be ensuring that they are in line with the organisation’s business strategy
- interpreting and fine-tuning the risk appetite determined by the Board of Directors
- supporting the awareness efforts in the context of IS/DPP by their collective and individual decisions and actions (“tone at the top”)
- providing the necessary means
  - to support the IS/DPP measures in the field of ICT as part of the ICT budget
  - to support the IS/DPP measures in the field of facilities as part of the facilities budget
  - to support the IS/DPP measures in the field of communication, training and awareness of the staff as part of the HR budget
  - to support the IS/DPP third line control as part of the audit budget
  - to comply with the data protection and privacy legislation, in as far as not covered by the other budgets above, as part of the compliance budget
- deciding on issues brought to its attention by the DPO with a request for a decision
- reviewing escalations from the Risk Management Committee with regard to the reporting set up under this IS/DPP framework
3.3 RISK MANAGEMENT COMMITTEE
Key responsibilities of the Risk Management Committee in the context of IS/DPP are:
- reviewing IS/DPP policy documents and providing advice to the Management Committee
- reviewing the top level reporting set up under this IS/DPP framework and escalating issues to the Executive Committee
3.4 EXECUTIVE SPONSOR
Key responsibilities of the Executive Sponsor in the context of IS/DPP are:
- “representing” the topic of IS/DPP around the table of the Executive Committee in all topics on its agenda
- acting as a sounding board for the DPO and the CISO on a regular and ad hoc basis
- acting as a channel to the Risk Management Committee and the Executive Committee at times the DPO and CISO want to bring an item to those for a
3.5 INFORMATION SECURITY TEAM
The core Information Security Team is composed of:
- the Executive Sponsor
- the DPO
- the CISO
- the head of HR
The Information Security Team can, at the request of one of its core members, be joined by any other relevant party, e.g.
- the head of facilities
- the head of IT
- a representative of the legal department
- a representative of risk management
- a representative of internal audit
- an external expert on IS/DPP
Key responsibilities of the Information Security Team are:
- presenting, on a yearly basis or at a shorter interval when needed,
  - a high-level risk assessment (via the reporting) of the IS/DPP risk posture
  - a gap analysis against the position wanted on the critical points and other major points
  - an action plan with regard to the critical points and other major points
  - an overview and analysis of the (upcoming) changes that (may) impact the organisation
- following up (upcoming) changes that (may) impact the organisation, which includes changes to the regulatory environment (legislation, case law, interpretation, etc.), to the IT and security architecture, …
- preparing (binding) IS/DPP policy documents, reviewing them at regular intervals (to be determined by the Information Security Team) or when such is triggered by a change (in the law, in the organisation, …) and proposing actualisations, updates and improvements
- issuing (and periodically updating) IS/DPP guidance
- coordinating the different aspects of IS/DPP to improve the cooperation and alignment between the actors involved and to avoid parallel or crossing initiatives or activities, among others in the field of
  - communication, training and awareness raising on IS/DPP
  - first, second and third line controls
- managing IS/DPP related critical incidents from notification through to resolution, mainly through coordination
- supervising and coordinating the different aspects of IS/DPP in programs and projects, such as
  - reviewing whether program and project solutions are compliant with IS/DPP policy documents, if not tackled at another level (e.g. in the program or project steering committee)
  - approving program and project level exceptions to IS/DPP policy documents
  - reviewing and resolving key cross-program or cross-project IS/DPP issues
- ensuring regular IS/DPP second and third line controls are undertaken and findings are followed up and resolved within reasonable, required timeframes
- preparing the overarching IS/DPP reporting to the top management
The roles, functions and tasks of the Information Security Team can be further elaborated in other (lower-level) policy documents.
3.6 CISO
A member of the IT team is appointed as chief information security officer (CISO).
Key responsibilities of the CISO are:
- suggesting guidance to the Information Security Team
- advising on, stimulating, verifying, and documenting the implementation of measures related to IS/DPP (with a focus on information security as defined by best practices), in particular in relation to
  - (information) asset management (1), as in keeping the architecture and overview of hardware, software, databases and data sets
  - security at the level of the medium
  - device security
  - network security
  - business continuity
  - incident management
- cooperating and aligning with the DPO on IS/DPP, among others on
  - reviewing policies in the IS/DPP framework to also include aspects relating to data protection and privacy
  - communicating, training and raising awareness on IS/DPP
  - implementing organizational and technical measures to protect (personal) data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorized disclosure, dissemination or access, or alteration of personal data, thereby ensuring compliance with the relevant laws and regulations
  - tackling and reviewing incidents related to IS/DPP
- stimulating and coordinating the efforts on communication, training and awareness
- supervising the joiner/leaver/transfer process
- with regard to third parties with an impact on the IS/DPP posture of the organization
  - ensuring the documented prior screening of such third parties
  - ensuring the documented follow-up of such third parties
- coordinating and consolidating the reporting on
  - efforts on communication, training and awareness
  - the effectiveness of access management
  - the application of the joiner/leaver/transfer process
  - service levels
    - imposed on third parties relating to IS/DPP
    - relating to IS/DPP defined by the Information Security Team
  - key performance indicators relating to IS/DPP defined by the Information Security Team
  - assurance from third parties relating to IS/DPP
  - the results of controls performed
  - IS/DPP incidents
  - IS/DPP risks
The roles, functions and tasks of the CISO can be further elaborated in other (lower-level) policy documents.
In order to fulfil his mission, the CISO
- receives sufficient resources (time, staffing, equipment and budget)
- has unhindered access to the information necessary to perform his function.
(1) Not to be confused with financial asset management.
3.7 DPO
3.7.1 DPO
The compliance officer is (also) assigned as data protection officer.
The mission of the data protection officer includes all the tasks allocated to the data protection officer in the law, e.g.
- towards Identifin / the National Register
- towards the Crossroads Database on Social Security (with regard to work related accidents)
Key responsibilities of the DPO are:
- performing the tasks that are allocated to him by law
- cooperating and aligning with the CISO on IS/DPP, among others on
  - reviewing policies in the IS/DPP framework to also include aspects relating to data protection and privacy
  - communicating, training and raising awareness on IS/DPP
  - implementing organizational and technical measures to protect (personal) data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorized disclosure, dissemination or access, or alteration of personal data, thereby ensuring compliance with the relevant laws and regulations
  - tackling and reviewing incidents related to IS/DPP
- liaising and consulting with Legal, if and when necessary, in advising on personal data protection and privacy legislation
- operating as external Single Point of Contact (SPOC)
  - at least in second line (after the complaints handling team and/or the team handling the requests from data subjects), within the organisation regarding all matters related to personal data protection and privacy
  - for the organisation towards the authorities regarding all matters related to personal data protection and privacy
- advising on, stimulating, verifying, and documenting the compliance with applicable data protection and privacy legislation, including but not limited to
  - informing and advising the organisation and the staff who carry out processing of their obligations pursuant to the legislation
  - advising when prior checking with the authorities should be considered
- ensuring the proper translation of personal data protection principles into the IS/DPP policy documents and the proper implementation thereof
- suggesting guidance to the Information Security Team
- supporting the organization, in particular the project managers and information asset owners, in documenting the data processing and making privacy impact assessments on
  - new initiatives and projects
  - existing data processing, including updating such documentation
- providing advice on any use of personal data in circumstances that are not steered by policy documents or when policy documents require interpretation
- giving a (conditional) sign-off on
  - the use of personal data for uses that are not yet (fully) defined, e.g. in tests or in projects that have not been delivered yet
  - the texts and/or processes used to meet the transparency requirements or to capture consent of the data subject
  - the texts, templates and/or processes used to meet the requirements on properly binding third parties with an impact on the IS/DPP posture of the organization
- advising on and supervising proper transparency towards
  - data subjects
  - data protection authorities
  - the public
- coordinating and consolidating reporting on IS/DPP matters that are not covered by other reporting lines, amongst others on
  - new IS/DPP relevant legislation
In order to fulfil his mission, the DPO
- receives sufficient resources (time, staffing, equipment, training and budget)
- has unhindered access to the information necessary to perform his function
- should remain in an independent position and thus
  - hold no other functions which could result in a conflict of interest pertaining to his role
  - not receive (binding) instructions on the execution of the role as DPO
The DPO has the right to veto all initiatives that are not in line with IS/DPP policies, laws or security requirements. Such a veto can only be overruled in writing by the Executive Committee.
The DPO can report and escalate directly to the Executive Committee and/or (the chair of) the Board of Directors, if he considers the other reporting lines insufficient.
The DPO is bound by a professional duty of secrecy.
3.7.2 DEPUTY DPOS
The Executive Committee can, advised by the DPO, appoint (a) deputy data protection officer(s) who focus(es) on data protection relating to
- staff data
- health data
- judicial data
The deputy DPO supports the DPO in the focus area that is assigned to him and, in concert with the DPO, performs the jobs of the DPO in that focus area. For the avoidance of doubt, there is no hierarchical link between the deputy DPOs and the DPO, but only a functional link.
The tasks as deputy DPO are considered to be part of the function of the deputy DPOs and are evaluated in the generic evaluation of the deputy DPOs.
The roles, functions and tasks of the deputy DPOs can be further elaborated in other (lower-level) policy documents and in arrangements between the DPO and the respective deputy DPOs.
3.8 LEGAL DEPARTMENT
The legal department acts as a support function for the Data Protection Officer for all legal and regulatory issues.
The key responsibilities of the Legal Department in the context of IS/DPP are to:
- support the Data Protection Officer in all relevant legal aspects, such as
  - his advice on the personal data processing aspects of the various products and services of the organisation
  - checks of legal documentation with regard to data processing (incl. agreements, SOC assurance documents, …)
- follow the progress of legal and regulatory developments in the domain of personal data protection laws that are or may be relevant for the organisation (incl. EU, Belgium, PCI DSS)
- assess the impact of existing, new and upcoming legislation with a view towards policy setting within the organisation
- provide in-depth knowledge and documentation on the legal aspects of
  - the products and services of the companies
  - the relationship with third party providers and partners
The roles, functions and tasks of the legal department, within the scope of this policy, can be further elaborated in other (lower-level) policy documents.
3.9 RISK MANAGEMENT
The risk management function embeds the IS/DPP risks in the overall risk management framework.
Key responsibilities of the risk management function in the context of IS/DPP are:
- cooperating and aligning with the CISO and DPO on IS/DPP, among others on
  - reviewing policies in the risk management framework to also include aspects relating to IS/DPP
  - communicating, training and raising awareness on risk so that it includes (reference to) IS/DPP
  - tackling and reviewing incidents that are also related to IS/DPP
  - organising second line controls which may also relate to IS/DPP
The roles, functions and tasks of the risk management function, within the scope of this policy, can be further elaborated in other (lower-level) policy documents. They may however never infringe the independence of the internal audit function.
3.10 INTERNAL AUDIT
The internal audit function embeds IS/DPP in the overall (internal) audit framework.
Key responsibilities of the internal audit function in the context of IS/DPP are:
- cooperating and aligning with the CISO and DPO on IS/DPP, among others on
  - organising first, second and third line controls that relate to IS/DPP in a way that covers the broadest scope possible, among others by reasonably avoiding overlap and by using the results of controls of the other lines to improve the controls of the own line
  - tackling and reviewing incidents that are also related to IS/DPP
The roles, functions and tasks of the internal audit function, within the scope of this policy, can be further elaborated in other (lower-level) policy documents. They may however never infringe the independence of the internal audit function.
3.11 PROJECT MANAGERS
Project managers must embed IS/DPP in the overall project documentation from the start of the project.
Key responsibilities of project managers in the context of IS/DPP are:
- If no IS/DPP issues are to be addressed, this is to be explicitly documented in the project documentation.
- If IS/DPP issues are to be addressed (mainly because personal data is being processed at some point during the project and/or in the end product of the project), then the data processing must be described and documented and a privacy impact assessment has to be made following the relevant policy document and, as the case may be, supported by (members of) the Information Security Team.
The roles, functions and tasks of the project managers, within the scope of this policy, can be further elaborated in other (lower-level) policy documents.
3.12 INFORMATION ASSET OWNERS
An Information Asset Owner (IAO) is appointed per (major) Information Asset of the organisation, i.e. a database of data used for a separate purpose, an application containing data used for a separate purpose, …
IAOs are appointed by the line management, advised by the Information Security Team.
Key responsibilities of IAOs in the context of IS/DPP are:
- in general
  - to act as the gatekeeper for access to the information asset, among others by supporting the implementation and review of access rights
  - to support the DPO in collecting and providing information on the data processing within the organisation
  - to document the information asset, including any project documentation relating to the setup, a privacy impact assessment (or at least a description of the data set), a view on where that information asset is embedded in the information management architecture of the organisation, and any dependencies on, respectively of, other information assets within or outside of the organisation
  - to suggest (specific) acceptable use rules or other instructions for the persons with access rights to the DPO
  - to communicate acceptable use rules or other instructions to the persons with access rights and raise awareness on them
  - to proactively raise issues they have in managing the information asset to the DPO and/or the CISO
- if the information asset is a primary source within the organisation
  - to document arrangements with any secondary sources, among others on data minimization, secure and timely delivery, and business continuity, as the case may be following the instructions and templates of the DPO
  - to detect and report to the DPO any derived use of the primary source data that he did not approve beforehand, among others by (periodic) checks on the use
- if the information asset is a secondary source within the organisation
  - to ensure that the data is used in line with the arrangements made with the primary source
  - to ensure that the data is not further processed (incl. disseminated or used) without the formal approval of the IAO of the primary source, which should be documented and based on full information of such further processing (which should in principle be covered by a privacy impact assessment) and a clear argumentation why the connection is not made with the primary source
The roles, functions and tasks of the IAOs can be further elaborated in other (lower-level) policy documents.
3.13 STAFF
Employees and other staff of the organisation must
- comply with the legal requirements related to data protection and privacy
- respect the principles set out and communicated by the organisation in relation to data protection and privacy
- not use their access rights (in the broadest sense) if and when they do not have a demonstrable, professional need-to-know of the data
- respect the information classification given to data and even upgrade it (never downgrade it) if that
- follow the instructions of the organisation with regard to data processing
Employees and other staff of the organisation should
- act as gatekeeper, even towards colleagues, for the personal data they have access to
- upgrade the information classification of data to a level that is more restricted (never downgrade it) if and when that seems appropriate
- support other staff members in protecting (personal) data
- proactively notify the information asset owner if they no longer need certain access rights
- notify (potential) breaches or vulnerabilities in the data protection and privacy setup to the DPO and/or the CISO
The roles, functions and tasks of the staff members can be further elaborated in other (lower-level) policy documents.
4. Policy framework
4.1 POLICY DOCUMENTS
Whereas this overarching policy is the highest norm within the organisation with regard to IS/DPP, other policy documents on the topic will be developed, established, communicated to the (relevant) staff members, and enforced.
The types of norm, their description and the level at which they are decided are:
- Procedures: policy documents that define a procedure to be followed, mainly aimed at involving centers of competence. Decision level: Information Security Team.
- Instructions: policy documents that define instructions to the staff that the staff MUST follow. They can be issued on an “all staff” level, on a unit level or on a staff member level. Decision level: Executive Committee.
- Specifications: policy documents that define technical specifications or requirements that support IS/DPP. Decision level: Executive Committee.
- Standards: policy documents that define “comply or explain” requirements that SHOULD be followed unless there is a solid, documented explanation to deviate which is not vetoed by the CISO or the DPO. Decision level: Executive Committee.
- Guidelines: policy documents that attempt to provide guidance to avoid harm to the data subjects, the staff members or the organization. Decision level: Information Security Team, CISO or DPO.
4.2 POLICY DEFINITION PROCESS
The Information Security Team defines the policy definition process, from idea to publication, respecting the (decision) elements defined in the current policy.
4.3 EXCEPTIONS MANAGEMENT
Exceptions to compliance with a policy document must be decided at the appropriate level, which, if not indicated differently in the policy document to which an exception is made, is the member of the Executive Committee responsible for the department to which the exception applies. Such member of the Executive Committee must always be included for any exception whereof the impact may be above the risk level defined in the first part of this policy.
Exceptions to compliance with a policy document must be documented, irrespective of the type of norm (must, should, can). The documentation must include the rule deviated from, the extent of the exception (department, rule, term, …), the impact of the exception (scope of the impact, among others the number of data subjects, types of data, …; relation of the impact to the risk appetite of the organisation), the advice of the CISO and the DPO on the exception, the decision of the appropriate decision taker and the signature of the decision taker. The documentation must be provided to the DPO, who shall keep a register thereof. The register is taken into account in the reporting on the IS/DPP risk.
The exception management can be further elaborated in other (lower-level) policy documents.
5. Communication
5.1 COMMUNICATION
The DPO and the CISO, in concert, ensure the communication of the IS/DPP policies to the relevant target groups. Coordination is done at the level of the Information Security Team.
The evidence of the communication and, as the case may be, the target group, should be provided to and kept by the DPO.
5.2 TRAINING
The DPO and the CISO, in concert, ensure the training on IS/DPP for the relevant target groups. Coordination is done at the level of the Information Security Team.
Each new employee and on-premises staff member should attend a basic training on IS/DPP within the first month of employment within the organisation.
Each employee and on-premises staff member should attend a training on (selected) key elements of IS/DPP at least once every year.
The training material should be validated by the Information Security Team.
The evidence of the training and, as the case may be, the target group, should be provided to and kept by the DPO.
5.3 AWARENESS
The Information Security Team decides on the awareness raising actions to be set up. The DPO and the CISO make suggestions for such actions.
There should be at least one awareness raising action directed to all employees and on-premises staff members every three months.
The awareness raising material should be validated by the Information Security Team.
The evidence of the awareness raising actions and, as the case may be, the target group, should be provided to and kept by the DPO.
6. Enforcement
Any IS/DPP incident should lead to a root cause analysis, the definition of lessons learned and the implementation of improvement actions.
Any IS/DPP incident can lead to enforcement actions from the line management towards the staff members involved. Enforcement action can range very broadly from the requirement to (again) follow IS/DPP training up to any sanction as defined in the relevant documents (e.g. the agreement with the processor, the employment agreement, …).
7. Reporting
7.1 TOP LEVEL: RISK MANAGEMENT COMMITTEE
The reporting to the top management is a compilation of
- relevant changes, such as changes in the regulatory environment and the organisation
- key (IS/DPP) risk indicators
- progress on the IS/DPP action plan
- the efforts on the communication, training and awareness actions
- the major incidents in the past reporting period
- the results of the first, second and third line controls
The reporting requirement, including its content and its frequency, can be further elaborated
by the Risk Management Committee in other policy documents.
7.2 LOWER LEVELS
The reporting requirement to the Information Security Team, the CISO and the DPO
respectively can be further elaborated by the recipient of such reporting in other (lower-level)
policy documents.

ISMS IS/DPP TOP POLICY - example (governance)

  • 1. EXAMPLE IS/DPP TOP POLICY 1 1. General...................................................................................................................................2 1.1 Scope................................................................................................................................2 1.2 Management Buy-In .........................................................................................................2 2. Principles ................................................................................................................................3 3. Accountability and Governance .............................................................................................4 3.1 BoD...................................................................................................................................4 3.2 Executive Committee........................................................................................................4 3.3 Risk management Committee..........................................................................................4 3.4 Executive Sponsor............................................................................................................5 3.5 Information Security Team ...............................................................................................5 3.6 CISO .................................................................................................................................6 3.7 DPO ..................................................................................................................................7 3.8 Legal Department.............................................................................................................9 3.9 Risk management.............................................................................................................9 3.10 Internal 
Audit...................................................................................................................9 3.11 Project Managers .........................................................................................................10 3.12 Information Asset Owners............................................................................................10 3.13 Staff...............................................................................................................................11 4. Policy framework..................................................................................................................12 4.1 Policy documents............................................................................................................12 4.2 Policy Definition Process................................................................................................12 4.3 Exceptions management................................................................................................12 5. Communication.....................................................................................................................13 5.1 Communication...............................................................................................................13 5.2 Training ...........................................................................................................................13 5.3 Awareness ......................................................................................................................13 6. Enforcement.........................................................................................................................13 7. 
Reporting ..............................................................................................................................14 7.1 Top level: Risk Management Committee.......................................................................14 7.2 Lower levels ....................................................................................................................14
  • 2. EXAMPLE IS/DPP TOP POLICY 2 1. General 1.1 SCOPE This policy relates to information security, data protection and privacy (IS/DPP) and applies to CORPORATION. 1.2 MANAGEMENT BUY-IN The top management of CORPORATION - acknowledges the importance of IS/DPP - appoints the COO as the executive sponsor for CORPORATION’s program IS/DPP - champions o robust information security in line with the state-of-the-art in the industry o transparent data protection o to raise the maturity of IS/DPP to a level where it is well-known and managed throughout the organisation and keep it at that level o to keep the risk in relation to IS/DPP in general at a low risk level, that is a level that  does not reasonably lead to criminal sanctions for the company or any of its staff  does not foreseeably exceed a financial risk of xxx EUR  does not reasonably lead to negative exposure in a nationally and/or internationally distributed media (such as newspapers)  doesn’t harm the top xxx customers and/or a cluster of more than xxx customers - commits to o lead by example o reasonably supplying the means  to bring the technology up to standard  to communicate to the staff to raise knowledge and awareness on IS/DPP o supporting the CISO and the DPO, a.o. by giving them access to all the means and staff of the organisation, giving them access to (personal) data and processing operations, ensuring they can maintain their respective expert knowledge, ensuring that they are involved, properly and in a timely manner, in all issues which relate to the protection of (personal) data, … o not instructing the DPO with regard to the exercise of the DPO’s (legal) tasks o acknowledge, adopt and enforce the reasonable policy documents the CISO and/or the DPO present
2. Principles

CORPORATION sets the following guiding principles on information security, data protection and privacy (IS/DPP):
 IS/DPP is not only compliance driven, but also flows from the ethical stature of CORPORATION and serves to protect CORPORATION, its business, its staff and its customers.
 IS/DPP is a point of attention for everybody in the organisation.
 IS/DPP is applied in a risk-based manner, which includes that the risk should be known internally; risks should be in line with CORPORATION’s risk appetite; the risk assessment should take into account the nature, scope, context and purposes of processing; etc.
 CORPORATION wants to set up processes and procedures that are future-proof, and thus should take into account potential future risks and should be privacy-by-design and privacy-by-default.
 CORPORATION uses the following major benchmarks for its IS/DPP framework:
  o the General Data Protection Regulation
  o the reference measures issued by the Belgian Data Protection Authority, which inherently refer to the ISO 27000 series
3. Accountability and Governance

Within CORPORATION’s organisation everybody can and should contribute to IS/DPP. To streamline the governance, some bodies and persons in the organisation are designated to decide on or implement aspects of the IS/DPP framework.

3.1 BOD

The Board of Directors is, at a strategic and final level, accountable for IS/DPP within the CORPORATION organisation.
The Board of Directors adopts the strategy on IS/DPP. That is the highest policy document on IS/DPP in the CORPORATION organisation.
The Board of Directors ensures that IS/DPP is taken into account in all documents it (legally) must adopt or acknowledge, such as the governance memorandum, the internal control statement, etc.
The Board of Directors can call up (evoke) and review any decision in the organisation on IS/DPP.

3.2 EXECUTIVE COMMITTEE

The Executive Committee is, at the highest operational level, accountable for IS/DPP within the CORPORATION organisation.
Key responsibilities of the Executive Committee in the context of IS/DPP are:
- reviewing and ratifying IS/DPP policy documents, as the case may be ensuring that they are in line with the organisation’s business strategy
- interpreting and fine-tuning the risk appetite determined by the Board of Directors
- supporting the awareness efforts in the context of IS/DPP by their collective and individual decisions and actions (“tone at the top”)
- providing the necessary means
  o to support the IS/DPP measures in the field of ICT as part of the ICT budget
  o to support the IS/DPP measures in the field of facilities as part of the facilities budget
  o to support the IS/DPP measures in the field of communication, training and awareness of the staff as part of the HR budget
  o to support the IS/DPP third line control as part of the audit budget
  o to comply with the data protection and privacy legislation, in so far as not covered by the other budgets above, as part of the compliance budget
- deciding on issues brought to its attention by the DPO with a request for a decision
- reviewing escalations from the Risk Management Committee with regard to the reporting set up under this IS/DPP framework

3.3 RISK MANAGEMENT COMMITTEE

Key responsibilities of the Risk Management Committee in the context of IS/DPP are:
- reviewing IS/DPP policy documents and providing advice to the Management Committee
- reviewing the top level reporting set up under this IS/DPP framework and escalating issues to the Executive Committee
3.4 EXECUTIVE SPONSOR

Key responsibilities of the Executive Sponsor in the context of IS/DPP are:
- “representing” the topic of IS/DPP around the table of the Executive Committee in all topics on its agenda
- acting as a sounding board for the DPO and the CISO on a regular and ad hoc basis
- acting as a channel to the Risk Management Committee and the Executive Committee whenever the DPO and CISO want to bring an item to those fora

3.5 INFORMATION SECURITY TEAM

The core Information Security Team is composed of:
- the Executive Sponsor
- the DPO
- the CISO
- the head of HR
The Information Security Team can, at the request of one of its core members, be joined by any other relevant party, e.g.
- the head of facilities
- the head of IT
- a representative of the legal department
- a representative of risk management
- a representative of internal audit
- an external expert on IS/DPP
Key responsibilities of the Information Security Team are:
- presenting, on a yearly basis or at a shorter interval when needed,
  o a high-level risk assessment (via the reporting) of the IS/DPP risk posture
  o a gap analysis against the position wanted on the critical points and other major points
  o an action plan with regard to the critical points and other major points
  o an overview and analysis of the (upcoming) changes that (may) impact the organisation
- following up (upcoming) changes that (may) impact the organisation, which includes changes to the regulatory environment (legislation, case law, interpretation, etc.), to the IT and security architecture, …
- preparing (binding) IS/DPP policy documents, reviewing them at regular intervals (to be determined by the Information Security Team) or when such a review is triggered by a change (in the law, in the organisation, …) and proposing actualisations, updates and improvements
- issuing (and periodically updating) IS/DPP guidance
- coordinating the different aspects of IS/DPP to improve the cooperation and alignment between the actors involved and avoid parallel or crossing initiatives or activities, a.o. in the field of
  o communication, training and awareness raising on IS/DPP
  o first, second and third line controls
- managing IS/DPP related critical incidents from notification through to resolution, mainly through coordination
- supervising and coordinating the different aspects of IS/DPP in programs and projects, such as
  o reviewing whether program and project solutions are compliant with IS/DPP policy documents, if not tackled at another level (e.g. in the program or project steering committee)
  o approving program and project level exceptions to IS/DPP policy documents
  o reviewing and resolving key cross-program or cross-project IS/DPP issues
- ensuring regular IS/DPP second and third line controls are undertaken and findings are followed up and resolved within reasonable, required timeframes
- preparing the overarching IS/DPP reporting to the top management
The roles, functions and tasks of the Information Security Team can be further elaborated in other (lower-level) policy documents.

3.6 CISO

A member of the IT team is appointed as chief information security officer (CISO).
Key responsibilities of the CISO are:
- suggesting guidance to the Information Security Team
- advising on, stimulating, verifying and documenting the implementation of measures related to IS/DPP (with a focus on information security as defined by the best practices), in particular in relation to
  o (information) asset management [1], as in keeping the architecture and overview of hardware, software, databases and data sets
  o security at the level of the medium
  o device security
  o network security
  o business continuity
  o incident management
- cooperating and aligning with the DPO on IS/DPP, a.o. on
  o reviewing policies in the IS/DPP framework to also include aspects relating to data protection and privacy
  o communicating, training and raising awareness on IS/DPP
  o implementing organizational and technical measures to protect (personal) data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorized disclosure, dissemination or access, or alteration of personal data, thereby ensuring compliance with the relevant laws and regulations
  o tackling and reviewing incidents related to IS/DPP
- stimulating and coordinating the efforts on communication, training and awareness
- supervising the joiner/leaver/transfer process
- with regard to third parties with an impact on the IS/DPP posture of the organization
  o ensuring the documented prior screening of such third parties
  o ensuring the documented follow-up of such third parties
- coordinating and consolidating the reporting on
  o efforts on communication, training and awareness
  o the effectiveness of access management
  o the application of the joiner/leaver/transfer process
  o service levels
     imposed on third parties relating to IS/DPP
     relating to IS/DPP defined by the Information Security Team

[1] Not to be confused with financial asset management.
  o key performance indicators relating to IS/DPP defined by the Information Security Team
  o assurance from third parties relating to IS/DPP
  o the results of controls performed
  o IS/DPP incidents
  o IS/DPP risks
The roles, functions and tasks of the CISO can be further elaborated in other (lower-level) policy documents.
In order to fulfill his mission, the CISO
- receives sufficient resources (time, staffing, equipment and budget)
- has unhindered access to the information necessary to perform his function.

3.7 DPO

3.7.1 DPO

The compliance officer is (also) assigned as data protection officer. The mission of the data protection officer includes all the tasks allocated to the data protection officer in the law, e.g.
- towards Identifin / the National Register
- towards the Crossroads Database on Social Security (with regard to work related accidents)
Key responsibilities of the DPO are:
- performing the tasks that are assigned to him by law
- cooperating and aligning with the CISO on IS/DPP, a.o. on
  o reviewing policies in the IS/DPP framework to also include aspects relating to data protection and privacy
  o communicating, training and raising awareness on IS/DPP
  o implementing organizational and technical measures to protect (personal) data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorized disclosure, dissemination or access, or alteration of personal data, thereby ensuring compliance with the relevant laws and regulations
  o tackling and reviewing incidents related to IS/DPP
- liaising and consulting with Legal, if and when necessary, in advising on personal data protection and privacy legislation
- operating as external Single Point of Contact (SPOC)
  o at least in second line (after the complaints handling team and/or the team handling the requests from data subjects), within the organisation regarding all matters related to personal data protection and privacy
  o for the organisation to the authorities regarding all matters related to personal data protection and privacy
- advising on, stimulating, verifying and documenting compliance with applicable data protection and privacy legislation, including but not limited to
  o informing and advising the organisation and the staff who carry out processing of their obligations pursuant to the legislation
  o advising when prior checking with the authorities should be considered
- ensuring the proper translation of personal data protection principles into the IS/DPP policy documents and the proper implementation thereof
- suggesting guidance to the Information Security Team
- supporting the organization, in particular the project managers and information asset owners, in documenting the data processing and making privacy impact assessments on
  o new initiatives and projects
  o existing data processing, including updating such documentation
- providing advice on any use of personal data in circumstances that are not steered by policy documents or when policy documents require interpretation
- giving a (conditional) sign-off on
  o the use of personal data for uses that are not yet (fully) defined, e.g. in tests or in projects that have not been delivered yet
  o the texts and/or processes used to meet the transparency requirements or to capture the consent of the data subject
  o the texts, templates and/or processes used to meet the requirements on properly binding third parties with an impact on the IS/DPP posture of the organization
- advising on and supervising proper transparency towards
  o data subjects
  o data protection authorities
  o the public
- coordinating and consolidating reporting on IS/DPP matters that are not covered by other reporting lines, amongst others on
  o new IS/DPP relevant legislation
In order to fulfill his mission, the DPO
- receives sufficient resources (time, staffing, equipment, training and budget)
- has unhindered access to the information necessary to perform his function
- should remain in an independent position and thus
  o hold no other functions which could result in a conflict of interest pertaining to his role
  o not receive (binding) instructions on the execution of the role as DPO
The DPO has the right to veto all initiatives that are not in line with IS/DPP policies, laws or security requirements. Such a veto can only be overruled in writing by the Executive Committee.
The DPO can report and escalate directly to the Executive Committee and/or (the chair of) the Board of Directors, if he considers the other reporting lines insufficient.
The DPO is bound by a professional duty of secrecy.

3.7.2 DEPUTY DPOS

The Executive Committee can, advised by the DPO, appoint (a) deputy data protection officer(s) who focus(es) on data protection relating to
- staff data
- health data
- judicial data
The deputy DPO supports the DPO in the focus area that is assigned to him and, in concert with the DPO, performs the jobs of the DPO in that focus area. For the avoidance of doubt, there is no hierarchical link between the deputy DPOs and the DPO, but only a functional link.
The tasks as deputy DPO are considered to be part of the function of the deputy DPOs and are evaluated in the generic evaluation of the deputy DPOs.
The roles, functions and tasks of the deputy DPOs can be further elaborated in other (lower-level) policy documents and in arrangements between the DPO and the respective deputy DPOs.

3.8 LEGAL DEPARTMENT

The legal department acts as a support function for the Data Protection Officer for all legal and regulatory issues.
The key responsibilities of the Legal Department in the context of IS/DPP are to:
- support the Data Protection Officer in all relevant legal aspects, such as
  o his advice on the personal data processing aspects of the various products and services of the organisation
  o checks of legal documentation with regard to data processing (incl. agreements, SOC assurance documents, …)
- follow the progress of legal and regulatory developments in the domain of personal data protection laws that are or may be relevant for the organisation (incl. EU, Belgium, PCI DSS)
- assess the impact of existing, new and upcoming legislation with a view to policy setting within the organisation
- provide in-depth knowledge and documentation on the legal aspects of
  o the products and services of the companies
  o the relationship with third party providers and partners
The roles, functions and tasks of the legal department (within the scope of this policy) can be further elaborated in other (lower-level) policy documents.

3.9 RISK MANAGEMENT

The risk management function embeds the IS/DPP risks in the overall risk management framework.
Key responsibilities of the risk management function in the context of IS/DPP are:
- cooperating and aligning with the CISO and DPO on IS/DPP, a.o. on
  o reviewing policies in the risk management framework to also include aspects relating to IS/DPP
  o communicating, training and raising awareness on risk for it to include (reference to) IS/DPP
  o tackling and reviewing incidents that are also related to IS/DPP
  o organising second line controls which may also relate to IS/DPP
The roles, functions and tasks of the risk management function (within the scope of this policy) can be further elaborated in other (lower-level) policy documents. They may however never infringe the independence of the internal audit function.

3.10 INTERNAL AUDIT

The internal audit function embeds IS/DPP in the overall (internal) audit framework.
Key responsibilities of the internal audit function in the context of IS/DPP are:
- cooperating and aligning with the CISO and DPO on IS/DPP, a.o. on
  o organising first, second and third line controls that relate to IS/DPP in a way that covers the broadest scope possible, a.o. by reasonably avoiding overlap and by using the results of controls of the other lines to improve the controls of the own line
  o tackling and reviewing incidents that are also related to IS/DPP
The roles, functions and tasks of the internal audit function (within the scope of this policy) can be further elaborated in other (lower-level) policy documents. They may however never infringe the independence of the internal audit function.

3.11 PROJECT MANAGERS

Project managers must embed IS/DPP in the overall project documentation from the start of the project.
Key responsibilities of project managers in the context of IS/DPP are:
- If no IS/DPP issues are to be addressed, this is to be explicitly documented in the project documentation.
- If IS/DPP issues are to be addressed (mainly because personal data is being processed at one point during the project and/or by the end product of the project), then the data processing must be described and documented and a privacy impact assessment has to be made following the relevant policy document and, as the case may be, supported by (members of) the Information Security Team.
The roles, functions and tasks of the project managers (within the scope of this policy) can be further elaborated in other (lower-level) policy documents.

3.12 INFORMATION ASSET OWNERS

An Information Asset Owner (IAO) is appointed per (major) information asset of the organisation, i.e. a database of data used for a separate purpose, an application containing data used for a separate purpose, …
IAOs are appointed by the line management, advised by the Information Security Team.
Key responsibilities of IAOs in the context of IS/DPP are:
- in general
  o to act as the gatekeeper for access to the information asset, a.o. by supporting the implementation and review of access rights
  o to support the DPO in collecting and providing information on the data processing within the organisation
  o to document the information asset, including any project documentation relating to the setup, a privacy impact assessment (or at least a description of the data set), a view on where that information asset is embedded in the information management architecture of the organisation, and any dependencies on, respectively of, other information assets within or outside of the organisation
  o to suggest (specific) acceptable use rules or other instructions for the persons with access rights to the DPO
  o to communicate acceptable use rules or other instructions to the persons with access rights and raise awareness of them
  o to proactively raise issues they have in managing the information asset to the DPO and/or the CISO
- if the information asset is a primary source within the organisation
  o to document arrangements with any secondary sources, a.o. on data minimization, secure and timely delivery, and business continuity, as the case may be following the instructions and templates of the DPO
  o to detect and report to the DPO any derived use of the primary source data he did not approve beforehand, a.o. by (periodic) checks on the use
- if the information asset is a secondary source within the organisation
  o to ensure that the data is used in line with the arrangements made with the primary source
  o to ensure that the data is not further processed (incl. disseminated or used) without the formal approval of the IAO of the primary source, which should be documented and based on full information on such further processing (which should in principle be covered by a privacy impact assessment) and a clear argumentation why the connection is not made with the primary source
The roles, functions and tasks of the IAOs can be further elaborated in other (lower-level) policy documents.
3.13 STAFF

Employees and other staff of the organisation must
- comply with the legal requirements related to data protection and privacy
- respect the principles set out and communicated by the organisation in relation to data protection and privacy
- not use their access rights (in the broadest sense) if and when they do not have a demonstrable, professional need-to-know of the data
- respect the information classification given to data and even upgrade it (never downgrade it) if that
- follow the instructions of the organisation with regard to data processing
Employees and other staff of the organisation should
- act as gatekeeper, even to colleagues, for the personal data they have access to
- upgrade the information classification of data to a level that is more restricted (never downgrade it) if and when that seems appropriate
- support other staff members in protecting (personal) data
- proactively notify the information asset owner if they no longer need certain access rights
- notify (potential) breaches or vulnerabilities in the data protection and privacy setup to the DPO and/or the CISO
The roles, functions and tasks of the staff members can be further elaborated in other (lower-level) policy documents.
4. Policy framework

4.1 POLICY DOCUMENTS

Whereas this overarching policy is the highest norm within the organisation with regard to IS/DPP, other policy documents on the topic will be developed, established, communicated to the (relevant) staff members, and enforced.

Type of norm | Description | Decision level
Procedures | Policy documents that define a procedure to be followed, mainly aimed at involving centers of competence. | Information Security Team
Instructions | Policy documents that define instructions to the staff that the staff MUST follow. They can be issued on an “all staff” level, on a unit level or on a staff member level. | Executive Committee
Specifications | Policy documents that define technical specifications or requirements that support IS/DPP. | Executive Committee
Standards | Policy documents that define “comply or explain” requirements that SHOULD be followed unless there is a solid, documented explanation to deviate which is not vetoed by the CISO or the DPO. | Executive Committee
Guidelines | Policy documents that attempt to provide guidance to avoid harm to the data subjects, the staff members or the organization. | Information Security Team, CISO or DPO

4.2 POLICY DEFINITION PROCESS

The Information Security Team defines the policy definition process (from idea to publication), respecting the (decision) elements defined in the current policy.

4.3 EXCEPTIONS MANAGEMENT

Exceptions to compliance with a policy document must be decided at the appropriate level, which, if not indicated differently in the policy document to which an exception is made, is the member of the Executive Committee responsible for the department to which the exception applies. Such member of the Executive Committee must always be included for any exception whereof the impact may be above the risk level defined in the first part of this policy.
Exceptions to compliance with a policy document must be documented, irrespective of the type of norm (must, should, can). The documentation must include the rule deviated from, the extent of the exception (department, rule, term, …), the impact of the exception (scope of the impact, a.o. number of data subjects, types of data, …; relation of the impact to the risk appetite of the organisation), the advice of the CISO and the DPO on the exception, the decision of the appropriate decision taker and the signature of the decision taker.
The documentation must be provided to the DPO, who shall keep a register thereof. The register is taken into account in the reporting on the IS/DPP risk.
The exception management can be further elaborated in other (lower-level) policy documents.
5. Communication

5.1 COMMUNICATION

The DPO and the CISO, in concert, ensure the communication of the IS/DPP policies to the relevant target groups. Coordination is done at the level of the Information Security Team.
The evidence of the communication and, as the case may be, the target group, should be provided to and kept by the DPO.

5.2 TRAINING

The DPO and the CISO, in concert, ensure the training on IS/DPP of the relevant target groups. Coordination is done at the level of the Information Security Team.
Each new employee and on-premises staff member should attend a basic training on IS/DPP within the first month of employment within the organisation. Each employee and on-premises staff member should attend a training on (selected) key elements of IS/DPP at least once every year.
The training material should be validated by the Information Security Team.
The evidence of the training and, as the case may be, the target group, should be provided to and kept by the DPO.

5.3 AWARENESS

The Information Security Team decides on the awareness raising actions to be set up. The DPO and the CISO make suggestions for such actions.
There should be at least 1 awareness raising action directed to all employees and on-premises staff members per three months.
The awareness raising material should be validated by the Information Security Team.
The evidence of the awareness raising actions and, as the case may be, the target group, should be provided to and kept by the DPO.

6. Enforcement

Any IS/DPP incident should lead to a root cause analysis, the definition of lessons learned and the implementation of improvement actions.
Any IS/DPP incident can lead to enforcement actions from the line management towards the staff members involved. Enforcement action can range very broadly from the requirement to (again) follow IS/DPP training up to any sanction as defined in the relevant documents (e.g. the agreement with the processor, the employment agreement, …).
7. Reporting

7.1 TOP LEVEL: RISK MANAGEMENT COMMITTEE

The reporting to the top management is a compilation of
- relevant changes, such as changes in the regulatory environment and the organisation
- key (IS/DPP) risk indicators
- progress on the IS/DPP action plan
- the efforts on the communication, training and awareness actions
- the major incidents in the past reporting period
- the results of the first, second and third line controls
The reporting requirement, including its content and its frequency, can be further elaborated by the Risk Management Committee in other policy documents.

7.2 LOWER LEVELS

The reporting requirement to the Information Security Team, the CISO and the DPO respectively can be further elaborated by the recipient of such reporting in other (lower-level) policy documents.