This is an example training in the context of IS/DPP, information security, data protection and privacy. It is a training directed to IAOs, information assets owners. The generic idea is that IAOs support the inventory and overview of the company or group on information assets (which can, but don't per se have to include personal data). By a well implemented governance through IAOs it should be easier to upkeep the overview close to the actual users, thus increasing ownership and awareness of information security and privacy.

1. - Classification : internal -
COMPANY
IS/DPP Level-Up Training Sessions
Informantion Asset Owners
(date)

2. 2
- Classification: Internal - Page
“Level-up”
In addition to the baseline training for all staff
Applicable to specific staff, in this case: information asset owners
Why?
- Information asset owners are the primary responsible indivuals for a
specific internal or external data source. They form a pivotal role in
the information asset architecture and management as they are the
single points of contact for the data sources of the organisation.
- Therefore information asset owners are well-placed champions for
IS/DPP.

3. 3
- Classification: Internal - Page
YOUR MISSION, should you choose to accept it…
Take up active ownership of Information Assets assigned to you in the
Business-As-Usual
by
 Keeping the IS/DPP documentation on the Information Assets and
keeping it up-to-date, especially additional uses.
 Liaise with the CISO so he can keep the overview,
a.o. via the Information Asset Inventory
 Guard (the access to) the Information Assets,
their quality and their perimeter throughout their lifecycle.
 Support the Access Management.

4. Q1: Why is there a setup with Information Asset
Owners?

5. 5
- Classification: Internal - Page
Data is everywhere.

6. 6
- Classification: Internal - Page
Data is everywhere, we organise it

7. 7
- Classification: Internal - Page
Data is everywhere, we organise it, to be able to manage it

8. 8
- Classification: Internal - Page
Architectural benefit
• Overview.
• Easier to grasp.
• Support / Single Point of Contact for certain data sets.
• Future ?
• Single (“authentic”) source for certain data.
• Agile, decentralized deployment.

9. Q2: What documentation should I keep?

10. 10
- Classification: Internal - Page
Checklist
 Data set and data flow description
 Risk mitigating / sharing measures (as implemented)
Technical measures (+ point of contact)
Organisational measures
 documented (a.o. who can/should have access?)
 communication/training/awareness [plan]
 Residual risk acceptance (if any, documented)
 Risk assessment (different versions)
After implementation project (legacy = absent)
Regular reviews
 Periodic (norm : 1 / year)
 Due to changes

11. 11
- Classification: Internal - Page
Document: Data Sets (first 3 criteria)
Source of the data Objective / Subjective
Data Subject / Generated ourselves / 3rd party / …
Purpose for the
data
Credit review, AML screening, profiling, contact in execution
of agreement, marketing, segmentation, …
Data subject Customer, cardholder, prospect,
candidate, staff member, contact at
supplier, contact at corporate customer,…
Data fields Free fields: Name, address, free comment, meeting report,
…
Dropdown lists: Country, Title, Status,…
Special categories
of data
Financial data, card data (PCI), …
Relating to race, ethnic origin, (political, philosophical,
religious) beliefs, trade union membership, sexual life
Health data / Judicial data (related to litigation, criminal
sanctions, presumptions of criminal facts,…)
(Estimated) volume By number of data subjects, by number of data fields per
data subject, …

12. 12
- Classification: Internal - Page
Scope = DATA
Idea
Process
Texts
“Image”
Card(holder) Data
Personal Data
Customer Data
Copyright
Patent
Trade Mark
Data Subject
Competitive advantage
Legal protection
(when in the open)Want to
protect
Have to
protect
(by obscurity)
Duty of discretion
PCI DSS (PSD)
Personal Data Protection
Privileged Information Market Abuse

13. 13
- Classification: Internal - Page
Other data
Personal
data
Other
personal data
Perceived as
private
Perceived as
public
Special
categories
Sensitive
Health
Judicial
IGA
Special Categories of Data
PCI
Nat Reg

14. 14
- Classification: Internal - Page
Document: Risks
Data Classification Give the full data classification per data set.
Risks identified What risks were identified in terms of the different layers of
information security and data protection?
Qualitative measure
of the risk
Likelihood x impact
Quantitative
measure of the risk
(if possible) more detailed calculations based on statistical
models (e.g. monte carlo)
Validation by CISO The CISO has to validate all information risk assessments.
Validation by DPO
(for personal data)
The DPO has to validate all personal data related risk
assessments.

15. 15
- Classification: Internal - Page
Document: Risk Approach
Risk Mitigating
Measures
For every risk identified, the mitigating measures:
technically and/or organisationally (incl. first line controls).
Risk Sharing
Measures
For every risk identified, if applied, the risk sharing
measures: agreements, insurances, etc;
Residual Risk For every risk identified, the residual risk (incl. assessment
in terms of likelihood and impact).
Comparison to 1st
Risk Assessment
Preferably visually (matrix)
Validation by CISO The CISO has to validate all information risk approaches.
Validation by DPO
(for personal data)
The DPO has to validate all personal data related risk
approaches.
Residual Risk
Acceptance (if any)
The decision by the ExCo or, as the case may be, a
steering committee to which the project follow-up was
delegated.
New risk acceptance or measures, if and when
the risk assessment has shown change in risk profile.
 Escalate via CISO or DPO

16. 16
- Classification: Internal - Page
Document: Data Flows
Data set transferred (see data set for further detail)
Source of the data In principle the repository you are
responsible for as Information Asset Owner
Recipient of the data Within company / between GROUP companies /
Third Party (processing on COMPANY’s behalf) / Third
Party (processing on own behalf)
Purpose for use by the
recipient
To allow alignment with the original purpose and fitness
of the data set
Operational
description of transfer
Automatic or manual intervention, format (xls, xml,
CODA, …), channel, frequency of the transfer, …
Security of the transfer Measures taken to ensure the secure transfer, both
technical (e.g. encryption) and organisational (e.g.
double channel for transfer of package and key)
Assurance by recipient To keep the data secure and confidential, not to use the
data for other purposes than described, not to further
transfer the data, to update the data at request of IAO,…
Validation Validation by CISO (always) and DPO (personal data)

17. Q3: What to consider when re-assessing?
?

18. 18
- Classification: Internal - Page
Re-Assess
Assessment Who? When?
Original (0.1) Project manager Start of project
First version (1.0) Project manager End of project
Addendum due to
(significant) change (2.0)
Project manager End of project
Periodic review (2.1 or
2.0 confirmed)
Information Asset Owner 1/year
Ad hoc review due to
(minor) change in
process, regulation, …
(2.1 or 2.0 confirmed)
Information Asset Owner when needed
(note: not always
externally triggered !)
Planned control review CISO or DPO (personal
data)
second line control
planning
Ad hoc control review CISO or DPO (personal
data)
event (e.g. data breach
or supervisor request)

19. 19
- Classification: Internal - Page
Data Classifications indicate Risks
Category Classifications
Confidentiality Public, Internal, Restricted and Secret.
Integrity Accurate, Vital and Absolute.
Availability Non-Essential, Essential, Critical and Highly Critical.
Traceability Non-Traceable, Sensitive and Critical.
Retention No Retention, Short-Term, Mid-Term and Long-Term.
+
“Privacy” Use within the boundaries of the (original) purpose
Information Classification Policy

20. 20
- Classification: Internal - Page
Environment
Physical
Human
Device
Application
Repository
Carrier
Layers & Dimensions
Changes
• In the regulatory environment
• In processes
• In people (JLT)
• In technology
Network
Data
3rd Parties

21. 21
- Classification: Internal - Page
Take into Account the Entire Data Lifecycle
Less people can
reach it  gatekeepers
Data retention forces at work
Can we legitimately collect / create
the data (for that purpose)? (legal
constraints, contractual constraints,…)
Is the storage secure? Which
functions / roles need access?
Everybody else should be
kept out.
Is the integrity guarded?
Is the availability up to standard?
Can we legitimately use the data for
that purpose?
Is everybody with access bound by
confidentiality?
Can we legitimately share the data
(for that purpose)?
Do we want to share that data?

22. 22
- Classification: Internal - Page
Finality (Data Protection Act / GDPR)

23. 23
- Classification: Internal - Page
Balance
test
Legal
requirement
Implied
consent
Explicit
consent
written?
formality v. evidence
Legitimacy (Data Protection Act /GDPR)

24. 24
- Classification: Internal - Page
Forces at Work in Data Retention
Legal requirement
Min. retention
Purpose
Relevance
Archive
Evidence
Legal requirement
Max. retention
Facilities
Capacity, readibility,…,
Personal data protection
Relevance
HAVE TO
USEFUL
WANT TO
HAVE TO
HAVE TO
WANT TO
Legal
Lack of evidence
Data protection
Protection
WANT TO
USEFUL

25. 25
- Classification: Internal - Page
Measure the risk
Risk = likelihood x impact
(base on “trusted” sources)

26. 26
- Classification: Internal - Page
Remember: Possible Positions towards Risk
In principle only
LOW risk
If this “pops up”:
escalate via
CISO or DPO.

27. Q4: How do I, as Information Asset Owner, guard the
Information Asset?

28. 28
- Classification: Internal - Page
Focus on the GOAL (“purpose”)
Purpose(s) should have been
clearly defined @ start.
Other purposes are
in principle not allowed.
Purpose helps define
when to move data to
archive (lower access).
Purpose helps define
when to delete data and
triggers deletion. Data transfers must be documented.
IAO support HR, IT and CISO
to periodically review the
authorizations to the data set(s)
in his ownership (lateral control).
IAO is a first line control, next to
line management, to assess
authorizations to the data set(s)
in his ownership (lateral control).
The data quality (fit-4-purpose)
should be maintained.

29. 29
- Classification: Internal - Page
Escalate if and when necessary
An Information Asset Owner can and should escalate any issue with
the processing / handling of the Information Assets in his ownership
to the CISO and the DPO (for personal data).
Issues are e.g. (there is no exhaustive list)
 The data quality has significantly deteriorated, yet someone prevents the
deletion of the data.
 The foreseen data retention date or the use for the data given the purpose,
has expired, yet someone prevents the deletion of the data.
 A data recipient does not want to document the arrangements.
 There is a discussion on the authorizations (give or not, or type of
authorization (create/read/write/delete).
 A project manager did not deliver the proper documentation at the end of the
project.

30. Useful Additional Information

31. 31
- Classification: Internal - Page
Especially Relevant Policy Documents
• Information Ownership Policy
• Information Asset Inventory
• Information Asset Architecture and Management
• Information Classification Policy
• (other)
(Sharepoint)
(Folder)

32. 32
- Classification: Internal - Page
Relevent Points of Contact
as sounding boards
(and support) CISO (Chief Information Security Officer)
 (name)
DPO (Data Protection Officer)
 (name)
for arrangements with
secondary data users
within COMPANY (in as far
as the template does not
cover it)
for agreements with third
parties
Procurement  (name)
Legal  (name)