This is an example training in the context of IS/DPP: information security, data protection and privacy.
It is a training directed at IAOs, information asset owners.
The general idea is that IAOs support the company's or group's inventory and overview of information assets (which can, but do not per se have to, include personal data). Well-implemented governance through IAOs should make it easier to keep that overview close to the actual users, thus increasing ownership and awareness of information security and privacy.
1. - Classification: internal -
COMPANY
IS/DPP Level-Up Training Sessions
Information Asset Owners
(date)
2. “Level-up”
In addition to the baseline training for all staff
Applicable to specific staff, in this case: information asset owners
Why?
- Information asset owners are the individuals primarily responsible for a specific internal or external data source. They play a pivotal role in the information asset architecture and management, as they are the single points of contact for the data sources of the organisation.
- Therefore information asset owners are well-placed champions for IS/DPP.
3. YOUR MISSION, should you choose to accept it…
Take up active ownership of the Information Assets assigned to you in the Business-As-Usual, by:
- Keeping the IS/DPP documentation on the Information Assets up to date, especially regarding additional uses.
- Liaising with the CISO so he can keep the overview, a.o. via the Information Asset Inventory.
- Guarding (the access to) the Information Assets, their quality and their perimeter throughout their lifecycle.
- Supporting Access Management.
4. Q1: Why is there a setup with Information Asset Owners?
8. Architectural benefit
• Overview.
• Easier to grasp.
• Support / Single Point of Contact for certain data sets.
• Future?
• Single (“authentic”) source for certain data.
• Agile, decentralized deployment.
10. Checklist
• Data set and data flow description
• Risk mitigating / sharing measures (as implemented)
  - Technical measures (+ point of contact)
  - Organisational measures
    - documented (a.o. who can/should have access?)
    - communication/training/awareness [plan]
• Residual risk acceptance (if any, documented)
• Risk assessment (different versions)
  - After implementation project (legacy = absent)
  - Regular reviews
    - Periodic (norm: 1 / year)
    - Due to changes
11. Document: Data Sets (first 3 criteria)
Source of the data: Objective / Subjective; Data Subject / Generated ourselves / 3rd party / …
Purpose for the data: Credit review, AML screening, profiling, contact in execution of agreement, marketing, segmentation, …
Data subject: Customer, cardholder, prospect, candidate, staff member, contact at supplier, contact at corporate customer, …
Data fields: Free fields: Name, address, free comment, meeting report, …; Dropdown lists: Country, Title, Status, …
Special categories of data: Financial data, card data (PCI), …; data relating to race, ethnic origin, (political, philosophical, religious) beliefs, trade union membership, sexual life; Health data / Judicial data (related to litigation, criminal sanctions, presumptions of criminal facts, …)
(Estimated) volume: By number of data subjects, by number of data fields per data subject, …
12. Scope = DATA
[Diagram. Kinds of data in scope: Idea, Process, Texts, “Image”, Card(holder) Data, Personal Data, Customer Data. Protection drivers: “Want to protect” (Competitive advantage, Legal protection (when in the open): Copyright, Patent, Trade Mark; protection by obscurity) and “Have to protect” (Duty of discretion, PCI DSS (PSD), Personal Data Protection / Data Subject, Privileged Information / Market Abuse).]
13. Special Categories of Data
[Diagram. Other data vs. Personal data; within personal data: Other personal data (perceived as private / perceived as public) and Special categories: Sensitive, Health, Judicial, IGA; also marked: PCI, Nat Reg.]
14. Document: Risks
Data Classification: Give the full data classification per data set.
Risks identified: What risks were identified in terms of the different layers of information security and data protection?
Qualitative measure of the risk: Likelihood x impact
Quantitative measure of the risk: (if possible) more detailed calculations based on statistical models (e.g. Monte Carlo)
Validation by CISO: The CISO has to validate all information risk assessments.
Validation by DPO (for personal data): The DPO has to validate all personal data related risk assessments.
15. Document: Risk Approach
Risk Mitigating Measures: For every risk identified, the mitigating measures: technically and/or organisationally (incl. first line controls).
Risk Sharing Measures: For every risk identified, if applied, the risk sharing measures: agreements, insurances, etc.
Residual Risk: For every risk identified, the residual risk (incl. assessment in terms of likelihood and impact).
Comparison to 1st Risk Assessment: Preferably visually (matrix).
Validation by CISO: The CISO has to validate all information risk approaches.
Validation by DPO (for personal data): The DPO has to validate all personal data related risk approaches.
Residual Risk Acceptance (if any): The decision by the ExCo or, as the case may be, a steering committee to which the project follow-up was delegated. New risk acceptance or measures, if and when the risk assessment has shown a change in risk profile. Escalate via CISO or DPO.
16. Document: Data Flows
Data set transferred: (see data set for further detail)
Source of the data: In principle the repository you are responsible for as Information Asset Owner
Recipient of the data: Within company / between GROUP companies / Third Party (processing on COMPANY’s behalf) / Third Party (processing on own behalf)
Purpose for use by the recipient: To allow alignment with the original purpose and fitness of the data set
Operational description of transfer: Automatic or manual intervention, format (xls, xml, CODA, …), channel, frequency of the transfer, …
Security of the transfer: Measures taken to ensure the secure transfer, both technical (e.g. encryption) and organisational (e.g. double channel for transfer of package and key)
Assurance by recipient: To keep the data secure and confidential, not to use the data for other purposes than described, not to further transfer the data, to update the data at request of the IAO, …
Validation: Validation by CISO (always) and DPO (personal data)
18. Re-Assess
Assessment | Who? | When?
Original (0.1) | Project manager | Start of project
First version (1.0) | Project manager | End of project
Addendum due to (significant) change (2.0) | Project manager | End of project
Periodic review (2.1 or 2.0 confirmed) | Information Asset Owner | 1/year
Ad hoc review due to (minor) change in process, regulation, … (2.1 or 2.0 confirmed) | Information Asset Owner | when needed (note: not always externally triggered!)
Planned control review | CISO or DPO (personal data) | second line control planning
Ad hoc control review | CISO or DPO (personal data) | event (e.g. data breach or supervisor request)
19. Data Classifications indicate Risks
Category | Classifications
Confidentiality | Public, Internal, Restricted and Secret.
Integrity | Accurate, Vital and Absolute.
Availability | Non-Essential, Essential, Critical and Highly Critical.
Traceability | Non-Traceable, Sensitive and Critical.
Retention | No Retention, Short-Term, Mid-Term and Long-Term.
+ “Privacy” | Use within the boundaries of the (original) purpose
(See the Information Classification Policy.)
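As an added example (not part of the training deck), a small Python check that applies the deck's own rules to one inventory record: the classification vocabulary of the classifications slide, the CISO / DPO validation rule of the risk slides, the documented residual-risk acceptance from the checklist, and the one-year periodic review from the Re-Assess slide. The record layout and field names are assumptions made for this example.

```python
from datetime import date, timedelta

# Classification vocabulary from the Information Classification Policy slide.
CLASSIFICATIONS = {
    "confidentiality": ("Public", "Internal", "Restricted", "Secret"),
    "integrity": ("Accurate", "Vital", "Absolute"),
    "availability": ("Non-Essential", "Essential", "Critical", "Highly Critical"),
    "traceability": ("Non-Traceable", "Sensitive", "Critical"),
    "retention": ("No Retention", "Short-Term", "Mid-Term", "Long-Term"),
}
REVIEW_INTERVAL = timedelta(days=365)  # periodic review norm: 1 / year (Re-Assess slide)

def check_asset(asset, today):
    """Return the findings an IAO should escalate for one record (field names are assumed)."""
    findings = []
    for category, allowed in CLASSIFICATIONS.items():
        value = asset.get("classification", {}).get(category)
        if value not in allowed:
            findings.append(f"{category}: {value!r} is not in the policy vocabulary")
    # Every risk assessment needs CISO validation; personal data also needs DPO validation.
    if not asset.get("validated_by_ciso"):
        findings.append("risk assessment not validated by CISO")
    if asset.get("personal_data") and not asset.get("validated_by_dpo"):
        findings.append("personal data, but risk assessment not validated by DPO")
    # A residual risk, if any, needs a documented acceptance (ExCo or steering committee).
    if asset.get("residual_risk") and not asset.get("residual_risk_accepted"):
        findings.append("residual risk present without documented acceptance")
    # The IAO's periodic review is overdue after one year, or if it never happened.
    last = asset.get("last_review")
    if last is None or today - last > REVIEW_INTERVAL:
        findings.append("periodic review overdue (norm: 1 / year)")
    return findings

# Constructed sample records, not taken from the deck.
CUSTOMER_FILE = {  # personal data, stale review, off-policy label, undocumented residual risk
    "classification": {"confidentiality": "Confidential", "integrity": "Vital",
                       "availability": "Essential", "traceability": "Sensitive", "retention": "Long-Term"},
    "personal_data": True, "validated_by_ciso": True, "validated_by_dpo": False,
    "residual_risk": True, "residual_risk_accepted": False, "last_review": date(2023, 1, 15),
}
PRESS_KIT = {  # public material, fully documented and reviewed in time
    "classification": {"confidentiality": "Public", "integrity": "Accurate",
                       "availability": "Non-Essential", "traceability": "Non-Traceable", "retention": "Short-Term"},
    "personal_data": False, "validated_by_ciso": True, "last_review": date(2024, 3, 1),
}

def demo(today=date(2024, 6, 1)):
    """Findings for both samples: four for the customer file, none for the press kit."""
    return check_asset(CUSTOMER_FILE, today), check_asset(PRESS_KIT, today)
```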
20. Layers & Dimensions
[Diagram. Layers: Environment, Physical, Human, Device, Application, Repository, Carrier, Network, Data, 3rd Parties.]
Changes
• In the regulatory environment
• In processes
• In people (JLT)
• In technology
21. Take into Account the Entire Data Lifecycle
[Diagram labels: “less people can reach it / gatekeepers”, “data retention forces at work”.]
- Can we legitimately collect / create the data (for that purpose)? (legal constraints, contractual constraints, …)
- Is the storage secure? Which functions / roles need access? Everybody else should be kept out.
- Is the integrity guarded?
- Is the availability up to standard?
- Can we legitimately use the data for that purpose?
- Is everybody with access bound by confidentiality?
- Can we legitimately share the data (for that purpose)?
- Do we want to share that data?
24. Forces at Work in Data Retention
[Diagram. Forces towards a minimum retention: legal requirement, purpose, relevance, archive, evidence. Forces towards a maximum retention: legal requirement, facilities (capacity, readability, …), personal data protection, relevance. Each force is tagged HAVE TO, USEFUL or WANT TO (legal, lack of evidence, data protection, protection).]
26. Remember: Possible Positions towards Risk
In principle only LOW risk. If this “pops up”: escalate via CISO or DPO.
27. Q4: How do I, as Information Asset Owner, guard the Information Asset?
28. Focus on the GOAL (“purpose”)
- Purpose(s) should have been clearly defined @ start.
- Other purposes are in principle not allowed.
- Purpose helps define when to move data to archive (lower access).
- Purpose helps define when to delete data and triggers deletion.
- Data transfers must be documented.
- The IAO supports HR, IT and the CISO to periodically review the authorizations to the data set(s) in his ownership (lateral control).
- The IAO is a first line control, next to line management, to assess authorizations to the data set(s) in his ownership (lateral control).
- The data quality (fit-4-purpose) should be maintained.
29. Escalate if and when necessary
An Information Asset Owner can and should escalate any issue with the processing / handling of the Information Assets in his ownership to the CISO and the DPO (for personal data).
Issues are e.g. (there is no exhaustive list):
- The data quality has significantly deteriorated, yet someone prevents the deletion of the data.
- The foreseen data retention date, or the use for the data given the purpose, has expired, yet someone prevents the deletion of the data.
- A data recipient does not want to document the arrangements.
- There is a discussion on the authorizations (give or not, or type of authorization (create/read/write/delete)).
- A project manager did not deliver the proper documentation at the end of the project.
31. Especially Relevant Policy Documents
• Information Ownership Policy
• Information Asset Inventory
• Information Asset Architecture and Management
• Information Classification Policy
• (other)
(Sharepoint)
(Folder)
32. Relevant Points of Contact
As sounding boards (and support):
- CISO (Chief Information Security Officer): (name)
- DPO (Data Protection Officer): (name)
For arrangements with secondary data users within COMPANY (in as far as the template does not cover it), and for agreements with third parties:
- Procurement: (name)
- Legal: (name)
Editor's Notes
-/ Definitions
=> Sensitive data
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership;
- personal data concerning health or sex life.
=> Judicial data
- data relating to offences, criminal convictions or security measures;
- data relating to administrative sanctions or judgements in civil cases.
=> Identifier of general application (IGA)
National identification number or any other identifier of general application.
-/ For processing sensitive data, such legitimate basis can only be found when:
- the data subject has given his explicit consent to the processing of those data, except where applicable law provides that this cannot be considered a legitimate basis; or
- processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by applicable (national) law providing for adequate safeguards; or
- processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or
- processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or
- the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims; or
- processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject (under national law or rules established by national competent bodies) to the obligation of professional secrecy, or by another person also subject to an equivalent obligation of secrecy.
-/ For processing judicial data, such legitimate basis can only be found when the processing is covered by a specific exemption under applicable (national) law.
-/ For IGAs such legitimate basis has to be found in applicable (national) law.
-/ With regard to personal data that is in scope of the professional duty of confidentiality, legitimacy for making the data available has to be found in an exemption in the law and/or the consent of the data subject.
Note that a definition of judicial data that is narrower than the one given in this rule can be considered a specific exemption.
-/ General grounds of legitimacy:
- the data subject has unambiguously given his consent; or
- processing is necessary in order to take steps at the request of the data subject prior to entering into a contract, or processing is necessary for the performance of a contract to which the data subject is party; or
  E.g. when a data subject requests a credit, it is legitimate to request, receive and process some personal data on that data subject, to determine whether or not it is opportune to grant the credit.
- processing is necessary for compliance with a legal obligation to which the controller is subject; or
  Note: generally only national legislation is considered as a source of legitimacy under this provision.
  E.g. the collection of personal data as imposed by AML regulation (Know-Your-Customer), collection of personal data as imposed by MiFID regulation (Know-Your-Customer: appropriateness / suitability), transferring data to (tax or supervisory) authorities which act under legal investigation powers, …
- processing is necessary in order to protect the vital interests of the data subject; or
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject, and in particular their right to privacy with respect to the processing of personal data.
  E.g. processing medical data of a patient in coma to ensure that the necessary treatment is provided.