Post on 14-Apr-2017
- Classification : internal -
COMPANY IS/DPP Level-Up Training Sessions: Information Asset Owners
(date)
“Level-up”
In addition to the baseline training for all staff, this session is applicable to specific staff, in this case: information asset owners.
Why?
- Information asset owners are the individuals primarily responsible for a specific internal or external data source. They play a pivotal role in the information asset architecture and management, as they are the single points of contact for the data sources of the organisation.
- Therefore information asset owners are well-placed champions for IS/DPP.
YOUR MISSION, should you choose to accept it…
Take up active ownership of the Information Assets assigned to you in Business-As-Usual, by:
- Keeping the IS/DPP documentation on the Information Assets and keeping it up-to-date, especially for additional uses.
- Liaising with the CISO so he can keep the overview, a.o. via the Information Asset Inventory.
- Guarding (the access to) the Information Assets, their quality and their perimeter throughout their lifecycle.
- Supporting Access Management.
Important note: this is a continuous mission!
Q1: Why is there a setup with Information Asset Owners?
Data is everywhere, we organise it, to be able to manage it.
Architectural benefit
• Overview.
• Easier to grasp.
• Support / Single Point of Contact for certain data sets.
• Future?
  • Single (“authentic”) source for certain data.
  • Agile, decentralized deployment.
Q2: What documentation should I keep?
Checklist
• Data set and data flow description
• Risk assessment (different versions)
  • After the implementation project (legacy = absent)
  • Regular reviews: periodic (norm: 1 / year) and due to changes
• Risk mitigating / sharing measures (as implemented)
  • Technical measures (+ point of contact)
  • Organisational measures documented (a.o. who can/should have access?)
  • Communication / training / awareness [plan]
• Residual risk acceptance (if any, documented)
Document: Data Sets (first 3 criteria)
Source of the data: Objective / Subjective; Data Subject / Generated ourselves / 3rd party / …
Purpose for the data: Credit review, AML screening, profiling, contact in execution of agreement, marketing, segmentation, …
Data subject: Customer, cardholder, prospect, candidate, staff member, contact at supplier, contact at corporate customer, …
Data fields: Free fields: Name, address, free comment, meeting report, …; Dropdown lists: Country, Title, Status, …
Special categories of data: Financial data, card data (PCI), …; data relating to race, ethnic origin, (political, philosophical, religious) beliefs, trade union membership, sexual life; Health data / Judicial data (related to litigation, criminal sanctions, presumptions of criminal facts, …)
(Estimated) volume: By number of data subjects, by number of data fields per data subject, …
Scope = DATA (diagram; labels recovered from the slide)
Kinds of data in scope: Idea, Process, Texts, “Image”, Card(holder) Data, Personal Data, Customer Data.
Protection regimes shown: Copyright, Patent, Trade Mark (legal protection, when in the open); Competitive advantage (protection by obscurity); Duty of discretion; PCI DSS (PSD); Personal Data Protection (Data Subject); Privileged Information / Market Abuse.
Drivers shown: “Want to protect” versus “Have to protect”.
Data categories (diagram; labels recovered from the slide)
Other data
Personal data
  Other personal data: perceived as private / perceived as public
  Special categories of data: Sensitive, Health, Judicial, IGA, PCI, Nat Reg
Document: Risks
Data Classification: Give the full data classification per data set.
Risks identified: What risks were identified in terms of the different layers of information security and data protection?
Qualitative measure of the risk: Likelihood x impact.
Quantitative measure of the risk: (if possible) more detailed calculations based on statistical models (e.g. Monte Carlo).
Validation by CISO: The CISO has to validate all information risk assessments.
Validation by DPO (for personal data): The DPO has to validate all personal data related risk assessments.
Frequently re-evaluate.
Document: Risk Approach
Risk Mitigating Measures: For every risk identified, the mitigating measures, technical and/or organisational (incl. first line controls).
Risk Sharing Measures: For every risk identified, if applied, the risk sharing measures: agreements, insurances, etc.
Residual Risk: For every risk identified, the residual risk (incl. assessment in terms of likelihood and impact).
Comparison to 1st Risk Assessment: Preferably visually (matrix).
Validation by CISO: The CISO has to validate all information risk approaches.
Validation by DPO (for personal data): The DPO has to validate all personal data related risk approaches.
Residual Risk Acceptance (if any): The decision by the ExCo or, as the case may be, a steering committee to which the project follow-up was delegated.
New risk acceptance or measures, if and when the risk assessment has shown a change in risk profile: escalate via CISO or DPO.
Document: Data Flows
Data set transferred: (see data set for further detail)
Source of the data: In principle the repository you are responsible for as Information Asset Owner.
Recipient of the data: Within company / between GROUP companies / Third Party (processing on COMPANY’s behalf) / Third Party (processing on own behalf).
Purpose for use by the recipient: To allow alignment with the original purpose and fitness of the data set.
Operational description of transfer: Automatic or manual intervention, format (xls, xml, CODA, …), channel, frequency of the transfer, …
Security of the transfer: Measures taken to ensure the secure transfer, both technical (e.g. encryption) and organisational (e.g. double channel for transfer of package and key).
Assurance by recipient: To keep the data secure and confidential, not to use the data for other purposes than described, not to further transfer the data, to update the data at request of the IAO, …
Validation: Validation by CISO (always) and DPO (personal data).
Q3: What to consider when re-assessing?
Re-Assess
Assessment | Who? | When?
Original (0.1) | Project manager | Start of project
First version (1.0) | Project manager | End of project
Addendum due to (significant) change (2.0) | Project manager | End of project
Periodic review (2.1 or 2.0 confirmed) | Information Asset Owner | 1 / year
Ad hoc review due to (minor) change in process, regulation, … (2.1 or 2.0 confirmed) | Information Asset Owner | When needed (note: not always externally triggered!)
Planned control review | CISO or DPO (personal data) | Second line control planning
Ad hoc control review | CISO or DPO (personal data) | Event (e.g. data breach or supervisor request)
Data Classifications indicate Risks
Category | Classifications
Confidentiality | Public, Internal, Restricted and Secret
Integrity | Accurate, Vital and Absolute
Availability | Non-Essential, Essential, Critical and Highly Critical
Traceability | Non-Traceable, Sensitive and Critical
Retention | No Retention, Short-Term, Mid-Term and Long-Term
+ “Privacy” | Use within the boundaries of the (original) purpose
Source: Information Classification Policy
Layers & Dimensions (diagram; labels recovered from the slide)
Layers: Environment, Physical, Human, Device, Application, Repository, Carrier, Network, Data, 3rd Parties.
Changes to watch: in the regulatory environment, in processes, in people (JLT), in technology.
Take into Account the Entire Data Lifecycle
Collect / create: Can we legitimately collect / create the data (for that purpose)? (legal constraints, contractual constraints, …)
Store: Is the storage secure? Which functions / roles need access? Everybody else should be kept out. Is the integrity guarded? Is the availability up to standard?
Use: Can we legitimately use the data for that purpose? Is everybody with access bound by confidentiality?
Share: Can we legitimately share the data (for that purpose)? Do we want to share that data?
Slide annotations: fewer people can reach it (gatekeepers); data retention forces at work (see “Forces at Work in Data Retention”).
Finality (Data Protection Act / GDPR) (diagram; labels recovered from the slide)
Principles across the lifecycle (@Start, Ongoing, @End): Minimisation, Relevance, Quality, Up-to-date, Retention.
Legitimacy (Data Protection Act / GDPR) (diagram; labels recovered from the slide)
Grounds: Legal requirement; Implied consent; Explicit consent (written? formality v. evidence); Controller’s legitimate interest, subject to a balance test against the data subject’s fundamental rights.
Forces at Work in Data Retention (diagram; labels recovered from the slide)
Forces towards keeping data: Legal requirement (min. retention); Purpose (relevance); Archive (evidence); Legal (lack of evidence).
Forces towards deleting data: Legal requirement (max. retention); Personal data protection (relevance); Data protection (protection); Facilities (capacity, readability, …).
Each force is weighted on the slide as HAVE TO, USEFUL or WANT TO.
Measure the risk
Risk = likelihood x impact (base both on “trusted” sources).
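The two risk measures the deck asks for (the qualitative likelihood x impact score on this slide and the Monte Carlo quantitative estimate on the “Document: Risks” slide), worked through in code. This is an added example, not part of the training material or any COMPANY tooling; the 1-5 scales, the LOW/MEDIUM/HIGH bands, the loss-event rate and the triangular loss distribution are all assumptions chosen for illustration, and the input figures are constructed.

```python
"""Risk measurement for an Information Asset, two ways:
1. qualitative: likelihood x impact on an ordinal scale, mapped to a band;
2. quantitative: Monte Carlo simulation of annual loss, assuming loss
   events arrive as a Poisson process and each loss follows a triangular
   (min / most likely / max) distribution.
All scales, bands and distributions are assumptions for this example."""
import math
import random
import statistics


def qualitative_risk(likelihood, impact):
    """Risk = likelihood x impact on an assumed 1-5 scale for both axes.
    Band cut-offs are assumed: <= 4 LOW, <= 9 MEDIUM, otherwise HIGH."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    score = likelihood * impact
    if score <= 4:
        return score, "LOW"
    if score <= 9:
        return score, "MEDIUM"
    return score, "HIGH"


def needs_escalation(rating):
    """Deck rule: in principle only LOW risk is retained by the IAO;
    anything higher is escalated via the CISO or DPO."""
    return rating != "LOW"


def _poisson(rng, events_per_year):
    """Number of loss events in one simulated year (Knuth's method)."""
    limit, k, p = math.exp(-events_per_year), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def monte_carlo_annual_loss(events_per_year, loss_low, loss_mode, loss_high,
                            iterations=20000, seed=1):
    """Simulate `iterations` years; each year draws a Poisson number of
    loss events and a triangular loss per event. Returns the expected
    annual loss, the 95th-percentile year and the probability of any loss."""
    rng = random.Random(seed)  # fixed seed: results are reproducible
    totals = []
    for _ in range(iterations):
        n_events = _poisson(rng, events_per_year)
        totals.append(sum(rng.triangular(loss_low, loss_high, loss_mode)
                          for _ in range(n_events)))
    totals.sort()
    return {
        "expected_annual_loss": statistics.fmean(totals),
        "p95_annual_loss": totals[int(0.95 * (iterations - 1))],
        "p_any_loss": sum(1 for t in totals if t > 0) / iterations,
    }


if __name__ == "__main__":
    # Constructed inputs for a fictional "customer contact" data set.
    score, band = qualitative_risk(likelihood=3, impact=4)
    print(f"qualitative: score {score} -> {band}, escalate={needs_escalation(band)}")
    # Assumed: 0.5 loss events per year, loss between 10k and 200k, mode 50k.
    result = monte_carlo_annual_loss(0.5, 10_000, 50_000, 200_000)
    for key, value in result.items():
        print(f"quantitative: {key} = {value:,.2f}")
```

The analytic check for the quantitative run is expected annual loss = rate x mean loss per event = 0.5 x (10k + 50k + 200k) / 3, about 43,333; the simulation should land close to that, while the 95th-percentile year sits far above the mean, which is the figure a steering committee deciding on residual risk acceptance actually needs to see.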
Remember: Possible Positions towards Risk
In principle only LOW risk is retained.
If anything higher “pops up”: escalate via CISO or DPO.
Q4: How do I, as Information Asset Owner, guard the Information Asset?
Focus on the GOAL (“purpose”)
Purpose(s) should have been clearly defined @ start.
Other purposes are in principle not allowed. Exceptions should be validated by the CISO and the DPO (for personal data).
Purpose helps define when to move data to archive (lower access).
Purpose helps define when to delete data and triggers deletion.
Data transfers must be documented.
The IAO supports HR, IT and the CISO in periodically reviewing the authorizations to the data set(s) in his ownership (lateral control).
The IAO is a first line control, next to line management, for assessing authorizations to the data set(s) in his ownership (lateral control).
The data quality (fit-for-purpose) should be maintained.
Escalate if and when necessary
An Information Asset Owner can and should escalate any issue with the processing / handling of the Information Assets in his ownership to the CISO and the DPO (for personal data).
Issues are e.g. (there is no exhaustive list):
- The data quality has significantly deteriorated, yet someone prevents the deletion of the data.
- The foreseen data retention date, or the use of the data given the purpose, has expired, yet someone prevents the deletion of the data.
- A data recipient does not want to document the arrangements.
- There is a discussion on the authorizations (give or not, or type of authorization: create/read/write/delete).
- A project manager did not deliver the proper documentation at the end of the project.
Useful Additional Information
Especially Relevant Policy Documents
• Information Ownership Policy
• Information Asset Inventory
• Information Asset Architecture and Management
• Information Classification Policy
• (other)
Location: (Sharepoint) (Folder)
Relevant Points of Contact
As sounding boards (and support):
• CISO (Chief Information Security Officer): (name)
• DPO (Data Protection Officer): (name)
For arrangements with secondary data users within COMPANY (in as far as the template does not cover it) and for agreements with third parties:
• Procurement: (name)
• Legal: (name)