Training Procurement
Transcript of Training Procurement
- Classification: internal -
COMPANY IS/DPP Level-up Training Sessions: Procurement
(date)
Slide 2
“Level-up”
In addition to the baseline training for all staff.
Applicable to specific staff, in this case: procurement officers.
Why?
- Procurement officers (help) manage the relationship with external parties in the organisation. They are the center of competence and (single) point of contact on the matter.
- Therefore project managers are well-placed champions for IS/DPP.
- The business (as usual) should be able to attract, contract, and follow up the external relationship, which should (a) avoid working with untrustworthy counterparties, and (b) allow enforcement of compliance.
Slide 3
YOUR MISSION, should you choose to accept it…
Support, in and as the Business-As-Usual, the organisational aspect of IS/DPP by acting as center of competence with regard to relationship management of external parties:
- selecting counterparties: screening & vetting candidates
- contract negotiations: documenting commitment
- follow up: guiding (and triggering) follow-up
Center of Competence
Slide 5
Masters of the Process
Select
• RFI, RFP, BaFO
• Questionnaires and Questions
Contract
• Negotiations (need-to-have v nice-to-have)
• Risk Acceptance (as the case may be)
• Execution (and retention)
Follow-up
• Informal: “wine and dine”, relationship management, …
• Formal: questionnaires, audit, …
• Special: rights of data subjects (e.g. rectification, block)
Slide 6
External Parties
[Diagram: the COMPANY procurement group in the centre, surrounded by its external parties: Vendor, Service Provider (SP), Sub-processor, and the Clients.]
1. Confidentiality
2. Personal Data: DP schedule
Enforcement
Slide 7
Personal Data Protection: Different Levels
Internal
Processor in a “safe country”
Processor in an “unsafe country”
Slide 8
Internal (FYI)
Concentric circle controls
1. Perimeter control: controlled access to the buildings, e.g. zoning on a risk basis, security alarms, locked doors, surveillance cameras, security guards (day/night), entrance controls (badge, biometrics, …), identified and guided visitors, …
2. Network control: controlled access to the network, e.g. firewalls, virus scans (incl. malware, spyware, …), …
3. Server access control: zoning on a risk basis, monitoring (high-level permanent/sample or exception based periodic), …
4. Secure data deletion: shredders, instructions, waste baskets, …
5. Data loss prevention
DP training for legal and quality, 24 November 2014, Slide 8
Summary and content of the data protection controls:
- Equipment access control: deny unauthorised persons access to data-processing equipment used for processing personal data
- Data media control: prevent the unauthorised reading, copying, modification or removal of data media
- Storage control: prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data
- User control: prevent the use of automated data-processing systems by unauthorised persons using data communication equipment
- Data access control: ensure that persons authorised to use an automated data-processing system only have access to the data covered by their access authorisation
- Communication control: ensure that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data communication equipment
- Input control: ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems and when and by whom the data were input
- Transport control: prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media
- Recovery: ensure that installed systems may, in case of interruption, be restored
- Reliability & Integrity: ensure that the functions of the system perform, that the appearance of faults in the functions is reported and that stored data cannot be corrupted by means of a malfunctioning of the system
References: ISO 27002, NIST SP800-53
Minimum security requirements
Customer auditors
Agreements with controllers
[Insert policy overview / visualisation]
Slide 9
Gradations of topo-risk
EU
EEA: Norway, Liechtenstein, Iceland
Positively Assessed by EU Commission: Argentina, Australia, Canada, Faeroe Islands, Guernsey, Isle of Man, Israel, Jersey, Switzerland, Uruguay, (USA)
Other: no adequate level of protection
- Contractual clauses
- Other
Slide 10
Processor in a “safe” country
[Diagram: COMPANY and Provider]
1. Part of the selection process: sufficient guarantees on measures wrt the data processing operation
2. Binding clauses:
- Processor only acts on instruction of the controller
- Legal requirements of internal measures must bind the processor
3. Follow-up: ensure compliance with measures wrt the data processing operation
(Callout: OR NOT, if you have a template)
Slide 11
Processor in an “unsafe” country
Reference is made to the legitimacy topic.
Controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights which are authorized under applicable (national) law.
[Diagram: COMPANY and Provider]
1. Same as other processors
2. Binding clauses: SCC (Standard Contractual Clauses)
2'. Specific basis for legitimacy:
- Balance test
- Legal requirement
- Implied consent
- Explicit consent (limited)
(Callout: because YOU CAN DO THIS)
Screening & Vetting
Internal staff = HR
External staff = [insert]
Slide 13
Layers & Dimensions
Layers: Environment, Physical, Human, Device, Application, Repository, Carrier, Network, Data, 3rd Parties
Changes
• In the regulatory environment
• In processes
• In people (JLT)
• In technology
We are going to give this person access to
- our premises?
- our network?
- our devices?
- our applications?
- our data?
- …
Slide 14
Input: Risk Assessment (Privacy Impact Assessment)
- Data set and data flow description
- Risk assessment (different versions): before “outsourcing” (legacy = absent) / after “outsourcing”
- Risk mitigating / sharing measures (as foreseen): technical measures (+ point of contact); organisational measures, documented (a.o. who can/should have access?), communication/training/awareness [plan]
- Residual risk acceptance (if any, may come after negotiations)
Slide 15
Document: Data Sets (first 3 criteria)
- Source of the data: objective / subjective; data subject / generated ourselves / 3rd party / …
- Purpose for the data: credit review, AML screening, profiling, contact in execution of agreement, marketing, segmentation, …
- Data subject: customer, cardholder, prospect, candidate, staff member, contact at supplier, contact at corporate customer, …
- Data fields: free fields (name, address, free comment, meeting report, …); dropdown lists (country, title, status, …)
- Special categories of data: financial data, card data (PCI), …; data relating to race, ethnic origin, (political, philosophical, religious) beliefs, trade union membership, sexual life; health data / judicial data (related to litigation, criminal sanctions, presumptions of criminal facts, …)
- (Estimated) volume: by number of data subjects, by number of data fields per data subject, …
Slide 16
Document: Risks
- Data classification: give the full data classification per data set.
- Risks identified: what risks were identified in terms of the different layers of information security and data protection?
- Qualitative measure of the risk: likelihood x impact
- Quantitative measure of the risk: (if possible) more detailed calculations based on statistical models (e.g. Monte Carlo)
- Validation by CISO: the CISO has to validate all information risk assessments.
- Validation by DPO (for personal data): the DPO has to validate all personal data related risk assessments.
Frequently re-evaluate.
Slide 17
Document: Risk Approach
- Risk mitigating measures: for every risk identified, the mitigating measures, technical and/or organisational (incl. first line controls).
- Risk sharing measures: for every risk identified, if applied, the risk sharing measures: agreements, insurances, etc.
- Residual risk: for every risk identified, the residual risk (incl. assessment in terms of likelihood and impact).
- Comparison to 1st risk assessment: preferably visually (matrix).
- Validation by CISO: the CISO has to validate all information risk approaches.
- Validation by DPO (for personal data): the DPO has to validate all personal data related risk approaches.
- Residual risk acceptance (if any): the decision by the ExCo or, as the case may be, a steering committee to which the project follow-up was delegated.
New risk acceptance or measures, if and when the risk assessment has shown a change in risk profile. Escalate via CISO or DPO.
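The qualitative (likelihood x impact) and quantitative (Monte Carlo) measures from the “Document: Risks” slide, carried through to the residual risk and the comparison matrix asked for in the risk approach, as an added Python example that is not part of the training deck. The 1-5 scales, the rating thresholds, the uniform loss model and the two sample risks with their figures are constructed assumptions.

```python
import random
from dataclasses import dataclass, replace

# Constructed 1-5 scales (assumption, not from the deck) for likelihood x impact.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str            # key into LIKELIHOOD (qualitative)
    impact: str                # key into IMPACT (qualitative)
    annual_probability: float  # chance the event occurs in a year (quantitative)
    loss_low: float            # loss range if it occurs; uniform draw is an assumption
    loss_high: float

def qualitative_score(r: Risk) -> int:
    """Likelihood x impact as on the 'Document: Risks' slide: 1 (lowest) to 25."""
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]

def rating(score: int) -> str:
    """Bucket a score for the comparison matrix (thresholds are assumptions)."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

def monte_carlo_ale(r: Risk, runs: int = 20000, seed: int = 1) -> float:
    """Quantitative measure: mean annual loss over simulated years (Monte Carlo)."""
    rng = random.Random(seed)  # fixed seed keeps the estimate reproducible
    total = 0.0
    for _ in range(runs):
        if rng.random() < r.annual_probability:   # does the event occur this year?
            total += rng.uniform(r.loss_low, r.loss_high)
    return total / runs

def comparison_matrix(inherent: list, residual: list) -> list:
    """Rows for 'Comparison to 1st Risk Assessment': score and rating before vs after."""
    return [(b.name, qualitative_score(b), rating(qualitative_score(b)),
             qualitative_score(a), rating(qualitative_score(a)))
            for b, a in zip(inherent, residual)]
# Constructed sample register for a data set outsourced to a processor (not real figures).
INHERENT = [
    Risk("processor staff reads card data", "likely", "severe", 0.20, 10_000, 50_000),
    Risk("backup tape lost in transport", "possible", "major", 0.05, 5_000, 20_000),
]
# Residual risk after the measures (constructed): encryption at rest lowers the likelihood
# of the first risk; sealed transport plus insurance (risk sharing) lowers the second's impact.
RESIDUAL = [
    replace(INHERENT[0], likelihood="unlikely", annual_probability=0.02),
    replace(INHERENT[1], impact="minor", loss_high=8_000),
]
```

Calling `comparison_matrix(INHERENT, RESIDUAL)` gives one row per risk with the inherent and residual score and rating, and `monte_carlo_ale(INHERENT[0])` against `monte_carlo_ale(RESIDUAL[0])` shows the expected annual loss dropping from roughly 6000 to roughly 600 under the constructed figures.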
Slide 18
Document: Data Flows
- Data set transferred (see data set for further detail)
- Source of the data: in principle the repository you are responsible for as Information Asset Owner
- Recipient of the data: within company / between GROUP companies / third party (processing on COMPANY’s behalf) / third party (processing on own behalf)
- Purpose for use by the recipient: to allow alignment with the original purpose and fitness of the data set
- Operational description of transfer: automatic or manual intervention, format (xls, xml, CODA, …), channel, frequency of the transfer, …
- Security of the transfer: measures taken to ensure the secure transfer, both technical (e.g. encryption) and organisational (e.g. double channel for transfer of package and key)
- Assurance by recipient: to keep the data secure and confidential, not to use the data for other purposes than described, not to further transfer the data, to update the data at request of IAO, …
- Validation: validation by CISO (always) and DPO (personal data)
Slide 19
Getting started
Recruit: • Screen • RFI
Select: • Vet • RFP …
Employees: HR + line
External provider and/or staff: Procurement + sponsor
http://kbopub.economie.fgov.be/
https://www.nbb.be/nl/balanscentrale
myownwebsite.be
…
Q&A
Documenting
Slide 21
People onboarding, leaving, changing functions
Join
• Documents
• Onboard: checklist, assets / access, training
Execute
• Contract
• Training
• Evaluation
Leave
• Documents
• Exit: checklist, retrieval
Change / Transfer
Employees: HR + line
External staff: Procurement + sponsor
Slide 22
Data Export – Data Import
Data exporter: different capacities possible: controller or processor.
Data importer: different capacities possible: controller or (sub-)processor.
So:
- Controller to Controller
- Controller to Processor
- Processor to Processor
Add the geographic aspect.
Follow-up
Slide 24
Principles of Follow-Up
Periodic risk-based review of the relations.
[Chart: Risk against Time, with review intervals of 1 y, 2 y and 3 y]
Approaches
- Informal: relationship management
- Questionnaire
- On-site visit
- Audit / Assurance
Useful Additional Information
Slide 26
Especially Relevant Policy Documents
• Outsourcing Policy
• Third Party Assessment Procedure
• Third Party Contracting Procedure
• Third Party Follow-up Procedure
• Secure Information Exchange Procedure
• Secure Development Policy
• JLT Procedure
• Joiner Checklist template
• Leaver Checklist template
• Transfer = Leaver + Joiner
(SharePoint)
(Folder)
x:\HR\Onboarding Docs
x:\HR\Onboarding
x:\HR\Leavers
Slide 27
Especially Relevant Policy Documents
• Outsourcing Documents
• IS/DPP questionnaire
• Bodyshopping template
• IS/DPP Contract Schedule (basic)
• EU Standard Contractual Clauses
  • Controller-to-Controller
  • Controller-to-Processor
• Templates for specific situations (project “NDAs”, etc.)
(SharePoint)
(Folder)
Slide 28
Relevant Points of Contact
- Input for the assessment: Project manager; Information Asset Owner (see Inventory)
- Sounding board and support on contracting: Legal (name)
- Sparring partner for follow-up: Information Asset Owner (see Inventory)
- Review of IS/DPP questionnaire answers: CISO (name); DPO (personal data) (name)
Slide 29
Processes
(add processes of JLT procedure)