Training Procurement


Transcript of Training Procurement

Page 1: Training Procurement

- Classification: internal -

COMPANY IS/DPP Level-up Training Sessions

Procurement

(date)

Page 2: Training Procurement

“Level-up”

- In addition to the baseline training for all staff
- Applicable to specific staff, in this case: procurement officers

Why?

- Procurement officers (help) manage the relationship with external parties in the organisation. They are the center of competence and (single) point of contact on the matter.
- Therefore project managers are well-placed champions for IS/DPP.
- The business (as usual) should be able to attract, contract and follow up the external relationship, which should (a) avoid working with untrustworthy counterparties, and (b) allow enforcement of compliance.

Page 3: Training Procurement

YOUR MISSION, should you choose to accept it…

Support, in and as the Business-As-Usual, the organisational aspect of IS/DPP by acting as center of competence with regard to relationship management of external parties:

- selecting counterparties: screening & vetting candidates
- contract negotiations: documenting commitment
- follow up: guiding (and triggering) follow-up

Page 4: Training Procurement

Center of Competence

Page 5: Training Procurement

Masters of the Process

Select
- RFI, RFP, BaFO
- Questionnaires and Questions

Contract
- Negotiations (need-to-have v nice-to-have)
- Risk Acceptance (as the case may be)
- Execution (and retention)

Follow-up
- Informal: “wine and dine”, relationship management, …
- Formal: questionnaires, audit, …
- Special: rights of data subjects (e.g. rectification, block)

Page 6: Training Procurement

External Parties

(Diagram: COMPANY, with its procurement group, and its external parties: clients, vendors, service providers and sub-processors.)

1. Confidentiality
2. Personal Data: DP schedule

Enforcement

Page 7: Training Procurement

Personal Data Protection: Different Levels

- Internal
- Processor in a “safe country”
- Processor in an “unsafe country”

Page 8: Training Procurement

Internal (FYI)

Concentric circle controls
1. Perimeter control: controlled access to the buildings, e.g. zoning on a risk basis, security alarms, locked doors, surveillance cameras, security guards (day/night), entrance controls (badge, biometrics, …), identified and guided visitors, …
2. Network control: controlled access to the network, e.g. firewalls, virus scans (incl. malware, spyware, …), …
3. Server access control: zoning on a risk basis, monitoring (high-level permanent/sample or exception based periodic), …
4. Secure data deletion: shredders, instructions, waste baskets, …
5. Data loss prevention

(Embedded slide: DP training for legal and quality, 24 November 2014, slide 8)

Summary of controls (summary: content)
- Equipment access control: deny unauthorised persons access to data-processing equipment used for processing personal data
- Data media control: prevent the unauthorised reading, copying, modification or removal of data media
- Storage control: prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data
- User control: prevent the use of automated data-processing systems by unauthorised persons using data communication equipment
- Data access control: ensure that persons authorised to use an automated data-processing system only have access to the data covered by their access authorisation
- Communication control: ensure that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data communication equipment
- Input control: ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems and when and by whom the data were input
- Transport control: prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media
- Recovery: ensure that installed systems may, in case of interruption, be restored
- Reliability & Integrity: ensure that the functions of the system perform, that the appearance of faults in the functions is reported and that stored data cannot be corrupted by means of a malfunctioning of the system

- ISO 27002
- NIST SP 800-53
- Minimum security requirements
- Customer auditors
- Agreements with controllers

(Insert policy overview / visualisation)

Page 9: Training Procurement

Gradations of topo-risk EU

- EEA: Norway, Liechtenstein, Iceland
- Positively assessed by EU Commission: Argentina, Australia, Canada, Faeroe Islands, Guernsey, Isle of Man, Israel, Jersey, Switzerland, Uruguay, (USA)
- Other: no adequate level of protection
  - Contractual clauses
  - Other

Page 10: Training Procurement

Processor in a “safe” country

1. Part of the selection process: sufficient guarantees on measures wrt the data processing operation
2. Binding clauses:
   - Processor only acts on instruction of the controller
   - Legal requirements of internal measures must bind the processor
3. Follow-up: ensure compliance with measures wrt the data processing operation

(Diagram: COMP and Provider)

OR NOT, if you have a template

Page 11: Training Procurement

Processor in an “unsafe” country

Reference is made to the legitimacy topic.

Controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights which are authorized under applicable (national) law.

1. Same as other processors
2. Binding clauses
2’. Specific basis for legitimacy:
   - Balance test
   - Legal requirement
   - Implied consent
   - Explicit consent (limited)

because YOU CAN DO THIS: SCC (Standard Contractual Clauses) between COMP and Provider

Page 12: Training Procurement

Screening & Vetting

- Internal staff = HR
- External staff = (insert)

Page 13: Training Procurement

Layers & Dimensions

(Diagram labels: Environment, Physical, Human, Device, Application, Repository, Carrier, Network, Data, 3rd Parties)

Changes
- In the regulatory environment
- In processes
- In people (JLT)
- In technology

We are going to give this person access to:
- our premises?
- our network?
- our devices?
- our applications?
- our data?
- …

Page 14: Training Procurement

Input: Risk Assessment (Privacy Impact Assessment)

- Data set and data flow description
- Risk mitigating / sharing measures (as foreseen)
  - Technical measures (+ point of contact)
  - Organisational measures: documented (a.o. who can/should have access?), communication/training/awareness [plan]
- Residual risk acceptance (if any, may come after negotiations)
- Risk assessment (different versions): before “outsourcing” (legacy = absent), after “outsourcing”

Page 15: Training Procurement

Document: Data Sets (first 3 criteria)

- Source of the data: Objective / Subjective; Data Subject / Generated ourselves / 3rd party / …
- Purpose for the data: Credit review, AML screening, profiling, contact in execution of agreement, marketing, segmentation, …
- Data subject: Customer, cardholder, prospect, candidate, staff member, contact at supplier, contact at corporate customer, …
- Data fields: Free fields: Name, address, free comment, meeting report, …; Dropdown lists: Country, Title, Status, …
- Special categories of data: Financial data, card data (PCI), …; Relating to race, ethnic origin, (political, philosophical, religious) beliefs, trade union membership, sexual life; Health data / Judicial data (related to litigation, criminal sanctions, presumptions of criminal facts, …)
- (Estimated) volume: By number of data subjects, by number of data fields per data subject, …

Page 16: Training Procurement

Document: Risks

- Data Classification: Give the full data classification per data set.
- Risks identified: What risks were identified in terms of the different layers of information security and data protection?
- Qualitative measure of the risk: Likelihood x impact
- Quantitative measure of the risk: (if possible) more detailed calculations based on statistical models (e.g. Monte Carlo)
- Validation by CISO: The CISO has to validate all information risk assessments.
- Validation by DPO (for personal data): The DPO has to validate all personal data related risk assessments.

Frequently re-evaluate

Page 17: Training Procurement

Document: Risk Approach

- Risk Mitigating Measures: For every risk identified, the mitigating measures: technically and/or organisationally (incl. first line controls).
- Risk Sharing Measures: For every risk identified, if applied, the risk sharing measures: agreements, insurances, etc.
- Residual Risk: For every risk identified, the residual risk (incl. assessment in terms of likelihood and impact).
- Comparison to 1st Risk Assessment: Preferably visually (matrix)
- Validation by CISO: The CISO has to validate all information risk approaches.
- Validation by DPO (for personal data): The DPO has to validate all personal data related risk approaches.
- Residual Risk Acceptance (if any): The decision by the ExCo or, as the case may be, a steering committee to which the project follow-up was delegated.

New risk acceptance or measures, if and when the risk assessment has shown a change in risk profile. Escalate via CISO or DPO.
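The qualitative (likelihood x impact) and quantitative (Monte Carlo) measures from the Risks slide, and the comparison of the 1st assessment with the residual risk and its acceptance from this slide, worked through as an added Python example that is not part of the training deck; the 1..5 scales, the matrix bands, the acceptance rule and the loss figures are assumptions.

```python
# Added example (not part of the training deck): a risk register entry with the
# qualitative measure (likelihood x impact), a Monte Carlo estimate of annual loss as
# quantitative measure, and a 1st-vs-residual comparison. Scales and figures are assumed.
import random
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    layer: str          # layer from the deck: Physical, Human, Device, Application, Data, ...
    likelihood: int     # qualitative 1 (rare) .. 5 (almost certain), assumed scale
    impact: int         # qualitative 1 (negligible) .. 5 (severe), assumed scale
    p_per_year: float   # probability that the event occurs in a given year
    loss_low: float     # loss per event, lower bound (constructed figures)
    loss_high: float    # loss per event, upper bound

def qualitative_score(risk: Risk) -> int:
    """Likelihood x impact on the 1..25 matrix."""
    return risk.likelihood * risk.impact

def rating(score: int) -> str:
    """Assumed matrix bands: 1-7 low, 8-14 medium, 15-25 high."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

def expected_annual_loss(risk: Risk, trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo: each simulated year the event occurs with p_per_year and
    costs a uniformly drawn amount between loss_low and loss_high."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        if rng.random() < risk.p_per_year:
            total += rng.uniform(risk.loss_low, risk.loss_high)
    return total / trials

def compare(first: Risk, residual: Risk) -> dict:
    """Compare the 1st assessment with the residual risk after mitigating/sharing
    measures; residual risks still above 'low' are flagged for formal acceptance
    by the ExCo or steering committee (assumed decision rule)."""
    f, r = qualitative_score(first), qualitative_score(residual)
    return {
        "risk": first.name,
        "first": (f, rating(f), round(expected_annual_loss(first))),
        "residual": (r, rating(r), round(expected_annual_loss(residual))),
        "needs_acceptance": rating(r) != "low",
    }

# Constructed case: unauthorised access to a customer data set at a processor,
# before and after binding clauses plus encryption of the transfer.
FIRST = Risk("Unauthorised access at processor", "Data", 4, 5, 0.30, 50_000, 250_000)
RESIDUAL = Risk("Unauthorised access at processor", "Data", 2, 4, 0.10, 10_000, 50_000)
```

Calling compare(FIRST, RESIDUAL) gives the matrix positions and expected annual losses side by side, which is the comparison the slide asks to document (preferably visually) before the residual risk goes to the ExCo.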

Page 18: Training Procurement

Document: Data Flows

- Data set transferred (see data set for further detail)
- Source of the data: In principle the repository you are responsible for as Information Asset Owner
- Recipient of the data: Within company / between GROUP companies / Third Party (processing on COMPANY’s behalf) / Third Party (processing on own behalf)
- Purpose for use by the recipient: To allow alignment with the original purpose and fitness of the data set
- Operational description of transfer: Automatic or manual intervention, format (xls, xml, CODA, …), channel, frequency of the transfer, …
- Security of the transfer: Measures taken to ensure the secure transfer, both technical (e.g. encryption) and organisational (e.g. double channel for transfer of package and key)
- Assurance by recipient: To keep the data secure and confidential, not to use the data for other purposes than described, not to further transfer the data, to update the data at request of IAO, …
- Validation: Validation by CISO (always) and DPO (personal data)

Page 19: Training Procurement

Getting started

- Recruit: Screen, Vet
- Select: RFI, RFP, …

Employees: HR + line

External provider and/or staff: Procurement + sponsor

Links:
- http://kbopub.economie.fgov.be/
- https://www.nbb.be/nl/balanscentrale
- myownwebsite.be

Q&A

Page 20: Training Procurement

Documenting

Page 21: Training Procurement

People onboarding, leaving, changing functions

Join / Onboard
- Documents
- Checklist
- Assets / Access
- Training

Execute
- Contract
- Training
- Evaluation

Leave / Exit
- Documents
- Checklist
- Retrieval

Change / Transfer

Employees: HR + line

External staff: Procurement / HR + sponsor

Page 22: Training Procurement

Data Export – Data Import

- Data exporter: different capacities possible: controller or processor.
- Data importer: different capacities possible: controller or (sub-)processor.

So:
- Controller to Controller
- Controller to Processor
- Processor to Processor

Add the geographic aspect.

Page 23: Training Procurement

Follow-up

Page 24: Training Procurement

Principles of Follow-Up

Periodic risk-based review of the relations.

(Chart: risk against time, with review points at 1 y, 2 y and 3 y.)

Approaches
- Informal
- Relationship management
- Questionnaire
- On site visit
- Audit / Assurance

Page 25: Training Procurement

Useful Additional Information

Page 26: Training Procurement

Especially Relevant Policy Documents

- Outsourcing Policy
- Third Party Assessment Procedure
- Third Party Contracting Procedure
- Third Party Follow-up Procedure
- Secure Information Exchange Procedure
- Secure Development Policy
- JLT Procedure
- Joiner Checklist template
- Leaver Checklist template
- Transfer = Leaver + Joiner

Locations: (Sharepoint); (Folder): x:\HR\Onboarding Docs, x:\HR\Onboarding, x:\HR\Leavers

Page 27: Training Procurement

Especially Relevant Policy Documents

- Outsourcing Documents
- IS/DPP questionnaire
- Bodyshopping template
- IS/DPP Contract Schedule (basic)
- EU Standard Contractual Clauses
  - Controller-to-Controller
  - Controller-to-Processor
- Templates for specific situations (project “NDAs”, etc.)

Locations: (Sharepoint); (Folder)

Page 28: Training Procurement

Relevant Points of Contact

- Input for the assessment: Project manager; Information Asset Owner (see Inventory)
- Sounding board and support on contracting: Legal (name)
- Sparring partner for follow-up: Information Asset Owner (see Inventory)
- Review of IS/DPP questionnaire answers: CISO (name); DPO (personal data) (name)

Page 29: Training Procurement


Processes

(add processes of JLT procedure)