The assessment of risks is the first step towards the adoption of appropriate security measures for the protection of personal data. In the next steps we present a simplified approach that can guide SMEs through their specific data processing operation and help them evaluate the relevant security risks. As such, the proposed approach does not present a new risk assessment methodology but rather builds on existing work in the field (CNIL – Managing Privacy Risks Methodology, ENISA – Recommendations for a methodology of the assessment of severity of personal data breaches, ENISA – Risk Management and Risk Assessment for SMEs) to provide guidance to SMEs. It should be noted that the proposed approach is meant to support data controllers/processors and not to act as a compliance mechanism.

It should also be noted that the work is focused solely on security risk assessment in the context of personal data processing operations and should not be confused with a data protection impact assessment (DPIA – Article 35 GDPR). Indeed, while the former is a critical part of the latter, a DPIA takes into account several other parameters that are related to the processing of personal data and go beyond security. Still, the proposed approach could also be useful in the context of a DPIA and/or could be extended in the future to also cover the conduct of a DPIA.

Please note that none of the data/information entered in our platform is saved, and it will not be available should the browser be closed. It is therefore advisable that you perform the whole assessment at once.

At the last step of the risk assessment, you will be able to export all the information entered, along with the identified level of risk of the processing operation and the proposed security (technical and organizational) measures, in PDF format.

1. Definition and Context of the Processing Operation

This step is the starting point of the risk assessment and is fundamental in order to define the boundaries of the data processing operation (under assessment) and its relevant context. In doing so, the organization needs to consider the different phases of the data processing (collection, storage, use, transfer, disposal, etc.) and their subsequent parameters. Specific attention has to be paid to the fact that the analysis below regards a specific processing operation; a data processing system may comprise more than one data processing operation. The analysis below has to be performed for each processing operation.

An overview of the output and provisional examples on how to describe data processing operations are available within the use cases (Sections 4, 5, 6 & 7) of the ENISA report “Handbook on Security of Personal Data Processing”.

Recipients of Personal Data
External:
Internal:

2a. Confidentiality

Please reflect on the impact that an unauthorized disclosure (loss of confidentiality) of personal data - in the context where your business activity takes place - could have on the individual and express a rating accordingly.

Examples/scenarios of loss of confidentiality:
  • A paper file or laptop containing personal data is lost during transit.
  • Equipment has been disposed of without destruction of the personal data.
  • Personal data are wrongly sent to a number of unauthorized recipients.
  • Some customers could access other customers’ accounts in an online service.
  • Personal data are published on an internet message board or p2p site.
  • A CD-ROM with customer data has been stolen from premises.
  • A wrongly configured website makes data on internal users publicly accessible on the internet.

2b. Integrity

Please reflect on the impact that an unauthorized alteration (loss of integrity) of personal data - in the context where your business activity takes place - could have on the individual and express a rating accordingly.

Examples/scenarios of loss of integrity:
  • A record that is necessary for the provision of an online social service has been changed and the individual needs to ask for the service in an offline way.
  • A record that is important for the accuracy of an individual’s file in an online medical service has been changed.

2c. Availability

Please reflect on the impact that an unauthorized destruction or loss (loss of availability) of personal data - in the context where your business activity takes place - could have on the individual and express a rating accordingly.

Examples/scenarios of loss of availability:
  • A customer database is corrupted and some processing is required to bring the service online again.
  • A personnel file is lost and the individual needs to provide again some information to the company.
  • A file is lost/database corrupted and there is no backup of this information.
  • A critical service (e.g. online medical record) is down and cannot be immediately recovered.

3a. Network and Technical Resources

Please reflect on the threat occurrence probability related to network and technical resources.

For each question please select one of the options and add a brief explanatory note. At the bottom of the page please assess the threat occurrence probability for this evaluation area.

Is any part of the processing of personal data performed through the internet?
When the processing of personal data is performed fully or partially through the open Internet, possible threats from external online attackers increase (e.g. Denial of Service, SQL injection, Man-in-the-Middle attacks), especially when the service is available (and, thus, traceable/known) to all internet users.
Examples:
  • An e-marketplace offering the possibility of online purchase of goods
  • An e-news portal providing personalised information for registered users
  • A CRM system offered through a cloud as a service solution.
Is it possible to provide access to an internal personal data processing system through the internet (e.g. for certain users or groups of users)?
When access to an internal data processing system is provided through the internet, the likelihood of external threats increases (e.g. due to external online attackers). At the same time the likelihood of (accidental or intentional) misuse of data by the users also increases (e.g. accidental disclosure of personal data when working in public spaces). Special attention should be given to cases where remote management/administration of the IT system is allowed.
Examples:
  • An insurance company allows remote access (through the internet) for managers to the clients’ files.
  • A consulting company allows staff to access the internal system for managing leaves and missions through the internet.
  • A company provides remote access to the system to external contractors for IT maintenance and support.
Is the personal data processing system interconnected to another external or internal (to your organization) IT system or service?
Connection to external IT systems may introduce additional threats due to the threats (and potential security flaws) that are inherent to those systems. The same applies to internal systems, taking into account that, if not appropriately configured, such connections may allow access (to the personal data) to more persons within the organization (who are not in principle authorized for such access).
Examples:
  • An e-bookshop is connected to an online payment system (to support electronic purchases).
  • A small clinic finance IT system is connected to the IT system of national insurance scheme (to validate insurance status of the patients).
  • A CRM system interconnected with the IT system processing orders and systems supporting payments and invoice issuing.
Can unauthorized individuals easily access the data processing environment?
Although focus has been put on electronic systems and services, the physical environment (relevant to these systems and services) is an important aspect that, if not adequately safeguarded, can seriously compromise security (e.g. by allowing unauthorized parties to gain physical access to the IT equipment and network components or failing to provide protection of the computer room in the event of a physical disaster).
Examples:
  • An SME does not have a dedicated computer room for administering the IT system used for the processing of personal data.
  • An SME has outsourced the storage of its data to a company offering remote data storage. It is not clear what security measures have been applied by the company to safeguard the premises of the data centre.
Is the personal data processing system designed, implemented or maintained without following relevant documented best practices?
Poorly designed, implemented and/or maintained hardware and software components can pose serious risks to information security. To this end, best practices accumulate the experience of prior events and can be regarded as practical guidelines of how to avoid exposure and achieve certain levels of resilience.
Examples:
  • The different network and system components are based on standard IT technologies and protocols (contrary to ad-hoc solutions).
  • Hardware and software are obtained from trusted providers following formal contractual procedures.
  • A proper maintenance plan is in place, including regular maintenance of network and system devices and applications.

Based on the selections and justifications above, please assess the threat occurrence probability for this evaluation area.

3b. Processes/Procedures Related to the Processing of Personal Data

Please reflect on the threat occurrence probability related to processes/procedures for the processing of personal data.

For each question please select one of the options and add a brief explanatory note. At the bottom of the page please assess the threat occurrence probability for this evaluation area.

Are the roles and responsibilities with regard to personal data processing vague or not clearly defined?
When roles and responsibilities are not clearly defined, access to (and further processing of) personal data may be uncontrolled, resulting in unauthorized use of resources and compromising the overall security of the system.
Examples:
  • Assistants in the financial department can not only enter information, but also modify and delete it, the same as managers.
  • The nurses in a medical clinic can modify the patient’s medical file, although only doctors should be able to do so.
Is the acceptable use of the network, system and physical resources within the organization ambiguous or not clearly defined?
When acceptable use of resources is not clearly mandated, security threats might arise due to misunderstanding or intentional misuse of the system. The clear definition of policies for network, system and physical resources can reduce potential risks.
Examples:
  • It is not clear if employees can use their professional email address for personal communications.
  • There is no policy in place mandating the level of bandwidth usage that employees are allowed on a daily basis.
Are the employees allowed to bring and use their own devices to connect to the personal data processing system?
Employees using their personal devices within the organization could increase the risk of data leakage or unauthorized access to the information system. Moreover, as devices are not centrally controlled, they may introduce additional bugs or viruses into the system.
Examples:
  • Employees can connect to the company’s network with their tablets or other smart devices.
  • Employees are allowed to process data using specific applications installed on their personal tablets/smart devices.
Are the employees allowed to transfer, store or otherwise process personal data outside the premises of the organization?
Processing of personal data outside the premises of the organization can offer a lot of flexibility, but at the same time introduces additional risks, both related to the transmission of information through possibly insecure network channels (e.g. open Wi-Fi networks) and to unauthorized use of this information.
Examples:
  • A travel agency allows employees to use their professional laptops outside the premises of the organization in order to process clients’ data.
  • A delivery company allows employees to use dedicated tablets while making the delivery to validate details of the recipient.
Can personal data processing activities be performed without log files being created?
The lack of appropriate logging and monitoring mechanisms can increase intentional or accidental abuse of processes/procedures and resources, resulting in the subsequent abuse of personal data.
Examples:
  • There is no list of persons accessing the computer room of a company on a daily basis.
  • Access to the medical files of patients in a clinic is not registered.
  • There is no policy in place mandating how the logs are monitored and what actions should be taken in case of repeated abuse of the system.

Based on the selections and justifications above, please assess the threat occurrence probability for this evaluation area.

3c. Parties/People Involved in the processing of Personal Data

Please reflect on the threat occurrence probability related to the parties/people involved in the processing of personal data.

For each question please select one of the options and add a brief explanatory note. At the bottom of the page please assess the threat occurrence probability for this evaluation area.

Is the processing of personal data performed by an undefined number of employees?
When access to (and further processing of) personal data is open to a large number of employees, the possibilities of abuse due to the human factor increase. Clearly defining who really needs to access the data and limiting access only to those persons can contribute to the security of personal data.
Examples:
  • The HR ticketing system of a company can be viewed by all staff members.
  • Medical records of patients can be processed by secretaries although only treating medical staff should have access.
Is any part of the data processing operation performed by a contractor/third party (data processor)?
When the processing is performed by external contractors, the organization may partially lose control over these data. Moreover, additional security threats may be introduced due to the threats that are inherent to these contractors. It is important for the organization to select contractors that can offer a high level of security and to clearly define what part of the processing is assigned to them, maintaining as high a level of control as possible.
Examples:
  • The IT system of a private school is hosted at an external data centre.
  • The client files of an insurance company are being processed by external associates of the company.
  • A specialised company is contracted for the destruction of patient files in a medical clinic.
  • A company uses a Cloud as a Service solution to manage internal resources.
Are the obligations of the parties/persons involved in personal data processing ambiguous or not clearly stated?
When employees are not clearly informed about their obligations, threats from accidental misuse (e.g. disclosure or destruction) of data may significantly increase.
Examples:
  • Employees are not clearly informed that they are processing confidential information which may not be disclosed to unauthorised parties.
  • External associates of a company are not given clear instructions regarding the required level of security of personal data processed by them.
Is the personnel involved in the processing of personal data unfamiliar with security matters?
When employees are not aware of the need to apply security measures, they can accidentally pose further threats to the system. Training can greatly contribute to making employees aware both of their data protection obligations and of the application of specific security measures.
Examples:
  • Not all persons involved in data processing are informed about possible security threats and proper use of resources.
  • The staff handling the telephone centre of a company has not been informed about possible phishing and targeted attacks.
Do the persons/parties involved in the data processing operation neglect to securely store and/or destroy personal data?
Many personal data breaches occur due to the lack of physical protection measures, such as locks and secure destruction systems. Paper-based files are usually part of the input or the output of an information system, can contain personal data and should also be protected from unauthorized disclosure and re-use.
Examples:
  • HR data of employees are not kept in locked file cabinets.
  • Copies of received invoices with credit card and bank account details are not being destroyed with paper shredders, after being processed.

Based on the selections and justifications above, please assess the threat occurrence probability for this evaluation area.

3d. Business Sector and Scale of Processing

Please reflect on the threat occurrence probability related to the business sector and the scale of processing.

For each question please select one of the options and add a brief explanatory note. At the bottom of the page please assess the threat occurrence probability for this evaluation area.

Do you consider your business sector as being prone to cyberattacks?
When security attacks have already taken place in a specific business sector, there is an indication that the organization would probably need to take additional measures to avoid a similar event.
Examples:
  • A number of companies (of the same sector) were attacked during the last year.
  • Publicity has been given to possible security threats and vulnerabilities of the particular business sector (e.g. as a result of a study).
Has your organization suffered any cyberattack or other type of security breach over the last two years?
If the organization has already been attacked or there are indications that this might have been the case, additional measures need to be taken to prevent similar events in the future.
Examples:
  • The IT department has discovered an increased number of unsuccessful attempts from external systems to gain unauthorised access to the database.
  • Locks in the central data centre have been violated.
Have you received any notifications and/or complaints with regard to the security of the IT system (used for the processing of personal data) over the last year?
Security bugs/holes can be exploited to perform attacks (cyber or physical) on systems and services. Information regarding such cases should be carefully considered.
Examples:
  • Users of the online service of an e-shop have notified that they could accidentally access accounts of other users.
  • Auditors have found that the password policy utilised by an online service is weak.
Does your processing operation concern a large volume of individuals and/or personal data?
The type and volume of personal data (scale) can make the processing operation attractive to attackers (due to the inherent value of these data).
Examples:
  • An online patient record application of a hospital which stores data of chronic disease patients all over the country.
  • An online dating site which stores profiles of hundreds of users.
Are there any security best practices specific to your business sector that have not been adequately followed?
Sector specific security measures are usually adjusted to the needs (and risks) of the particular sector. Lack of compliance with relevant best practices might be an indicator of poor security management.
Examples:
  • A company is subject to specific security measures for medical devices, financial services or telecommunication services.

Based on the selections and justifications above, please assess the threat occurrence probability for this evaluation area.

Impact evaluation

Based on the analysis of Step 1, the data controller/processor at this stage must assess the impact on the fundamental rights and freedoms of the individuals, resulting from the possible loss of security of the personal data. Four levels of impact are considered (Low, Medium, High, Very High) as shown in the table below.

LEVEL OF IMPACT: DESCRIPTION
Low: Individuals may encounter a few minor inconveniences, which they will overcome without any problem (time spent re-entering information, annoyances, irritations, etc.).
Medium: Individuals may encounter significant inconveniences, which they will be able to overcome despite a few difficulties (extra costs, denial of access to business services, fear, lack of understanding, stress, minor physical ailments, etc.).
High: Individuals may encounter significant consequences, which they should be able to overcome albeit with serious difficulties (misappropriation of funds, blacklisting by financial institutions, property damage, loss of employment, subpoena, worsening of health, etc.).
Very high: Individuals may encounter significant, or even irreversible, consequences, which they may not overcome (inability to work, long-term psychological or physical ailments, death, etc.).

The evaluation of impact is a qualitative process and a number of factors need to be considered by the data controller, such as the types of personal data, criticality of the processing operation, volume of personal data, special characteristics of the data controller, as well as special categories of data subjects.

2d. Overall Impact Evaluation

The overall impact evaluation for is


Impact assessment

Confidentiality Integrity Availability
Overall Impact Evaluation

Threat Analysis

A threat is any circumstance or event, which has the potential to adversely affect the security of personal data. At this step, the goal for the data controller/processor is to understand the threats related to the overall environment of the personal data processing (external or internal) and assess their likelihood (threat occurrence probability). Varying levels and types of threats to the confidentiality, integrity and availability of personal data could be considered in this respect.

Similar to the case of the evaluation of impact, the assessment of threat occurrence probability can only be qualitative, as it is very much related to the specific personal data processing environment. In the context of ENISA’s approach, three levels of threat occurrence probability are defined, namely:

  • Low: the threat is unlikely to materialize.
  • Medium: it is possible that the threat materializes.
  • High: the threat is likely to materialize.

To simplify the process for SMEs, ENISA’s approach defines four areas of assessment for threat occurrence probability and guides the controller through them, namely:

  • Network and technical resources (hardware and software)
  • Processes/Procedures Related to the Processing of Personal Data
  • Different parties and people involved in the processing operation
  • Business sector and scale of the processing

At the end, the threat occurrence probability is obtained as the highest of the scores obtained per area.

3e. Overall Threat Analysis

The threat occurrence probability for is


Impact assessment

Assessment area Probability
Network and Technical Resources
Processes/Procedures related to the processing of personal data
Parties/People involved in the processing of personal data
Business sector and scale of processing
Overall Threat Occurrence Probability ()

4. Risk evaluation

After evaluating the impact of the personal data processing operation and the relevant threat occurrence probability, the final evaluation of risk is possible as shown below.

                                        IMPACT LEVEL
THREAT OCCURRENCE PROBABILITY   Low           Medium        High / Very High
Low                             Low Risk      Medium Risk   High Risk
Medium                          Low Risk      Medium Risk   High Risk
High                            Medium Risk   High Risk     High Risk

The level of risk for the processing operation described earlier is .
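The two aggregation rules on this page (Step 3e: the overall threat occurrence probability is the highest score across the four assessment areas; Step 4: the risk matrix above) can be written down as a small, checkable procedure. The following is an added example, not part of the original page or of ENISA's tool. It assumes that the overall impact of Step 2d is the highest of the confidentiality, integrity and availability ratings (the page does not state that rule; it is an assumption here), and the sample ratings for a small clinic are constructed for illustration.

```python
from enum import IntEnum


class Impact(IntEnum):
    """Level of impact on the individual (Step 2, four-level table)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4


class Probability(IntEnum):
    """Threat occurrence probability (Step 3, three-level scale)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Risk(IntEnum):
    """Resulting level of risk (Step 4)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# The four assessment areas of Step 3a-3d; every one of them must be rated.
REQUIRED_AREAS = ("network", "processes", "parties", "sector")

# Risk matrix of Step 4. Rows: threat occurrence probability; columns: impact.
# "High / Very High" impact is a single column, so Very High maps onto HIGH below.
_RISK_MATRIX = {
    Probability.LOW:    {Impact.LOW: Risk.LOW,    Impact.MEDIUM: Risk.MEDIUM, Impact.HIGH: Risk.HIGH},
    Probability.MEDIUM: {Impact.LOW: Risk.LOW,    Impact.MEDIUM: Risk.MEDIUM, Impact.HIGH: Risk.HIGH},
    Probability.HIGH:   {Impact.LOW: Risk.MEDIUM, Impact.MEDIUM: Risk.HIGH,   Impact.HIGH: Risk.HIGH},
}


def overall_impact(confidentiality: Impact, integrity: Impact, availability: Impact) -> Impact:
    # Assumption (not stated on the page): the overall impact is the highest of the three.
    return max(confidentiality, integrity, availability)


def overall_threat_probability(areas: dict) -> Probability:
    """Step 3e: the highest score obtained across the four assessment areas.

    An area that was skipped must not silently count as Low, so a missing
    area is an error rather than a default.
    """
    missing = [a for a in REQUIRED_AREAS if a not in areas]
    if missing:
        raise ValueError(f"unrated assessment area(s): {', '.join(missing)}")
    return max(Probability(areas[a]) for a in REQUIRED_AREAS)


def risk_level(impact: Impact, probability: Probability) -> Risk:
    """Step 4 matrix lookup; Very High impact shares the High column."""
    column = Impact.HIGH if impact >= Impact.HIGH else impact
    return _RISK_MATRIX[probability][column]


def assess(impacts: dict, areas: dict) -> dict:
    """Run Steps 2d, 3e and 4 together and return the three results."""
    impact = overall_impact(impacts["confidentiality"], impacts["integrity"], impacts["availability"])
    probability = overall_threat_probability(areas)
    return {"impact": impact, "probability": probability, "risk": risk_level(impact, probability)}


# Constructed sample: a small clinic's patient file system (hypothetical ratings).
SAMPLE_IMPACTS = {
    "confidentiality": Impact.HIGH,    # medical data disclosed to unauthorized parties
    "integrity": Impact.MEDIUM,        # a changed record must be re-checked by staff
    "availability": Impact.MEDIUM,     # patients must re-supply information if lost
}
SAMPLE_AREAS = {
    "network": Probability.MEDIUM,     # remote access for doctors over the internet
    "processes": Probability.LOW,      # roles and logging are defined
    "parties": Probability.MEDIUM,     # an external contractor hosts the system
    "sector": Probability.LOW,         # no incidents or complaints so far
}

if __name__ == "__main__":
    result = assess(SAMPLE_IMPACTS, SAMPLE_AREAS)
    for key, value in result.items():
        print(f"{key}: {value.name}")
```

For the constructed clinic the overall impact is High and the threat occurrence probability is Medium, which the matrix turns into High Risk, so the measures assigned to the high risk level in Step 5 would apply. Raising an error for an unrated area mirrors the page's instruction that every evaluation area must be assessed before the overall probability is read off.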

5. Security Measures

It should be noted that the adequacy of measures to specific risk levels should not be perceived as absolute. Depending on the context of the personal data processing, the organization can consider adopting additional measures, even if they are assigned to a higher level of risk. Furthermore, the proposed list of measures does not take into account other additional sector specific security requirements, as well as specific regulatory obligations, arising for example from the ePrivacy Directive or the NIS Directive. In an attempt to further facilitate this procedure a mapping of the proposed group of measures with the ISO/IEC 27001:2013 security controls is also included.

Please find below a list of proposed technical and organizational measures for the processing operation , whose level of risk, according to the information provided earlier, is .

Please also note that guidance on basic categories of technical security measures is available in the ENISA report available here.

Security policy and procedures for the protection of personal data

Measure Identifier Measure Description Risk level
A.1 The organization should document its policy with regards to personal data processing as part of its information security policy.
A.2 The security policy should be reviewed and revised, if necessary, on an annual basis.
A.3 The organization should document a separate dedicated security policy with regard to the processing of personal data. The policy should be approved by management and communicated to all employees and relevant external parties.
A.4 The security policy should at least refer to: the roles and responsibilities of personnel, the baseline technical and organisation measures adopted for the security of personal data, the data processors or other third parties involved in the processing of personal data.
A.5 An inventory of specific policies/procedures related to the security of personal data should be created and maintained, based on the general security policy.
A.6 The security policy should be reviewed and revised, if necessary, every six months.
Related to ISO 27001:2013 - A.5 Security policy

Roles and responsibilities

Measure Identifier Measure Description Risk level
B.1 Roles and responsibilities related to the processing of personal data should be clearly defined and allocated in accordance with the security policy.
B.2 During internal re-organizations or terminations and change of employment, revocation of rights and responsibilities with respective hand over procedures should be clearly defined.
B.3 Clear appointment of persons in charge of specific security tasks should be performed, including the appointment of a security officer.
B.4 The security officer should be formally appointed (documented). The tasks and responsibilities of the security officer should also be clearly set and documented.
B.5 Conflicting duties and areas of responsibility, for example the roles of security officer, security auditor and DPO, should be considered for segregation to reduce opportunities for unauthorized or unintentional modification or misuse of personal data.
Related to ISO 27001:2013 - A.6.1.1 Information security roles and responsibilities

Access control policy

Measure Identifier Measure Description Risk level
C.1 Specific access control rights should be allocated to each role (involved in the processing of personal data) following the need to know principle.
C.2 An access control policy should be detailed and documented. The organization should determine in this document the appropriate access control rules, access rights and restrictions for specific user roles towards the processes and procedures related to personal data.
C.3 Segregation of access control roles (e.g. access request, access authorization, access administration) should be clearly defined and documented.
C.4 Roles with excessive access rights should be clearly defined and assigned to limited specific members of staff.
Related to ISO 27001:2013 - A.9.1.1 Access control policy

Resource/asset management

Measure Identifier Measure Description Risk level
D.1 The organization should have a register of the IT resources used for the processing of personal data (hardware, software, and network). The register could include at least the following information: IT resource, type (e.g. server, workstation), location (physical or electronic). A specific person should be assigned the task of maintaining and updating the register (e.g. IT officer).
D.2 IT resources should be reviewed and updated on a regular basis.
D.3 Roles having access to certain resources should be defined and documented.
D.4 IT resources should be reviewed and updated on an annual basis.
Related to ISO 27001:2013 - A.8 Asset management

Change management

Measure Identifier Measure Description Risk level
E.1 The organization should make sure that all changes to the IT system are registered and monitored by a specific person (e.g. IT or security officer). Regular monitoring of this process should take place.
E.2 Software development should be performed in a special environment that is not connected to the IT system used for the processing of personal data. When testing is needed, dummy data should be used (not real data). In cases that this is not possible, specific procedures should be in place for the protection of personal data used in testing.
E.3 A detailed and documented change policy should be in place. It should include: a process for introducing changes, the roles/users that have change rights, timelines for introducing changes. The change policy should be regularly updated.
Related to ISO 27001:2013 - A.12.1 Operational procedures and responsibilities

Data processors

Measure Identifier Measure Description Risk level
F.1 Formal guidelines and procedures covering the processing of personal data by data processors (contractors/outsourcing) should be defined, documented and agreed between the data controller and the data processor prior to the commencement of the processing activities. These guidelines and procedures should mandatorily establish the same level of personal data security as mandated in the organization’s security policy.
F.2 Upon becoming aware of a personal data breach, the data processor shall notify the controller without undue delay.
F.3 Formal requirements and obligations should be formally agreed between the data controller and the data processor. The data processor should provide sufficient documented evidence of compliance.
F.4 The data controller’s organization should regularly audit the compliance of the data processor to the agreed level of requirements and obligations.
F.5 The employees of the data processor who are processing personal data should be subject to specific documented confidentiality/ non-disclosure agreements.
Related to ISO 27001:2013 - A.15 Supplier relationships

Incidents handling / Personal data breaches

Measure Identifier Measure Description Risk level
G.1 An incident response plan with detailed procedures should be defined to ensure an effective and orderly response to incidents pertaining to personal data.
G.2 Personal data breaches should be reported immediately to the management. Notification procedures for the reporting of the breaches to competent authorities and data subjects should be in place, following art. 33 and 34 GDPR.
G.3 The incidents’ response plan should be documented, including a list of possible mitigation actions and clear assignment of roles.
G.4 Incidents and personal data breaches should be recorded along with details regarding the event and subsequent mitigation actions performed.
Related to ISO 27001:2013 - A.16 Information security incident management

Business continuity

Measure Identifier Measure Description Risk level
H.1 The organization should establish the main procedures and controls to be followed in order to ensure the required level of continuity and availability of the IT system processing personal data (in the event of an incident/personal data breach).
H.2 A BCP should be detailed and documented (following the general security policy). It should include clear actions and assignment of roles.
H.3 A level of guaranteed service quality should be defined in the BCP for the core business processes that provide for personal data security.
H.4 Specific personnel with the necessary responsibility, authority and competence to manage business continuity in the event of an incident/personal data breach should be nominated.
H.5 An alternative facility should be considered, depending on the organization and the acceptable downtime of the IT system.
Related to ISO 27001:2013 - A. 17 Information security aspects of business continuity management

Confidentiality of personnel

Measure Identifier Measure Description Risk level
I.1 The organization should ensure that all employees understand their responsibilities and obligations related to the processing of personal data. Roles and responsibilities should be clearly communicated during the pre-employment and/or induction process.
I.2 Prior to taking up their duties, employees should be asked to review and agree to the security policy of the organization and sign the respective confidentiality and non-disclosure agreements.
I.3 Employees involved in high risk processing of personal data should be bound to specific confidentiality clauses (under their employment contract or other legal act).
Related to ISO 27001:2013 - A.7 Human resource security

Training

Measure Identifier Measure Description Risk level
J.1 The organization should ensure that all employees are adequately informed about the security controls of the IT system that relate to their everyday work. Employees involved in the processing of personal data should also be properly informed about relevant data protection requirements and legal obligations through regular awareness campaigns.
J.2 The organization should have structured and regular training programmes for staff, including specific programmes for the induction (to data protection matters) of newcomers.
J.3 A training plan with defined goals and objectives should be prepared and executed on an annual basis.
Related to ISO 27001:2013 - A.7.2.2 Information security awareness, education and training

Access control and authentication

Measure Identifier Measure Description Risk level
K.1 An access control system applicable to all users accessing the IT system should be implemented. The system should allow creating, approving, reviewing and deleting user accounts.
K.2 The use of common user accounts should be avoided. In cases where this is necessary, it should be ensured that all users of the common account have the same roles and responsibilities.
K.3 An authentication mechanism should be in place, allowing access to the IT system (based on the access control policy and system). As a minimum a username/password combination should be used. Passwords should respect a certain (configurable) level of complexity.
K.4 The access control system should have the ability to detect and not allow the usage of passwords that don’t respect a certain (configurable) level of complexity.
K.5 A specific password policy should be defined and documented. The policy should include at least password length, complexity, validity period, as well as number of acceptable unsuccessful login attempts.
K.6 User passwords must be stored in a “hashed” form.
K.7 Two-factor authentication should preferably be used for accessing systems that process personal data. The authentication factors could be passwords, security tokens, USB sticks with a secret token, biometrics etc.
K.8 Device authentication should be used to guarantee that the processing of personal data is performed only through specific resources in the network.
Related to ISO 27001:2013 - A.9 Access control
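As an added illustration of measures K.3 to K.6 (this is example code written for this page, not part of the ENISA tool), the following shows a configurable password policy with complexity checking and a failed-attempt lockout threshold, and password storage as a salted scrypt hash rather than plaintext. The PasswordPolicy, AccountStore names and the scrypt cost parameters are assumptions of the example.

```python
import hashlib, hmac, os, re
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    """Configurable policy per K.5: length, complexity and lockout threshold."""
    min_length: int = 12
    require_classes: int = 3   # out of: lower, upper, digit, symbol
    max_failed_attempts: int = 5
    def violations(self, password):
        """Rule violations for K.4; an empty list means the password is acceptable."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
        classes = sum(bool(re.search(p, password)) for p in patterns)
        if classes < self.require_classes:
            problems.append(f"{classes} character classes, {self.require_classes} required")
        return problems

def hash_password(password):
    """K.6: store a salted scrypt hash, never the plaintext (cost parameters are illustrative)."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)

class AccountStore:
    def __init__(self, policy):
        self.policy = policy
        self.accounts = {}  # username -> {"hash": str, "failed": int, "locked": bool}
    def register(self, user, password):
        problems = self.policy.violations(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        self.accounts[user] = {"hash": hash_password(password), "failed": 0, "locked": False}
    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None or acct["locked"]:
            return False
        if verify_password(acct["hash"], password):
            acct["failed"] = 0
            return True
        acct["failed"] += 1   # K.5: lock the account after too many failed attempts
        acct["locked"] = acct["failed"] >= self.policy.max_failed_attempts
        return False
```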

Logging and monitoring

Measure Identifier Measure Description Risk level
L.1 Log files should be activated for each system/application used for the processing of personal data. They should include all types of access to data (view, modification, deletion).
L.2 Log files should be timestamped and adequately protected against tampering and unauthorized access. Clocks should be synchronised to a single reference time source.
L.3 Actions of the system administrators and system operators, including addition/deletion/change of user rights should be logged.
L.4 There should be no possibility of deletion or modification of log files content. Access to the log files should also be logged in addition to monitoring for detecting unusual activity.
L.5 A monitoring system should process the log files and produce reports on the status of the system and notify for potential alerts.
Related to ISO 27001:2013 - A.12.4 Logging and monitoring
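As an added example for L.1, L.2, L.4 and L.5 (written for this page, not code from the ENISA tool), the log below records every access with a UTC timestamp and chains each record to the hash of its predecessor, so that editing or removing an earlier record is detectable on verification; a small monitoring rule flags actors with unusually many deletions. The AuditLog and verify_chain names are assumptions of the example.

```python
import hashlib
import json
from collections import Counter
from datetime import datetime, timezone

GENESIS = "0" * 64   # previous-hash value of the very first record

def _record_hash(prev_hash, body):
    """Hash of a record body chained to its predecessor's hash (L.2/L.4)."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

class AuditLog:
    """Append-only access log; each record commits to the one before it."""
    def __init__(self):
        self.records = []

    def append(self, actor, action, record_id, when=None):
        """L.1: log every view/modification/deletion with a UTC timestamp (L.2)."""
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"ts": when or datetime.now(timezone.utc).isoformat(),
                "actor": actor, "action": action, "record": record_id, "prev": prev}
        entry = dict(body, hash=_record_hash(prev, body))
        self.records.append(entry)
        return entry["hash"]

def verify_chain(records, expected_head=None):
    """Return (ok, index): index of the first inconsistent record, or -1 if intact.
    Editing or removing an interior record breaks the chain; removing the tail
    is only caught when the latest hash is anchored elsewhere (expected_head)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("prev") != prev or _record_hash(prev, body) != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(records)
    return True, -1

def actors_exceeding_deletions(records, limit):
    """L.5: simple monitoring rule flagging actors with at least `limit` deletions."""
    counts = Counter(r["actor"] for r in records if r["action"] == "delete")
    return sorted(a for a, n in counts.items() if n >= limit)
```

Forwarding the latest hash to a separate monitoring system (L.5) is what turns truncation of the log into a detectable event.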

Server/Database security

Measure Identifier Measure Description Risk level
M.1 Database and applications servers should be configured to run using a separate account, with minimum OS privileges to function correctly.
M.2 Database and application servers should only process the personal data that are actually needed in order to achieve the processing purposes.
M.3 Encryption solutions should be considered on specific files or records through software or hardware implementation.
M.4 Encrypting storage drives should be considered.
M.5 Pseudonymization techniques should be applied through separation of data from direct identifiers, to avoid linking to the data subject without additional information.
M.6 Techniques supporting privacy at the database level, such as authorized queries, privacy preserving data base querying, searchable encryption, etc., should be considered.
Related to ISO 27001:2013 - A. 12 Operations security
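As an added example for M.5 (written for this page, not code from the ENISA tool), the following strips the direct identifiers from each record and replaces them with a keyed pseudonym, keeping the key and the re-identification table apart from the working dataset. The Pseudonymizer class, its field names and the sample records are assumptions constructed for the example.

```python
import hashlib
import hmac

class Pseudonymizer:
    """Keeps the pseudonym key and the re-identification table apart from the
    working dataset (hypothetical helper illustrating M.5)."""
    DIRECT_FIELDS = ("name", "email")   # direct identifiers to strip

    def __init__(self, key):
        self._key = key                 # held by the controller, not with the data
        self._identity_table = {}       # pseudonym -> direct identifiers

    def pseudonym(self, direct_ids):
        """Keyed HMAC so the pseudonym is consistent per subject but cannot be
        reversed or recomputed without the key (a plain hash of the email could be)."""
        material = "|".join(direct_ids[f] for f in self.DIRECT_FIELDS)
        return hmac.new(self._key, material.encode(), hashlib.sha256).hexdigest()[:16]

    def split(self, record):
        """Return the working record with identifiers replaced by a pseudonym."""
        direct = {f: record[f] for f in self.DIRECT_FIELDS}
        p = self.pseudonym(direct)
        self._identity_table[p] = direct
        working = {k: v for k, v in record.items() if k not in self.DIRECT_FIELDS}
        working["subject"] = p
        return working

    def reidentify(self, pseudonym):
        """Only possible with the separately held table (the "additional information")."""
        return self._identity_table.get(pseudonym)

def pseudonymize_dataset(records, key):
    """Split a list of records; returns (working_records, pseudonymizer)."""
    ps = Pseudonymizer(key)
    return [ps.split(r) for r in records], ps
```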

Workstation security

Measure Identifier Measure Description Risk level
N.1 Users should not be able to deactivate or bypass security settings.
N.2 Anti-virus applications and detection signatures should be configured on a weekly basis.
N.3 Users should not have privileges to install or deactivate unauthorized software applications.
N.4 The system should have session time-outs when the user has not been active for a certain time period.
N.5 Critical security updates released by the operating system developer should be installed regularly.
N.6 Anti-virus applications and detection signatures should be configured on a daily basis.
N.7 It should not be allowed to transfer personal data from workstations to external storage devices (e.g. USB, DVD, external hard drives).
N.8 Workstations used for the processing of personal data should preferably not be connected to the Internet unless security measures are in place to prevent unauthorised processing, copying and transfer of the personal data stored on them.
N.9 Full disk encryption should be enabled on the workstation operating system drives.
Related to ISO 27001:2013 - A. 14.1 Security requirements of information systems

Network/Communication security

Measure Identifier Measure Description Risk level
O.1 Whenever access is performed through the Internet, communication should be encrypted through cryptographic protocols (TLS/SSL).
O.2 Wireless access to the IT system should be allowed only for specific users and processes. It should be protected by encryption mechanisms.
O.3 Remote access to the IT system should in general be avoided. In cases where this is absolutely necessary, it should be performed only under the control and monitoring of a specific person from the organization (e.g. IT administrator/security officer) through pre-defined devices.
O.4 Traffic to and from the IT system should be monitored and controlled through Firewalls and Intrusion Detection Systems.
O.5 Connection to the internet should not be allowed to servers and workstations used for the processing of personal data.
O.6 The network of the information system should be segregated from the other networks of the data controller.
O.7 Access to the IT system should be performed only by pre-authorized devices and terminals, using techniques such as MAC filtering or Network Access Control (NAC).
Related to ISO 27001:2013 - A.13 Communications Security

Back-ups

Measure Identifier Measure Description Risk level
P.1 Backup and data restore procedures should be defined, documented and clearly linked to roles and responsibilities.
P.2 Backups should be given an appropriate level of physical and environmental protection consistent with the standards applied on the originating data.
P.3 Execution of backups should be monitored to ensure completeness.
P.4 Full backups should be carried out regularly.
P.5 Backup media should be regularly tested to ensure that they can be relied upon for emergency use.
P.6 Scheduled incremental backups should be carried out at least on a daily basis.
P.7 Copies of the backup should be securely stored in different locations.
P.8 In case a third party service for back up storage is used, the copy must be encrypted before being transmitted from the data controller.
P.9 Copies of backups should be encrypted and securely stored offline as well.
Related to ISO 27001:2013 - A.12.3 Back-Up

Mobile/Portable devices

Measure Identifier Measure Description Risk level
Q.1 Mobile and portable device management procedures should be defined and documented establishing clear rules for their proper use.
Q.2 Mobile devices that are allowed to access the information system should be pre-registered and pre-authorized.
Q.3 Mobile devices should be subject to the same levels of access control procedures (to the data processing system) as other terminal equipment.
Q.4 Specific roles and responsibilities regarding mobile and portable device management should be clearly defined.
Q.5 The organization should be able to remotely erase personal data (related to its processing operation) on a mobile device that has been compromised.
Q.6 Mobile devices should support separation of private and business use of the device through secure software containers.
Q.7 Mobile devices should be physically protected against theft when not in use.
Q.8 Two-factor authentication should be considered for accessing mobile devices.
Q.9 Personal data stored at the mobile device (as part of the organization’s data processing operation) should be encrypted.
Related to ISO 27001:2013 - A. 6.2 Mobile devices and teleworking

Application lifecycle security

Measure Identifier Measure Description Risk level
R.1 During the development lifecycle, best practices, state-of-the-art and well-acknowledged secure development practices, frameworks or standards should be followed.
R.2 Specific security requirements should be defined during the early stages of the development lifecycle.
R.3 Specific technologies and techniques designed for supporting privacy and data protection (also referred to as Privacy Enhancing Technologies (PETs)) should be adopted in analogy to the security requirements.
R.4 Secure coding standards and practices should be followed.
R.5 During development, testing and validation of the implementation against the initial security requirements should be performed.
R.6 Vulnerability assessment, application and infrastructure penetration testing should be performed by a trusted third party prior to the operational adoption. The application shall not be adopted unless the required level of security is achieved.
R.7 Periodic penetration testing should be carried out.
R.8 Information about technical vulnerabilities of information systems being used should be obtained.
R.9 Software patches should be tested and evaluated before they are installed in an operational environment.
Related to ISO 27001:2013 - A.12.6 Technical vulnerability management & A.14.2 Security in development and support processes

Data deletion/disposal

Measure Identifier Measure Description Risk level
S.1 Software-based overwriting should be performed on all media prior to their disposal. In cases where this is not possible (CDs, DVDs, etc.), physical destruction should be performed.
S.2 Shredding of paper and portable media used to store personal data shall be carried out.
S.3 Multiple passes of software-based overwriting should be performed on all media before being disposed.
S.4 If a third party’s services are used to securely dispose of media or paper based records, a service agreement should be in place and a record of destruction of records should be produced as appropriate.
S.5 Following the software erasure, additional hardware based measures such as degaussing should be performed. Depending on the case, physical destruction should also be considered.
S.6 If a third party (and therefore a data processor) is used for the destruction of media or paper-based files, it should be considered that the process takes place at the premises of the data controller (avoiding off-site transfer of personal data).
Related to ISO 27001:2013 - A. 8.3.2 Disposal of media & A. 11.2.7 Secure disposal or re-use of equipment

Physical security

Measure Identifier Measure Description Risk level
T.1 The physical perimeter of the IT system infrastructure should not be accessible by non-authorized personnel.
T.2 Clear identification, through appropriate means e.g. ID Badges, for all personnel and visitors accessing the premises of the organization should be established, as appropriate.
T.3 Secure zones should be defined and be protected by appropriate entry controls. A physical log book or electronic audit trail of all access should be securely maintained and monitored.
T.4 Intruder detection systems should be installed in all security zones.
T.5 Physical barriers should, where applicable, be built to prevent unauthorized physical access.
T.6 Vacant secure areas should be physically locked and periodically reviewed.
T.7 An automatic fire suppression system, a closed-control dedicated air conditioning system and an uninterruptible power supply (UPS) should be implemented in the server room.
T.8 External party support service personnel should be granted restricted access to secure areas.
Related to ISO 27001:2013 - A.11 – Physical and environmental security

6. Export the analysis and the proposed measures

Please note that none of the data/information entered is saved and it will not be available should the browser be closed. Selecting the button below, you will be able to export (in PDF format) all the information entered, along with the identified level of risk of the processing operations, in addition to the proposed security (technical and organizational) measures.
