
Technical and organizational measures

 

Access control to premises and facilities

Measures must be taken to prevent unauthorized physical access to premises and facilities holding personal data. Measures shall include:

Technical measures:

  • Manual locking system

  • Video surveillance of the entrances

Organizational measures:

  • Key regulation & list

  • Reception

  • Visitors only accompanied by staff

  • Vacant rooms must always be locked

Access control to systems

Measures must be taken to prevent unauthorized access to IT systems. These must include the following technical and organizational measures for user identification and authentication:

Technical measures:

  • Login with a username and password

  • Password locking of computers

  • Provision of a password manager

  • Application of SSO where possible

  • Application of 2FA where possible

  • Application of VPN for production network access

  • Application of Anti-virus and security software

  • Application of a firewall, configured and operated by trained personnel

Organizational measures:

  • Manage user permissions

  • Create user profiles

  • "Secure password" policy

  • "Delete / Destroy" policy

  • "Clean desk" policy

  • Quarterly Access Reviews

 

Access control to data

Measures must be taken to prevent authorized users from accessing data beyond their authorized access rights and to prevent the unauthorized input, reading, copying, removal, modification or disclosure of data. These measures shall include:

Technical measures:

  • Physical deletion of data carriers

Organizational measures:

  • Use of authorization concepts

  • Paperless office

  • Minimum number of administrators

  • Data protection vault

  • Management of user rights by administrators

  • Differentiated access rights

  • Organizational training on correct behavior, such as locking the screen, no password reuse, complex passwords and avoiding the copying of data

Disclosure control

Measures must be taken to prevent the unauthorized access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include:

Technical measures:

  • Provision via encrypted https connections

  • Properly secured mobile devices

  • Encryption using a VPN or other encrypted protocols for remote access, transport and communication of data

Organizational measures:

  • Documentation of the data recipients as well as the duration of the planned transfer

 

Input control

Measures must be put in place to ensure that all data management and maintenance is logged and that an audit trail is maintained of whether data have been entered, changed or removed (deleted), and by whom. Measures should include:

Technical measures:

  • Logging user activities on IT systems

Organizational measures:

  • Overview of which programs can be used to enter, change or delete which data

  • Traceability of data entry, modification, and deletion by individual users

  • Clear responsibilities for deletions

Job control

Measures should be put in place to ensure that data is processed strictly in compliance with the data importer’s instructions. These measures must include:

  • Careful selection of sub-processors

  • DPAs with regard to GDPR are in place with sub-processors

  • Prior review of the security measures taken by the contractor and their documentation

  • Conclusion of the necessary agreement on commissioned processing or EU standard contractual clauses

  • Written instructions to the contractor

  • Obligation of the contractor's employees to maintain data secrecy

  • Regulation on the use of further subcontractors

Availability control

Measures should be put in place to ensure that data are protected against accidental destruction or loss. These measures must include:

Technical measures:

  • Fire and smoke detection systems

  • Our data center providers are certified to ISO/IEC 27001:2013

  • Proper electrical security measures including uninterruptible power supply (UPS) for self-hosted server facilities

Organizational measures:

  • Backup & recovery concept (see recoverability)

  • Control of the backup process

Organizational control

  • Periodic training of employees and sub-processors

  • Employee Handbook and Instructions on data security and privacy

  • Contractual obligation of non-disclosure for every employee as part of the onboarding process

  • Data protection officer

Separation control

It must be ensured that data collected for different purposes can be processed separately.

Technical measures:

  • Separation of productive and test environment

  • Physical separation (systems/databases/data carriers)

  • Multi-client capability of relevant applications

Organizational measures:

  • Control via authorization concept

  • Definition of database rights


Recoverability control

Rapid recovery of data after a failure must be ensured.

Technical measures:

  • Automated configuration of the infrastructure to quickly build it from scratch

  • Automated, daily backups of the last 30 days

Organizational measures:

  • Recovery test at least once per year

 

In addition, the technical and organizational measures are continuously monitored in our compliance system. A list can be found here: Trust Report (yasoon.com)