A pillar of the new privacy regulation (GDPR) is information security and the related internal control. The management of the business is responsible for establishing and maintaining an Information Security Management System (ISMS).
What is new in relation to this pillar is that there are considerably higher fines associated with significant deviations from these requirements.
The information a business processes must be protected according to the legislation and the organization's own needs. The processing of personal data must be legally justified.
The requirements for information processing must be risk-based, and the information must be protected with appropriate physical and logical security measures, both in normal operation and in the event of a disaster.
A policy for information security, with accompanying instructions for the different groups of employees, should be established. Training must be conducted so that management and employees are able to fulfill the requirements the company has defined.
Procedures for management review, maintenance of the control system and routines for the important operational processes (e.g. ITIL) must be prepared and put into operation.
There must be a system for exception/incident reporting, and monitoring of deviations and risk is key to the continuous improvement of the control system.
All procedures should be documented and maintained, and the documentation must show how the system has operated.
Depending on the customer's starting point, the internal control system must either be implemented from scratch or revitalized. Most of the establishment work takes place in workshops with the information security manager or DPO, other key resource personnel and leaders.
The following workshops can typically be carried out:
- Information mapping. Developing an overview of all business processes that handle information. Describing the legal basis for processing personal data. Updating the system overview with information owners, classification, deletion routines, etc.
- Conducting a risk assessment for information security, covering all IT systems, physical documents, records, personnel, etc.
- Establishing policies and guidelines for information security with role descriptions and periodic activities in an annual cycle.
- Documenting the required security level, management review, independent audit etc.
- Developing procedures for risk assessment, classification of data, change management, and exception/incident handling (reporting and processing events).
- Planning and implementing training for various groups as needed.
The result is an operational and documented information security management system with a governing part, an implementing part and a controlling part, and an organization that is competent and motivated to establish and maintain information security that meets the legal requirements and the business needs.