
GDPR

How should your organization act to handle the GDPR requirements?

GDPR puts requirements on the handling of personal information that can be relevant for all parts of your organization. When we compare GDPR's requirements on the protection of personal data with the 114 information security controls in ISO/IEC 27001 Annex A, together with other relevant ISO/IEC standards, we find that these standards provide a solid base for meeting the requirements of GDPR. There are of course unique requirements in GDPR that will require additional controls in order to manage them specifically.

See the Veriscan pdf: Information Security Management System (ISMS) and handling of personal data

Information classification for your organization including GDPR

Including GDPR in the normal classification of your information is a smart solution, because it establishes one common process as part of your Information Security Management System (ISMS) based on the ISO 27000 family of standards. The classification of information assets is defined as control A.8.2.1 in ISO/IEC 27001, and GDPR likewise requires that personal information is classified from the perspective of the individual citizen.

In order to combine these activities in one process, the following steps in the classification process are necessary:

  • Establish a concise scale of consequences in your classification model.
  • Establish a routine for handling personal information, preferably integrated in the business processes where you handle this kind of information, and establish information ownership roles.
  • Complement the classification model covering the traditional information security perspectives (CIA) with the impact on the individual citizen and the grounds on which you process personal information.
  • An efficient classification tool supporting both tasks is obviously an advantage.
  • A key objective is to establish one information asset register that continuously combines the results and conclusions from the classification process over time.

Information classification

In this example from our tool for information classification – Veriscan vIC – we show a classification model based on four traditional perspectives together with an assessment of the impact on the individual citizen and the legal grounds for handling personal information.

Identification and visualization of information assets provides overview and understanding

Classifying your information including the GDPR requirements, and building one common register, provides a strong foundation for the subsequent risk assessment and risk management needed to protect these assets.

To accomplish this, you need to know where the information, and specifically your personally identifiable information (PII), resides. With these information assets identified you are able to assess vulnerabilities, threats and potential consequences as a basis for decisions on protective measures and for implementing efficient risk protection. Building on these steps, supported by ISO/IEC 27001, we have developed an effective methodology to help you implement this process. The classification process can be done in many ways, and our tool – Veriscan vIC – provides support for it. It ensures that the information asset register you build includes not only information but also information-handling assets such as business systems, applications, databases, IT services, cloud services and infrastructure.

Being able to visualize and dynamically produce reports from the information asset register, using Veriscan vIC, gives you the quick and simple overview that information owners, object owners, risk owners, the CISO and various management levels require.

In this example you will see how one specific personally identifiable information (PII) asset is spread across, and present in, several different IT systems/IT services deployed by an organization.

vIC

The dark grey box represents a specific information type consisting of personally identifiable information (PII) within the CRS System. This PII is present in the internal Data Center, but the same PII is also present in the marketing Campaign System, which is operated and running as a Cloud Service.
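The classification steps listed above and the "where does this PII reside" view in the illustration can be combined in one small information asset register. The following is an added example, not Veriscan's code or the vIC data model: it classifies each information type on the traditional perspectives plus the two GDPR dimensions (impact on the individual, legal ground), attaches information types to the information-handling assets that hold them, and reports where a given PII type is present and which PII has left the internal data center. The page names CIA but not the fourth traditional perspective, so "traceability" is an assumption; the consequence scale, the sample information types and the asset names other than the CRS System and Campaign System are constructed for the example.

```python
"""Added example: a minimal information asset register with GDPR-aware classification.
Not Veriscan's code; the four-step consequence scale and the sample data are constructed."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Concise consequence scale shared by every perspective (assumed four-step scale)."""
    LOW = 1
    MODERATE = 2
    HIGH = 3
    SEVERE = 4


# Traditional perspectives. CIA comes from the page; "traceability" is an assumption
# standing in for the page's unnamed fourth perspective.
PERSPECTIVES = ("confidentiality", "integrity", "availability", "traceability")

# Lawful bases for processing listed in GDPR Article 6(1).
LEGAL_GROUNDS = frozenset({"consent", "contract", "legal_obligation",
                           "vital_interests", "public_task", "legitimate_interests"})


@dataclass
class InformationType:
    name: str
    perspectives: dict                          # perspective name -> Level
    contains_pii: bool = False
    individual_impact: Optional[Level] = None   # GDPR: consequence for the data subject
    legal_ground: Optional[str] = None          # GDPR: basis for processing

    def validate(self) -> list:
        """Return the reasons this classification is incomplete (empty list = complete)."""
        problems = []
        missing = [p for p in PERSPECTIVES if p not in self.perspectives]
        if missing:
            problems.append(f"{self.name}: no level for {', '.join(missing)}")
        if self.contains_pii:
            if self.individual_impact is None:
                problems.append(f"{self.name}: PII without impact on the individual")
            if self.legal_ground not in LEGAL_GROUNDS:
                problems.append(f"{self.name}: PII without a valid legal ground")
        return problems

    def overall(self) -> Level:
        """Highest level across the traditional perspectives and the individual impact."""
        levels = list(self.perspectives.values())
        if self.individual_impact is not None:
            levels.append(self.individual_impact)
        return max(levels)


@dataclass
class Asset:
    """An information-handling asset: business system, database, cloud service, ..."""
    name: str
    kind: str
    location: str                              # e.g. "internal data center" or "cloud"
    holds: set = field(default_factory=set)    # names of information types present


class Register:
    def __init__(self):
        self.types = {}
        self.assets = []

    def add_type(self, info: InformationType):
        self.types[info.name] = info

    def add_asset(self, asset: Asset):
        unknown = asset.holds - set(self.types)
        if unknown:   # an asset may only hold information that has been classified
            raise ValueError(f"{asset.name} references unclassified types: {sorted(unknown)}")
        self.assets.append(asset)

    def where(self, type_name: str) -> list:
        """Every asset in which one information type is present (the spread view)."""
        return [a.name for a in self.assets if type_name in a.holds]

    def pii_outside(self, location: str) -> dict:
        """PII types that are held anywhere other than the given location."""
        out = {}
        for a in self.assets:
            if a.location == location:
                continue
            for t in sorted(a.holds):
                if self.types[t].contains_pii:
                    out.setdefault(t, []).append(a.name)
        return out

    def asset_classification(self) -> dict:
        """Each asset inherits the highest overall level of the information it holds."""
        return {a.name: max(self.types[t].overall() for t in a.holds) for a in self.assets}

    def incomplete(self) -> list:
        return [p for t in self.types.values() for p in t.validate()]


def build_sample_register() -> Register:
    """Constructed sample mirroring the illustration: one PII type in the internal
    CRS System and in the Campaign System running as a cloud service."""
    reg = Register()
    reg.add_type(InformationType(
        "Customer contact details",
        {"confidentiality": Level.HIGH, "integrity": Level.MODERATE,
         "availability": Level.LOW, "traceability": Level.MODERATE},
        contains_pii=True, individual_impact=Level.SEVERE, legal_ground="contract"))
    reg.add_type(InformationType(
        "Product catalogue",
        {"confidentiality": Level.LOW, "integrity": Level.MODERATE,
         "availability": Level.MODERATE, "traceability": Level.LOW}))
    reg.add_type(InformationType(   # deliberately incomplete: PII with no legal ground
        "Newsletter sign-ups", {p: Level.LOW for p in PERSPECTIVES},
        contains_pii=True, individual_impact=Level.MODERATE))
    reg.add_asset(Asset("CRS System", "business system", "internal data center",
                        {"Customer contact details"}))
    reg.add_asset(Asset("Campaign System", "cloud service", "cloud",
                        {"Customer contact details", "Product catalogue", "Newsletter sign-ups"}))
    reg.add_asset(Asset("Web shop", "application", "internal data center",
                        {"Product catalogue"}))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print(reg.where("Customer contact details"))       # where one PII type is present
    print(reg.pii_outside("internal data center"))     # PII that has left the data center
    print(reg.asset_classification())                  # level inherited by each asset
    print(reg.incomplete())                            # classification gaps to resolve
```

Note how "Customer contact details" ends up classified SEVERE even though its highest CIA level is HIGH: the individual-impact dimension raises the overall level, and every asset holding it inherits that level, which is what makes the PII entries in the register useful as input to the risk assessment.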

Risk assessment and risk management for the protection of personally identifiable information (PII)

Depending on where PII resides you will have different information security risk scenarios to handle. You might also face risks connected to handling PII in the various processes that GDPR requires, e.g. the incident management process. These risks should be captured within the risk assessments that are executed as part of the Information Security Management System (ISMS) according to ISO/IEC 27001.

It is imperative that you manage to capture these risk scenarios using your risk assessment methodology and process. Your methodology, your process and your supporting tools all influence how effective your risk protection and management become. Veriscan can support, and help fine-tune, your methodology and process, and can also provide an effective and simple tool – VeriscanRISK.

Personal data in VeriscanRISK

This illustration shows how VeriscanRISK easily allows you to select and report on the relevant risks connected to your PII. Note that these risks may at the same time have other connections within information security, e.g. towards compliance regulations. In this way you can limit the number of registered risks you handle while still covering several impacted risk scenarios. With this risk assessment as a foundation you continue with decisions on protective measures and assign responsibility, time schedule and follow-up/reporting. These steps are also supported in VeriscanRISK.

Measuring the performance of your information security protection including GDPR

A performance measurement of your information security using Veriscan Rating provides a powerful assessment of indicators on how well you handle the requirements of GDPR. It also provides concise reports for the Executive Management. Repeating this measurement regularly builds a foundation for follow-up and for continuously improving the information security in your organization, based on consistent and visual reporting.

Diagram in Veriscan Rating

The Veriscan Rating methodology is based on "best practice" developed in a large number of client measurement projects over 20 years, with a foundation in standards such as ISO/IEC 27001 Annex A and ISO/IEC 27002, together with additional specific controls developed internationally covering information security in IT systems, in organizations and in physical assets/sites. Here we will of course include specific controls covering the unique requirements of GDPR.