
General Data Protection Regulation (GDPR) / Information Security Awareness

Understand the importance of information security and classification under GDPR for the ISACA London Chapter members. Learn about data minimization, protection by default, retention, and encryption practices.



Presentation Transcript


  1. General Data Protection Regulation (GDPR) / Information Security Awareness Document Classification – Private Deepinder Chhabra – 15/05/2018

  2. Information Security
     • INFORMATION SECURITY means protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction.
     • GOAL – To protect the confidentiality, integrity and availability of information, including members' private information at rest and in transit, regardless of media.
     • EVERYONE¹ in the ISACA London Chapter (ILC) organisation is responsible for the members' personally identifiable information (MPII) held by:
     • All involved in handling MPII for delivering services to ILC members.
     ¹ Everyone includes: Board Directors, Apprentices, Administrators, Advisors.

  3. Why is Information Classification important for the ISACA London Chapter? As a membership organisation we hold and process MPII, and under the EU GDPR we must process MPII for a lawful purpose, take all necessary measures to protect the MPII, and process it in line with our obligations under the Affiliation Agreement with ISACA International (the Controller). Visible Information Classification helps us
     • Understand the need, priority and degree of protection required
     • Protect information against the threat of compromise

  4. Information Classification & Handling - ILC_GDPR-C_DOC_8.2.docm All ILC information labelled as Confidential or Restricted, or unlabelled where ILC is the custodian, should be treated as ILC Confidential. ILC information/data classified as Confidential or Restricted should be encrypted before sharing with legitimate parties.

  5. Topic: GDPR Data Minimisation All involved in the ILC delivery of services to members (Directors/Apprentices/Past Presidents/ILC) should make every attempt to ensure that the least amount of MPII required is used. MPII should be minimised. Explicit approval is required from the Presidential team before sharing Confidential information, especially Personal Information of Members, if it includes either of the following details:
     • Work/home postal address
     • Contact phone numbers

  6. Topic: GDPR Data Protection by Default/Design (Article 25) Before starting a new project, considering adoption of a new process/system, or engaging a third party that would involve processing of MPII, a DPIA should be conducted (as per ILC_GDPR DOC 2.4 Privacy Impact Assessment Procedure). The DPIA should confirm that sufficient controls will be/are embedded in the process/system or third party (through binding contracts) to protect MPII. Explicit approval from the President/Vice President is required before implementation.

  7. Topic: GDPR Retention and Deletion of MPII Each Directorate should delete MPII data immediately after use. That includes all paper copies and electronic formats. MPII should be stored only using an approved encryption format (AES 256 or the MS Office inbuilt encryption option in XML extensions). Please note that protecting an MS Office document does not equate to encryption. If any MPII has to be retained (as per the retention requirements outlined in ILC_GDPR DOC 2.3) then it should be shared with the Chapter Admin (in encrypted format) for retention. Please consult admin for the encryption passphrase to be used.
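The slide's warning that "protecting" an Office document is not the same as encrypting it can be checked mechanically. An unencrypted OOXML file (.docx/.xlsx/.pptx) is a plain ZIP archive whose XML parts are readable by anyone holding the file, and Word's "Restrict Editing" only adds a documentProtection element to settings.xml; a file produced by Office's "Encrypt with Password" is instead an OLE2 compound file that wraps the package in an encrypted stream. The script below is an added illustration, not part of the presentation or of any ILC procedure: it builds constructed sample files (a fake minimal .docx, the same file with an editing restriction, and a stub carrying only the OLE2 signature), classifies each by its container type, and shows that the "protected" copy still exposes its text. Distinguishing a password-encrypted file from a legacy binary .doc/.xls, which also uses the OLE2 container, would need a real OLE parser such as the olefile library (an assumption, not stdlib); the signature check here is the first-pass triage an admin could run over a retention folder.

```python
import io
import zipfile

# Container signatures: OOXML is a ZIP; Office "Encrypt with Password" output is an OLE2
# compound file holding EncryptionInfo/EncryptedPackage streams.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Elements Office writes for "Restrict Editing" / "Protect Sheet" / "Protect Workbook".
# They limit editing inside the application only; the content in the ZIP stays readable.
PROTECTION_MARKERS = (b"documentProtection", b"workbookProtection", b"sheetProtection")


def build_sample_docx(restrict_editing: bool) -> bytes:
    """Constructed minimal .docx-style ZIP (not a real Word file) holding MPII-like text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml",
                   "<w:document><w:t>Member: J. Doe, 1 Sample Street (constructed)</w:t></w:document>")
        protection = ('<w:documentProtection w:edit="readOnly" w:enforcement="1"/>'
                      if restrict_editing else "")
        z.writestr("word/settings.xml", f"<w:settings>{protection}</w:settings>")
    return buf.getvalue()


def build_sample_encrypted_stub() -> bytes:
    """Constructed stand-in: only the OLE2 signature of a password-encrypted file, padded to one sector."""
    return OLE_MAGIC + b"\x00" * (512 - len(OLE_MAGIC))


def classify_office_file(data: bytes) -> str:
    """Return 'ole-container', 'protected-not-encrypted', 'plaintext' or 'unknown'."""
    if data.startswith(OLE_MAGIC):
        # Password-encrypted OOXML lives in an OLE2 container (so do legacy .doc/.xls files;
        # a fuller check would look for an EncryptionInfo stream with an OLE parser).
        return "ole-container"
    if not data.startswith(ZIP_MAGIC):
        return "unknown"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".xml"):
                continue
            content = z.read(name)
            if any(marker in content for marker in PROTECTION_MARKERS):
                return "protected-not-encrypted"
    return "plaintext"


def extract_document_text(data: bytes) -> str:
    """What anyone holding the file can read without a passphrase: the XML body of a ZIP-based file."""
    if not data.startswith(ZIP_MAGIC):
        return ""  # an OLE-wrapped encrypted package exposes no readable XML without the passphrase
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "word/document.xml" not in z.namelist():
            return ""
        return z.read("word/document.xml").decode("utf-8")


if __name__ == "__main__":
    samples = [("plain", build_sample_docx(False)),
               ("restrict-editing", build_sample_docx(True)),
               ("encrypted-stub", build_sample_encrypted_stub())]
    for label, blob in samples:
        visible = "J. Doe" in extract_document_text(blob)
        print(f"{label:17} -> {classify_office_file(blob):24} member text readable: {visible}")
```

Run against a folder of retained files, anything reported as "plaintext" or "protected-not-encrypted" is not stored in the approved encrypted form and should be re-encrypted or deleted; only "ole-container" files are candidates for having been encrypted with the Office password option, and an OLE parser can confirm that by checking for the EncryptionInfo stream.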

  8. Topic: GDPR Encrypt MS Office Document Use only the ILC approved passphrase to encrypt ILC Confidential or Restricted information/data. Use a separate channel to communicate the password: if the document is shared using email, do not use email to share the passphrase. Do not share the ILC internal passphrase with external parties. Please use a one-time passphrase to share Restricted information with external parties.

  9. Topic: GDPR ILC Confidential Information YOU MUST NOT SHARE ILC CONFIDENTIAL INFORMATION WITHOUT AN EXPLICIT APPROVAL FROM PRESIDENT/ VICE PRESIDENT.

  10. Topic: GDPR ILC Confidential Information MPII is ILC Confidential if it contains any of the following:
     • Home address
     • Work address
     • Phone numbers
     • Email addresses
     • Gender information
     IF NOT SURE ABOUT THE CLASSIFICATION SEND AN EMAIL TO DPO@ISACA-LONDON.ORG. Examples of the reports that may contain Confidential Information are given on the next page.

  11. Topic: GDPR Type of Reports and Confidential Information

  12. Topic: GDPR Data Loss / Breach INFORM PRESIDENT / VICE PRESIDENT IMMEDIATELY AND SEND AN EMAIL TO DPO@ISACA-LONDON.ORG FOR ANY:
     • INCIDENT / SUSPECTED BREACH
     • BREACH (COMPROMISE / DISCLOSURE / LOSS OF DATA)
     • LAPTOP / MOBILE PHONE WITH PII LOST / STOLEN
     • ANY SECURITY WEAKNESSES
