Ensuring Information Security - A more practical view with TOMs

Introduction

Have you ever wondered what a company in the EU has to do to ensure information security and to meet the legal requirements that depend on it? You can get a rough idea by looking at the so-called "Technical and Organizational Measures" (TOMs) which a company has to implement in its processes. 

Whenever I audit our information security measures I create a list of TOMs relevant for the processes of our company. In addition to the TOMs I check the list of security assets, their risks and the implemented controls, the inventory of IT systems in use and the index of data processing activities to get an overview of what I have to audit. If one of them doesn't exist, I create it accordingly. 

Here's the list of TOMs which are relevant for my current company. I use it as a checklist for my internal audits, but of course every audit starts with checking whether new TOMs are required because of changed conditions. This way the TOMs are improved whenever required.

The list of TOMs is separated into sections, which can be found in almost every modern company. I used a checklist provided by the Bavarian Federal Official for Data Protection & Privacy as a template to assemble this list, but I aligned it to my knowledge, the requirements of our company and the procedures of my own security management approach.

Technical and Organizational Measures to ensure Information Security

Management and Organisation

Insufficient security structures in an organization can seriously disrupt operational procedures. Existing professional competences must therefore be put to use. Not only the CTO but also the Data Protection Officer (DPO) and the CEO must be involved in the process of implementing security requirements.

  • A suitable organizational structure for information security is in place and information security is integrated into organization-wide processes and procedures
  • Security policies and guidelines are defined, approved by the management and communicated to the staff.
  • The roles of the individual employees in the security process are clearly defined
  • The CEO is involved in the security management processes, especially in the risk management.
  • Regular reviews of the effectiveness of the technical and organizational measures according to the PDCA cycle (Plan-Do-Check-Act) are conducted
  • Concepts and documentation in the security environment are regularly reviewed and kept up to date
  • Depending on the size of the company: Use of a suitable information security management system (ISMS), e.g. according to ISO/IEC 27001, BSI standards or ISIS12
  • The roles and responsibilities in information security are known and filled within the company (e.g. Information Security Officer (CISO), IT Manager (CTO), Data Protection Officer (DPO) etc.)
  • The DPO is consistently involved in security issues
  • The DPO has sufficient professional qualification for security-relevant topics and opportunities for further training on these topics
  • Regular audits by the DPO of the security of processing in accordance with Art. 32 GDPR are conducted
  • The responsible data protection supervisory authority is known, and the notification obligations according to Art. 33 and 34 GDPR (personal data breaches) are known and documented
  • Escalation processes in the event of security breaches (who is to be informed, when and how?), e.g. as part of emergency management, are documented and known to all employees
  • Consistent documentation of security incidents (security reporting) exists
  • Active support of the DPO by company management is ensured
  • Insights into (new) digital threats are gathered and potential impacts on the own business are derived

Physical security of the infrastructure

Physical access to IT systems and PII must be made difficult for unauthorised persons. Serious damage caused by (natural) events such as fire or water must also be prevented as far as possible.

  • A comprehensive overall concept for facility security in general (e.g. fire protection, access restriction and control) exists
  • A concept for access restrictions and physical access control (perimeter protection) exists
  • Clear rules for dealing with visitors (e.g. escorts, security zones, visitor badges, logging, staff member responsible for visitors) are part of the concept
  • Rules for dealing with external service providers (e.g. contractors, craftsmen, system maintenance) - such as non-disclosure agreements, personal supervision in security zones or logging - exist and are practiced as part of the corresponding business processes
  • Different security zones (e.g. visitors' meetings, server rooms, workplaces, research area) are defined
  • For security zones: A current overview of authorization management (which employee is allowed in which zone?) exists
  • For security zones: Access to security zones is restricted with suitable technology (via keys/chip cards, possibly also other factors).
  • For security zones: Self-closing doors at zone transitions
  • For security zones: If applicable, signage indicating which zones must not be entered
  • Secure locking systems including documented key management
  • Concept for fire protection is in place
  • Usage of fire/smoke detection systems (within the framework of the fire protection concept)
  • Use of automatic extinguishing systems in server rooms (e.g. CO2 extinguishing), taking into account occupational health and safety regulations
  • Fire-retardant cabinets/ safes for storing essential components (e.g. backup tapes, important original documents)
  • The building (e.g. walls, windows) and the infrastructure (e.g. pipes, hazard detection systems) are regularly inspected and maintained
  • Fencing of the premises
  • Stable, intruder-resistant windows and doors on the ground floor (e.g. according to DIN EN 1627)
  • Alarm systems for detecting intruders, especially outside working hours, are in place
  • Deployment of security personnel (external if necessary)
  • Use of video surveillance systems in consideration of data protection requirements (monitoring of access protection)
  • Sufficient air conditioning of server rooms
  • No (openable) windows in server rooms
  • Use of equipment to ensure the power supply of server systems (uninterruptible power supply (UPS)), especially in the event of short-term power failures or fluctuations
  • Protection against natural and man-made hazards (especially fire, smoke, shocks, chemical reactions, floods, power failures, explosions and attacks/vandalism)
  • Check risks due to flooding/heavy rain, especially for server rooms in the basement or other vulnerable areas

Awareness of the Employees

Employees are increasingly the focus of cyberattacks. Sophisticated social engineering techniques are used to trick them into carrying out security-critical actions. Employees must therefore be trained in security issues in order to recognise and resist such attacks.

  • All employees of the company must receive appropriate training in information security and data protection as relevant to their role
  • Data protection training for new employees promptly after taking up employment
  • Regular refresher training for existing staff (at least once a year)
  • Everyone in the company is regularly informed about new developments in data protection and IT security (e.g. by email, intranet, collaboration platform, notice board)
  • Relevant guidelines, e.g. on email/internet use, dealing with malicious code messages, use of encryption techniques, are kept up to date and are easy to find (e.g. on the intranet)
  • Data protection manual (which e.g. also provides training content) is accessible to all employees
  • Training content: Selected employees involved in detecting security breaches (such as CTO, DPO, management, executives, support) know the internal processes for handling incidents (including notification according to Art. 33 GDPR, emergency plan/incident response plan)
  • Employees are trained on how cyber attacks are initiated by means of social engineering (help for self-help)
  • Employees are trained about the dangers of email communication, especially encrypted email attachments (e.g. password-protected zip files), which cannot be inspected by anti-malware gateways
  • Employees can recognise fake emails (e.g. spoofed sender addresses, unusual wording, embedded links)
  • Raise awareness of staff interacting with external parties, such as suppliers, on appropriate rules of engagement, policies, processes and behavior (including what data may be shared and in what form, what may be security critical)
  • Employees affected by working from home know how to use home office solutions and specific risks are pointed out

Authentication

Digital access restrictions are part of everyday work. Users of IT systems and services must therefore prove their access authorization by suitable means.

  • All employees are instructed in the use of authentication procedures and mechanisms
  • Regulated process for central administration of user identities, especially for creation (e.g. new employee), change (e.g. name change after marriage) and deletion (e.g. employee leaving)
  • Assignment of unique identifiers for each user
  • Avoidance of group identifiers
  • In the case of mandatory usage of group identifiers: Use of data protection-compliant logging of the associated user activities
  • Use of strong passwords and publication of a guideline for them - e.g. at least 10 random characters from several character classes, or at least 16 characters for simpler strings that do not directly contain common words
  • Implementation of the password policy for strong passwords in the systems with user IDs as automatically as possible
  • Preventing the selection of weak passwords in applications (e.g. via policies or technically enforced via the identity & access management system)
  • Passwords are blocked after a security incident, even if only suspected, and must be renewed by the user
  • When a new user logs in for the first time or the password was reset by IT (e.g. if the password is forgotten), the user must change the password
  • Passwords must not be passed on (not even to colleagues, superiors or the IT department) - in exceptional cases (e.g. longer illness) the password is reset by IT and this process is documented
  • Informing employees that passwords must not be recorded on slips of paper or noticeboards
  • No saving of passwords in the browser without securing them with a master password
  • No reuse of one password for different services - unless the services share one identity via central identity management / single sign-on (e.g. Active Directory, OneLogin etc.)
  • Do not send passwords by email (e.g. for a company account to a cloud service)
  • For local admin accounts, particularly strong passwords (e.g. at least 16 characters, complex, without common word parts, and different for each PC)
  • Use of two- or multi-factor authentication procedures for high-risk processing activities. (e.g. OTP, smart cards, USB tokens)
  • As far as possible, consistent use of two-factor authentication procedures for administrator accounts in applications
  • For two-factor authentication: biometric features (e.g. fingerprint) with centrally stored templates (e.g. access control for security zones) should only be used in exceptional cases - biometrics whose templates stay on the local device (e.g. a smartphone's secure element) may be used more freely
  • Automatic blocking of accesses in case of too many incorrect attempts due to wrong password: Either time-based (one hour, six hours, 24 hours) or complete (contact with IT necessary)
  • Time delay between individual login attempts (especially for applications accessible via the Internet) to make automatic online attacks more difficult
  • Display of the number of failed logins for a user who successfully logs in. Goal: Create transparency for attacks or attempted attacks that have taken place
  • Notify user about failed login attempts via email. Goal: Create transparency for attacks or attempted attacks that have taken place
  • Do not store passwords in plain text but use a suitable password hashing procedure (e.g. bcrypt, which includes a salt)
  • Establish rules for automatically invalidating passwords after a security incident (e.g. replace the stored hash with a value that no password can produce, so the account can only be used again after a reset)
  • In case smart cards are used as staff badges, check whether they can be used for standard authentications (e.g. operating system login)
  • Default credentials set by the manufacturer of software or devices must be changed after installation
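The lockout, throttling, failed-login transparency and incident invalidation rules above combine into one small login service. The following is an added example written for this article (not code from the original checklist or from any product), in Python using only the standard library; the policy numbers (10/16 characters, five failures, one-hour lockout), the toy common-word list and the scrypt parameters are assumptions chosen to match the bullets:

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Policy values are this example's own assumptions, chosen to mirror the checklist above.
MIN_COMPLEX_LEN = 10          # random password with at least three character classes
MIN_SIMPLE_LEN = 16           # longer passphrase without common words
MAX_FAILURES = 5              # consecutive failures before a time-based lockout
LOCKOUT_SECONDS = 3600        # first lockout tier from the checklist: one hour
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "admin"}   # constructed toy list
INCIDENT_MARKER = b"!invalidated"   # can never equal a 32-byte scrypt output


def password_is_strong(pw: str) -> bool:
    """Checklist rule: >=10 complex characters or >=16 characters, never containing a common word."""
    if any(w in pw.lower() for w in COMMON_WORDS):
        return False
    classes = sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ))
    return (len(pw) >= MIN_COMPLEX_LEN and classes >= 3) or len(pw) >= MIN_SIMPLE_LEN


def _hash(pw: str, salt: bytes) -> bytes:
    # scrypt from the standard library; n=2**14 keeps the example quick to run
    return hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    must_change: bool = True      # first login, or a reset by IT, forces a password change
    failures: int = 0             # consecutive failures since the last success
    locked_until: float = 0.0
    next_allowed: float = 0.0     # throttling: earliest time the next attempt is accepted


@dataclass
class AuthService:
    clock: Callable[[], float] = time.time      # injectable so tests can control time
    accounts: Dict[str, Account] = field(default_factory=dict)

    def register(self, user: str, pw: str) -> None:
        if not password_is_strong(pw):
            raise ValueError("password does not meet the policy")
        salt = os.urandom(16)
        self.accounts[user] = Account(salt=salt, digest=_hash(pw, salt))

    def login(self, user: str, pw: str) -> dict:
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            _hash(pw, os.urandom(16))   # same cost for unknown users: no enumeration by timing
            return {"ok": False, "reason": "invalid"}
        if now < acct.locked_until:
            return {"ok": False, "reason": "locked"}
        if now < acct.next_allowed:
            return {"ok": False, "reason": "throttled"}
        if hmac.compare_digest(_hash(pw, acct.salt), acct.digest):
            failed, acct.failures, acct.next_allowed = acct.failures, 0, 0.0
            # report earlier failures so the user sees attempts made against the account
            return {"ok": True, "failed_since_last_success": failed,
                    "must_change": acct.must_change}
        acct.failures += 1
        acct.next_allowed = now + min(2 ** acct.failures, 60)    # growing delay, capped at 60 s
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            return {"ok": False, "reason": "locked"}
        return {"ok": False, "reason": "invalid"}

    def invalidate_after_incident(self, user: str) -> None:
        """Replace the stored hash so no password verifies; IT re-registers the user afterwards."""
        acct = self.accounts[user]
        acct.digest = INCIDENT_MARKER
        acct.must_change = True
```

The clock is injectable so the time-based rules can be tested deterministically; in production the in-memory dictionary is replaced by the identity store, and every lockout and incident invalidation is written to the central logging system described later in this list.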

Roles/Privileges Concept

Users should only be able to access PII that is necessary for their activities. By introducing user privileges for certain roles (e.g. accounting, IT administration), different privileges are assigned to specific persons.

  • Create role profiles for the employees with reference to the entries of the processing activities index
  • Control and regulate access to information and buildings/areas in a targeted manner via the Roles and Privileges Concept
  • Establish regulations for the administration of roles (assignment, withdrawal) to employees
  • Regularly check (e.g. once a year) whether the assignment of roles corresponds to the specifications and whether the roles still meet the requirements of the business activity
  • No administrator accounts for users who do not perform administrative activities
  • Create various administrative roles (e.g. create new users, perform backups, configure the firewall) for IT administration
  • Do not work directly as superuser (e.g. root on Linux) if avoidable; elevate only for individual commands (e.g. via sudo)
  • Set up two user IDs for employees with IT administration tasks: an administration ID and a normal user ID (for non-administrative purposes such as surfing the internet)
  • Establish a rule that no surfing on the Internet or reading/sending e-mails is done using administrator privileges

End user devices (clients)

The end user devices used for daily work must be permanently secured. Missing or insufficient regulations usually lead to open vulnerabilities on client systems, which can then pose a considerable threat to the entire organization.

  • A device management (who uses which devices in which area?) is available
  • Automatic screen lock after a certain period of inactivity, since manual locking when leaving the device cannot be guaranteed
  • Apply privacy films to monitors and notebook screens in case of potential unauthorised viewing (e.g. in the entry area of the office)
  • Activation of a firewall that blocks unwanted services on the end device (e.g. inadvertently installed web servers)
  • Use of an anti-virus solution or an endpoint protection system with regular signature updates that are updated at least daily and regulations on how to proceed in the event of a warning message
  • Central registration of malware alerts by the IT administration
  • IT administration process plan in the event of a malicious code attack
  • Patch management concept in place ( including update plan with overview of software used)
  • Regular evaluation of information on security vulnerabilities of the software used, such as operating systems, office software and specialized applications (e.g. through e-mail newsletters, manufacturer publications, specialized media, security warnings)
  • Installation of critical security updates within 24 hours (mandatory), other security-related updates within 7 days (mandatory but can be discussed with the CISO) and all other updates (feature releases and similar) within 4 weeks (if possible)
  • PII must be stored on a storage media that is covered by the backup (e.g. network drive)
  • Limit the use of external devices to the minimum necessary through technical measures (e.g. USB sticks, smartphones, external hard drives)
  • Deactivate auto start from external media (e.g. USB sticks)
  • Remote maintenance for clients for IT administration purposes exclusively via encrypted connections after authentication by the administrator and approval by the user
  • Using only operating systems and software for which security updates are still available in a timely manner
  • Preventing the execution of software downloaded (from the Internet) whose sources are identified as unsafe
  • Access to websites should be managed restrictively so that the risk of compromise, e.g. by malware, is reduced and access to unauthorised websites is prevented (e.g. via web proxy with up-to-date blacklists)
  • Preventing the automatic execution of applications from the temporary download directory of the Internet browser
  • Applications are to be executed on the end user devices without administrator privileges, if possible
  • Establish a process for effective data deletion before an end user device is given to another employee
  • A security concept for the use of printers, copiers and multifunctional devices is in place (e.g. no unauthorised viewing of printed documents, adequate protection of stored information, proper disposal)

Mobile storage devices

The widespread use of USB storage devices, notebooks and smartphones makes regulations necessary for their use and for the event of loss. Unprotected storage media also allow unauthorised persons to access sensitive data without much effort.

  • Using strong encryption of mobile end user devices (e.g. full disk encryption, container solutions)
  • Using backup and synchronization mechanisms to prevent major data loss in case of loss and theft
  • For smartphones: Access only after authentication (e.g. PIN, password) - PIN/password length depending on the automatic lock and remote wipe functions
  • For smartphones: Use of biometric access procedures only if the biometric templates are stored locally within a secure chip on the smartphone and for PII with no high risk
  • For smartphones: Use cloud storage for data backup only after careful examination of the data protection requirements (also employee data protection for "Find my Phone" functions)
  • For smartphones: Mobile device management solutions for configuring and managing the devices, the installed apps and locating/deleting them in the event of loss
  • For smartphones: Only secure sources are used for the installation of apps. Apps are tested and approved beforehand
  • Check regulations to see if it is sufficient to be able to access less data than within the internal company network when using mobile workstations (e.g. notebook on a business trip)
  • Provide anti-theft devices (e.g. attachment of lockable steel cables) for notebooks if required
  • Create regulations on private use of notebooks and smart phones - Recommendation: No private use
  • Employees know the regulations in case of loss of a mobile end user device, e.g. report the loss to the company and/or the police
  • For mobile storage devices: There is a guideline for the safe handling of mobile storage devices; Staff members are aware of this policy and are trained in the handling of mobile storage devices
  • For mobile storage devices: Secure deletion of the storage device before and after use is ensured

Server systems

Server systems must be secured with special care, as security breaches there can usually have enormous consequences due to the large amount of PII.

  • Only competently trained persons are allowed to perform administration activities on the servers
  • Set up different administration roles with privileges according to the least privilege principle for different administration tasks (e.g. software updates, configuration, backup)
  • Regulated process for the timely installation of security updates for the servers - critical updates must be installed within 24 hours
  • Consistent use of two-factor authentication procedures for applications that support this, especially for administrators
  • Disabling/uninstalling standard server services that are not required (e.g. print server)
  • Block local server services from external access via firewall
  • Check further hardening measures for the deployed server operating system
  • Disable sending of telemetry data to manufacturers unless assessed as necessary

Websites and Web Applications

Websites and web applications are usually easily reachable platforms for attacks, but they can usually be well secured with known best-practice approaches.

  • Use of state-of-the-art HTTPS (TLS 1.2 or TLS 1.3 only; older SSL/TLS versions disabled)
  • Ensuring access to databases is only possible for the servers that require it
  • Remote access to web servers only via encrypted connections with two-factor authentication (e.g. SSH with key-based or certificate authentication)
  • Limitation of web application administration areas to specific IP addresses (e.g. VPN gateway)
  • Only trained or competent persons are allowed to perform administration tasks on the servers
  • Regulated process for being informed about security updates and installing them in a timely manner, especially for common content management systems (CMS)
  • Execution of security tests on web applications according to good practice (e.g. OWASP Testing Guide)
  • No transfer of PII (e.g. email address) via HTTP GET parameters, as this data ends up in web server log files, browser history and the Referer header sent to third parties (e.g. website trackers)
  • Separation of web server, application logic and data storage of a web application onto dedicated servers, integrated into a suitable firewall architecture (e.g. DMZ - Demilitarized Zone)
  • Keeping content out of search engines (via robots.txt) if it does not need to be found by a search engine - note that robots.txt is only a request to well-behaved crawlers, not an access control

Networks

Attacks on an organization's own network via the Internet are possible in many organizations. To prevent the spread of malicious code, for example, the organization's own network structure must be actively protected against such external influences.

  • Appropriate network segmentation: Restrictive separation of sensitive networks (e.g. HR) from administrative networks (using firewall systems and/or VLAN)
  • Deployment of a firewall at the central internet gateway
  • Blocking all services that are not required (e.g. VoIP, peer-to-peer, Telnet)
  • Use of a web proxy through which all HTTP(S) connections must pass
  • Blocking HTTP(S) connections that bypass the web proxy - avoid exception rules
  • Logging and blocking of IOCs (Indicators of Compromise, mostly malicious URLs, domains, IP addresses and file hashes)
  • Regular updating of IOCs from appropriate sources
  • Use of suitable firewall architectures to separate internal-only systems (e.g., workstation, printer) from servers accessible via the Internet (e.g., mail server, Web server, VPN endpoint) - Common: Concept of a DMZ (Demilitarized Zone)
  • Use of wireless access via WLAN only on current access points with effective access mechanisms (e.g. WPA2 with a passphrase of at least 24 characters, or WPA2/WPA3-Enterprise with a RADIUS server)
  • Usage of a WLAN guest access that has no access to the internal network
  • Regulated process for proper configuration of firewalls and regular review of them (e.g., as a requirement for release procedures)
  • Logging at firewall level to detect and analyze unauthorized access attempts between networks
  • Automatic notifications to IT administration when unauthorized access is suspected
  • Regular checking of the correct configuration of the firewall (e.g. by means of port scans for the company's own IP addresses from external sources and periodic pentests)
  • Use of sufficiently qualified personnel/service provider to configure the firewall
  • Checking incoming e-mails using anti-malware protection
  • Blocking of dangerous email attachments (e.g. .exe, .doc, .cmd)
  • Do not use unencrypted protocols (e.g. FTP, Telnet)
  • Use of intrusion detection systems (IDS) or intrusion prevention systems (IPS)
  • Connecting branch offices or home offices via strongly encrypted VPN connections with client certificate authentication

Archiving

Although archive data is no longer required for daily work, it must sometimes be kept for a certain period of time due to legal retention periods. It must therefore be ensured that the PII it contains is protected.

  • Establish regulations on which data must be retained on which legal basis and the length of the retention period (Storage, Locking & Deletion Guidelines)
  • Define access to archive files: Document, implement and check
  • Archive data must be effectively deleted after the retention period has expired
  • No archiving on storage devices that are unsuitable for long storage periods (e.g. rewritable DVDs)
  • No storage of archive data in productive databases, but transfer of archive data from productive systems to the archive systems
  • Encryption of archive files with suitable key management: store the decryption keys in at least two (physically) separate locations, since losing the key means losing the archive
  • Suitable data formats for archiving documents were selected to ensure long-term readability of the data

Maintenance by Service Providers

The activities of external IT service providers, especially during maintenance, must be monitored and documented. In order to prevent unintentional disclosure of data, PII must be carefully deleted from the hardware that has been taken out of service.

  • Recording of all activities of external service providers
  • Include an NDA in the service contract or have the external employee sign it
  • Define internal employee who monitors (or, if necessary, accompanies) and documents the activities of the external service provider
  • Create regulations for effective data deletion on hardware (e.g., PCs, printers, smartphones) that is taken back by the service provider or manufacturer (e.g., in the event of defects)
  • When using remote maintenance software, regularly apply security updates and pay attention to information about known vulnerabilities or misconfigurations
  • Log remote maintenance by external service providers and limit their access to the system being serviced - if possible, an employee follows the session live on the screen of the serviced system

Logging

By means of suitable logging, personal data breaches pursuant to Article 33 GDPR can also be detected and investigated retrospectively. Without a record of user activities, however, it is usually not possible to make a valid assessment of whether and to what extent unauthorised data access has occurred.

  • Create a concept for logging user activities, technical system events, error states, and Internet activities, taking into account data protection requirements (including protection of employee data)
  • Log files are stored on a dedicated logging system (e.g., a central logging server)
  • The clocks of the information processing systems used (PCs, notebooks, etc.) should be synchronized with appropriate time sources to enable targeted analysis during security events
  • Compliance with the purpose limitation of the log files must be ensured: the works council must be involved if necessary
  • Regular analysis of log files even without a specific trigger, to detect unusual entries - preferably automated
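The IOC logging and blocking bullets in the Networks section (log and block indicators, keep them updated from feeds) and the clock synchronization and automated analysis bullets above can be illustrated with one small analysis script. It is an added example written for this article, not code from the original page; the log line format, the sample lines, the indicator lists and the burst threshold are all constructed for the illustration:

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a simple made-up format (not a real product's log format):
# <ISO-8601 timestamp with offset> <source IP> <user> <destination host> <destination IP> <action>
# The third line comes from a system whose clock reports UTC; the others report UTC+1.
SAMPLE_LOG = """\
2024-03-04T09:00:01+01:00 10.1.2.15 jdoe update.vendor.example 203.0.113.10 allow
2024-03-04T09:00:05+01:00 10.1.2.15 jdoe cdn.evil.example 198.51.100.7 allow
2024-03-04T08:00:07+00:00 10.1.2.15 jdoe 198.51.100.7 198.51.100.7 allow
2024-03-04T09:01:00+01:00 10.1.2.40 - fileserver.hr.internal 10.9.0.5 deny
2024-03-04T09:01:01+01:00 10.1.2.40 - db.hr.internal 10.9.0.6 deny
2024-03-04T09:01:02+01:00 10.1.2.40 - payroll.hr.internal 10.9.0.7 deny
2024-03-04T09:01:03+01:00 10.1.2.40 - dc.hr.internal 10.9.0.8 deny
2024-03-04T09:01:04+01:00 10.1.2.40 - backup.hr.internal 10.9.0.9 deny
2024-03-04T09:01:05+01:00 10.1.2.40 - print.hr.internal 10.9.0.10 deny
2024-03-04T09:30:00+01:00 10.1.2.15 jdoe db.hr.internal 10.9.0.6 deny
"""

# Constructed indicator lists; in practice these come from a threat-intelligence feed.
IOC_DOMAINS = {"evil.example"}
IOC_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_line(line: str) -> dict:
    ts, src, user, host, dst, action = line.split()
    return {
        # normalise to UTC so events from differently configured clocks order correctly
        "ts": datetime.fromisoformat(ts).astimezone(timezone.utc),
        "src": src, "user": user, "host": host,
        "dst": ipaddress.ip_address(dst), "action": action,
    }


def ioc_reasons(event: dict) -> list:
    """Match the destination against domain indicators (including subdomains) and IP ranges."""
    reasons = []
    for d in IOC_DOMAINS:
        if event["host"] == d or event["host"].endswith("." + d):
            reasons.append("domain:" + d)
    for net in IOC_NETWORKS:
        if event["dst"] in net:
            reasons.append("ip:" + str(net))
    return reasons


def ioc_hits(events: list) -> list:
    hits = []
    for e in events:
        reasons = ioc_reasons(e)
        if reasons:
            hits.append({"ts": e["ts"], "src": e["src"], "host": e["host"], "reasons": reasons})
    return hits


def deny_bursts(events: list, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Sources with at least `threshold` denied connections inside any sliding `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "deny":
            by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        best = start = 0
        for i, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, i - start + 1)
        if best >= threshold:
            alerts.append({"src": src, "denies_in_window": best})
    return alerts


def analyse(text: str) -> dict:
    events = sorted((parse_line(l) for l in text.splitlines() if l.strip()), key=lambda e: e["ts"])
    return {"ioc_hits": ioc_hits(events), "deny_bursts": deny_bursts(events)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for hit in result["ioc_hits"]:
        print("IOC   ", hit["ts"].isoformat(), hit["src"], hit["host"], hit["reasons"])
    for alert in result["deny_bursts"]:
        print("BURST ", alert["src"], alert["denies_in_window"], "denies within 60 s")
```

Two points the sample demonstrates: the third line matches the IP indicator although the client used a raw IP instead of the blocked domain name, and a workstation hitting six HR systems in five seconds stands out as a burst only because all timestamps were first normalised to UTC.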

Business Continuity

The availability of business processes and the associated IT systems and data must be guaranteed. Within the framework of the backup concept, it is therefore important to define an orderly procedure for restoring stored data in order to remain operational in the event of an emergency.

  • Emergency plan for business continuity: regulations on: which systems are to be restored in which order, which persons/service providers can be consulted in the event of an emergency, and which reporting obligations exist
  • The emergency plan is regularly reviewed, e.g. through tests and emergency drills
  • Existence of a written backup concept
  • Execution of backups according to the 3-2-1 rule: 3 copies of the data (production plus 2 backups), on 2 different types of media (including "offline" media like tape) and 1 copy at an external location
  • Suitable physical storage of backup media (e.g. safe, different fire protection zones, etc.)
  • Regular verification that at least one backup is performed daily
  • Regular tests to ensure that all relevant data is included in the backup process and that the recovery works
  • At least one backup system cannot be encrypted by malicious code, e.g. special data backup procedure such as pull procedure of the backup system or air-gap separated (offline) after completion of the backup process
  • Avoid macros in Office documents as far as possible in day-to-day operations to protect against ransomware
  • Permit only signed Microsoft Office macros, or at least inform employees regularly (e.g. once a year) about the risks of enabling macros (e.g. in Microsoft Word)
  • Prevention of automatic execution of downloaded applications (e.g. software restriction policy and sandboxing)
  • Disable Windows Script Host (WSH) on clients (if not required), or check whether restricting PowerShell with "Constrained Language Mode" on Windows clients is feasible, or use a web proxy with (daily) updated block lists of malicious code download sites (IOCs)
  • Emergency plan includes dealing with encryption trojans / ransomware - this is also available in paper form
  • Review backup and recovery strategy that ensures backups cannot be encrypted by ransomware

Cryptography

The confidentiality, integrity and authenticity of data, systems and entities can be ensured using state-of-the-art cryptographic procedures.

  • Rules for effective usage of cryptography, including key management, should be defined
  • Hash functions can be used to protect the integrity of data, software and IT systems - state-of-the-art functions include SHA-256, SHA-512 and SHA-3 (keyed, as HMAC, where an attacker could otherwise simply recompute the hash); bcrypt is a password hashing function and Blowfish a block cipher, not general-purpose hash functions
  • Password storage with a "normal" hash function (e.g. the SHA-2 family) is only acceptable if the password has at least 12 characters - use per-password salt values as protection against precomputed tables (rainbow tables)
  • Password storage according to the state of the art with a dedicated, deliberately slow password hashing function with salt, e.g. PBKDF2-HMAC-SHA256, bcrypt, scrypt or Argon2
  • State-of-the-art symmetric encryption with e.g. AES-256 in GCM mode (authenticated encryption) or in CBC mode combined with a MAC - never CBC alone where integrity matters
  • State-of-the-art asymmetric encryption with e.g. RSA with at least 2048-bit keys (or elliptic-curve procedures such as ECDH/ECDSA with P-256)
  • Effective key management (generation, distribution, revocation) is essential when using cryptographic methods
  • Protect secret keys with strong passwords of at least 16 characters. In the case of high risk, consider using HSMs (hardware security modules) / hardware tokens
  • Obtain TLS certificates from trusted certificate authorities
  • Use HTTPS according to the state of the art (e.g. at least 2048-bit RSA or ECDSA keys, Perfect Forward Secrecy via ephemeral key exchange, HSTS, client certificates if necessary)
  • No use of cryptographic methods with known weaknesses or key lengths that are too short, e.g. DES, 3DES, RC4, MD5, SHA-1 (for signatures and integrity) - if legacy systems still require them, perform an individual risk analysis
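The three password-storage bullets above (plain salted SHA only as a stop-gap for long passwords, a dedicated slow password hashing function with salt otherwise, and a risk analysis for legacy hashes) translate into a storage format that records its own algorithm and cost, so that old hashes can be migrated on the user's next successful login. The block below is an added example written for this article, not code from the original page; the format strings, the 600,000-iteration value and the guess-rate figures used with offline_guess_seconds are assumptions:

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed current parameter; review against current guidance (OWASP has recommended
# 600,000 iterations for PBKDF2-HMAC-SHA256 since 2023).
PBKDF2_ITERATIONS = 600_000


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def legacy_sha256(pw: str, salt: bytes) -> str:
    """The 'normal hash plus salt' scheme from the checklist: a stop-gap for long passwords only."""
    return "sha256$" + salt.hex() + "$" + hashlib.sha256(salt + pw.encode()).hexdigest()


def hash_password(pw: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """State-of-the-art storage: PBKDF2-HMAC-SHA256, random 16-byte salt, self-describing record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations, dklen=32)
    return "$".join(["pbkdf2_sha256", str(iterations), _b64(salt), _b64(dk)])


def verify_and_upgrade(pw: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, replacement). `replacement` is a fresh hash to store when the old record is
    a legacy format or uses fewer iterations than the current policy; None otherwise."""
    algo, rest = stored.split("$", 1)
    if algo == "sha256":
        salt_hex, digest = rest.split("$")
        calc = hashlib.sha256(bytes.fromhex(salt_hex) + pw.encode()).hexdigest()
        ok = hmac.compare_digest(calc, digest)
        # migrate on the first successful login: the clear-text password is only available now
        return ok, (hash_password(pw) if ok else None)
    if algo == "pbkdf2_sha256":
        iters_s, salt_b64, dk_b64 = rest.split("$")
        iters = int(iters_s)
        calc = hashlib.pbkdf2_hmac("sha256", pw.encode(), base64.b64decode(salt_b64), iters, dklen=32)
        ok = hmac.compare_digest(calc, base64.b64decode(dk_b64))
        return ok, (hash_password(pw) if ok and iters < PBKDF2_ITERATIONS else None)
    raise ValueError("unknown password hash format: " + algo)


def offline_guess_seconds(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace. The rate is an assumption: on the order of 1e10
    raw SHA-256 computations per second on a single modern GPU, and roughly that divided by
    the iteration count for PBKDF2-HMAC-SHA256."""
    return alphabet ** length / guesses_per_second


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_and_upgrade("correct horse battery staple", record))
    print("8 chars, raw SHA-256:", offline_guess_seconds(62, 8, 1e10) / 3600, "hours")
    print("12 chars, raw SHA-256:", offline_guess_seconds(62, 12, 1e10) / 31_536_000, "years")
    print("8 chars, PBKDF2:", offline_guess_seconds(62, 8, 1e10 / PBKDF2_ITERATIONS) / 31_536_000, "years")
```

The arithmetic at the end is why the checklist's exception for plain hashes is narrow: with the assumed GPU rate an 8-character alphanumeric password behind salted SHA-256 falls within hours, a 12-character one takes on the order of ten thousand years, and PBKDF2 pushes even the 8-character case to centuries. A salt defeats precomputed tables but does nothing against this per-user brute force; only the slow function does.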

Data Transfer

Both the exchange of data with other entities via electronic communication networks and the physical transport of mobile storage devices and documents must be secured in such a way that the confidentiality and integrity of the PII is not compromised.

  • Rules must exist for all types of data transfers both within the organization and between the organization and other parties
  • Especially for cloud services, procedures for usage have to be established (including a possible exit strategy to reduce dependencies on individual cloud services).
  • Encryption of mobile storage devices (such as DVD, USB sticks, hard disk) according to state-of-the-art technology
  • For email, cloud platforms: Transport encryption of PII according to the state of the art for normal risk
  • For email, cloud platforms: Transport encryption and content encryption of PII according to the state of the art for high risk
  • For Messenger: transport and content encryption of messages and files
  • Ensuring the integrity of PII through digital signatures, at least in the case of high risk
  • For HTTPS: Use of client certificates to prove authenticity for a closed user group
  • Authenticated and encrypted use of DNS (DNSSEC for integrity and authenticity of answers, DNS-over-TLS or DNS-over-HTTPS for confidentiality of queries)

Software development and selection

Data protection and security must be taken into account at an early stage in the development of one's own software systems or in the selection of software products in one's own business.

  • Relevant employees are trained and know that security-by-design (ensuring confidentiality, availability, and integrity) as a subset of data-protection-by-design is a legal privacy requirement and has impact on key design decisions (product selection, centralized vs. decentralized, pseudonymization, encryption, country of a service provider etc.)
  • Production systems are separated from development/test systems
  • Restrict access to the source code when developing software
  • No PII or access credentials are stored in source code management
  • System and security testing, such as code scanning and penetration testing, must be performed regularly
  • Sufficient test cycles are considered
  • Continuous inventory of the versions of software or components (e.g. frameworks, libraries) as well as their dependencies exists
  • Standard software and corresponding updates are only obtained from trustworthy sources
  • It's ensured that an ongoing plan exists to monitor, evaluate, and apply updates or configuration changes for the life of a software application

Data processing on behalf

Service providers handling personal data in the context of processing on behalf require appropriate safeguards to also ensure the security of the processing.

  • Use only service providers who can provide sufficient guarantees (Art. 28 GDPR) in writing
  • Security measures according to Art. 32 GDPR as part of a data processing agreement must fit the service - the level of abstraction of the measures is sometimes slightly higher than for internal TOM lists of a controller
  • The effectiveness of the guarantees can be demonstrated (to some extent) by suitable certifications - e.g. ISO 27001 for data centers with physical security in scope is usually meaningful
  • An on-site inspection by the controller must not be excluded
  • The processor may not engage further subcontractors without informing the controller - the controller then has a right to object
  • The processor must have processes in place to detect data breaches and report them without undue delay to the controller as defined by the GDPR
  • Transfers to third countries without an adequate level of data protection may only be possible with additional technical protection measures, primarily cryptographic procedures
  • Data is effectively deleted in the case of processing on behalf (at the latest) after the end of the contract
  • Details of the deletion technology can be provided if required
  • Periodic review of the processors regarding security practices and service delivery




More from FF-Sec