  • GDPR: Right to be forgotten and backups


    What is your take and solution to this problem? What formulations could I include in our GDPR policies, and in which documents (policies, notices, schedules etc) in the toolkit should I include formulations in order to be compliant?

    Answer:

    Let's begin with some considerations about the right to be forgotten as set up in EU GDPR “Article 17 Right to erasure (‘right to be forgotten’)”: https://advisera.com/eugdpracademy/gdpr/right-to-erasure-right-to-be-forgotten/

    You must comply with an erasure request where:
    - the data subject has objected to the processing and (other than in relation to objections to direct marketing) there are no overriding legitimate interests to justify that processing;
    - the personal data is no longer needed for the purpose for which it was collected or processed;
    - the individual withdraws consent and there are no other grounds for the processing;
    - the personal data is unlawfully processed;
    - there is a legal obligation under Union or Member State law to erase the personal data; or
    - personal data was processed in connection with an online service offered to a child.

    You do not need to comply if the processing is:
    - necessary for rights of freedom of expression or information;
    - for compliance with a legal obligation under Union or Member State law;
    - in the public interest or carried out by an official authority;
    - for public interest in the area of public health;
    - for archiving or research; or
    - for legal claims.

    So before considering erasing the data, you should perform an assessment based on the information provided above.

    However, if you find yourself in the situation where the erasure request is valid, you need to comply with it or prove that you did your best to comply, regardless of whether the data is stored locally or elsewhere.

    You can learn more about data subject rights by going through our article “8 data subject rights according to GDPR”: https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr/
  • Certifications of a cloud provider


    Answer: Generally I would say yes, because most of the cloud providers I know have a secure IT infrastructure, although I recommend that you look for providers that comply with standards such as ISO 27017, which is for cloud services, or ISO 27018, which is for the protection of privacy in the cloud. It is also important to consider certifications such as CSA, CCM, or even ISO 27001 or ISO 20000. Therefore, I recommend services that are managed by providers holding these standards, because they can give you assurance or confidence that your information is safe in the cloud. You may find this article interesting, “ISO 27001 vs. ISO 27017 - Information security controls for cloud services”: https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

    And also this other one, “ISO 27001 vs. ISO 27018 - Standard for protecting privacy in the cloud”: https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
  • Privacy Statement


    Answer:

    As required by EU GDPR Article 13 “Information to be provided where personal data are collected from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/), you need to provide the data subject with the “identity and the contact details of the controller”, regardless of whether the controller is an individual or a legal entity. As for a controller which is owned by a holding company, you just need to specify the details of the controller.

    Regarding your next query, if you are not collecting or processing personal data, there is no requirement in the EU GDPR that you provide such information.

    You might find our webinar on “Privacy Notices Under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/) useful for your tasks ahead.
  • Training manuals and QMS documents


    Answer:

    Those training manuals are useful now because of the implementation of a new database. Will they still be useful in the future to train and integrate new workers? If the answer is no, the training manuals will be of short-term usefulness and I would not include them in the QMS documents. If the answer is yes, I start to see them as a kind of work instruction to be used in the future by whoever has doubts about the database operation, and in that case I would include them as QMS documents.

    The following materials will provide you details about work instructions:

    - Article - How to structure work instructions in the ISO 9001 QMS - https://advisera.com/9001academy/blog/2015/06/16/how-to-structure-work-instructions-in-the-iso-9001-qms/

    - [free course] ISO 9001:2015 Foundations Course - https://training.advisera.com/course/iso-90012015-foundations-course/

    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Starting with the documentation


    Answer:

    You can always start by filling in the EU GDPR Readiness Assessment Questionnaire, which will give you an overview of your current compliance status. The EU GDPR Readiness Assessment Questionnaire can be found in folder 1 of the EU GDPR Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/). Alternatively, you can use our EU GDPR Readiness Assessment Tool, which you can find at https://advisera.com/eugdpracademy/eu-gdpr-readiness-assessment-tool/

    After performing the Assessment and setting up your project plan and project team you can start working through the documents in the order in which they are presented in the Toolkit. Make sure that you also consult the “List_of_documents_EU_GDPR_Documentation_Toolkit” so you can see which are the mandatory documents that you need to have (although we encourage our customers to consider all documents and not only the mandatory ones).

    There are also several materials available on the Advisera website that you might find useful in your future tasks:
    - Article: “9 steps for implementing GDPR” (https://advisera.com/articles/9-steps-for-implementing-gdpr/);
    - Webinar: “How to use a Documentation Toolkit for the implementation of EU GDPR” (https://advisera.com/eugdpracademy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-eu-gdpr-free-webinar-on-demand/)
  • Division of tasks


    Notwithstanding the workload, do you think this is feasible or are there any potential conflicts of interest here?

    Answer: A single person managing such a scope (considering the different systems, number of personnel and multiple offices) may compromise the systems' effectiveness, because not only the common aspects of the systems (e.g., control of documents, internal audit, processes and controls monitoring, etc.), but also the specific activities required by each system (risk assessment, business impact analysis, and processes monitoring), and the support required by employees, can easily overload a single person's time and capacity.

    You should consider at least another person to assume part of the tasks.
  • Shared resources


    Asset name: Network locker (NO Office)
    Threat: Information interception
    Vulnerability: Switch Locker is shared with other companies
    Consequence(0 to 3): 2
    Likelihood(0 to 3): 3

    The neighboring office (and anyone with access) has access to the locker through a door that can only be locked from their side. The people that are responsible for the building, will apparently install an alarm that will go off if anyone opens the door, however we are not very happy about that as a solution, and we’d much rather be able to control exactly who has access to the locker.

    Do you have any suggestion that you can give us?

    Answer: Considering the scenario you described, you should try to establish with the people that are responsible for the building an agreement specifying the security controls they need to implement (e.g., install an alarm, give you the key to the locker, etc.). If this solution is not possible, other alternatives you should consider are:
    - Implement a separate switch/network
    - Implement cryptography to protect communication between the computers in your network and to protect your files.
    - Implement access control into the shared folders in your network.

    The last alternatives in terms of risk management are to accept the risk (and do nothing), or to avoid the risk (e.g., by stopping using the switch).

    This article will provide you further explanation about handling suppliers:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • ISO 27001 implementation project


    Answer: The first and most critical step is to get management support for the project. Implementing information security will need resources in terms of people, material and capital, and most of all, it involves cultural change, and for that you will need top management support and involvement.

    To help you with top management, I suggest you use our Project proposal for ISO 27001 / ISO 22301 implementation and Project plan for ISO 27001 / ISO 22301 implementation, which you can find at these links:
    - https://info.advisera.com/27001academy/free-download/project-proposal-for-iso-27001-iso-22301-implementation-msword
    - https://info.advisera.com/27001academy/free-download/project-plan-for-iso-27001-iso-22301-implementation

    These documents can be adjusted to your organization context and can help you explain the importance of ISO 27001 to the business and how the implementation should be conducted.

    Regarding the gap assessment phase, I suggest you take a look at our Free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

    Its question-and-answer format allows you to visualize which specific elements of an information security management system you’ve already implemented, and what you still need to do.

    These articles will provide you further explanation about implementation steps:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    These materials will also help you regarding implementation steps:
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - ISO 27001: An overview of the ISMS implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
    - Seven key problems to avoid in ISO 27001 implementation [free webinar on demand] https://advisera.com/27001academy/webinar/seven-key-problems-to-avoid-in-iso-27001-implementation-free-webinar-on-demand/
  • Applicability of controls


    Answer: A control from Annex A must be applied only if one of the following occurs:
    - There are risks identified as unacceptable in the risk assessment that require the implementation of the control
    - There are legal requirements (e.g., laws, regulations, contracts, etc.) that require the implementation of the control
    - There is a top management decision requiring the implementation of the control

    If none of these occurs, there is no need to implement a control considering ISO 27001 requirements (what occurs in fact is that hardly ever will none of these happen regarding incident management; it is extremely rare that a company does not have any control from section A.16). Since you did not provide the justification for exclusion in your document, it is not possible to evaluate whether the exclusion is acceptable or not (at the beginning of the document, about control A.6.1.1, there is a comment about the same issue: justification for inclusion/exclusion).

    This article will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • ISO 27005 Annexes


    Answer: Annexes B (Identification and valuation of assets and impact assessment), C (Examples of typical threats) and D (Vulnerabilities and methods for vulnerability assessment) from ISO 27005 are compilations of common practices and situations found in the market, so there is no problem in adopting them in your framework.

    This material will also help you regarding risk management:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/