ISMS IS/DPP TOP POLICY - example (governance)


EXAMPLE IS/DPP TOP POLICY

1. General
1.1 Scope
1.2 Management Buy-In
2. Principles
3. Accountability and Governance
3.1 BoD
3.2 Executive Committee
3.3 Risk Management Committee
3.4 Executive Sponsor
3.5 Information Security Team
3.6 CISO
3.7 DPO
3.8 Legal Department
3.9 Risk Management
3.10 Internal Audit
3.11 Project Managers
3.12 Information Asset Owners
3.13 Staff
4. Policy Framework
4.1 Policy Documents
4.2 Policy Definition Process
4.3 Exceptions Management
5. Communication
5.1 Communication
5.2 Training
5.3 Awareness
6. Enforcement
7. Reporting
7.1 Top Level: Risk Management Committee
7.2 Lower Levels

1. General

1.1 SCOPE

This policy relates to information security, data protection and privacy (IS/DPP) and applies to CORPORATION.

1.2 MANAGEMENT BUY-IN

The top management of CORPORATION
- acknowledges the importance of IS/DPP
- appoints the COO as the executive sponsor for CORPORATION's IS/DPP program
- champions
  o robust information security in line with the state-of-the-art in the industry
  o transparent data protection
  o raising the maturity of IS/DPP to a level where it is well-known and managed throughout the organisation, and keeping it at that level
  o keeping the risk in relation to IS/DPP in general at a low level, that is a level that
    - does not reasonably lead to criminal sanctions for the company or any of its staff
    - does not foreseeably exceed a financial risk of xxx EUR
    - does not reasonably lead to negative exposure in nationally and/or internationally distributed media (such as newspapers)
    - does not harm the top xxx customers and/or a cluster of more than xxx customers
- commits to
  o leading by example
  o reasonably supplying the means
    - to bring the technology up to standard
    - to communicate to the staff to raise knowledge and awareness on IS/DPP
  o supporting the CISO and the DPO, a.o. by giving them access to all the means and staff of the organisation, giving them access to (personal) data and processing operations, ensuring they can maintain their respective expert knowledge, and ensuring that they are involved, properly and in a timely manner, in all issues which relate to the protection of (personal) data, …
  o not instructing the DPO with regard to the exercise of the DPO's (legal) tasks
  o acknowledging, adopting and enforcing the reasonable policy documents the CISO and/or the DPO present

2. Principles

CORPORATION sets the following guiding principles on information security, data protection and privacy (IS/DPP):
- IS/DPP is not only compliance driven, but also flows from the ethical stature of CORPORATION and serves to protect CORPORATION, its business, its staff and its customers.
- IS/DPP is a point of attention for everybody in the organisation.
- IS/DPP is applied in a risk-based manner, which includes that the risk should be known internally; risks should be in line with CORPORATION's risk appetite; the risk assessment should take into account the nature, scope, context and purposes of processing; etc.
- CORPORATION wants to set up processes and procedures that are future-proof, and thus should take into account potential future risks and should be privacy-by-design and privacy-by-default.
- CORPORATION uses the following major benchmarks for its IS/DPP framework:
  o the General Data Protection Regulation
  o the reference measures issued by the Belgian Data Protection Authority, which inherently refer to the ISO 27000-series

3. Accountability and Governance

Within CORPORATION's organisation everybody can and should contribute to IS/DPP. To streamline the governance, some bodies and persons in the organisation are designated to decide on or implement aspects of the IS/DPP framework.

3.1 BOD

The Board of Directors is at a strategic and final level accountable for IS/DPP within the CORPORATION organisation.

The Board of Directors adopts the strategy on IS/DPP. That is the highest policy document on IS/DPP in the CORPORATION organisation.

The Board of Directors ensures that IS/DPP is taken into account in all documents it (legally) must adopt or acknowledge, such as the governance memorandum, the internal control statement, etc.

The Board of Directors can call up (evoke) and review any decision in the organisation on IS/DPP.

3.2 EXECUTIVE COMMITTEE

The Executive Committee is at the highest operational level accountable for IS/DPP within the CORPORATION organisation.

Key responsibilities of the Executive Committee in the context of IS/DPP are:
- reviewing and ratifying IS/DPP policy documents, as the case may be ensuring that they are in line with the organisation's business strategy
- interpreting and fine-tuning the risk appetite determined by the Board of Directors
- supporting the awareness efforts in the context of IS/DPP by their collective and individual decisions and actions ("tone at the top")
- providing the necessary means
  o to support the IS/DPP measures in the field of ICT as part of the ICT budget
  o to support the IS/DPP measures in the field of facilities as part of the facilities budget
  o to support the IS/DPP measures in the field of communication, training and awareness of the staff as part of the HR budget
  o to support the IS/DPP third line control as part of the audit budget
  o to comply with the data protection and privacy legislation, in as far as not covered by the other budgets above, as part of the compliance budget
- deciding on issues brought to its attention by the DPO with a request for a decision
- reviewing escalations from the Risk Management Committee with regard to the reporting set up under this IS/DPP framework

3.3 RISK MANAGEMENT COMMITTEE

Key responsibilities of the Risk Management Committee in the context of IS/DPP are:
- reviewing IS/DPP policy documents and providing advice to the Management Committee
- reviewing the top level reporting set up under this IS/DPP framework and escalating issues to the Executive Committee

3.4 EXECUTIVE SPONSOR

Key responsibilities of the Executive Sponsor in the context of IS/DPP are:
- "representing" the topic of IS/DPP around the table of the Executive Committee in all topics on its agenda
- acting as a sounding board for the DPO and the CISO on a regular and ad hoc basis
- acting as a channel to the Risk Management Committee and the Executive Committee at times the DPO and CISO want to bring an item to those for a

3.5 INFORMATION SECURITY TEAM

The core Information Security Team is composed of:
- the Executive Sponsor
- the DPO
- the CISO
- the head of HR

The Information Security Team can, at the request of one of its core members, be joined by any other relevant party, e.g.
- the head of facilities
- the head of IT
- a representative of the legal department
- a representative of risk management
- a representative of internal audit
- an external expert on IS/DPP

Key responsibilities of the Information Security Team are:
- presenting, on a yearly basis or at a shorter interval when needed,
  o a high-level risk assessment (via the reporting) on the IS/DPP risk posture
  o a gap analysis against the position wanted on the critical points and other major points
  o an action plan with regard to the critical points and other major points
  o an overview and analysis of the (upcoming) changes that (may) impact the organisation
- following up (upcoming) changes that (may) impact the organisation, which includes changes to the regulatory environment (legislation, case law, interpretation, etc.), to the IT and security architecture, …
- preparing (binding) IS/DPP policy documents, reviewing them at regular intervals (to be determined by the Information Security Team) or when such is triggered by a change (in the law, in the organisation, …) and proposing actualisations, updates and improvements
- issuing (and periodically updating) IS/DPP guidance
- coordinating the different aspects of IS/DPP to improve the cooperation and alignment between the actors involved and avoid parallel or crossing initiatives or activities, a.o. in the field of
  o communication, training and awareness raising on IS/DPP
  o first, second and third line controls
- managing IS/DPP related critical incidents from notification through to resolution, mainly through coordination
- supervising and coordinating the different aspects of IS/DPP in programs and projects, such as
  o reviewing whether program and project solutions are compliant with IS/DPP policy documents, if not tackled at another level (e.g. in the program or project steering committee)
  o approving program and project level exceptions to IS/DPP policy documents
  o reviewing and resolving key cross-program or cross-project IS/DPP issues
- ensuring regular IS/DPP second and third line controls are undertaken and findings are followed up and resolved within reasonable, required timeframes
- preparing the overarching IS/DPP reporting to the top management

The roles, functions and tasks of the Information Security Team can be further elaborated in other (lower-level) policy documents.

3.6 CISO

A member of the IT team is appointed as chief information security officer (CISO).

Key responsibilities of the CISO are:
- suggesting guidance to the Information Security Team
- advising on, stimulating, verifying, and documenting the implementation of measures related to IS/DPP (with a focus on information security as defined by the best practices), in particular in relation to
  o (information) asset management [1], as in keeping the architecture and overview of hardware, software, databases, data sets
  o security at the level of the medium
  o device security
  o network security
  o business continuity
  o incident management
- cooperating and aligning with the DPO on IS/DPP, a.o. on
  o reviewing policies in the IS/DPP framework to also include aspects relating to data protection and privacy
  o communicating, training and raising awareness on IS/DPP
  o implementing organizational and technical measures to protect (personal) data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorized disclosure, dissemination or access, or alteration of personal data, hereby ensuring compliance with the relevant laws and regulations
  o tackling and reviewing incidents related to IS/DPP
- stimulating and coordinating the efforts on communication, training and awareness
- supervising the joiner/leaver/transfer process
- with regard to third parties with an impact on the IS/DPP posture of the organization
  o ensuring the documented prior screening of such third parties
  o ensuring the documented follow-up of such third parties
- coordinating and consolidating the reporting on
  o efforts on communication, training and awareness
  o the effectiveness of access management
  o the application of the joiner/leaver/transfer process
  o service levels imposed on third parties relating to IS/DPP
  o key performance indicators relating to IS/DPP defined by the Information Security Team
  o assurance from third parties relating to IS/DPP
  o the results of controls performed
  o IS/DPP incidents
  o IS/DPP risks

The roles, functions and tasks of the CISO can be further elaborated in other (lower-level) policy documents.

In order to fulfil his mission, the CISO
- receives sufficient resources (time, staffing, equipment and budget)
- has unhindered access to the information necessary to perform his function.

[1] Not to be confused with financial asset management.

3.7 DPO

3.7.1 DPO

The compliance officer is (also) assigned as data protection officer.

The mission of the data protection officer includes all the tasks allocated to the data protection officer in the law, e.g.
- towards Identifin / the National Register
- towards the Crossroads Database on Social Security (with regard to work related accidents)

Key responsibilities of the DPO are:
- performing the tasks that are allocated to him by law
- cooperating and aligning with the CISO on IS/DPP, a.o. on
  o reviewing policies in the IS/DPP framework to also include aspects relating to data protection and privacy
  o communicating, training and raising awareness on IS/DPP
  o implementing organizational and technical measures to protect (personal) data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorized disclosure, dissemination or access, or alteration of personal data, hereby ensuring compliance with the relevant laws and regulations
  o tackling and reviewing incidents related to IS/DPP
- liaising and consulting with Legal, if and when necessary, in advising on personal data protection and privacy legislation
- operating as external Single Point of Contact (SPOC)
  o at least in second line (after the complaints handling team and/or the team handling the requests from data subjects), within the organisation regarding all matters related to personal data protection and privacy
  o for the organisation towards the authorities regarding all matters related to personal data protection and privacy
- advising on, stimulating, verifying, and documenting the compliance with applicable data protection and privacy legislation, including but not limited to
  o informing and advising the organisation and the staff who carry out processing of their obligations pursuant to the legislation
  o advising when prior checking with the authorities should be considered
- ensuring the proper translation of personal data protection principles into the IS/DPP policy documents and the proper implementation thereof
- suggesting guidance to the Information Security Team
- supporting the organization, in particular the project managers and information asset owners, in documenting the data processing and making privacy impact assessments on
  o new initiatives and projects
  o existing data processing, including updating such documentation
- providing advice on any use of personal data in circumstances that are not steered by policy documents or when policy documents require interpretation
- giving a (conditional) sign-off on
  o the use of personal data for uses that are not yet (fully) defined, e.g. in tests or in projects that have not been delivered yet
  o the texts and/or processes used to meet the transparency requirements or to capture consent of the data subject
  o the texts, templates and/or processes used to meet the requirements on properly binding third parties with an impact on the IS/DPP posture of the organization
- advising on and supervising proper transparency towards
  o data subjects
  o data protection authorities
  o the public
- coordinating and consolidating reporting on IS/DPP matters that are not covered by other reporting lines, amongst others on
  o new IS/DPP relevant legislation

In order to fulfil his mission, the DPO
- receives sufficient resources (time, staffing, equipment, training and budget)
- has unhindered access to the information necessary to perform his function
- should remain in an independent position and thus
  o holds no other functions which could result in a conflict of interest pertaining to his role
  o does not receive (binding) instructions on the execution of the role as DPO

The DPO has the right to veto all initiatives that are not in line with IS/DPP policies, laws or security requirements. Such a veto can only be overruled in writing by the Executive Committee.

The DPO can report and escalate directly to the Executive Committee and/or (the chair of) the Board of Directors, if he considers the other reporting lines insufficient.

The DPO is bound by a professional duty of secrecy.

3.7.2 DEPUTY DPOS

The Executive Committee can, advised by the DPO, appoint (a) deputy data protection officer(s) who focus(es) on data protection relating to
- staff data
- health data
- judicial data

The deputy DPO supports the DPO in the focus area that is assigned to him and, in concert with the DPO, performs the jobs of the DPO in that focus area. For the avoidance of doubt, there is no hierarchical link between the deputy DPOs and the DPO, but only a functional link. The tasks as deputy DPO are considered to be part of the function of the deputy DPOs and are evaluated in the generic evaluation of the deputy DPOs.

The roles, functions and tasks of the deputy DPOs can be further elaborated in other (lower-level) policy documents and in arrangements between the DPO and the respective deputy DPOs.

3.8 LEGAL DEPARTMENT

The legal department acts as a support function for the Data Protection Officer for all legal and regulatory issues.

The key responsibilities of the Legal Department in the context of IS/DPP are to:
- support the Data Protection Officer in all relevant legal aspects, such as
  o his advice on the personal data processing aspects of the various products and services of the organisation
  o checks of legal documentation with regard to data processing (incl. agreements, SOC assurance documents, …)
- follow the progress of legal and regulatory developments in the domain of personal data protection laws that are or may be relevant for the organisation (incl. EU, Belgium, PCI DSS)
- assess the impact of existing, new and upcoming legislation with a view towards policy setting within the organisation
- provide in-depth knowledge and documentation on the legal aspects of
  o the products and services of the companies
  o the relationship with third party providers and partners

The roles, functions and tasks of the legal department (within the scope of this policy) can be further elaborated in other (lower-level) policy documents.

3.9 RISK MANAGEMENT

The risk management function embeds the IS/DPP risks in the overall risk management framework.

Key responsibilities of the risk management function in the context of IS/DPP are:
- cooperating and aligning with the CISO and DPO on IS/DPP, a.o. on
  o reviewing policies in the risk management framework to also include aspects relating to IS/DPP
  o communicating, training and raising awareness on risk for it to include (reference to) IS/DPP
  o tackling and reviewing incidents that are also related to IS/DPP
  o organising second line controls which may also relate to IS/DPP

The roles, functions and tasks of the risk management function (within the scope of this policy) can be further elaborated in other (lower-level) policy documents. They may however never infringe the independence of the internal audit function.

3.10 INTERNAL AUDIT

The internal audit function embeds IS/DPP in the overall (internal) audit framework.

Key responsibilities of the internal audit function in the context of IS/DPP are:
- cooperating and aligning with the CISO and DPO on IS/DPP, a.o. on
  o organising first, second and third line controls that relate to IS/DPP in a way that covers the broadest scope possible, a.o. by reasonably avoiding overlap and by using the results of controls of the other lines to improve the controls of the own line
  o tackling and reviewing incidents that are also related to IS/DPP

The roles, functions and tasks of the internal audit function (within the scope of this policy) can be further elaborated in other (lower-level) policy documents. They may however never infringe the independence of the internal audit function.

3.11 PROJECT MANAGERS

Project managers must embed IS/DPP in the overall project documentation from the start of the project.

Key responsibilities of project managers in the context of IS/DPP are:
- If no IS/DPP issues are to be addressed, this is to be explicitly documented in the project documentation.
- If IS/DPP issues are to be addressed (mainly because personal data is being processed at one point during the project and/or in the end product of the project), then the data processing must be described and documented and a privacy impact assessment has to be made following the relevant policy document and, as the case may be, supported by (members of) the Information Security Team.

The roles, functions and tasks of the project managers (within the scope of this policy) can be further elaborated in other (lower-level) policy documents.

3.12 INFORMATION ASSET OWNERS

An Information Asset Owner (IAO) is appointed per (major) information asset of the organisation, i.e. a database of data used for a separate purpose, an application containing data used for a separate purpose, …

IAOs are appointed by the line management, advised by the Information Security Team.

Key responsibilities of IAOs in the context of IS/DPP are:
- in general
  o to act as the gatekeeper for access to the information asset, a.o. by supporting the implementation and review of access rights
  o to support the DPO in collecting and providing information on the data processing within the organisation
  o to document the information asset, including any project documentation relating to the setup, a privacy impact assessment (or at least a description of the data set), a view on where that information asset is embedded in the information management architecture of the organisation, and any dependencies on, respectively of, other information assets within or outside of the organisation
  o to suggest (specific) acceptable use rules or other instructions for the persons with access rights to the DPO
  o to communicate acceptable use rules or other instructions to the persons with access rights and raise awareness on them
  o to proactively raise issues they have in managing the information asset to the DPO and/or the CISO
- if the information asset is a primary source within the organisation
  o to document arrangements with any secondary sources, a.o. on data minimization, secure and timely delivery, and business continuity, as the case may be following the instructions and templates of the DPO
  o to detect and report to the DPO any derived use of the primary source data he did not approve beforehand, a.o. by (periodic) checks on the use
- if the information asset is a secondary source within the organisation
  o to ensure that the data is used in line with the arrangements made with the primary source
  o to ensure that the data is not further processed (incl. disseminated or used) without the formal approval of the IAO of the primary source, which should be documented and based on full information on such further processing (which should in principle be covered by a privacy impact assessment) and a clear argumentation why the connection is not made with the primary source

The roles, functions and tasks of the IAOs can be further elaborated in other (lower-level) policy documents.

3.13 STAFF

Employees and other staff of the organisation must
- comply with the legal requirements related to data protection and privacy
- respect the principles set out and communicated by the organisation in relation to data protection and privacy
- not use their access rights (in the broadest sense) if and when they do not have a demonstrable, professional need-to-know of the data
- respect the information classification given to data and even upgrade it (never downgrade it) if that
- follow the instructions of the organisation with regard to data processing

Employees and other staff of the organisation should
- act as gatekeeper, even towards colleagues, for the personal data they have access to
- upgrade the information classification of data to a level that is more restricted (never downgrade it) if and when that seems appropriate
- support other staff members in protecting (personal) data
- proactively notify the information asset owner if they no longer need certain access rights
- notify (potential) breaches or vulnerabilities in the data protection and privacy setup to the DPO and/or the CISO

The roles, functions and tasks of the staff members can be further elaborated in other (lower-level) policy documents.

4. Policy framework

4.1 POLICY DOCUMENTS

Whereas this overarching policy is the highest norm within the organisation with regard to IS/DPP, other policy documents on the topic will be developed, established, communicated to the (relevant) staff members, and enforced. The types of norm, their description and the level that decides on them are:

Procedures
  Description: policy documents that define a procedure to be followed, mainly aimed at involving centers of competence.
  Decision level: Information Security Team

Instructions
  Description: policy documents that define instructions that the staff MUST follow. They can be issued on an "all staff" level, on a unit level or on a staff member level.
  Decision level: Executive Committee

Specifications
  Description: policy documents that define technical specifications or requirements that support IS/DPP.
  Decision level: Executive Committee

Standards
  Description: policy documents that define "comply or explain" requirements that SHOULD be followed unless there is a solid, documented explanation to deviate, which is not vetoed by the CISO or the DPO.
  Decision level: Executive Committee

Guidelines
  Description: policy documents that attempt to provide guidance to avoid harm to the data subjects, the staff members or the organization.
  Decision level: Information Security Team, CISO or DPO

4.2 POLICY DEFINITION PROCESS

The Information Security Team defines the policy definition process (from idea to publication), respecting the (decision) elements defined in the current policy.

4.3 EXCEPTIONS MANAGEMENT

Exceptions to compliance with a policy document must be decided at the appropriate level, which, if not indicated differently in the policy document to which an exception is made, is the member of the Executive Committee responsible for the department to which the exception applies. Such member of the Executive Committee must always be included for any exception whose impact may be above the risk level defined in the first part of this policy.

Exceptions to compliance with a policy document must be documented, irrespective of the type of norm (must, should, can). The documentation must include the rule deviated from, the extent of the exception (department, rule, term, …), the impact of the exception (scope of the impact, a.o. number of data subjects, types of data, …; relation of the impact to the risk appetite of the organisation), the advice of the CISO and the DPO on the exception, the decision of the appropriate decision taker and the signature of the decision taker. The documentation must be provided to the DPO, who shall keep a register thereof. The register is taken into account in the reporting on the IS/DPP risk.

The exception management can be further elaborated in other (lower-level) policy documents.

5. Communication

5.1 COMMUNICATION

The DPO and the CISO, in concert, ensure the communication of the IS/DPP policies to the relevant target groups. Coordination is done at the level of the Information Security Team.

The evidence of the communication and, as the case may be, the target group, should be provided to and kept by the DPO.

5.2 TRAINING

The DPO and the CISO, in concert, ensure the training on IS/DPP for the relevant target groups. Coordination is done at the level of the Information Security Team.

Each new employee and on-premises staff member should attend a basic training on IS/DPP within the first month of employment within the organisation.

Each employee and on-premises staff member should attend a training on (selected) key elements of IS/DPP at least once every year.

The training material should be validated by the Information Security Team.

The evidence of the training and, as the case may be, the target group, should be provided to and kept by the DPO.

5.3 AWARENESS

The Information Security Team decides on the awareness raising actions to be set up. The DPO and the CISO make suggestions for such actions.

There should be at least one awareness raising action directed to all employees and on-premises staff members every three months.

The awareness raising material should be validated by the Information Security Team.

The evidence of the awareness raising actions and, as the case may be, the target group, should be provided to and kept by the DPO.

6. Enforcement

Any IS/DPP incident should lead to a root cause analysis, the definition of lessons learned and the implementation of improvement actions.

Any IS/DPP incident can lead to enforcement actions from the line management towards the staff members involved. Enforcement action can range very broadly, from the requirement to (again) follow IS/DPP training up to any sanction as defined in the relevant documents (e.g. the agreement with the processor, the employment agreement, …).

7. Reporting

7.1 TOP LEVEL: RISK MANAGEMENT COMMITTEE

The reporting to the top management is a compilation of
- relevant changes, such as changes in the regulatory environment and the organisation
- key (IS/DPP) risk indicators
- progress on the IS/DPP action plan
- the efforts on the communication, training and awareness actions
- the major incidents in the past reporting period
- the results of the first, second and third line controls

The reporting requirement, including its content and its frequency, can be further elaborated by the Risk Management Committee in other policy documents.

7.2 LOWER LEVELS

The reporting requirement to the Information Security Team, the CISO and the DPO respectively can be further elaborated by the recipient of such reporting in other (lower-level) policy documents.