Data Protection

Retention periods

Description: How long data is retained and available is identified and recorded and adheres to the minimum legal or business requirements. After this period, data is deleted and unrecoverable. This...

Data handling procedure

Description: The rules regarding the processing of data are made explicit and clear, including whether remote work is allowed, under what circumstances and the use of Bring-Your-Own-Device and how data...

Organizational Data Deletion

Description: After the retention period or when the data medium is decommissioned, lost or repurposed, organisation data is deleted. End users receive sufficient warning before data is deleted. Specification: Deletion...

Printing Data-Leakage Prevention

Description: Printing services are appropriately protected: Printers are kept separate from the public internet. Printing requires authentication before printing. No repeating printing statements. Documents are stored encrypted and for as...

Data Exfiltration Detection and Prevention

Description: There are measures to prevent users from downloading entire datasets. Additionally, or if these measures cannot be implemented, alerting and monitoring for users downloading large amounts of information from...

Administrator Data Access

Description: Only data owners have access to their data. Administrators and suppliers can only access the data through a break-glass procedure that involves business sign-off and consultation with the organisation....

Remote Wipe of Organizational Data

Description: It is possible for organisational data to be deleted from devices remotely by a device management system, if they actively make a connection or based on an interval without...

Authorized data distribution

Description: The process owner authorises distribution of confidential information explicitly to any recipient, internal or external to the organisation. For all non-incidental data transfers, the authorisation is documented and reviewed...