Process Owner

Authorization Matrix

Description Process owners are responsible for an authorisation matrix listing who has what access to data and functionality in the relevant systems, and in what capacity. The authorisation matrix includes roles, the...

Joiner/Mover/Leaver

Description Process owners approve users being granted authorisations to the data in the process. Requests from individuals who want access to information assets, or the authorisations to do so, are logged and...

Least Privilege

Description Individuals receive only the minimum authorisations required for their role and purpose in the processing activities. Authorisations are granted only for the period during which the activities take place....

Review of Permissions

Description Periodically, a list of all users in the system and their associated permissions is generated and reviewed. If it is available, all access rights must be in accordance with...

Team capacity monitoring

Description Teams plan for sufficient capacity to execute important tasks, including during holidays. Team capacity is monitored, and structural understaffing is flagged and addressed....

Non-Disclosure Agreements

Description When working with sensitive information, individuals are required to agree to and sign a non-disclosure agreement (NDA). At a minimum, the NDA specifies how the individual should handle the...

Background Check

Description Before processing activities commence, background checks are performed for all individuals working with sensitive data and systems, to determine their integrity and suitability for the tasks and to ensure secure...

Retention periods

Description The period for which data is retained and remains available is identified and recorded, and adheres to the minimum legal or business requirements. After this period, the data is deleted and is unrecoverable. This...

Data handling procedure

Description The rules for processing data are made explicit and clear, including whether remote work is allowed and under what circumstances, whether Bring-Your-Own-Device is permitted, and how data...

Authorized data distribution

Description The process owner explicitly authorises the distribution of confidential information to any recipient, whether internal or external to the organisation. For all non-incidental data transfers, the authorisation is documented and reviewed...