Data Security Project
Is your entity fully prepared to detect, defend against, and respond to cyber-attacks and data breaches?
What to do?
Start by assessing the following:
Do you encrypt, pseudonymise, or anonymise personal information wherever possible?
Do you have IT policies (BYOD, password, data management, IT procurement, network access) in place? Are they up to date and being complied with?
Have you taken the necessary steps to protect personal information under your organisation's control? Do you use encryption for all personal information in transit and at rest?
Consider the benefits of conducting data privacy impact assessments (DPIA), and put a process in place to carry it out. Be sure to train relevant employees on the established process.
Is personal information secured in locations with limited (or just-in-time) access? Are user, application and backend access controls correct and up to date?
Does your organisation test local, cloud-based and third-party-controlled applications for security suitability and approve them for use?
Do you ensure that your entity has "fit for purpose" security software and hardware to help with the prevention, detection and response to security incidents? Examples of this include multi-factor authentication on critical systems, anti-virus/anti-malware suites, actively managed proxy firewalls, intrusion detection systems, and enterprise incident response applications.
Are proactive steps in place to build a holistic privacy culture and awareness (e.g. training, education, phishing and social engineering exercises)?
Are relevant security information and performance metrics being reported to executives and the board?
Do you have a process in place to notify the Office of the Privacy Commissioner (PrivCom) and affected individuals in the event of a data breach?