Training Information Asset Owners


Page 1: Training Information Asset Owners

- Classification: internal -

COMPANY IS/DPP Level-Up Training Sessions
Information Asset Owners

(date)

Page 2: Training Information Asset Owners

“Level-up”

In addition to the baseline training for all staff

Applicable to specific staff, in this case: information asset owners

Why? Information asset owners are the primary responsible individuals for a specific internal or external data source. They play a pivotal role in the information asset architecture and management, as they are the single points of contact for the data sources of the organisation.

- Therefore information asset owners are well-placed champions for IS/DPP.

Page 3: Training Information Asset Owners

YOUR MISSION, should you choose to accept it…

Take up active ownership of the Information Assets assigned to you in the Business-As-Usual by:

• Keeping the IS/DPP documentation on the Information Assets and keeping it up-to-date, especially additional uses.

• Liaising with the CISO so he can keep the overview, a.o. via the Information Asset Inventory.

• Guarding (the access to) the Information Assets, their quality and their perimeter throughout their lifecycle.

• Supporting the Access Management.

Important note: this is a continuous mission!

Page 4: Training Information Asset Owners

Q1: Why is there a setup with Information Asset Owners?

Page 5: Training Information Asset Owners

Data is everywhere.

Page 6: Training Information Asset Owners

Data is everywhere, we organise it

Page 7: Training Information Asset Owners

Data is everywhere, we organise it, to be able to manage it

Page 8: Training Information Asset Owners

Architectural benefit

• Overview.

• Easier to grasp.

• Support / Single Point of Contact for certain data sets.

• Future?

• Single (“authentic”) source for certain data.

• Agile, decentralized deployment.

Page 9: Training Information Asset Owners

Q2: What documentation should I keep?

Page 10: Training Information Asset Owners

Checklist

• Data set and data flow description

• Risk assessment (different versions)
  – After implementation project (legacy = absent)

• Risk mitigating / sharing measures (as implemented)
  – Technical measures (+ point of contact)
  – Organisational measures documented (a.o. who can/should have access?)
  – Communication/training/awareness [plan]

• Residual risk acceptance (if any, documented)

• Regular reviews
  – Periodic (norm: 1 / year)
  – Due to changes

Page 11: Training Information Asset Owners

Document: Data Sets (first 3 criteria)

Source of the data: Objective / Subjective; Data Subject / Generated ourselves / 3rd party / …

Purpose for the data: Credit review, AML screening, profiling, contact in execution of agreement, marketing, segmentation, …

Data subject: Customer, cardholder, prospect, candidate, staff member, contact at supplier, contact at corporate customer, …

Data fields: Free fields: Name, address, free comment, meeting report, … Dropdown lists: Country, Title, Status, …

Special categories of data: Financial data, card data (PCI), … Relating to race, ethnic origin, (political, philosophical, religious) beliefs, trade union membership, sexual life. Health data / Judicial data (related to litigation, criminal sanctions, presumptions of criminal facts, …)

(Estimated) volume: By number of data subjects, by number of data fields per data subject, …

Page 12: Training Information Asset Owners

Scope = DATA

[Diagram: what counts as "data" in scope and why it is protected. Data types shown: Idea, Process, Texts, “Image”, Card(holder) Data, Personal Data, Customer Data, Data Subject. Protection regimes shown: Copyright, Patent, Trade Mark (legal protection when in the open), Competitive advantage (protection by obscurity), Duty of discretion, PCI DSS (PSD), Personal Data Protection, Privileged Information / Market Abuse. Two drivers: “Want to protect” and “Have to protect”.]

Page 13: Training Information Asset Owners

[Diagram: data taxonomy. Other data vs. Personal data; Personal data split into Other personal data (perceived as private / perceived as public) and Special Categories of Data (Sensitive, Health, Judicial). Further labels on the diagram: IGA, PCI, Nat Reg.]

Page 14: Training Information Asset Owners

Document: Risks

Data Classification: Give the full data classification per data set.

Risks identified: What risks were identified in terms of the different layers of information security and data protection?

Qualitative measure of the risk: Likelihood x impact

Quantitative measure of the risk: (if possible) more detailed calculations based on statistical models (e.g. Monte Carlo)

Validation by CISO: The CISO has to validate all information risk assessments.

Validation by DPO (for personal data): The DPO has to validate all personal data related risk assessments.

Frequently re-evaluate

Page 15: Training Information Asset Owners

Document: Risk Approach

Risk Mitigating Measures: For every risk identified, the mitigating measures: technical and/or organisational (incl. first line controls).

Risk Sharing Measures: For every risk identified, if applied, the risk sharing measures: agreements, insurances, etc.

Residual Risk: For every risk identified, the residual risk (incl. assessment in terms of likelihood and impact).

Comparison to 1st Risk Assessment: Preferably visually (matrix)

Validation by CISO: The CISO has to validate all information risk approaches.

Validation by DPO (for personal data): The DPO has to validate all personal data related risk approaches.

Residual Risk Acceptance (if any): The decision by the ExCo or, as the case may be, a steering committee to which the project follow-up was delegated.

New risk acceptance or measures, if and when the risk assessment has shown a change in risk profile. Escalate via CISO or DPO.

Page 16: Training Information Asset Owners

Document: Data Flows

Data set transferred: (see data set for further detail)

Source of the data: In principle the repository you are responsible for as Information Asset Owner

Recipient of the data: Within company / between GROUP companies / Third Party (processing on COMPANY’s behalf) / Third Party (processing on own behalf)

Purpose for use by the recipient: To allow alignment with the original purpose and fitness of the data set

Operational description of transfer: Automatic or manual intervention, format (xls, xml, CODA, …), channel, frequency of the transfer, …

Security of the transfer: Measures taken to ensure the secure transfer, both technical (e.g. encryption) and organisational (e.g. double channel for transfer of package and key)

Assurance by recipient: To keep the data secure and confidential, not to use the data for other purposes than described, not to further transfer the data, to update the data at request of IAO, …

Validation: Validation by CISO (always) and DPO (personal data)

Page 17: Training Information Asset Owners

Q3: What to consider when re-assessing?

Page 18: Training Information Asset Owners

Re-Assess

Assessment: Who? When?

Original (0.1): Project manager, start of project

First version (1.0): Project manager, end of project

Addendum due to (significant) change (2.0): Project manager, end of project

Periodic review (2.1 or 2.0 confirmed): Information Asset Owner, 1/year

Ad hoc review due to (minor) change in process, regulation, … (2.1 or 2.0 confirmed): Information Asset Owner, when needed (note: not always externally triggered!)

Planned control review: CISO or DPO (personal data), second line control planning

Ad hoc control review: CISO or DPO (personal data), event (e.g. data breach or supervisor request)

Page 19: Training Information Asset Owners

Data Classifications indicate Risks

Category: Classifications

Confidentiality: Public, Internal, Restricted and Secret.

Integrity: Accurate, Vital and Absolute.

Availability: Non-Essential, Essential, Critical and Highly Critical.

Traceability: Non-Traceable, Sensitive and Critical.

Retention: No Retention, Short-Term, Mid-Term and Long-Term.

+ “Privacy”: Use within the boundaries of the (original) purpose

Information Classification Policy

Page 20: Training Information Asset Owners

Layers & Dimensions

[Diagram: layers around the Data – Environment, Physical, Human, Device, Application, Repository, Carrier, Network, 3rd Parties.]

Changes
• In the regulatory environment
• In processes
• In people (JLT)
• In technology

Page 21: Training Information Asset Owners

Take into Account the Entire Data Lifecycle

[Diagram labels: fewer people can reach it (gatekeepers); data retention forces at work.]

Can we legitimately collect / create the data (for that purpose)? (legal constraints, contractual constraints, …)

Is the storage secure? Which functions / roles need access? Everybody else should be kept out. Is the integrity guarded? Is the availability up to standard?

Can we legitimately use the data for that purpose? Is everybody with access bound by confidentiality?

Can we legitimately share the data (for that purpose)? Do we want to share that data?

Page 22: Training Information Asset Owners

Finality (Data Protection Act / GDPR)

[Diagram: finality principles over the data lifecycle (@Start, Ongoing, @End): Relevance, Minimisation, Quality, Up-to-date, Retention.]

Page 23: Training Information Asset Owners

Legitimacy (Data Protection Act / GDPR)

[Diagram: grounds for legitimacy – Legal requirement, Implied consent, Explicit consent, Controller’s legitimate interest (balance test against the data subject’s fundamental rights); written? formality v. evidence.]

Page 24: Training Information Asset Owners

Forces at Work in Data Retention

[Diagram: forces pulling towards keeping or deleting data, each labelled HAVE TO, USEFUL or WANT TO. Forces shown: Legal requirement (min. retention); Purpose (relevance); Archive (evidence); Legal requirement (max. retention); Facilities (capacity, readability, …); Personal data protection (relevance); Legal (lack of evidence); Data protection (protection).]

Page 25: Training Information Asset Owners

Measure the risk

Risk = likelihood x impact (based on “trusted” sources)

Page 26: Training Information Asset Owners

Remember: Possible Positions towards Risk

In principle only LOW risk

If this “pops up”: escalate via CISO or DPO.
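The slides on risk measurement (likelihood x impact, only LOW risk acceptable in principle), on CISO/DPO validation, on the yearly review norm and on data flow documentation describe rules an Information Asset Owner could apply mechanically to an inventory record. The script below is an added example written for this page, not material from the training deck or from COMPANY; the record layout, the field names, the 1..3 likelihood and impact scales, the LOW/MEDIUM/HIGH bands and the sample asset are assumptions made for the example.

```python
"""Added example (not from the deck): check one Information Asset Inventory record
against the training's documentation rules. Rules from the slides: risk = likelihood
x impact, only LOW is acceptable in principle (else escalate via CISO or DPO); CISO
validates every risk assessment and data flow, DPO additionally for personal data;
periodic review norm 1 / year. Scales, bands, field names and sample are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Classification values per category, as listed on the "Data Classifications indicate Risks" slide.
CLASSIFICATIONS = {
    "confidentiality": ("Public", "Internal", "Restricted", "Secret"),
    "integrity": ("Accurate", "Vital", "Absolute"),
    "availability": ("Non-Essential", "Essential", "Critical", "Highly Critical"),
    "traceability": ("Non-Traceable", "Sensitive", "Critical"),
    "retention": ("No Retention", "Short-Term", "Mid-Term", "Long-Term"),
}
REVIEW_NORM = timedelta(days=365)  # periodic review by the IAO: norm 1 / year


@dataclass
class DataFlow:
    recipient: str          # within company / GROUP company / third party ...
    purpose: str            # purpose for use by the recipient
    transfer_security: str  # technical + organisational measures for the transfer
    ciso_validated: bool    # CISO validates every data flow
    dpo_validated: bool     # DPO validates flows of personal data


@dataclass
class InformationAsset:
    name: str
    personal_data: bool
    classification: dict    # category -> value, see CLASSIFICATIONS
    likelihood: int         # assumed scale 1 (rare) .. 3 (likely)
    impact: int             # assumed scale 1 (minor) .. 3 (severe)
    ciso_validated: bool    # risk assessment / approach validated by CISO
    dpo_validated: bool     # ... and by DPO (required for personal data)
    last_review: date       # date of the last periodic or ad hoc review
    flows: list = field(default_factory=list)


def qualitative_risk(likelihood: int, impact: int) -> str:
    """Risk = likelihood x impact; the bands are an assumption of this example."""
    score = likelihood * impact
    if score <= 2:
        return "LOW"
    if score <= 4:
        return "MEDIUM"
    return "HIGH"


def review_findings(asset: InformationAsset, today: date) -> list:
    """Return the documentation gaps and escalations for one inventory record."""
    findings = []
    for category, allowed in CLASSIFICATIONS.items():
        value = asset.classification.get(category)
        if value is None:
            findings.append(f"missing classification for {category}")
        elif value not in allowed:
            findings.append(f"unknown {category} classification {value!r}")
    risk = qualitative_risk(asset.likelihood, asset.impact)
    if risk != "LOW":
        findings.append(f"residual risk {risk}: escalate via CISO or DPO")
    if not asset.ciso_validated:
        findings.append("risk assessment not validated by CISO")
    if asset.personal_data and not asset.dpo_validated:
        findings.append("personal data: risk assessment not validated by DPO")
    if today - asset.last_review > REVIEW_NORM:
        findings.append("periodic review overdue (norm 1 / year)")
    for flow in asset.flows:
        label = f"flow to {flow.recipient}"
        if not flow.purpose:
            findings.append(f"{label}: purpose for use by recipient not documented")
        if not flow.transfer_security:
            findings.append(f"{label}: security of the transfer not documented")
        if not flow.ciso_validated:
            findings.append(f"{label}: not validated by CISO")
        if asset.personal_data and not flow.dpo_validated:
            findings.append(f"{label}: personal data, not validated by DPO")
    return findings


# Constructed sample record (not a real inventory entry).
CRM_CUSTOMERS = InformationAsset(
    name="CRM customer master data", personal_data=True,
    classification={"confidentiality": "Restricted", "integrity": "Vital",
                    "availability": "Essential", "traceability": "Sensitive",
                    "retention": "Mid-Term"},
    likelihood=2, impact=3, ciso_validated=True, dpo_validated=False,
    last_review=date(2015, 1, 15),
    flows=[DataFlow("Third Party (processing on COMPANY's behalf)", "marketing mailing",
                    "encrypted archive, key sent over a separate channel", True, False)],
)
REVIEW_DATE = date(2016, 6, 1)  # constructed "today" for the sample run


def sample_findings() -> list:
    return review_findings(CRM_CUSTOMERS, REVIEW_DATE)


if __name__ == "__main__":
    for finding in sample_findings():
        print("-", finding)
```

Run as-is, the sample record produces four findings: the HIGH residual risk to escalate, the missing DPO validation of the assessment, the overdue periodic review, and the personal-data flow that the DPO has not validated. The check deliberately reports every gap rather than stopping at the first one, so the IAO gets the full list to take to the CISO or DPO in one go.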

Page 27: Training Information Asset Owners

Q4: How do I, as Information Asset Owner, guard the Information Asset?

Page 28: Training Information Asset Owners

Focus on the GOAL (“purpose”)

Purpose(s) should have been clearly defined @ start.

Other purposes are in principle not allowed. Exceptions should be validated by CISO and DPO (for personal data).

Purpose helps define when to move data to archive (lower access).

Purpose helps define when to delete data and triggers deletion. Data transfers must be documented.

The IAO supports HR, IT and CISO to periodically review the authorizations to the data set(s) in his ownership (lateral control).

The IAO is a first line control, next to line management, to assess authorizations to the data set(s) in his ownership (lateral control).

The data quality (fit-4-purpose) should be maintained.

Page 29: Training Information Asset Owners

Escalate if and when necessary

An Information Asset Owner can and should escalate any issue with the processing / handling of the Information Assets in his ownership to the CISO and the DPO (for personal data).

Examples of issues (the list is not exhaustive):

• The data quality has significantly deteriorated, yet someone prevents the deletion of the data.

• The foreseen data retention date or the use for the data given the purpose has expired, yet someone prevents the deletion of the data.

• A data recipient does not want to document the arrangements.

• There is a discussion on the authorizations (give or not, or type of authorization: create/read/write/delete).

• A project manager did not deliver the proper documentation at the end of the project.

Page 30: Training Information Asset Owners

Useful Additional Information

Page 31: Training Information Asset Owners

Especially Relevant Policy Documents

• Information Ownership Policy

• Information Asset Inventory

• Information Asset Architecture and Management

• Information Classification Policy

• (other)

(Sharepoint)

(Folder)

Page 32: Training Information Asset Owners

Relevant Points of Contact

As sounding boards (and support):
• CISO (Chief Information Security Officer) (name)
• DPO (Data Protection Officer) (name)

For arrangements with secondary data users within COMPANY (in as far as the template does not cover it):
For agreements with third parties:
• Procurement (name)
• Legal (name)