TECHNICAL AND ORGANISATIONAL MEASURES
Title: Technical and Organisational Measures
Created: Nazaf Azmi
Last Modified date: 06/06/2024
| Version Number | Date of change and author | Reason |
| --- | --- | --- |
| 1.0 | 24-04-2024 Nazaf Azmi | Document created |
| 1.1 | 06-06-2024 Henry Mullen | Terminology amendments |
General
In the digital age, protecting personal information is paramount. Technical and organizational measures (TOMs) play a pivotal role in safeguarding data integrity, confidentiality, and availability. This document outlines key principles, strategies, and best practices implemented by Worka.
Technical measures encompass the use of technology to secure data, including encryption, access controls, and intrusion detection systems. Organizational measures involve policies, procedures, and practices designed to manage and mitigate risks, such as employee training, incident response plans, and compliance frameworks.
Key components of Technical Measures
Control against Malware
Patch and Vulnerability Management
Encryption and Key Management
Secured Internet browsing and connection
Authentication via Single Sign On (SSO) or Two-Factor Authentication (2FA)
Data Encryption at rest and in transit
Data Protection compliant destruction of data carriers (files, drives etc.)
Locking of device housing
Secure Firewall
Card for locked areas
Logging of access to applications and processes such as data destruction
Key components of Organisational Measures
Information Security Policy: To maintain a secure infrastructure that minimises exposure to data loss, to have fit-for-purpose, available systems, and to ensure employees and contractors understand the importance of Information Security.
Business Continuity Plan: To understand the critical functions and activities of the organisation, and to analyse and respond to the risks identified to the organisation. In so doing, the plan provides a detailed, prioritised, and timetabled response to an emergency and identifies the key roles, responsibilities, and contacts needed to respond to an emergency.
Risk Assessment: Apart from being a legal requirement in some cases, we use risk assessments to help develop mitigation solutions and as an effective preventive measure.
Awareness & Training: To have in place comprehensive training programs covering various aspects of cybersecurity, including recognizing phishing attempts, creating strong passwords, identifying social engineering tactics, and understanding the importance of data protection.
Policy Communication and Acknowledgment: Ensure that employees are aware of and acknowledge organizational security policies and procedures through regular communication, training modules, and acknowledgment forms.
Other policies and procedures: Ensure that we have robust, easy-to-follow policies and procedures in place so that our employees know what their obligations are and what to do if certain situations occur, including clean desk, bring your own device and remote work policies, and data breach and DSR procedures.
Reviews & audits: Having the above policies and procedures in place is not enough; we need to make sure that they are effective. Therefore, we have established controls and audits to evaluate their effectiveness.
Due diligence: We must be able to ensure the security of personal data when we use sub-processors. We carry out due diligence checks before we commit to a sub-processor, and we must agree a monitoring process with the sub-processor.