TECHNICAL AND ORGANISATIONAL MEASURES



Title: Technical and Organisational Measures

Created: Nazaf Azmi

Last Modified date: 06/06/2024

Version Number

Date of change and author

Reason

1.0

24-04-2024 Nazaf Azmi

Document created

1.1

06-06-2024 Henry Mullen

Terminology amendments

General

In the digital age, protecting personal information is paramount. Technical and organizational measures (TOMs) play a pivotal role in safeguarding data integrity, confidentiality, and availability. This document outlines key principles, strategies, and best practices implemented by Worka.

Technical measures encompass the use of technology to secure data, including encryption, access controls, and intrusion detection systems. Organizational measures involve policies, procedures, and practices designed to manage and mitigate risks, such as employee training, incident response plans, and compliance frameworks.

Key components of Technical Measures

  • Control against Malware

  • Patch and Vulnerability Management

  • Encryption and Key Management

  • Secured Internet browsing and connection.

  • Authentication via Single Sign On (SSO) or Two-Factor Authentication (2FA)

  • Data Encryption at rest and in transit

  • Data Protection compliant destruction of data carriers (files, drives etc.)

  • Locking of device housing

  • Secure Firewall

  • Card for locked areas

  • Logging of access to applications and processes such as data destruction

Key components of Organisational Measures

  • Information Security Policy: To maintain a secure infrastructure to minimise exposure to data loss, to have fit-for-purpose available systems and to ensure employees and contractors understand the importance of Information Security.

  • Business Continuity Plan: To understand the critical functions and activities of the organisation and analyse and respond to the identified risks to the organisation. In so doing the plan provides a detailed, prioritised, and timetabled response to an emergency and identifies the key roles, responsibilities, and contacts to respond to an emergency.

  • Risk Assessment: Apart from being a legal requirement in some cases, we use risk assessments to help develop mitigation solutions and as an effective preventive measure.

  • Awareness & Training: To have in place comprehensive training programs covering various aspects of cybersecurity, including recognizing phishing attempts, creating strong passwords, identifying social engineering tactics, and understanding the importance of data protection.

  • Policy Communication and Acknowledgment: Ensure that employees are aware of and acknowledge organizational security policies and procedures through regular communication, training modules, and acknowledgment forms.

  • Other policies and procedures – Ensure that we have robust and easy to follow policies and procedures in place so that our employees know what their obligations are and what to do if certain situations occur including a clean desk, bring your own device, remote work policies, data breach and DSR procedures.

  • Reviews & audits – Having the above policies and procedures in place is not enough. We need to make sure that they are effective. Therefore, we have established controls and audits to evaluate their effectiveness.

  • Due diligence –We must be able to ensure the security of personal data when we use sub-processors. We establish due diligence checks before we commit to a sub-processor. We must agree with the sub-processor a monitoring process.