¶ The SENTINEL organisational and technical measures (OTMs)
Below you may browse a complete listing of all the organisational and technical measures available in the platform for recommendation and implementation.
The OTMs below are always recommended, since a risk level of at least LOW is always assumed. They are grouped per OTM category.
¶ O1: Defining and enforcing a policy
- O1.L.1 A set of policies for Information Security and Data Protection shall be defined and approved by management.
- O1.L.2 The policies for information security and data protection shall be reviewed annually to ensure their continuing suitability, adequacy and effectiveness.
¶ O2: Assigning roles and responsibilities
- O2.L.1 Define and allocate roles and responsibilities for CS and PDP
- O2.L.2 Clearly define hand over/take over procedures during re-organizations, changes / terminations of employment and rights revocation.
- O3.L.1 Grant each person involved with personal data processing specific access control rights on a need-to-know basis
- O4.L.1 Create a register of the SME’s assets, hardware, software, and network, used for personal data processing. At a minimum, include: IT resource, type (e.g., server, workstation, tablet etc.), location (on-premises, Cloud etc.).
- O4.L.2 Assign a specific member of staff, e.g., IT officer, to maintaining and updating the register, on a regular basis
- O5.L.1 The assignee for managing assets is to ensure that all changes to IT assets of the SME are registered and monitored regularly.
- O5.L.2 Software development should be performed in a separate environment that is not connected to the production infrastructure used for doing business or for processing personal data.
- O5.L.3 When testing is required, “dummy” data should be used, not actual data.
- O5.L.4 Specific procedures should be in place at all times, for the protection of personal data when testing assets
- O6.L.1 Define, document and agree formal procedures, including requirements and obligations, for processing personal data, between the SME and any third parties who process personal data on its behalf (e.g., Cloud service providers), prior to any processing activities. These should establish, as a minimum, the same level of security as mandated in the organization’s security policy.
- O6.L.2 Upon discovering a data breach, the data processor shall notify the controller (SME) without undue delay.
- O6.L.3 (Upon discovering a data breach) The data processor should provide sufficient documented evidence of compliance
- O6.L.5 The personal data to be collected shall be clearly defined. A lack of definition of the input data could lead to collecting data that are not necessary for the purpose.
- O6.L.6 All data not explicitly required for processing shall be removed. Determine what personal data is required and where in the processing it is required, and confirm the legal ground (lawful basis) for the processing. The personal data protection policy shall be updated, and specific workflows / business processes updated, to ensure that only the personal data necessary for each specific purpose are processed.
- O6.L.7 Personal data shall be collected in the same format in which they are to be processed.
- O6.L.8 A personal data collection form shall be used to collect personal data
- O6.L.9 The privacy notice to be transmitted to data subjects shall be well defined and part of the organisation's privacy policy.
- O6.L.10 The privacy notice shall be transmitted to data subjects before any personal data collection or processing takes place.
- O6.L.11 The privacy notice to be transmitted to data subjects shall be concise, transparent, intelligible, and readily available to data subjects all times.
- O6.L.12 The privacy notice to be transmitted to data subjects shall apply to a specific processing activity and not be generic.
- O6.L.13 For paper-based storage the organisation shall enforce a) Confidentiality of personnel; b) Training and c) Physical security
- O6.L.14 For data stored on standalone devices such as local discs, USB devices, smartphones, etc.: The organisation shall enforce a) Workstation and mobile security; b) Backup policy; c) Physical security
- O6.L.15 For data stored on internal and/or networked servers the organisation shall enforce a) Authentication and Access control; b) Logging and monitoring; c) Server and database security; d) Network security; e) Backup policy; f) Physical security
- O6.L.16 For data stored on a public, private or hybrid Cloud if the assets are owned, the organisation shall enforce a) Authentication and Access control; b) Logging and monitoring; c) Server and database security; d) Network security; e) Backup policy. If the assets are not owned (e.g. SaaS services), the organisation shall be aware and managing the obligations and cybersecurity responsibility of 3rd parties/Cloud providers (Data processors).
- O6.L.17 Data subjects shall be given access to their personal data
- O6.L.18 Data subjects shall be provided with the means to challenge the accuracy and completeness of their personal data, if they so desire.
- O6.L.19 Data subjects shall be provided with the means to request the partial or full erasure of their personal data, and/or the termination of their data processing, if they so desire.
- O6.L.21 Data subjects shall be provided with the means to request the restriction of the processing of their personal data.
- O6.L.22 Data subjects shall be provided with the means to object to or request the full termination of the processing of their personal data.
- O6.L.23 Processors shall be duly informed of any personal data amendment, correction or removal requested by data subjects.
- O6.L.24 Data subjects shall be able to contest any results of automated decision-making
- O6.L.25 Appropriate controls should be put into effect so as to ensure that data subjects only have access to their own personal data and that their rights may only be applied to their own personal data.
- O6.L.26 All requests made by data subjects shall be appropriately recorded
- O6.L.27 The request for consent shall be presented in a manner which is clearly distinguishable from the other matters, and in an intelligible and easily accessible form, using clear and plain language.
- O6.L.28 Data subject shall be adequately informed of the consequences of granting and withholding consent.
- O6.L.29 A clear, prominent, easily understandable, accessible and affordable mechanism shall be made available to data subjects to exercise consent.
- O6.L.30 The consent mechanism shall provide clear options for data subjects to withdraw their consent.
- O6.L.31 The consent mechanism shall provide the means to verify that data subjects' preferences are implemented as expressed.
- O6.L.32 Permanent, timestamped and auditable records shall always be kept by the controller of the details associated with data subjects granting or withdrawing their consent.
¶ O7: Handling incidents
- O7.L.1 Define an incident response plan with procedures to ensure an effective and orderly response to incidents involving personal data.
- O7.L.2 Personal data breaches should be reported immediately to management
- O7.L.3 Personal data breaches discovered by outsourced data processors, should be reported to the data controller (SME).
- O7.L.4 Immediate notification procedures for the reporting of the breaches to competent authorities and affected data subjects should also be in place, following art. 33 and 34 GDPR
- O8.L.1 Establish specific procedures and controls to be followed to ensure the required level of continuity and availability of the IT assets/services for processing personal data, in the event of an incident/data breach
- O9.L.1 Ensure that employees understand their responsibilities and obligations related to PDP.
- O9.L.2 Roles and responsibilities should be clearly communicated during the pre-employment and/or induction processes
¶ O10: Cybersecurity awareness, education and training
- O10.L.1 Inform staff about the CS controls of the IT assets relating to their work
- O10.L.2 Employees involved in personal data processing should additionally be informed about relevant GDPR requirements and legal obligations through regular awareness activities
¶ T1: Authentication and Access control
- T1.L.1 Implement a strict access control system for all users accessing SME IT assets, which should allow creating, approving, reviewing and deleting user accounts and their roles and permissions.
- T1.L.2 User accounts should be personal and not shared (common) amongst users. In cases where this can’t be implemented, ensure that people using the same account have the same roles and responsibilities.
- T1.L.3 Support robust authentication, based on the access control policy, requiring as a minimum a username/password combination.
- T1.L.4 Passwords should respect a certain (configurable) minimum level of complexity and not be acceptable by the system unless their strength criteria are met.
- T1.L.5 Passwords must always be stored in a hashed/encrypted form in the database
¶ T2: Logging and monitoring
- T2.L.1 Implement and enable detailed logging and monitoring for every IT asset used in the processing of personal data.
- T2.L.2 Every type of data processing (view, modification, deletion) should be logged.
- T2.L.3 Log files should be timestamped and adequately protected against tampering and unauthorized access.
- T2.L.4 Clocks should be synchronised to a single reference time source
¶ T3: Server and database security
- T3.L.1 Configure database and application servers to run under a separate account
- T3.L.2 Configure the minimum OS privileges necessary to function correctly
- T3.L.3 Only the personal data which is absolutely necessary for each task should be accessed and processed
- T4.L.1 Users should not be able to deactivate or bypass security settings
- T4.L.2 Install and configure anti-virus software for every device. Update on a weekly basis
- T4.L.3 Disable the privileges for users to install or activate unauthorized software applications
- T4.L.4 Implement screen-lock and session time-outs when the user has been inactive for a certain time period
- T4.L.5 Critical security updates released by the operating system developer should be installed regularly
- T5.L.1 Define and document mobile device management procedures for security.
- T5.L.2 Devices allowed to access SME IT assets should be pre-registered and authorized.
- T5.L.3 Mobile devices should be subject to the same levels of access control as other terminal equipment
- T6.L.1 Enforce encryption of all communication and data transfers over the Internet, e.g., through TLS/SSL
- T7.L.1 Define and document company-wide data backup and restore procedures and clearly link them to specific staff roles and responsibilities.
- T7.L.2 Backups should be given an appropriate level of physical and environmental protection, at least as robust as the standards applied to the data being backed up.
- T7.L.3 Backups should be monitored and verified for integrity. Full backups should be carried out regularly
- T8.L.1 Follow and adhere to best practices, state of the art and well-acknowledged secure development practices, frameworks or standards during software development lifecycles;
- T8.L.2 Define and implement specific security requirements during early stages of development;
- T8.L.3 Adopt specific techniques for supporting privacy, e.g., state-of-the-art privacy-enhancing technologies / PETs, in analogy to the defined security requirements;
- T8.L.4 Follow secure coding standards and practices
- T8.L.5 Perform rigorous testing and validation against the implementation of the initial security requirements, during development.
- T9.L.1 Perform software-based overwriting on media prior to disposal. When software-based overwriting on media prior to disposal isn't possible (e.g., DVDs, etc.) perform physical destruction.
- T9.L.2 Shred / destroy paper or similar print media used to store personal data
- T10.L.1 Ensure the physical perimeter of the SME’s IT assets is inaccessible to non-authorized personnel
The OTMs below are recommended, along with all low-risk ones, for PAs assessed with MEDIUM risk.
¶ O1: Defining and enforcing a policy
- O1.M.1 Separate policies for Privacy and PDP shall be defined and approved by management.
- O1.M.2 All information security and privacy responsibilities shall be defined and allocated.
- O1.M.3 Baseline measures for PDP shall be clearly defined and documented and approved by management.
- O1.M.4 Appropriate data processors with relevant authorities shall be defined and maintained
- O1.M.5 Appropriate third party with special interest groups shall be defined and maintained
- O1.M.6 Policies and procedures for PDP shall be documented, and their storage and preservation, including the preservation of legibility, shall be guaranteed
¶ O2: Assigning roles and responsibilities
- O2.M.1 The company shall appoint a Data Protection Officer for the establishment, implementation, maintenance and continual improvement of the information privacy management system (selected using a custom rule)
- O2.M.2 The company shall appoint an Information Security Officer for the establishment, implementation, maintenance and continual improvement of the information security management system
- O2.M.3 The company shall ensure that the responsibilities and authorities for roles relevant to CS and PDP are assigned and communicated
- O3.M.1 An access control policy shall be established, documented and reviewed based on business, information security, and privacy requirements
- O3.M.2 Determine the SME’s access control rules, access rights and restrictions for specific user roles for PDP
- O3.M.3 Define and document the segregation of access control roles, e.g., access request, access authorization, access administration
- O4.M.1 Assets maintained in the inventory shall be owned and assigned to specific roles
- O5.M.1 Changes to the organization, business processes, information processing facilities and systems that affect information security shall be documented and controlled. Create and regularly maintain a detailed change policy document, which should include: a process (including timelines) for introducing changes and the roles/users that have change rights
- O6.M.1 Organisations shall regularly monitor, review and audit supplier service delivery for effectiveness and compliance.
- O6.M.2 The data subjects shall be properly informed of, and understand, the semantics of the personal data provided and the impact of their answers
- O6.M.3 Personal data shall be collected in a way which prevents inaccuracies, errors and omissions. No more data shall be collected than is necessary.
- O6.M.4 An appropriate procedure to receive, handle and manage data subjects' requests shall be designed and established
- O6.M.5 The timeframe for completing a request by a data subject shall be appropriately monitored and enforced.
- O6.M.6 Ensure that the GDPR rules and safeguards for transferring personal data outside the EU/EEA have been properly enforced (BCR, CCDT, SCCs, Commission adequacy decision, certification, etc.). If such guarantees don’t accompany the transfer, personal data may still be transferred on the basis of a) a court judgement; b) explicit data subject consent; c) a transfer necessary to a contract with the data subject or regarding their interest; d) a transfer necessary to the public interest; e) a transfer necessary for the defence of legal claims; f) a transfer necessary to protect the vital interests of the data subject; or g) the data being public and open for consultation. (selected using a custom rule)
- O6.M.7 Execute a DPIA (Data Protection Impact Assessment) for this Processing Activity before any actual processing takes place. (selected using a custom rule)
- O6.M.8 A detailed digital Record of Processing Activities (ROPA) shall be created and maintained at all times, to include significant information about processing of personal data within this Processing Activity, including data categories, data subjects, the purpose of the processing, the data recipients, data transfers, processing risk criteria and other pertinent information. This ROPA must be completely made available to authorities upon request. (selected using a custom rule)
¶ O7: Handling incidents
- O7.M.1 Information security and privacy incidents shall be responded to in accordance with the documented procedures including a list of mitigation actions and clear assignment of roles.
- O8.M.1 The organization shall document all established, implemented and maintained processes, procedures and controls that ensure the required level of continuity for information security and privacy during an adverse situation.
- O8.M.2 The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
- O9.M.1 The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security.
¶ O10: Cybersecurity awareness, education and training
- O10.M.1 All employees of the organization and, where relevant, contractors shall receive appropriate training about GDPR obligations and activities relating to their work, as relevant for their job function
¶ T1: Authentication and Access control
- T1.M.1 Password management policy shall be documented and shall ensure quality passwords, validity period and a number of acceptable unsuccessful login attempts
¶ T2: Logging and monitoring
- T2.M.1 System administrator and system operator activities (including addition/deletion/change of user rights or access/viewing of log files) shall be logged and the logs protected and regularly reviewed.
- T2.M.2 Modifying or deleting of log files should not be possible, irrespective of the access privileges of the user.
- T2.M.3 Implement and enable log file health monitoring
- T2.M.4 Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.
¶ T3: Server and database security
- T3.M.1 A policy on the use of cryptographic controls for protection of information shall be developed and implemented. Implement encryption for data at-rest either by software or hardware means.
- T3.M.2 A policy on the use of cryptographic controls for protection of information shall be developed and implemented. Consider drives with built-in encryption.
- T3.M.3 A policy on the use of cryptographic controls for protection of information shall be developed and implemented. Pseudonymization techniques shall be applied through separation of data from direct identifiers linking the data with the data subject
- T4.M.1 Detection, prevention and recovery controls to protect against malware shall be implemented and updated on a daily basis
- T5.M.1 Rules for the acceptable use of mobile devices associated with information and information processing facilities shall be identified, documented and implemented.
- T5.M.2 Enable functionality to remotely erase data (related to the SME’s processing) on mobile devices that may have been compromised.
- T5.M.3 Mobile devices should support separation of private and business use of the device through secure containers.
- T5.M.4 Mobile devices should be physically protected against theft when not in use
- T6.M.1 Wireless networks shall be managed and controlled to protect information in systems and applications. Wireless access to the organisation’s IT assets for specific users and processes shall only be permitted when absolutely necessary and enforce strong encryption and Wi-Fi security
- T6.M.2 Remote access to IT assets shall be prevented unless absolutely necessary, under the control and monitoring of the IT security officer and/or the Data Protection Officer (DPO), through pre-registered and approved devices
- T6.M.3 Networks shall be managed, monitored and controlled to protect information in systems and applications. Network traffic shall be monitored to and from IT assets through tightly configured ACLs, firewalls and Intrusion Detection Systems (IDS)
- T6.M.4 Groups of IT assets processing personal data, information services, and users shall be segregated on networks.
- T6.M.5 Only pre-authorized devices and terminal equipment shall have access to IT assets, e.g., via MAC filtering or Network Access Control
- T7.M.1 Backup media should be regularly tested for reliability.
- T7.M.2 Incremental, automatic (scheduled) backups should be carried out on a daily basis.
- T7.M.3 Redundant copies of the backups should be securely stored in different locations.
- T7.M.4 In case a third party is used, e.g., a Cloud provider, the data must be strongly encrypted before being transmitted out of the SME
- T8.M.1 Information about technical vulnerabilities of the information systems being used shall be obtained from a trusted third party in a timely fashion and before deploying to production. The organisation’s exposure to such vulnerabilities shall be evaluated and appropriate measures taken to address any associated risk.
- T8.M.2 Penetration testing shall be scheduled and completed in a regular and timely way. Any identified weaknesses in staff awareness shall be addressed through refresher training or through direct support.
- T8.M.3 Deep insight into security vulnerabilities of the organisation’s IT assets shall be obtained, which includes all hardware and software assets
- T8.M.4 The effectiveness of software patches shall be evaluated in a testing environment before deploying to a production environment.
- T9.M.1 Multiple passes of software-based overwriting shall be performed on media prior to disposal.
- T9.M.2 If a third party’s services are used to securely dispose of media or of paper-based records, a service agreement shall be in place and a record of destruction of records should be produced as appropriate
- T10.M.1 Physical security for offices, rooms and facilities shall be designed and applied.
- T10.M.2 Identify and enforce secure zones by appropriate entry controls. Maintain a physical log book or electronic audit trail of all such access
- T10.M.3 Install and operate intrusion detection systems in every security zone
- T10.M.4 Physical Barriers for entering in secure areas shall be designed and applied.
- T10.M.5 Physically lock and regularly monitor vacant secure areas
- T10.M.6 Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.
- T10.M.7 Grant service personnel of third parties and subcontractors restricted access to secure areas
The OTMs below are recommended, along with all low- and medium-risk ones, for PAs assessed with HIGH risk.
¶ O1: Defining and enforcing a policy
- O1.H.1 The policies for information security and data protection shall be reviewed per semester/annually or more often as (i) significant organizational changes occur, (ii) critical incident identified, and/or (iii) risk appetite of the organisation significantly changes to ensure continuing compliance, suitability, adequacy and effectiveness.
¶ O2: Assigning roles and responsibilities
- O2.H.1 The organisation shall nominate or appoint a Data Protection Officer (DPO) for the establishment, implementation, maintenance and continual improvement of the information privacy management system (selected using a custom rule)
- O2.H.2 Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.
- O2.H.3 The organisation shall nominate or appoint an Information Security Officer for the establishment, implementation, maintenance and continual improvement of the information security management system.
- O3.H.1 Access rights shall be reviewed. Staff with excessive access rights shall be identified. The organisation shall ensure that assigned roles are limited to staff and third parties on a need-to-know basis.
- O4.H.1 Audit the inventory annually to check and confirm access rights to assets. Please note: The member of staff with responsibility for the inventory shall update the inventory as changes happen.
- O6.H.1 Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented.
- O6.H.2 The definition of every personal data item collected (its semantics) must be set up “by design”
- O6.H.3 Adequacy, relevance, and limitation of personal data should be assessed “by design”
- O6.H.4 Transparency, intelligibility and accessibility of the privacy notice shall be assessed by design and be properly documented
- O6.H.5 An assessment shall be regularly made to evaluate the simplicity and efficiency of the data subjects' request procedure
- O6.H.6 Performance reports on responding to, and completing, data subjects' requests shall be regularly compiled and made available to management.
- O6.H.7 An assessment shall be regularly made to evaluate the quality and efficiency of the data subjects' consent management mechanism.
¶ O7: Handling incidents
- O7.H.1 Event logs recording user activities, exceptions, faults and information security and privacy events shall be produced, retained and made available for regular and timely review. Relevant information shall be retained for evidence in view of an incident (i.e., data breach).
- O8.H.1 Specific staff with the necessary responsibility, authority and competence shall be tasked with managing business continuity in the event of an incident or data breach.
- O8.H.2 An alternative IT facility (e.g., a ‘disaster site’, with sync to a Cloud provider or co-located in a datacentre) should be considered in the event of downtime of the related IT assets
- O9.H.1 Staff involved in high-risk personal data processing shall be bound to specific confidentiality clauses, under employment contract, Non-Disclosure Agreement (NDA) or other relevant legislation and regulation.
¶ O10: Cybersecurity awareness, education and training
- O10.H.1 A training plan with clearly defined goals and objectives shall be implemented and reviewed annually for effectiveness and compliance
¶ T1: Authentication and Access control
- T1.H.1 IT assets used for processing personal data shall only be accessible using two-factor authentication (2FA). Authentication factors such as passwords, security tokens, USB tokens, biometrics, etc., should be considered
- T1.H.2 Device authentication and access control shall be performed
¶ T3: Server and database security
- T3.H.1 Consider privacy-by-design techniques at the database layer. For example, authorised queries, privacy-preserving querying, searchable encryption, etc.
- T4.H.1 Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organisation.
- T4.H.2 Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. Workstations used for the processing of personal data shall not be directly accessible via the Internet unless robust security measures are in place to prevent unauthorised personal data processing.
- T4.H.3 A policy on the use of cryptographic controls for protection of information shall be developed and implemented, enforcing full disk encryption on all workstation drives
- T5.H.1 Two-factor authentication (2FA) shall be implemented for staff accessing or using handheld/portable computing devices, such as smartphones/cell phones, etc.
- T5.H.2 A policy on the use of cryptographic controls for protection of information stored or processed through the use of handheld/portable computing devices, such as smartphones/cell phones, etc., shall be developed and implemented. Personal data stored on the handheld/portable computing devices (related to the organisation’s processing operations) shall be encrypted.
- T7.H.1 Copies of all backups shall be encrypted and stored offline securely
- T9.H.1 Following software erasure, rigorous hardware-based measures shall be implemented, such as degaussing.
- T9.H.2 When software-based overwriting on media prior to disposal isn't possible (e.g., DVDs, etc.) the media shall be physically destroyed
- T9.H.3 If a third-party data processor is outsourced for data disposal, the process shall only take place at the physical premises of the data controller organisation, to avoid off-site transfer of personal data
The SENTINEL OTMs are based on the ISO 27001 family of standards and the ENISA guidelines for SMEs on data protection, with various additions and improvements as well as numerous targeted additions for conforming to GDPR requirements (category O6).