Internal Security Manual
- RISK ANALYSIS AND SECURITY MEASURES.
1.1 RISK ANALYSIS
The approval of the GDPR represents a paradigm shift in the way any company internally manages data protection. In the previous regulatory model, derived from Directive 95/46/EC, LOPD 15/1999, and its regulations (RDLOPD), security measures were established based on the level of security of personal data processed by data controllers and processors.
In the GDPR-derived model, companies must conduct a detailed analysis of the risks associated with these processes and manage these risks by establishing security measures deemed necessary and reasonable for the treatment of such risks. ETTS has successfully implemented this.
Moreover, risk analysis helps determine whether it is advisable, necessary, or mandatory to appoint a Data Protection Officer (DPO) within the company and whether it is necessary to conduct a Data Protection Impact Assessment (DPIA) for certain processes posing a high risk to individuals’ rights and freedoms.
The data protection risk management process is structured into the following phases:
- Risk Identification
- Risk Assessment
- Risk Treatment
Once a risk is identified and assessed, four possibilities for its treatment are considered:
The objective of risk treatment is to bring it to an acceptable level for the Data Controller or Processor.
If a risk is not critical enough for the Data Controller, a control measure may be to accept the risk, meaning being aware of its existence and monitoring it. Conversely, if the risk poses a significant threat to information security, the decision may be to transfer, mitigate, or avoid that risk.
Risk transfer involves making a third party responsible for managing the possibility of a negative impact (realization of the risk). Generally, risks are transferred through insurance, guarantees, and/or contracts. Mitigating a risk involves reducing the likelihood of its occurrence and/or mitigating its consequences.
Finally, avoiding a risk means eliminating the threat causing it. This can be achieved by better protecting the main objectives of personal data processing from potential negative impacts or by modifying the temporal planning or scope of data processing to prevent the risk.
This risk management must balance the costs of controlling activities, the importance of data processing for the Controller or Processor’s processes, and the level of criticality of the risk.
1.1.1 RISK MANAGEMENT AND DETERMINATION OF SECURITY MEASURES APPLICATION
Article 32 of the GDPR provides that, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, as well as the variable risks of probability and severity to the rights and freedoms of individuals, the Data Controller and Processor shall apply appropriate technical and organizational measures to ensure a level of security appropriate to the risk. With this in mind, ETTS has adopted:
- Pseudonymization and encryption of personal data.
- Measures ensuring permanent confidentiality, integrity, availability, and resilience of processing systems and services.
- The ability to restore the availability and access to personal data quickly in case of a physical or technical incident.
- Implementation of processes for regular verification, evaluation, and assessment of the effectiveness of technical and organizational measures to ensure the security of processing.
- Periodic risk assessment/analysis in processing.
For this purpose, the following classification is identified:
- Preventive Controls: actions or measures aimed at preventing and/or avoiding errors, omissions, and irregularities in the user’s interaction with the information system and paper documentation. They become the implementation of measures that allow for action prior to the materialization of the risk.
- Detective Controls: detect vulnerabilities in the system and measures applied after their occurrence.
- Corrective Controls: aimed at mitigating the consequences of the risk causes in any of the processing areas where they have occurred.
Depending on the treatment and its associated risks, specific security measures will be applied to accept, mitigate, transfer, or eliminate the risk.
The following basic measures have been proposed to address risks:
1.2 PREVENTIVE CONTROLS
SECURITY REGULATIONS FOR PERSONNEL:
- Establishment of an internal security policy, known by internal and/or external staff, allowing the knowledge and application of security measures and procedures.
- Personnel only have access to the resources and information necessary for the performance of their duties.
IDENTIFICATION AND AUTHENTICATION SYSTEMS
- Use of a username and password for access to information systems.
- Individualized and confidential access codes.
- Access to applications according to the authorized user profile.
- Periodic modification of access codes, at least once a year.
- Unintelligible storage of passwords.
MEDIA AND DOCUMENT MANAGEMENT
- Means for identifying the type of data contained in storage media.
- Labeling system.
- Inventory of media: additions and removals of media.
- Prior authorization for the removal of media and documents from the Data Controller’s premises.
- Discarded or reused media: Destruction system preventing any attempt at subsequent recovery.
- The transfer of media requires the adoption of measures preventing theft, loss, or unauthorized access.
- Labeling identifying the date of creation, destination, and type of data contained, understandable to authorized personnel.
- Distribution of media will be done by encrypting such data or using another mechanism ensuring that the information is not accessible or manipulated during transport.
BACKUP COPIES AND DATA RECOVERY
- Backup and recovery process allowing the retrieval and reconstruction of data in case of a computer system failure.
- Designation of a person or external entity responsible.
- Minimum weekly implementation.
- For the correct configuration of the backup procedure, real data is not used. If necessary, a copy of the data will be made in advance, and necessary measures will be taken not to affect the confidentiality, integrity, and security of personal data.
- A backup copy is kept in a different location from where the computer equipment processing them is located, using elements that guarantee the integrity and recovery of information, allowing its retrieval.
- In the case of special categories of data, a backup copy is maintained outside the company’s premises.
DATA PROTECTION COORDINATION
A Data Protection Coordinator has been appointed, responsible for overseeing and controlling compliance with data protection regulations.
Data transmitted through public or wireless electronic communications networks, especially those of special categories of data, are encrypted to ensure that the information is intelligible and not manipulated by third parties during transmission.
Data retention periods are established based on the category of data and its purposes. Mechanisms are also established for the deletion of data once the retention period has expired, for both electronic and paper support.
DESTRUCTION OR ERASURE AND ADOPTION OF MEASURES TO PREVENT ACCESS TO INFORMATION
Data is securely destroyed or erased, particularly when discarding equipment or media (HDD, USB devices, CDs, etc.). Before recycling or eliminating them, they are formatted, deleted, and securely destroyed, making data recovery impossible.
1.3 DETECTIVE CONTROLS
IDENTIFICATION AND AUTHENTICATION
A mechanism has been established that limits the possibility of repeatedly attempting unauthorized access to the information system.
BACKUP COPIES AND DATA RECOVERY
ETTS verifies every 6 months the proper execution, functioning, and recovery of backups.
Periodically, information systems and data processing and storage facilities undergo internal or external audits to verify compliance with regulations.
- Extraordinary audit: In case of substantial changes to the information system and in addition to Impact Assessments.
- The audit report addresses:
- Adequacy of measures and controls to the GDPR and national regulations.
- Identification of deficiencies and proposing corrective or complementary measures.
- Including data, facts, and observations on which the reached opinions are based.
- Proposed recommendations.
- Elevation of conclusions to ETTS for the adoption of the necessary measures for the implementation of improvements.
- Implemented a procedure for the notification and management of incidents affecting personal data.
- The content of the log includes:
- Type of incident.
- Moment it occurred or was detected.
- Person making the notification.
- Recipient of the communication.
- Effects resulting from the incident.
- Corrective measures applied.
- For each access to especially protected personal data in electronic media, the following is recorded:
- User identification.
- Date and time of access.
- Accessed data.
- Type of access.
- Whether it was authorized or denied. If authorized, information allowing the identification of the accessed record is stored.
- Deactivation of installed access logs is not allowed. The data contained in the log will be retained for a minimum of 2 years.
- The log is controlled by the Data Controller, their IT Manager, Data Protection Coordinator, or, if applicable, the Data Protection Officer.
- The logs and the contained information are periodically reviewed, producing the corresponding report of the reviews conducted and the issues detected.
1.4 CORRECTIVE CONTROLS
BACKUP COPIES AND DATA RECOVERY
- Procedures for data recovery guaranteeing its reconstruction in the state it was in at the time of loss or destruction.
- Procedures for data recovery are included in the Incident Log, indicating:
- Person who executed the process.
- Restored data.
- If necessary, which data needed to be manually recorded in the recovery process.
- Authorization from ETTS is required for the execution of data recovery procedures.
1.5 MEASURES APPLICABLE TO PAPER-BASED PROCESSING
The archiving of media or documents is carried out according to criteria ensuring the proper preservation of documents, location and consultation of information, as well as enabling the exercise of rights to oppose, access, rectify, and cancel.
Cabinets, file cabinets, or other elements storing paper documentation with personal data are located in areas where access is protected by doors with key-operated opening systems. The areas remain closed when access to the documents in the file is unnecessary.
When documentation with personal data is outside the storage location or is under review/processing, whether before or after archiving, the user in charge of it safeguards and prevents access by unauthorized persons at all times.
The destruction of copies or reproductions is done using a paper shredder and/or by contracting an external company responsible for these tasks, which issues a certificate accrediting the destruction.
Access to paper-based documentation is limited exclusively to authorized personnel.
Whenever physical transfer of documentation occurs, measures are taken to prevent access or manipulation of the information.