Nowadays, virtually every company has computer equipment, applications, files, archives, projects, patents, data and stored information of diverse kinds. All these assets have an economic value that all too often is not quantified. The aim of IT security is to protect these assets using suitable techniques. Each asset should be assigned a protection level and a financial investment commensurate with its value.
Many companies have adopted digitalisation technologies to have corporate data stored, transmitted and searched quickly and cost-effectively.
Compared to a few years ago, users are able to share more information and customise the way information is used more effortlessly.
|To reach this goal, most of the software available today, including operating systems, browsers, email as well as messaging and productivity tools, need to provide a high level of interconnectivity, integration and automation.
Data has extended beyond the alphanumerical concept, as now photos, videos and sound files are stored daily and take up an increasingly amount of space on computer hard discs.
A privacy culture supported by technology and new corporate organisation is essential!
In this connection, three key questions arise:
- Can any company today afford to neglect this aspect and not have its own security plan?
- Does your company have adequate skills and resources to keep up with the continuous evolution of attack and protection technologies?
- Are security suppliers able to provide clients with global approaches and solutions as such problems demand?
To this end, recently a number of laws have been enacted nationally as well as across Europe to deal with behaviours that may damage companies and individuals. As a result, in June 2003 Act No. 196 - replacing previous Act No. 675/1996 - was issued to ensure a more consistent interpretation of European regulations . Against this background, Strale can provide a qualified consultancy service aimed at identifying all the actions that need to be taken to ensure that the processing of personal and/or sensitive data using electronic instruments or available on hard copy is consistent with the security provisions laid down by the above Act.
For this purpose, a Security Policy Document is drafted (pursuant to Art. 34, subsection 1-g of the above Act), stating the following:
- List of personal data being processed;
- Task setting within the divisions entrusted with data processing;
- Assessment of the risksaffecting such data;
- Steps to be taken to ensure data integrity and availability as well as the protection of areas and rooms used for data storage and accessibility;
- Description of disaster recovery best practices
- Training planned for the individuals entrusted with data processing with respect to (i) measures aimed at preventing harmful events; (ii) discipline on the protection of personal data considered as more significant in relation to the operations performed, (iii) liabilities arising from data processing, and (iv) updates on the required minimum measures adopted by the Data Controller. Training must be planned both when individuals first start work as well as whenever their duties change or new significant tools are introduced with regard to personal data processing;
- Description of the standards to be adopted to ensure that the required minimum security measures are taken with regard to personal data processing outsourced pursuant to law provisions;
- Policies to be adopted to encrypt or separate an individual's personal data revealing his/her health conditions and sexual behaviours from other data concerning such individual.
Information memoranda will also be prepared and submitted to the individuals concerned for acknowledgement. They will state:
- Purposes and terms underlying the processing of the data;
- Whether supplying the data is compulsory or optional;
- Consequences of refusal to reply;
- Subjects to whom the data may be disclosed and scope of disclosure;
- Name or company name and address or registered office of the Data Controller.
Strale can also provide whatever system-related support is required to set up, implement and roll out the measures as identified in the Security Policy Document.