Measures that are suitable for preventing unauthorized individuals from accessing data processing systems with which personal data is processed or used.
Office area and data center physically and geographically separated
Measures in data center:
· Alarm system in the data center.
· Video monitoring.
· Automatic access control system using a personalized electronic key (chip card).
· Electronic logging of access.
· Physical access protection of the server through locked server cabinets.
· Certified according to ISO 27001.
Measures in the office area:
· Rules for leaving the workplace e.g., screen lock, closing documents, and the office building e.g. closing windows and doors).
· Locking the office with a key.
· Visitor policy.
2 System access control
Measures that are suitable for preventing data processing systems from being used by unauthorized individuals.
Use of VPN technology.
Hardware firewall
Intrusion detection system.
Certificate-based, user-based access control system on servers (public/private keys).
Databases are accessed with a username and password.
The stored policy requires at least 12 digits with 3 out of 4 criteria.
Number of administrator accesses reduced to the “most necessary”;
3 Data access control
Measures that ensure that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, changed or removed without authorization during processing, use and after storage.
Access is role-based.
Certificate-based, client-based access control system from app to server.
4 Separation rule
Measures to ensure that data collected for different purposes can be processed separately.
Logical separation of clients (software-based).
Separation of productive and test system.
5 Pseudonyms
The processing of personal data in such a way that the data can no longer be assigned to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organizational measures.
Internal instruction to pseudonyms personal data if possible in the event of disclosure or after the statutory deletion period has expired.
Want to print your doc? This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (