System Owner
SB.6.008 Organizational Data Deletion
After the retention period or when the data medium is decommissioned, lost or repurposed, organisation data is deleted. End users receive sufficient warning before data is deleted.
SB.6.006 Data Exfiltration Detection and Prevention
There are measures to prevent users from downloading entire datasets. Additionally, or if these measures cannot be implemented, alerting and monitoring for users downloading large amounts of information from the service is in place.
SB.6.004 Administrator Data Access
Only data owners have access to their data. Administrators and suppliers can only access the data through a break-glass procedure that involves business sign-off and consultation with the organisation.
SB.6.003 Remote Wipe of Organizational Data
A device management system can remotely delete organisational data from devices, either when they actively make a connection or after an interval without any connection. Encrypted data whose keys have been made unrecoverable complies with this standard.
SB.5.003 Certificate Management Registration
Certificates for Transport Layer Security (TLS) are registered with at least: the service the certificate was issued for, the owning group including contact information, the expiration date and the technical details of the certificate. There is a process for requesting and revoking official certificates. Requesting and approving certificate requests are separate roles. The organisation selects approved certificate providers. Self-signed certificates are never allowed. If there is any indication that a system may be compromised, current certificates are revoked, new private keys are generated and replacement certificates are requested based on the new private key. Clients check whether certificates have been revoked as part of...
SB.5.001 Encrypted data storage
Data at rest is always stored encrypted. The organisation is responsible for the key management of the chosen encryption solution, either directly, contractually or through policies.
SB.4.002 Disaster Recovery Plan
A disaster recovery plan (DRP) exists for potential disaster scenarios that could affect the IT systems. The disaster recovery plan is reviewed at least annually. The disaster recovery plan is tested periodically.
SB.3.004 Warnings on external communication
Communication coming from outside the organisation needs to be clearly distinguishable from internal communication with warnings that the originating party is from outside the organisation. This includes electronic messages received in email programs.
SB.3.003 Technical email security
IT components send emails to end users using an email address ending in a top-level domain for which the organisation is legally responsible. Mail servers take measures to prevent the reception and transmission of spam and malicious emails. Emails should be revocable on managed servers and supported endpoints. Links in emails should be validated as non-malicious. Mail server reputation is monitored. Thresholds are determined, and actions are taken to improve the reputation if it falls below those thresholds.
SB.3.001 Encrypted connections
All data in transit is transferred over encrypted connections, using the encrypted versions of protocols or encapsulation of plaintext protocols over encrypted connections.