Documenting, implementing and maintaining compliance

Generally, strong technical controls and procedures are used to help prevent information from being hacked or a system from being compromised by malware. Technical controls can be overcome by well-targeted, and sometimes simple, social engineering. There is no point in having strong software and network security and well-trained personnel if the relevant physical assets are exposed through low security awareness, poor business practices or weak physical security.

It is important to maintain a needs-based information control system across the organization. Access controls must ensure that information is not available to those who have no good reason to access it. Your strategy also needs to guard against a determined insider: background checks, security training, a culture that encourages and rewards reporting, and appropriate logging of access incidents and of the information accessed, together with periodic auditing and penetration testing, must all form part of the picture.


In this subtopic, we discuss your objectives in developing a global privacy and data protection strategy. We identify aspects of your business that should be considered, the information collected and processed and the location of that information. We describe considerations in carrying out data mapping, anticipated issues and risks and also provide guidance regarding the selection of local experts. Finally, we provide suggestions for implementing and maintaining compliance.