Donnerstag, 13. Juni 2024

Technical and Organizational Measures (TOMs) - The NAIX Standard

Ray Najem

Sales Representative & Webmaster

Enhancing Data Security with Technical and Organizational Measures

As we navigate the complexities of the digital landscape, ensuring the security of data is more critical than ever. It's in every company's interest to protect data from unauthorized access of any type: digital or physical. For personal data, this necessity has led to the introduction of the General Data Protection Regulation (GDPR) across the European Union. Among its many requirements, GDPR mandates that organizations implement Technical and Organizational Measures (TOMs) to safeguard personal data.

This blog will explore what TOMs are, why they are essential, and how organizations can effectively implement them. We, as NAIX want so set a standard in what topics should be covered in every TOM document.

This blog post has been written in cooperation with Lennard Kiezewski (Internal Audit, Bertelsmann SE & Co. KGaA )

What are Technical and Organizational Measures?

Technical measures are IT-based solutions designed to protect data from unauthorized access, breaches, and other cyber threats. From our standpoint, these should include documentation and implementation of:

  • Encryption: Transforms readable data into an unreadable format unless decrypted with a secure key, significantly reducing the risk of data being compromised during transmission or storage.
  • Access Controls: Limit access to data to only those individuals who need it to perform their job functions.
  • Firewalls and Secure Server Configurations: Protect network and server integrity.
  • Validation of Data: Using strong passwords, password managers (e.g., 1Password), two-factor authentication (2FA), passkeys, and regular security updates (e.g., JAMF) for applications and operating systems.
  • Endpoint Security: Includes antivirus (e.g., Bitdefender), Endpoint Detection and Response (EDR) systems (e.g., CrowdStrike), and encryption at rest (e.g., AES 256).
  • Data Anonymization: Prevents information leakage by anonymizing data (e.g., NAIX) in the event of unauthorized access.

Organizational measures focus on policies, procedures, and training that govern the management of personal data within an organization. These measures ensure that data is handled securely and in compliance with legal requirements. We suggest, that every company should cover:

  • Data Protection Policies: Clear policies outlining how personal data should be handled and protected.
  • Employee Training: Regular training on data protection principles and practices, including confidentiality and IT security.
  • Incident Response Strategies: Formal plans to address data breaches or security incidents effectively.
  • Logging Data Processing: Central log management (e.g., SIEM systems like MS Sentinel) for tracking access to data, ensuring accurate records of data processing activities.
  • Authorization: For critical data access, requiring additional verification such as biometric checks or multi-person approval processes.
  • Transfer of Data: Enforcing secure transfer protocols such as SSL/TLS for digital data and tamper-evident bags for physical transfers.
  • Integrity of Data: Ensuring data consistency, such as verifying file types (e.g., checking MIME types for uploads).
  • Availability of Data: Protecting data from loss with redundancy measures, Uninterrupted Power Supply (UPS) systems, and regular backups and recovery plans.
  • Data Separation: Ensuring separation of different types of data, such as customer data, through multi-tenancy or using different databases and servers.
  • Regular Audits: Conducting technical audits like penetration tests (e.g., OneConsult) and vulnerability scans (e.g., Tenable) to ensure measures are in place and effective.

Importance of TOMs

The primary purpose of implementing TOMs is to protect (personal) data from loss, alteration, or unauthorized access, thereby ensuring the integrity and confidentiality of such data. This is not just a legal requirement but a critical component of building trust with customers and business partners. Cyber risks are increasing, both from internal and external sources, and the costs associated with data breaches are escalating. TOMs act as a preventive, and cost-effective measure to secure data effectively.

Implementing Effective TOMs

The first step in implementing TOMs is conducting a risk assessment to identify potential vulnerabilities within your data processing activities. Based on this assessment, appropriate technical and organizational measures can be tailored to the specific needs of the organization.

Technical Implementations:

  • Data Encryption: Employ strong encryption for data at rest and in transit.
  • Access Control: Limit access to data to only those individuals who require it to perform their job functions.
  • Regular Audits: Conduct regular security audits and vulnerability assessments to identify and mitigate risks.

Organizational Strategies:

  • Data Protection Policies: Develop clear policies outlining how personal data should be handled and protected.
  • Employee Training: Regular training on data protection principles and practices is crucial. Employees should be aware of the potential risks and how to mitigate them.
  • Incident Response: Establish a formal incident response plan to address data breaches or security incidents effectively.

Documentation and Compliance

It's essential not only to implement these measures, but also to document them thoroughly. Documentation serves as proof of compliance with GDPR requirements and is vital during audits or inspections. Organizations should maintain records of processing activities, risk assessments, and compliance checks.

Conclusion

The implementation of robust Technical and Organizational Measures is a cornerstone of GDPR compliance. By taking proactive steps to safeguard personal data, organizations not only comply with legal requirements but also enhance their reputation and build stronger relationships with stakeholders. Effective data protection is an ongoing process that requires continual improvement and adaptation to new security challenges.

In essence, TOMs are not just a regulatory obligation, but a best practice that all organizations should embrace to protect their most valuable asset—data.

Do you want a free copy of our TOMs or does your company need advisory on how to implement those measures effectively? Then reach out to us: contact@naix.de