Assessment of the effectiveness of personal data protection
After a personal data protection system has been built in an IS, the effectiveness of that protection must be evaluated. First, general criteria for the assessment to be carried out are drawn up, indicating the means that will provide an impartial and meaningful analysis.
Assessment program and methodology
The program must include:
- the object being evaluated;
- the recorded sequence of activities, including the list and content of the procedures to be performed;
- final evaluation criteria.
What to check
- Complete documentation for the object.
- Analysis of the IS structure and the technical process of information processing.
- Assessment of the level of protection.
- Checking the structure of the IS against the declared documentation.
- Assessment of the organization of the workflow and the overall implementation of the security requirements.
- Security issues of the inspected object.
- Whether standard protective tools are present and how they are configured.
- Assessment of the competence of the persons responsible for the protection of personal data.
- Checking the information security knowledge of IS personnel.
- Checking access rights.
- Registration and accounting (event logging).
- Ensuring integrity.
- Antivirus protection and its databases.
- General analysis of the level of protection.
- Intrusion detection.
- Firewall and its settings.
- Level of protection of communication channels.
- Checking IS protection with a security scanner.
Based on the results of the above checks, a protocol is drawn up assessing the effectiveness of the PD protection system. It serves as the basis for the final opinion on the state of data protection.
If the IS has not passed the check for compliance with the requirements for effective protection of the processed information, proposals are developed to eliminate the shortcomings and, where possible, the shortcomings are eliminated even before the assessment procedure is completed.
11.12.2020