Guideline 50. Security and privacy of master data


The institution establishes a framework for the management of the security and privacy of the master data based on the relevant regulations.

Guideline code: ICT_06500
Mechanism
  • The master data management team and the ICT unit should implement the security and privacy framework for the master data system, including the following measures:
    • Include an inventory of master data assets, specifying the respective owners and the access rights;
    • Classify master data items according to the institutional model and applicable regulations for public, private and sensitive information;
    • Consider relevant risk scenarios for the master data systems’ security and privacy;
    • Establish policies and protocols of master data security that govern the interaction between human resources and institutional data, highlighting privacy before, during and after the termination of employment. These protocols should apply to all staff: internal, external, consultants, contractors and temporary staff.
  • Data protection regulations on master data should be enforced taking into account data exchange with other institutions.
  • The security measures should also be applied to all business applications using the master data.
Structure
  • The Master Data Stewardship Council should establish policies and responsibilities for the adoption of master data security based on the institution’s security framework and on the relevant regulations. It should highlight when laws and regulations oblige the institution to carry out data governance procedures (integrity, storage and maintenance, data protection, “right to be forgotten”, etc.).
  • The Master Data Stewardship Council should design a framework observing the master data security policies and relevant data protection regulations as well as privacy requirements generated by individual consents.
  • The framework should cover all relevant data security aspects, involving not only corporate access control and databases, but also security in networks and communications as well as physical security.
  • Management should establish roles and responsibilities for the enforcement of data security and privacy rules and regulations.
  • The defined data security and privacy framework should follow the institutional data security framework, as well as this set of Guidelines, particularly Section B.2, Data Security and Privacy, and the international standard ISO/IEC 27000.