
SECURITY POLICY DOCUMENT


isaura


Presentation Transcript


  1. SECURITY POLICY DOCUMENT According to art. 34 d. lgs. 30 June 2003, n. 196

  2. Chapter I: Organizational structure and information system of the company/institution
     • (seat) The dental laboratory: (head office) location (town, street, street number)
     • (branch office): location (town, street, street number)
     • information system:
       • number of stand-alone computers
         • operating system
         • internet connection (dial-up…)
       • number of portable computers
         • operating system
         • internet connection

  3. Chapter II: List of processing operations concerning personal data
     (To whom do the data refer?)
     • Patient data (Which kinds of data are stored?)
       • personal data (any data that can be used to identify a person)
       • identification data (personal data that permit the direct identification of the data subject)
       • sensitive data (any data that disclose information about health life, disease, especially contagious disease, pregnancy)
     • Employee data
       • Personal data
       • Identification data
       • Sensitive data (health life)
     • Supplier data
       • Personal data
       • Identification data

  4. Chapter III: Distribution of tasks and responsibilities among the departments/divisions in charge of processing data
     • The person in charge of the data is the doctor, with regard to patient, employee and supplier data
     • You can identify a single employee in charge of the data

  5. Chapter IV: Analysis of the risk applying to the data
     • Physical Risks
       • Risk of entry by unauthorized person - Level: low
       • Risk of fire - Level: medium
       • Risk of flooding - Level: low

  6. Chapter IV: Analysis of the risk applying to the data (2)
     • Data Processing Risks
       • Risk of damages, loss or modification of data caused by unauthorized access to the information system - Level: low
       • Risk of damages, loss or modification of data caused by software bugs (e.g. virus, trojan horse, worm) - Level: low
       • Risk of damages, loss or modification of data caused by malfunctioning of the information system - Level: low
       • Risk of damages, loss or modification of data caused by a wrong utilization of the computer technology - Level: low
       • Risk of damages, loss or modification of data caused by power failure - Level: low

  7. Chapter V: Measures to be taken in order to ensure data integrity as well as protection of areas and premises insofar as they are relevant for the purpose of keeping and accessing such data
     • Physical Risks
       1. Risk of entry by unauthorized person:
          • Surveillance system
          • Alarm system
          • Night watchman
          • Security guard
       2. Risk of fire
          • Fire escape
          • Fire preservation system
          • Fireproof wall
       3. Risk of flooding
          • The office is on the 2nd floor

  8. Chapter V: Measures to be taken in order to ensure data integrity as well as protection of areas and premises insofar as they are relevant for the purpose of keeping and accessing such data (2)
     • Data Processing Risks
       1. Risk of damages, loss or modification of data caused by unauthorized access to the information system
          • Firewall
          • Password (that is changed every six months)
       2. Risk of damages, loss or modification of data caused by software bugs (e.g. virus, trojan horse, worm)
          • Anti-virus software (e.g. Avast professional) automatically updated through internet connection
       3. Risk of damages, loss or modification of data caused by malfunctioning of the information system
          • Periodic software updating
          • Periodic technical assistance
       4. Risk of damages, loss or modification of data caused by a wrong utilization of the computer technology
          • Password
          • Periodic computer science and data processing training of employees
       5. Risk of damages, loss or modification of data caused by power failure
          • Power generator
          • Uninterruptible Power Supply

  9. Chapter VI: Description of criteria and mechanisms to restore data availability following destruction and/or damage
     • Back-up copy
       • Frequency (e.g. monthly back-up)
       • Back-up copy diskettes are replaced every year
       • There are two back-up copy diskettes
       • Back-up copy diskettes are locked

  10. Chapter VII: Schedule of training activities concerning the persons in charge of the processing
      • Periodical training of the employees with regard to:
        • legal aspects of privacy protection;
        • tort, criminal and administrative liability for illegal processing of data
        • lawful behaviours with regard to data processing
        • technical aspects of electronic data storage

  11. Chapter VIII: Criteria to be implemented in order to ensure adoption of the minimum security measures whenever the processing operations concerning personal data are externalized
      • Personal data will be externalized to third persons:
        - For book-keeping purposes, to business consultant Mr. X
        - For dental furniture, to dental technician Mr. X
        - For other medical products, to suppliers Mr. X, Y, Z
      • The personal data externalized are only those strictly necessary to the collaborator's activity
      • The above-mentioned persons are supposed to respect the same rules implemented by the Dental Laboratory
      • The Dental Laboratory will verify observance of the privacy rules
