Asset Management
Office
The Data Protection Officer maintains a list of all devices (laptops, printers) that are available for office work, stating at least which employee is using the device and what operating system is being used.
Data centre
A list of data centre assets (physical and virtual computers with the installed software systems) will be maintained by the Operators in a repository, where this list will be updated with every change. This list will be reviewed by the Data Protection Officer every 3 months.
Cloud
A list of Cloud assets will be automatically kept by Azure per subscription. Every 3 months a copy of this list will be stored in a repository. This list will be reviewed by the Data Protection Officer every 3 months.
Physical replacement, retirement and destruction
Whenever systems or parts are replaced, retired or returned to the manufacturer as part of a warranty procedure, they should be securely wiped by using specific software to do so. USB sticks and hard drives being retired can also be terminally destructed by applying physical force before being send to a waste management facility. A report proofing the execution of the wiping software should be provided by the executing operator in the work item describing the replacement of retirement of the part. Validation is executed according to the normal validation & review procedures related to (Kanban) work items.
Malware protection
All systems, including personal systems (laptops), should have malware protection software installed with recent (less than 1-month-old) malware definitions available.
System encryption
All systems, specifically personal systems (laptops), should use encrypted disks or encrypted data storage, using at least SHA-256 or stronger encryption.