PNO Information Security Policy

UNDER CONSTRUCTION

Ask DPO at GDPR@PNO.group

The information security policy lays the foundation for the ‘information security’ within the entire organization of PNO Consultants. This policy document is the pivot for further development and implementation of required standards, procedures and processes.
Introduction
This document provides general policy principles on information security. These starting points have a strong normative character and reflect choices. With this document, PNO Consultants can supplement and implement its policy. The policy is based on the General Data Protection Regulation (AVG / GDPR). This document explains a considerable number of policy principles and includes security requirements and measures that apply to all processes and supporting systems throughout the organization. Part of this document is a management structure for information security, with which responsibilities for information security are assigned and information security is embedded in the regular planning and control cycle within the (quality maintenance of the) business processes.
Information security
Information security is the collective name for the processes designed to protect the reliability of organizational processes, the information systems used and the data stored therein against intentional or unintentional harm. The term ‘information security’ refers to:
• Availability / continuity: ensuring the availability of information and information processing equipment at the right time and place for the users;
• Exclusivity / confidentiality: protecting information against disclosure to, and modification by, unauthorized persons. Information is only accessible to those who are authorized to access it;
• Integrity / reliability: ensuring the correctness, completeness, timeliness and verifiability of information and information processing.
Why Information security?
Information is one of the most important assets of a financial service organization. Accessible and reliable information from clients is essential for an advisory organization, which behaves responsibly, is approachable and service-oriented, is transparent and proactively accountable to clients and achieves maximum results with available resources. Ultimately, it is about the protection of valuable information. The more valuable the information is, the more measures need to be taken.
Scope and demarcation of information security
Information security is more than ICT, computers and automation. It concerns all forms of information (analogue, digital, text, video, sound, memory, knowledge), all possible information carriers (paper, electronic, photo, film, CD, DVD, screen etc.) and all information processing systems (the software, system software, databases, hardware, associated business assets), but especially people and business processes.
Information security policy PNO Consultants
The management of PNO Consultants plays a crucial role in the execution of this information security policy. For example, the management makes an assessment of the importance of the various parts of the information provision for PNO Consultants, the risks that PNO Consultants runs and which of these risks are unacceptably high. Based on this, management sets up this information security policy, conveys this to the organization and supports and monitors its implementation.
The PNO management gives a clear direction to information security and demonstrates that it supports information security and acts involved, by issuing and maintaining an information security policy from and for the entire organization. This policy applies to the entire organization, all processes, organizational components, and supporting information systems and data (collections). PNO Consultants’ information security policy is in line with all relevant national and European laws and regulations. The following applies here:
• There is legislation that must always be met, in particular the AVG / GDPR.
• There is a standards framework that is followed as much as possible: the code for information security (NEN / ISO 27001).
• The board of directors of PNO Consultants sets the standards framework, where there is room for consideration and prioritization based on the ‘comply or explain’ principle.

The following starting points are taken from the Information Security Code:

  1. All information and information systems are critical and vital for PNO Consultants. The responsibility for information security lies with (line) management, with the management being ultimately responsible. Responsibilities for data protection and for implementing security procedures are explicitly defined.
  2. The quality of the information provision is anchored within the organization through periodic monitoring, organization-wide planning and coordination. Together with the Information Security Plan, the information security policy forms the foundation of a reliable information provision. The information security plan addresses the reliability of the information provision throughout the organization. The plan is periodically adjusted on the basis of new developments, registrations in the incident register and existing risk analyses.
  3. Information security is a continuous improvement process. ‘Plan, do, check and act’ together form the management system of information security.
  4. The Data Protection Officer (DPO) supports the organization from an independent position in monitoring and increasing the reliability of the information provision and reports on this.
  5. PNO Consultants makes the necessary people and resources available to secure its property and work processes in the manner set out in this policy.
  6. Rules and responsibilities for the security policy must be laid down and established. All employees of PNO Consultants are trained in the use of security procedures.
  7. Every employee, whether permanent or temporary, internal or external, is obliged to protect data and information systems against unauthorized access, use, change, disclosure, destruction, loss or transfer and to report any suspected violations where necessary.

    Established, after consultation with, and with the advice of, the Works Council (Article 25 paragraph 1 under h and k WOR) by the management of PNO Nederland B.V. on April 13, 2018,
    Peter Zwart, CEO of PNO Consultants

    Information Security Policy PNO Consultants
    1 Basic principles of Information security
    Coherence
    These chapters work in conjunction with the information security policy of PNO Consultants. They provide further details of the information security policy.
    The importance of information (safety)
    Information is one of the main assets of PNO Consultants. The loss of data, failure of ICT, or the unauthorized access to or manipulation of certain information can have serious consequences for business operations but also lead to reputation damage. Information security is therefore of great importance. Information security (IS) is the process that serves this interest.
    Vision
    PNO Consultants continuously strives to increase information security and further professionalize the IS-function in the organization. Reliable information provision is necessary for the proper functioning of the organization and the basis for protecting the interests and rights of employees and clients. This requires an integrated approach, good entrepreneurship and risk awareness. Every organizational unit is involved.
    The information security process is primarily focused on protecting information, but at the same time it is an essential tool for executing business processes; it enables, for example, electronic service provision in a responsible manner, as well as new, innovative ways of working. It covers the exchange of information in all forms, such as electronic, on paper and oral. It is not only about protecting privacy, but also about protecting vital contractual obligations that are supported by information. It is not just about ICT: responsible and conscious employee behavior is essential for information security.
    Goal
    The information security policy (IS-policy) is the framework for appropriate technical and organizational measures to protect and safeguard information within PNO Consultants, so that PNO Consultants complies with relevant legislation and regulations. PNO Consultants strives to be ‘in control’ and to be accountable in a professional manner. In this respect, control means that PNO Consultants knows which measures have been taken and that there is a SMART planning for the measures that have not yet been taken.
    Assumptions
    • The information security policy of PNO Consultants is in line with all relevant national and European laws and regulations, in particular the AVG / GDPR.
    • The policy is based on the code for information security (NEN / ISO 27001).
    • The IS-policy is determined by the management of PNO Consultants. The management periodically recalibrates the IS-policy.
    Risk approach
    The approach to information security (IS-policy) of PNO Consultants is ‘risk-based’. If a business process or a system needs more measures, a risk analysis is carried out. To do this, the process owner makes an inventory of the vulnerabilities of their work process and the threats that can lead to a security incident, taking into account the information protection requirements. The risk is the chance of security incidents and their impact on the work process and is determined by the process owner: risk = chance x impact.
    Target groups
    • The IS-policy is intended for all internal and external employees of PNO Consultants:
    Target group: Relevance for IS-policy
    Management: Integral responsibility, framework and implementation
    Line management (process owners): Control on information security and compliance monitoring
    Employees: Behavior and compliance
    Clients: Classification: determining protection requirements for information
    DPO officer: Daily coordination of IS
    Human resources: Labor conditions
    Facility matters: Physical access security
    ICT services: Technical security
    Auditors: Independent testing
    Compliance: Suppliers
    Scope
    • The scope of this policy includes all processes, underlying information systems, information and data from PNO Consultants and external parties (clients in particular), their use by employees in the broadest sense of the word, regardless of location, time and equipment used.
    • This IS policy is a general basis. For specific core tasks, specific (additional) security requirements may apply on the basis of legislation and regulations.
    IS-policy and architecture
    • IS is part of the information architecture of PNO Consultants and is elaborated in the IS architecture.
    • This architecture describes principles, guidelines and measures, based on the different protection levels (classification).
    2 Organisation of information safety
    2.1 Internal organisation

    Risks
    • The non-explicit allocation of responsibilities and associated activities, procedures and instruments prevents effective and structural implementation and safeguarding of the control measures.
    Goal
    Managing information security (IS) within the organization.
    A management framework has been established to initiate and manage the implementation of information security in the organization.
    Approval by the management of the information security policy, the allocation of the roles and the coordination and assessment of the implementation of the policy within the organization.
    Responsibilities
    • The management of PNO Consultants is fully responsible for the security of information within the work processes of PNO Consultants, and sets frameworks for information security (IS) on the basis of national and European laws and regulations and standards frameworks.
    • The management is responsible for setting up a framework and steering. The management controls risks, checks whether the measures taken comply with the reliability requirements and whether they offer sufficient protection, periodically evaluates policy frameworks and adjusts these where necessary.
    • The managers of PNO Consultants are responsible for the implementation of the integral security of their organizational units, steering for security awareness, business continuity and compliance with rules and guidelines, and reporting on compliance with the laws and regulations and general policy of PNO Consultants in the management reports.
    • The DPO (Data Protection Officer) carries out the management role on behalf of the management on a daily basis by preparing the decision-making of the management and supervising its implementation.
    2.2 External parties
    • IS-policy, national standards and laws and regulations also apply to external parties (suppliers, chain partners) with which PNO Consultants cooperates and exchanges information. The ‘comply or explain’ principle also applies to external parties.
    • In the case of agreements with third parties, the general terms and conditions of PNO Consultants always apply, which include confidentiality and liability. Deviations from the general conditions must be checked against IS-policy. Required security measures are additionally recorded in contracts and / or processing agreements. This guarantees, among other things, that security incidents are reported immediately and that PNO Consultants has the right to (organize a) check on agreements.
    3 Management of assets
    Responsibility for company resources
    Risks
    • Assets and information are exposed to risks such as theft, damage or injudicious use, especially where IT configuration items do not keep record of the owner / main user.
    • Uncertainty regarding who is responsible for data files and who can act in the event of incidents, resulting in doubt surrounding who is responsible for security.
    Goal
    Achieve and maintain adequate protection of corporate assets of the organization.
    The owner and the person responsible for maintaining the control measures are recorded for all operating assets.
    Control measures
    • All assets must be identified and an inventory must be maintained.
    • Assign all information and assets related to ICT facilities to an ‘owner’ (a part of the organization).
    • Establish, document and implement rules for acceptable use of information and assets related to ICT facilities.
    • Equipment, information and software of the organization may not be taken away from the location without prior permission.
    • The responsibility for specific control measures may be delegated by the owner, but the owner remains responsible for proper protection of the assets.
    • Employees must exercise due care in the use of ICT resources, social media and information and guarantee the integrity and good name of PNO Consultants.
    • Employees only use information to perform the tasks assigned to them and the purpose for which the information was provided.
    • Private use of information and files is not permitted.
    • Further rules are drawn up for working remotely and using private means.
    • The employee takes appropriate technical and organizational measures to protect information against loss or against any form of unlawful use. The employee will in any case take into account the security regulations set by PNO Consultants (including this information security policy).
    4 Safety of personnel
    Risks
    • The appointment or hiring of new staff and the commissioning of work by external employees deserves extra attention, because human failure and threats of human nature can have a significant influence on the availability, integrity and confidentiality of information.
    Goal
    To ensure that employees, hired personnel and external users understand their responsibilities and are suitable for the roles for which they are being considered and to reduce the risk of theft, fraud or misuse of facilities.
    The responsibilities with regard to security are laid down in appropriate job descriptions and in the employment conditions prior to employment.
    All candidates for an appointment, hired personnel and external users are screened, in particular for confidentiality positions.
    Employees, hired staff and external users who use ICT facilities sign an agreement about their security roles and responsibilities.
    Control measures
    • Line management is responsible for the correct handling of the security aspects when entering into, changing and terminating an employment contract or an agreement with external parties. The HR department supervises this process.
    • Upon termination of employment and hiring, all assets of the organization are returned. Authorizations are blocked on behalf of line management.
    • Line management determines which role(s) the employee must fulfill and which authorizations for consulting, entering, modifying and deleting data must be provided.
    • All employees (and, where applicable, external users of our systems) must receive training in procedures that apply to information security within PNO Consultants. This training should be repeated regularly to keep the security awareness up to standard.
    Awareness
    • The management promotes overall communication and awareness about information security.
    • Line management encourages employees (and external users of our systems) to comply with security guidelines.
    • In work meetings, attention is paid periodically to information security. Insofar as relevant, agreements are made about this.
    5 Physical safety and securing the environment
    Risks
    • Unauthorized access to critical systems or valuable information. In the absence of registration, incidents are also not traceable to individuals.
    • By, for example, the use of external parties, the supply of suppliers and other non-employees or the fact that the employees are located at several locations at a considerable distance from each other, it is relatively easy for non-employees to gain access to the premises by entering at the same time as an authorized employee.
    • If information is visible on desks, there is an increased risk regarding confidentiality.
    • No procedures for the safe removal or reuse of ICT equipment.
    • Protection of equipment, including equipment used outside the site and disposal of company property, is necessary to reduce the risk of unauthorized access to information and to protect the equipment and information against loss or damage.
    Goal
    Preventing unauthorized physical access to, damage to or disruption of the information of the organization, assets and interruption of the business activities.
    ICT facilities, which support critical or sensitive business activities, should be physically housed in secure areas, protected by restricted security areas, in a controlled environment, secured with appropriate security barriers and access security. They must be physically protected against unauthorized access, damage and malfunctions.
    Preventing loss, damage or theft of equipment and protection against physical threats and external hazards.
    Control measures
    • All offices of PNO Consultants are assigned a risk profile based on generic profiles. This is the generic risk profile that best matches the object.
    • The damage caused by external threats (such as fire, flood, explosions, riots, power interruption) is limited by appropriate preventive measures.
    • The issuance of access means is registered.
    • The quality of access equipment (doors, keys, locks, access passes) is geared to the risk profile.
    • The physical access to rooms where information or IT facilities are located is reserved for authorized personnel. Registration of the granted access supports the implementation of the access regulation.
    • Server rooms, data centers and associated cabling systems are set up in line with current ‘best practices’.
    • (Data) connections are protected against interception or damage.
    • Spare equipment and back-ups are kept in two separate locations or data centers to minimize the consequences of a calamity.
    • Data and software are removed from equipment or safely overwritten before the equipment is removed. Information is stored and destroyed in accordance with the 1995 Public Records Act and the ensuing archive decisions or in accordance with the agreements made with clients.
    6 Security of equipment and information
    Risks
    • The lack of documentation can lead to errors, non-uniform data entry, or in case the administrator / operator fails, to problems concerning continuity.
    • Improper authorizations can lead to erroneous actions, fraud and embezzlement.
    • Failure to perform and record technical and functional application tests and / or their results may lead to an increased risk of failure or data loss in certain circumstances (time pressure, holiday periods, etc.).
    • PNO Consultants will increasingly collaborate (and exchange information) with third parties. In case of management of systems and data by a third party, information from PNO Consultants may also become public. PNO Consultants remains responsible for the information security of its data when their management is partly with another party.
    • Software and IT facilities are vulnerable to viruses.
    Goal
    Guaranteeing the correct and safe utilisation of ICT facilities.
    Established responsibilities and procedures for the management and operation of all ICT facilities. This also includes the development of suitable operating instructions.
    Application, where necessary, of segregation of duties to reduce the risk of negligence or intentional misuse.
    6.1 Control measures
    Organisational aspects
    • In principle, no one person should have authorization to control an entire cycle of actions within an information system that could allow availability, integrity or confidentiality to be compromised. If necessary, an audit trail must be established of all actions and times in the process, so that transactions can be traced back. The audit trail is not accessible to the person whose actions are recorded.
    • There is a separation between management tasks and other usage tasks. Management activities are only performed when logged in as an administrator, normal user tasks only when logged in as a user.
    • In case of external hosting of data and / or services (outsourcing, cloud computing), PNO Consultants remains ultimately responsible for the reliability of outsourced services. This is bound by rules and requires good (contractual) agreements and monitoring.
    • External hosting of data and / or services is in accordance with the IS-policy.
    System planning and acceptance
    • New systems, upgrades and new versions are tested for impact and consequences and only implemented after formal acceptance and approval by the client (usually the process owner). The test and the test results are documented.
    • Systems for Development, Test and / or Acceptance (DTA) are logically separated from Production (P).
    • Facilities for development, testing, acceptance and production (DTAP) are segregated to prevent unauthorized access to or change in the production system.
    • Test accounts are used in the DTA. In principle, no testing is done with production accounts, unless it is absolutely necessary for the test.
    • Confidential or secret data from the production environment may not be used in the development, testing, training or acceptance environment unless the data has been anonymized. Nevertheless, if it is necessary to use data from production, explicit consent of the owner of the data is required and procedures must be followed to destroy the data after development and testing.
    • The use of ICT resources is monitored for the timely adaptation of the available capacity to demand.
    Technical aspects
    • All data other than classification ‘none’ is encrypted in accordance with ‘best practices’ (the state of the art), whereby the required encryption is stronger as data becomes more sensitive.
    • Data on paper is protected by proper storage and regulation for access to archive rooms.
    • When opening or writing files, these are automatically checked for viruses, trojans and other malware. Incoming and outgoing e-mails are also checked for this. The update for the detection definitions takes place in principle daily.
    • Antivirus software from various suppliers is applied at various levels within the ICT infrastructure (network components, servers, PCs).
    • All equipment connected to the network of PNO Consultants must be identifiable.
    • Mobile code is executed in a logically isolated environment to reduce the risk of compromising the integrity of the system. The ‘mobile code’ is always executed with minimal rights so that the integrity of the host system is not compromised.
    • Documents, storage media, import and export data and system documentation are protected against unauthorized disclosure, modification, deletion and destruction.
    • The (uncontrolled) copying of information is not permitted, except for back-up by authorized system management.
    • All information posted on PNO Consultants websites is protected against unauthorized modification. Only public information is published on publicly accessible websites.
    • Groups of information services, users and information systems are separated on the network so that the chance of unauthorized access to data is further reduced.
    • Depending on the risks associated with online transactions, measures are taken to prevent incomplete transfer, incorrect routing, unauthorized modification, disclosure, duplication or display.
    • The network is monitored and managed to ensure attacks, malfunctions or errors can be detected and repaired and the reliability of the network does not fall below the agreed minimum level (service levels).
    Back-up and recovery
    • By order of the owner of data, ICT makes reserve copies of all essential company data and software so that the continuity of the data processing can be guaranteed.
    • The size and frequency of the backups is in line with the importance of the data for the continuity of the service and the internal operations.
    • In chain systems, the back-up mechanism must ensure the data integrity of the information chain.
    • The back-up and recovery procedures are tested regularly (at least once a year) to determine their reliability.
    Information-exchange
    Control
    • The use of information systems, as well as exceptions and information security incidents, are recorded in log files in a manner that is consistent with the risk, and in such a way that at least all relevant legal requirements are complied with, such as in particular the processing of personal data by virtue of the AVG / GDPR.
    • Relevant things to log are:
      – type of event (such as back-up / restore, reset password, accessed space);
      – actions with special powers;
      – (attempted) unauthorized access;
      – system warnings;
      – (attempt to) change the security settings.
    • A log line contains at least:
      – a user ID or ID that can be traced back to a natural person;
      – the event;
      – where possible, the identity of the workstation or location;
      – the object on which the action was carried out;
      – the result of the action;
      – the date and time of the event.
    • In a log line, only the data necessary for reporting is stored.
    • Measures are taken to ensure that logging data remain available and cannot be changed by a user or system administrator. The retention periods are in accordance with legal requirements.
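The minimum log-line content, the data-minimisation rule and the requirement that logging data cannot be changed by a user or administrator can be checked mechanically. The following is an added Python example, not part of the PNO policy document: it validates records against the required fields and chains them with SHA-256 so that later alteration or deletion is detectable. The field names, event identifiers and sample records are constructed for illustration.

```python
"""Validator and tamper-evidence check for audit log records (added example).

Field names, event identifiers and the sample records below are constructed
for illustration; they are not prescribed by the PNO policy.
"""
import hashlib
import json
from datetime import datetime

# Fields the policy requires in every log line; workstation is "where possible".
REQUIRED_FIELDS = ("user_id", "event", "object", "result", "timestamp")
RECOMMENDED_FIELDS = ("workstation",)

# Event categories the policy names as relevant to log (constructed identifiers).
RELEVANT_EVENTS = {
    "backup", "restore", "password_reset", "room_access",
    "privileged_action", "unauthorized_access", "system_warning",
    "security_setting_change",
}

# Constructed sample records; the third one violates the policy in three ways.
SAMPLE_RECORDS = [
    {"user_id": "u1023", "event": "password_reset", "workstation": "WS-AMS-07",
     "object": "account/u1023", "result": "success",
     "timestamp": "2018-04-13T09:15:00Z"},
    {"user_id": "u0042", "event": "unauthorized_access", "workstation": "WS-AMS-12",
     "object": "share/finance", "result": "denied",
     "timestamp": "2018-04-13T09:16:30Z"},
    {"user_id": "", "event": "login", "object": "portal", "result": "success",
     "timestamp": "13/04/2018 09:17"},
]


def validate_record(rec: dict) -> list:
    """Return a list of policy violations for one record (empty means compliant)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not rec.get(field):
            problems.append(f"missing required field '{field}'")
    if rec.get("timestamp"):
        try:  # require an unambiguous ISO 8601 date and time
            datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        except ValueError:
            problems.append("timestamp is not ISO 8601")
    if rec.get("event") not in RELEVANT_EVENTS:
        problems.append(f"event '{rec.get('event')}' is not a policy-relevant event")
    # Data minimisation: only the data necessary for reporting may be stored.
    allowed = set(REQUIRED_FIELDS) | set(RECOMMENDED_FIELDS) | {"prev_hash", "hash"}
    extra = set(rec) - allowed
    if extra:
        problems.append(f"unexpected fields stored: {sorted(extra)}")
    return problems


def _digest(rec: dict, prev_hash: str) -> str:
    """SHA-256 over the previous hash and the canonical JSON of the record body."""
    body = {k: v for k, v in rec.items() if k not in ("prev_hash", "hash")}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def append_record(chain: list, rec: dict) -> dict:
    """Append rec to the chain, linking it to the hash of the previous record."""
    prev = chain[-1]["hash"] if chain else "0" * 64
    entry = dict(rec)
    entry["prev_hash"] = prev
    entry["hash"] = _digest(rec, prev)
    chain.append(entry)
    return entry


def build_chain(records) -> list:
    """Build a hash-chained log from plain records."""
    chain = []
    for rec in records:
        append_record(chain, rec)
    return chain


def verify_chain(chain: list) -> tuple:
    """Return (True, -1) if intact, else (False, index of the first broken link).

    Editing, reordering or deleting any record breaks the link at that position.
    """
    prev = "0" * 64
    for i, entry in enumerate(chain):
        if entry.get("prev_hash") != prev or entry.get("hash") != _digest(entry, prev):
            return False, i
        prev = entry["hash"]
    return True, -1


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["event"], validate_record(rec) or "compliant")
    log = build_chain(SAMPLE_RECORDS[:2])
    print("chain intact:", verify_chain(log))
    log[0]["result"] = "failed"  # simulate an administrator rewriting history
    print("after tampering:", verify_chain(log))
```

In production the chain head (the latest hash) would be written to storage the administrator cannot modify, such as a separate log server, so the chain can be anchored as well as verified.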
    6.2 Management of the services provided by a third party
    Risks
    • PNO Consultants is increasingly working together with third parties. In the case of full or partial management of systems and data by a third party, information from PNO Consultants will need to be closely monitored. PNO Consultants remains responsible for the information security of its data when the management is wholly or partially with another party.
    Goal
    Implement and maintain an appropriate level of information security and record this in (processing) agreements and / or covenants.
    The organization checks the implementation of the measures, which are laid down in agreements, monitors the compliance with the agreements and manages changes to ensure that the security meets all the requirements that have been agreed with the third party.
    Control measures
    • The security measures, definitions of services and levels of service as laid down in the (processing) agreement for services by a third party are implemented and executed.
    • The services, reports and records, which are supplied by the third party, are checked and assessed and periodic audits are carried out.
    • Changes in the services provided by third parties, for example in existing policies, procedures and measures for information security, are managed.
    Assumptions
    • In the basic SLA for services, attention is paid to information security.
    • There is a basic contract for access to the ICT facilities and / or the provision of information (files, data) by third parties in which there are frameworks for access to ICT facilities by third parties. In contract management, application management and functional management compliance with the agreements made is included.
    6.3 Treatment of media
    Risks
    • Removable media may contain information that may fall into unauthorized hands due to misuse, loss or theft.
    Goal
    Preventing unauthorized disclosure, modification, deletion or destruction of information and assets.
    Media is controlled and physically protected.
    Established procedures to protect documents, storage media (e.g. USB sticks, backup tapes and disks), import and export data and system documentation against unauthorized disclosure, modification, deletion and destruction.
    Control measures
    • Procedures should be established for the management of removable media.
    • Procedures should be established for safely removing media when it is no longer needed.
    • System documentation must be protected against unauthorized access.
    Assumptions
    • There are procedures for the management of removable media and for the safe removal or reuse of ICT equipment.
    • Hard disks and other media are adequately erased or destroyed on disposal or reuse. This applies in any case if confidential information is stored on them and / or licensed software is installed.
    • There are guidelines for storing paper and computer media in any case for both sensitive or critical company information.
    • Collection policy for mobile devices, such as laptops, PDAs, iPads, for when these are no longer used.
    • Encryption of confidential information.
    6.4 Exchange of information
    Risks
    • Loss or theft of laptops, USB sticks, iPads and the like, whereby in principle information may end up in the wrong hands.
    Control measures
    • Establish formal policies, formal procedures and formal control measures to protect the exchange of information through the use of all types of communication facilities.
    • Establishing agreements for the exchange of information and software between the organization of PNO Consultants and external parties.
    • Protection measures for media that contain information against unauthorized access, misuse or corruption during transport outside the physical boundaries of the organization.
    • Protection of information, which plays a role in the electronic exchange of messages.
    Goal
    Maintain security of information and software, which is exchanged within an organization and with any external entity.
    A formal exchange policy with regards to the exchange of information and software between organizations, which is in line with the exchange agreements and relevant legislation.
    Established procedures and standards to protect information and physical media that contain information.
    Assumptions
    • The transport of backups and the ways in which suppliers can gain access to the network are formally arranged.
    • A basic framework with preconditions for data exchange with third parties.
    • Sensitive information is never disclosed via telephone or fax, because of the risk of eavesdropping.
    • Awareness and social control to reduce the risk of information leakage via telephone and the like.
    7 Logical access security
    The identity of a user who has access to information from PNO Consultants must be established. Logical access is based on the classification of the information.
    Risks
    • When access control is not explicitly based on a risk analysis, it is not clear whether the correct level of security is used.
    • Disruptions due to incorrect use of IT rooms or ICT components (in other words where ICT teams do not have access).
    Goal
    Controlling access to information, IT facilities and business processes on the basis of business needs and security requirements.
    Policy regarding information dissemination and authorization applies.
    Assumptions
    • The owner of the data is authorized to grant access.
    • As a rule, no ‘general’ identities are used. For traceability and transparency it is necessary to know who has performed a particular action.
    • Where possible, PNO Consultants uses existing (national) facilities for authentication, authorization and information security (such as: DigiD and eHerkenning for the Netherlands).
    7.1 Authentication and authorization
    • Passwords are assigned for a limited period (3 to a maximum of 6 months). Passwords must meet requirements that are enforced by the system. For employees with special powers (system and functional managers) stricter requirements apply.
    • The user is responsible for keeping their password secret.
    • Authentication tools such as passwords are protected against unauthorized access and modification during transport and storage (through encryption).
    • Authorization is role-based. Authorizations are granted via function(s) and organization components.
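A check a security officer could run over an account export to test the statements in sections 7 and 7.1 (added example, not part of the PNO policy document; the day limits, minimum lengths, character-class rule, generic-name list and sample accounts are assumptions):

```python
import re
from dataclasses import dataclass
from datetime import date

# Assumed readings of 7.1: the policy gives 3 to 6 months and says only that privileged accounts get stricter rules.
MAX_AGE_DAYS = {"user": 180, "privileged": 90}
MIN_LENGTH = {"user": 12, "privileged": 16}
# Section 7: no 'general' identities, so that actions remain traceable to one person.
GENERIC_NAMES = {"admin", "administrator", "root", "service", "shared", "test", "guest"}

@dataclass
class Account:
    username: str
    privileged: bool
    password_set_on: date
    roles: tuple = ()          # authorizations granted via function/role (7.1)
    direct_grants: tuple = ()  # rights assigned outside the role model

def password_meets_requirements(password: str, privileged: bool) -> bool:
    """Complexity rule assumed here: minimum length plus 3 of 4 character classes."""
    kind = "privileged" if privileged else "user"
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    return len(password) >= MIN_LENGTH[kind] and classes >= 3

def audit_account(acct: Account, today: date) -> list:
    """Return the policy findings for one account; an empty list means compliant."""
    kind = "privileged" if acct.privileged else "user"
    findings = []
    age = (today - acct.password_set_on).days
    if age > MAX_AGE_DAYS[kind]:
        findings.append(f"password age {age}d exceeds the {MAX_AGE_DAYS[kind]}d limit")
    if acct.username.lower() in GENERIC_NAMES:
        findings.append("general identity: actions cannot be traced to one person")
    if acct.direct_grants:
        findings.append(f"rights granted outside roles: {', '.join(acct.direct_grants)}")
    return findings

def audit(accounts, today: date) -> dict:
    """Map each non-compliant username to its findings."""
    return {a.username: f for a in accounts if (f := audit_account(a, today))}

# Constructed sample directory export (not real PNO accounts).
AUDIT_DATE = date(2024, 6, 1)
SAMPLE = [
    Account("j.jansen", False, date(2024, 1, 10), roles=("consultant",)),
    Account("m.devries", True, date(2024, 2, 1), roles=("sysadmin",)),
    Account("shared", False, date(2024, 5, 1), direct_grants=("finance-share:rw",)),
]
if __name__ == "__main__":
    print(audit(SAMPLE, AUDIT_DATE))
```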
    7.2 External access
    • The management can grant an external party access to the network of PNO Consultants. A procedure must be drawn up and followed for this. External parties cannot connect to the private network of PNO Consultants on their own initiative, unless explicitly agreed.
    • The external party is responsible for authentication and authorization of its own employees. PNO Consultants has the right to monitor this and does so on the basis of the audit trail and internal logging.
    7.3 Mobile and working from home
    • A home work environment is available for working remotely. Access to confidential information is granted on the basis of multifactor authentication.
    • Unmanaged equipment (private devices or the ‘open laptop’) can use wireless access points (WiFi). These are logically separated from the company network of PNO Consultants.
    • Mobile business applications are preferably offered in such a way that no information from PNO Consultants is stored on the mobile device (zero footprint). Information from PNO Consultants must be encrypted during transport and storage.
    • Facilities such as webmail, as well as social network and cloud services (Dropbox, Gmail, etc.), are not suitable for sharing confidential and secret information because of their low level of protection (usually only a username and password, and no encryption).
    7.4 Other measures
    • The physical (wired) network is not accessible to unmanaged equipment.
    • The network of PNO Consultants is segmented where possible (departments, users and systems are logically separated). Access control lists (ACLs) are implemented between segments with different protection levels.
    7.5 Security of information systems (software)
    Goal
    Ensure that security is an integral part of information systems.
    7.5.1. Organisational aspects
    • Testing against the information security policy is part of the review of projects with an ICT component and of the project start architecture and project end architecture (PSA and PEA).
    • Projects with a high risk profile fall under the supervision of ICT. Testing on architecture and information security is part of this.
    • Project mandates are accompanied by advice on information security.
    • Relevant security requirements are also included in the program of requirements for new information systems or expansions of existing information systems.
    7.5.2. Software development and maintenance
    • Applications are developed and tested using national guidelines for security, such as guidelines for web application security. At a minimum, they are tested for the known vulnerability classes listed in the OWASP Top 10.
    • Web applications are tested for input handling (boundary values, format, inconsistency, SQL injection, cross-site scripting, etc.) before commissioning.
    • The output functions of programs make it possible to determine the completeness and correctness of the data (e.g. through checksums).
    • Only data that is necessary for the user is used (purpose limitation), taking into account security requirements (classification).
    • Access to the source code is limited to the employees who maintain or install this code.
    • Technical vulnerabilities are repaired regularly, at least 4 times per year by patching software, or ad hoc in the event of an acute threat. The software to be used is partly determined by the risks.
    7.5.3. Encryption
    • Internal data traffic (‘machine to machine’) is protected with certificates, according to its classification.
    • Security certificates are centrally managed within PNO Consultants.
    8 Security incidents
    Risks
    • If incidents are not registered, it is not clear where and when incidents occur or have occurred. In this way, no lessons can be learned from these incidents to prevent them in the future or to implement better preventive measures.
    Goal
    Ensure that information security events and weaknesses relating to information systems are made known in such a way that timely corrective action can be taken.
    Formal procedures for reporting events and escalation. All employees, hired personnel and external users are aware of these procedures for reporting the different types of events and vulnerabilities that may affect the security of the assets.
    A mandatory reporting system is in place to report all information security events and weak spots as quickly as possible to the designated contact person.
    8.1 Notification and registration
    • The employee must immediately report any known or suspected security breaches and security incidents to the DPO of PNO Consultants.
    • Security incidents that are reported to the service desk are registered as such and submitted to the DPO of PNO Consultants. The regular reporting and escalation line applies to their handling.
    • Depending on the severity of an incident, there is a duty to report to the Dutch Data Protection Authority.
    8.2 Alarm phases
    • In case of major incidents, action is taken and scaled up in accordance with the ICT crisis management scenarios.
    9 Business continuity
    Risks
    • When there is little or no implementation of the continuity planning, in addition to a false sense of security, there is also a high risk of ad hoc measures when an emergency occurs.
    • The loss of employees (illness, death, dismissal) can be a real threat.
    Goal
    Prevent interruption of business activities and protect critical business processes against the consequences of major disruptions in information systems and bring about timely recovery.
    An adequate management process for business continuity limits the impact of the loss of information on the organization and brings about its recovery to an acceptable level.
    Information security is an integral part of the total business continuity process and other management processes within the organization.
    Policy starting point
    There are continuity / contingency plans for the most important processes and systems that are realized through a management process.
    Continuity plans must be regularly tested and kept up-to-date.
    10 Compliance
    Prevent violation of any laws, regulations and / or security requirements.
    10.1 Organizational aspects
    • Improving the quality of information security is a continuous process and part of all business processes of PNO Consultants that work with sensitive information. Information security is a quality characteristic of the primary process, on which the management of each department steers. The quality is measured on the basis of:
  • the extent to which a full set of measures has been implemented, based on established policy;
  • the efficiency and effectiveness of the implemented measures;
  • the extent to which information security supports the achievement of the strategic objectives.
    • A security documentation file is created and maintained. This file contains all relevant mandatory and non-mandatory documents with which it can be demonstrated that the specific security requirements have been met.
    10.2 (Legal) frameworks
    • Specific information about relevant laws and regulations can be provided by the Legal Department of PNO Consultants. For example, the use of personal data is regulated by the AVG / GDPR.
    • For each type of registration, the retention period, the storage medium and any destruction are determined in accordance with law, regulations, contractual obligations and business requirements. The choice of the storage medium takes into account the storage period, deterioration of the quality of the medium over time and the continuous availability of tools (such as hardware and software) to consult and process the data.
    • When software is developed (in-house or commissioned) and installed, care is taken to ensure that the intellectual property rights that rest on it are not violated.
    10.3 General Data Protection Regulation (AVG / GDPR)
    • The AVG regulates the processing of personal data.
    • Personal data
    Personal data is all data on the basis of which a person can be identified. A person is identifiable if they can be identified from the data without special effort. Personal data includes name and address details, e-mail addresses, passport photos, fingerprints and IP addresses, as well as data that expresses an assessment of a person, for example someone’s IQ.
    • When is there processing of personal data?
    Processing means any action with regards to personal data. Examples of processing under the law include: collecting, recording, organizing, storing, updating, modifying, retrieving, consulting, using, distributing or otherwise making available, bringing together, shielding, erasing and destroying data.
    From this list it is apparent that the processing of personal data is quickly at issue. In fact, everything that one does with personal data falls under the processing of personal data.
    • General rules for processing personal data
    The main rule is that personal data is only processed in accordance with the law and in a proper and careful manner. In addition, personal data may only be collected if a precise purpose description is given. Moreover, the law stipulates that personal data may only be processed to the extent that it is adequate, relevant and not excessive.
    • Conditions for processing personal data: justifications
    In addition to the abovementioned general rules, the law requires that for each processing of personal data at least one of the justifications mentioned in the law must apply. The law provides the following justifications:
  • Consent
    The data subject (the person whose data is processed) has given their unambiguous consent to the processing. This explicit consent is also referred to as informed consent.
    The processing of personal data of a child younger than 13 years requires the consent of a parent or legal representative. An organization must make a reasonable effort to verify that consent.
  • Performance of a contract
    The data processing is necessary for the performance of a contract to which the data subject is a party.
  • Legal obligation
    The data processing is necessary to fulfill a legal obligation.
  • Vital interest
    Data processing is necessary to combat a serious threat to the health of the person concerned.
  • Public law task
    The processing of data is necessary to serve a legitimate interest of the party that processes the data (or of a third party to whom the data is provided). This means that the party that processes the data must weigh its own interest against the interests and rights of the data subject. It must also check in advance whether the same result cannot be achieved with less data.
    Processing register
    • Every processing of personal data must be recorded in a processing register. The register must include:
  • name and contact details of the controller;
  • which personal data is being processed and for what purpose;
  • from whom the personal data has been obtained;
  • where the data is located and how the protection of the data is guaranteed;
  • whether there is a transfer of personal data to third parties;
  • whether there is processing of personal data on behalf of the controller by an external party.
    • Privacy Impact Assessment (PIA)
    If it is likely that a new processing of personal data involves high risks, a data protection impact assessment (PIA) must be drawn up. This is particularly the case if new technologies are used to process the personal data and if there is large-scale processing of personal data. If there is systematic processing of personal data, based on automated processing and / or processing of particularly sensitive personal data, a PIA must also be performed. A PIA must contain a description of the processing of the personal data and the purpose thereof. An assessment of the necessity and proportionality of the processing must also take place, as well as a risk inventory and a description of the measures that must be taken to deal with the risks.
    • Reporting obligation for data breaches (data leaks)
    A data breach can be caused by security problems: a lost USB stick, a stolen laptop, a break-in into a data file, a fire in a data center, etc. As a result, personal data may fall into the hands of third parties who should not have access to it. Even if a data breach relates to the data of only one person, it must immediately be reported to the DPO and/or the management.