Dear Reader,

I am back after a one-day study break. Although it was needed, I found that I did very much miss my studying routine.

Continuing on the practical component of learning, today the focus is on completing a Policy Review Assessment. Going through the exercise was useful to critically think on how detailed an internal policy needs to be.

The specific standard being followed means little if there are no clear roles and responsibilities to drive the activities that will ensure compliance. For example, a Vendor Risk Assessment, who owns it, how often must it be carried out.

To strengthen this area, I am taking this a step further and devising a policy based on cybersecurity legislative requirements, namely EU GDPR (2016) and HIPAA.

EU GDPR Notes (so far!)

• Everyone has the right to the protection of data concerning him or her
• Although there is a data protection framework in place, there is flexibility for special categories of personal (sensitive) data. In sum, some data is more important than others
• Does not apply to:
  • the processing of personal data by the individual in the course of personal/household activities - correspondence, social networking and online activity.
  • prevention, investigation, detection or prosecution of criminal offences and penalties as well as the safeguarding and protection of threats to public spaces.
  • personal data of deceased persons (which has me curious on what are the data protocols in place for deceased individuals)
• There are also special provisions in place for business ranging from under 250 employees to large enterprises

Overall, I will continue to update these notes