
GDPR And Privacy By design Consultancy



General Data Protection Regulation consulting practices and approaches, with a ready-made checklist for application/IT privacy by design.

Published in: Law


SourcetekIT – School Bid, Privileged and Confidential, Page 1 of 87

DAN GRIBBLE, SOURCETEKIT | 365 Healey Rd, Suite 20, Bolton, ON L7E 5C1
Response to RFP – GDPR School
KIND ATTN: JASON EDGMON
Confidentiality Agreement

This document is confidential and may not be copied without the permission of EnrollHostel. This document contains information proprietary to EnrollHostel. Transmittal, receipt or possession of this document does not express license or imply rights to use, sell, design, develop or have developed products or services from this information. No reproduction, publication or disclosure of this information in whole or in part, electronic or otherwise, shall be made without prior written authorization from a signing officer of EnrollHostel. Authorized transfer of this document from the custody and control of EnrollHostel constitutes a loan for limited purposes, and this document must be returned to EnrollHostel upon request, and in all events upon the conclusion of the loan.

Copyright 2018 EnrollHostel, 365 Healey Road, Suite 20, Caledon, ON L7E 5C1
To: Jason Edgmon, Senior Director of IT Infrastructure & Operations, Pharmaceutical Research and Manufacturers of America, jedgmon@School.org

Dear Jason,

EnrollHostel thanks Pharmaceutical Research and Manufacturers of America (School) for providing the opportunity to respond to this RFP for the provisioning of one single team that combines IT, Network and Security operations for their Network & IT infrastructure. Value is found in knowledge. EnrollHostel is renowned for its expertise in Asset Management and Infrastructure management through its state-of-the-art NOC and SOC. A Professional Services company specializing in large-scale urban infrastructure engagements, EnrollHostel lends its expertise to leading Value-added re-sellers and construction companies from the design phase through final testing throughout hospitals in North America. EnrollHostel understands that engineering and technical prowess within its organization is of prime importance at a time when our society demands data to be integrated, automated and secured. Our Managed IT Services offering is something we’re intimately familiar with and have deployed numerous times over the last year in environments comparable to your prescribed size and scope. EnrollHostel’s Managed IT solution services ensure that our clients’ applications are managed and operated on a 24x7 basis, ensuring both security and high performance. Our services allow clients to benefit from scalable project operations and cross-functional/discipline knowledge sharing between teams, enabling EnrollHostel to provide best-in-class Managed IT services.
A partnership with EnrollHostel will ensure that this experience and qualification is leveraged to:
- Mitigate transitional risk
- Provide best-in-class quality services at significantly lower costs
- Quickly construct a team of experienced and knowledgeable personnel for onsite/offshore based delivery, thereby assuring excellence in operations

EnrollHostel follows a managed service approach, based on ITIL best practices, that provides a set of process frameworks and flexible governance models that transform support services: improving productivity, achieving higher operational efficiency and increasing cost predictability. Adopting a multi-phased approach from transition to continual improvement, the managed service model provides:
- Scalability and resource efficiency
- Less client involvement in routine operational tasks
- Predictability in delivery through experience and understanding of the application environment
- Resource utilization and shift workload balancing
- Service Level Agreement (SLA) driven metrics
- Total quality management through well-defined processes and ITIL best practices
EnrollHostel understands School’s key objective to partner with an MSP that can demonstrate how their value-added services will provide critical helpdesk, security, network engineering, business continuity, and disaster recovery capabilities in a cost-effective manner while providing superior customer service to our users in a 24x7x365 environment. In partnering with EnrollHostel over other “large” IT Consulting Firms, School will benefit by leveraging our:
- Proven past performances of successfully deploying end-to-end managed IT services to many similar-scale organizations
- 10+ years of proven experience in collaboration, security and Infrastructure management
- Agile and dynamic business model that quickly adapts to customer needs and environment (value proposition: lower cost; maximize process efficiency)
- Process-oriented, result-driven methodology focused on maximizing business value (value proposition: process standardization and consolidation)
- Thought leadership and unparalleled technology “know-how” (value proposition: lower cost; maximize process efficiency; fast and safe technology implementation)
- Focused on customer satisfaction (value proposition: maximize process efficiency; enable customers to do more)
- High priority on Quality and Operational Excellence (value proposition: maximize brand value; increase revenue)

Best Regards,
Dan Gribble, VP-Sales, EnrollHostel
dgribble@EnrollHostel.com, (412) 418 3159
TABLE OF CONTENTS

1 PART I – GENERAL INFORMATION  7
1.1 EXECUTIVE SUMMARY  7
1.2 SCOPE OF SERVICES  7
1.3 EXCEPTIONS TO RFP REQUIREMENTS  18
2 PART II – DESCRIPTION OF SERVICES  19
2.1 AUDITING/ASSESSING IT SERVICES COMPLIANCE  19
2.1.1 COMPLIANCE AUDIT/ASSESSMENT METHODOLOGY  19
2.1.2 GDPR What has Changed?  22
2.1.3 GDPR Governance Framework  22
2.1.4  23
2.1.5 EnrollHostel Audit Knowledge Repository  24
2.1.6 Audit Plan  27
2.1.7 Compliance Dashboards  1
2.1.8 VULNERABILITY TESTING  5
2.2 EXECUTION PLAN  6
2.2.1 SERVICE DELIVERY APPROACH  6
2.2.2 INCEPTION  8
2.2.3 KNOWLEDGE TRANSFER  8
2.2.4 STEADY STATE OPERATIONS  10
2.2.5 AUDIT STRATEGY  11
2.3 ACCOUNT MANAGEMENT & TECHNOLOGY TEAM STRUCTURE  13
2.3.1 AUDIT ACCOUNT MANAGEMENT  13
2.3.2 PROJECT TEAM STRUCTURE  15
2.3.2.1 TEAM STRUCTURE  15
2.3.2.2 TEAM ROLES & RESPONSIBILITIES  16
3 PART III – REFERENCES & ENROLLHOSTEL CAPABILITIES  18
3.1 CASE STUDIES  18
3.1.1 CASE STUDY 1  19
3.1.2 CASE STUDY 2  19
3.1.3 CASE STUDY 3  20
3.2 ENROLLHOSTEL | CAPABILITY  21
3.2.1 PROGRAM GOVERNANCE  22
3.2.2 CONTINUAL SERVICE IMPROVEMENT (CSI)  22
3.2.3 KNOWLEDGE MANAGEMENT  22
3.2.4 TEAM COMPETENCY AND SKILLS ENHANCEMENTS  23
3.3 ENROLLHOSTEL | PROJECT MANAGEMENT PROCESS  23
3.3.1 REPORTING METRICS  24
3.3.2 ESCALATION HANDLING  25
3.3.3 COMMUNICATION PLAN  25
3.3.4 RISK MANAGEMENT PLAN  26
3.3.5 CHANGE MANAGEMENT PROCEDURE  26
3.4 ENROLLHOSTEL | COMPLIMENTARY VALUE ADDED SERVICES  28
3.5 ENROLLHOSTEL | DIFFERENTIATORS  28
3.5.1 CYBERSECURITY SERVICES  30
3.5.1.1 Penetration Testing  30
3.5.1.2 Corporate Trainings - Cybersecurity  31
3.5.1.3 Email Security and Office 365 Integration  32
3.5.1.4 Cyber-Forensics  33
3.5.1.5 Social Engineering  34
3.5.2 SECURITY ASSESSMENT AND COMPLIANCE  35
3.5.3 SECURITY OPERATIONS CENTER  37
4 PART IV – PROJECT COST  40
4.1 FIXED PRICE  40
4.2 RATE CARD FOR ADDITIONAL WORK  40
4.2.1 ADDITIONAL INITIATIVES  40
4.3 ASSUMPTIONS  41
4.3.1 USER COUNT AND DEMOGRAPHIC  42
4.3.2 ON-PREMISE & HOSTED ENVIRONMENT
4.3.2.1 Desktops/Laptops  42
4.3.2.2 On-Premise Network  42
4.3.2.3 Hosted Cloud Environment  42
4.3.2.4 Legacy Business Applications  42
4.3.2.5 Third Party Vendors  42
1 PART I – GENERAL INFORMATION

1.1 EXECUTIVE SUMMARY

EnrollHostel is pleased to provide this proposal for assessing/auditing compliance to GDPR for School students from Spain [Europe]. EnrollHostel understands the importance of the services School provides to students. EnrollHostel brings to this engagement a significant advantage in the education sector, in terms of technology expertise, security, operations architecture, strategy and advisory skills, process maturity and a consistent and reliable track record of providing operational and infrastructure support across multiple technologies. EnrollHostel also sets out the advantages it brings on board as compared to other MSPs.

1.2 SCOPE OF SERVICES

EnrollHostel understands that School is looking for the following GDPR compliance services. Below is EnrollHostel’s compliance to the scope of services detailed by School in their RFP document. Our proposed solution is detailed in Section PART II – DESCRIPTION OF SERVICES.

GDPR to ISO27k mapping (columns: GDPR Article, Outline/summary, ISO27k Control, Notes)

Article 1
Outline/summary: GDPR concerns the protection and free movement of “personal data”, defined in article 4 as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
ISO27k control: A.18.1.4 etc.
Notes: The ISO27k standards concern information r information security controls mitigating una information. In the context of GDPR, privac personal information, particularly sensitive specifically mention compliance obligations of personal info (more formally known as Pe in some countries) in control A.18.1.4.

Article 2
Outline/summary: GDPR concerns “the processing of personal data wholly or partly by automated means ....” (essentially, IT systems, apps and networks) and in a business or corporate/organizational context (private home uses are not in scope).
ISO27k control: Many
Notes: ISO27k concerns information in general, not networks. It is a broad framework, built aro systematically addresses information risks a organization as a whole, including but going aspects.

Article 3
Outline/summary: GDPR concerns personal data for people in the European Union whether it is processed in the EU or elsewhere.
ISO27k control: A.18.1.4 etc.
Notes: ISO27k is global in scope. Any organization European Union may fall under GDPR, espec info.
Article 4
Outline/summary: GDPR privacy-related terms are formally defined here.
ISO27k control: 3
Notes: ISO/IEC 27000 defines most ISO27k terms in organizations have their own glossaries in th definitions do not conflict with GDPR.

Chapter I General provisions (Articles 1–4)

Article 5
Outline/summary: Personal data must be: (a) processed lawfully, fairly and transparently; (b) collected for specified, explicit and legitimate purposes only; (c) adequate, relevant and limited; (d) accurate; (e) kept no longer than needed; (f) processed securely to ensure its integrity and confidentiality. [This is the latest incarnation of the original OECD principles published way back in 1980 <tips hat>.] The “controller” is accountable for all that.
ISO27k control: 6.1.2, A.8.1.1, A.8.2, A.8.3, A.9.1.1, A.9.4.1, A.10, A.13.2, A.14.1.1, A.15, A.17, A.18 ... in fact almost all! 5, A.6.1.1
Notes: Business processes plus apps, systems and n personal information, requiring a comprehe physical and other controls … starting with a information risks. See also ‘privacy by desig In order to satisfy these requirements, orga info is, classify it and apply appropriate mea Although not stated as such, accountability ‘Leadership’ section of ISO/IEC 27001.

Article 6
Outline/summary: Lawful processing must: (a) be consented to by the subject for the stated purpose; (b) be required by a contract; (c) be necessary for other compliance reasons; (d) be necessary to protect someone’s vital interests; (e) be required for public interest or an official authority; and/or (f) be limited if the subject is a child. Note: there are several detailed and explicit requirements concerning lawful processing - see GDPR! Note also that EU member states may impose additional rules.
ISO27k control: 6.1.2, A.14.1.1, A.18.1.1 etc.
Notes: This should also be covered in the assessmen It will influence the design of business proce (e.g. it may be necessary to determine some and use their personal info). These are busi personal information: many security contro unacceptable information risks that cannot data) or shared (e.g. relying on some other p - a risk in its own right!).
Article 7
Outline/summary: The data subject’s consent must be informed, freely given and they can withdraw it easily at any time.
ISO27k control: A.8.2.3, A.12.1.1, A.13.2.4?, A.18.1.3, 6.1.2, A.14.1.1, A.8.3.2, A.13.2 etc.
Notes: There is a requirement to request informed stop!) and to be able to demonstrate this. P and records demonstrating the consent mus Withdrawal of consent implies the capabilit info, perhaps during its processing and may business processes to check and handle req

Article 8
Outline/summary: Special restrictions apply to consent by/for children.
ISO27k control: See Article 7
Notes: These special restrictions apply primarily at getting a parent’s consent).

Article 9
Outline/summary: Special restrictions apply to particularly sensitive data concerning a person’s race, political opinions, religion, sexuality, genetic info and other biometrics etc. Processing of such info is prohibited by default unless consent is given and processing is necessary (as defined in the Article).
ISO27k control: A.8.2.1, A.8.2.3, A.14.1.1
Notes: See 7 above. It is important to identify wher whether that is ‘necessary’ in fact, and to ob considered in the design of systems, apps an

Article 10
Outline/summary: Special restrictions also apply to personal data concerning criminal convictions and offenses.
ISO27k control: A.7.1, A.8.2.1, A.8.2.3, 6.1.2, A.14.1.1, A.7.1 etc.
Notes: Any use of this information should be ident circumstances. Such information should pre authorities … but may be needed for backgr etc.

Article 11
Outline/summary: Some restrictions don’t apply if a person cannot be identified from the data held.
ISO27k control: A.8.2.1, A.8.2.3, 6.1.2, A.14.1.1 etc.
Notes: Avoiding information risks (by NOT knowing where feasible: does the business really nee aggregate info/statistics suffice?

Chapter III Rights of the data subject

Article 12
Outline/summary: Communications with data subjects must be transparent, clear and easily understood.
ISO27k control: A.12.1.1, A.14.1.1, A.16 etc.
Notes: See above. This affects the wording of web etc. plus the processes. It may also be relev i.e. mechanisms allowing people to enquire personal information (implying a means to i responding promptly, and for keeping recor for excessive requests)
Article 13
Outline/summary: When personal data are collected, people must be given (or already possess) several specific items of information such as details of the data “controller” and “data protection officer”, whether their info will be exported (especially outside the EU), how long the info will be held, their rights and how to enquire/complain etc.
ISO27k control: A.8.2.1, A.8.2.3, A.12.1.1, A.14.1.1, A.16 etc.
Notes: Procedures for the provision of fair processi controller and purposes for processing the d implemented. This relies in part on identifyi

Article 14
Outline/summary: Similar notification requirements to Article 13 apply if personal info is obtained indirectly (e.g. a commercial mailing list?): people must be informed within a month and on the first communication with them.
ISO27k control: A.8.2.1, A.8.2.3, A.12.1.1, A.14.1, A.16 etc.
Notes: See Article 13.

Article 15
Outline/summary: People have the right to find out whether the organization holds their personal info, what it is being used for, to whom it may be disclosed etc., and be informed of the right to complain, get it corrected, insist on it being erased etc. People have rights to obtain a copy of their personal information.
ISO27k control: A.8.1.1, A.8.2.1, A.12.1.1, A.13.2.1, A.14.1.1 etc.
Notes: Subject rights include being able to obtain a the need for identification and authenticati disclosing the nature of processing e.g. the l ‘profiling’, and info about the controls if the backup and archive copies. See also Article 7

Article 16
Outline/summary: People have the right to get their personal info corrected, completed, clarified etc.
ISO27k control: A.12.1.1, A.14.1, A.9, A.16?, A.12.3, A.18.1.3
Notes: Implies functional requirements to check, ed controls concerning identification, authenti also affect backup and archive copies.

Article 17
Outline/summary: People have a right to be forgotten i.e. to have their personal info erased and no longer used.
ISO27k control: 6.1.2, A.14.1.1, A.9, A.16, A.12.3, A.8.3.2
Notes: This is a form of withdrawing consent (see A functional requirements to be able to erase controls concerning identification, authenti also affect backup and archive copies.

Article 18
Outline/summary: People have a right to restrict processing of their personal info.
ISO27k control: 6.1.2, A.8.2.1, A.8.2.3, A.12.1.1, A.14.1.1, A.16, A.12.3
Notes: See Articles 7, 12 etc. May need ways to identify the specific data new handling / processing rules. Note it ma
(Article 18, continued from previous page) ISO27k control: A.18.1.1

Article 19
Outline/summary: People have a right to know the outcome of requests to have their personal info corrected, completed, erased, restricted etc.
ISO27k control: A.12.1.1, 6.1.2, A.14.1.1, A.16 etc.
Notes: Informing/updating the originator is a conve management process, but there may be a se for privacy complaints, requests etc. since th employees/insiders.

Article 20
Outline/summary: People have a right to obtain a usable ‘portable’ electronic copy of their personal data to pass to a different controller.
ISO27k control: 6.1.2, A.13, A.14.1.1, A.8.3, A.10, A.18.1.3 etc.
Notes: Depending on your organisation’s purpose, in practice (low risk) that it may best be han automated IT system functions. Note that t the identified and authenticated person/s c securely, probably encrypted. It may also im confirming this (Articles 17, 18 and 19).

Article 21
Outline/summary: People have a right to object to their information being used for profiling and marketing purposes.
ISO27k control: 6.1.2, A.12.1.1, A.14.1.1, A.16, A.12.3 etc.
Notes: See article 18. May need ways to identify the specific data implement new handling / processing rules.

Article 22
Outline/summary: People have a right to insist that key decisions arising from automatic processing of their personal info are manually reviewed/reconsidered.
ISO27k control: 6.1.2, A.12.1.1, A.14.1.1, A.16
Notes: Profiling and decision support systems invo review and overrides, with the appropriate controls etc.

Article 23
Outline/summary: National laws may modify or override various rights and restrictions for national security and other purposes.
ISO27k control: A.18.1.1
Notes: This is primarily of concern to the authoritie police, customs, immigration, armed forces) private/commercial organizations, either ro industry, ISPs, CSPs, money laundering rules (implying a legally-sound manual process to situations).

Chapter IV Controller and processor

Article 24
Outline/summary: The “controller” (generally the organization that owns and benefits from processing of personal info) is responsible for implementing appropriate privacy controls (including policies and codes of conduct)
ISO27k control: 4, 5, 6, 7, 8, 9, 10 and much of Annex A
Notes: This is a formal reminder that a suitable, com must be implemented, including policies an physical and other controls addressing the i obligations. The scale of this typically requi privacy. Given the overlaps, it normally ma
(Article 24, continued from previous page)
Outline/summary (cont.): considering the risks, rights and other requirements within and perhaps beyond GDPR.
Notes (cont.): and coordinate privacy with the ISO27k ISM and business continuity management - in ot

Article 25
Outline/summary: Taking account of risks, costs and benefits, there should be adequate protection for personal info by design, and by default.
ISO27k control: 6 and much of Annex A
Notes: There are business reasons for investing app information risks and compliance imperativ with various costs and benefits: elaborating management support and involvement, plu necessary to design, deliver, implement and Privacy by design and by default are exampl the specification, design, development, ope related IT systems and processes, including parties e.g. ISPs and CSPs.

Article 26
Outline/summary: Where organizations are jointly responsible for determining and fulfilling privacy requirements collaboratively, they must clarify and fulfil their respective roles and responsibilities.
ISO27k control: 5.3, 9.1, A.13.2, A.15, A.16, A.18.1
Notes: Organizations need to manage relationships privacy and other information security aspe includes, for instance, jointly investigating a or access requests, achieving and maintainin and respecting consented purposes for whic regardless of where it ends up.

Article 27
Outline/summary: Organizations outside Europe must formally nominate privacy representatives inside Europe if they meet certain conditions (e.g. they routinely supply goods and services to, or monitor, Europeans).
ISO27k control: 5.3, 7.5.1, A.15?, A.18.1.4
Notes: This is one of many compliance formalities: Officer or equivalent) should be accountabl

Article 28
Outline/summary: If an organisation uses one or more third parties to process personal info (‘processors’), it must ensure they too are compliant with GDPR.
ISO27k control: 8.2, 9.1, A.15, A.18.1.1, A.18.1.3, A.18.1.4
Notes: This applies to ISPs and CSPs, outsourced da services where the organization passes pers marketing plus HR, payroll, tax, pension and applies on the receiving end: service supplie their GDPR compliance status, privacy polic subcontractors), and to have compliance an included in contracts and agreements. The assessed and treated in the normal manner

Article 29
Outline/summary: Processors must only process personal info in accordance with instructions from the controller and applicable laws.
ISO27k control: Most
Notes: Processors need to secure and control perso controllers. They may well be controllers fo will hopefully have all necessary privacy arr case of extending them to cover client info, relationships (e.g. how to handle breaches o

Article 30
Outline/summary: Controllers must maintain documentation concerning privacy e.g. the purposes for which personal info is gathered and
ISO27k control: 7.5
Notes: More important formalities.
  13. 13. SourcetekIT– School Bid Privileged and Confidential Page 13 of 87 GDPR ISO27k Article Outline/summary Control Notes processed, ‘categories’ of data subjects and personal data etc. 31 Organizations must cooperate with the authorities e.g. privacy or data protection ombudsmen. A.6.1.3 Another formality. 32 Organizations must implement, operate and maintain appropriate technical and organizational security measures for personal info, addressing the information risks. 8.2 8.3 and most of Annex A GDPR mentions a few control examples (suc resilience) covering data confidentiality, int testing/assurance measures and compliance procedures, awareness/training and compli ISO27k ISMS provides a coherent, comprehe manage privacy alongside other information etc. 33 Privacy breaches that have exposed or harmed personal info must be notified to the authorities promptly (within 3 days of becoming aware of them unless delays are justified). A.16 A.18.1.4 Breaches etc. would normally be handled as management process but GDPR-specific obl notifying the authorities) must be fulfilled. containing personal info are probably not no encrypted (but remember this is NOT legal a clock starts ticking is not explicitly defined: i assess the available information/evident fir reportable incident has actually occurred i.e incident is declared genuine, not a false-alar 34 Privacy breaches that have exposed or harmed personal info and hence are likely to harm their interests must be notified to the people so affected ‘without undue delay’. A.16 A.18.1.4 Aside from the legal and ethical considerati privacy authorities, there are obviously sign the timing and nature of disclosure. This wo management process for serious or significa management as well as specialists and advis the associated business costs, disruption an arguments to make privacy a corporate imp appropriate preventive measures. 
The same serious/significant information incidents of 35 Privacy risks including potential impacts must be assessed, particularly where new technologies/systems/arrangements are being considered, or otherwise where risks may be significant (e.g. ‘profiling’ defined in Article 4 as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's 6.1.2 A.6.1.3 A.8.2.1 ISO/IEC 27005 and ISO 31000 Again, there are sound business and ethical information risks (including privacy and com obligations. Privacy-related risks should pro registers alongside various other risks. GDP assessment of privacy risks as part of the ro business change projects, new IT systems de
  14. 14. SourcetekIT– School Bid Privileged and Confidential Page 14 of 87 GDPR ISO27k Article Outline/summary Control Notes performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”). ‘Significantly risky situations’ are to be defined by the national privacy authorities, apparently. 36 Privacy risks assessed as “high” [undefined] should be notified to the authorities, giving them the chance to comment. 6.1.2 A.6.1.3 A.8.2.1 ISO/IEC 27005 and ISO 31000 The GDPR requirement is well-meaning but corporate policies concerning the precise de the other hand explicit inputs from the auth official position on the suitability and adequ words this comes down to a business risk/st 37 A data protection officermust be formally identified under specified circumstances e.g. public bodies, organizations regularly and systematically monitoring people on a large scale, or those performing large-scale processing of sensitive personal info relating to criminal records. 5.3 A.6.1.1 A.18.1.4 Aside from GDPR obligation, the “Privacy Of more broadly applicable and valuable, whet notifiable or not. There are clearly many an focal point for privacy (ideally a competent sense for virtually all organizations. This is a 38 [If formally designated] the data protection officer must be supported by the organization and engaged in privacy matters. 5.3 A.6.1.1 A.18.1.4 See above. Formalities aside, without mana the organization, a Privacy Officer is powerl 39 [If formally designated] the data protection officer must offer advice on privacy matters, monitor compliance, liaise with the authorities, act as a contact point, address privacy risks etc. 5.3 A.6.1.1 A.18.1.4 See above. The GDPR requirements would f description. 
40 Various authorities, associations and industry bodies are anticipated to draw up codes of conduct elaborating on GDPR and privacy, offer them to be formally approved (by an unspecified mechanism) and (where appropriate) to implement their own (member) compliance mechanisms. 5.3, A.6.1.1 A.18.1.4 Although this is a valiant attempt toadd we achieve a full legal mandate … but the ethic than just a matter of strict compliance with that, codes (and ISO27k standards!) offer go may generate commercial/marketing advan 41 The bodies behind codes of conduct are required to monitor compliance (by their members), independently and without prejudice to the legal and regulatory 5.3 A.6.1.1 A.18.1.4 See above.
  15. 15. SourcetekIT– School Bid Privileged and Confidential Page 15 of 87 GDPR ISO27k Article Outline/summary Control Notes compliance monitoring conducted by the national authorities. 42 Voluntary data protection certification schemes offering compliance seals and marks (valid for 3 years) are to be developed and registered. 5.3 A.6.1.1 A.18.1.4 Similar schemes already exist: GDPR gives th the commercial advantages they already ex 43 Certification bodies that award compliance seals and marks should be competent and accredited for this purpose. The European Commission may impose technical standards for certification schemes. 5.3 A.6.1.1 A.18.1.4 This should improve the credibility and mea may also increase the costs. Since they are certified, and which schemes to join, are com management. Chapter V Transfers of personal data to third countries or international organisations 44 International transfers and processing of personal info must fulfil requirements laid down in subsequent Articles. - Preamble. 45 Data transfers to countries whose privacy arrangements (laws, regulations, official compliance mechanisms ...) are deemed adequate by the European Commission (i.e. compliant with GDPR) do not require official authorisation orspecific additional safeguards. A.18.1.4 Most formalities are to be handled by the Co avoiding transfers to other countries, monit ensuring that suitable contracts/agreement as with other third party datatransfers (see 46 Data transfers to countries whose privacy arrangements (laws, regulations, official compliance mechanisms ...) are not deemed adequate by the European Commission (i.e. compliant with GDPR) but meet certain other criteria require additional safeguards. A.18.1.4 Essentially, the organization must implemen controls before transferring personaldata t suitable contractual clauses and compliance 47 National authorities may approve legally- binding privacy rules permitting transfers to non-approved countries. 
A.18.1.4 Formalities may affect contractual terms, co Hint: it may not be worth the aggravation, r 48 Requirements on European organizations from authorities outside Europe to disclose personal data may be invalid unless covered by international agreements or treaties. A.18.1.4, A.16 Such situations would normally be handled specialists - but may start out as incidents. 49 Yet more conditions apply to personal info transfers to non-approved countries e.g. explicit consent by the data subjects. A.18.1.4 The Commission is deliberately making it dif the privacy risks are higher.
  16. 16. SourcetekIT– School Bid Privileged and Confidential Page 16 of 87 GDPR ISO27k Article Outline/summary Control Notes 50 International authorities will cooperate on privacy - - Chapter VI Independent supervisory authorities 51-59 [Concern national bodies to oversee privacy.] - - Chapter VII Cooperation and consistency 60-76 [Concern supervisory authorities and the EU Data Protection Board.] - - Chapter VIII Remedies, liability and penalties 77-81 [Supervisory authorities can deal with privacy complaints.] - - 82 Anyone damaged by infringements of GDPR has a right to compensation from the controller/s or processor/s. A.18.1.4 - 83 Administrative fines imposed by supervisory authorities shall be “effective, proportionate and dissuasive”. Various criteria are defined. Depending on the infringements and circumstances, fines may reach 20 million Euros or up to 4% of total worldwide annual turnoverfor the previous year if greater. 6 A.18.1.4 Such huge fines are clearly intended to be a significant part of the potential impact of pr assessment of GDPR compliance and other p 84 Other penalties may be imposed. They too must be “effective, proportionate and dissuasive”. 6 A.18.1.4 See above. Chapter IX Provisions relating tospecific processing situations 85 Countries must balance privacy/data protection rights against freedom of expression, journalism, academic research etc. through suitable laws. 6 A.18.1.1 A.18.1.4 Issues under this Article may come down to hence again there are information risks to b where personal information is involved. 86 Personal data in official documents may be disclosed if the documents are formally required to be disclosed under ‘freedom of information’-type laws. 6 A.18.1.1 A.18.1.4 It may be feasible to redact personal or othe ISO/IEC 27038.
Article 87
Outline: Countries may impose further privacy controls for national ID numbers.
ISO27k control: 6, A.18.1.1, A.18.1.4
Notes: National ID numbers may be used as secret they must remain confidential to reduce the sensitive personal information, implying the security/privacy controls.

Article 88
Outline: Countries may impose further constraints on corporate processing and use of personal information about employees e.g. to safeguard human dignity and fundamental rights.
ISO27k control: 6, A.18.1.1, A.18.1.4
Notes: Employment laws may intersect with GDPR compliance and altering the information ris

Article 89
Outline: Where personal data are to be archived e.g. for research and statistical purposes, the privacy risks should be addressed through suitable controls such as pseudonymization and data minimization where feasible.
ISO27k control: 6, A.18.1.4
Notes: Privacy concerns remain as long as the data their families or communities may be impac this, the information risks should be identifi in the normal way.

Article 90
Outline: Countries may enact additional laws concerning workers’ secrecy and privacy obligations.
ISO27k control: 6, A.18.1.1, A.18.1.4
Notes: Employment or secrecy laws may intersect w complicating compliance and altering the in

Article 91
Outline: Pre-existing privacy rules for churches and religious associations may continue, “provided they are brought into line with” GDPR.
ISO27k control: A.18.1.4
Notes: Good luck interpreting this highly ambiguou

Chapter X: Delegated acts and implementing acts
Articles 92-99: [Concern how GDPR is being enacted by the EU.]
ISO27k control: A.18.1.1
Notes: Not relevant to an individual organization’s much as they need to comply with applicab

Suggested 3 tiers of escalated support:

Support Tier | Description
Tier 1 | All support incidents begin in Tier 1, where the initial trouble ticket is created. The issue is identified and clearly documented, and basic hardware/software troubleshooting is initiated. At this stage engineers also use the existing knowledge base to investigate and try, to the best of their ability, to resolve the issue.
Tier 2 | All support incidents that cannot be resolved with Tier 1 Support are escalated to Tier 2, where more complex support on hardware/software issues can be provided by more experienced engineers.
Tier 3 | Support incidents that cannot be resolved by Tier 2 Support are escalated to Tier 3, where support is provided by the most qualified and experienced engineers, who have the ability to collaborate with 3rd Party (Vendor) Support Engineers to resolve the most complex issues.

1.3 EXCEPTIONS TO RFP REQUIREMENTS
None.
2 PART II – DESCRIPTION OF SERVICES

2.1 AUDITING/ASSESSING IT SERVICES COMPLIANCE

2.1.1 COMPLIANCE AUDIT/ASSESSMENT METHODOLOGY
EnrollHostel’s GRAYBIE managed services platform provides a single pane of access and visibility for all the network devices and security issues, backed by our 24/7/365 monitoring by our certified and highly experienced engineers.

GRAYBIE connects to any IT data source or monitoring system to collect and collate data on various IT systems and applications. GRAYBIE’s Core Rule Engine is leveraged to apply custom rules applicable to the business, gaining insight into how the IT systems are performing within the business. Business-critical application performance, underlying IT infrastructure performance and service delivery within the organization’s IT support system can all be correlated to give a meaningful insight into the health of the IT environment. GRAYBIE not only enables operational excellence through quick resolution but also helps in saving operational costs through descriptive, prescriptive and predictive insights for calculating the magnitude, risk and time of the issue at hand, in real time, thereby enabling the teams to escalate it to management at the right moment.

A few real-time capabilities of GRAYBIE:
• Security threat correlation and incident analysis
• Custom correlation rule creation
• Device fault management
• High-touch service delivery
• Third-party log analysis to meet compliance requirements
• Configuration and engineering support
2.1.2 GDPR: What has Changed?
• Increased accountability and a greater level of responsibility within organisations to ensure that personal data is fully protected and processed according to the regulations
• More data will be classified as customers’ personal data, not just in normal databases but also in EUC components and in cloud data storage
• New internal role of a Data Protection Officer
• External roles outside the company will also be regulated, such as contractors, partners and service providers
• Eye-wateringly high cost of non-compliance
• New requirements for notification of data losses through hacking and lack of compliance
• Greater rights for customers to understand how their data is to be used, to give their informed consent, and to make future requests to change their consent
• Risk Assessments
• Privacy Impact Assessments

2.1.3 GDPR Governance Framework
Role | Description
Data Subject | A living natural person; they have rights and PII refers to them
Data Controller | Specifies how PII is to be manipulated
Data Processor | Manipulates the PII on behalf of the Data Controller
DPO | Data Protection Officer: a person charged with protecting PII and helping an organisation to meet the GDPR compliance requirements
Supervisory Authority (SA) | A national body which enforces the GDPR in EU member states
EDPB | European Data Protection Board: the coordinating layer which provides consistency between SAs
Third Country | A country outside of the EU
Third Party | An individual linked in some way to the Data Subject, or any company or organisation to whom data is sent

2.1.4 The Parts of the GDPR
Recitals (aim): commentaries and guidelines explaining why the Articles are necessary and providing an appreciation of how the law and the Articles are likely to be interpreted.
99 Articles (aim): the letter of the law.
The Articles are the AIM To allow Data Subjects to
2.1.5 EnrollHostel Audit Knowledge Repository
EnrollHostel’s 24x7x365 Network Operations Centre (NOC) provides real-time data from over 1,700 services, applications and processes in use across our clients’ infrastructure networks. Alerting our security and technical analysts from within our cloud services detects and resolves potential problems before they become service-affecting to your business operations. Our state-of-the-art NOC enables quick risk detection, security patch deployment, backup and endpoint management for your servers, desktops and portable devices.
2.1.6 Audit Plan

GDPR Plan
This GDPR planner aims to help you prepare your business data compliance processes for the General Data Protection Regulation (GDPR), which comes into force on the 25th of May 2018. This planner expands on the suggested set of actions for each of the 12 areas issued by the Information Commissioner’s Office (ICO), but, rather than presenting them by subject matter, it does so chronologically, breaking down the necessary actions over four periods of time: (1) groundwork, (2) planning, (3) implementation, and (4) embed/test/review. Phases 1, 2, 3 and 4 can be seen below.

Phase 1: Groundwork
(Source table columns: Category, Task, Date, Comment, Completed. The Date column reads “Insert date” and the Completed column is blank for every row; the Comment column gives a suggested day, shown first in each row below.)

Day 1 | Data Protection Officers | Consider whether to appoint a Data Protection Officer (DPO) to be responsible for data protection within your organisation and to assess whether your current approach to data protection compliance will meet the GDPR’s requirements. Scope out the potential DPO role. See Precedent: Data protection officer—DPO—job description and role profile.
Day 2 | Data Protection Officers | Assign budget and/or resources to data protection compliance.
Day 3 & 4 | Awareness | Ensure the board receives regular briefings and updates on the organisation’s preparations for GDPR implementation. You can cover this in Precedent: Data protection board report.
Day 4 | Awareness | Add GDPR compliance as a risk to your organisation’s Risk register. Consider the resource implications of implementing the GDPR.
Day 5 to 11 | Information audit | Conduct an audit of: what personal data you receive and/or hold (Day 5); how you process personal data (Day 6); for what purposes you process personal data (Day 7); whether you transfer or share personal data and, if so, to whom and how; how personal data moves within your organisation (Day 8); whether you transfer personal data outside the EEA (Day 8); how you ensure personal data remains accurate and up-to-date (Day 9); how you store personal data (Day 10); how long you keep personal data (Day 11); how you destroy personal data (Day 11). For the first part of the audit (what personal data you receive and/or hold), see Practice Note: Data mapping and Precedent: Sample data processing map. See also Precedent: Data and information register, which can be used to record the output of your data mapping exercise, including the remaining parts of the audit.
Day 12 | Individuals’ rights | Review Practice Note: The General Data Protection Regulation—Rights of the data subject, with particular regard to: data portability; data deletion; direct marketing; objecting to processing; restricted processing; automated decision-making and profiling.
Day 13 | Communicating privacy information | Review Practice Note: Privacy notices to familiarise yourself with the ICO’s expectations in relation to privacy notices.
Phase 2: Planning

Day 14 | Legal basis for processing personal data | Review all the data you process and identify your legal basis for doing so; generally, this will be consent of the data subject. Pay particular attention to sensitive personal data. Document your findings in a Data and information register, also known as a data-processing register.
Day 15 | Consent | Review Practice Note: The General Data Protection Regulation—Lawfulness of processing—New standard for consent.
Day 15 | Children | Review Practice Note: The General Data Protection Regulation—Lawfulness of processing—Parental consent.
Day 16 | Privacy by design | Review subtopic: Privacy impact assessments to familiarise yourself with the concept of privacy impact assessments (PIAs), also known as privacy by design.
Day 16 | Data Protection Officer | Proceed with appointment of a DPO or nominated individual to be responsible for data protection within your organisation and GDPR preparation—see Precedent: Data protection officer—DPO—job description and role profile. Decide where the DPO should sit within your organisation’s structure and governance arrangements.
Day 17 | Legal basis for processing personal data | Check that your current legal basis for processing data (as recorded in a data processing register) will be valid under the GDPR—see: lawfulness of processing.
Day 17 | Individuals’ rights | Consider whether the right to portability will apply to any of the data you process, ie personal data an individual has provided to you as a data controller, where: the processing is based on the individual’s consent or for the performance of a contract, and processing is carried out by automated means.
Day 17 | Individuals’ rights | If so, consider how you will deal with requests to port data—to include the requirement to provide the personal data in a structured, commonly used and machine-readable form.
Day 18 | Individuals’ rights | Check your procedures and work out how you would react if someone asks to have their personal data erased. Can your current IT systems facilitate the location and deletion of data, or will you need to invest time and money in some form of enhanced functionality? Who will make the decisions about deletion when requests are received?
Day 18 | Individuals’ rights | Consider whether your systems will be able to cope with requests for data portability or deletion where the data relates to more than one data subject.
Day 19 | Individuals’ rights | Review your direct marketing processes (including those of any service providers). Are you able to remove data subjects who object to direct marketing?
Day 19 | Individuals’ rights | Consider whether your systems enable you to isolate and exclude restricted data from processing activities.
Day 20 | Individuals’ rights | Audit whether, to what extent and on what basis your organisation makes use of automated decision-making and/or profiling (refer to the data processing register). If you undertake profiling based on consent, check that consent is explicit; if profiling is undertaken on sensitive personal data, check your processes enable your organisation to obtain explicit consent.
Day 21 | Subject access requests | Review your internal processes for dealing with subject access requests. Consider whether changes are required to be able to process requests within one month.
Day 22 | Subject access requests | Consider conducting a cost/benefit analysis of developing functionality for people to access their own information easily online.
(no day given) | Communicating privacy information | Draw up a register of all documents and intranet and website pages that provide privacy information. See Precedent: Privacy notice register.
Day 23 | Communicating privacy information | Audit the wording and functionality of each privacy notice identified in the register for compliance with the ICO Privacy Code. See Precedent: Privacy notice audit. Identify whether the organisation can make amendments to privacy notices itself or relies on an external service provider to make changes. Plan for ICO Privacy Code compliance.
Day 24 | Consent | Review your current systems for obtaining consent—do you presume consent from silence, pre-ticked boxes or inactivity? You can use Precedents: Privacy notice register and Privacy notice audit as your starting point. If yes, investigate what technological and other process changes need to be made to ensure: consent is given by a clear affirmative act, e.g. a written statement, electronic means, or oral statement; separate consent is given for distinct processing obligations.
Day 25 | Consent | Consider whether you currently obtain consent as part of a written declaration which concerns other matters. You can use Precedents: Privacy notice register and Privacy notice audit as a starting point. If you do, consider what changes need to be made to ensure the consent request is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
Day 26 | Consent | Consider whether your current systems provide an effective audit trail of consent being given. If not, investigate what changes need to be made.
(no day given) | Consent | Consider whether your current system provides simple methods for withdrawing consent. If not, investigate what changes need to be made.
Day 28 | Children/consent | Determine whether the rules on children will affect your organisation and, if so, consider: what process changes are required (if any) to ensure appropriate parental consent mechanisms are implemented; any codes of practice relating to children issued by any relevant regulator; whether any process changes are required to ensure you can demonstrate you properly consider whether a child’s interests may override your own (if relying on legitimate interests to justify processing).
Day 28 | Data breaches | Review your information security arrangements—see Precedent: Information security review.
Day 29 | Data breaches | If you have not already done so, implement a data breach policy or plan. See subtopic: Managing data breaches, which contains a range of tools and Precedents including: Data breach plan, Data breach panic sheet and Data protection breach management workflow.
Day 29 | Data breaches | Review data protection clauses with external providers to ensure they require prompt notification to you of any data security breach and appropriate remedies, including termination.
Day 29 | Data protection by design | Consider your organisation’s strategic plan and ICT plan. Are there any activities within the foreseeable future that may trigger the need for a PIA? If yes, ensure your project plan(s) make provision for conducting a PIA to ensure privacy by design—see Precedent: Privacy impact assessment.
Day 30 | Information audit | Collate contract documentation for all third parties with whom you share data. This information should be available in your data processing register.
Day 30 | International | Determine which national data protection supervisory authority you come under—for the vast majority of organisations, this is likely to be the ICO. If your organisation operates from other Member States, map out where the most significant decisions about data processing are made. This will help to determine your organisation’s main establishment and therefore your lead supervisory authority.

Phase 3: Implementation — by the end of December 2017

Day 31 | Individuals’ rights | Make necessary changes to your systems and processes in relation to: data portability; data deletion; direct marketing; objections to processing; restricted processing; automated decision-making and/or profiling.
Day 32 | Subject access requests | Make necessary changes to your systems and processes in relation to subject access requests. This will include amending response letters and timescales.
Day 32 | Legal basis for processing personal data | Implement a process for making and recording decisions on processing activities beyond the scope for which consent was given, taking into account the factors in GDPR, Art 6(4).
Day 32 | Communicating privacy information | Finalise updated privacy notices.
Day 32 & 33 | Consent | Make changes to your consent systems and processes as required to ensure: any request for consent is clearly distinguishable from the other matters, and is made available in an intelligible and easily accessible form, using clear and plain language; consent is given by a clear affirmative act, eg a written statement, electronic means, or oral statement; separate consent is given for distinct processing obligations; there is an effective audit trail of consent being given; there are simple methods for withdrawing consent.
Day 33 | Children/consent | If you offer information society services directly to children, make necessary changes to your systems and processes: in relation to parental consent; to demonstrate you properly consider whether a child’s interests may override your own (if relying on legitimate interests to justify processing).
Day 34 | Data breaches | Update your Data breach plan for consistency with the GDPR, eg regarding notification requirements.
Day 34 | Data breaches | Ensure data protection clauses with external providers require prompt notification to you of any data security breach and incorporate appropriate remedies, including termination.
Day 35 | Privacy by design | Embed a culture of privacy by design, ensuring that any high privacy-risk or high impact projects incorporate a PIA.
Day 35 | Information audit | Review contract documentation for all third parties with whom you share data. Consider the extent to which contract clauses require amendment for compliance with the GDPR. See Precedents: Data processing provisions—DPA 1998 and GDPR compliant—pro-controller and Data processing provisions—DPA 1998 and GDPR compliant—pro-processor. Negotiate with relevant third parties.
Day 36 | Awareness | Plan a programme of staff training and awareness.
Phase 4: Embed, test and review — by the end of April 2018

Day 37 | Individuals’ rights | Ensure system and process changes have gone live in relation to: consent (including in relation to children); data portability; data deletion; direct marketing; objections to processing; restricted processing; subject access requests; processing activities beyond the scope for which consent was given. Test and review the new systems.
Day 38 | Communicating privacy information | Publish updated privacy notices and ensure any external providers update relevant privacy notices published on your behalf.
Day 39 | Data breaches | Roll out and test the updated Data breach plan for consistency with the GDPR, e.g. regarding notification requirements.
Day 40 | Data breaches | Train staff on all new policies and procedures.
Day 41 | Privacy by design | Ensure any large-scale projects that impact on privacy incorporate a PIA.
Day 42 | Information audit | Check that contract documentation for all third parties with whom you share data is GDPR-compliant.

2.1.7 Compliance Dashboards
The compliance team provides real-time data visibility for monitoring as per the following dashboards:
Fig: NOC Main Dashboard
Fig: Threat Activity report
Fig: Types of report dashboard
Fig: Devices dashboard
Fig: Device Executive summary
Fig: Device executive summary – 2
Fig: Device executive summary – 3

2.1.8 VULNERABILITY TESTING
A vulnerability assessment is a procedure used to identify and assign severity levels to as many security defects as possible within a given time period. The procedure may combine automated and manual techniques, with varying degrees of rigour and an emphasis on comprehensive coverage. Using a risk-based approach, vulnerability assessments may target different layers of technology, the most common being host-, network- and application-layer assessments. Conducting vulnerability assessments enables organizations to identify vulnerabilities in their software and supporting infrastructure before a compromise can occur. A vulnerability can be defined in two ways:
• A bug in code or a flaw in software design that can be exploited to cause harm. Exploitation may occur via an authenticated or unauthenticated attacker.
• A gap in security procedures or a weakness in internal controls that, when exploited, results in a security breach.
Our dedicated team at EnrollHostel provides vulnerability assessments that are intended to yield a ranked or prioritized list of a system’s vulnerabilities for different types of threats. Organizations use these assessments to become aware of their security risks and to understand where they need help identifying and prioritizing potential issues. By understanding their vulnerabilities, we can plan remediations and patches for those vulnerabilities for incorporation into their risk management framework.
The perspective on a vulnerability may vary depending on the system assessed. For instance, a utility system, such as power or water, may prioritize vulnerabilities to things that could disrupt services or damage facilities, such as natural disasters, tampering and terrorist attacks. By contrast, an information system (IS), such as a website with databases, may require an assessment of its susceptibility to hackers and other forms of cyberattack. A data centre, in turn, may require an assessment of both physical and virtual vulnerabilities, since it needs security for both its physical facility and its digital presence. This is where we step in to provide the best of services and line up the possible cases and assessments you need.
2.2 EXECUTION PLAN
2.2.1 SERVICE DELIVERY APPROACH
EnrollHostel is of the opinion that governance is multifaceted, spanning organizational structure, customer engagement, relationship models, processes and metrics. When the business and operational environment is complex there is a greater need for robust governance, as without it there is an increased risk of shared-service and vendor-partnership value leakage.
1. Plan Assessment
2. Design & Architect for privacy
3. Fill The Gap
4. Operate
5. Conform to Standard
Business succeeds when IT runs better and quicker at reduced cost. Our Operations & Support Services offering is based on an ITIL-driven service management framework which, coupled with state-of-the-art tooling and processes, helps IT organizations cut cost, reduce risk and drive down IT cost. Our mission is to reduce the incident trend, targeting a zero count, and to ensure the availability and reliability of applications so as to meet the service level commitment for each application. We proactively monitor user experience, business metrics, critical components and processes to analyze and fix incidents before end-users are impacted or experience any delay, and thus ensure business-critical apps perform at peak efficiency and availability without any downtime. The diagram below illustrates our approach to building an effective and high-performing support/operations service.
2.2.2 INCEPTION
A team comprising the service delivery managers from EnrollHostel and School will be set up for detailed planning, resource assignment and scope finalization. The team would schedule, prioritize and monitor the tasks, as well as provide status reports. The tasks associated with this phase are highlighted below:
Activities | Teams involved (EnrollHostel Team / School Team(s) / Existing Vendor Team(s))
Identify Processes: Standard Process Flow Charts | ✓ ✓ ✓
Identify existing Documentation and Knowledgebase | ✓ ✓ ✓
Team Ramp-up | ✓

2.2.3 KNOWLEDGE TRANSFER
During this phase, the EnrollHostel support team will gain and share knowledge about the environment and infrastructure to be supported. Existing School and vendor teams will also be involved, as required.
Activities | Teams involved (EnrollHostel Team / School Team(s) / Existing Vendor Team(s))
Study Processes: Standard Process Flow Charts | ✓ ✓ ✓
Reporting / Interfaces (if any changes) / Access | ✓ ✓ ✓
Environment / System Landscape / Architecture / Database / Servers / Hosting | ✓ ✓ ✓
Study Documentation and Knowledge Base | ✓ ✓ ✓
Issue / Back Log for last 3 months and last quarter of previous year (for year-end issues) | ✓ ✓ ✓
Detailed Roles and Responsibilities | ✓ ✓
The EnrollHostel Knowledge Transfer model promotes:
• Preparing SOPs and other documents (e.g. architectural details of the environment, workflow diagrams etc.)
• Maintaining strong known-issues databases
• Capture of knowledge through collaboration, both by explicit (interviewing and observation process; ticket-by-ticket analysis) and implicit (discussion forums, blogs, error database and reusable components repository) means.
• Ensuring acquired knowledge is easily retrievable.
• Knowledge sharing across multiple and disparate ENROLLHOSTEL resources.
• Reduction of information overload/capture through replication of best practices.
2.2.4 STEADY STATE OPERATIONS
EnrollHostel’s team will commence steady-state operations with full SLA compliance. SLA measurements against targets will be taken and reported to SCHOOL. All handover from the current vendor team(s) will be considered complete, and they can be disengaged from the project at the start of Steady-State Operations.
2.2.5 AUDIT STRATEGY
Effective implementation of the Audit strategy leverages the best practices of IT Service Management (ITSM) concepts. The main focus for IT Audit and compliance is to execute the business requirements defined at Service Delivery to the business. The diagram below illustrates the various components of an ITSM approach. The important components of ITSM for having a Network-First strategy are as follows:
Access Management
Implementation of security policies defined by Information Security Management. The implementation should include physical barriers to systems such as VLAN separation, firewalling, and controlled access to storage and applications.
Change Management
Establish a process for controlling the life cycle of all changes while minimizing disruption to operations. Test and review all changes that are candidates for automation vs. mechanized execution.
Service Asset and Configuration Management
Establish a process for maintaining information on the assets, components and infrastructure needed to provide services. Information on assets should contain past and current states and future-state forecasts for the demand portfolio.
Release & Deployment Management
Establish a predictable and homogenized release and deployment process to protect the production environment. Ensure during capacity planning that hardware and VM specifications are pre-defined and tested prior to the deployment cycle. Utilize VM component templates approved for production, such as VM images and Gold images.
Knowledge Management
Establish a knowledge management process for gathering, analyzing, storing and sharing knowledge within the IT organization.
Incident & Problem Management
Establish a process for resolving events that are impacting services in the virtualized environment as soon as possible with minimal disruption. Identify and resolve the root causes of incidents that have occurred, and identify and prevent or minimize the impact of incidents that may re-occur.
Request Fulfillment
Management of all service requests while utilizing best practices for managing requests. All service requests will be documented in the services catalog and will include an SLA on when the request will be completed.
Systems Administration
Regularly perform systems administration tasks and mature towards automation and scripting skills.

2.3 ACCOUNT MANAGEMENT & TECHNOLOGY TEAM STRUCTURE
2.3.1 AUDIT ACCOUNT MANAGEMENT
Despite having multiple Centers of Excellence and practices, and being driven by industry standards and best practices, EnrollHostel firmly believes in and promotes a client-centric model where each engagement is tailored explicitly around the client’s needs and business drivers.
To this end, it has created the Client Solutions group, which provides a dedicated Account Manager and Solution Specialists who actively interact with all the stakeholders within each client’s organization, not only to understand the business needs and requirements but also to align the proper services and resources that will ensure maximum benefit to the client. Additionally, these two entities indirectly validate the quality of the delivery and provide feedback and input to the Global Delivery Organization.
2.3.2 PROJECT TEAM STRUCTURE
2.3.2.1 TEAM STRUCTURE
Fig: Team structure (org chart) – Director, Audit Committee, IT Audit Team, Legal, IT Compliance Team, IT Audit Manager, Chief Audit Executive, Lead Auditor, Internal Auditors Department 1, Internal Auditors Department 2
2.3.2.2 TEAM ROLES & RESPONSIBILITIES
Role | Description
Data Subject | A living natural person – they have rights and PII refers to them
Data Controller | Specifies how PII is to be manipulated
Data Processor | Manipulates the PII on behalf of the Data Controller
DPO | Data Protection Officer: a person charged with protecting PII and helping an organisation to meet the GDPR compliance requirements
Supervisory Authority (SA) | A national body which enforces the GDPR in EU member states
EDPB | European Data Protection Board: the coordinating layer which provides consistency between SAs
Third Country | A country outside of the EU
Third Party | An individual linked in some way to the Data Subject, or any company or organisation to whom data is sent

Role | Responsibilities
Delivery Manager (Audit)
• Reviewing and understanding the responsibilities of each party under this SOW.
• Working with the School team to accomplish the tasks outlined in this SOW.
• Maintaining regular communications with the School team on engagement progress.
• Assisting in the resolution of deviations from the scope/plan that may impact deliverables, schedules and/or costs.
• Providing management updates on project team deliverables and program governance metrics, and reporting on engagement health to School stakeholders.
• Ensuring that the engagement remains healthy and that tasks outlined within the SOW are executed to the client’s satisfaction.
Senior Auditors
• Coordinate/manage end-to-end support and operations related activities and prioritize user requests and problems according to severity and existing workload.
• Optimize effort with embedded best practices that accelerate time to value.
• Manage project team deliverables/quality issues/SLAs.
• Ensure all outages are communicated and addressed within the stipulated time frame.
• Manage the shift schedule and availability of resources.
• Support operational tools.
• Manage proper delegation of support tasks among all support team members.
• Provide clarification about new and existing processes.
• Assist School managers in all project related tasks, including ticket management.
• Maintain and update documentation.
• Follow defined guidelines and processes and ensure the other team members also follow them.
• Plan and participate in Service Improvement and Value-addition activities.
• Plan cross-training initiatives within the team.
Junior Auditors
• Work on support and operations related activities/tasks/tickets – primarily on Network Operations/activities.
• Optimize effort with embedded best practices that accelerate time to market.
• Guide other team members on best practices and technology enhancements.
• Plan and participate in Service Improvement and Value-addition activities.
• Define and enhance support processes.
• Provide necessary advisory services to SCHOOL.
• Provide on-call support on weekends/US holidays.
Lead Auditor GDPR
• Work on support and operations related activities/tasks/tickets – primarily on IT Operations/activities.
• Maintain constant communication with customers and SCHOOL stakeholders, especially with the onsite leads.
• Prioritization of user requests and problems, with the lead/manager, according to severity and existing workload.
• Coordinate with other SCHOOL teams for issue resolution.
• Support operational tools.
• Perform RCAs.
• Follow the guidelines of defined support processes.
3 PART III – REFERENCES & ENROLLHOSTEL CAPABILITIES
3.1 CASE STUDIES
Some of the salient projects that EnrollHostel has done in the past include the following (additional details have been provided as Case Studies in the proposal document in ANNEXURE I):
Customer* | Services | Details
Leading Government | GDPR Consulting | GDPR assessment, GDPR Gap Analysis, GDPR internal audit, GDPR external audit, DPIA (Data protection impact assessment)
Leading global Insurance Regulator | Privacy Controls consulting | Privacy Law based audit/assessment, assigning DPO role/team, Privacy Gap Analysis, Privacy internal audit, Privacy law external audit
Leading multi-national Bank | Privacy Law consulting | PII assessment, Privacy Law based audit/assessment, Privacy Gap Analysis, Privacy internal audit, Privacy law based external audit
*Due to contractual obligations, we are not permitted to explicitly name the organization for which these services were provided.
Some of the key tasks that EnrollHostel teams have been involved in on projects with Managed Operations/Support include:
a) Privacy Audit/assessment, PII processing lawfully.
b) GAP Analysis to reach GDPR compliance
c) Privacy by design
d) Data Protection Impact assessment
e) Appointing and building a Data Protection Officer Team.
f) Remedies, liability, & penalties
g) Provisions relating to specific processing situations
h) Delegated acts and implementing acts
3.1.1 CASE STUDY 1
Name and Address | Leading Government in EMEA Region
Contracting Activity | GDPR Audit
Contract Type | Fixed Price
Description of Services
*Due to contractual obligations, we are not permitted to explicitly name the organization for which these services were provided.
The Challenges
• Client wanted to assess its privacy posture against the new privacy law.
• Privacy Audit/assessment, PII processing lawfully.
• GAP Analysis to reach GDPR compliance
• Privacy by design
• Data Protection Impact assessment
• Appointing and building a Data Protection Officer Team.
• Remedies, liability, & penalties
• Provisions relating to specific processing situations
• Delegated acts and implementing acts
Solution
The enterprise leveraged the Server Operations and Crisis Management teams. The team also worked closely with the other dependent team for any changes and upgrades to the production web applications.
• Privacy Audit/assessment, PII processing lawfully.
• GAP Analysis to reach GDPR compliance
• Privacy by design
• Data Protection Impact assessment
• Appointing and building a Data Protection Officer Team.
• Remedies, liability, & penalties
• Provisions relating to specific processing situations
• Delegated acts and implementing acts
Benefits Delivered
• Privacy Audit/assessment, PII processing lawfully.
• GAP Analysis to reach GDPR compliance
• Privacy by design
• Data Protection Impact assessment
• Appointing and building a Data Protection Officer Team.
• Remedies, liability, & penalties
• Provisions relating to specific processing situations
• Delegated acts and implementing acts

3.1.2 CASE STUDY 2
Name and Address | Leading media and entertainment company in US*
Contracting Activity | 24 x 7 Infra-support
Contract Type | Fixed Price
Description of Services
*Due to contractual obligations, we are not permitted to explicitly name the organization for which these services were provided.
The Challenges
The IT team of the Insurance company is responsible for provisioning and managing the entire enterprise IT infrastructure across multiple locations. The primary objective was to fix the privacy aspect with respect to providing legally and regulatory compliant and competitive IT elements. This automation would enable higher compliance to privacy and help the IT team and customer in managing day-to-day operations more effectively. The IT team had a challenge in terms of managing IT across distributed locations and the huge impact of smooth IT operations on business services.
Solution
The privacy assessment was done and the solution was deployed centrally at the IT operations center to proactively monitor the network, systems, applications and database infrastructure and notify users if there is any privacy issue. The solution deployed is used to monitor the privacy aspect for regulatory and legal compliance of the critical network devices. The service level committed by the service provider is verified using the availability service level report available from the NOC solution service. The solution was deployed for monitoring multiple key performance indicators of various elements, including:
• Routers, switches -> availability, response times, CPU utilization and memory utilization, custom SNMP expression-based performance metrics
• MPLS links -> availability, response times and utilization
• Servers -> resource utilization by CPU, memory, disk, bandwidth, etc.
• Databases -> table space utilization, log file utilization, deadlocks and query response times
• Applications -> service availability
• Web Services -> availability
Benefits Delivered
• Privacy by design service was deployed to centralize incoming service requests to various departments.
• A streamlined service request routing, tracking, escalation, resolution and closure process has brought about accountability within each department.
• The automated routing and SLA monitoring capabilities have reduced issue closure times and have improved end-user satisfaction.
• The NOC solution deployed has helped the IT staff to provide better service response and quick resolution of end-user reported issues with flexible workflow-based automation, and has enabled higher customer satisfaction across the organization.

3.1.3 CASE STUDY 3
Name and Address | Leading media and entertainment company in US*
Contracting Activity | 24 x 7 Infra-support
Contract Type | Fixed Price
Description of Services
*Due to contractual obligations, we are not permitted to explicitly name the organization for which these services were provided.
The Challenges
The IT infrastructure company is distributed across 10 locations. There are about 100 critical network elements, including routers, switches, links etc. The IT operations run on 20+ critical Windows 2000 and 2003 servers. There are about 15+ mission critical applications that run on a variety of Microsoft SQL and proprietary databases. These applications also include web-based middleware and other web-services based applications. The objectives for IT Infrastructure monitoring include the following:
• Proactive auditing/assessment of networks, systems, applications, databases and IT services infrastructure for availability and performance
• Determine root cause, fix problems quickly and ensure mission critical applications are healthy and available for end users without conflicting with the GDPR
• Enhance end-user perception of IT services by ensuring privacy-protecting resolution of end-user issues. Ensure that the IT team is accountable for closing end-user reported issues on time with higher user satisfaction.
• Audit privacy of hosts, applications, locations and departments, including hourly, weekly and monthly usage trends
• Plan future privacy needs, such as privacy by design needs, in advance and maintain the competitive edge
Solution
• The Privacy by design solution was deployed to monitor core IT services like messaging services, ERP services and EIP services. The team uses the NOC tool to ensure availability of these services to the branches is proactively monitored and accounted for.
• Real-time dashboards and historical reports were made available as part of a built-in web-based portal and are used by the IT team to examine and optimize resource compliance.
• The non-invasive, agentless monitoring capability of Compliance was deployed to help the IT team with easy and faster deployment of monitoring across local and remote servers, databases and applications.
• Flexible notification and escalation capabilities of Compliance were used for proactive monitoring of faults and performance breaches. This helped the IT engineers to fix issues before they are reported by end users.
Benefits Delivered
• The Compliance assessment and analysis helped to audit and better manage application compliance across locations and departments.
• Better management of compliance for PII assessment, Privacy Law based audit/assessment, Privacy Gap Analysis, Privacy internal audit and Privacy law based external audit.
• Better privacy compliance for application and link availability and performance.
• Quick response time & resolution, resulting in customer delight.

3.2 ENROLLHOSTEL | CAPABILITY
EnrollHostel is built on a strong foundation of architecture, process, and a privacy-based approach to technology solutions. Our professionals consistently use these fundamental principles, coupled with out-of-the-box thinking, to deliver creative and robust solutions that meet our clients’ stated as well as unanticipated needs. This approach allows us to deliver solutions that combine our expertise in development, support and testing, using a continuous integration approach with industry-leading products in various functional domains. Our core competency is the ability to quickly understand the client’s business needs and deliver an elegant and robust, yet cost-effective, solution.
Over the past 10 years, customers have engaged EnrollHostel for solutions and services across a wide variety of technologies. EnrollHostel has constantly innovated and kept abreast of new and emerging technologies in IT infrastructure, Security & Internet Of Things, amongst others.
3.2.1 PROGRAM GOVERNANCE
EnrollHostel has a well-defined program governance process, which closely monitors customer satisfaction, service levels and quality. Periodic reviews are conducted to ensure that services are being delivered to exceed customer expectation and to seek feedback.
• A monthly business review is conducted to review service levels, process compliance, issues to be escalated, and targets and improvements for the next month.
• Quarterly executive briefings present an opportunity to discuss past performance, recommendations and focus areas for the future.
3.2.2 CONTINUAL SERVICE IMPROVEMENT (CSI)
EnrollHostel continually institutes process and methodology that meets requirements and also allows for needs that adjust to the client’s changing business dynamics. To achieve our objective of providing best-in-class services, our project teams adhere to a continual improvement framework based on ITIL best practices.
The team will continually identify areas of improvement and provide recommendations on:
• Deploying and enhancing continuous integration frameworks for code deployment and automated deployment
• Building IT automation for important processes, such as automatic deployment and operations, automatic ticket creation based on monitoring alerts, and integration of monitoring tools
• Proactively monitoring, identifying trends and addressing situations, and proposing solutions in order to restore and resolve critical issues in a timely fashion
• Using ITIL techniques to improve the processes used
• Proactively working closely with client teams and third-party development for operational readiness and hand-off of new development and applications
3.2.3 KNOWLEDGE MANAGEMENT
The EnrollHostel Knowledge Management approach promotes:
• Capture of knowledge through collaboration, both by explicit (interviewing and observation process; case-by-case analysis) and implicit (discussion forums, blogs, error database and reusable components repository) means.
• Organizing the acquired knowledge so that it is easily retrievable.
• Sharing and distributing knowledge through wiki documentation, run-books, standard operating procedures etc.
• Using and reusing knowledge for operational efficiency, improvement and automation.
3.2.4 TEAM COMPETENCY AND SKILLS ENHANCEMENTS
To be at the forefront of the ever-changing IT trends in business, it is imperative for any organization to constantly update and reinvent itself. EnrollHostel aims to achieve this through a strategic skill enhancement program that involves every employee. Industry trend analysts identify key areas of skill enhancement, keeping in view our core competencies and goals.
EnrollHostel continually strives to augment its team competency and skills considering changes in client processes, technology, tools and domain knowledge, and encourages and facilitates across-the-board technical certification programs. Along with acquiring formal technical certification, it also empowers employees with enhanced skills and knowledge. We sponsor these certifications and proactively arrange formal sessions between industry experts and our professionals. Some of the areas where our project teams get training from internal and external trainers are soft skills, technical training on disruptive and emerging technologies, team management, leadership etc.
3.3 ENROLLHOSTEL | PROJECT MANAGEMENT PROCESS
EnrollHostel ensures that all projects undertaken by its team are governed and managed effectively, meeting the customer’s expectations. Below are the key project monitoring & control processes that will be followed to track the progress of the project delivery. Some of these may be tailored based on specific plans during project execution.
• Track project planned activities against the actual and update critical dependencies in the schedule accordingly with the revised planned dates
• Status reporting of ongoing project activities & implementation of corrective actions based on the comments received from different stakeholders
• Internal team meetings
• Project customer meetings
• Monthly business reviews
• Track the estimates for reviewing the planned vs. actual effort throughout the project lifecycle
• Monitor risks associated with cost, resource and schedule aspects and perform ongoing risk identification and management in conjunction with client stakeholders
• Review any changes to the allocated requirements according to the change management process
• Collect measurement data for the project regularly throughout the project life cycle, per the data collection plan, on a monthly basis. This is done for the purpose of analysis and for planning preventive and corrective actions
• SLA Monitoring & Tracking
3.3.1 REPORTING METRICS
Below is a list of typical metrics that the EnrollHostel team would produce during the course of this project. These metrics can be tailored in discussion with School at the time of project initiation.
Service Desk Support Reports
• Daily – ticket report, Pending & Closed ticket reports.
• Weekly – ticket trend report, ticket analysis report.
• Monthly – ticket Analysis report, ticket Trend Report, Uptime reports, Backup and restore Report, RCA, Escalated ticket report
Incident Management
• Number of repeated Incidents, with known resolution methods
• Number of Incidents resolved remotely by the support teams
• Number of escalations for Incidents not resolved in the agreed resolution time
• Average time for resolving an incident
• Percentage of Incidents resolved by L2 without L3 involvement
• Rate of incidents resolved within the solution times agreed in the SLA
Problem Management
• Number of problems logged
• Average time for resolving problems
• Number of problems where the underlying root cause is not known at a particular time
• Number of reported incidents linked to the same problem after problem identification
• Average time between first occurrence of an incident and identification of the underlying root cause
• Average work effort for resolving problems
Service Level Management
• Number of services covered by SLAs
• Number of Services where SLAs are backed up by corresponding OLAs/UCs
• Number of monitored Services/SLAs where weak spots and counter-measures are reported
• Number of Services/SLAs which are regularly reviewed
• Number of Services/SLAs where the agreed service levels are fulfilled
• Number of issues in the service provision which are identified and addressed in an improvement plan
Availability Management
• Availability of applications relative to the availability agreed in SLAs and OLAs
• Number of service interruptions
• Average duration of service interruptions
• Percentage of application components under availability monitoring
• Number of implemented measures with the objective of increasing availability
Security Management
• Number of preventive security measures which were implemented in response to identified security threats
• Duration from the identification of a security threat to the implementation of a suitable counter-measure
• Number of identified security incidents, classified by severity category
• Number of security incidents causing service interruption or reduced availability
• Number of security tests and trainings carried out
• Number of shortcomings in security mechanisms which were identified during tests
3.3.2 ESCALATION HANDLING
EnrollHostel expects that all queries & issues related to successful execution of the project would be discussed and resolved via the various meetings set out in the Communication Plan. However, there may be instances where either School or EnrollHostel management encounters or foresees issues that need the direct and prompt attention of the other side’s management.
3.3.3 COMMUNICATION PLAN
Meeting Type/Purpose | Frequency | Participants (EnrollHostel) | Participants (School)
Project Discussion/Issue Resolution | Need basis | • Technical Lead • Other team members (optional) | • Project Manager • IT SPOC
Project Status Review | Weekly | • Service Delivery Manager • Technical Lead | • Project Manager
Steering Committee Review | Monthly | • Engagement Manager • Technical Lead • Service Delivery Manager | • Project Manager • Project Champion
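The Incident, Problem and Security Management metrics listed in 3.3.1 can be derived directly from ticket records. The following is an added example, not EnrollHostel’s reporting tool: it computes a subset of those metrics (SLA breaches, L2-only resolution rate, time from first incident to root cause, incidents still reported after a problem was identified, security incidents by severity) over constructed sample tickets; the record layout and field names are assumptions made for the example.

```python
"""Reporting metrics (section 3.3.1) computed from constructed ticket data.
Added example, not EnrollHostel's reporting tool; record layout, field
names and sample tickets are assumptions made for this illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

H = timedelta(hours=1)
T0 = datetime(2018, 5, 1, 8, 0)  # constructed reference time


@dataclass
class Incident:
    id: str
    opened: datetime
    resolved: Optional[datetime]      # None while still open
    sla_hours: float                  # resolution time agreed in the SLA
    resolved_by: str                  # "L2" or "L3"
    remote: bool                      # resolved remotely by the support team
    known_resolution: bool            # repeat of an incident with a known fix
    problem_id: Optional[str] = None  # linked problem record, if any
    severity: Optional[str] = None    # set only for security incidents
    service_interrupted: bool = False


@dataclass
class Problem:
    id: str
    first_incident: datetime                   # first occurrence of a linked incident
    root_cause_identified: Optional[datetime]  # None while the root cause is unknown
    resolved: Optional[datetime]
    effort_hours: float                        # work effort spent on the problem


# Constructed sample data (not real ticket history)
INCIDENTS = [
    Incident("INC1", T0, T0 + 2 * H, 4, "L2", True, False, "PRB1"),
    Incident("INC2", T0 + 1 * H, T0 + 7 * H, 4, "L3", False, False, "PRB1"),  # past SLA
    Incident("INC3", T0 + 30 * H, T0 + 31 * H, 4, "L2", True, True, "PRB1"),  # after root cause
    Incident("INC4", T0 + 5 * H, T0 + 6 * H, 2, "L2", True, True),
    Incident("INC5", T0 + 9 * H, T0 + 10 * H, 8, "L2", False, False,
             severity="high", service_interrupted=True),
    Incident("INC6", T0 + 12 * H, None, 8, "L3", False, False, severity="low"),
]
PROBLEMS = [
    Problem("PRB1", T0, T0 + 24 * H, T0 + 40 * H, 12.0),
    Problem("PRB2", T0 + 3 * H, None, None, 5.0),
]


def _hours(start, end):
    return (end - start) / H


def _mean(values):
    values = list(values)
    return sum(values) / len(values) if values else 0.0  # empty reporting period


def _pct(part, whole):
    return 100.0 * part / whole if whole else 0.0


def incident_metrics(incidents):
    """Incident Management metrics: repeats, remote fixes, SLA breaches, L2 rate."""
    closed = [i for i in incidents if i.resolved is not None]
    within_sla = [i for i in closed if _hours(i.opened, i.resolved) <= i.sla_hours]
    return {
        "repeated_known_resolution": sum(i.known_resolution for i in incidents),
        "resolved_remotely": sum(i.remote for i in closed),
        "escalated_past_sla": len(closed) - len(within_sla),
        "avg_resolution_hours": _mean(_hours(i.opened, i.resolved) for i in closed),
        "pct_resolved_by_l2": _pct(sum(i.resolved_by == "L2" for i in closed), len(closed)),
        "pct_within_sla": _pct(len(within_sla), len(closed)),
    }


def problem_metrics(problems, incidents):
    """Problem Management metrics, including incidents linked to a problem
    that were still reported after its root cause had been identified."""
    identified = [p for p in problems if p.root_cause_identified is not None]
    resolved = [p for p in problems if p.resolved is not None]
    after = sum(1 for p in identified for i in incidents
                if i.problem_id == p.id and i.opened > p.root_cause_identified)
    return {
        "problems_logged": len(problems),
        "avg_resolution_hours": _mean(_hours(p.first_incident, p.resolved) for p in resolved),
        "root_cause_unknown": len(problems) - len(identified),
        "incidents_after_identification": after,
        "avg_hours_to_root_cause": _mean(
            _hours(p.first_incident, p.root_cause_identified) for p in identified),
        "avg_effort_hours": _mean(p.effort_hours for p in problems),
    }


def security_metrics(incidents):
    """Security Management metrics: incidents by severity and service impact."""
    sec = [i for i in incidents if i.severity is not None]
    by_severity = {}
    for i in sec:
        by_severity[i.severity] = by_severity.get(i.severity, 0) + 1
    return {"by_severity": by_severity,
            "causing_interruption": sum(i.service_interrupted for i in sec)}


if __name__ == "__main__":
    print(incident_metrics(INCIDENTS), problem_metrics(PROBLEMS, INCIDENTS),
          security_metrics(INCIDENTS), sep="\n")
```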
3.3.4 RISK MANAGEMENT PLAN
EnrollHostel proposes to use the industry-standard FMEA tool (Failure Mode Effect Analysis) for managing risks. FMEA aids in the analysis of potential failures, problems or defects within a system using a classification by the severity and likelihood of the failures. Using the FMEA analysis, the project team can plan appropriate mitigation & contingency strategies.
Fig: Risk management cycle – Risk Identification via FMEA; Develop Mitigation & Contingency Plan; Periodic Risk Review; Address major risks; Update FMEA
3.3.5 CHANGE MANAGEMENT PROCEDURE
EnrollHostel understands that a project often requires changes during execution, and hence proposes a robust change management procedure. EnrollHostel proposes that a Change Management Board is established that has the authority to approve, partially approve or reject any change request. The Board would comprise:
ENROLLHOSTEL
• Service Delivery Manager
• Engagement Manager
School
• Project Manager
• Project Champion
• Sourcing (optional)
Fig: Change management flow
Trigger for Change • Scope • Requirements • Tools & Technology • Schedule Adjustments
Impact Analysis • Schedule • Effort • Cost • Artifacts and Deliverables
Submission of formal Change Request (CR)
Discussion & Approval of CR by Change Management Board
Updated CR
Implementation of CR • Contract • Project plan • Artifacts & Deliverables
3.4 ENROLLHOSTEL | COMPLIMENTARY VALUE ADDED SERVICES
EnrollHostel’s decade-old expertise in managing network infrastructure brings many advantages compared to other IT Managed Service providers. Since we always strive to bring the best possible robustness to our clients’ networks, we will be bringing the following as complimentary services:
- Complimentary anti-virus software licences for all end-point devices, along with maintenance
- Complimentary penetration testing to test the robustness of the installed network
3.5 ENROLLHOSTEL | DIFFERENTIATORS | Services
EnrollHostel is one of those rare organisations that not only possesses leading IT Infrastructure management professionals but also a global group of cybersecurity professionals. With security clearances of the highest order (US Fed clearance), our professionals have led many “Incident Response teams” carrying out “Forensics” for networks that have been breached.
3.5.1 CYBERSECURITY SERVICES
In today’s information economy, data can be your organization’s most valuable asset, but with the rise of mobile technology, cloud computing, and the exponentially growing volume of digital information, keeping that data secure also becomes one of your greatest challenges. No one is immune to data loss incidents, and no one is better equipped than EnrollHostel to help you identify and close gaps that put your organization’s cyber security at risk. Information security issues — such as data breaches or employee misconduct — are a constant worry for C-suite leaders as well as for front-line managers in your organization. Cybersecurity challenges put sensitive data at risk and can cost your company time, revenue and resources.
EnrollHostel offers extensive cybersecurity strategy and services that can be applied to meet your unique requirements, whether they be related to a system, an architecture, a network, policy establishment or process implementation and improvement. We work with organizations at various stages of their cyber security strategy development and cyber security program implementation.
3.5.1.1 GDPR Services
A penetration test (pen-test) is a procedure to assess the security of an IT infrastructure by safely attempting to exploit its vulnerabilities. These vulnerabilities may exist in operating systems, services, application flaws, improper configurations or risky end-user behaviour. Such assessments are also useful in validating the effectiveness of defensive mechanisms and end-user adherence to security policies. EnrollHostel’s team of leading pen-testers tests the effectiveness of the organization’s security. This is accomplished by emulating the behaviors and techniques of likely attackers in the most realistic way possible.