Compliance, monitoring, alerts, test and audits
Regular assurance checks help organisations ensure that the ICT security controls developed
and configured for the protection of personal data are properly implemented and practised.
If, for example, software is not patched as recommended by the third-party software
provider, it may lack the latest security fixes and so weaken the organisation's defence
against cyber attacks.
Strong compliance with policies and processes, together with proper implementation of ICT
controls, are key foundations in combating cybersecurity issues. Such measures also strengthen
an organisation's incident response capabilities.
Compliance, Monitoring, Alerts, Test and Audits: Basic Practices

[Table: in the original, each practice below is marked against the data lifecycle stages
(Collection, Use, Disclosure, Storage, Archival, Disposal) in which it applies. The stage marks
did not survive extraction, except that practices e and g appear to be marked against all six stages.]

a. Conduct regular ICT monitoring, alerting, security audits, scans and tests to detect
vulnerabilities and non-compliance with organisational standards.
b. Apply prompt remedial action (e.g. system patching, security scans and checking of log
files for anomalies) to detect and fix security vulnerabilities and any non-compliance with
established policies and procedures.
c. Maintain audit logs to record events, as logs are important for determining the cause of
security incidents and for monitoring the overall health of ICT systems.
d. Implement measures to ensure that ICT system logs are reviewed regularly for security
violations and possible breaches.
e. Ensure that outsourced IT vendors are aware that the organisation intends to use their
services to handle personal data, and that they are clear on their responsibilities and
requirements for data processing. [12]
f. Understand the features and limitations of the solution (including plug-ins) that is
processing personal data before putting it into use. For example, when using WordPress
plug-ins, understand the features of the plug-ins by reading the online documentation
provided and change the necessary configurations from the default settings so that data
collected in forms is not published in a publicly accessible table.
g. Develop a data breach management plan to manage and respond to data breaches more
effectively. Such plans should consider the organisation's business processes and needs, and
cover the spectrum of the use of data throughout the data lifecycle. [13]
[12] Refer to PDPC's Guide to Managing Data Intermediaries.
[13] Refer to PDPC's Guide on Managing and Notifying Data Breaches under the PDPA and Checklist
for Incident Response Management (see Annex).
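As an added example (not part of the PDPC guide), the kind of automated first pass that practices b to d call for: a script that parses SSH authentication log lines in OpenSSH auth.log format and flags two anomalies a log reviewer would escalate, a burst of failed logins from one source address and a successful login following such a burst. The log lines, host name, addresses, user names and thresholds are constructed for illustration, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH auth.log style (not taken from any real system).
# The first source address fails five times and then succeeds as root; the second is a
# user who mistypes a password once and then logs in normally with a key.
SAMPLE_LOG = """\
Mar 10 02:14:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 02:14:05 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:07 web01 sshd[2207]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 02:14:09 web01 sshd[2209]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 02:14:12 web01 sshd[2211]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar 10 08:30:00 web01 sshd[3001]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar 10 08:30:20 web01 sshd[3003]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

# Matches the "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>" shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one auth.log line into an event dict, or return None for lines we don't review.
    The year is an assumption: syslog timestamps do not carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def review_auth_log(text, threshold=5, suspicious_failures=3, window=timedelta(minutes=10)):
    """Flag (1) a source address reaching `threshold` failed logins inside `window`, and
    (2) a successful login from an address with at least `suspicious_failures` recent
    failures, which is the pattern of a guessed or sprayed password that worked.
    Thresholds are illustrative assumptions; tune them to the system's normal traffic."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    failures = defaultdict(list)  # source ip -> timestamps of failed logins still in window
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        # Keep only failures within the sliding window for this address.
        recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
        failures[e["ip"]] = recent
        if e["result"] == "Failed":
            recent.append(e["ts"])
            if len(recent) == threshold:  # report once, when the threshold is first reached
                findings.append({"type": "brute_force", "ip": e["ip"], "ts": e["ts"],
                                 "failures": len(recent)})
        elif len(recent) >= suspicious_failures:
            findings.append({"type": "success_after_failures", "ip": e["ip"], "ts": e["ts"],
                             "user": e["user"], "failures": len(recent)})
    return findings


def main():
    for finding in review_auth_log(SAMPLE_LOG):
        print(finding)


if __name__ == "__main__":
    main()
```

Run against the constructed lines, the script reports a brute-force finding for 203.0.113.7 at the fifth failure and a "success after failures" finding for the root login that follows it, while alice's single typo is ignored. A pass like this only triages; the practice in d still requires a person to examine what the flagged session did afterwards, and lines the parser does not recognise should be counted rather than silently dropped when the script is extended to other log formats.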
GUIDE TO DATA PROTECTION PRACTICES FOR ICT SYSTEMS 27