Paul beat me to that control reference!
To be honest I think you are asking the wrong question. You should be asking
"what do I need to have in place to ensure that I comply with legislation
and that will satisfy any regulatory bodies that information management is
being done properly". When you look at it from this angle, a breach log is
an obvious need.
Simon Howarth
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Paul Ticher
Sent: 16 April 2013 16:40
To: [log in to unmask]
Subject: Re: [data-protection] Breach Logs
The ICO points people in the direction of ISO 27001 in terms of compliance
with Principle 7.
Control A.13.2.2 in ISO 27001 is entitled 'Learning from information
security incidents' and the control is that 'There shall be mechanisms in
place to enable the types, volumes and costs of information security
incidents to be quantified and monitored.'
It's not exactly a mandatory log, but if it walks like a duck and quacks ...
Paul Ticher
0116 273 8191
www.paulticher.com
22 Stoughton Drive North, Leicester LE5 5UB
For continuous priority support on Data Protection, sign up to my support
service:
www.paulticher.com/data-protection-services
----- Original Message -----
From: "Baines, Jonathan" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Tuesday, April 16, 2013 3:19 PM
Subject: Breach Logs
I've asked this question on twitter, but thought it would be equally suited
here.
Is anyone aware of an explicit statement from the ICO that he expects Data
Controllers to maintain a log of data security incidents? I'm sure I've seen
this said at one time or another, but can't find it. There is a good
argument that DPP7 requires one, and I know its mandatory under the amended
PECR, but if anyone can point me to something with more general application
I'd appreciate it.
Jonathan Baines
Complaints and Information Rights Officer
Legal and Democratic Services
Buckinghamshire County Council
01296 383681
follow us on twitter: @buckscclegal
Buckinghamshire County Council
Visit our Web Site : http://www.buckscc.gov.uk
Buckinghamshire County Council Email Disclaimer
This Email, and any attachments, may contain Protected or Restricted
information and is intended solely for the individual to whom it is
addressed. It may contain sensitive or protectively marked material and
should be handled accordingly. If this Email has been misdirected, please
notify the author or [log in to unmask] immediately. If you are not
the intended recipient you must not disclose, distribute, copy, print or
rely on any of the information contained in it or attached, and all copies
must be deleted immediately. Whilst we take reasonable steps to try to
identify any software viruses, any attachments to this Email may
nevertheless contain viruses which our anti-virus software has failed to
identify. You should therefore carry out your own anti-virus checks before
opening any documents.
Buckinghamshire County Council will not accept any liability for damage
caused by computer viruses emanating from any attachment or other document
supplied with this email.
All GCSx traffic may be subject to recording and / or monitoring in
accordance with relevant legislation.
The views expressed in this email are not necessarily those of
Buckinghamshire County Council unless explicitly stated.
This footnote also confirms that this email has been swept for content and
for the presence of computer viruses.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list
owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your
needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list
owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your
needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|