Compliance and real-time data: is it really well organized?

Every day we share and use large amounts of real-time data. As a Compliance Officer, I regularly ask myself: is my data in good hands? We often share personal information via cookies, webshops and emails without thinking, and trust that it is always handled properly and securely. But how well founded is that assumption really? And can you rely on it blindly? In this blog, I will take you through my work as a Compliance Officer and share some tools that will make you more aware of what you can and should expect from the parties that handle your data.

June 17th, 2025   |   Blog   |   By: AMIS Conclusion


Information security starts with clear preconditions

When it comes to data usage, we expect organizations to comply with common information security principles. Think of confidentiality, integrity and availability of data. In other words, is the data sufficiently protected against unauthorized access? Is the data correct, complete and up-to-date? And is it accessible and usable when you need it?

In addition, non-repudiation must be guaranteed: the sender of information must not be able to deny having sent it, and the recipient must not be able to deny having received it. The authenticity of systems and users must also be demonstrable. Finally, we expect privacy to be properly safeguarded and the physical and digital security of users and systems to be in order.

These principles are summarised in the mnemonic CIANA-PS:

  • Confidentiality
  • Integrity  
  • Availability  
  • Non-repudiation  
  • Authenticity  
  • Privacy 
  • Security

In addition to these information security principles, other requirements may apply, such as financial, HR, environmental, sustainability, product or contractual obligations. Look at this consciously the next time you share or consult information online; you can often already see where the first headaches arise.

What agreements do you make when you share data?

What do you actually agree on when you share data, and how do you monitor those agreements? In my role, I ensure that we at AMIS Conclusion act in accordance with the frameworks we have agreed with our stakeholders. These are internal stakeholders, such as management, employees and the works council, but also external stakeholders such as customers, suppliers and governments. All these stakeholders have certain requirements and expectations, which we translate internally into policies, guidelines and procedures. Your requirements as a customer may be among them, expressed for example as ISO, ISAE or GDPR requirements.

My main task is to ensure that these requirements are not only laid down, but actually complied with. That goes beyond showing a certificate or assurance statement. Such a certificate or statement is just the packaging. What really counts are the many measures and controls that have been set up in line with the policy to honour the agreements. Compare it to a driver's licence: it shows that someone is authorised to drive, but says nothing about how well that person actually drives. You probably wouldn't get into the car with someone you know to be an unsafe driver, licence or not.

From start to finish: the entire data lifecycle

These general expectations therefore apply throughout the entire data lifecycle: during the creation, storage, use, sharing, archiving and deletion of data. But how do you, as a consumer or organization, know whether a party is living up to them? Do you simply take the other party at their word? Or do you only settle for demonstrable facts? This is where compliance comes into its own. As a consumer, a degree of trust is often sufficient, but as an organization more is needed, such as regulation, supervision, risk analysis, sanctions and reporting obligations.

Transparency in data usage is essential

As a consumer, I also need transparency. I don't mind that a service like Google learns my preferences so that I get better search results; after all, I don't pay for it. But as soon as I do pay, I want to decide for myself what happens to my data. Then I want to know what has been agreed and who is responsible for what.

Terms of use that refer to privacy policies and terms of service provide clarity. But let's be honest: who really reads them? You probably recognise this: you visit a website and blindly accept all cookies because otherwise the site will not work properly. During the ordering process, you accept all delivery terms and conditions without reading them. And when you start using the online service, you accept its terms of use as well. What you may actually be doing is giving the other organization carte blanche over your data. The question is: do you really want that?

Large and small organizations, different risks

As a Compliance Officer, I therefore need transparency, both internally and in cooperation with external parties. I see two points that deserve extra attention:

  1. Small organizations that do not (yet) fully meet all requirements. They need additional guidance and testing.
  2. Tech giants such as Microsoft, Google, Amazon and Oracle. Although they meet the formal requirements, it is difficult to press them for any extra transparency.

This is how you assess whether an organization handles data reliably

If you are going to assess an internal or external organization and the way it uses data, three things are important:

1 | The scope

The scope defines what a quality or information security management system, and therefore its certificate, actually covers. Does the system apply to your data? An ISO 27001 certificate, for instance, covers only the processes, locations and services named in its scope statement; the service that actually holds your data may fall outside it. Without knowing the scope of a certificate or assurance statement, it is difficult to judge whether an organization is managing your data properly.

2 | The maturity of the organization

The maturity of an organization is also important. Is it a start-up, or does the organization already have years of experience with processes that are continuously improved through the so-called PDCA cycle (Plan-Do-Check-Act)? You will often find little or no information about maturity on websites or in certificates. Assurance reports can sometimes provide more clarity: an ISAE 3402 Type II report, for example, describes the controls in place and the auditor's tests of their operation over a period of time, including any exceptions found, which says more about maturity than a certificate alone.

3 | Mutual responsibility agreements

The so-called 'shared responsibility matrix' of the tech giants indicates where their responsibility ends and where the customer's begins. Broadly, the provider is responsible for the security of the underlying platform, while the customer remains responsible for how the data within it is classified, configured, accessed and protected, even though the data is stored in the cloud. This means that as a consumer or organization you hand over your data while keeping a large part of the responsibility for it yourself. So you determine your own data risks!

Does your data storage still meet the general expectations? Yes and no. Formally, you remain responsible for your data in these cases, especially if something goes wrong. The risk you run depends on the measures the provider offers you and on which of them you have actually implemented and configured yourself. Think of:

  • A well-designed and regularly tested backup and restore procedure
  • Redundant environments for optimal availability
  • Sufficient monitoring and logging to detect misuse of your data

Why relying on real-time data shouldn't be a coincidence

At AMIS Conclusion, we don't take data lightly. If we don't have our affairs in order, it has direct consequences: trains come to a standstill, logistics chains get stuck, planes remain on the ground and in some cases there is no power at all.

As a master of real-time data, we are very aware of the responsibilities that come with it. Stakeholders demand not only speed and availability, but also reliability and security. That is why we take quality, security and privacy as our starting point, and ensure that the general expectations described above are met. We actively maintain various national and international quality systems, including ISO 27001, NEN 7510 and ISAE 3402.

As a Compliance Officer, I am a line judge along our 'data fields'. I raise the flag when necessary, and I am guided by internal and external referees (the auditors). It is up to you as a spectator (the organization) to assess the quality of our performance. So make sure you obtain enough information to place your trust on a justified basis. And feel free to talk to me if you have any questions about that.