Recital 83
Security of Processing
Executive Summary
Controllers and processors are required to evaluate the risks of their processing and to mitigate them, for example through encryption, VPNs and security infrastructure built in "by design".
Recital Text
In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.
Executive Summary
Logs pertaining to user access activities, system faults, and security events should be recorded, stored securely and kept for as long as business needs require. Logs concerning the environment which processes or stores personal data should include additional information such as successful and unsuccessful logon or access to cardholder data, tampering with audit trails, as well as all actions by privileged users.
Each log entry should contain the user identification, the type of event, the date and time, a success/failure indication, the origin of the event, and the affected resource. System clocks should be synchronized across systems so that log timestamps can be correlated reliably for forensic purposes.
Article ID: 384
Created: September 27, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/gdpr-security-of-processing-log-management-384.html