Data Security Summary
Data is very important.
Data security is an indispensable reality for all of us, whether as private individuals or as companies/organizations.
Technical and administrative measures must be taken:
a) To prevent unlawful access to personal data,
b) To prevent unlawful processing of personal data,
c) To ensure the protection of personal data.
It is first necessary to determine all the personal data processed by the data controller.
While determining the related risks, the following must be taken into account:
● whether the personal data is sensitive personal data,
● what degree of confidentiality its nature requires,
● the nature and quantity of the damage that may arise for the person concerned in the event of a security breach.
It is very important that employees and data owners have a basic knowledge of cybersecurity and know how to respond to an attack.
Employees and data owners are required to receive training on issues such as personal data not being disclosed or shared unlawfully.
Employees and data owners must be informed about current threats and the precautions to be taken against them.
Correct and consistent policies and procedures regarding personal data security should be determined and integrated into the work and operation of the data controller.
Within the scope of these policies and procedures:
* controls should be carried out regularly,
* the controls should be documented,
* the issues that need improvement should be determined, and
* the controls should continue regularly after the necessary updates are made.
Personal data should be accurate and, where necessary, kept up to date, and should be retained only for as long as the purpose for which it is processed requires.
It is recommended that data controllers do not frequently access or maintain personal data that is kept for archiving purposes.
Data controllers should make sure that the data processors from whom they receive services provide at least the same level of security as they provide for their own personal data, because data processors are also responsible, together with the data controller, for ensuring the security of personal data.
For information technology systems containing personal data, the priority measures that can be taken against unauthorized access threats over the internet are a firewall and a gateway.
A well-configured firewall can stop violations before they penetrate deep into the network.
Other important elements are patch management and software updates.
Access to systems containing personal data should be limited.
In order to prevent internal and external attacks, cybercrime and malicious software, the following should be carried out:
a) Checking which software and services are running in the information networks,
b) Determining whether there is an infiltration, or any activity that should not occur, in the information networks,
c) Keeping the transaction records of all users regularly (such as log records),
d) Reporting security issues as quickly as possible,
e) Establishing a formal reporting procedure for employees to report security vulnerabilities in systems and services, or threats that exploit them.
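Items (a) to (c) above are routine monitoring tasks, and a small script is enough to show how they fit together. The following is an added example, not code from the original post: it compares the services running on a host against an approved inventory, parses constructed auth-log lines (the format, host name, user names and addresses are all made up for the example) and flags bursts of failed logins and successful logins outside working hours. All thresholds and names are assumptions chosen for illustration.

```python
import json
import re
from collections import Counter

# Constructed inventory of services allowed to run on a host that stores
# personal data (hypothetical names, not taken from the page).
APPROVED_SERVICES = {"sshd", "postgres", "nginx", "auditd"}

# Constructed snapshot of what is actually running on that host.
RUNNING_SERVICES = {"sshd", "postgres", "nginx", "auditd", "telnetd"}

# Constructed auth-log style lines; not real captured data.
SAMPLE_LOG = """\
2024-05-01T08:00:01 host1 sshd: Failed password for alice from 10.0.0.7
2024-05-01T08:00:03 host1 sshd: Failed password for alice from 10.0.0.7
2024-05-01T08:00:05 host1 sshd: Failed password for alice from 10.0.0.7
2024-05-01T08:00:07 host1 sshd: Failed password for alice from 10.0.0.7
2024-05-01T08:00:09 host1 sshd: Accepted password for alice from 10.0.0.7
2024-05-01T08:01:00 host1 sshd: Failed password for bob from 10.0.0.9
2024-05-01T08:02:00 host1 sshd: Accepted password for bob from 10.0.0.9
2024-05-01T03:15:00 host1 sshd: Accepted password for carol from 10.0.0.12
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+): (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_log(text):
    """Parse each line into a dict of fields; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def unexpected_services(running, approved):
    """Item (a): services running on the host that are not in the approved inventory."""
    return sorted(set(running) - set(approved))


def failed_login_bursts(events, threshold=3):
    """Item (b): (user, ip) pairs with at least `threshold` failed logins.

    A burst that ends in a successful login is the case most worth a closer look.
    """
    fails = Counter((e["user"], e["ip"]) for e in events if e["result"] == "Failed")
    successes = {(e["user"], e["ip"]) for e in events if e["result"] == "Accepted"}
    findings = []
    for (user, ip), n in sorted(fails.items()):
        if n >= threshold:
            findings.append({"user": user, "ip": ip, "failures": n,
                             "then_succeeded": (user, ip) in successes})
    return findings


def off_hours_logins(events, start_hour=7, end_hour=20):
    """Successful logins outside the assumed working hours (hour read from the ISO timestamp)."""
    out = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        hour = int(e["ts"][11:13])
        if not start_hour <= hour < end_hour:
            out.append((e["user"], e["ip"], e["ts"]))
    return out


def report(text=SAMPLE_LOG, running=RUNNING_SERVICES, approved=APPROVED_SERVICES):
    """Run all three checks and return one structure suitable for item (d), reporting."""
    events = parse_log(text)
    return {
        "events_parsed": len(events),
        "unexpected_services": unexpected_services(running, approved),
        "failed_login_bursts": failed_login_bursts(events),
        "off_hours_logins": off_hours_logins(events),
    }


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

The point of returning one structure from `report()` is that the same output can be written to the transaction log required by item (c) and handed to the reporting procedure of items (d) and (e); the thresholds and working hours would be tuned to the data controller's own environment.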
Evidence should be collected and securely stored in the case of undesirable events such as:
* the crash of the information system,
* malicious software,
* a denial-of-service (DoS) attack,
* incomplete or incorrect data entry,
* violations of confidentiality and integrity,
* abuse of the information system.
If personal data is stored on paper media or on devices located on the premises of the data controller, physical security measures must be taken against threats such as theft or loss of these devices and papers.
The same level of precautions should be taken for paper media, electronic media and devices located outside the premises of the data controller that contain personal data belonging to the data controller.
The use of access control, authorization and/or encryption methods will help ensure personal data security in case of loss or theft of devices containing personal data.
It is recommended that the personal data stored in the cloud be known in detail, backed up and synchronized, and that two-step authentication be applied where necessary for remote access to this personal data.
The needs for procuring, developing or improving systems should be determined by the data controller, and security requirements should be considered in that process.
In cases where personal data is damaged, destroyed, stolen or lost for any reason, data controllers must restore it as soon as possible from the backed-up data.
On the other hand, backed-up personal data should be accessible only by the system administrator, and data set backups should be kept off the network.
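Two of the backup requirements above can be checked mechanically: that backup files are readable only by the administrator account, and that a backup is still intact when it is needed for a restore. The following is an added example, not code from the original post. It creates a constructed backup directory (file names and contents are made up), records a SHA-256 manifest, and then reports files whose permissions grant group or other access and files whose contents no longer match the manifest. It assumes a POSIX system and treats the user running the script as the system administrator.

```python
import hashlib
import os
import stat
import tempfile

GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO  # any permission bit for group or other


def sha256_of(path):
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backup_dir(directory, admin_uid):
    """Return findings for a backup directory: wrong owner or group/other access."""
    findings = []
    dir_mode = os.stat(directory).st_mode
    if dir_mode & GROUP_OR_OTHER:
        findings.append(f"{directory}: directory mode {oct(dir_mode & 0o777)} grants group/other access")
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if not os.path.isfile(full):
            continue
        st = os.stat(full)
        if st.st_uid != admin_uid:
            findings.append(f"{name}: owned by uid {st.st_uid}, expected {admin_uid}")
        if st.st_mode & GROUP_OR_OTHER:
            findings.append(f"{name}: mode {oct(st.st_mode & 0o777)} grants group/other access")
    return findings


def build_manifest(directory):
    """Record the SHA-256 of every file at backup time."""
    return {name: sha256_of(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))
            if os.path.isfile(os.path.join(directory, name))}


def verify_manifest(directory, manifest):
    """Before a restore: report backups that are missing or no longer match the manifest."""
    problems = []
    for name, expected in manifest.items():
        full = os.path.join(directory, name)
        if not os.path.isfile(full):
            problems.append(f"{name}: missing")
        elif sha256_of(full) != expected:
            problems.append(f"{name}: checksum mismatch")
    return problems


def demo():
    """Constructed scenario: one compliant backup, one world-readable backup that is also altered later."""
    admin_uid = os.getuid()  # assumption: the running user stands in for the system administrator
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o700)
        files = {
            "customers-2024-05-01.sql.gz": 0o600,  # administrator only
            "customers-2024-05-02.sql.gz": 0o644,  # world-readable: the defect to catch
        }
        for name, mode in files.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(b"constructed backup content for " + name.encode())
            os.chmod(path, mode)
        manifest = build_manifest(d)
        # Simulate silent alteration of the second backup after the manifest was recorded.
        with open(os.path.join(d, "customers-2024-05-02.sql.gz"), "ab") as f:
            f.write(b"!")
        return {
            "permissions": check_backup_dir(d, admin_uid),
            "integrity": verify_manifest(d, manifest),
        }


if __name__ == "__main__":
    for section, items in demo().items():
        print(section)
        for item in items:
            print("  -", item)
```

The manifest should be stored with the same protection as the backups themselves, and the permission check is worth running on a schedule, since a backup that is world-readable on a shared host undermines the requirement that only the administrator can reach it.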