Security

This security description is based on ENISA’s guidelines. Overall, we assess that the impact of personal data loss is low, and the likelihood of personal data loss is also low. The security measures implemented are therefore, according to the ISO27001 standard, typically at a low level. However, higher security measures have been implemented in a number of areas, particularly related to Area A (Network and Technical Resources).
The data collected is expected to relate to areas that have no influence on individuals’ fundamental rights and freedoms, and any data loss would only minimally affect their lives. ENISA defines this as: Individuals may encounter a few minor inconveniences, which they will overcome without difficulty (time spent reloading information, irritation, etc.).
The processing is expected to include a limited amount of personal data with limited sensitivity, and the system is designed such that personal data, as far as possible, cannot be linked to a facilitator or participant unless this is explicitly desired and necessary for conducting teaching and/or evaluation activities.
Thus, any personal data from facilitators and participants that the Data Controller chooses to collect will be anonymised. The solution can only be accessed anonymously using a session link, so if the user provides personally identifiable data, it is automatically anonymised, as it is tied only to a fully randomly generated session ID and participant ID.
It is not expected that the collected data holds particularly high interest for external parties, and therefore, a higher level of security is not aimed for. Accordingly, we assess the likelihood of personal data loss as low.

Organizational Security Measures

  • The organization has an information security policy concerning the processing of personal data (A1).
  • The information security policy is updated annually (A2).

Roles and Responsibilities

  • Roles and responsibilities related to personal data processing are clearly defined and assigned in accordance with the security policy (B1).
  • During internal reorganizations, terminations, or changes in employment, rights and responsibilities are revoked. Handover procedures are clearly defined (B2).

Access Control Policy

  • Specific access rights are assigned to each role involved in processing personal data, with access granted only to the necessary privilege level (C1).

Resource/Asset Management

  • The organization maintains a register of all IT resources, including those used for processing personal data (hardware, software, and network). For each IT resource the register records its type (e.g., server, workstation) and its location (physical or electronic). The COO is responsible for maintaining and updating the register (D1).

Change Management

  • All changes to the IT system are logged and monitored regularly and automatically, with notifications sent to the COO (E1).
  • Software development takes place in a separate environment not connected to the system used for personal data processing. There is a test server with dummy data and a staging server with real data before changes go live (E2).

Data Processors

  • Formal guidelines and procedures are in place for data processors’ handling of personal data, including sub-processors (F1).
  • If the data processor discovers a breach of personal data security, they must notify the data controller without undue delay (F2).
  • Formal requirements and obligations are agreed upon between the data controller and the data processor. The processor must provide adequately documented evidence of compliance (F3).

Incident Response and Business Continuity

  • A procedure is defined to ensure an effective and orderly response to personal data incidents (G1).
  • Breaches of personal data security are reported without delay to management and to affected parties, in accordance with Articles 33 and 34 of the GDPR (G2).

Business Continuity

  • The organization has established key procedures to ensure the necessary level of continuity and availability of the IT system processing personal data in the event of a breakdown. In the case of a physical or technical incident, the data processor will be able to restore access to and availability of the data via backup through Azure services (H1).

Staff Confidentiality

  • The organization ensures that all employees understand their responsibilities and obligations regarding personal data processing.
  • The data processor’s employees are bound by confidentiality and integrity clauses in their employment contracts. Individuals at the processor with access to the system have clean criminal records. Roles and responsibilities are clearly communicated during the hiring and onboarding process (I1).

Staff Training

  • All employees are adequately informed about the IT system’s security controls relevant to their daily work.
  • Employees involved in processing personal data are properly informed about relevant data protection requirements and legal obligations through annual updates (J1).

Access Control and Authentication

  • An access control system is implemented for all users with access to the IT system. It allows creation, approval, review, and deletion of user accounts (K1).
  • The use of shared user accounts is avoided. If necessary, all users of a shared account have the same roles and responsibilities (K2).
  • An authentication mechanism controls access to the IT system (based on the access control policies), using a username/password combination.
  • Password complexity can be configured by the administrator (K3).
  • The access control system can detect and reject passwords that do not meet complexity requirements. A specific password policy is defined and documented, covering length, complexity, and allowable failed login attempts (K4).
  • User passwords are stored in hashed form (K5).
  • Two-factor authentication is recommended for systems processing personal data but can be omitted if the data controller deems it unnecessary (K6).

Logging and Monitoring

  • Log files exist for the entire system, including those processing personal data. They cover all types of data access (viewing, modification, deletion) (L1).
  • Actions by system administrators and operators, such as adding/deleting/modifying user rights, must be logged (L2).
  • Log files are timestamped and protected against manipulation and unauthorized access (L4).

Server/Database Security

  • Database and application servers are configured to run using separate accounts with minimum OS privileges required to function properly (M1).
  • These servers process only the personal data necessary for their intended purpose (M2).
  • Access occurs through encrypted channels. User access occurs via HTTPS with certificates issued by a recognized provider (M3).
  • Pseudonymization and anonymization techniques are used to separate data from direct identifiers unless the data controller explicitly requires otherwise for evaluation purposes (M4).

Workstation Security

  • Regular users cannot disable or circumvent security settings (N1).
  • Antivirus software is automatically updated, typically weekly (N2).
  • The system has session timeouts; users are logged out after a defined period of inactivity (N4).
  • Critical security updates from the OS provider are installed regularly within 24 hours (N4).

Network/Communication Security

  • Communication is encrypted (SSL) when accessing via the internet (M1).

Backups

  • Backup and data recovery procedures are defined, documented, and clearly linked to roles and responsibilities (P1).
  • Backups are physically and environmentally protected at the same level as the original data (P2).
  • Execution of backups is monitored to ensure completeness (P3).
  • Full backups are performed on a regular weekly schedule (P4).

Mobile Devices

  • Documented procedures exist for mobile devices, including clear rules for correct use (Q1).
  • Mobile devices are not used to access or export personal data (Q2).

Application Lifecycle Security

  • During development, best practices and well-established secure development standards are followed. The system is built on a modern framework, and the platform is continuously updated to the latest versions, with automated monitoring of abnormal events and automated tests for known bugs; all development takes place in a separate environment (R1).
  • Specific security requirements are defined early in the development lifecycle (R2).
  • Technologies and techniques designed to support privacy and data protection are built into the system from the beginning (R3).
  • Testing and validation are conducted during development to ensure the original security requirements are implemented (R4).
  • Secure coding standards and practices from OWASP are followed (R5).

Data Deletion/Disposal

  • Software-based overwriting is performed on all media before disposal. If not possible (e.g., CDs, DVDs), they are physically destroyed (S1).
  • After software-based deletion, additional hardware-based measures such as degaussing and physical destruction are taken if the hardware contained sensitive personal data (S5).

Physical Security

  • The physical area of the IT system infrastructure is inaccessible to unauthorized personnel unless accompanied by authorized staff (T1).