Each institution that processes personal data is obliged to ensure data security. Threats to personal data security can broadly be divided into intentional and unintentional actions. The measures taken should prevent all data security violations, whether made intentionally or unintentionally.
An example of an intentional violation is a data officer sharing personal data with another party. In this way, the institution allows unlawful access to and processing of personal data. It is difficult to prevent intentional violations by technological measures alone. In addition to technological security measures, process security measures should be well designed and effective control points should be determined. At this stage, institutions have serious duties to comply with the law.
The other threat is the unintentional exposure of data to people with malicious intentions, inside or outside the organization, because the institution has failed to ensure its security. Technological and process security measures will prevent unintentional violations, except for corporate information. Therefore, the organization has to take all technical and administrative measures to ensure personal data security. To do this, an information security system should be established that implements information security controls and measures in multiple areas.
When setting up the information security system, it is useful to implement controls and take precautions in the following areas. Implementing measures, directly and indirectly, on all threat surfaces that affect data security will minimize the risk.
- Network and system security must be ensured.
- Secure storage and transmission of data must be ensured.
- Information security awareness training should be provided.
- Systems and networks should be monitored and event records should be examined.
- Access controls should be regulated and constantly reviewed.
- Periodic system vulnerability tests should be performed.
- Current threats should be tracked and measures should be implemented.
- Only the data needed should be stored.
- Patch management should be done effectively.
- Data must be backed up.
- Physical security must be ensured.
Information security work should be carried out systematically because it concerns more than one area. Neglecting or omitting any of the areas mentioned above will damage the security of the data. Therefore, responsibilities for information security work should be defined, and care should be taken to ensure that information security personnel are technically equipped.