What is the Information Security Procedure?

Under the Protection of Privacy Regulations (Data Security) 5777-2017, database owners and holders must establish a written Information Security Procedure governing the entity’s information security practices. The procedure must be reviewed annually and must address topics such as: (i) physical protection; (ii) access authorization; (iii) assessment of risks and mitigation steps; (iv) instructions to stakeholders; (v) incident management; and (vi) management and usage of networks and portable devices.

Owners and holders of databases subject to the medium or high security level (see: “What are Database Information Security Levels”) are required to include additional provisions in the Information Security Procedure, including, for example: (i) identification and verification measures with respect to access; (ii) methods of monitoring the use of the database systems; and (iii) the manner in which development activities in the database are performed and documented.