Asset Management and Devices (A. 8 Asset management) The organisation must have a register of the IT resources used for the processing of personal data on behalf of the data controller. This must be maintained by a specific resource, who also reviews and updates the list regularly, at least annually. All devices that are relevant in the handling and/or processing of the data controller’s data, including USB-keys and other mobile devices, must be protected, including hard disk encryp- tion, strong passwords used to protect against unauthorized access to personal data and ac- cess limitation to solely include employees with specific work-related purposes. Passwords must be stored in a hashed form. Login must automatically be blocked after 5 failed login at- tempts to protect against unauthorized access to personal data. If personal information can be processed on data processor’s employee-owned devices (BYOD) the devices must be adequately secured including encryption, forced adequate pass- words and access limitation to employees with specific work-related purposes, e.g., through sandboxing technologies. BYOD policies, guidelines and data protection policies must, upon request, be provided to the data controller – this also includes adopting a Mobile Device Man- agement (MDM) tool to enforce the above. The data processor must ensure control with all assets used to deliver services to the data controller which ensures that all data controller data are securely overwritten using specialised software before hardware decommissioning or reuse for other purposes. External media in use, including USB-keys, tablets, smartphones, etc. must be encrypted and securely erased or destroyed when decommissioned to protect against unauthorised access to personal data. Disks and removable media must be stored and protected against unauthorised access during repair, service and when transported, and must be handled in line with all security require- ments.
