Privacy and information security management: new guidance released

The Crossroads Bank for Social Security (CBSS) has recently published some rules that, at a minimum, must be adhered to when processing (personal) data within the social security system, as well as related guidelines (e.g. data classification, cloud computing and incident management).

Although primarily intended for the social security stakeholders, these provisions may also be of interest to other audiences, notably because the upcoming EU General Data Protection Regulation (GDPR) has been taken into account. In this regard, adopting a risk-based approach and embracing a “security and privacy by design” attitude from A to Z are some of the most striking examples.

It is likely that information security and/or data protection officers are already familiar with most of these rules and “best practices” but, in the current case, the CBSS also explains how their organisations should consider them in practice, for instance as regards virtualization-related risks. Furthermore, specific standards, such as ISO 27002:2013 and COBIT 5, have been put forward.

Finally, comprehensive self-assessment questionnaires have been developed. They must be completed and returned in due time by the social security institutions concerned and third persons who process their information or supply them with ICT infrastructure components.

These rules, guidelines and questionnaires can be found on (section privacy and security/GDPR)