Adoption of technical, organizational, and contractual measures

Each risk (or source of risk) associated with an organization's activities calls for a corresponding security measure aimed at reducing the probability of that risk materializing. Three broad categories of security measure can be distinguished.

Technical measures are those that directly and specifically protect the information system; they are, in other words, the safe in which the information is kept. There are many such measures, and they operate at different levels of protection:

  • physical security measures: gates, surveillance systems, physical archives, etc.
  • network and endpoint protection systems: firewalls, antivirus, antispam, etc.
  • authentication and accountability systems: credentials, passwords, access and activity logging, etc.
  • measures acting on the information itself: encryption, pseudonymization and anonymization
  • storage and availability measures: back-up systems, data centre, cloud, etc.

Secondly, risk can also be limited through organizational measures. The organization must set the rules for accessing and managing the information system, together with the procedures to be applied in every situation that may arise. Organizational measures serve two purposes. On the one hand, they give the information system greater protection because they make it possible to identify clearly who is responsible for what. On the other hand, organizing information in a structured way improves the organization's efficiency, since access is restricted to, and processing is limited to, the information that is actually needed (least privilege and data minimization).

The last level of protection is provided by contractual measures. The organization must define which obligations and responsibilities it imposes on which parties (for example suppliers, service providers and staff) and how it will act in the event of a breach.