The JOUO TOMs explained

Here you can find out which extensions we are currently working on for JOUO

What is a TOM Documentation?

TOM = Technical and Organizational Measures

  • In JOUO you can document your TOMs (technical and organizational measures), which is mandatory under data protection laws (e.g. GDPR, Article 32).
  • Each TOM Documentation refers to one service provider. Since you usually work with several service providers, you need a separate TOM Documentation for each of them.
  • In the end, you have a standardized PDF in which all TOMs for the various service providers are clearly listed.

Gear wheel with lock

What are Doc-Groups?

Why are the TOMs for IP addresses documented?

  • If you have a website, you usually use technical services such as web hosting, server infrastructure or maintenance from your service providers.
  • Your data from your customers or the company is stored on the servers of your service providers. These are located in buildings at various locations.
  • Your IP addresses can be used to determine which service providers (e.g. web hosting providers) you use.
Map with location pins
  • TOMs are measures that are primarily intended to protect personal data.
  • These include, for example, access controls such as doors with keys or video surveillance.
  • Which measures are taken to protect personal data depends on your service provider (e.g. web hosting provider).
House with lock, fence and camera
  • A service provider can also take different measures at different locations.
  • For example, some server farms may have video surveillance and others may not.
  • We therefore group your IP addresses by service provider and location for the documentation of the measures.
  • These are then the Doc-Groups.
Two different buildings with different controls

So what do I have to select now?

Screenshot of adding a Doc-Group
  1. First select the service provider for which you want to document the TOMs.
  2. If the service provider has the same TOMs at several locations, select these locations as well.
  3. Create a name for your Doc-Group that describes it as clearly as possible.
    Attention: This name will be used later in the generated PDF. Therefore, please choose a meaningful name.

What are measures?

The protection of personal data

Today, personal data must be protected in accordance with data protection laws (e.g. GDPR Article 32).

TOM = Technical and Organizational Measures

  • TOMs list all the precautions that a company takes to ensure the security of personal data.
  • In the case of your website, this includes precautions taken by your own company, but also those of your service providers (e.g. your web hosting provider).
Offices with controls etc.

Technical measures

Technical measures are protective measures that are implemented with the help of hardware, software and physical security, such as encryption, firewalls, access controls or alarm systems.

Organizational measures

Organizational measures are all non-technical regulations and specifications that organize the processes, responsibilities and conduct of the persons entrusted with data processing, such as the dual control principle, confidentiality obligations, training or clear process instructions.

You should receive information about which measures your service provider is taking at which locations directly from your service provider.
The following controls are queried in the JOUO TOMs:

  • Access control (location)
  • Access control (system)
  • Access control (permissions)
  • Separation control
  • Pseudonymization
  • Transfer control
  • Input control
  • Availability control
  • Data protection management
  • Incident response management
  • Privacy-friendly default settings
  • Order control (outsourcing to third parties)

These areas come from official and publicly available templates that are based on the requirements of Article 32 of the GDPR.

We give you suggestions as to which measures may be taken. You can select these or enter your own.

How do I create a TOM in JOUO?

Prerequisite: your website must be registered in JOUO and your first security audit must have been completed.

Step 1

Click on TOM Reports in the navigation to create a new TOM Report for your website.

Screenshot of creating a TOM documentation
Step 2

Next, create a new Doc-Group.

Screenshot of adding a Doc-Group
Step 3

Next, enter the technical and organizational measures for the various areas, either by selecting given measures from the list or by adding your own.

All your entries are saved automatically. You do not have to save your data actively, so you can interrupt the TOM creation at any time and continue working on it later.

Screenshot of a checklist
Step 4

Repeat step 3 until you have documented all service providers.

Status bar of the documented IP addresses
Step 5

Finally, export your Doc-Groups.

Screenshot of exporting Doc-Groups

Information

You can duplicate a TOM after it has been exported so that you don't have to re-enter everything.

Screenshot of creating a copy

TOM documentation is locked after export and can no longer be edited. This means that all your TOMs remain reproducible and retrievable.

What is an Infrastructure Documentation?

For each TOM, you can automatically export the data JOUO has collected about your website as a PDF report. This allows you to document your website infrastructure at any time. The documentation includes, for example, all your IP addresses, vulnerabilities and DNS data.

Screenshot of a TOM documentation with button for downloading an infrastructure documentation

What do GDPR and NIS2 mean?

GDPR

This is the EU's ‘General Data Protection Regulation’, which every EU member state has implemented. Sometimes you will also find the German term Datenschutz-Grundverordnung (DSGVO).

Germany

The GDPR is implemented in Germany by the Federal Data Protection Act (BDSG) and the state data protection laws. JOUO covers both: GDPR and BDSG.

Switzerland

The nDSG (‘new Data Protection Act’) differs from the European General Data Protection Regulation (GDPR) primarily in that individuals can be fined up to CHF 250,000; the EU law does not provide for fines for individuals. JOUO also covers the nDSG.

NIS2

The NIS2 Directive (Network and Information Security Directive) obliges the member states of the European Union to adopt a national cyber security strategy. Under NIS2, mandatory security measures and reporting obligations in the event of security incidents apply to companies and organisations of medium size and above from 18 defined sectors. Service providers and suppliers of affected organisations are also obliged, even if they are based outside the EU, provided they are active in the EU.