-
How is the software policy regulated?
-
What information security policy applies?
-
Do periodic scans take place? If so, how often?
-
Does the backup include draft datasets?
-
Is there a separation of development, test and production servers, and if so, how is this designed?
-
Who is responsible for the personal data in the datasets?
-
Is there such logging that in the event of a (suspected) data breach or other type of security incident, analyses can be made, such as who accessed, modified or deleted which data, which data was affected, et cetera?
-
How are the log files protected and are they in a different location from the systems themselves?
-
Can an institute, as part of an audit or following an incident, access the relevant part of the log file?
-
Can complete deletion of a dataset be done only at the request of the institute or depositor?