Checklist to Support Thesis Interviews |
---|
1) Creation and Reception of Data
- Have the basis and purpose for handling the data sets been identified and defined? When collecting and storing data, it is always necessary to determine the basis for its processing and the purpose of data processing. If data collection cannot be justified, it should be considered whether data processing is necessary.
- Have the special requirements related to the data sets being processed, such as those related to personal data, been identified?
- Note that the special requirements of data sets may require resources from IT management. Remember to report all needs in advance through the helpdesk.
- When starting the interview, ensure that the sender of the meeting invitation initiates the recording. This minimizes the risk of the recording being accessed by outsiders unnecessarily.
- What is the data classification of the interview? The most important thing is to first identify the type of data related to the interview topic: public, internal, confidential, or secret. Generally, the information collected from the interview is confidential.
- Refer to the data classification and storage guidelines available on the Wiki pages for more detailed instructions.
|
2) Data Storage
- Who has access rights to the data?
- What is the data retention period and destruction time? Also agree on responsibilities: who will archive or destroy the data, for example, at the end of a project or initiative.
- Pay attention to an adequate security level when storing data on external devices, such as USB drives. For example, secret or classified information stored on a USB drive must be encrypted separately, according to the data classification scheme.
|
3) Data Usage
- Are the access rights and permissions for the data sets defined based on the individual’s needs (i.e., the need-to-know principle)?
- Is the data being processed only in the agreed and approved information systems, devices, and processing environments? The procedures for data handling must be defined and communicated to all participants.
- Classified or secret information must be processed on a personal Z-network drive, as specified by the data classification scheme.
|
4) Data Sharing and Transfer
- Can the identity of the recipient be sufficiently verified when sharing, transferring, and disclosing data? This is especially important when handling secret or classified material. For example, data sharing should always require the recipient to authenticate using a username and password.
- Is appropriate encryption used when sharing or transferring data? For instance, using the Z-network drive requires establishing a VPN connection, which encrypts the data traffic.
- Is it ensured that the data disclosure is lawful and that the recipient has both the right and the competence to handle the data sets when information is disclosed?
|
5) Data Archiving/Retention
- Have the data retention period, location, and method been considered in archiving? Also, who is responsible, and does archiving require resources from IT Services?
- Have the usability and readability of the data been ensured throughout the entire retention period?
- Ensure that the recording has not been archived in the Teams group channel if you started the interview as a Teams group rather than a personal interview. Delete the recording from the discussion platform used during the interview.
|
6) Data Disposal
- Is data disposal carried out in a sufficiently reliable manner at the end of the defined retention period or usage need?
- Do the reliable disposal procedures cover all devices that have stored classified information during their lifecycle? For example, network drives, external storage devices, cloud services, workspaces, workstations, etc.
- Remember to check the recycle bins on your computer and cloud services to permanently delete the data from all storage locations.
- Ensure that no interview-related material is left behind, such as in the discussion area of the interview session.
|