This statement contains information on how we deal with the processing of personal data as part of the SURF SOC/SIEM service (SOC = Security Operations Center, SIEM = Security Incident and Event Management).
This statement contains information on how we deal with the processing of personal data as part of the SURF SOC/SIEM service (SOC = Security Operations Center, SIEM = Security Incident and Event Management).
The Academy processes personal data in the context of SURF SOC/SIEM by collecting log data from the ICT infrastructure. We collect this data in order to analyse it for possible attacks and thus identify suspicious behaviour in time. In this way we manage our information security and monitor security incidents.
By means of the SIEM solution, personal data is collected and analysed from the Academy's ICT infrastructure via network monitoring and log files. SIEM functionality has been outsourced to SURF and is provided by Fox-IT. Part of the SIEM system is a database managed by UMBRIO.
In this privacy statement, we explain why we collect data, what data we collect, how long the data is retained, and how it is transferred to third parties. This privacy statement deals explicitly with the processing of personal data within SURF SOC/SIEM. You can access the Academy's central privacy statement on the Academy's Privacy statement webpage.
The legal basis for processing personal data in the context of SURF SOC/SIEM is the Academy's legitimate interest in safeguarding its networks and information and thereby protecting data relating to individuals.
Our aim in processing your personal data is twofold:
Your personal data that we process is collected through network monitoring and log files. The data is only consulted when an incident occurs that warrants examining the logged data. Only the data related to the incident is examined.
To identify possible misuse and to check whether an administrator account has been hacked, the data of administrators who have access to this environment is logged and stored within the Academy's SIEM environment. This includes commands (keyboard strokes) entered by administrators. Here too, log data is only consulted when an incident occurs that warrants examining the logged data. Only the data related to the incident is examined.
We process personal data of anyone who uses the Academy infrastructure in any way (employees, guests, website visitors...). This personal data includes, for example, e-mail addresses, login names (not passwords!), names and network addresses of computers, mobile phones, websites, etc. with which there has been contact and the times when that took place. This data is forwarded unfiltered to the SIEM environment.
Your personal data that we process is forwarded to various parties. Processing agreements have been concluded with all these parties, or the processor has concluded a processing agreement.
This concerns the following parties:
The personal data is stored and transmitted encrypted by all parties. Incident handlers can only access the data via Multi-factor Authentication. Only a limited number of people have access to the data. A record of who views what data is also kept so as to identify misuse. Processes are in place to prevent misuse, for example the four-eyes principle and periodic checks. Storage and processing of personal data (including by third parties) takes place within the European Economic Area (EEA).
Personal data stored in the SIEM system is retained by default for 183 days. The incident handlers can use the data as long as it is present in the SIEM system, i.e. for a maximum of 183 days. If the analyses reveal Indicators of Compromise (IoCs), these are shared (anonymised) with SURFcert (the incident response team for the SURF cooperative). After 183 days, the personal data is automatically cleaned up and removed from the SIEM system.
The Academy, as the data controller, is the first point of contact for you as a data subject. As a data subject, you have rights of access, rectification, restriction of processing and portability of data, as well as the right to be forgotten, right to object, and right to lodge a complaint with a supervisory authority. More information about these rights and how to invoke them can be found in the Academy's Privacy statement.
A Data Protection Officer has been appointed within the Academy to advise on and supervise data processing in accordance with the applicable legislation. To contact the Data Protection Officer, send an e-mail to fg@knaw.nl.