Professional Documents
Culture Documents
Singapore PDPA - Checklists To Guard Against Common Types of Data Breaches
Singapore PDPA - Checklists To Guard Against Common Types of Data Breaches
Organisations should still refer to the Guide to Data Protection Practices for ICT
Systems for implementation of baseline ICT data protection practices within their
organisation.
1
Refer to PDPC’s handbook on “How to Guard Against Common Types of Data Breaches”
2
Checklist to Guard Against Common Data Breaches
CHECKLIST 1
Application security in development
OBJECTIVES
This checklist aims to help organisations put in place good practices during their
application development phase and support process, to prevent coding issues that
could result in application errors leading to the subsequent disclosure of personal
data. It will also enhance security awareness and responsibilities during coding.
Not comply
Applicable
Policy / Risk Management
Comply
Comply
Partial
Not
BASIC PRACTICES
Applicable
ICT Controls
Comply
Comply
Partial
Not
BASIC PRACTICES
3
Checklist to Guard Against Common Data Breaches
development lifecycle.
Not comply
Applicable
ICT Controls
Comply
Comply
Partial
Not
b. Ensure adequate controls such as fail-safe
processing in coding under “if-then-else” exception
conditions are in place to prevent improper error
handling that may result in leakage of sensitive
personal data.
4
Checklist to Guard Against Common Data Breaches
Not comply
Applicable
SOP/IT Operations
Comply
Comply
Partial
Not
BASIC PRACTICES
2
Non-production environments include a network, operating system or other systems that are used as
a development area or test bed for new software or technologies.
3
Refer to PDPC’s “Guide to Basic Data Anonymisation Techniques”
5
Checklist to Guard Against Common Data Breaches
CHECKLIST 2
Infrastructure and system security
in ICT systems
OBJECTIVE
This checklist aims to help organisations review relevant data protection practices in
relation to configuration management, protection against malware/phishing,
enhancing security awareness/responsibilities and strengthening account
password management.
Not comply
Applicable
Policy / Risk Management
Comply
Comply
Partial
Not
BASIC PRACTICES
6
Checklist to Guard Against Common Data Breaches
Not comply
Applicable
Policy / Risk Management
Comply
Comply
Partial
Not
c. Communicate ICT security policies to both
internal stakeholders (e.g. staff), and
external parties (e.g. customers). This
provides assurance to external stakeholders
that their personal data are adequately
protected; and provides clarity to internal
stakeholders on their responsibilities and
security processes on handling personal
data in their day-to-day work and business
activities.
7
Checklist to Guard Against Common Data Breaches
Not comply
Applicable
ICT Controls
Comply
Comply
Partial
Not
BASIC PRACTICES
4
A commonly used phrase or paraphrase created by user will help them to remember their own
password more easily. If combined with uppercase, lowercase, numbers and special characters, it
makes the password stronger and harder to decode. An example is “Learn2bike@5” or
“LetsGo2gym@7”.
8
Checklist to Guard Against Common Data Breaches
Not comply
Applicable
ICT Controls
Comply
Comply
Partial
Not
Web applications and website security
5
Refer to OWASP’s website.
9
Checklist to Guard Against Common Data Breaches
Not comply
Applicable
ICT Controls
Comply
Comply
Partial
Not
Computer networks
10
Checklist to Guard Against Common Data Breaches
Not comply
Applicable
ICT Controls
Comply
Comply
Partial
Not
ENHANCED PRACTICES
11
Checklist to Guard Against Common Data Breaches
Not comply
Applicable
ICT Controls
Comply
Comply
Partial
Not
Computer networks
Database security
12
Checklist to Guard Against Common Data Breaches
Not comply
Applicable
SOP/IT Operations
Comply
Comply
Partial
Not
BASIC PRACTICES
Security awareness
13
Checklist to Guard Against Common Data Breaches
Not comply
Applicable
SOP/IT Operations
Comply
Comply
Partial
Not
Compliance, monitoring, alerts, test and audits
14
Checklist to Guard Against Common Data Breaches
Not comply
Applicable
Comply
Comply
Partial
Not
ICT security and testing
Computer networks
15
Checklist to Guard Against Common Data Breaches
Not comply
Applicable
SOP/IT Operations
Comply
Comply
Partial
Not
ENHANCED PRACTICES
Computer Networks
16
Checklist to Guard Against Common Data Breaches
17
BROUGHT TO YOU BY
The contents herein are not intended to be an authoritative statement of the law or a substitute for
legal or other professional advice. The PDPC and its members, officers, employees and delegates
shall not be responsible for any inaccuracy, error or omission in this publication or liable for any
damage or loss of any kind as a result of any use of or reliance on this publication.
The contents of this publication are protected by copyright, trademark or other forms of proprietary
rights may not be reproduced, republished or transmitted in any form or by any means, in whole or in
part, without written permission.