
General Data Protection Regulation Compliance

A Personal Data Protection Program is developed to bring the organization into compliance with the General Data Protection Regulation (GDPR).
The service includes the development of personal data protection policies and procedures, compliance checks against the Regulation, data protection impact assessments (DPIA) and training on personal data protection.
Specifically, a Personal Data Protection Program based on the requirements of the Regulation includes:
• Assessment of the organization's current state in terms of information security and protection of personal data
• Identification of the different types of personal data and of the business units that hold them, and recording of how the data are collected and managed
• Creation of files and registers, personal data flow charts, and the corresponding Policies and Procedures
• Management of partners (processors) in order to confirm their compliance with the Regulation
• Data Protection Impact Assessment for each processing activity that involves a high risk for personal data
• Risk Assessment and Treatment (Technical and Organizational Measures) and a Compliance Plan
• Training and awareness of the organization's staff regarding the protection of personal data
• Compliance audit
The benefits of the service for an organization are:
• Compliance with the Regulation and avoidance of exposure to the very high fines it provides for (up to 4% of global annual turnover or €20,000,000, whichever is higher)
• Competitive advantage, since the Regulation requires each Data Controller to confirm that its Data Processors are also compliant with the Regulation
• Creation of a culture of personal data protection among all employees
• Identification and management of risks to the rights and freedoms of individuals

Information Security Management System

An Information Security Management System (ISMS), developed on the basis of the requirements of the ISO 27001 international standard, the ADAE Regulation on the confidentiality of communications and international good practice, protects information wherever it resides (in electronic form, in print, or as knowledge held by people).
The service includes questionnaires, interviews, on-site visits by Space Hellas information security consultants and a review of all information (paper and electronic documents), sites and systems of the organization related to information security. The implementation methodology is based on internationally recognized security standards such as ISO 27001:2013, as well as on the regulations likely to govern the organization. The services provided by Space Hellas include the following:
•    Information Security Policies of the organization (e.g. Acceptable Use Policy, Logical Access Policy, Network Security Policy, Physical Security Policy, Human Resources Security Policy) and the Procedures that support these policies
•    Risk Assessment and Risk Treatment Plan, which identifies the risks to the confidentiality, integrity and availability of information, the measures that treat them, and who is responsible for monitoring and implementing the treatment of each risk
•    Training and awareness of all employees of the organization in information security and cyber security, so that everyone knows the part of the Policies they must implement and how to protect themselves on the Internet
•    IT Audit, in which all access to the information systems is documented, the systems and their communications inside and outside the organization are depicted in diagrams, and the systems are checked for their security
•    Vulnerability Assessment, in which the technical, design and operational weaknesses of the computer systems that make up an information network are identified
•    Internal Audit, in which employees are audited on their knowledge of the Information Security Management System and its implementation
•    Development of a Business Continuity Plan, which identifies the critical functions of the organization, the possible scenarios for the cessation of operations, and the way and the time of restoration of operations

The benefits of the service for an organization are:

• Compliance with the law and avoidance of exposure to the very high fines it imposes
• A complete picture of the organization's security level
• Reliability
• Reduction of vulnerabilities

Possibility of Certification with ISO 27001
Through the development of an Information Security Management System, the organization becomes able to be certified against ISO 27001:2013. Space Hellas will advise the organization on the selection of the certification body and will represent the organization during the audit of its facilities by an independent auditor from the selected certification body.

 

Chief Information Security Officer Services (CISO)

The Space Hellas team can provide a properly trained and certified person to take on the duties of CISO.

The CISO is responsible for ensuring the confidentiality, integrity and availability of information. The CISO reports to top management and is also responsible for the following:
• Contributes to the development, adoption, implementation and maintenance of the information security framework, program, policies, procedures and guidelines.
• Maintains appropriate information security measures and mechanisms to protect against unauthorized access to electronically stored or transmitted data and against reasonably expected threats and risks. The CISO monitors and contributes to the continuous monitoring of the security of the organization's systems.
• Ensures compliance through adequate training programs and periodic information security checks. These checks must be both internal and external.
• Ensures the cooperation of the teams and their managers, so that all the policies and procedures that have been set:
o are valid throughout the organization
o are inspected regularly
o are inspected on an ad hoc basis when necessary
o are reviewed whenever anything substantial changes in the operation of the organization.
• Reports to the top management of the organization on the level of information security, the confidentiality of communications and the residual risk.
• Is a member of the Emergency Management Team and is responsible for evaluating and managing each incident in collaboration with specialized engineers and the other members of the team.
• Checks, at regular intervals, the readiness to activate all the mechanisms and persons described in the Security Incident Management Procedure.
• Advises the Risk Assessment Team, sets the periodicity of the risk assessment process and is aware of the quality of the team's work.
• Receives the Risk Assessment Report from the Risk Assessment Manager and keeps it up to date.
• Advises the Anti-Malware Team and checks its effectiveness.
• Supervises the effectiveness of the Security Review and Testing mechanisms that verify the implementation of the security policies.
• Implements and is responsible for conducting an Awareness Program for users on the security policies.
• Acts on non-compliance with the Security Policies. The CISO is kept informed of any changes in current legislation and in private agreements, in order to implement the necessary changes in the Security Policies.
• Communicates with all stakeholders to learn their information security requirements, evaluates them and ensures that they are satisfied.

Data Protection Officer Services

The GDPR recognizes the Data Protection Officer as a key component of the new data protection framework and sets out the conditions for the designation, position and tasks of the DPO.

The Space Hellas team can provide a properly trained and certified person to take on the duties of Data Protection Officer (DPO) in accordance with the provisions of the General Data Protection Regulation (GDPR) and of the EU and national institutional framework for personal data protection.

The aim is to control, improve and maintain the organization's compliance with the Regulation, with integrated mechanisms and policies that ensure, on an ongoing basis, that the organization operates in line with the applicable personal data protection provisions at the organizational, technical and legal level.

The consulting services cover all the obligations of the organization, which in general concern:
• Observance of the principles governing the processing of personal data
• Ensuring the rights of data subjects
• The obligations of the organization as a Data Controller, such as:
•    The security of personal data processing
•    Notification of a personal data breach to the supervisory authority and communication of the breach to the natural persons concerned
•    Conducting impact assessments (DPIA) for high-risk processing
• Transfers of personal data to third countries

In detail, the duties and responsibilities of the DPO include the following:
• Alignment of the organization with the requirements of the Regulation
• Ensuring the protection of personal and sensitive data
• Data protection impact assessment (DPIA), Risk Assessment and Treatment, and proposals for appropriate security measures
• Design and implementation of privacy policies and procedures
• Adoption of the principles of privacy by design and by default
• Compliance with the requirements set by the Regulation (manner of collecting personal data, consent, purpose of processing, retention period and storage location, access and deletion)
• Establishment of appropriate reporting and data breach notification procedures
• Supervision of the management of access rights and authorizations
• Staff training
• Compliance audits

 

Business Continuity Management System services

The damage that natural phenomena or the human factor can cause to an organization may be so significant that the organization has to stop operating for an indefinite period.

The provision of Business Continuity Management System services will help the organization achieve the following:
•    Recovery of its services after an unexpected and catastrophic event
•    Maintaining the reputation of the organization
•    Determining the maximum tolerable period of disruption for each product and service, so that the goals of the organization can still be achieved
•    Compliance of the organization's users, and of its procedures for managing information and information systems, with the applicable legal and regulatory requirements
• Fulfilment of the requirements of interested parties
• Investments in business continuity that are made on a cost/benefit basis, are proportional to the needs of the organization and cover those needs completely
• Measurable annual targets for business continuity, set on the basis of system audits and the analysis of their results by the organization's business continuity team
• Preparation for certification with ISO 22301:2019

The services provided by Space Hellas include the following:
•    Business Continuity Policies and the Procedures that support these policies
•    Risk Assessment and Risk Treatment Plan, which identifies the risks to the confidentiality, integrity and availability of information, the countermeasures, and who is responsible for monitoring and implementing the treatment of each risk
•    IT Audit, which documents all the procedures concerning information systems security
•    Training and awareness of all employees of the organization, so that everyone knows the part of the Policies and the procedures they must implement
•    Vulnerability Assessment, in which the technical, design and operational weaknesses of the computer systems that make up an information system are identified
•    Internal Audit, in which employees are audited on their knowledge of the Information Security Management System and its implementation
•    Development of a Business Continuity Plan, which identifies the critical functions of the organization, the possible scenarios for the cessation of operations, and the way and the time of restoration of operations
•    Disaster Recovery, which is a subset of Business Continuity and aims to address the effects of a disaster as quickly as possible so that the business can continue to operate
 
The benefits of the service for an organization are:
•    A complete picture of the critical functions of the organization
•    A complete business continuity plan for the organization
•    Continuation of operations after an unexpected event
•    Continuous provision of services and products
•    Reliability
•    Reduction of vulnerabilities

Possibility of Certification with ISO 22301:2019
Through the development of a Business Continuity Management System, the organization becomes able to be certified against ISO 22301:2019. Space Hellas will advise the organization on the selection of the certification body and will represent the organization during the audit of its facilities by an independent auditor from the selected certification body.

 

Compliance to NIS Directive

The NIS Directive has three parts:
1. National capabilities: each EU Member State must have certain national cybersecurity capabilities, e.g. a national CSIRT, regular cyber exercises, etc.
2. Cross-border collaboration: collaboration between EU countries, e.g. the operational EU CSIRT network, the strategic NIS Cooperation Group, etc.
3. National supervision of critical sectors: EU Member States must supervise the cybersecurity of critical market operators in their country: ex-ante supervision of operators of essential services in critical sectors (energy, transport, water, health, digital infrastructure and the finance sector), and ex-post supervision of digital service providers (online marketplaces, cloud computing services and online search engines).
How we can help you comply with the NIS Directive:
•    Development of an Information Security Management System and implementation of ISO 27001, the internationally recognized standard for information security
•    Development of a Business Continuity Management System and implementation of ISO 22301, the internationally recognized standard for business continuity
•    Vulnerability assessment and penetration testing
•    CISO as a service, including the cybersecurity checks the role requires
•    All necessary checks to ensure that the appropriate technical and organizational measures required by the Directive are implemented
•    Risk assessment that identifies all cybersecurity threats, always with a recommended solution for each threat identified, in line with best practice and the capabilities of the organization
•    A highly experienced team for incident handling
•    Improvement of, and goal setting for, the information security and business continuity management systems

IT Audits

An information technology audit involves the examination and evaluation of infrastructure, applications, the use and management of data, policies, processes and business procedures against recognized standards or established policies. Space Hellas assesses whether the controls protecting the organization's assets are adequate or whether additional measures are needed.
The primary objectives of an IT audit include:
•    Evaluating the systems and procedures that secure the organization's data
•    Identifying risks to the organization's assets and methods to minimize these risks
•    Confirming that information management procedures comply with laws, policies and standards (e.g. ISO 27001)
•    Identifying deficiencies in IT systems and in their management
•    Suggesting improvements and prioritizing actions


 

Risk Management according to ISO 31000, NIS and ISO 27005

The Risk Assessment is based on the NIS guidelines and on the internationally recognized ISO 27005 and ISO 31000 standards. It includes an assessment of the current situation and an assessment of assets, threats and vulnerabilities, with a risk owner assigned to each identified risk.

Information assets (data) are valued according to the impact that their disclosure, unauthorized modification or destruction would have. Physical assets (firewalls, file servers, workstations, switches, routers, etc.) are valued taking into account their replacement or repair cost, and the software assets that run on this infrastructure are valued in the same way.



Next, the security risks are identified. Specifically, the threats related to each asset are identified separately and the level of each threat is assessed; then the extent of the vulnerabilities that each threat could exploit is assessed.

The following threat categories are examined in order to identify threats:
•    Physical and environmental threats
•    Logical threats
•    Technical failures
•    Application software failures
•    Human errors
•    Malicious actions
To rate a threat, the frequency with which an incident is expected to occur is examined and rated as low, medium or high.

During the risk management process, the organization can manage the risk of each asset individually, having the following options:
•    Risk Acceptance
•    Risk Transfer
•    Risk Avoidance
•    Risk Mitigation
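The following is an added example, not Space Hellas' own tooling, that puts the qualitative method described above (and the Risk Assessment and Treatment Plan step of the ISMS service) into runnable form: each asset is valued by its worst-case confidentiality, integrity or availability impact, each threat is rated by expected frequency and by the extent of the vulnerability it can exploit, the product is ranked on a three-level scale, and the risk owner is offered one of the four treatment options. The three-point scales match the page; the score thresholds, the default treatment per level and the sample assets and threats are assumptions constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Three-point scale used for impact, threat likelihood and vulnerability extent."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Threat categories listed on the page.
THREAT_CATEGORIES = {"physical", "logical", "technical", "application", "human_error", "malicious"}

# The four treatment options available to the risk owner.
TREATMENT_OPTIONS = ("Risk Acceptance", "Risk Transfer", "Risk Avoidance", "Risk Mitigation")


@dataclass(frozen=True)
class Asset:
    name: str
    risk_owner: str
    confidentiality: Level  # impact if disclosed
    integrity: Level        # impact if modified without authorization
    availability: Level     # impact if destroyed or unavailable

    @property
    def value(self) -> Level:
        # An asset is as valuable as its worst-case impact across C, I and A.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Threat:
    name: str
    category: str
    likelihood: Level     # how often an incident is expected to occur
    vulnerability: Level  # extent of the weakness the threat can exploit

    def __post_init__(self) -> None:
        if self.category not in THREAT_CATEGORIES:
            raise ValueError(f"unknown threat category: {self.category}")


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: Threat
    score: int
    level: str
    treatment: str


def risk_score(asset: Asset, threat: Threat) -> int:
    """Asset value x threat likelihood x vulnerability extent, range 1..27."""
    return int(asset.value) * int(threat.likelihood) * int(threat.vulnerability)


def risk_level(score: int) -> str:
    # Thresholds are an assumption of this example; an organization sets its own.
    if score >= 18:
        return "HIGH"
    if score >= 8:
        return "MEDIUM"
    return "LOW"


def default_treatment(level: str) -> str:
    """Starting proposal for the risk owner (assumed mapping); any option may be chosen instead."""
    return {"HIGH": "Risk Mitigation", "MEDIUM": "Risk Mitigation", "LOW": "Risk Acceptance"}[level]


def build_register(pairs: list[tuple[Asset, Threat]],
                   overrides: dict[tuple[str, str], str] | None = None) -> list[Risk]:
    """Evaluate each (asset, threat) pair and return the register sorted highest risk first.

    overrides maps (asset name, threat name) to the treatment the risk owner decided on.
    """
    overrides = overrides or {}
    register: list[Risk] = []
    for asset, threat in pairs:
        score = risk_score(asset, threat)
        level = risk_level(score)
        treatment = overrides.get((asset.name, threat.name), default_treatment(level))
        if treatment not in TREATMENT_OPTIONS:
            raise ValueError(f"unknown treatment: {treatment}")
        register.append(Risk(asset, threat, score, level, treatment))
    return sorted(register, key=lambda r: r.score, reverse=True)


# Constructed sample data for illustration (not data from any real assessment).
CUSTOMER_DB = Asset("Customer database", "Head of IT", Level.HIGH, Level.HIGH, Level.MEDIUM)
FIREWALL = Asset("Edge firewall", "Network manager", Level.LOW, Level.MEDIUM, Level.HIGH)
WORKSTATION = Asset("Office workstation", "IT support lead", Level.MEDIUM, Level.LOW, Level.LOW)

SAMPLE_PAIRS = [
    (CUSTOMER_DB, Threat("Ransomware", "malicious", Level.MEDIUM, Level.HIGH)),
    (FIREWALL, Threat("Hardware failure", "technical", Level.LOW, Level.MEDIUM)),
    (WORKSTATION, Threat("Accidental deletion", "human_error", Level.HIGH, Level.MEDIUM)),
]

if __name__ == "__main__":
    decided = {("Edge firewall", "Hardware failure"): "Risk Transfer"}  # e.g. a support contract
    for r in build_register(SAMPLE_PAIRS, overrides=decided):
        print(f"{r.level:6} {r.score:2}  {r.asset.name:20} {r.threat.name:20} "
              f"owner={r.asset.risk_owner}; {r.treatment}")
```

With the sample data the ransomware risk to the customer database scores 18 (HIGH), the accidental-deletion risk to the workstation 12 (MEDIUM) and the firewall hardware-failure risk 6 (LOW); the firewall entry shows how a risk owner's decision to transfer a risk is recorded instead of the default treatment.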

Implementation of a Quality Management System (QMS) according to ISO 9001

An organization's Quality Management System (QMS) comprises all the business processes designed to deliver and control every aspect of the functions and quality of the organization's products and services.
The methodological approach followed by Space Hellas, which is based on international standards and best practice, includes:
• Initial implementation planning and kick-off meeting
• Design and development of the QMS: processes, procedures, work instructions, forms and record keeping
• Creation of the necessary documents
• Information and training of personnel on quality management
• Application of the system
• Internal audit
• Presentation of findings to management
With the development of a Quality Management System the organization becomes able to be certified against ISO 9001:2015.

GRC

The operation and protection of today's complex information systems is a difficult and significant challenge for any organization. The requirements for achieving business goals, as well as the operational requirements for delivering services and applications quickly and securely, are greater than ever.
At the same time, organizations are required to comply daily with a variety of legal and regulatory guidelines, and the information and personal data they handle need special treatment.
Space Hellas has been active in the field of information technology, information security and information systems for the last 33 years. Space Hellas' services in Information Security, Business Continuity and Personal Data Protection enable companies and organizations, and the people who work in them, to discover the real weaknesses in their infrastructure and culture, to identify risks and the course an attack would take, and to obtain solutions based on internationally recognized standards, regulations and best practice.
 
The goals of the Space Hellas Governance, Risk and Compliance (GRC) services are:

• Alignment of business strategy with risk management and compliance.
• Quantification of weaknesses and their treatment through the implementation of controls, policies and procedures as well as technological solutions.
• Identification, evaluation and prioritization of risks, and their proper management.
• Guidance on defining the appropriate frameworks for legal and regulatory compliance and for compliance with international standards.

Services:

• Development of an Information Security Management System and preparation for certification with ISO 27001:2013
• Development of a Business Continuity Management System and preparation for certification with ISO 22301:2019
• Compliance with the General Data Protection Regulation (GDPR)
• Data Protection Officer Services (DPO)
• Chief Information Security Officer Services (CISO)
 
