
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success


The EU Global Data Protection Regulation (GDPR) and New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) represent a landmark change in the global data protection space. While they originate in different countries and apply to different organizations, their primary message is the same:

Protect your data, or pay a steep price. More specifically, protect the sensitive data you collect from customers.

With deadlines looming, is your organization ready?

The time to act is now. Read more to learn:

--Key mandates and minimum requirements for compliance
--Why a comprehensive data-centric security strategy is invaluable to all data protection and data privacy efforts
--How you can gauge your organization’s incident response capabilities
--How to extend your focus beyond the organization’s figurative four walls to ensure requirements are met throughout your supply chain

The first New York requirements deadline has arrived. With the next mandate deadline only 6 months away, you don't want to fall behind and leave your organization at risk of potential penalties and fines.


  1. Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success

  2. Sponsored by Forsythe. Forsythe is a leading enterprise IT company, providing advisory services, security, hosting and technology solutions for Fortune 1000 organizations. Forsythe helps clients optimize, modernize and innovate their IT to become agile, secure, digital businesses.
  3. IN TODAY’S DIGITAL WORLD, WE ARE ALL “DATA SUBJECTS”
     - Threats are increasing as technologies distribute sensitive data farther across locations, devices, and repositories.
     - Critical aspects of our lives are determined by the data that is held about us.
  4. CYBERCRIME IS A GROWTH INDUSTRY
     According to Gemalto, 1,792 data breaches led to almost 1.4 billion data records being compromised worldwide during 2016, an increase of 86 percent compared to 2015. That’s nearly 4 million records stolen per day, 157,364 per hour and 2,623 per minute.
  5. EU GDPR AND NY DATA PROTECTION AND PRIVACY REQUIREMENTS ARE USHERING IN A NEW ERA OF ACCOUNTABILITY
     Protect your data, or pay a steep price. More specifically, protect the sensitive data you collect from customers.
  6. HOW FAR ALONG DO YOU THINK YOUR ORGANIZATION IS IN ITS COMPLIANCE PLAN?
     Ask yourself:
     a) Beginning stages
     b) Well underway
     c) Fully compliant
     d) Not sure
  7. EU GDPR MANDATES
     - Fines: Companies that violate certain provisions—such as the basic processing principles or the rules relating to cross-border data transfers—may face fines amounting to four percent of the company’s annual gross revenue, and up to two percent for violations such as failing to meet the breach notification rule.
     - Right to be Forgotten: A “right to erasure”, also known as the “right to be forgotten,” gives a data subject the right to order a data controller/organization to erase any of their personal data in certain situations. Data controllers will be required to erase personal data “without undue delay” when the data is no longer necessary in relation to the purposes for which it was gathered or processed.
     - Data Protection Officer (DPO): Companies whose “core activities” involve large-scale processing of “special categories” of data—information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, health or sexual orientation—need to designate a data protection officer. Companies who collect some of this information strictly for internal human resources purposes may also be subject to this requirement.
     - Breach Notification: A single data breach notification requirement is applicable across the EU. The rule requires data controllers to notify the appropriate supervisory authority of a personal data breach within 72 hours of learning about it.
  8. NY CYBERSECURITY MANDATES
     - Program and Policy: Establishment and adoption of a cybersecurity policy and program, including adequate funding and staffing, a CISO, cybersecurity awareness training, limitations on data retention, and periodic reporting to the most senior governing body of the organization.
     - Security Controls: Risk-based minimum standards for technology systems, including access controls such as multi-factor authentication, data protection (including encryption or an alternate CISO-approved compensating control), and vulnerability assessment/penetration testing.
     - Data Breach Response: Adherence to minimum standards for addressing data breaches, including incident response plans, the preservation of data for investigations, and notice to DFS of material events within 72 hours. Additionally, organizations need to maintain audit trails for reconstruction of financial transactions and cybersecurity incidents.
     - Maintaining Accountability: Identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance. Additionally, organizations need to implement written policies and procedures designed to ensure the privacy and security of information systems and sensitive data accessible to third-party providers.
  10. ONE: DATA-CENTRIC SECURITY
     The development of a data-centric security program is invaluable to all data protection and data privacy efforts.
  11. DATA DISCOVERY
     - Determine where and what type of data is stored.
     - Continuous process to provide visibility, outline risk, and validate employee role assignment.
     - Confirm awareness level and policy compliance, as well as enhancement.
     Many organizations don’t even know where their sensitive information is, which makes it extremely difficult to comply with requirements such as the GDPR “right to be forgotten”.
  12. CLASSIFICATION
     - Policy
     - Data handling procedures
     - Report/detect/protect
     - IR/forensics
     - Risk-based approach
     - Identify business owners
     Data classification policies and tools facilitate the separation of valuable information that may be targeted from less valuable information.
  13. ENCRYPTION STRATEGIES
     - Data-in-motion
     - Data-at-rest
     - Data-in-use
     - Consider SSL decryption at gateway points of access.
     End-to-end encryption maximizes data protection regardless of whether the data is in a public or private cloud, on a device, or in transit. It can be invaluable in the effort to combat advanced threats, protect against IoT-enabled breaches, and maintain regulatory compliance.
  14. IDENTITY MANAGEMENT
     - Directory unification
     - Access management
     - Federation
     - Privileged access
     - Access governance and authentication
     The NY requirements specify the use of multi-factor, risk-based authentication “for any individual accessing the Covered Entity's internal networks from an external network (500.12)” and as a means for protecting sensitive data. Multi-factor solutions and services can help.
  15. TWO: INCIDENT RESPONSE
     The GDPR and NY requirements contain 72-hour data-breach notification mandates.
  17. QUESTIONS TO CONSIDER
     1. Are employees aware of what constitutes an incident to begin with, and how to report and manage an incident?
     2. Have you optimized the tools you’re using today to protect against and detect incidents?
     3. Has your program been updated and tested to support today’s cyber threats and compliance with breach notification requirements?
     4. Do you have the tools and relationships in place to accelerate your response to a serious security incident for containment and public management?
     5. Does your plan include considerations for retaining forensic and PR firms that directly align to your cybersecurity insurance policy?
  18. THREE: THIRD-PARTY RISK
     Third parties can present your greatest area of risk exposure.
  19. THIRD PARTY RISK PROGRAM ELEMENTS
     - Map your data. Understand which third parties have access to data, what categories of data they have, and what they are doing with it. Make sure you collect only the minimum amount of personal data required for the product or service, and review legal grounds for collection and processing.
     - Ensure you have appropriate budget and resources allocated for completing assessments of third parties, and for remediation projects.
     - Review your contracts to ensure they are compliant with both regulatory mandates (GDPR contains requirements for contracts with data processors, as well as between data controllers) and with your own security policies.
     - Complete assessments of all third parties that have access to, handle or touch your client/personal data to ascertain their awareness of specific requirements, and to ensure that they have appropriate technical and organizational measures in place to comply.
     - Ensure third parties are scored based on risk-assessment results and other due diligence. For high-risk third parties, identify audit partners for the assessment of processes, and set the scope of remediation programs and ongoing monitoring requirements.
  20. PEOPLE, PROCESS, TECHNOLOGY
     PEOPLE
     - Adhere to regulation-specific staffing requirements, such as GDPR’s DPO and NY’s CISO (drives accountability).
     - Education & awareness: changing behaviors around the collection and use of data; establishing appropriate consent controls.
     - Ensure suitable technical (security analysts, IR team) and non-technical (business leadership, legal, PR) staff is in place and is trained appropriately.
     PROCESS
     - Perform risk assessment (utilizing a framework like NIST, ISO, etc.).
     - Identify and manage collection of sensitive data.
     - Set processing/dissemination rules.
     - Ensure means to address inquiries and adhere to 72-hour notification requirements.
     - Establish data lifecycle management (inventory, classify, track the movement of, and disposal of, data).
     - Set IR processes (preparation, detection/reporting, triage/analysis, containment/neutralization and post-incident activity).
     - Develop third-party risk program.
     TECHNOLOGY
     - Visibility (identify data and its location: endpoint, DB/shares, cloud, structured/unstructured).
     - Analytics (when, where, and how data is moving).
     - Data protection tools (discovery, classification, DLP, encryption, IAM, CASB, and gateway controls).
     - Detection tools (IDS/IPS, NGFW, UEBA).
     - Containment tools: Endpoint Detection and Response, and forensics tools.
     - Third-party risk and security scoring tools.
  21. “WE’RE ALL GOING TO HAVE TO CHANGE THE WAY WE THINK ABOUT DATA PROTECTION.” — Elizabeth Denham, UK Information Commissioner
  22. CHECK OUT THE ORIGINAL ARTICLE: the-EU-GDPR-and-New-York-Cybersecurity-Requirements-3-Keys-to-Success
  24. Authors:
     - David O’Leary, Director, Forsythe Security Solutions
     - Thomas Eck, Director, Forsythe Security Solutions
     - Alex Hanway, Product Marketing Manager, Gemalto
     Forsythe is a leading enterprise IT company, providing advisory services, security, hosting and technology solutions for Fortune 1000 organizations. Forsythe helps clients optimize, modernize and innovate their IT to become agile, secure, digital businesses.