This document provides an overview of key considerations for complying with the General Data Protection Regulation (GDPR) as it relates to third party partners and suppliers. It discusses identifying personal data assets and flows, amending third party agreements to ensure compliance commitments, conducting third party vendor assessments, and technical and organizational security measures for protecting personal data such as pseudonymization, encryption, access controls and logging. The document emphasizes that controllers are responsible for personal data processed by third parties and outlines initial steps organizations can take to improve privacy and security.
4. Significant Data Protection (EU)
Personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’)…”:
• Name
• Location
• Identification Number
• Online ID / Cookies
• Gender
• Personal Preferences
• Ethnic
• Cultural
• Social Identity
• Memberships
• Biometric
• CCTV Video
• Event photos
• Insurance
• Visas
• Religion
• Insurance Claims
Joe Orlando
6. NOT “Just another IT Project!”
EVERYONE “owns” the Solution.
Data Controller (who NEEDS the data): Why Do You NEED the Data?
Data Processor (who uses the data to complete tasks): What Do You DO with the Data?
How is this Data Stored; Managed; Secured; Shared; Refreshed; Processed and Destroyed?
ICT only FACILITATES the Outcome: Store, Move, Protect.
ICT Cannot Do This Alone.
9. GDPR requires businesses to implement “technical and organizational measures to provide appropriate protection to the personal data they hold.”
GDPR expressly states that such measures include:
1. The pseudonymization and encryption of personal data
2. Measures to ensure resilience of systems and services processing data
3. Measures that allow businesses to restore the availability and access to the data in the event of a breach
4. Frequent testing of the effectiveness of the security measures
11. An Individual’s Rights
• Right to Know
  • What PII You Have
  • Source of the PII you Have
  • To Where and to Whom does my PII Go
• Right to Edit Inaccuracies
• Right to Be Forgotten (Delete)
• Right to Opt Out
  • Object to Processing
  • Object to Automatic Decision Making
• Right to Portability
• Limit Retention Period
12. OBJECTIVE: SECURE THE DATA
Secure the Personal Identifiable Information (PII) & Personal Health Information (PHI) to Prevent Unauthorized Access and, in the event of unauthorized access … the data they get is unintelligible.
13. Of the 261 pages of GDPR, “encryption” appears 4 times:
• "...implement measures to mitigate those risks, such as encryption." (P51 (83))
• "...appropriate safeguards, which may include encryption" (P121 (4.e))
• "...including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data." (P160 (1a))
• "...unintelligible to any person who is not authorised to access it, such as encryption" (P163 (3a))
14. Regulatory “PASS” if Using Encryption
“…in case of a data breach, the controller is not required to communicate to the data subject if he or she has implemented encryption as a technical and organisational protection measure” (Article 34 Par. 3 (a) GDPR).
15. OPTIONS (Easy to Hardest) / RISK to PII/PHI EXPOSURE (High to Low)
• SUBSET DATA COMING OUT OF PRODUCTION
• ACCESS MANAGEMENT & MONITORING
• FIELD PRESERVING DATA MASKING
• DATA PSEUDONYMIZATION
• FIELD/ROW/COLUMN ENCRYPTION
• FULL DISK ENCRYPTION
20. 3rd Party Partners
• Sales Channel Partners
• Distributors
• Resellers
• Marketing Campaign Providers
• 3rd Party Processors
• Off Prem Storage and Backup Vendors
• 3rd Party Administrators (ESOP; Benefits; Pension)
• Security Providers (Physical; Swipe cards; CCTV)
• 3rd Party Analytics Providers
21. Things to Consider…
The likelihood of data going OUT from INSIDE is greater than the likelihood of data being exfiltrated from OUTSIDE.
22. Amendments to the 3rd Party Provider Agreements
Data Privacy Amendments (GPO and Legal)
• Commitment to Compliance
• Commitment to Cooperation
• Commitment to Validation and Audit
• Commitment to Being Responsive to Our Organization and DSAR
• Commitment to Incident Response
• Commitment to Appropriate Record Keeping
24. Under GDPR – Vendor Assessment Questions
• Awareness and understanding of GDPR regulations and data protection principles
• Lawfulness of processing and further processing and legitimate interests
• Consent management
• Information notices
• Data Subject rights, access, rectification, portability, erasure, object & restriction of processing processes
• Record retention policies and processes
• Privacy By Design, including Impact Assessments
• Cross Border Transfers of Personal and Sensitive Data
• Data governance obligations
• Personal data breaches and notifications
• Sub-Contractor Agreements and Controls
• Codes of conduct and certifications
• Roles, Responsibilities and Competencies
• Co-operation and consistency between supervisory authorities, remedies and liabilities
• Derogations, special conditions and delegated acts, implementing acts and final provisions
• Subcontracted processes, processors and security controls
27. Section / Sub-section / Criteria - Checks / Score
1. Participating 3rd Party Vendor must ensure that they are fully compliant with the Our Organization Security Policy. Score: 0
2. The 3rd Party Provider Security Policy Baseline creates a general security and data protection baseline adapted to Our Organization needs. The 3rd Party Provider Security Policy Baseline addresses all elements of data flows into Our Organization, including national and cross-border data flows. Score: 0
3. The 3rd Party Provider shall take all reasonable steps to ensure data security (including data confidentiality, integrity, authenticity, availability and non-repudiation). Score: 0
4. 3rd Party Provider must ensure that cross-border data is not transmitted via these services to a Member State that either does not belong to or is not allowed into the cross-border environment. Score: 0
5. 3rd Party Vendor shall ensure that communication of identifiable personal data is subject to secure communication and end-to-end security measures. Score: 0
6. 3rd Party Vendor shall ensure that their 3rd Party Provider establish an appropriate system of audit trail and shall: Score: 0
   a) allow authorised official bodies to duly inspect the established 3rd Party Vendor mechanisms for data collection, processing, translation and transmitting. Score: 0
   b) make logs available for legal purposes, e.g. if requested by an individual. Score: 0
7. The 3rd Party Vendor must ensure that we have clearly identified the responsible data controller and data processor in accordance with the provisions of the General Data Protection Regulation. Score: 0
28. Area: Security Incident Management (Not Compliant)
Information Security Incidents
• Does the 3rd Party Provider have policies in place which set out how information security incidents, and breaches to the confidentiality of data, should be managed? Score: 0
• Are the security responsibilities of technical staff and the data security officer addressed at the recruitment stage, included in contracts, and monitored during an individual’s employment?
• Does the 3rd Party Provider engage employees and third party users of information processing facilities to sign a confidentiality (non-disclosure) agreement? Score: 0
• Incidents affecting security MUST be reported to the designated (by each 3rd Party Vendor) point of contact through appropriate management channels as quickly as possible. Score: 0
• Are all staff trained in security procedures and the correct use of the information processing facilities to minimize possible security incidents and risks? Score: 0
• Responsibilities and procedures for the management and operation of information processing facilities must be established. This includes the development of appropriate operating instructions and incident response procedures. Score: 0
Average Area Score: 0
Area: Cryptography (Not Compliant)
Cryptographic controls
• Does the 3rd Party Provider verify that CAs (Certificate Authorities) are registered as such in the EU Trusted Lists of Certification Service Providers? Is there a documented procedure defining this, and where? Score: 0
• Does the 3rd Party Provider have documented descriptions of service addresses and certificates compliant with the appropriate Regulators? Score: 0
Average Area Score: 0
Area: Information security aspects of business continuity management (Not Compliant)
Information security continuity / Planning information security continuity
• Have the availability requirements been established for the 3rd Party network?
• Have the availability requirements between the 3rd Party Provider and its service providers been defined and established? Are these documented in the Service Level or similar Agreements? Score: 0
Redundancies / Availability of information processing facilities
• Does the 3rd Party Provider have a backup procedure for at least the critical assets?
• Does the 3rd Party Provider have defined backup times (Recovery Point Objective) in alignment with the business and (if applicable) in the multilateral or other agreements between the partners in the 3rd
Score: 0
29. Average Area Score: 0
Area: Physical and environmental security (Not Compliant)
Physical security measures should exist in the 3rd Party Vendor premises where authorized users have access to the e Information System and the respective information storing facilities (i.e. network, server rooms etc.) to ensure that only authorized personnel have physical access. Environmental Safeguard measures should protect premises and systems from hazards and destruction. Score: 0
Secure Areas / Physical security perimeter
• Are the physical areas where the processing facilities and staff operating the e system are located defined and documented (e.g. under Asset Management, Procedure or elsewhere)?
• Is the 3rd Party Vendor operations environment, including networks, adequately segregated from environments operated by external parties?
• Are the 3rd Party Vendor personnel offices segregated in order to protect security of operations and preclude access by unauthorised personnel?
Score: 0
Physical entry controls
• Do the 3rd Party Vendor building premises where staff operate the system have controlled building entrances and exits?
• Are building entrances and exits equipped with intruder prevention and alarm systems? Are visitors logged in a visitors logbook and guided when visiting the 3rd Party Vendor premises?
• Do server/computer room facilities have a visitor log system used by the 3rd Party Vendor for logging entrances and exits to the systems room of the 3rd Party Vendor, either automatically or manually?
• Are Intruder Alarm Systems attached to a backup power supply system (battery, generator or UPS) to ensure that server rooms are adequately protected and accessible during a disruption to the main power supply system?
• Are the permission rights of personnel to those areas documented, reviewed and updated at specified intervals?
(Note: the retention period of access logs and any CCTV recordings must respect the nationally applicable legislation for private and personal data protection.)
Score: 0
A.11.1.3 Securing offices, rooms and facilities
• Are 3rd Party Vendor offices where staff operate the e information system protected by physical measures adequate for the level of sensitivity of the system?
Score: 0
Equipment should be physically protected from security threats and environmental hazards. Protection of equipment is necessary to reduce the risk of unauthorized access to data and to protect against loss or damage. This should also take into consideration equipment location and disposal. Special controls may be required to protect against hazards or unauthorized access, and to safeguard supporting facilities, such as the electrical supply and cabling infrastructure. Score: 0
30. Area: Information security policies
Management direction for information security / Policies for information security
• Does the 3rd Party Provider have documented policies that define how personally identifiable information is safeguarded? Score: 0
Review of the policies for information security
• Are the 3rd Party Vendor responsibilities defined for managing the lifecycle of the Security Policies, ensuring that they are always kept up to date? Score: 0
Average Area Score: 0
Area: Organization of information security (Not Compliant)
Internal organization / Information security roles and responsibilities
• Are the responsibilities for the 3rd Party Vendor Processes (especially for information security) included in the security policies?
• Are the specific processes and assets of the 3rd Party Vendor identified and defined?
• Are the local responsibilities for the protection of assets for the 3rd Party Vendor documented and carried out?
• Is the process of information security risk management documented and suitable?
• Does the information security risk management process include the 3rd Party Vendor’s processes and assets?
Score: 0
Segregation of duties
• Has the 3rd Party Provider assigned a responsible party for the security of information within the context of e? Score: 0
Average Area Score: 0
Area: Operations Security (Not Compliant)
Integrity
When information is sent from one country to another, it must be assured that the information has been properly received by the end user (source of country B). (Note: this requirement is applicable under Information Security Domain in the area "Integrity".) Score: 0
Confidentiality
The 3rd Party Provider must ensure that Our Organization data is not transmitted to a 3rd Party Vendor not belonging or allowed into the Our Organization environment.
The 3rd Party Provider must ensure the security (confidentiality, integrity, availability, non-repudiation, authenticity and auditability) of data processed on their territory.
Event logging, protection of log information
Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
Logging facilities and log information shall be protected against tampering and unauthorized access.
System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
3rd Party Vendor shall ensure that their 3rd Party Provider establish an appropriate system of audit trail and shall enable a review of the mechanisms in place to protect 3rd Party data.
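The logging requirements above (event logs produced, kept and regularly reviewed; logging facilities protected against tampering; administrator and operator activity logged) are easier to assess when there is a concrete mechanism to point at. The following is an added example written for this page, not code from the deck, from any vendor or from any product: a minimal tamper-evident log in Python in which every record carries an HMAC over the previous record's tag and its own content, so an edited, deleted or reordered record fails verification. The signing key, the three event records and their field names are constructed for illustration.

```python
"""Tamper-evident event log: each record is chained to the previous one with
an HMAC, so editing, deleting or reordering a record breaks verification.

Added example, not from the slide deck. The key, the events and the field
names are constructed; in practice the key lives with the log collector,
not on the systems that generate the events.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # tag of the (empty) record before the first entry


def _tag(key: bytes, previous_tag: str, entry: dict) -> str:
    """HMAC-SHA256 over the previous tag plus a canonical JSON form of the entry."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (previous_tag + canonical).encode("utf-8"), hashlib.sha256).hexdigest()


def append(log: list, key: bytes, entry: dict) -> dict:
    """Append an event (user activity, exception, admin action) to the chain."""
    previous_tag = log[-1]["tag"] if log else GENESIS
    record = {"entry": dict(entry), "tag": _tag(key, previous_tag, entry)}
    log.append(record)
    return record


def verify(log: list, key: bytes):
    """Return (True, None) if every link holds, else (False, index_of_first_bad_record)."""
    previous_tag = GENESIS
    for i, record in enumerate(log):
        expected = _tag(key, previous_tag, record["entry"])
        if not hmac.compare_digest(record["tag"], expected):
            return False, i
        previous_tag = record["tag"]
    return True, None


def admin_actions(log: list) -> list:
    """Pull out system administrator / operator activity for the regular review."""
    return [r["entry"] for r in log if r["entry"].get("role") == "admin"]


# Constructed sample events (fictional users and objects).
SAMPLE_EVENTS = [
    {"ts": "2018-02-05T09:00:00Z", "user": "alice", "role": "analyst", "action": "view", "object": "claim/4711"},
    {"ts": "2018-02-05T09:05:12Z", "user": "root", "role": "admin", "action": "export", "object": "customers.csv"},
    {"ts": "2018-02-05T09:07:40Z", "user": "bob", "role": "analyst", "action": "login_failed", "object": "-"},
]


def build_sample_log(key: bytes) -> list:
    """Chain the constructed events into a fresh log."""
    log = []
    for event in SAMPLE_EVENTS:
        append(log, key, event)
    return log


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"
    log = build_sample_log(demo_key)
    print("intact:", verify(log, demo_key))
    log[1]["entry"]["object"] = "nothing.csv"  # someone rewrites the export record
    print("after edit:", verify(log, demo_key))
```

The chain only proves that the log has not been changed since each record was tagged; a log host that also holds the key can rewrite history, which is why the assessment question about protecting the logging facility itself still matters. Forwarding records to a collector the provider's administrators cannot write to is the usual answer.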
32. There are options… where to start
2/5/2018
▪ Subsetting Data used in Test/QA and Dev
▪ Data Minimization
▪ Pseudonymisation / Masking
▪ Rigid Roles Based Access Controls and Management
▪ Reduce Unauthorized Access to PII/PHI
▪ Automatic Logging and Monitoring of User Activities (Regular Testing)
▪ Lock Down Download and Mobile Media Ability
▪ Make “Data in Motion” and “At Rest” Unintelligible
▪ Format Preserving Encryption
▪ Field; Column; Row Encryption
▪ Encrypt Workstations (& Laptops) or Full Disk Encryption with Individual Workstation Keys
▪ Provide end to end encryption (in motion and at rest)
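The first options on this slide and the easy end of the ladder on slide 15 (subset the data that leaves production, mask it, pseudonymise it) are one pipeline in practice. The block below is an added example written for this page, not code from the deck; the four customer records, the secret key and the field names are constructed. It subsets production rows, replaces the join key and the name with keyed HMAC tokens (the same input always gives the same token, so joins across extracts still work, but nobody without the key can link a token back to a person), applies format-preserving masks to e-mail and national ID, and finally checks that no raw direct identifier survived into the Test/QA/Dev copy.

```python
"""Subset, pseudonymise and mask personal data before it leaves production.

Added example, not from the slide deck. All records, the key and the field
names are constructed for illustration.
"""
import hashlib
import hmac
import random

# Constructed sample of production records (fictional people).
PRODUCTION_RECORDS = [
    {"customer_id": "C-10001", "name": "Ana Example", "email": "ana@example.com",
     "national_id": "AB123456C", "city": "Dublin", "claim_total": 1200},
    {"customer_id": "C-10002", "name": "Ben Sample", "email": "ben@example.org",
     "national_id": "CD987654E", "city": "Lyon", "claim_total": 300},
    {"customer_id": "C-10003", "name": "Cara Test", "email": "cara@example.net",
     "national_id": "EF555555G", "city": "Porto", "claim_total": 4500},
    {"customer_id": "C-10004", "name": "Dan Demo", "email": "dan@example.com",
     "national_id": "GH111111I", "city": "Dublin", "claim_total": 80},
]

# Fields that directly identify a person and must never reach Test/QA/Dev raw.
DIRECT_IDENTIFIERS = ("name", "email", "national_id")


def pseudonymise(value: str, key: bytes, length: int = 12) -> str:
    """Keyed, deterministic token (truncated HMAC-SHA256). Same input, same
    token, so the extract stays joinable; without the key it is unlinkable."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "PSN-" + digest[:length]


def mask_email(email: str) -> str:
    """Format-preserving mask: keep the first character and the domain."""
    local, _, domain = email.partition("@")
    return local[:1] + "*" * max(len(local) - 1, 1) + "@" + domain


def mask_national_id(national_id: str) -> str:
    """Keep the last two characters (enough to confirm a record with the data
    subject) and replace everything else with 'X'."""
    keep = 2
    return "X" * (len(national_id) - keep) + national_id[-keep:]


def release_record(record: dict, key: bytes) -> dict:
    """Pseudonymise the join key and the name, mask the remaining identifiers."""
    out = dict(record)
    out["customer_id"] = pseudonymise(record["customer_id"], key)
    out["name"] = pseudonymise(record["name"], key)
    out["email"] = mask_email(record["email"])
    out["national_id"] = mask_national_id(record["national_id"])
    return out


def build_test_subset(records: list, key: bytes, fraction: float, seed: int = 0) -> list:
    """Subset first (fewer rows leave production), then transform each row.
    The generator is seeded so the same extract can be reproduced for audit."""
    rng = random.Random(seed)
    n = max(1, round(len(records) * fraction))
    sample = rng.sample(records, n)
    return [release_record(r, key) for r in sample]


def leaks_direct_identifier(released: list, originals: list) -> bool:
    """True if any raw direct identifier from production appears in the release."""
    raw_values = {r[field] for r in originals for field in DIRECT_IDENTIFIERS}
    return any(value in raw_values for r in released for value in r.values())


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # in practice: kept in production only
    for row in build_test_subset(PRODUCTION_RECORDS, demo_key, 0.5):
        print(row)
    print("leak:", leaks_direct_identifier(
        build_test_subset(PRODUCTION_RECORDS, demo_key, 0.5), PRODUCTION_RECORDS))
```

The key used for pseudonymisation stays with the production data owner; the Test/QA/Dev environment only ever sees the tokens, which is what makes the extract pseudonymised rather than merely renamed. Masked fields keep their shape so application code and validation rules keep working on the subset.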
33. Some First Steps…
✓ Reduce the number of Access Points (Minimize User and Authorized Access)
✓ Segregate, As Much As Possible, the Production Users, Testers, Developers and QA Users
✓ Ensure Secure Data Transmission
✓ Rigidly Restrict Access by Well Defined Role/Authorization
✓ Prevent Data Download to Portable Media
✓ Ensure Comprehensive Training on Handling PII/PHI as Part of Employee Code of Ethics
✓ Reduce # of people who are “authorized to see” Sensitive Data (PII/PHI)
34. Some First Steps…
✓ Minimize; Pseudonymise; Mask Data as Much as Viable
✓ Ensure Data Secured “At Rest” and “In Motion”
✓ Rigidly Restrict Access by Well Defined Role/Authorization
✓ Implement End Point Security (DLP)
✓ Deliberately Reduce Potential Attack Surfaces (Vulnerabilities) that Potentially Expose PII/PHI
✓ Administer Regular Tests & Audits on Internal and 3rd Party “Data Privacy by Design and Default” Procedures, Policies and Protocols
35. OPTIONS (not mutually exclusive)
Data At Rest
• Pseudonymisation and Masking
• Rigid Roles Based Access Controls and Management
• Encrypt Workstations (& Laptops) to Prevent Download and Export
Data In Motion
• Safe or Encrypted Transfer (SFTP (connection); encrypt (the data))
• TLS Tunnel and/or ZIX for mail transport
Data In Use
• Data Minimization
• Data Subsetting
• Rigid Roles Based Access Controls and Management
• Pseudonymisation and Masking
• Format Preserving Encryption
• Field; Column; Row Encryption
36. Options: Specific Ideas
Data At Rest
• File Share
• BitLocker
• USB/Media Lock down
• DLP Policies
• Restricted Access to Db
Data In Motion
• CASB
• DLP
• Network Protocols
• ACLs
• VPN
• Firewall
Data In Use
• Rigid User Access Rules and Regular Reviews
• Proactive User Lifecycle Management
• Multi Factor Authentication