The document discusses compliance with the General Data Protection Regulation (GDPR) which takes effect on May 25, 2018. It outlines several key points of the regulation including that it applies to all EU member states, personal data must be kept secure, and organizations will be held accountable for data security with large fines for non-compliance. It also discusses implementing a risk-based approach to data security, documenting compliance measures, appointing a data protection officer, and that higher risk requires more security efforts. Case studies demonstrate how organizations reduced risks by implementing network monitoring and access controls. Steps for technology implementation include documenting reviews and risk analysis, appointing a compliance officer, and following the UK National Cyber Security Centre's 10 steps for cyber security.
GENERAL DATA PROTECTION REGULATION
Introduction
• The GDPR applies to all EU member states, and replaces Data Protection Directive 95/46/EC
• Personal data must be kept secure
• Holds an organization accountable for data security
• Large fines can be levied for non-compliance
Applicable to IT Security Technology
• A risk-based approach to set up measures to protect personal data
• Documentation to prove compliance
• Appointment of a data protection officer (DPO)
• No specific technology is prescribed for securing data; higher risk mandates more security effort
Today’s Situation
• Article 32 provisions require technical measures to protect data.
Ex. A non-EU retailer processing the data of many thousands of EU data subjects is expected to implement stronger measures to protect its data than would a retailer processing data for only a handful of data subjects.
• Each organization must evaluate its own risk and investigate its own situation to decide which measures to implement.
Reducing Vulnerability
Case Studies: A large UK-based outsourced customer management service provider controls and processes huge quantities of personal information throughout Europe and elsewhere. Analysis of its data security revealed a lack of visibility into its complex network environment, including more than 80 firewalls. It lacked confidence that some new firewalls had been implemented in line with the organization’s own policies. Its manual change processes were slow and costly, which resulted in an inability to track changes and verify that the firewalls were properly implemented.
What to do.
• Implement network controls, testing and monitoring
• Tighten access and security procedures and network paths
• Devise an integrated solution to reduce its systemic risk
• Visualize, document and optimize all firewall rulesets
• Scan for, assess and resolve network vulnerabilities
As a result the company reduced its overall network risk profile, improved its continuous, documented and provable compliance, and decreased the chances of a data security breach.
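The case study above leaves "visualize and document all firewall rulesets and optimize" at the level of an action item. The following script is an added example, not part of the original slides or any vendor's product, showing what that review looks like in practice: it walks a ruleset in first-match order, flags rules that can never fire because an earlier rule already matches (shadowed when the actions differ, redundant when they agree), flags any-to-any allow rules, and produces the kind of record a compliance reviewer keeps. The rule fields, the ruleset, the owner names and first-match IPv4 semantics are all assumptions made for the illustration.

```python
"""Added example (not from the original slides): audit a firewall ruleset for
rules that can never fire because an earlier rule matches first, and for
overly permissive rules, then produce the record a compliance reviewer keeps.
The rule fields and the ruleset are constructed for illustration and follow
no vendor's format; first-match semantics and IPv4 addressing are assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str   # "allow" or "deny"
    src: str      # IPv4 CIDR or "any"
    dst: str      # IPv4 CIDR or "any"
    dport: str    # destination port as a string, or "any"
    owner: str    # who approved the rule; part of the audit trail


# Constructed ruleset, evaluated top to bottom, first match wins.
RULES = [
    Rule("R1", "allow", "10.0.0.0/8", "10.20.0.0/16", "443", "netops"),
    Rule("R2", "deny", "10.0.0.0/8", "10.20.0.0/16", "22", "netops"),
    Rule("R3", "allow", "10.1.0.0/16", "10.20.5.0/24", "443", "appteam"),
    Rule("R4", "allow", "any", "any", "any", "unknown"),
    Rule("R5", "deny", "192.168.1.0/24", "10.20.0.0/16", "80", "netops"),
]


def _net(cidr):
    """Map "any" to the whole IPv4 space so it compares like a normal prefix."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def _covers(outer, inner):
    """True when `outer` matches every packet that `inner` matches."""
    return (_net(outer.src).supernet_of(_net(inner.src))
            and _net(outer.dst).supernet_of(_net(inner.dst))
            and outer.dport in ("any", inner.dport))


def audit(rules):
    """Return (rule_id, finding, detail) triples in ruleset order."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and rule.src == rule.dst == rule.dport == "any":
            findings.append((rule.rule_id, "permissive",
                             "allows any source to any destination on every port"))
        for earlier in rules[:i]:
            if _covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.rule_id, kind,
                                 f"never reached: rule {earlier.rule_id} matches first"))
                break
    return findings


def compliance_record(rules, findings):
    """Documentation entry: what was reviewed, what was found, who owns each hit."""
    owners = {r.rule_id: r.owner for r in rules}
    return {
        "rules_reviewed": len(rules),
        "findings": len(findings),
        "by_type": {k: sum(1 for f in findings if f[1] == k)
                    for k in ("permissive", "shadowed", "redundant")},
        "actions": [f"{rid} ({owners[rid]}): {kind}, {detail}"
                    for rid, kind, detail in findings],
    }


if __name__ == "__main__":
    for line in compliance_record(RULES, audit(RULES))["actions"]:
        print(line)
```

On the constructed ruleset the audit reports R3 as redundant with R1, R4 as an any-to-any allow with no recorded owner, and R5 as shadowed by R4, which is exactly the class of defect that makes a ruleset impossible to prove compliant by hand: the deny in R5 looks correct in isolation but is dead code. Real rulesets also carry protocol, source-port, zone and time fields; the covering test extends to them in the same way, and a production run would read the ruleset from the device export rather than from a literal.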
Firewall and Device Monitoring
A large-scale business services provider delivers business process outsourcing to more than 20 top-tier companies and government agencies in the UK. It was using resource-consuming manual management processes to achieve compliance, including network security, data security, vulnerability management, access control, security monitoring and information security best practices. The company’s increasing network complexity was making the cost of compliance unsustainable, and the company was not able to prove its firewalls were compliant.
A collective legal proceeding - Germany – UK – France
Example:
Legal proceeding brought by a consumer protection association against an organization that is allegedly failing to protect
personal data.
The adoption of collective legal proceedings in Europe compounds the legal risk of any organization suffering a data security
breach.
STEPS FOR IMPLEMENTING SECURITY TECHNOLOGY FOR COMPLIANCE WITH THE GDPR
• Don’t wait; start now
• Establish a track record of compliance before the effective date: May 25, 2018.
• Document the reviews of technology and steps toward achieving compliance.
• Institute a constant, ever-improving process of analysing the risks
• Adopt a routine for maintaining the considerable documentation
• Appoint a data protection practitioner to become familiar with the procedures
• Take 10 Steps to Cyber Security - NCSC
CYBER SECURITY NCSC - STEPS
1. Risk Management Regime
• An appropriate risk management system supported by the board and senior management.
• Communicate risk management policies and practices to all employees, contractors and suppliers
2. Secure configuration
• Ensure configuration management is in place to improve the security of systems.
• Remove or disable unnecessary functionality from systems
• Quickly fix known vulnerabilities by patching
3. Network security
• Secure networks so that systems are not exposed to attack
• Implement policies and architecture to reduce attacks
• Consider where data is stored and processed, and where an attacker has the opportunity to interfere.
4. Managing user privileges
• Give users a reasonable level of privileges and rights
• Highly elevated system privileges should be controlled and managed.
• Rely on ‘least privilege’ principle
5. Malware prevention
• Develop and implement anti-malware policies as part of a defence-in-depth approach.
6. Monitoring
• System monitoring to detect attacks on systems and services.
• Good monitoring enables an effective response to attacks
• Ensure that systems are being used in accordance with organisational policies
• Monitoring is key to complying with legal or regulatory requirements.
7. Removable media controls
• Removable media is a route for malware and for the deliberate export of sensitive data.
• Must apply appropriate security controls
8. Home and mobile working
• Establish risk-based policies and procedures for mobile working and for remote access by users and service providers.
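Steps 4 and 6 above (manage user privileges, monitor that systems are used in accordance with policy) meet in one routine control: checking every use of elevated rights against the list of accounts approved to hold them. The script below is an added example, not from the NCSC guidance or the original slides. It parses constructed sudo-style log lines, compares each escalation to root against a hypothetical approval list of admin accounts and the hosts they may administer, and summarizes the violations so they can be followed up and documented. The log format, host names, account names and the approval list are all assumptions made for the illustration.

```python
"""Added example (not from the original slides or the NCSC guidance): detect use
of elevated privileges by accounts that are not approved for them, which
supports the 'managing user privileges' and 'monitoring' steps.  The log
format, hosts, accounts and the approval list are constructed assumptions."""
import re
from collections import Counter

# Hypothetical policy: accounts approved to run commands as root, and on which hosts.
APPROVED_ADMINS = {"alice": {"db01", "web01"}, "bob": {"web01"}}

# Constructed sample log lines in a sudo-like format (not taken from any real system).
SAMPLE_LOG = """\
Mar 14 09:12:01 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 14 09:15:44 db01 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/pg_dump customers
Mar 14 09:20:10 web01 sudo: carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 14 09:25:00 db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=postgres ; COMMAND=/usr/bin/psql
Mar 14 09:30:12 web01 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse(log_text):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_violations(events, approved=APPROVED_ADMINS):
    """Return events where an account escalated to root on a host it is not approved for."""
    violations = []
    for ev in events:
        if ev["target"] != "root":
            continue   # only escalation to root is policy-controlled in this example
        if ev["host"] not in approved.get(ev["user"], set()):
            violations.append(ev)
    return violations


def summarize(violations):
    """Count violations per (account, host) pair for the follow-up record."""
    return Counter((v["user"], v["host"]) for v in violations)


if __name__ == "__main__":
    for v in find_violations(parse(SAMPLE_LOG)):
        print(f"{v['ts']} {v['host']}: {v['user']} ran as root: {v['cmd']}")
```

On the sample, bob's root escalation on db01 and carol's on web01 are flagged, while alice's approved use on web01 and her escalation to the non-root postgres account pass. The approval list is the least-privilege policy written down; the detector is only as good as that list, so it needs the same review cadence as the documentation the slides describe.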
Article 5(2) and Article 30
Obligations on an organization to demonstrate that it is in compliance.
Example.
Through the creation and maintenance of documentation that proves the organization is using technology for continuous
monitoring of data and continuous evaluation of vulnerabilities.
Article 28
An outsourcer (data processor) must have technical and organizational controls in place to ensure data is protected and
documentation to prove compliance.
Article 32
• Requires an organization to implement technical measures to ensure data security.
• It does not provide a comprehensive list of security measures.
• It motivates organizations to find and implement effective security measures in a rapidly changing IT security threat landscape
SPECIAL ADVICE
• Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risk.
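The advice above describes the reporting step that sits after the scan: per-administrator prioritized lists, and risk scores that show whether each administrator or department is actually reducing risk week over week. The script below is an added example, not from the original slides, of that reporting. It weights each finding by the asset's data sensitivity (an asset holding personal data counts double, since under the regulation risk scales with the data subjects affected), builds the per-administrator lists, and compares two weekly scans. The asset register, the findings, the severity values and the weighting are constructed assumptions for the illustration.

```python
"""Added example (not from the original slides): turn raw scan findings into the
per-administrator prioritized lists and the week-over-week risk scores the
special advice describes.  The asset register, findings, severities and the
data-sensitivity weight are constructed for illustration."""
from collections import defaultdict

# Hypothetical asset register: owning admin and department per host, and whether
# the host holds personal data (weighted higher because GDPR risk scales with the
# number of data subjects affected by a breach).
ASSETS = {
    "crm-db01": {"admin": "alice", "dept": "sales", "personal_data": True},
    "web01":    {"admin": "bob",   "dept": "web",   "personal_data": False},
    "hr-app01": {"admin": "carol", "dept": "hr",    "personal_data": True},
}

# Constructed findings from two weekly scans: (host, finding id, base severity 0-10).
SCAN_WEEK1 = [
    ("crm-db01", "VULN-A", 9.8), ("crm-db01", "VULN-B", 5.3),
    ("web01", "VULN-C", 7.5), ("web01", "VULN-D", 4.0),
    ("hr-app01", "VULN-E", 8.1),
]
SCAN_WEEK2 = [  # VULN-A and VULN-E fixed; C and D still open; new VULN-F on web01
    ("crm-db01", "VULN-B", 5.3),
    ("web01", "VULN-C", 7.5), ("web01", "VULN-D", 4.0), ("web01", "VULN-F", 6.5),
]


def risk(host, severity, assets=ASSETS):
    """Severity weighted by data sensitivity (the factor of 2 is an assumption)."""
    return severity * (2.0 if assets[host]["personal_data"] else 1.0)


def prioritized_lists(findings, assets=ASSETS):
    """Per-admin list of findings, highest weighted risk first."""
    lists = defaultdict(list)
    for host, vuln_id, sev in findings:
        lists[assets[host]["admin"]].append((round(risk(host, sev), 1), vuln_id, host))
    return {admin: sorted(items, reverse=True) for admin, items in lists.items()}


def risk_by(key, findings, assets=ASSETS):
    """Total weighted risk grouped by 'admin' or 'dept'."""
    totals = defaultdict(float)
    for host, _, sev in findings:
        totals[assets[host][key]] += risk(host, sev)
    return dict(totals)


def risk_reduction(before, after, key="dept"):
    """Fraction of weighted risk removed between two scans, per admin or department.
    Negative values mean risk grew (new findings outpaced fixes)."""
    b, a = risk_by(key, before), risk_by(key, after)
    return {k: round(1 - a.get(k, 0.0) / b[k], 2) for k in b if b[k]}


if __name__ == "__main__":
    for admin, items in prioritized_lists(SCAN_WEEK1).items():
        print(admin, items)
    print(risk_reduction(SCAN_WEEK1, SCAN_WEEK2))
    print(risk_reduction(SCAN_WEEK1, SCAN_WEEK2, key="admin"))
```

On the constructed data the sales department removed about 65% of its weighted risk by fixing the critical finding on the customer database, HR removed all of it, and the web department's score went negative because a new finding appeared before the old ones were closed. That last case is why the comparison should be reported rather than a raw count of open findings: it separates "fixing things" from "the scanner found fewer things this week".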