GDPR - CISO vs DPO, Security challenges

1. GDPR – CISO PERSPECTIVE
GEORGE DRAGUSIN
PRESIDENT IT&C SECURITY COMMITTEE - ROMANIAN BANKING ASSOCIATION
CYBERTHREATS - 17 OCT 2017
ROMANIAN BANKING INSTITUTE

2. PICK ONE: A. DATA PROTECTION B. FINES C. SECURITY D. INDIVIDUALS’ RIGHTS
DISCLAIMER
NOT
ANOTHER
GDPR
PRESENTATION!

3. GDPR – ORGANIZATION PERSPECTIVE
https://www.closebrotherstechnology.co.uk/general-data-protection-regulation
GDPR WILL FUNDAMENTLY CHANGE
THE BUSINESS PROCESSES
OPPORTUNITY TO
INVEST IN SECURITY!

4. CISO VS. DPO
DPO*
* Not taking into consideration the small shops
GDPR - the A TEAM!
• PROJECT SPONSOR (MGMT)
• PM
• DPO
• BUSINESS ANALYSTS
• CISO
• IT
• LEGAL
• COMPLIANCE
• COMMUNICATION
CISO != DPO

5. DPO
NOT A DPO!
WHERE TO FIND THE DPO ?
UNICORN
SKILL: KUNG-FU
EMPLOYEE PROFILE
25% BUSINESS ANALYST
25% TECHNICAL
20% LEGAL
10% RISK MGMT
10% COMMUNCATION
10% FLEXIBLE
---------------------------------
100% DPO

6. CHALLENGES - PART I
• SECURITY BY DEFAULT
• SECURITY BY DESIGN
• DATA – WHERE?
• DATA – WHAT?
☞
• MINIMISE DATA COLLECTION
• RESTRICT ACCESS – NEED TO KNOW
• AUDIT TRAILS
☞
• DATA FLOW MAP
• DATA LOCATION (CLOUD)
• DATA STRUCTURE
TWO JPGS BUT DIFFERENT DATA >>>

7. CHALLENGES - PART II
• PSEUDO ANONYMIZATION
• ENCRYPTION
• BACKUPS
• RISK ASSESSEMENTS & PIA FOR RISKY PROCESSING
ONLY ENCRYPT DATA IF
YOU KNOW WHAT YOU
ARE DOING!
NOT THAT SIMPLE TO
PRESS DELETE

8. 3RD PARTY MANAGEMENT
DATA DATA TRANSFER
CONTROLLERDATA SUBJECT DATA PROCESSOR
 Review contractual agreements with DATA PROCESSORS (3rd parties)
 New market for AUDITS and CERTIFICATION
 Keep evidence of DATA TRANSFERS
 Pay attention to the data LOCATION (eg. outside EU)

9. BREACH NOTIFICATION
• Inform SA not later than 72 hours after having become aware of it
• Reporting under NIS Directive (eg. CIN)
• Inform Data Subject (eg. data not encrypted)
few questions …
• How good is your incident response program ?
• Do you have tools to monitor data processing and detect incidents ?
• Do you have enough people to operate the tools ?

10. TECHNOLOGY + ______________ = TOWARDS ”COMPLIANCE”
• Every vendor has at least one TOOL that’s “GDPR perfect”
• Plan before you buy … what you want to achieve
• Make sure people are comfortable with the TECHNOLOGY they will use
 DATA DISCOVERY TOOLS
 DATA CLASIFICATION AND DATA LOSS PREVENTION
 DOCUMENT MANAGEMENT SYSTEM
 ENCRYPTION
 SIEM
 … sky is the limit …
PEOPLE

11. CONCLUSION