
(2017) GDPR – What Does It Mean For The Mainframe v0.2


In this session Rui will explain what the General Data Protection Regulation (GDPR) is and what its implications are for the mainframe. Get your mainframe ready and compliant with the GDPR before it comes into effect on May 25th, 2018.


  1. GDPR – What Does It Mean For The Mainframe? (Delivering the best in z services, software, hardware and training. Delivering the best in z services, skills, security and software.)
  2. Who am I? A quick introduction… Rui Miguel Feio: Senior Technical Lead at RSM Partners; based in the UK but travels all over the world; 18 years' experience working with mainframes; started with IBM as an MVS Sys Programmer; specialist in mainframe security; experience in other platforms.
  3. Data Privacy in a Digital World
  4. http://www.ohchr.org/EN/Issues/DigitalAge/Pages/DigitalAgeIndex.aspx
  5. The UK Data Protection Act: The Data Protection Act controls how your personal information is used by organisations, businesses or the government. Everyone responsible for using data has to follow strict rules called ‘data protection principles’. https://www.gov.uk/data-protection/the-data-protection-act
  6. https://www.webpagefx.com/blog/general/what-are-data-brokers-and-what-is-your-data-worth-infographic/
  7. “It knows who you are. It knows where you live. It knows what you do.” New York Times. https://www.webpagefx.com/blog/general/what-are-data-brokers-and-what-is-your-data-worth-infographic/
  8. The Paradigm of Private Data
  9. General Data Protection Regulation (GDPR)
  10. GDPR Regulation: GDPR is composed of 11 chapters and 99 articles: Chapter 1 – General provisions; Chapter 2 – Principles; Chapter 3 – Rights of the data subject; Chapter 4 – Controller and processor; Chapter 5 – Transfers of personal data to third countries or international organisations; Chapter 6 – Independent supervisory authorities; Chapter 7 – Cooperation and consistency; Chapter 8 – Remedies, liability and penalties; Chapter 9 – Provisions relating to specific processing situations; Chapter 10 – Delegated acts and implementing acts; Chapter 11 – Final provisions.
  11. GDPR Overview: The General Data Protection Regulation is to be enforced from 25 May 2018. This regulation will impact any business, whether based in the EU or not, that holds the personal data of EU citizens. GDPR is driven by two serious threats: reputational damage, and monetary fines (up to €20m or 4% of total worldwide annual turnover, whichever is higher). It is mandatory for businesses of over 250 employees to appoint a Data Protection Officer (DPO). GDPR has several rules such as ‘the right to be forgotten’. http://www.eugdpr.org/
  12. Brexit and GDPR: 1 in 4 companies in the UK have stopped preparing for GDPR. “If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective as to whether or not the UK retains the GDPR post-Brexit.” * 84% of financial services firms are not prepared for GDPR.** (* http://www.eugdpr.org/gdpr-faqs.html; ** 2016 Egress article)
  13. How Does GDPR Affect The Mainframe?
  14. Current Status: Most mainframe sites have not started to prepare for GDPR! The main reasons are: the belief that it only applies to countries of the European Union; “the mainframe is unhackable, so there’s nothing to be done”; “the mainframe meets all the GDPR requirements by default”. Funnily enough, in some cases the GDPR compliance box has been ticked without the mainframe technical teams even being consulted!!
  15. Do You Know? How much customer data do you store on the mainframe? What type of data are you collecting? How much of that data relates to EU citizens or companies? How is the data processed, managed, stored and protected? Which applications and processes use the data? Who has access to it? Is the data properly classified?
  16. Your mainframe got breached?
  17. How To Avoid “Losing” Your Head?
  18. You need to know your data, your processes, your applications; in summary, you need to know your mainframe environment…
  19. Mainframe Technical Perspective (1): 7 steps to meet the GDPR technical requirements. #1 – Data Discovery & Detection: identify, document and classify the data; where is it used, processed and stored? #2 – Access Control & Restriction: access to data must be restricted; access control of applications, processes and databases needs to be reviewed.
  20. Mainframe Technical Perspective (2): #3 – End-point protection: tapes and other end-point devices need to be controlled and protected. Consider this: can the data be accessed by mobile devices? Can the data be downloaded to the local terminal and transferred onto a USB memory stick? #4 – Pseudonymisation and Encryption: data should be encrypted and anonymised both “at rest” and “in transit”.
  21. Mainframe Technical Perspective (3): #5 – Backup and Recovery: think of CIA: Confidentiality, Integrity and Availability. #6 – Anti-virus & Malware detection: does not apply to the mainframe (until it does); think of alerting and monitoring. #7 – Vulnerability scanning and Penetration testing: consider undertaking these tests at a reasonable frequency to keep measuring your security effectiveness.
  22. Mainframe Technical – Summary: Review, Secure, Monitor.
  23. Consider Security Certifications: Although not a direct GDPR requirement (at least not at the moment), consider security certifications. It is extremely likely that approved certifications or codes of conduct specifically for GDPR will arrive, and it’s also highly possible that these will look for security certifications as prerequisites (e.g. ISO 27001).
  24. Mainframe Technical Hardware
  25. Mainframe Technical Software: some examples of products that may help with GDPR: IBM zSecure (or Vanguard’s equivalent); IBM Multi-Factor Authentication for z/OS; IBM Security Identity Governance and Intelligence; RSM Exception Reporter; RSM Enterprise Connector; RSM zDetect; CA Privileged Access Manager; CA Test Data Manager; CA Data Content Discovery.
  26. The Clock is Ticking
  27. https://www.helpnetsecurity.com/2017/11/06/gdpr-impact-ma-activity/
  28. Questions?
  29. Contact: Rui Miguel Feio, RSM Partners, ruif@rsmpartners.com, mobile: +44 (0)7570 911459, www.rsmpartners.com
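As an added illustration of step #4 above (pseudonymisation of customer data), not part of the original slides or any RSM product: this Python replaces the direct identifiers in constructed sample records with keyed HMAC pseudonyms, keeps the key separate from the data, and shows why an unkeyed hash of a guessable value such as an e-mail address does not achieve pseudonymisation. The record fields, key and sample values are assumptions.

```python
import hashlib
import hmac

# Constructed sample customer records (hypothetical values, not real data).
RECORDS = [
    {"cust_id": "C0001", "email": "alice@example.com", "country": "DE", "balance": 1200},
    {"cust_id": "C0002", "email": "bob@example.com", "country": "FR", "balance": 350},
]
# Fields that directly identify a person and must not leave the secured system in clear.
DIRECT_IDENTIFIERS = ("cust_id", "email")


def weak_pseudonym(value: str) -> str:
    """Unkeyed SHA-256 of the identifier: deterministic, but anyone holding a list of
    candidate e-mail addresses can re-identify records by hashing each candidate."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym: still deterministic (so joins across datasets keep
    working), but cannot be recomputed or reversed without the separately held key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: dict, key: bytes) -> dict:
    """Return a copy of the record with direct identifiers replaced by keyed pseudonyms;
    non-identifying attributes are kept so analytics and test data still work."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonym(out[field], key)
    return out


def guess_identifier(target: str, candidates, fn):
    """Re-identification check: returns the candidate identifier whose pseudonym under
    fn equals target, or None. Use it to confirm a scheme resists guessing."""
    for cand in candidates:
        if hmac.compare_digest(fn(cand), target):
            return cand
    return None


if __name__ == "__main__":
    # The key lives in a separate, access-controlled store (e.g. a key manager), never beside the data.
    key = b"constructed-demo-key-keep-separate"
    for rec in RECORDS:
        print(pseudonymise(rec, key))
```

Run the keyed scheme with a rotated key when a dataset is re-released and the two releases can no longer be linked to each other, which is often exactly what a data-minimisation review wants.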