This document provides an overview of key considerations for complying with the General Data Protection Regulation (GDPR) as it relates to third party partners and suppliers. It discusses identifying personal data assets and flows, amending third party agreements to ensure compliance commitments, conducting third party vendor assessments, and technical and organizational security measures for protecting personal data such as pseudonymization, encryption, access controls and logging. The document emphasizes that controllers are responsible for personal data processed by third parties and outlines initial steps organizations can take to improve privacy and security.
This document provides an overview of the General Data Protection Regulation (GDPR) for being ready to comply with it. It discusses how GDPR is different from previous regulations by focusing on personal data rights. It outlines the key principles of GDPR, including data protection by design. It describes the responsibilities of data controllers and processors. It presents a pyramid structure showing the levels of personal data, processing purposes, authorization for processing, and rights to personal data. It discusses requirements around records management, security, and breach notification. The key takeaways are that data protection involves both usage and disclosure of data, and that GDPR focuses on individual rights related to data analytics and identification.
Everything You Need to Know about the Data Protection Officer Role - HackerOne
Data privacy and security expert, Debra Farber, presents on the emerging role of the Data Protection Officer (DPO). When the EU's General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018, companies around the world who process the personal data of EU residents will be required by law to appoint an independent DPO who has specific responsibilities and data protection knowledge.
At the Synopsys Security Event Israel, Ram Levi, Founder & CEO, Konfidas presented on GDPR. For more information, please visit our website at www.synopsys.com/software
This document summarizes a GDPR breakfast briefing that was held on March 8, 2018. It discusses why the new GDPR regulations are being introduced, as the current Data Protection Act is outdated. Key points of the new GDPR are outlined, including increased responsibilities for controllers and processors of personal data, new rights for individuals, and the six principles of lawful personal data processing. Businesses are advised to conduct a data audit, develop a GDPR compliance strategy and roadmap, and address questions about registration, training, data protection officers and data breaches to prepare for the introduction of GDPR by May 2018.
Security, Privacy Data Protection and Perspectives to Counter Cybercrime 0409... - Gohsuke Takama
"Security, Privacy Data Protection and Perspectives to Counter Cybercrime" was presented at the CodeGate 2008 security conference in Seoul, Korea, April 2008.
http://www.codegate.org/
2011 Hildebrandt Institute CIO Forum Data Privacy and Security Presentation... - David Cunningham
The document discusses a presentation on leveraging IT in times of fiscal restraint to support evolving law firm business models, with specific focus on data privacy and security risk management and competitive advantage. Speakers include CISOs and IT risk managers from law firms who cover topics like data regulations, examples of regulated data, information security roles, ISO 27001 certification, audits, components of information security programs, service provider management, and contractual controls. The presentation then ends with a question and answer session.
Blockchains: Opportunities & Risks for Law Firms [RelativityFest 2018] - Kroll
With a dramatic increase in high-profile receiverships, regulatory fact finding, and class action lawsuits, it’s clear that cases involving blockchain technology are on the rise—and so is the risk these engagements bring to your firm. Learn what you can do to recognize when digital assets (such as Bitcoin and Ethereum) are involved in an engagement, how to reduce your exposure to risk with proper collection and review processes, and how to uncover and understand all the relevant information.
Presented by Josh McDougall, Director, Cyber Risk at Kroll during RelativityFest 2018
The data protection law reform is coming, with the General Data Protection Regulation (GDPR) taking effect from 25 May 2018. You should start preparing now for the changes that GDPR will require to your current policies and procedures. This presentation is an overview of what it is about.
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct... - Harrison Clark Rickerbys
Slideshow from GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Directors, IT Directors & Ops Directors, on 7th March 2018 at Hilton Puckrup Hall
The document provides an overview of the key aspects of the European Union's General Data Protection Regulation (GDPR). It discusses definitions like personal data, the rights of individuals as data subjects, and key principles of GDPR around consent, data breaches, international transfers, the right to be forgotten, and privacy by design. It outlines actors like controllers and processors, their obligations, and components of GDPR compliance like impact assessments, authorities, and fines for non-compliance.
This document discusses data privacy and protection laws in India. It provides an overview of the key legislation governing this area, the Information Technology Act 2000 and amendments. It outlines some international privacy laws as examples. The document then details India's Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 which regulate how companies must handle sensitive personal data and ensure security practices. It also discusses data theft issues and related penal provisions under the IT Act and Indian Penal Code.
ControlCase discusses the following:
- What is GDPR?
- How will it impact me?
- How can I become compliant?
- What is the timeline?
- What are the consequences if not met?
ISACA New Delhi India Privacy and Big Data - Ulf Mattsson
This document summarizes Ulf Mattsson's presentation on bridging the gap between privacy and big data. Some key points:
- Ulf Mattsson is the CTO of Protegrity and has over 20 years of experience in encryption, tokenization, and data security.
- Big data and cloud computing are driving needs for data security due to regulations, expanding threats, and the desire to gain insights from sensitive data. However, emerging technologies also introduce new vulnerabilities.
- Regulations like PCI DSS and various privacy laws mandate protecting sensitive data. Compliance is important as non-compliance results in fines.
- Threats are also expanding as cyber criminals target valuable data and insiders remain
The GDPR changes are fast approaching and time is running out to prepare yourself and your data. GDPR is an important topic that you will need to know inside out for your business and marketing to succeed. CommuniGator can help you get fully prepared for its arrival.
We are here to answer YOUR GDPR questions to arm you with everything you need to ensure you are compliant come May 2018.
Find out how the new data law will affect your B2B marketing abilities. We answer all your questions with a Q&A section from our experts in the field – so you can really get to grips with the changes.
We cover:
- The good the bad and the ugly of GDPR
- Your own checklist to becoming compliant
- How to get your existing data ‘double opted-in’
- Answers to your burning questions!
Cross Border - Off-shoring and Outsourcing Privacy Sensitive Data - Ulf Mattsson
Ulf Mattsson is the CTO of Protegrity, with over 20 years of experience in research and development and global services at IBM. He has been involved in developing encryption, tokenization, and intrusion prevention technologies. The document discusses cross-border offshoring and outsourcing of privacy sensitive data in the cloud. It notes that cloud services are often provided by third parties and can involve data being stored in multiple locations. Regulations like PCI DSS and national privacy laws apply when data crosses borders or is outsourced. Sensitive data needs to be protected to comply with regulations and address threats while also enabling useful insights from the data. Methods like de-identification through tokenization and encryption can protect identifiable data
Countdown to CCPA: 48 Days Until Your IBM i Data Needs to Be Secured - Precisely
The California Consumer Privacy Act (CCPA) takes effect on January 1, 2020, mandating that data about consumers be protected against a breach. If your IBM i system contains data for consumers from the state of California, the time to prepare is now.
In this webinar featuring well-known IBM i encryption expert Patrick Townsend, we share information that will help you prepare for CCPA compliance, including:
• Consumer rights granted by CCPA
• Hardening systems to prevent a breach
• Obscuring data to prevent exposure
• How Syncsort can help
CCPA is almost here. View this webinar on-demand and get started down the path to compliance!
The document provides an overview and agenda for a conference on achieving compliance with the General Data Protection Regulation (GDPR). It discusses key aspects of GDPR compliance including identifying personal data, data subject rights, security requirements, international data transfers, and remedies for non-compliance. Various vendors also present on how their products can help organizations meet GDPR requirements through features such as digital consent management and customizable reporting on personal data. An example case study highlights how one company used DocuSign to address challenges around manual processes, GDPR readiness, and security of personal information.
Norfolk Chamber delivered a morning conference based around the European General Data Protection Regulation (GDPR), which will come into force on May 25, 2018. Delegates heard from a variety of GDPR expert speakers from legal, marketing, IT and data protection perspectives.
25th May 2018 marks the enforcement date of EU’s General Data Protection Regulation. This new regulation strives to increase privacy for individuals and penalize businesses in breach. The complexity organizations face in managing consumer data is driving the growth of privacy tech solutions that decisively address a slew of privacy compliance challenges.
This document discusses privacy engineering and assurance. It begins by defining key privacy terminology like personally identifiable information and privacy principles. It then discusses elements of an accountable privacy program, including executive oversight, policies and processes, risk assessment, and complaint handling. The document outlines privacy activities across a product life cycle, including privacy impact assessments and risk management. It also discusses assessing privacy maturity and related business processes. Finally, it provides an example use case for conducting a privacy assessment.
Geek Sync | Tackling Key GDPR Challenges with Data Modeling and Governance - IDERA Software
You can watch the replay for this Geek Sync webcast in the IDERA Resource Center: http://ow.ly/tLtr50A5b4b
The General Data Protection Regulation (GDPR) is inevitable and goes live in the EU beginning May 25th 2018. It touches all technical and organizational measures as well as the design of internal systems and processes, and affects all companies around the world that have customers in the EU.
Join IDERA and Dr. Sultan Shiffa as he focuses on how data modeling, governance and collaboration help Executives, IT Managers, Architects, DBAs and Developers tackle the key challenges around data protection by design and by default, individual rights to access and erasure, valid consent, data protection roles and accountabilities, data breach notifications, and auditing the records of data processing activities. This session will also explore best practices and examples for how to master those challenges and assess the data protection impact. After this session, you can be prepared to become GDPR compliant ahead of the deadline and beyond.
The document discusses protecting corporate data from theft and leakage. It identifies common causes of data breaches like weak internal controls, lack of policies and awareness. The document differentiates between data theft, where data is intentionally stolen, and leakage, where data is accidentally released. It provides examples of how data is typically taken, like through portable storage devices, email and printing. Finally, it outlines steps companies can take to better protect their data, such as identifying and classifying sensitive data, assessing risks, developing policies and using auditing tools.
Marketing under the GDPR: What You Can and Cannot Do [Webinar Slides] - TrustArc
Watch the free webinar on-demand NOW: https://info.trustarc.com/marketing-under-gdpr-webinar.html
Practical advice on what marketing activities can and can’t be done.
Marketing is an area that will be highly impacted by changes required under the GDPR, but there is a lack of clear guidance as to what the compliance requirements mean in practice. Do you need consent for everything? How can direct marketing practices comply with the GDPR and still meet business objectives?
This on-demand webinar will support privacy and marketing teams by providing practical advice on what marketing activities can and cannot be done.
#trustarcGDPRevents
Webinar Speakers
James Koons
Senior Privacy Consultant, TrustArc
To register for upcoming/on-demand webinars visit: https://www.trustarc.com/events/webinar-schedule/
The document discusses the General Data Protection Regulation (GDPR) and provides information to help organizations comply. It lists types of personal data covered by GDPR and outlines typical questions organizations may have. It also discusses developing an incident response plan for data breaches and following a process to understand how personal data flows within an organization. The final section presents options for managing a GDPR compliance project either internally or with external support.
The General Data Protection Regulation (GDPR) tidal wave has hit; are you ready? Is your organization prepared for the extensive privacy requirements GDPR puts forth for any organization handling EU data subjects' personal data? At this point, organizations must have a complete inventory of personal data and have conducted a DPIA against it. A handful of supervisory authorities have issued compliance guidelines, but your organization must be able to assess compliance with this ambiguous regulation at any time.
Many aspects of GDPR define the distinction between a data collector and a data processor, their respective responsibilities and compliance requirements. Those responsibilities will have an effect on the contracts you negotiate with third parties, the way in which you evaluate the risks involved in establishing a business relationship, and the policies you develop to maintain compliance with the regulations.
Join this webinar to learn:
- More information about GDPR and what the industry is experiencing to date
- What minimum requirements you should have had in place by May 25, 2018
- What you should plan to do for the next 12-18 months if you are not completely ready
- What the SEC Privacy Shield program is and why you should self-certify
- How to continuously monitor vendor risk KPIs
Webcast title: GDPR: Protecting Your Data
Description: Find out why data protection and encryption are an essential component of your GDPR readiness process.
Specifically, we will cover:
- What is considered "personal data" and why it needs to be "protected"
- The legal aspects of data protection under GDPR
- The technical ways to protect personal data, including pseudonymization
In this session you will learn from the leading experts:
- Ulf Mattsson: the father of database encryption.
- Martyn Hope: the co-founder of the GDPR Institut.
- Mark Rasch: former Chief Cybersecurity Evangelist at Verizon, who led the DOJ's Cyber Crime Unit.
Presenters: Ulf Mattsson, Martyn Hope, Mark Rasch, David Morris
Blockchains: Opportunities & Risks for Law Firms [RelativityFest 2018]Kroll
With a dramatic increase in high-profile receiverships, regulatory fact finding, and class action lawsuits, it’s clear that cases involving blockchain technology are on the rise—and so is the risk these engagements bring to your firm. Learn what you can do to recognize when digital assets (such as Bitcoin and Ethereum) are involved in an engagement, how to reduce your exposure to risk with proper collection and review processes, and how to uncover and understand all the relevant information.
Presented by Josh McDougall, Director, Cyber Risk at Kroll during RelativityFest 2018
The Data protection law reform is coming with the General Data Protection Regulation (GDPR) taking effect from 25 May 2018. You should start preparing now for changes that GDPR will require to your current policies and procedures. This presentation is an overview of what it is about.
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...Harrison Clark Rickerbys
Slideshow from GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Directors, IT Directors & Ops Directors, on 7th March 2018 at Hilton Puckrup Hall
The document provides an overview of the key aspects of the European Union's General Data Protection Regulation (GDPR). It discusses definitions like personal data, the rights of individuals as data subjects, and key principles of GDPR around consent, data breaches, international transfers, the right to be forgotten, and privacy by design. It outlines actors like controllers and processors, their obligations, and components of GDPR compliance like impact assessments, authorities, and fines for non-compliance.
This document discusses data privacy and protection laws in India. It provides an overview of the key legislation governing this area, the Information Technology Act 2000 and amendments. It outlines some international privacy laws as examples. The document then details India's Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 which regulate how companies must handle sensitive personal data and ensure security practices. It also discusses data theft issues and related penal provisions under the IT Act and Indian Penal Code.
ControlCase discusses the following: - What is GDPR? - How will it impact me? - How can I become compliant? - What is the timeline? - What are consequences if not met?
Isaca new delhi india privacy and big dataUlf Mattsson
This document summarizes Ulf Mattsson's presentation on bridging the gap between privacy and big data. Some key points:
- Ulf Mattsson is the CTO of Protegrity and has over 20 years of experience in encryption, tokenization, and data security.
- Big data and cloud computing are driving needs for data security due to regulations, expanding threats, and the desire to gain insights from sensitive data. However, emerging technologies also introduce new vulnerabilities.
- Regulations like PCI DSS and various privacy laws mandate protecting sensitive data. Compliance is important as non-compliance results in fines.
- Threats are also expanding as cyber criminals target valuable data and insiders remain
The GDPR changes are fast approaching and time is running out to prepare yourself and your data. GDPR is an important topic that you will need to know inside out for your business and marketing to succeed. CommuniGator can help you get fully prepared for its arrival.
We are here to answer YOUR GDPR questions to arm you with everything you need to ensure you are compliant come May 2018.
Find out how the new data law will affect your B2B marketing abilities. We answer all your questions with a Q&A section from our experts in the field – so you can really get to grips with the changes.
We cover:
- The good the bad and the ugly of GDPR
- Your own checklist to becoming compliant
- How to get your existing data ‘double opted-in’
- Answers to your burning questions!
Cross border - off-shoring and outsourcing privacy sensitive dataUlf Mattsson
Ulf Mattsson is the CTO of Protegrity, with over 20 years of experience in research and development and global services at IBM. He has been involved in developing encryption, tokenization, and intrusion prevention technologies. The document discusses cross-border offshoring and outsourcing of privacy sensitive data in the cloud. It notes that cloud services are often provided by third parties and can involve data being stored in multiple locations. Regulations like PCI DSS and national privacy laws apply when data crosses borders or is outsourced. Sensitive data needs to be protected to comply with regulations and address threats while also enabling useful insights from the data. Methods like de-identification through tokenization and encryption can protect identifiable data
Countdown to CCPA: 48 Days Until Your IBM i Data Needs to Be SecuredPrecisely
The California Consumer Privacy Act (CCPA) takes effect on January 1, 2020, mandating that data about consumers be protected against a breach. If your IBM i system contains data for consumers from the state of California, the time to prepare is now.
In this webinar featuring well-known IBM i encryption expert Patrick Townsend, we share information that will help you prepare for CCPA compliance, including:
• Consumer rights granted by CCPA
• Hardening systems to prevent a breach
• Obscuring data to prevent exposure
• How Syncsort can help
CCPA is almost here. View this webinar on-demand and get started down the path to compliance!
The document provides an overview and agenda for a conference on achieving compliance with the General Data Protection Regulation (GDPR). It discusses key aspects of GDPR compliance including identifying personal data, data subject rights, security requirements, international data transfers, and remedies for non-compliance. Various vendors also present on how their products can help organizations meet GDPR requirements through features such as digital consent management and customizable reporting on personal data. An example case study highlights how one company used DocuSign to address challenges around manual processes, GDPR readiness, and security of personal information.
Norfolk Chamber delivered a morning conference based around the European General Data Protection Regulation (GDPR), which will come into force on May 25 2018. Delegates heared from a variety of GDPR expert speakers from legal, marketing, IT and Data Protection perspectives.
25th May 2018 marks the enforcement date of EU’s General Data Protection Regulation. This new regulation strives to increase privacy for individuals and penalize businesses in breach. The complexity organizations face in managing consumer data is driving the growth of privacy tech solutions that decisively address a slew of privacy compliance challenges.
This document discusses privacy engineering and assurance. It begins by defining key privacy terminology like personally identifiable information and privacy principles. It then discusses elements of an accountable privacy program, including executive oversight, policies and processes, risk assessment, and complaint handling. The document outlines privacy activities across a product life cycle, including privacy impact assessments and risk management. It also discusses assessing privacy maturity and related business processes. Finally, it provides an example use case for conducting a privacy assessment.
Geek Sync | Tackling Key GDPR Challenges with Data Modeling and GovernanceIDERA Software
You can watch the replay for this Geek Sync webcast in the IDERA Resource Center: http://ow.ly/tLtr50A5b4b
The General Data Protection Regulation (GDPR) is inevitable and goes live in the EU beginning May 25th 2018. It touches all technical and organizational measures as well as the design of internal systems and processes, and affects all companies around the world that have customers in the EU.
Join IDERA and Dr. Sultan Shiffa as he focuses on how data modeling, governance and collaboration help Executives, IT Managers, Architects, DBAs and Developers tackle the key challenges around data protection by design and by default, individual rights to access and erasure, valid consent, data protection roles and accountabilities, data breach notifications, and auditing the records of data processing activities. This session will also explore best practices and examples for how to master those challenges and assess the data protection impact. After this session, you can be prepared to become GDPR compliant ahead of the deadline and beyond.
The document discusses protecting corporate data from theft and leakage. It identifies common causes of data breaches like weak internal controls, lack of policies and awareness. The document differentiates between data theft, where data is intentionally stolen, and leakage, where data is accidentally released. It provides examples of how data is typically taken, like through portable storage devices, email and printing. Finally, it outlines steps companies can take to better protect their data, such as identifying and classifying sensitive data, assessing risks, developing policies and using auditing tools.
Marketing under the GDPR: What You Can and Cannot Do [Webinar Slides]TrustArc
Watch the free webinar on-demand NOW: https://info.trustarc.com/marketing-under-gdpr-webinar.html
Practical advice on what marketing activities can and can’t be done.
Marketing is an area that will be highly impacted by changes required under the GDPR, but there is a lack of clear guidance as to what the compliance requirements mean in practice. Do you need consent for everything? How can direct marketing practices comply with the GDPR and still meet business objectives?
This on-demand webinar will support privacy and marketing teams by providing practical advice on what marketing activities can and cannot be done.
#trustarcGDPRevents
Webinar Speakers
James Koons
Senior Privacy Consultant, TrustArc
To register for upcoming/on-demand webinars visit: https://www.trustarc.com/events/webinar-schedule/
The document discusses the General Data Protection Regulation (GDPR) and provides information to help organizations comply. It lists types of personal data covered by GDPR and outlines typical questions organizations may have. It also discusses developing an incident response plan for data breaches and following a process to understand how personal data flows within an organization. The final section presents options for managing a GDPR compliance project either internally or with external support.
General Data Protection Regulation (GDPR) tidal wave that has hit, are you ready? Is your organization prepared for the extensive privacy requirements GDPR puts forth for any organization handling EU Data Subjects' personal Data? At this point, organizations must have a complete inventory of personal data and have conducted a DPIA against it. A handful of supervisory authorities have issued compliance guidelines, but your organizations must be able to assess compliance with this ambiguous regulation at any time.
Many aspects of GDPR define the distinction between a data collector and a data processor, their respective responsibilities and compliance requirements. Those responsibilities will have an effect on the contracts you negotiate with third parties, the way in which you evaluate the risks involved with establishing a business relationship and the policies you develop to maintain compliance to the regulations.
Join this webinar to learn:
*More information about GDPR and what the industry is experiencing to date
*What minimum requirements you should have had in place by May 25, 2018
*What you should plan to do for the next 12-18 months if you are not completely ready
*What the SEC Privacy Shield program is and why you should self-certify
*How to continuously monitor vendor risk KPIs
Webcast title : GDPR: Protecting Your Data
Description : Find out why data protection and encryption are an essential component of preparing for your GDPR readiness process.
Specifically, we will cover:
What is considered "Personal Data" and why it needs to be "protected"
The Legal Aspects of Data Protection under GDPR.
The technical ways to protect personal data, including pseudonymization
In this Session you will learn from the leading experts:
- Ulf Mattsson: The father of database encryption.
- Martyn Hope: The Co-Founder of the GDPR Institut.
- Mark Rasch: Former Chief Cybersecurity Evangelist at Verizon and led the DOJ's Cyber Crime Unit.
Presenter : Ulf Mattsson, Martyn Hope, Mark Rasch, David Morris
This presentation reviews GDPR at a high level, and presents the core philosophy behind GDPR as well as the key concepts and key elements to consider in your data protection program.
The document discusses requirements for companies under the General Data Protection Regulation (GDPR) when working with third party partners and suppliers. It emphasizes that companies are responsible for personal data processed by third parties and should amend agreements to ensure compliance. The document provides examples of third party partners and recommends asking vendors questions to assess their ability to meet GDPR requirements regarding issues like data transfers, security, and responding to individual rights requests. Non-compliance could result in fines of up to 4% of global revenue.
Keep Calm and Comply: 3 Keys to GDPR Success (Sirius)
Recent surveys benchmarking the status of U.S. companies' efforts to meet the May 25 deadline for the EU Global Data Protection Regulation (GDPR) have revealed a startling lack of preparedness.
Companies not yet in compliance are likely to violate the directive if they don’t take immediate action, and fines can amount to 2-4 percent of a company’s annual gross revenue. Do you have the resources and information you need to comply?
View to learn:
--What GDPR means to your business
--Short, medium, and long-term actions you can take to protect regulated data and achieve compliance
--How you can streamline incident response and third-party risk management capabilities
--How to streamline the resources and technology needed to keep up with the evolving regulatory landscape
Don't fall behind on these compliance regulations. Take the steps needed to protect the data you collect.
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide (Black Duck by Synopsys)
The document discusses data breaches and relevant laws. It notes an increasing number of data breaches and introduces key laws around data security - the GDPR and NISD. The GDPR requires organizations to implement appropriate security measures to protect personal data and report breaches. It applies broadly to any group processing EU citizens' data or offering goods/services to them. The NISD focuses on essential services and digital service providers, requiring security and reporting of significant incidents. Non-compliance can result in large fines and litigation. Proper precautions such as response planning and legal advice are recommended.
5 key steps for SMBs for reaching GDPR Compliance (Gabor Farkas)
In this GDPR Compliance presentation, you can learn more about the key steps to take for GDPR Compliance, including:
- What are data management processes and how to identify them at small and medium sized businesses
- What is personal data under the GDPR and how to establish a record of processing activities to map personal data
- How does encryption help with safeguarding personal data and ensuring GDPR compliance
- What your business should do to get ready for the new General Data Protection regulation on time
This document provides an overview of data breaches and relevant privacy laws. It notes that data breaches appear to be increasing, with millions of records leaked in 2018 alone. Two key laws are the EU's General Data Protection Regulation (GDPR) and Network and Information Systems Directive (NISD), which establish security and breach reporting requirements. Under these laws, personal data must be kept secure, breaches must be reported, and fines for noncompliance can be substantial. The document outlines compliance obligations and considerations around open source software vulnerabilities.
The document provides an overview of the main requirements of the General Data Protection Regulation (GDPR). It discusses definitions of personal data, genetic data, biometric data, and health data according to the GDPR. It also summarizes nine key GDPR requirements regarding the controller vs processor roles, right to erasure, consent requirements, right of access, right to data portability, data breach reporting, record keeping, data protection by design/default, and security of processing. The document further discusses data governance topics such as data collection, consent, anonymization/pseudonymization, right to be forgotten, data access control, and data export requirements.
The document discusses best practices for managing cybersecurity and data privacy risks from third party vendors. It recommends (1) conducting due diligence on third parties' security practices before engaging them, (2) using contracts to obligate third parties to comply with security standards and notify clients of incidents, and (3) periodically assessing third parties' security based on risk. Following these practices can help companies minimize risks from third parties as required by laws and frameworks.
The document discusses social media, web 2.0, and privacy. It notes that while social media allows people to share information, it also means that personal data is increasingly collected and used in ways that impact privacy. The document outlines how companies collect and use personal data from social media as well as employees' online activities, and the privacy and legal issues this raises for both individuals and employers. It also provides recommendations for how companies can improve their data privacy and security practices.
The GDPR introduces significant new compliance obligations for any organization handling personal data of EU individuals. It increases fines for non-compliance up to 4% of global annual turnover and strengthens the rights of individuals. Key changes include new consent requirements, breach notification timelines, data protection officers, privacy by design principles, documentation requirements, and extraterritorial jurisdiction. Organizations must review their data protection practices and ensure appropriate technical and organizational security measures are implemented to protect personal data.
The document discusses how Acronis solutions help organizations comply with the GDPR through features that allow for privacy impact assessments, data access governance, secure backup storage, data breach response, and data deletion in accordance with data subject rights like access, rectification, erasure and portability. It outlines how Acronis Backup, Storage, Backup Cloud and Disaster Recovery Service provide control over data location, strong encryption, easy data access and modification, fast recovery, and logging to meet GDPR requirements.
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success (Sirius)
The EU Global Data Protection Regulation (GDPR) and New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) represent a landmark change in the global data protection space. While they originate in different countries and apply to different organizations, their primary message is the same:
Protect your data, or pay a steep price. More specifically, protect the sensitive data you collect from customers.
With deadlines looming, is your organization ready?
The time to act is now. Read more to learn:
--Key mandates and minimum requirements for compliance
--Why a comprehensive data-centric security strategy is invaluable to all data protection and data privacy efforts
--How you can gauge your organization’s incident response capabilities
--How to extend your focus beyond the organization’s figurative four walls to ensure requirements are met throughout your supply chain
The first New York requirements deadline has arrived. With the next deadline of mandates only 6 months away, you don't want to fall behind and leave your organization at risk for potential penalties and fines.
Privacy by Design and by Default + General Data Protection Regulation with Si... (Peter Procházka)
My presentation for SUG Hungary, presented on 26.06.2018, on the topic Privacy by Design and by Default and General Data Protection Regulation with Sitecore
How MongoDB can accelerate a path to GDPR compliance (MongoDB)
The timeline for compliance with the European Union’s General Data Protection Regulation (GDPR) is fast approaching. To help you ensure you’re prepared, we’re hosting an online discussion in advance of May 25th (when the regulation goes into effect). We’ll cover:
The specific requirements of GDPR
How these map to required database capabilities
How MongoDB can provide the core technology foundations to help organizations accelerate their path to compliance
Unit 6 Privacy and Data Protection 8 hr (Tushar Rajput)
The document discusses privacy and data protection. It defines privacy as an individual's ability to control how and when personal information is shared with others. It outlines several international agreements that establish privacy as a universal human right. The document also discusses the three dimensions of privacy - personal, territorial, and informational - and basic privacy principles like transparency and purpose limitation.
Digital marketing strategy presentation [autosaved] (Joe Orlando)
The document discusses how digital marketing has changed consumer purchase decisions and the importance of inbound marketing strategies. It provides tips on using metrics to measure marketing performance and ensure data drives meaningful action. Key recommendations include knowing the target audience, using a holistic inbound approach, and collaborating on an iterative strategy with defined metrics.
Digital marketing solutions has helped global enterprises adopt digital strategies for over a decade. They provide services ranging from basic social media presences to complex real-time bidding ad campaigns. Today, most purchase decisions are made online, so a digital presence is critical. Small, independent retailers have the same needs as large chains but without the same budgets or resources. DigiPOS Store Solutions developed partnerships to offer solutions typically unavailable to small businesses, like loyalty programs, mobile payments, and targeted advertising. This allows small retailers to benefit from digital marketing strategies without dedicating significant resources themselves.
Products Don't Sell Themselves
The document discusses differing perspectives on the role of product marketing. Some see it as focused on lead generation, content creation, and driving sales. Others see a broader strategic role in understanding customer needs, defining compelling products and value propositions, and ensuring alignment across functions. The author argues that marketing should contribute in all these areas by understanding customer problems and opportunities rather than just selling existing products. True success comes from solving customer needs, not from any single function alone.
Credit unions have struggled over the past decade as their target demographics have changed dramatically. Younger consumers expect to do their banking digitally and demand services like mobile access that many smaller credit unions cannot provide. Additionally, over-regulation has increased compliance costs for credit unions. To adapt, credit unions must modernize their digital offerings, focus on data analytics to better target potential members, and get more creative with their marketing, focusing on member benefits rather than just promoting loans. The pandemic accelerated credit union challenges, causing average shrinkage of 7%, so retention efforts are also critical alongside new member acquisition.
General Data Protection Regulation kick off (Joe Orlando)
The document discusses the General Data Protection Regulation (GDPR) which takes effect on May 25, 2018. It defines personal data as any information relating to an identified or identifiable natural person, including various types of data like name, location, identification number, online ID, genetic, gender, physical, ethnic, cultural, social identity, memberships, and biometric. Data can exist in different states including at rest, at work, and in motion. The GDPR requires that everyone who handles personal data, including data controllers and processors, must be able to explain what data they have, where it is stored, when it is shared, who has access to it, why it is needed, and how it is secured. Responsive
The document discusses information security strategies for securing personal identifiable information (PII) and protected health information (PHI) under the General Data Protection Regulation (GDPR). It provides options for securing data at rest, in motion, and in use, including access controls, encryption, data minimization techniques, and pseudonymization. It also outlines an initial approach and recommendations for securing PII/PHI pre- and post-May 2018 that focus on access restrictions, secure data transmission, and encryption of workstations and data.
This document outlines best practices for avoiding common "landmines" or pitfalls in outsourcing deals. It identifies five main landmines: 1) inadequate knowledge transfer from the customer to the vendor, 2) inadequate measurement of service level performance, 3) lack of response scenario planning, 4) lack of executive sponsorship and commitment to seeing the project through challenges, and 5) lack of flexibility built into the contract. For each landmine, it provides recommendations for remedies to reduce risks and complications. It then provides a detailed checklist of elements that should be addressed when constructing an outsourcing agreement to help make it a performance-based agreement and protect the customer.
This document discusses innovation and perspectives on innovation. It encourages considering different perspectives, such as viewing Icarus's story as one of genius not just tragedy. It also suggests asking if a "glass is too small or too big" rather than just if it is half full or empty. The document provides themes around innovation initiatives and projects, including people resisting change. It advocates revisiting the story of Icarus to identify opportunities, create visions, articulate steps, rally resources, unblock obstacles, and stay the course. Innovation is portrayed as a journey where every small change in direction can cause one to lose ground. Innovation should be woven into an organization's very identity.
The strategic value of offloading non-core functions as a cost saver, and of empowering the business to focus better on your core competence, is rarely questioned - WHEN DONE WELL.
This document discusses the importance of creating brand advocates through delivering excellent customer experiences. It defines brand advocates as highly satisfied, loyal customers who recommend a brand to others. Companies with strong brand advocates are more profitable due to lower marketing costs, higher customer retention and willingness to pay more. The document provides steps to create brand advocates, including defining best customer segments, understanding customer motivations, ensuring consistency across all customer touchpoints, and measuring advocacy through recommendations and repeat purchases.
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you... (Zilliz)
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0! (SOFTTECHHUB)
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Building RAG with self-deployed Milvus vector database and Snowpark Container... (Zilliz)
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
UiPath Test Automation using UiPath Test Suite series, part 5 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with DevOps.
Topics covered:
CI/CD within UiPath
End-to-end overview of CI/CD pipeline with Azure DevOps
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed in the talk. ICT and testing must carry their part of global responsibility to help with climate warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing the number of tests. Test automation can be used to speed up testing.
Removing Uninteresting Bytes in Software Fuzzing (Aftab Hussain)
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
UiPath Test Automation using UiPath Test Suite series, part 6 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Enhancing adoption of Open Source Libraries. A case study on Albumentations.AI (Vladimir Iglovikov, Ph.D.)
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
TrustArc Webinar - 2024 Global Privacy Survey (TrustArc)
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
What do a Lego brick and the XZ backdoor have in common? (Speck&Tech)
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that both are building blocks, or dependencies, of creative projects and of software. The reality is that a Lego brick and the case of the XZ backdoor have much more in common than that.
Join the presentation to immerse yourself in a story of interoperability, standards and open formats, and then discuss the important role that contributors play in a sustainable open source community.
BIO: Advocate of free software and of standard and open formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia association, where she was involved in several events, migrations and training related to LibreOffice. Previously she worked on LibreOffice migrations and training courses for several public administrations and private companies. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not following her passion for computers and for Geeko she cultivates her curiosity about astronomy (which is where her nickname deneb_alpha comes from).
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack (shyamraj55)
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
4. Significant Data Protection EU
Personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’)…”:
• Name
• Location
• Identification Number
• Online ID / Cookies
• Gender
• Personal Preferences
• Ethnic
• Cultural
• Social Identity
• Memberships
• Biometric
• CCTV Video
• Event photos
• Insurance
• Visas
• Religion
• Insurance Claims
Joe Orlando
6. NOT “Just another IT Project!”
EVERYONE “owns” the Solution.
Data Controller (who NEEDS the data): Why Do You NEED the Data?
Data Processor (who uses the data to complete tasks): What Do You DO with the Data?
How is this Data Stored; Managed; Secured; Shared; Refreshed; Processed and Destroyed?
ICT only FACILITATES the Outcome: Store, Move, Protect.
ICT Cannot Do This Alone.
9. GDPR requires businesses to implement “technical and organizational measures to provide appropriate protection to the personal data they hold.”
GDPR expressly states that such measures include:
1. The pseudonymization and encryption of personal data
2. Measures to ensure resilience of systems and services processing data
3. Measures that allow businesses to restore the availability and access to the data in the event of a breach
4. Frequent testing of the effectiveness of the security measures
11. An Individual’s Rights
• Right to Know
  • What PII You Have
  • Source of the PII You Have
  • To Where and to Whom Does My PII Go
• Right to Edit Inaccuracies
• Right to Be Forgotten (Delete)
• Right to Opt Out
  • Object to Processing
  • Object to Automatic Decision Making
• Right to Portability
• Limit Retention Period
12. OBJECTIVE: SECURE THE DATA
Secure the Personal Identifiable Information (PII) & Personal Health Information (PHI) to Prevent Unauthorized Access and, in the event of unauthorized access, the data they get is unintelligible.
13. Of the 261 pages of GDPR, “encryption” appears 4 times:
• "...implement measures to mitigate those risks, such as encryption." (P51 (83))
• "...appropriate safeguards, which may include encryption" (P121 (4.e))
• "...including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data." (P160 (1a))
• "...unintelligible to any person who is not authorised to access it, such as encryption" (P163 (3a))
14. Regulatory “PASS” if Using Encryption
“…in case of a data breach, the controller is not required to communicate to the data subject if he or she has implemented encryption as a technical and organisational protection measure” (Article 34 Par. 3 (a) GDPR).
15. OPTIONS (Easy to Hardest) / RISK to PII/PHI EXPOSURE (High to Low)
1. Subset data coming out of production
2. Access management & monitoring
3. Field preserving data masking
4. Data pseudonymization
5. Field/row/column encryption
6. Full disk encryption
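To show how the first rungs of that ladder (subsetting, field-preserving masking, pseudonymization) serve the objective on slide 12 (an unauthorized reader gets only unintelligible data), here is an added example in Python. It is my illustration, not code from Joe Orlando's deck: the sample records are constructed and fictional, the field classification is an assumption, and keyed HMAC-SHA256 is one common pseudonymization construction, chosen here so the example runs with the standard library alone. Field- and disk-level encryption are not shown; they need a cryptography library, and disk encryption in particular is transparent to any process already authorized on the host, so it protects the medium at rest rather than the individual row that leaves production.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Set

# Constructed sample records (fictional, not from the original deck), shaped
# after the personal-data categories listed on slide 4.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org",
     "id_number": "AB123456", "religion": "none", "city": "Dublin"},
    {"name": "Bob Example", "email": "bob@example.net",
     "id_number": "CD789012", "religion": "catholic", "city": "Lyon"},
]

# Assumed field classification: direct identifiers are pseudonymized; special
# category data (religion here) is only copied if the purpose explicitly needs it.
DIRECT_IDENTIFIERS: Set[str] = {"name", "email", "id_number"}
SPECIAL_CATEGORY: Set[str] = {"religion"}


def mask_field(value: str, keep_last: int = 2) -> str:
    """Field-preserving masking: same length as the original, only the last
    `keep_last` characters visible (support screens, tickets, test fixtures)."""
    hidden = max(len(value) - keep_last, 0)
    return "*" * hidden + value[hidden:]


def pseudonymize(value: str, key: bytes, field: str) -> str:
    """Keyed pseudonymization with HMAC-SHA256. The field name is mixed in so
    the same string in two fields yields different tokens. Without the key a
    token can be neither reversed nor regenerated; the key is the 'additional
    information' that must be kept separately for this to count as
    pseudonymization rather than plain hashing."""
    mac = hmac.new(key, field.encode() + b"\x00" + value.encode(), hashlib.sha256)
    return "pseu_" + mac.hexdigest()[:24]


def protect_record(record: Dict[str, str], key: bytes,
                   purpose_fields: Iterable[str]) -> Dict[str, str]:
    """Subset to what the stated purpose needs (slide 6: why do you NEED the
    data?), then pseudonymize direct identifiers. Fields outside the purpose,
    including special-category data, are not copied out of production at all."""
    wanted = set(purpose_fields)
    out: Dict[str, str] = {}
    for field, value in record.items():
        if field not in wanted:
            continue                              # data minimization
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonymize(value, key, field)
        else:
            out[field] = value                    # purpose needs it as-is
    return out


def leaks_identifiers(protected: Dict[str, str], original: Dict[str, str]) -> bool:
    """Check for the slide 12 objective: does the protected copy still contain
    any raw identifier or special-category value from the original record?"""
    sensitive = {original[f] for f in DIRECT_IDENTIFIERS | SPECIAL_CATEGORY
                 if f in original}
    return any(v in sensitive for v in protected.values())


def matches_subject(token: str, claimed_value: str, key: bytes, field: str) -> bool:
    """Re-linking by the key holder only, e.g. to answer a DSAR: recompute the
    token for the claimed value and compare in constant time."""
    return hmac.compare_digest(token, pseudonymize(claimed_value, key, field))


if __name__ == "__main__":
    # Placeholder key for the demo; a real key belongs in a KMS/HSM, never
    # beside the pseudonymized data set.
    key = b"constructed-demo-key"
    for rec in SAMPLE_RECORDS:
        safe = protect_record(rec, key, purpose_fields={"name", "email", "id_number", "city"})
        print(safe, "leaks raw PII:", leaks_identifiers(safe, rec))
        print("support view of id_number:", mask_field(rec["id_number"]))
```

Note that the tokens are deterministic for one key, which is what lets a controller re-link a record for a subject's access or erasure request; it also means the output is pseudonymized, not anonymized, and still falls under GDPR while the key exists.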
20. 3rd Party Partners
• Sales Channel Partners
• Distributors
• Resellers
• Marketing Campaign Providers
• 3rd Party Processors
• Off Prem Storage and Backup Vendors
• 3rd Party Administrators (ESOP; Benefits; Pension)
• Security Providers (Physical; Swipe cards; CCTV)
• 3rd Party Analytics Providers
21. Things to Consider…
The likelihood of data going OUT from INSIDE is greater than the likelihood of data being exfiltrated from OUTSIDE.
22. Amendments to the 3rd Party Provider Agreements
Data Privacy Amendments (GPO and Legal)
• Commitment to Compliance
• Commitment to Cooperation
• Commitment to Validation and Audit
• Commitment to Being Responsive to Our Organization and DSAR
• Commitment to Incident Response
• Commitment to Appropriate Record Keeping
24. Under GDPR – Vendor Assessment Questions
• Awareness and understanding of GDPR regulations and data protection principles
• Lawfulness of processing and further processing and legitimate interests
• Consent management
• Information notices
• Data Subject rights, access, rectification, portability, erasure, object & restriction of processing processes
• Record retention policies and processes
• Privacy By Design, including Impact Assessments
• Cross Border Transfers of Personal and Sensitive Data
• Data governance obligations
• Personal data breaches and notifications
• Sub-Contractor Agreements and Controls
• Codes of conduct and certifications
• Roles, Responsibilities and Competencies
• Co-operation and consistency between supervisory authorities, remedies and liabilities
• Derogations, special conditions and delegated acts, implementing acts and final provisions
• Subcontracted processes, processors and security controls
27. Section / Sub-section / Criteria - Checks (Score)
1. Participating 3rd Party Vendor must ensure that they are fully compliant with the Our Organization Security Policy. (Score: 0)
2. The 3rd Party Provider Security Policy Baseline creates a general security and data protection baseline adapted to Our Organization needs. The 3rd Party Provider Security Policy Baseline addresses all elements of data flows into Our Organization, including national and cross-border data flows. (Score: 0)
3. The 3rd Party Provider shall take all reasonable steps to ensure data security (including data confidentiality, integrity, authenticity, availability and non-repudiation). (Score: 0)
4. 3rd Party Provider must ensure that cross-border data is not transmitted via these services to a Member State that either does not belong to or is not allowed into the cross-border environment. (Score: 0)
5. 3rd Party Vendor shall ensure that communication of identifiable personal data is subject to secure communication and end-to-end security measures. (Score: 0)
6. 3rd Party Vendor shall ensure that their 3rd Party Provider establish an appropriate system of audit trail and shall (Score: 0)
   a) allow authorised official bodies to duly inspect the established 3rd Party Vendor mechanisms for data collection, processing, translation and transmitting (Score: 0)
   b) make logs available for legal purposes, e.g. if requested by an individual. (Score: 0)
7. The 3rd Party Vendor must ensure that we have clearly identified the responsible data controller and data processor in accordance with the provisions of the General Data Protection Regulation. (Score: 0)
28. Area: Security Incident Management (Not Compliant)
Sub-section: Information Security Incidents
• Does the 3rd Party Provider have policies in place which set out how information security incidents, and breaches to the confidentiality of data, should be managed? (Score: 0)
• Are the security responsibilities of technical staff and the data security officer addressed at the recruitment stage, included in contracts, and monitored during an individual’s employment? Does the 3rd Party Provider engage employees and third party users of information processing facilities to sign a confidentiality (non-disclosure) agreement? (Score: 0)
• Incidents affecting security MUST be reported to the designated (by each 3rd Party Vendor) point of contact through appropriate management channels as quickly as possible. (Score: 0)
• Is all staff trained in security procedures and the correct use of the information processing facilities to minimize possible security incidents and risks? (Score: 0)
• Responsibilities and procedures for the management and operation of information processing facilities must be established. This includes the development of appropriate operating instructions and incident response procedures. (Score: 0)
Average Area Score: 0

Area: Cryptography (Not Compliant)
Sub-section: Cryptographic controls
• Does the 3rd Party Provider verify that CAs (Certificate Authorities) are registered as such in the EU Trusted Lists of Certification Service Providers? Is there a documented procedure defining this, and where? (Score: 0)
• Does the 3rd Party Provider have documented descriptions on service addresses and certificates compliant to the appropriate Regulators? (Score: 0)
Average Area Score: 0
Area: Information security aspects of business continuity management (Not Compliant)
Sub-section: Information security continuity / Planning information security continuity
• Have the availability requirements been established for the 3rd Party network?
• Have the availability requirements between the 3rd Party Provider and its service providers been defined and established? Are these documented in the Service Level or similar Agreements? (Score: 0)
Sub-section: Redundancies / Availability of information processing facilities
• Does the 3rd Party Provider have a backup procedure for at least the critical assets?
• Does the 3rd Party Provider have defined backup times (Recovery Point Objective) in alignment with the business and (if applicable) in the multilateral or other agreements between the partners in the 3rd (Score: 0)
Average Area Score: 0
29. Area: Physical and environmental security (Not Compliant)
Physical security measures should exist in the 3rd Party Vendor premises where authorized users have access to the e Information System and the respective information storing facilities (i.e. network, server rooms etc.) to ensure that only authorized personnel have physical access. Environmental safeguard measures should protect premises and systems from hazards and destruction. (Score: 0)
Sub-section: Secure Areas / Physical security perimeter
• Are the physical areas where the processing facilities and staff operating the e system are located defined and documented (e.g. under Asset Management, Procedure or elsewhere)?
• Is the 3rd Party Vendor operations environment, including networks, adequately segregated from environments operated by external parties?
• Are the 3rd Party Vendor personnel offices segregated in order to protect security of operations and preclude access by unauthorised personnel? (Score: 0)
Sub-section: Physical entry controls
• Do the 3rd Party Vendor building premises where staff operate the system have controlled building entrances and exits?
• Are building entrances and exits equipped with intruder prevention and alarm systems?
• Are visitors logged in a visitors logbook and guided when visiting the 3rd Party Vendor premises?
• Do server/computer room facilities have a visitor log system, used by the 3rd Party Vendor for logging entrances and exits to the systems room of the 3rd Party Vendor, either automatically or manually?
• Are Intruder Alarm Systems attached to a backup power supply system (battery, generator or UPS) to ensure that server rooms are adequately protected and accessible during a disruption to the main power supply system?
• Are the permission rights of personnel to those areas documented, reviewed and updated at specified intervals?
(Note: the retention period of access logs and any CCTV recordings must respect the nationally applicable legislation for private and personal data protection) (Score: 0)
Sub-section: A.11.1.3 Securing offices, rooms and facilities
• Are 3rd Party Vendor offices where staff operate the e information system protected by physical measures adequate for the level of sensitivity of the system? (Score: 0)
Equipment should be physically protected from security threats and environmental hazards. Protection of equipment is necessary to reduce the risk of unauthorized access to data and to protect against loss or damage. This should also take into consideration equipment location and disposal. Special controls may be required to protect against hazards or unauthorized access, and to safeguard supporting facilities, such as the electrical supply and cabling infrastructure. (Score: 0)
30. Area: Information security policies
Sub-section: Management direction for information security / Policies for information security
• Does the 3rd Party Provider have documented policies that define how personally identified information is safeguarded? (Score: 0)
Sub-section: Review of the policies for information security
• Are the 3rd Party Vendor responsibilities defined for managing the lifecycle of the Security Policies, ensuring that they are always kept up to date? (Score: 0)
Average Area Score: 0

Area: Organization of information security (Not Compliant)
Sub-section: Internal organization / Information security roles and responsibilities
• Are the responsibilities for the 3rd Party Vendor Processes (especially for information security) included in the security policies?
• Are the specific processes and assets of the 3rd Party Vendor identified and defined?
• Are the local responsibilities for the protection of assets for the 3rd Party Vendor documented and carried out?
• Is the process of information security risk management documented and suitable?
• Does the information security risk management process include the 3rd Party Vendor's processes and assets? (Score: 0)
Sub-section: Segregation of duties
• Has the 3rd Party Provider assigned someone responsible for the security of information within the context of e? (Score: 0)
Average Area Score: 0

Area: Operations Security (Not Compliant)
Integrity: When information is sent from one country to another, it must be assured that the information has been properly received by the end user (source of country B). (Note: this requirement is applicable under the Information Security Domain in the area "Integrity") (Score: 0)
Confidentiality: The 3rd Party Provider must ensure that Our Organization data is not transmitted to a 3rd Party Vendor not belonging or allowed into the Our Organization environment. The 3rd Party Provider must ensure the security (confidentiality, integrity, availability, non-repudiation, authenticity and auditability) of data processed on their territory.
Event logging, protection of log information: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. Logging facilities and log information shall be protected against tampering and unauthorized access. System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. 3rd Party Vendor shall ensure that their 3rd Party Provider establish an appropriate system of audit trail and shall enable a review of the mechanisms in place to protect 3rd Party data.
Area Score: Not Scored
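Added illustration, not from the original deck, of the "event logging, protection of log information" criterion above: a hash-chained, HMAC-authenticated audit trail in which an edited or deleted administrator event is detected on review. The key is assumed to be held by the log reviewer rather than by the administrators whose actions are recorded; actors, actions and the key are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed demo key. In practice the verification key lives with the log
# reviewer (or a write-once log service), not on the systems being audited.
LOG_KEY = b"constructed-demo-key-replace-in-production"


def append_event(chain: list, actor: str, action: str, target: str, key: bytes) -> dict:
    """Append one event. Each entry carries the MAC of its predecessor and is
    itself authenticated, so a later change, insertion or deletion shows up."""
    prev = chain[-1]["mac"] if chain else "0" * 64
    entry = {"seq": len(chain), "actor": actor, "action": action,
             "target": target, "prev": prev}
    body = json.dumps(entry, sort_keys=True).encode("utf-8")
    entry["mac"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes) -> int:
    """Return the index of the first entry that fails verification, or -1
    if every entry is authentic and correctly linked to its predecessor."""
    prev = "0" * 64
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "mac"}
        expected = hmac.new(key, json.dumps(body, sort_keys=True).encode("utf-8"),
                            hashlib.sha256).hexdigest()
        if (entry.get("seq") != i or body.get("prev") != prev
                or not hmac.compare_digest(expected, entry.get("mac", ""))):
            return i
        prev = entry["mac"]
    return -1


def demo() -> tuple:
    """Constructed admin activity, the kind of record the assessment asks for."""
    chain = []
    append_event(chain, "dba01", "SELECT", "customers.iban", LOG_KEY)
    append_event(chain, "dba01", "EXPORT", "customers -> usb", LOG_KEY)
    append_event(chain, "ops02", "GRANT", "role:analyst -> customers", LOG_KEY)
    intact = verify_chain(chain, LOG_KEY)       # -1: nothing wrong
    chain[1]["action"] = "SELECT"               # entry 1 rewritten after the fact
    tampered = verify_chain(chain, LOG_KEY)     # 1: MAC no longer matches
    del chain[1]                                # entry 1 removed instead
    deleted = verify_chain(chain, LOG_KEY)      # 1: sequence and link break
    return intact, tampered, deleted
```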
32. There are options… where to start
2/5/2018
Subsetting Data used in Test/QA and Dev
Data Minimization
Pseudonymisation / Masking
Rigid Roles Based Access Controls and Management
Reduce Unauthorized Access to PII/PHI
Automatic Logging and Monitoring of User Activities (Regular Testing)
Lock Down Download and Mobile Media Ability
Make “Data in Motion” and “At Rest” Unintelligible
Format Preserving Encryption
Field; Column; Row Encryption
Encrypt Workstations (& Laptops) or Full Disk Encryption with Individual Workstation Keys
Provide end to end encryption (in motion and at rest)
33. Some First Steps…
Reduce the number of Access Points (Minimize User and Authorized Access)
Segregate, As Much As Possible, the Production Users – Testers - Developers and QA Users
Ensure Secure Data Transmission
Rigidly Restrict Access by Well Defined Role/Authorization
Prevent Data Download to Portable Media
Ensure Comprehensive Training on Handling PII/PHI as Part of Employee Code of Ethics
Reduce # of people who are “authorized to see” Sensitive Data (PII/PHI)
34. Some First Steps…
Minimize; Pseudonymise; Mask Data as Much as Viable
Ensure Data Secured “At Rest” and “In Motion”
Rigidly Restrict Access by Well Defined Role/Authorization
Implement End Point Security (DLP)
Deliberately Reduce Potential Attack Surfaces (Vulnerabilities) that Potentially Expose PII/PHI
Administer Regular Tests & Audits on Internal and 3rd Party “Data Privacy by Design and Default” Procedures, Policies and Protocols
35. OPTIONS (not mutually exclusive)
Data At Rest
• Pseudonymisation and Masking
• Rigid Roles Based Access Controls and Management
• Encrypt Workstations (& Laptops) to Prevent Download and Export
Data In Motion
• Safe or Encrypted Transfer (SFTP (connection); encrypt (the data))
• TLS Tunnel and/or ZIX for mail transport
Data In Use
• Data Minimization
• Data Subsetting
• Rigid Roles Based Access Controls and Management
• Pseudonymisation and Masking
• Format Preserving Encryption
• Field; Column; Row Encryption
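Added example, not from the original deck, of the data minimisation, pseudonymisation and masking options that slides 15, 32 and 35 list: a customer record leaving production for Test/QA/Dev is stripped of direct identifiers, its id is replaced by a keyed HMAC token, and the remaining fields get format-preserving masks, so only the key holder (assumed here to be the controller) can re-link a token to the production id, e.g. for a DSAR. The record, field names and key are constructed sample values; only the standard library is used, so no encryption library is shown.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; not real personal data.
RECORD = {
    "customer_id": "C-10442",
    "name": "Erika Mustermann",
    "email": "erika.mustermann@example.org",
    "iban": "DE89370400440532013000",
    "last_order_total": 129.90,
}

# Pseudonymisation key: kept by the controller, never shipped with the dataset.
PSEUDO_KEY = secrets.token_bytes(32)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC token: identical input gives an identical token under the
    same key, so records stay joinable, but it cannot be recomputed or
    reversed by anyone who only holds the dataset."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_email(email: str) -> str:
    """Format-preserving mask: first character and domain survive."""
    local, _, domain = email.partition("@")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_iban(iban: str) -> str:
    """Keep the country code and last four digits; the field stays IBAN-shaped."""
    return iban[:2] + "*" * (len(iban) - 6) + iban[-4:]


def subset_for_test(record: dict, key: bytes) -> dict:
    """What may leave production: minimised (name dropped), pseudonymised, masked."""
    return {
        "customer_id": pseudonymise(record["customer_id"], key),
        "email": mask_email(record["email"]),
        "iban": mask_iban(record["iban"]),
        "last_order_total": record["last_order_total"],
    }


def relink(token: str, production_ids, key: bytes):
    """Controller-side re-identification: needs both the key and the
    production id list, so a leaked test copy alone reveals nobody."""
    for cid in production_ids:
        if hmac.compare_digest(pseudonymise(cid, key), token):
            return cid
    return None
```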
36. Options: Specific Ideas
Data At Rest
• File Share
• BitLocker
• USB/Media Lock down
• DLP Policies
• Restricted Access to Db
Data In Motion
• CASB
• DLP
• Network Protocols
• ACLS
• VPN
• Firewall
Data In Use
• Rigid User Access Rules and Regular Reviews
• Proactive User Lifecycle Management
• Multi Factor Authentication