Assessing the impact of security services
Andrew Cormack, chief regulatory adviser, Jisc technologies, Jisc.
Why assess DP impact?
Legal requirement?
• GDPR Art.35 Data Protection Impact Assessment (DPIA)
• “if likely to result in a high risk to the rights and freedoms of natural persons”
Regulator recommendation?
• ICO Legitimate Interests Assessment (LIA)
• “if relying on legitimate interests”
But mostly…
To reassure us, members, customers and users that we’re creating privacy/security benefits, not risks!
Factors likely to require DPIA (Art29WP/EDPB)
Match 2 or more => usually need DPIA
• Evaluation or scoring
• Automated decision-making
• Systematic monitoring
• Sensitive (or highly-personal) data
• Data processed on large scale
• Matching/combining datasets
• Vulnerable data subjects
• Innovative use or new technological/organisational solutions
• Processing prevents data subject exercising right/using service/contract
Jisc security services…
Security operations centre (SOC)
• Large scale
• Applies to all Janet traffic
• Passive monitoring
• Mostly by machine
• Some automation (e.g. DDoS)
=> DPIA
Penetration testing service
• Small scale
• Commissioned by organisation
• Limited scope: systems and people
• Active attacks/social engineering
=> LIA
SOC DPIA
DPIA process
NOT based on ICO guide – it hadn’t been published
• So derive from GDPR text and CNIL (very) detailed approach
• Structured interviews: service managers/operators/DPO + follow-up Q&A
• User consultation
  • Annual consultation recently completed, don’t really want another
• ICO (now) suggests cyclic DPIA process
  • Consultation apparently before own risk/mitigation assessment?
  • Surely more efficient to ask users for issues you didn’t spot?
• So use 1st round DPIA report for 2nd round consultation (~18 months)
ICO DPIA cycle
[Cycle diagram: Identify need → Describe process → Consult? → Necessity and proportionality → Identify risks → Identify controls → Record and sign off → Integrate actions into plan → Review]
DPIA data gathering/reporting
Based on GDPR structure
• Description of operations and purpose
  • Controllers, processors, recipients, purpose/legal basis…
  • What data, how, where, how long…
• Assessment of necessity and proportionality
  • Individual rights/principles fit here too
• Assessment of risks to rights and freedoms (see later)
• Measures to address risks, and demonstrate compliance (see later)
• Conclusions
  • Are risks mitigated? Recommendations
DPIA risk management
Assess impact
• Think processing and data
• Effect of breach/misuse
  • On confidentiality/integrity/availability
  • Ignoring (for now) cause
• What harm results?
  • Personal, financial, …
  • Rights and freedoms
• Impact: high/medium/low
Manage likelihood
• Think causes
  • Internal (accident/malicious)
  • External (accident/malicious)
  • Environment (accident)
• Think mitigations
  • Most of which reduce likelihood
  • Some reduce impact too
• How to monitor/maintain compliance?
DPIA conclusions
• All risks mitigated to (well) below high
• Automated processing itself a significant mitigation
• Some new opportunities for controls/monitoring
• See https://ji.sc/SOC-DPIA
Penetration testing LIA
LIA process
Based on ICO light-touch risk assessment…
• Structured interviews with service managers/operators + follow-up Q&A
• What is legitimate interest? [Site improving security of key DP processes]
  • Who benefits? How? How much? Ethical/legal issues?
• Necessity: any less intrusive way to do it? [No]
• Balance benefits vs harms
  • What is relationship with individuals? What is possible impact?
  • Will you explain it? Will they object/feel intrusion?
  • What safeguards can you provide? Can they opt-out?
LIA conclusions
• Technical pentests have strong safeguards/minimisation
• Social engineering can cause harm to a few individuals
  • Targets are in positions of authority/responsibility; significant risks to others
  • Organisations must support/explain what was done and why
  • And provide guidance, training, etc. so they don’t fall for a real attack
• Organisations must fix vulnerabilities, otherwise no benefit to justify risk!
• See https://ji.sc/PENTEST-LIA
References
• DPIA
  • Art.29 https://ji.sc/DPIA-art29
  • CNIL https://ji.sc/CNIL-PIA-guides
  • [ICO https://ji.sc/ICO-DPIA]
  • https://ji.sc/SOC-DPIA
• LIA
  • ICO https://ji.sc/ICO-legitimate-interests
  • https://ji.sc/PENTEST-LIA
Get in touch…
Andrew Cormack, chief regulatory adviser
Andrew.Cormack@jisc.ac.uk
Except where otherwise noted, this work is licensed under CC-BY
Digital Storytelling Community Launch!.pptx
 
Open Access book publishing understanding your options (1).pptx
Open Access book publishing understanding your options (1).pptxOpen Access book publishing understanding your options (1).pptx
Open Access book publishing understanding your options (1).pptx
 
Scottish Universities Press supporting authors with requirements for open acc...
Scottish Universities Press supporting authors with requirements for open acc...Scottish Universities Press supporting authors with requirements for open acc...
Scottish Universities Press supporting authors with requirements for open acc...
 
How Bloomsbury is supporting authors with UKRI long-form open access requirem...
How Bloomsbury is supporting authors with UKRI long-form open access requirem...How Bloomsbury is supporting authors with UKRI long-form open access requirem...
How Bloomsbury is supporting authors with UKRI long-form open access requirem...
 
Jisc Northern Ireland Strategy Forum 2023
Jisc Northern Ireland Strategy Forum 2023Jisc Northern Ireland Strategy Forum 2023
Jisc Northern Ireland Strategy Forum 2023
 
Jisc Scotland Strategy Forum 2023
Jisc Scotland Strategy Forum 2023Jisc Scotland Strategy Forum 2023
Jisc Scotland Strategy Forum 2023
 
Jisc stakeholder strategic update 2023
Jisc stakeholder strategic update 2023Jisc stakeholder strategic update 2023
Jisc stakeholder strategic update 2023
 
JISC Presentation.pptx
JISC Presentation.pptxJISC Presentation.pptx
JISC Presentation.pptx
 
Community-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptxCommunity-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptx
 

Recently uploaded

Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 

Recently uploaded (20)

Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 

Assessing the impact of security services

  1. Assessing the impact of security services. Andrew Cormack, chief regulatory adviser, Jisc technologies, Jisc.
  2-4. Why assess DP impact?
    Legal requirement?
    •GDPR Art.35 Data Protection Impact Assessment (DPIA)
    •“if likely to result in a high risk to the rights and freedoms of natural persons”
    Regulator recommendation?
    •ICO Legitimate Interests Assessment (LIA)
    •“if relying on legitimate interests”
  5. But mostly… To reassure us, members, customers and users that we’re creating privacy/security benefits, not risks!
  6. Factors likely to require DPIA (Art29WP/EDPB). Match 2 or more => usually need DPIA
    •Evaluation or scoring
    •Automated decision-making
    •Systematic monitoring
    •Sensitive (or highly-personal) data
    •Data processed on large scale
    •Matching/combining datasets
    •Vulnerable data subjects
    •Innovative use or new technological/organisational solutions
    •Processing prevents data subject exercising right/using service/contract
  8-9. Jisc security services…
    Security operations centre (SOC)
    •Large scale
    •Applies to all Janet traffic
    •Passive monitoring
    •Mostly by machine
    •Some automation (e.g. DDoS)
    => DPIA
    Penetration testing service
    •Small scale
    •Commissioned by organisation
    •Limited scope: systems and people
    •Active attacks/social engineering
    => LIA
  11-15. DPIA process
    NOT based on ICO guide – it hadn’t been published
    •So derive from GDPR text and CNIL (very) detailed approach
    •Structured interviews: service managers/operators/DPO + follow-up Q&A
    •User consultation
      •Annual consultation recently completed, don’t really want another
      •ICO (now) suggests cyclic DPIA process
        •Consultation apparently before own risk/mitigation assessment?
        •Surely more efficient to ask users for issues you didn’t spot?
      •So use 1st round DPIA report for 2nd round consultation (~18 months)
  16. ICO DPIA cycle: Identify need → Describe the processing → Consult? → Necessity and proportionality → Identify risks → Identify controls → Record and sign off → Integrate actions into plan → Review
  17-21. DPIA data gathering/reporting. Based on GDPR structure
    •Description of operations and purpose
      •Controllers, processors, recipients, purpose/legal basis…
      •What data, how, where, how long…
    •Assessment of necessity and proportionality
      •Individual rights/principles fit here too
    •Assessment of risks to rights and freedoms (see later)
    •Measures to address risks, and demonstrate compliance (see later)
    •Conclusions
      •Are risks mitigated? Recommendations
  23-27. DPIA risk management
    Assess impact
    •Think data and processing
    •Effect of breach/misuse
      •On confidentiality/integrity/availability
      •Ignoring (for now) cause
    •What harm results?
      •Personal, financial, …
      •Rights and freedoms
    •Impact: high/medium/low
    Manage likelihood
    •Think causes
      •Internal (accident/malicious)
      •External (accident/malicious)
      •Environment (accident)
    •Think mitigations
      •Most of which reduce likelihood
      •Some reduce impact too
    •How to monitor/maintain compliance?
  28. DPIA conclusions
    •All risks mitigated to (well) below high
    •Automated processing itself a significant mitigation
    •Some new opportunities for controls/monitoring
    •See https://ji.sc/SOC-DPIA
  30-34. LIA process
    Based on ICO light-touch risk assessment…
    •Structured interviews with service managers/operators + follow-up Q&A
    •What is legitimate interest? [Site improving security of key DP processes]
      •Who benefits? How? How much? Ethical/legal issues?
    •Necessity: any less intrusive way to do it? [No]
    •Balance benefits vs harms
      •What is relationship with individuals? What is possible impact?
      •Will you explain it? Will they object/feel intrusion?
      •What safeguards can you provide? Can they opt out?
  36-39. LIA conclusions
    •Technical pentests have strong safeguards/minimisation
    •Social engineering can cause harm to a few individuals
      •Targets are in positions of authority/responsibility; significant risks to others
      •Organisations must support/explain what was done and why
      •And provide guidance, training, etc. so they don’t fall for a real attack
    •Organisations must fix vulnerabilities, otherwise no benefit to justify risk!
    •See https://ji.sc/PENTEST-LIA
  40. References
    •DPIA
      •Art.29 https://ji.sc/DPIA-art29
      •CNIL https://ji.sc/CNIL-PIA-guides
      •[ICO https://ji.sc/ICO-DPIA]
      •https://ji.sc/SOC-DPIA
    •LIA
      •ICO https://ji.sc/ICO-legitimate-interests
      •https://ji.sc/PENTEST-LIA
  41. Get in touch…
    Andrew Cormack, chief regulatory adviser, Andrew.Cormack@jisc.ac.uk
    Except where otherwise noted, this work is licensed under CC-BY.

Editor's Notes

  1. UK ICO adds Risk of Physical Harm, Tracking, Invisible Processing; deletes large scale, automated decision-making, arguably systematic monitoring (which may be a superset of “tracking”); interestingly the EDPB pushes back against such modifications… Maybe it *is* harmonising?