DevOps & CyberSec meetup agenda
14th September 2016
• 18:00 Welcome to Digia
• 18:10 Continuous Compliance / Tessa Viitanen, Digia
• 18:55 Break
• 19:05 Ilari Mäkelä, Verkkokauppa.com
• 19:45 Break
• 19:55 DevSecOps - from the backlog to forensics / Antti Vähä-Sipilä, F-Secure
• 20:40 Networking
• 21:30 Event ends
Digia Continuous Compliance
Tessa Viitanen
14.9.2016
Digia Continuous Compliance Team:
Tessa Viitanen, Jan Grela, Ville Lindroos, Petri Rosenström
www.digia.com
GDPR
General Data Protection Regulation

2015: change in Finnish criminal law, paragraph 38, article 9 a §: identity theft is a crime. The focus shifts from individuals to companies.

Timeline:
• 2011: Enough breaches
• 2012: EU Commission proposal
• 2014: Parliament approval
• 2016: Approved by the Commission
• 2018: Enters into force
Sanction: 4% of the company's global turnover or 20M€, whichever is HIGHER.

What drove it:
• Unhashed passwords
• Data breaches
• More data breaches
• Poor security policies
• No proper encryption
• Personal data all over, also on paper
• Personal data sold all over and used for business
• Personal data sold all over and used for organized crime
• Medical data all over
• Unsalted passwords
LEGISLATION VS REGULATION

LEGISLATION, A DIRECTIVE (GENERAL):
• Somebody did something which impacted many people, hence legislation was set at a broader level.

REGULATION:
• Governing agencies are made to be more specific about how to comply with the legislation in technical terms.

EU Data Privacy
• The Directive entered into force on 5 May 2016.
• The Regulation entered into force on 24 May 2016.
• EU Member States have to transpose the Directive into their national law by 6 May 2018.
• The Regulation applies from 25 May 2018.
EU DATA PRIVACY OBJECTIVES

The objective of this new set of rules is:
• To give citizens back control over their personal data
• To simplify the regulatory environment for business

When it comes to the law, you cannot move your responsibility as a registry owner to anyone else.
What is Compliance?

COMMON DELUSIONS OF COMPLIANCE
• "We will be fully compliant until the next audit (PCI DSS, ISO 27001/ISO 27002, GxP certificate etc.)"
• "Our hosting provider has a certificate, we don't need one for our solution"

A certificate is a snapshot of the current state. It's a baseline where your security starts from. It breaks when you make the first change if you don't follow up.
EXAMPLE GDPR CONTROLS FOR CXO LEVEL
• Information Security Policies (ISP): compliance
• Business Impact Analysis (BIA): risks against the compliance
• Privacy Impact Assessment (PIA): risks against the overall solution data flow
• Assess your sub-contractors!

The better you are aware of your business risks, the better you will survive a data breach situation. It's not just money; brand, image and trust also matter for your company.
MANDATORY
• Data Protection Officer (DPO), a new role within all companies (can be outsourced)
• Notification within 72 hours after a data breach, to the officer and to the person the data belongs to
• Subject Access Request (SAR)

Even though you can outsource the DPO role, you cannot outsource your responsibility as a registry owner.
SAR must generally be complied with within 40 days.
PITFALL MINDSETS
• "Audit trail is more expensive than manual processing of SARs"
• "Pseudonymisation of data complicates work"
• "Light encryption is enough"
• "Privacy notices to end users can be complex"
• "Sub-contractors are paying their share in case of a breach, without a contractual agreement"
• "International data transfer is not happening"
• "The cloud will solve all of the problems, including sanctions"
• "On-premises is more secure than the cloud and hence does not require verification, as it is on certified paper"

Calculate the whole process from beginning to end. Manual work at first glance looks cheaper; however, automation will be cheaper in the long run. Do the math, not a probability forecast!
CONSIDERATIONS FOR AVOIDING THE PITFALLS
• Investing in decent data processing
• Web platform for SARs
• Security frameworks as a security baseline
• Automate as much as possible
• Full-stack security testing
• SOC / Forensics
• PIA for sub-contractors
• Compliance requirements for sub-contractors
• Sub-contractor contract

Know what data you store, where you store it and who has access to it!
Know who operates what in your systems!
PRIVACY BY DESIGN (example: Finland 2017 estimated)
Are you really sure you
want to do it all manually?
FINNISH REGISTRY OWNER RESPONSIBILITIES
In Finland the company will be responsible for providing a report, similarly as companies are required to file their tax report.
The company is responsible for proving that it is compliant with the regulation.
You cannot use compliance certificates for your own solution!
Fiva

IaaS, PaaS, SaaS (VPC, Private Cloud, Public Cloud)
• Verify what is certified
• Who is accessing, and where is the data accessed from
• Verify where the system is operated
• Create clear security classes for data
It is your Registry!
Mindset Error
01001101 01101001 01101110 01100100 01110011 01100101 01110100 00100000 01100101 01110010 01110010 01101111 01110010 00001101 00001010
01001001 01110100 00100000 01101001 01110011 00100000 01011001 01001111 01010101 01010010 00100000 01110010 01100101 01100111 01101001 01110011 01110100 01110010 01111001 00100001
(binary ASCII for "Mindset error" / "It is YOUR registry!")
It is YOUR registry!
Always verify WHAT has been certified, assessed or audited!

But there is a solution… And the best part of it is that it's all technical… and you can automate it!
Automated Delivery with Compliance Scan
• Compliance scan
• Monitor and alert on compliance deviations
• Deliver or fix
Loop: Change → Test → Deliver or Fix → Monitor → Follow up
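The loop on this slide, scan on every delivery and keep monitoring for deviations afterwards, as an added example that is not part of the deck and not Digia's Continuous Compliance tooling. The control ids (CC-01 to CC-05), the configuration keys and both sample configurations are constructed for this illustration and do not come from any real framework or product; the controls simply mirror the breach causes the deck names (missing encryption, unhashed or unsalted passwords, unclear access, no audit trail).

```python
# Added example (not Digia's code): a minimal compliance scan that runs in the
# delivery pipeline (Test stage, gating "Deliver or Fix") and again on a
# schedule (Monitor stage, alerting on drift).  Control ids, configuration
# keys and sample configurations are all constructed for this illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Control:
    control_id: str                  # hypothetical id, e.g. "CC-01"
    description: str
    check: Callable[[dict], bool]    # True when the configuration complies


@dataclass(frozen=True)
class Deviation:
    control_id: str
    description: str


def _section(config: dict, name: str) -> dict:
    """Return one top-level section of the configuration, or {} if absent."""
    return config.get(name) or {}


# Baseline: what "compliant" means for this constructed service configuration.
BASELINE: List[Control] = [
    Control("CC-01", "Personal data at rest is encrypted",
            lambda c: _section(c, "storage").get("encryption_at_rest") is True),
    Control("CC-02", "Transport encryption enforced (TLS 1.2 or newer)",
            lambda c: _section(c, "transport").get("min_tls_version") in ("1.2", "1.3")),
    Control("CC-03", "Passwords stored with a salted, slow hash",
            lambda c: _section(c, "auth").get("password_hash") in ("bcrypt", "scrypt", "argon2id")
            and _section(c, "auth").get("salted") is True),
    Control("CC-04", "Audit trail enabled for access to personal data",
            lambda c: _section(c, "logging").get("audit_trail") is True),
    Control("CC-05", "Access limited to named roles (no wildcard role)",
            lambda c: "*" not in _section(c, "access").get("roles", ["*"])),
]


def scan(config: dict, baseline: List[Control] = BASELINE) -> List[Deviation]:
    """Evaluate every control.  A check that raises counts as a deviation:
    a malformed configuration is not evidence of compliance."""
    deviations = []
    for ctl in baseline:
        try:
            ok = bool(ctl.check(config))
        except Exception:
            ok = False
        if not ok:
            deviations.append(Deviation(ctl.control_id, ctl.description))
    return deviations


def gate_delivery(deviations: List[Deviation]) -> str:
    """Test-stage decision: 'deliver' when the scan is clean, otherwise 'fix'."""
    return "deliver" if not deviations else "fix"


def deviation_ids(deviations: List[Deviation]) -> Set[str]:
    return {d.control_id for d in deviations}


def monitor(previous: Set[str], current: Set[str]) -> Dict[str, Set[str]]:
    """Monitor stage: compare the last accepted scan with a fresh one.  New ids
    are drift that should alert; resolved ids close their follow-up items."""
    return {"new": current - previous, "resolved": previous - current}


# Constructed sample: the configuration that passed the last scan ...
COMPLIANT_CONFIG = {
    "storage": {"encryption_at_rest": True},
    "transport": {"min_tls_version": "1.2"},
    "auth": {"password_hash": "bcrypt", "salted": True},
    "logging": {"audit_trail": True},
    "access": {"roles": ["dpo", "support-l2"]},
}
# ... and the same service after a "quick" change switched the audit trail off
# and granted a wildcard role.  Nothing else changed, so only CC-04 and CC-05
# should be reported as new deviations.
DRIFTED_CONFIG = {
    **COMPLIANT_CONFIG,
    "logging": {"audit_trail": False},
    "access": {"roles": ["dpo", "support-l2", "*"]},
}


def run_cycle() -> Dict[str, object]:
    """One pass through Test -> Deliver or Fix -> Monitor for the sample configs."""
    before = scan(COMPLIANT_CONFIG)
    after = scan(DRIFTED_CONFIG)
    drift = monitor(deviation_ids(before), deviation_ids(after))
    return {
        "test_decision": gate_delivery(before),   # 'deliver'
        "drift_decision": gate_delivery(after),   # 'fix'
        "alerts": sorted(drift["new"]),           # ['CC-04', 'CC-05']
        "resolved": sorted(drift["resolved"]),    # []
    }


if __name__ == "__main__":
    for key, value in run_cycle().items():
        print(f"{key}: {value}")
    for d in scan(DRIFTED_CONFIG):
        print(f"deviation {d.control_id}: {d.description}")
```

The same `scan` runs in both places: at Test it decides whether the change is delivered or sent back to be fixed, and at Monitor its result is diffed against the last accepted one so that only new drift raises an alert and resolved items close their follow-up. Keeping the baseline as data makes it the artefact an auditor reviews, instead of a certificate that describes a state the next change already broke.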
Jump to the "bureau-crazy" roller coaster and enjoy the demo ride!
Questions?
Automate
and
enjoy the coffee!
More information:
Tessa Viitanen
tessa.viitanen@digia.com


Editor's Notes (speaker notes, by slide number)

  • #3 How many have been wondering why there is still so much paper in the world? How many have been questioning why some things are done manually when they could be automated? 2018 is coming and there is a lot you can do about it as a technical person. Let's nail the bureaucracy first.
  • #5 Picture permission details: The image above depicts a euro banknote. This design is copyrighted by the European Central Bank (ECB), and its use is permitted by ECB, subject to the conditions set forth in decisions ECB/2003/4 and ECB/2003/5 of 20 March 2003 and "as long as reproductions in advertising or illustrations cannot be mistaken for genuine banknotes".
    1. Sony CD Spyware. Sony BMG ran into a major privacy flap in fall 2005 because of the anti-piracy measures called XCP that it added to music CDs. When a customer played one of these CDs on a Windows PC, the CD installed hidden rootkit software onto the PC that communicated the CD being played and the IP address of the PC back to Sony. This so-called spyware also created vulnerabilities on PCs for worms or viruses to exploit. Critics said Sony had created a backdoor onto its customers' machines, leading Sony to recall the CDs and offer a free removal tool for the rootkit software. Class action lawsuits were filed against Sony in Texas, New York and California. The U.S. Federal Trade Commission required Sony to pay $150 to any consumer whose PC was damaged by the software as part of a settlement for violating federal law.
    2. The Craigslist Experiment. In February 2006, Seattle Web developer Jason Fortuny posed as a woman seeking sex on Craigslist to see how many responses he would get in 24 hours. He received 178 responses, including photos, names, e-mail addresses and telephone numbers of the men who answered the ad. Fortuny then published all of these responses on a Web site called Encyclopedia Dramatica. The incident received a significant amount of mainstream media coverage, including the Associated Press and MSNBC. Fortuny was later sued in Illinois court by an anonymous plaintiff, and in May 2009 Fortuny ended up receiving a $75,000 default judgment.
    3. AOL Search Leak. In August 2006, AOL released a file containing 20 million search keywords used by 650,000 of its users over a three-month period. The file was supposed to be anonymous data available for research purposes, but personally identifiable information was available in many of the searches, making it possible to identify an individual and their search history. AOL admitted it was a mistake to release the data and removed it from its Web site after three days, but by then the data had been mirrored at sites across the Internet. AOL's CTO Maureen Govern quit two weeks later. In September 2006, a class action lawsuit was filed against AOL, still lingering in California courts, demanding $5,000 per user.
    4. Google Street View. In May 2007, Google added its Street View feature to Google Maps, and it has been battling privacy complaints, paying fines and facing audits ever since. Google Street View provides panoramic views of streets gathered by webcams. It prompted privacy worries for showing men leaving strip clubs, people entering adult bookstores, and people picking up prostitutes, among other activities. Google allows users to flag worrisome images for removal and added a blurring feature for faces and license plates. Nonetheless, Street View has run into privacy battles with Switzerland, France, Belgium, Germany and South Korea, to name a few countries. France fined Google the equivalent of $142,000 in March 2011 related to Street View, but an August 2011 review by the U.K. government gave Google positive marks for improving the privacy of Street View. Meanwhile, Google must undergo regular privacy audits mandated by the FTC for the next 20 years as the result of a settlement over improper privacy disclosures in its now-defunct Buzz social media service.
    5. Hotmail Hot Mess. One of the biggest privacy scandals in terms of scale involved Microsoft's Hotmail free e-mail service. In October 2009, Microsoft urged hundreds of millions of its Hotmail users to change their passwords due to a privacy breach. Microsoft said it discovered that users' details from 10,000 e-mail accounts were posted on the www.pastebin.com Web site as the result of a likely phishing scheme. Microsoft urged users of email accounts ending in @hotmail.com, @msn.com and @live.com to begin changing their passwords every 90 days.
    6. Webcamgate. A Pennsylvania school district that used built-in Webcams to monitor the use of several thousand Apple laptops that it provided to students for their use at home ran afoul of online privacy issues and was forced to pay up. The school district admitted it had over 56,000 photos and screen grabs gathered by the Webcams and security software installed on the laptops. These photos were taken without the knowledge or consent of the students, including in their bedrooms and in various stages of undress. In April 2010, high school sophomore Blake Robbins filed a class action lawsuit against the Lower Merion School District for invasion of privacy. In October 2010, the school district agreed to pay $610,000 to settle two lawsuits related to the incident.
    7. Facebook Apps. The popular social media site has been plagued by privacy issues over the years. Its highest-profile problem was in October 2010, when Facebook admitted that its top 10 most popular applications, including FarmVille and Texas Hold`em, shared user data, including names and friends' names, with advertisers. A Wall Street Journal investigation uncovered the Facebook privacy breach and said it affected tens of millions of users, including some that had used Facebook's most stringent privacy settings. Facebook had previously been in trouble for transmitting user ID numbers to advertising companies when users clicked on ads. In November 2011, Facebook settled a case with the U.S. Federal Trade Commission about several incidents and agreed to 20 years of third-party privacy audits.
    8. Patient Data Exposed. In March 2011, California-based insurer HealthNet announced a privacy breach for nearly 2 million of its customers, exposing their names, addresses, Social Security numbers, health and financial data. The data were unencrypted and stored on hard drives that have gone missing from contractor IBM's data center. A nationwide class action suit was filed against HealthNet and IBM as a result of this incident. It was HealthNet's second big data breach in two years, having lost the Social Security numbers of 1.5 million policyholders stored on a hard drive in 2009. HealthNet isn't the only healthcare provider to lose private medical data or inadvertently post it online. The U.S. Department of Health and Human Services says personal medical data for more than 11 million people have been exposed online in the last two years.
    9. Behavior Targeting is Targeted. A new area of concern for privacy advocates is behavioral targeting by online advertising services. These services create behavioral profiles based on anonymous data of how computer users surf the web and then serve up targeted ads based on these profiles. The FTC ruled in 2009 that these services must provide consumers with notice about the collecting of behavioral data and provide them with the ability to opt out. In March 2011, the FTC reached its first behavioral profiling settlement with advertising network Chitika for deceptive opt-out practices. Chitika said it mistakenly programmed the opt-out setting for 10 days, instead of the intended 10 years.
    10. iPhone Tracking. Apple received so much criticism about how its iPhones and iPads were collecting and storing user location data that then-CEO Steve Jobs made a rare apology in April 2011. Jobs conceded Apple's mistakes in dealing with the location data after security researchers discovered an unencrypted file inside the devices contained a cache of locations visited over the last 12 months. Jobs emphasized that Apple was not tracking its customers: "Never have. Never will," he said, in response to the criticism from Congress and others. Apple provided a free software update to users to fix the glitch. But that wasn't the last time that location data gathered by mobile devices from Wi-Fi hotspots has come under fire. Google and Microsoft later admitted that they store the same kind of user location data on their mobile operating systems, too.
    11. PlayStation Network Hacked. Also in April 2011, Sony announced that hackers had stolen personal data from 77 million PlayStation subscribers. Although this was a security breach of Sony's PlayStation Network, the privacy implications were significant given that the intruder had stolen names, addresses, email addresses and birthdates for so many customers. Sony said it was unclear whether credit card data was stolen, and it warned customers to be on the lookout for identity theft. Security experts said the Sony privacy breach was one of the largest on record. Sony estimated that the incident cost the company $171 million to rebuild its computers and purchase credit protection services for its customers.
    12. Disney Violates Kid Data Rule. U.S. Web sites that target children for subscriptions or sales must comply with special rules aimed at gathering permission from parents under the Children's Online Privacy Protection Act (COPPA). In May 2011, Disney's Playdom, Inc. had the dubious honor of paying the largest-ever COPPA fine, which was a $3 million civil penalty from the FTC for gathering and sharing personal information about hundreds of thousands of children without parental consent. Playdom, which runs the popular Pony Stars site, collected kids' ages and email addresses and allowed them to post their full names and locations. Other sites that have run afoul of COPPA rules include blogging outlet Xanga.com and mobile app developer Broken Thumbs.
    13. Carrier IQ. The year 2011 closed out with another privacy-oriented brouhaha, this time surrounding Carrier IQ, which sells analytics software for mobile devices. The software is used in an estimated 142 million smartphones. A systems analyst/amateur security researcher discovered this software on his smartphone, and found that it was capturing battery life, connections, text messages, emails and other actions. A slew of accusations followed, with Carrier IQ and its carrier customers being taken to task for allegedly keylogging, spying and tracking. But more detailed analysis by other professional security researchers found that the systems analyst who originally raised the issue was confusing Carrier IQ's actions with those of debug statements mistakenly left in the Android code by phone maker HTC's programmers. As it turns out, Carrier IQ was simply collecting performance data for optimizing the end users' experience. Nevertheless, the original discovery prompted Sprint and HTC to reportedly no longer include the Carrier IQ software on their devices.
    14. GM to Sell Vehicle Data. General Motors has run into privacy issues with its OnStar GPS-based system, which may continue to track vehicles even after a customer cancels the service. General Motors changed its OnStar privacy policy in December 2011, indicating that it reserves the right to share data it has collected, such as a vehicle's speed, location, odometer reading, seat belt usage and airbag deployment, with other companies. This is true even for customers who have cancelled the OnStar service unless they explicitly ask for the two-way communications link to be disabled. General Motors says the data would be anonymous and aggregated before being sold. Vehicle-based telematics systems like OnStar are an emerging area for privacy concerns, with new worries about the possibility of misuse of data.
    15. Voicemail Hacking. One of the biggest stories of 2011 was the shuttering of News Corp's weekly U.K. publication, News of the World, as the result of widespread hacking of the mobile voicemail accounts of politicians, celebrities and crime victims in the pursuit of stories by the tabloid publication. Investigations of this illegal behavior are ongoing, but have already led to several high-profile arrests and resignations of News Corp executives. Reporters apparently hacked into the voicemail accounts by using the default PINs that shipped with the phones
  • #17
    • Hosting provider has a certified data center
    • Solution audited for another environment
    • Solution is at the same compliance level as the data center
    • Own solution deployed to a cloud instance is at the same compliance level as the cloud provider's certificates
    • On-premises solution does not need to be compliant as there are firewalls and it is used only internally