GDPR Action Plan - ISSA
Uploaded by: ulf-mattsson
Category: Technology
Transcript of GDPR Action Plan - ISSA
Ulf Mattsson
Inventor of more than 55 issued US patents
Industry involvement:
• PCI DSS - PCI Security Standards Council: Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
• IFIP - International Federation for Information Processing
• CSA - Cloud Security Alliance
• ANSI - American National Standards Institute: ANSI X9 Tokenization Work Group
• NIST - National Institute of Standards and Technology: NIST Big Data Working Group
• User groups: Security: ISACA & ISSA; Databases: IBM & Oracle
Verizon 2017 Data Breach Investigations Report
(Chart) Source: Verizon 2017 Data Breach Investigations Report
(Chart) Source: Verizon 2016 Data Breach Investigations Report
Verizon 2016 Data Breach Investigations Report – Breach Discovery
(Chart) Source: Verizon 2016 Data Breach Investigations Report
Verizon 2016 Data Breach Investigations Report – Malware
Ransomware Is Getting Worse
• The cyber security solutions that are in place today are somewhat effective
• But a significant proportion of decision makers report that their problems with phishing and ransomware are getting worse over time
• For most of the cyber security capabilities that organizations have deployed to combat these threats, the majority of decision makers report they are not highly effective
Source: Osterman Research, Inc., 2017
Impact
Do you control or process personal data about ANY EU citizens?
If so, you have to be GDPR compliant by 25th May 2018, or manage the implications of the fines and the reputational damage of any and every data breach – including customers, employees and suppliers.
© 2017 - The GDPR Institute - All Rights Reserved
The Institute’s Purpose
Create a community of Data Privacy, Data Security and Data Governance experts to assist large, medium and small organisations to address the challenge and maximise the opportunity created by the General Data Protection Regulation.
GDPR Challenge or GDPR Opportunity?
The Institute’s Community
• Corporate Clients
• 61 Million Global Experts
• GDPR Consulting Providers
• GDPR Technology Solutions
• GDPR Audit Services
• GDPR Legal Advisors
• GDPR Training Providers
• GDPR Recruitment Services
Bringing Together to Solve GDPR
• GDPR Defensible Position
• GDPR Consulting Providers
• GDPR Technology Solutions
• GDPR Legal Advisors
• GDPR Recruitment Services
• GDPR Training Providers
• GDPR Audit Services
• 61 Million Global Experts
Opportunity or Challenge?
1. Fines
2. Loss of Customers
3. Reputational Damage
versus the COST of Compliance
Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change
GDPR = Enterprise-wide Change Management
From the Post Room to the Board Room
People, Process, Technology, Information
Scale of Data Breaches
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Key Questions
1. What personal data do you hold – customer, employee, supplier, contractor, sub-contractor, citizen, patient, etc.?
2. Where is that data located? PC hard drive, remote storage or backup device, on-premise database or content server, or in the cloud?
3. How are you using that data?
4. Do you have explicit or implied permission to use the data in the way you are using it?
The GDPR Roadmap
• Compliance Gap Analysis
• Security Reviews
• Use Case Management
• Consent Management
• Technology Assessments
• Business Process Management
• Privacy Impact Assessment
• Legal Advice
• Detailed Readiness Assessment
• Educate & Train
• Subject Access Management
• Threat Detection
• Case Management
• GDPR Defensible Position
• Annual GDPR Audits
Immediate Action Plan
1. Seek legal advice
2. Conduct a Privacy Impact Assessment
3. Complete a Readiness Assessment to address the key questions
4. Secure executive sponsorship and a meaningful budget
5. Develop a Consent Management strategy
6. Build a Data Subject Access Request process before you get swamped
7. Ensure you have all your breach detection technology in place – database, content repositories, network traffic, dark web
8. Prepare for the worst, and breathe a sigh of relief if it doesn’t happen
The GDPR Institute
Helping you resolve YOUR GDPR challenge & maximise the GDPR opportunity
A member-owned not-for-profit organisation
www.gdpr.institute
GDPR Case Studies
• US and Spain – customer data
• Italy, Germany and more – financial data
• Germany – outsourcing
• Sweden – PII data
GDPR Simplified into 12 blocks
1. Legitimate basis for data: organizations must know and be able to prove that processing has a legitimate purpose.
2. Information you hold: organizations should keep data only in so far as necessary.
3. Individuals’ rights: individuals (customers, …) have the right to ask questions about their personal data.
4. Consent: there should be explicit and clear consent for processing of personal data.
5. Children’s data: explicit consent of the child’s parents (or guardian) for minors less than 16 years of age.
6. Privacy notices: organizations must transparently state their approach to personal data protection in a privacy notice.
7. Data breaches: organizations must maintain a data breach register, and data subjects should be informed within 72 hours.
8. Privacy by design: mechanisms to protect personal data should be incorporated in the design of new systems and processes.
9. Privacy impact assessment: organizations must conduct a privacy impact assessment to review the impact and possible risks.
10. Data Protection Officers: organizations should assess the need to assign a Data Protection Officer.
11. Third parties: the controller of personal data has the responsibility to ensure that personal data is protected.
12. Awareness: to create awareness among your staff about key principles of data protection, conduct regular training.
To know more, read my book: https://goo.gl/HMDRfk
Webcast title: EU GDPR Details
• Duration: 60 min
• Date & time: Oct 25 2017 10:00 am
• Timezone: United States - New York
• Webcast URL: https://www.brighttalk.com/webcast/14723/269681
Protect Sensitive Cloud Data
(Diagram: Internal Network with Administrator and Internal User; Remote User; Attacker; Public Cloud; Cloud Gateway between them)
Examples: each sensitive field is protected; each authorized field is in clear.
Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest)
SecDevOps
The issue is INTENTIONAL use of UNSANCTIONED public cloud storage, for ease of use, for corporate data.
Securing Big Data - Examples of Security Agents
(Diagram: import de-identified data; export identifiable data; export audit for reporting; data protection at database, application, file, or in a staging area)
Big Data stack: HDFS (Hadoop Distributed File System); Pig (Data Flow), Hive (SQL), Sqoop; ETL Tools, BI Reporting, RDBMS; MapReduce (Job Scheduling/Execution System); OS File System
Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest)
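The two diagrams above (the cloud gateway where "each sensitive field is protected, each authorized field is in clear", and the big-data agents that import de-identified data and export identifiable data plus an audit trail) describe one mechanism: a field-level data security agent sitting between the trusted zone and the cloud or Hadoop side. The following is an added example of such an agent, written for this page and not code from the slides or from any product they mention. It uses only the Python standard library; the policy, the role table, the key and the sample record are constructed for the demonstration. Tokenization here is random and format-preserving with a vault kept in the trusted zone, masking is irreversible, and pseudonymization is a keyed HMAC so that analytics can still join on the column.

```python
"""Field-level data security agent: tokenize, mask or pseudonymize sensitive
fields before a record leaves the trusted zone; give the clear value back only
to an authorized role and record every reveal decision for audit export."""
import hashlib
import hmac
import secrets

DIGITS = "0123456789"
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


class TokenVault:
    """Random, format-preserving tokens; the lookup table stays in the trusted
    zone. The same clear value always gets the same token, so the protected
    column keeps referential integrity on the cloud/big-data side."""

    def __init__(self):
        self._tok_to_val = {}
        self._val_to_tok = {}

    def tokenize(self, value: str) -> str:
        if not any(ch.isalnum() for ch in value):
            raise ValueError("nothing to tokenize")
        if value in self._val_to_tok:
            return self._val_to_tok[value]
        while True:
            # digits stay digits, letters stay letters, separators are kept
            token = "".join(
                secrets.choice(DIGITS) if ch.isdigit()
                else secrets.choice(UPPER) if ch.isalpha()
                else ch
                for ch in value)
            if token != value and token not in self._tok_to_val:
                break
        self._tok_to_val[token] = value
        self._val_to_tok[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._tok_to_val[token]


def mask(value: str) -> str:
    """Irreversible: e-mails keep first letter and domain, anything else
    keeps only its last four characters."""
    if "@" in value:
        local, domain = value.split("@", 1)
        return local[:1] + "****@" + domain
    cut = max(len(value) - 4, 0)
    return "".join("*" if ch.isalnum() and i < cut else ch
                   for i, ch in enumerate(value))


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, deterministic replacement (truncated HMAC-SHA256): usable as a
    join key downstream; the key never leaves the trusted zone."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


class DataSecurityAgent:
    """policy: field -> 'tokenize' | 'mask' | 'pseudonymize' | 'clear'
    reveal_roles: field -> set of roles allowed to see the clear value."""

    def __init__(self, policy, reveal_roles, key: bytes):
        self.policy, self.reveal_roles, self.key = policy, reveal_roles, key
        self.vault = TokenVault()
        self.audit = []  # (role, field, decision) tuples, exported for reporting

    def protect(self, record: dict) -> dict:
        """De-identify a record before it is exported."""
        out = {}
        for field, value in record.items():
            # default-deny: a field the policy does not list is tokenized, never sent in clear
            action = self.policy.get(field, "tokenize")
            if action == "clear":
                out[field] = value
            elif action == "mask":
                out[field] = mask(value)
            elif action == "pseudonymize":
                out[field] = pseudonymize(value, self.key)
            else:
                out[field] = self.vault.tokenize(value)
        return out

    def reveal(self, protected: dict, role: str) -> dict:
        """Restore tokenized fields only for an authorized role; masked and
        pseudonymized fields cannot be restored at all."""
        out = dict(protected)
        for field, value in protected.items():
            if self.policy.get(field, "tokenize") != "tokenize":
                continue
            allowed = role in self.reveal_roles.get(field, set())
            self.audit.append((role, field, "revealed" if allowed else "denied"))
            if allowed:
                out[field] = self.vault.detokenize(value)
        return out


# constructed policy, role table and sample record (not from the slides)
POLICY = {"card_number": "tokenize", "email": "mask",
          "customer_id": "pseudonymize", "country": "clear"}
REVEAL_ROLES = {"card_number": {"payments"}}
SAMPLE = {"card_number": "4111-1111-1111-1111", "email": "alice@example.com",
          "customer_id": "C-10042", "country": "DE", "ssn": "123-45-6789"}


def demo(key: bytes = b"constructed-demo-key"):
    agent = DataSecurityAgent(POLICY, REVEAL_ROLES, key)
    exported = agent.protect(SAMPLE)               # what the cloud / Hadoop side sees
    for_payments = agent.reveal(exported, "payments")
    for_marketing = agent.reveal(exported, "marketing")
    return agent, exported, for_payments, for_marketing


if __name__ == "__main__":
    agent, exported, for_payments, _ = demo()
    print("exported :", exported)
    print("payments :", for_payments)
    print("audit    :", agent.audit)
```

The `ssn` field is deliberately absent from the policy to show the default-deny path: an unknown field is tokenized rather than leaking in clear, and no role can reveal it until the role table says so. In a real deployment the vault and the HMAC key would live in an HSM or key-management service inside the trusted zone, and the audit list would be shipped to the SIEM.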
SecDevOps: Virtual Machines and Docker
Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest)
Source: http://www.slideshare.net/GiacomoVacca/docker-from-scratch