GPDR_Get-Data-Protection-Right

GPDR == get.data.protection.right(!) James Mckinlay – CSO Praetorian Consulting International


#whoami

Electoral Role

Landline

Broadband

Mobile Phone

Gas Electric

TV licence

Passport

Inland Revenue

High Street Bank

Online Retailers

Online webmail

Companies House

Online accountant

Births & Marriages Register

Hospital records / GP records

Husband, Father, Son

Cyber Consulting <-IT Security <- IT Solutions

https://uk.linkedin.com/in/jmck4cybersecurity

Shares / Child ISA

Pension

Car Insurance

House Insurance

Flight Records (ARINC)

Mortgage

Postcode Address File

University Records

Water / Utilities

Council Tax

Driving Licence

Car registration

Equifax Experian Callcredit

Published Agenda

* Know what you know

* Know what you don't know

* Know where you're going

* Get started

@CisoAdvisor

We could debate this from now until xmas, but we only have 20 minutes, so I have revised the agenda.

“Everything should be as simple as it can be, but not simpler”

Now let’s pick up the pace

Actual Agenda

* How it was

* Where it is going

* What (I suggest) you can do

Disclaimer

(1) Before we go any further, I feel I should first point out that everything I’m about to say is obviously just my personal opinion, which you are of course entitled to take with the appropriate pinch of salt. I would expect that if you asked someone else who was considering the same points, they might have very different things that they are looking for.

(2) I am not currently in the GPDR region (but …)

(3) I am not a lawyer (but …)

* Section 1: How It was

Revolution Quote 1:

“You will not be able to stay home, brother. You will not be able to plug in, turn on and cop out. You will not be able to lose yourself on skag and skip out for beer during commercials, because the revolution will not be televised.”

- Gil Scott-Heron (1949 – 2011)

* Appoint a DPO

* Fill out ICO registration

* Send ICO cheques

* Update registration (e.g. ANPR)

* Talk to legal department

* Look for some external training

* Hope nothing goes wrong

* Add a DPA98 module to LMS

ICO comments on P7a

The Data Protection Act says that:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

This is the seventh data protection principle. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:

* design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;

* be clear about who in your organisation is responsible for ensuring information security;

* make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and

* be ready to respond to any breach of security swiftly and effectively.

ICO comments on P7b

What needs to be protected by information security arrangements?

It is important to understand that the requirements of the Data Protection Act go beyond the way information is stored or transmitted. The seventh data protection principle relates to the security of every aspect of your processing of personal data.

So the security measures you put in place should seek to ensure that:

* only authorised people can access, alter, disclose or destroy personal data;

* those people only act within the scope of their authority; and

* if personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned.

Credit: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/

Remember: The domain google.com was registered on September 15, 1997. They formally incorporated their company, Google, on September 4, 1998.

Any Questions

No is a valid answer

* Section 2: Where It is going

Revolution quote 2:

“The first revolution is when you change your mind about how you look at things, and see there might be another way to look at it that you have not been shown. What you see later on is the results of that, but that revolution, that change that takes place will not be televised.”

- Gil Scott-Heron (1949 – 2011)

Two-year countdown

The two-year countdown to the General Data Protection Regulation (GDPR) is underway, and the consensus seems to be that most companies haven't got a clue how they're going to approach it.

Research from Egress found that 87 percent of CIOs believe they would be exposed if the regulations came into force today, while research by YouGov for Netskope found that 80 percent of IT professionals in medium and large organisations were not confident of ensuring compliance by 25 May 2018.

"It's 2 years away, but 2 years with any IT project is actually very short," he says. "Most businesses where they are running April to April will have already spent their budget for this year. So you are looking at preparing to spend budget on it next year." – Guy Bunker @ Clearswift

Credit: http://www.cbronline.com/news/cybersecurity/data/2-years-to-gdpr-how-you-can-prepare-for-the-eu-data-protection-regulation-4903975

How to lie with statistics

https://www.amazon.com/How-Lie-Statistics-Darrell-Huff/dp/0393310728

https://en.wikipedia.org/wiki/List_of_cognitive_biases

https://blog.osvdb.org/

Higher Fines – breaches of the GDPR can result in fines up to 4% of a business’ global turnover or €20M EUR (whichever is greater).

Consent – Businesses will need to be able to demonstrate that active consent has been given for any personal information they collect or process and that they provide very clear information beforehand on how this personal information will be stored and used (privacy notices).

Privacy by Design – increasingly, Businesses will need to be able to demonstrate that they have actively considered privacy and adequately addressed any associated information security risks and that this is built into the DNA of their organization

Mandatory Notification – there will be a mandatory duty under GPDR to promptly report data protection breaches that put the rights and freedoms of individuals at risk (within 72 hours).

Data Processors – at present only organisations acting as Data Controllers have legal obligations for looking after personal information under the UK Data Protection Act. The GPDR aims to extend some of the direct legal obligations on to Data Processors as well as Data Controllers.

Sensitive personal data – the definition of sensitive personal data has been widened to include genetic and biometric data and there will be stricter rules for processing this kind of (medical) information.

Data Subjects Rights – generally, individuals will have stronger rights to request the transfer of their personal information from one service provider to another and also when requesting their “right to be forgotten”.

Data Protection Officers – Data Protection Officers will become mandatory for organisations whose primary purpose involves processing sensitive personal data or who monitor data subjects regularly on a large scale.

Credit: fruition blog Feb 2016


Mandatory Notification – there will be a mandatory duty under GPDR to promptly report data protection breaches that put the rights and freedoms of individuals at risk (within 72 hours).

Existing notification deadlines, for comparison:

* Immediately – Bank + PCI-PFI: https://www.visaeurope.com/media/pdf/security%20compromise%20factsheet%20-%20march%202015.pdf

* 72hrs – actual or suspected compromise, report sent to Visa: https://usa.visa.com/dam/VCOM/download/merchants/cisp-what-to-do-if-compromised.pdf

* 24hrs – report sent to ICO: http://www.theregister.co.uk/2016/09/01/talktalk_appeal_against_ico_data_breach_fine_dismissed/

Converge with Information Security

Quality Management / Legal / Recruitment

Other disciplines talk about it more than us!

Any Questions

No is a valid answer

* Section 3: What You can do

Revolution quote 3:

“There can't be any large-scale revolution until there's a personal revolution, on an individual level. It's got to happen inside first.”

- Jim Morrison (1943 – 1971)

Disclaimer: I haven’t yet tried this next bit ;)

ISO27001

PCIDSSv3.2

AML / TCF

TOP20 CCNSA MNP

Remember DPA98:Pr7 from part one

ISO9001

ISO27002

SOC_I

SOC_II

Company CEO

Group Security Office

Mubadala Group

Injazat CEO

Data Protection / Data Security “Tone at the Top” Directive from CEO

Data Protection Management Policy Scope of ICO registration

Data Governance Forum (Steering Group) - Charter and Minutes

Governance / Management

Data Protection Strategy Paper & sub-plans

DPO Measurement Plan

Data Quality Management

Information Asset Register

Privacy Impact Analysis

Project (RA)

Data Discovery with

Business Impact Analysis DPO Annual Objectives

05.Sep.16



DPO Annual Audit Plan

DPO Communications Plan

DSARs / Complaints

DPO Data Breach Plan

Short cycle error correction (F3)

Variations:

* F2T2E : Find, Fix, Target, Track, and Execute

* F2T2EA : Find, Fix, Track, Target, Engage, Assess

* F2T2 : Find, Fix, Track, Target

* F3EAD : Find, Fix, Finish, Exploit, Analyze and Disseminate

FIND FIX FINISH

If you're interested in military tactics that might support Cyber Security, look into http://www.pogoarchives.org/straus/shaping-and-adapting-boyd-20150422.pdf and the F3EAD paper - http://www.dtic.mil/dtic/tr/fulltext/u2/a547092.pdf

Data Discovery

* BC / DR Team

* Vulnerability Scanner

* IT Ops / ITIL

* HR / Legal / Finance

* ICO registration

Information Asset Register

* Where you are Data Controller

* Where you outsource

Credit: Reynold Leming, https://www.linkedin.com/pulse/25-exciting-things-do-information-asset-register-reynold-leming?trk=hp-feed-article-title-like

1. Understanding Relationships: A related series of records sharing the same purpose (a "master asset" if you will) might have a variety of constituent entities ("sub assets") in different formats - e.g. physical records, digital content, database records. Identifying these within an IAR will enable an understanding of their relationships and purpose over time.

2. Security Classification: Assets can be classified within the IAR to an approved security classification / protective marking scheme, with current protective measures recorded, in order to identify if there are any risks relating to the handling of confidential personal or commercially sensitive information.

3. Personal Data: Specifically you can identify confidential personal information to ensure that data protection / privacy obligations are met, for example in terms of security and disposal.

4. Ownership: The ability to know - who owns what? Also to understand who owns both in terms of corporate accountability and ownership of the actual information itself.

Internal Training (1)

Does the data enable you to identify the person directly?

* YES – it is personal data

* NO – does the data enable you to identify the person indirectly?

  * YES – it is personal data

  * NO – it is not personal data
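The two-question decision tree above, and the Information Asset Register points from Reynold Leming's list (security classification, personal-data flag, ownership), can be wired together into a small data-discovery pass that populates register entries. The following is an added example written for this transcript; it is not the speaker's tooling and not ICO guidance. The identifier patterns, the rule that two or more indirect identifiers together count as "identifies the person indirectly", the special-category keyword list, the classification labels and the sample assets are all assumptions made for the illustration.

```python
"""Data discovery feeding an Information Asset Register (IAR).

Added illustration for the talk's 'find and classify the data, assigning a
business owner' step. Patterns, thresholds and sample assets are assumptions.
"""
import re
from dataclasses import dataclass

# Direct identifiers: one value on its own points at a living person.
DIRECT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),  # UK National Insurance number shape
    "uk_mobile": re.compile(r"\b07\d{3} ?\d{6}\b"),
}

# Indirect identifiers: single out a person only in combination with other data.
INDIRECT_PATTERNS = {
    "postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b"),
    "date_of_birth": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
}

# Assumed vocabulary for the widened 'sensitive personal data' category (medical,
# genetic, biometric) mentioned in Section 2.
SPECIAL_CATEGORY_WORDS = ("diagnosis", "genetic", "biometric", "medical", "prescription")

# Assumption: this many co-occurring indirect identifiers answer Q2 with YES.
INDIRECT_THRESHOLD = 2


def find_identifiers(text):
    """Return (direct, indirect) sets naming the identifier kinds found in text."""
    direct = {name for name, rx in DIRECT_PATTERNS.items() if rx.search(text)}
    indirect = {name for name, rx in INDIRECT_PATTERNS.items() if rx.search(text)}
    return direct, indirect


def is_personal_data(direct, indirect):
    """The training slide's two questions, in order."""
    if direct:                                   # Q1: identifies the person directly?  YES
        return True
    return len(indirect) >= INDIRECT_THRESHOLD   # Q2: identifies the person indirectly?


def classify(text):
    """Map a record's content to (is_personal_data, classification label)."""
    direct, indirect = find_identifiers(text)
    if not is_personal_data(direct, indirect):
        return False, "Internal"
    if any(word in text.lower() for word in SPECIAL_CATEGORY_WORDS):
        return True, "Restricted - special category"
    return True, "Confidential - personal data"


@dataclass(frozen=True)
class AssetEntry:
    """One row of the register: what it is, who owns it, how it is marked."""
    name: str
    owner: str
    personal_data: bool
    classification: str
    identifiers: tuple


def build_register(assets):
    """Turn (name, owner, sample content) triples into register entries."""
    register = []
    for name, owner, content in assets:
        direct, indirect = find_identifiers(content)
        personal, label = classify(content)
        register.append(AssetEntry(name, owner, personal, label, tuple(sorted(direct | indirect))))
    return register


# Constructed sample assets: (asset name, business owner, a line of its content).
SAMPLE_ASSETS = [
    ("CRM export", "Sales Director", "Jane Doe, jane.doe@example.com, 07700 900123"),
    ("Customer survey", "Marketing", "respondent: SW1A 1AA, dob 01/02/1980, prefers tea"),
    ("Office floor plan", "Facilities", "Meeting room 3 seats 8, desk layout rev 4"),
    ("Occupational health log", "HR", "ref QQ123456C diagnosis: asthma"),
]

if __name__ == "__main__":
    for entry in build_register(SAMPLE_ASSETS):
        print(f"{entry.name:<24} owner={entry.owner:<15} personal={entry.personal_data!s:<5} "
              f"{entry.classification:<30} {entry.identifiers}")
```

The survey row is the case the decision tree is there for: no single field names anyone, yet postcode plus date of birth together still make it personal data, so the register marks it Confidential and the Marketing owner inherits the retention and DSAR obligations that follow. Real discovery would scan file shares and databases rather than inline strings and would tune the patterns to the organisation's own data, but the shape of the record (owner, classification, identifiers found) is what the steering group and the DPO audit plan need.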

Internal Training (2)

Fair and lawful processing

Proportionate processing

Accurate and up to date

Data retention limitation

Data transfers limitation

Privacy Impact Assessment

Name of the processing service

Date of service implementation

Name of the software/ application used

Key contact internal

Key contact external

List of data collected and processed (detailed)

Purpose of the processing (detailed)

Period during which data are stored and processed

Persons who need to have access (detailed R&R)

Does the processing need development or maintenance by a third party?

Does the processing imply a transfer out of the EU within the company?

Does the processing imply a transfer out of the EU to a third party?

How will data transfers be secured to provide an adequate level of protection?

Are you a Data Controller?

Are you a Data Processor?

Data Breach Planning

https://otalliance.org/resources/data-breach-protection

Summary

There are many overlaps in the ISMF and managing Data Protection in the Enterprise

Establish a Data Protection Steering Group

Choose a DPO

Find and Classify the data, assigning a business owner

Prepare internal training

Prepare a holistic Data Breach Plan – not just a technical response

Use this activity to enforce better Information Security Controls

E.g. Data classification, Information Asset Register, Data retention cleanup + evidence

Takeaways

Take it seriously, we’ve had 18 years to get this

Get started if you haven’t already

Use what has been learnt from years of ISMS governance and certification

Tailor it to your organisation (size and maturity)

Learn from other disciplines (collaborate or die)

Challenge conference organisers on GPDR agendas

Network with likeminded peers

Time is precious

thank you for yours

James