GDP-Argh! – Some comments

After reading the article from… , which is full of common sense, it seems that I'm not fully OK with a purely technical approach, including a massive data encryption / backup solution.

We have to be sure that GDPR is a specific and dedicated process to put in place, with governance and changes in the way we manage data and ICT.

I added some points and comments.

The article:

These 10 steps will ease the pain of compliance with the General Data Protection Regulation, the EU’s new privacy law that goes into effect in a little over a year.

If your organization does business with Europe, or more specifically does anything with the personal data of EU citizens, you’re going to be living the dream (or perhaps nightmare) that is preparing for the General Data Protection Regulation (GDPR).

For many organizations, this is going to be a tedious exercise; even if you have implemented processes and technologies to meet current regulations, there is still work to be done to steer clear of penalties. And, as you might expect, infringement carries heavy fines: €20 million or 4 percent of your worldwide annual gross revenue, depending on the violation.
The regulation comes into effect on May 25, 2018, at which point organizations will be held accountable – immediately. It's hard to say exactly how organizations are doing, but depending on which news you choose to read, it doesn't appear that too many are ready. And for good reason.

For one thing, preparing for GDPR is likely to be a cross-functional exercise, as legal, risk and compliance, IT, and security all have a part to play. Some organizations will need to adopt new roles and responsibilities, such as appointing a data protection officer and nominating representatives within the EU to be points of contact.

So, with just over a year to get this sorted, what do you need to do?

If you’re just beginning your GDPR compliance quest, start by having employees attend a training to learn about the best practices for implementing GDPR. Training can also save you from the costly fines down the line, which, depending on the level of GDPR infringement, can amount to 4% of your organization’s worldwide annual gross revenue for the previous year.

You’ll also need to determine where the personal data of EU citizens physically resides, the categories of personal data you control or process, how and by whom it is accessed, and how it is secured. In addition, processes for access control, incident detection and response, and breach notification will also need review or implementation.

To help get you started, I’ve put together a list of 10 steps your company can take toward becoming GDPR-compliant:

Step 0: Do a Data Classification (what to protect and what not to protect)

Step 0.1: Do a Privacy Risk Assessment and determine the measures to put in place

Step 0.2: Do Awareness of management, staff and 3rd parties

Step 0.3: Review your contracts with 3rd parties (Security, Confidentiality, Availability, Privacy)

Step 1: Encrypt data both at-rest and in-transit. Why? If you are breached but the personal data is rendered unintelligible to the attacker, then you do not have to notify the person whose data has been breached.

This advice – which may be seen as a bit silly – is an unfortunately important one, even in the US and in other more lightly regulated jurisdictions. Even in the absence of regulations, the revelation of the lack of at-rest encryption in the case of a data breach — even where it would not have actually helped mitigate matters any — can be highly brand damaging.

But know what to encrypt… OK?

Step 2: Limit access. (Enforce Access Management and responsibilities) The idea of a “need-to-know-basis” has been around in the military for eons. The same process now needs to apply to personal data. Review who has access to personal data and why they have access, then revoke rights as necessary. When gaining consent to process personal data you will need to state the reasons for processing the data, and identify people who have access to the data. Shared admin accounts and overinflated user privileges are generally bad practices, but with GDPR they become totally unacceptable.

Step 3: Have a broad-based vulnerability management process in place. Make sure you’re scanning all devices on your network to maintain visibility into weaknesses in your infrastructure. If you have remote employees, don’t forget about them! Remote workers create additional risk because their devices can house sensitive data while they are connected to unsecured networks. Ensuring the ongoing confidentiality, integrity, and availability of all systems across your company is key.

Step 4: Backups. Backups. Backups. Make backups! Not just in case of a dreaded ransomware attack, but as a good housekeeping practice in case of storage failure, asset loss, natural disaster, even a full cup of coffee spilled on a laptop. If you don’t currently have a backup vendor in place, there are a number of server and database options available. Disaster recovery should always be high on your list, regardless of the regulations you are required to meet.

No… backups are a way to protect your data from a privacy point of view, but a data loss or destruction, even if you have a good backup, is a DATA Breach and must be declared as such (even if your internal staff delete files by mistake, or if you are targeted with a cryptolocker).

And encrypt your backups to avoid creating an extra possible breach.

Doing only backups doesn't exempt you from putting in place a data retention / archiving policy and deleting obsolete private data. This is required too.

Step 5: Secure your web applications (and internal applications too, including your back-end relation with 3rd parties hosting your data). Privacy-by-design needs to be built into processes and systems. If you’re collecting personal data via a web app, and still using http/clear text, then it’s likely you already have a problem.

Step 6: Pen tests are your friend. Attacking your systems and environment to understand your weak spots will tell you where you need to focus. It’s also better to go through this exercise with an opportunity to course correct, rather than wait for an attacker to point out your weaknesses by getting onto your network. You can do this internally or employ a professional team to perform regular external tests.

This is a purely ICT vision of security: required, but not enough. Privacy by design and by default is mandatory too; it must be part of the entire chain of your development. Pen tests are the final control.

Step 7: Detect attackers quickly and early. Finding out that you’ve been breached after the fact is an all too common scenario. The Verizon Data Breach Investigations Report has called out compromised credentials as a top attack vector, yet many organizations still can’t detect when these credentials are used by attackers. User behavior analytics is one way to quickly investigate and remediate anomalous user account activity within your environment. Deploying deception technologies, like honey pots and honey credentials, is another strategy for spotting attackers early.
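As an added illustration of the detection idea in Step 7 (example code, not from the article or its author), a small Python check over constructed authentication log lines: any use of a honey credential is an alert, and so is a user's first successful login from a source country outside that user's established baseline. The log format, the account names and the `baseline_events` threshold are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data). Assumed format:
# "<timestamp> user=<name> src=<country> result=<ok|fail>"
SAMPLE_LOG = """\
2018-05-01T08:02:11Z user=alice src=BE result=ok
2018-05-01T08:05:40Z user=bob src=BE result=ok
2018-05-01T09:14:02Z user=alice src=BE result=ok
2018-05-02T03:41:55Z user=alice src=RU result=ok
2018-05-02T03:42:10Z user=svc-backup-legacy src=RU result=fail
2018-05-02T03:42:31Z user=svc-backup-legacy src=RU result=ok
"""

# Honey credentials: bait accounts nobody legitimately uses, so any
# attempt with them (success or failure) is worth an alert.
HONEY_ACCOUNTS = {"svc-backup-legacy"}  # assumed name for the example

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

def parse(line):
    """Return the event fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def detect(log_text, honey_accounts=HONEY_ACCOUNTS, baseline_events=2):
    """Return (timestamp, user, reason) alerts for two rules:
    1. any event involving a honey credential;
    2. a successful login from a country never seen for a user who already
       has at least `baseline_events` successful logins (a minimal
       'new location for this user' behaviour check)."""
    seen = defaultdict(lambda: defaultdict(int))  # user -> src -> ok logins
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue  # skip malformed lines instead of halting the pipeline
        user, src = ev["user"], ev["src"]
        if user in honey_accounts:
            alerts.append((ev["ts"], user, "honey credential used"))
            continue
        if ev["result"] != "ok":
            continue
        history = seen[user]
        if src not in history and sum(history.values()) >= baseline_events:
            alerts.append((ev["ts"], user, f"first successful login from {src}"))
        history[src] += 1
    return alerts
```

Failed logins are deliberately not counted toward a user's baseline, so an attacker cannot "train" the baseline with unsuccessful attempts.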

Step 8: Don’t ignore shadow IT. You likely have some approved cloud services deployed already, but unless you’ve switched off the internet, it’s also possible that there are unsanctioned services and apps occurring in your environment with data that needs to be protected. And don’t ignore all your 3rd parties.

Step 9: Prioritize and respond to the alerts your security products generate daily. Attackers can easily take advantage of the flood of information bombarding security teams every day. It's great if you have a SIEM in place and have the capability to respond 24/7. (Attackers work evenings and weekends too!) But if you don't have SIEM, or the time or budget to take on a traditional deployment, consider products or managed offerings that can offer round-the-clock protection.

Step 10: Don't wait for an attack to engage an incident response team. GDPR stipulates that companies report personal data breaches to a supervisory authority within 72 hours of discovery. But aside from the reporting requirements, it's critical to contain the attack and limit damage as quickly as possible. So if you don't have dedicated IR capabilities in-house, at least have a clear and fast route to third-party services. That means going through the process of vetting and engaging potential vendors and partners in advance in order to know exactly who to call with the necessary expertise should the worst happen.

Step 11: Awareness, awareness, controls, and awareness. (Yes, a dirty job.)
