GDPR Security: How to do IT? IT readiness for competitive advantage

Presentation transcript:

GDPR Security: How to do IT? IT readiness for competitive advantage
Reza Alavi
20/09/2018 Information Security Audit Control Consultancy (ISACC)©

GDPR is approaching fast: 25th May 2018

What is GDPR?
GDPR concerns the protection and free movement of “personal data”.

GDPR Background

The Brexit question?
UK firms processing identifiable personal data will need to comply with the GDPR, irrespective of Brexit. The UK government has confirmed this and the Information Commissioner's Office (ICO) has endorsed it.

GDPR Chart: Chapters

Concepts/Players
- Security ≠ Privacy
- DPIA (Data Protection Impact Assessment)
- Personally Identifiable Information (PII)
- DPO (Data Protection Officer) / GDPR Owner
- PIMS (Personal Information Management System)
- DPPS (Data Protection Policy Statement)
- DP (Data Processor)
- DC (Data Collector)
- Confidentiality, Integrity, Availability, Authenticity, Compliance, Resilience, Correctness
- ICO (Information Commissioner's Office - UK)
- EU (European Union: 28 countries, soon 27!)
- NIST (National Institute of Standards and Technology)

GDPR Main Characteristics
- Scope
- Consent
- Fines and Penalties
- Privacy by Design
- Data Protection Impact Analysis (DPIA or PIA)
- Data Portability
- Right to Access
- Right to be Forgotten
- Breach Notification

Where to Start: Roadmap
- Identify GDPR data
- Map GDPR data
- Map GDPR data to the risks
- Map safeguarding requirements to data classification
- Map safeguarding requirements to the IT governance framework
- Confidentiality, Integrity, Availability, Authenticity, Compliance, Resilience and Correctness

Roadmap (Cont.)
- Resilience is related to business continuity and DR
- Adequate incident management
- GDPR requires authenticity and corrective action management

Roadmap (Cont.)
- Minimisation: least privilege
- Pseudonymisation: processing personal data in such a way that it can no longer be attributed to a specific data subject
- Encryption of all communication, file systems, storage, backups, …
- Documentation: all relevant matters are to be documented for the purpose of change management
- Risk assessment: GDPR does not prescribe specific security measures but requires a risk assessment to be performed. But which risk? Data Protection Impact Assessment (DPIA) or Privacy Impact Analysis (PIA) – ISO/IEC 31000 or ISO/IEC 29134
- Implementation of SIEM, security analytics, MDM, …
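The minimisation and pseudonymisation items above, as an added example that is not part of the deck or of ISACC's material: a small Python pipeline that drops fields not needed for the stated purpose, replaces direct identifiers with keyed HMAC tokens, and keeps the key (the additional information that would allow re-identification) apart from the dataset. The field names, their classification, the safeguard mapping and the sample records are constructed assumptions; the data-classification step from the roadmap slide is represented by the FIELD_CLASSES table, and unknown fields are treated as direct identifiers so that an unclassified field never passes through in clear.

```python
# Added example (not from the ISACC deck): minimisation and keyed
# pseudonymisation of a constructed customer record.
# Field names, their classification and the sample records are all
# assumptions made for illustration.
import hashlib
import hmac
import secrets

# Constructed classification of the fields in a hypothetical customer record,
# mapped to the safeguard each class receives (an assumption, not a GDPR rule):
#   direct   -> pseudonymise with a keyed token
#   quasi    -> keep, still personal data (encrypt at rest in a real system)
#   unneeded -> drop: not required for the stated purpose (minimisation)
#   plain    -> keep as-is
FIELD_CLASSES = {
    "customer_id": "direct",
    "email": "direct",
    "full_name": "direct",
    "postcode": "quasi",
    "date_of_birth": "quasi",
    "phone": "unneeded",
    "order_total": "plain",
    "product_category": "plain",
}

# Constructed sample input: the same person appears in two order records.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "anna@example.com",
     "full_name": "Anna Example", "postcode": "SW1A",
     "date_of_birth": "1980-02-03", "phone": "+44 7000 000000",
     "order_total": 42.5, "product_category": "books"},
    {"customer_id": "C-1001", "email": "anna@example.com",
     "full_name": "Anna Example", "postcode": "SW1A",
     "date_of_birth": "1980-02-03", "phone": "+44 7000 000000",
     "order_total": 9.99, "product_category": "music"},
]


def new_pseudonymisation_key() -> bytes:
    """The 'additional information' that allows re-identification. Store it
    separately from the pseudonymised data (e.g. in a KMS/HSM) under the
    controller's access control; never ship it with the dataset."""
    return secrets.token_bytes(32)


def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed token (HMAC-SHA256, truncated to 128 bits).

    Same key + field + value always yields the same token, so records for one
    data subject can still be joined. Without the key the token cannot be
    reversed or brute-forced from a small value space, which an unkeyed hash
    of an e-mail address could be."""
    msg = field.encode() + b"\x00" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymise_record(key: bytes, record: dict) -> dict:
    """Apply minimisation and pseudonymisation to one record.

    Unknown fields are treated as direct identifiers (fail closed): a field
    that nobody classified must not pass through in clear."""
    out = {}
    for field, value in record.items():
        cls = FIELD_CLASSES.get(field, "direct")
        if cls == "unneeded":
            continue                      # minimisation: drop the field
        if cls == "direct":
            out[field] = pseudonymise_value(key, field, str(value))
        else:
            out[field] = value
    return out


def pseudonymise_dataset(key: bytes, records: list) -> list:
    return [pseudonymise_record(key, r) for r in records]


def leaks_direct_identifier(record: dict, pseudo: dict) -> bool:
    """Control check: does any original direct-identifier value survive in
    the output? A test on the pipeline, not a substitute for classifying
    every field."""
    direct = {str(v) for f, v in record.items()
              if FIELD_CLASSES.get(f, "direct") == "direct"}
    return any(str(v) in direct for v in pseudo.values())


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    for original, pseudo in zip(SAMPLE_RECORDS,
                                pseudonymise_dataset(key, SAMPLE_RECORDS)):
        print(pseudo, "leak:", leaks_direct_identifier(original, pseudo))
```

The tokens are deterministic on purpose, so analytics and joins across records still work, and the field name is bound into the HMAC input so the same value in two different fields produces two different tokens. Rotating or destroying the key is what turns this pseudonymised data into data that the organisation itself can no longer attribute to a person.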

Data Protection Policy Statement (DPPS)
Organisations should answer the following questions in regard to the DPPS:
- What will be done?
- What resources will be required?
- Who will be responsible?
- When will it be completed?
- How will the results be evaluated?

Data Protection Policy Statement (DPPS) (Cont.)
- The DPPS describes GDPR compliance as it relates to other policies such as the Information Security Policy.
- The Board of Directors should approve and support the development, implementation, maintenance and continual improvement of a documented Personal Information Management System (PIMS). The BoD is responsible and accountable.
- The establishment of objectives for data protection and privacy, which are recorded in the PIMS and the GDPR Objectives Record.

Data Protection Policy Statement (DPPS) (Cont.)
- The Data Protection Officer (DPO)/GDPR owner is responsible for reviewing the register of processing annually in the light of any changes to the organisation's activities.
- The DPPS applies to all employees/staff, partners and any third parties working with or for the organisation who have or may have access to personal data; they will be expected to have read, understood and to comply with the DPPS.

Standards and Guidelines
- ISO 27000:2014
- ISO 27001:2013
- ISO/IEC 27017:2015
- ISO 27018:2014
- ISO/IEC 29151
- ISO/IEC 29100
- ISO/IEC 29134:2017
- ISO/IEC 29151:2017
- COBIT
- ISO 31000
- NIST

IT Must Ensure:
- Controls are implemented to reduce the risk of data being compromised, and the controls really do manage the risks
- Authentication and authorisation are provided to a single entity for GDPR data
- A single application is allocated to GDPR data
- All systems and services are monitored
- An incident management process is in place

GDPR Misunderstandings
- Fine obscurity
- It is not just about EU citizens
- GDPR is not simply a DLP
- Purchasing a new solution doesn't cover everything
- Outsourcing doesn't free us from our obligations

Concluded Points
- Data classification and risk assessment are at the heart of GDPR; thus GDPR will be tied to risk management and assurance objectives.
- The maturity level of risk mitigation and IT governance defines the maturity of GDPR readiness.
- GDPR will reinforce the IT security governance framework for organisations that have one. For those that don't, it will create a legal purpose to build one.
- GDPR will help organisations build effective, more secure IT services and systems, and create an environment of trust and simplification of complex IT security measures.

Thank you All!
Dr. Reza Alavi, Cyber Security Lead
Tel: +44 (0)7900 480039
info@isacc.consulting
www.isacc.consulting
@SecurityVPeople