GDPR Workshop G.LEFTHERIOTIS / 21.3.18.

GDPR – Compliance / Business / Technological requirements

Privacy Management / PII Protection within a total IT / Security / Privacy Framework

Info Security vs. Privacy vs. PII Protection: Different Perspectives
Security by Obscurity ... Privacy by Transparency

Privacy / PII Governance: Security vs. Privacy

“Mapping” GDPR requirements inside ISO 27001:2013

[Mapping table: ISO 27001 clauses against GDPR requirements]

“Mapping” GDPR requirements inside BS 10012:2017

Privacy & Information Security: the basic Standards Ecosystem

Framework / Overall Management System Level:
- ISO/IEC 27001:2013 (Requirements for ISMS)
- ISO/IEC 29100:2011 (Privacy Framework)
- PIMS: BS 10012:2017
- *PCI DSS (v. 3.2)
- *CSA & other Cloud schemes

Risk Management Level:
- ISO/IEC 27005:2011 Risk Management
- NIST SP 800-30
- ISO/IEC 29134:2017 (Guide for Privacy Impact Assessment)

Controls Level:
- ISO/IEC 27002:2013 (Code of Practice for ISMS)
- ISO/IEC 27017:2015 (Code of practice for Cloud Services)
- NIST Codes of Practice (NIST SP 800-53)
- ISO/IEC 29151:2017 (Code of practice for PII protection)
- ISO 27799:2016 (Health Data)
- ISO/IEC 27018:2014 (Code of Practice for PII protection in public clouds acting as PII processors)

Personal Data Discovery / Mapping / Classification: Data Discovery Techniques comparison

Techniques compared: Questionnaires; Interviews; Automated Scanning Tools; "Combined" Techniques (use of APIs)
Comparison criteria: "Known" Data | "Unknown" Data / Unstructured Data | Purpose of Processing & Data Flows | IT Expertise needed

Personal Data Discovery / Inventory / Mapping: Techniques & Tools

Tool | Use | Typical Vendors

"Manual" Techniques:
- Database & File Server "manual audit" | PII Discovery | Database "scripting"
- Excel or "simple" Databases | PII Inventory & Mapping | Microsoft
- Technical Flow Charters | PII Flow & Mapping | MS Visio & "similar" flowcharters
- (semi) Manual BPM suites | PII Mapping / Modelling | ARIS & other BPM suites

Automated Tools:
- Fileshare / Crawlers | | CASAHL
- Data Classification / Protection Tools | PII Discovery & Classification | *TITUS, *Spirion, *Varonis
- Data Discovery / Mapping / Management Platforms & Visual Mappers | PII Discovery & Mapping | *OneTrust, *AvePoint, *Altova MapForce
- GDPR-focused data inventory / mapping tools | PII Inventory / Mapping | *TrustArc suite, *Nymity (Expert Mapping tool)
- Integrated Database Security / Discovery suites | PII Database Security / Data Discovery & Mapping | *IBM InfoSphere / Guardium, *Imperva
- Data Loss Prevention (DLP) | PII Discovery / Protection | (many Vendors)

GDPR: the Legal & Compliance "ecosystem"

- "GDPR" Regulation 2016/679/EU, 25.5.2018 (replaces Directive 95/46/EC)
- "The Police Directive" 2016/680/EU (Police & Criminal Justice), 6.5.2018 (replaces 2008/977/JHA, repealing Council Framework Decision 2008/977/JHA)
- "PNR" Directive 2016/681/EU ("Passenger Name Record" Directive), 24.5.2018 (replaces 2004/82/EC)
- "ePD" Directive 2002/58/EC (Directive on Privacy and Electronic communications, incl. cookies), originally amended by 2009/136/EC; under reform (2018)
- "eCD" Directive 2000/31/EC (eCommerce Directive)
- "NIS" Directive 2016/1148/EU ("CyberSecurity" Directive on Networks & IT Systems Security), May 2018
- "eIDAS" Regulation 910/2014/EU (Regulation for eID & Trust Services for electronic transactions), 1/7/16, Sep. 2018 (replaces 1999/93/EC)

GDPR Certification scheme (Art. 42-43)
Article 29 WP261 "Guidelines on Accreditation of Certification Bodies", 6.2.2018

GDPR: Seals & Marks / Codes of Conduct

IT Products & IT-related Services Certification:
- ref. EuroPriSe "Privacy Seal": certification criteria & list of certified products / services / web sites; the new GDPR-ready criteria for the European Privacy Seal are operational as of January 2017
- ref. CISPE.cloud (Cloud Infrastructure Services Providers – Code of Conduct)

Data Protection Officer (DPO): DPO Training & Personal Certification (Personnel Certification schemes)

- ref. GDPR Art. 37-39
- ref. 16/EN WP 243 (13.12.2016) "Guidelines for Data Protection Officers (DPOs)" & related FAQs: http://ec.europa.eu/justice/data-protection/index_en.htm
  Designation of the DPO / Position of the DPO / Tasks of the DPO
- Spanish DPA (AEPD) DPO scheme (2017): "Person Certification" for DPOs (ISO/IEC 17024 scheme)
- DPOs Training (DPO Professional Seminars)

DPO: Climbing the "Ladder of Skills"
- Legal Background / Skills
- Info Security Background / Skills
- Managerial / Business Skills

DPO: Training issues

Topics: Personal Data; GDPR Legislative context; Compliance; Data Privacy; Data Management; Audit Skills; "Technical" Skills
Open questions: a "single" seminar or "split" / specialized seminars? Minimum training duration?
Existing schemes: IAPP Certified Information Privacy Professional/Europe (CIPP/E) & Certified Information Privacy Manager (CIPM); IAPP Certified Information Privacy Technologist (CIPT)