1
GDPR Security: How to do IT? IT readiness for competitive advantage
Reza Alavi
20/09/2018 Information Security Audit Control Consultancy (ISACC)©
2
GDPR is approaching fast: 25th May 2018
3
What is GDPR?
GDPR concerns the protection and free movement of “personal data”.
4
GDPR Background
5
The Brexit question?
UK firms processing identifiable personal data will need to comply with the GDPR, irrespective of Brexit. The UK government has confirmed this and the Information Commissioner's Office (ICO) has endorsed it.
6
GDPR Chart Chapters
7
Concepts/Players
Security ≠ Privacy
- DPIA (Data Protection Impact Assessment)
- Personally Identifiable Information (PII)
- DPO (Data Protection Officer) / GDPR Owner
- PIMS (Personal Information Management System)
- DPPS (Data Protection Policy Statement)
- DP (Data Processor)
- DC (Data Collector)
- Confidentiality, Integrity, Availability, Authenticity, Compliance, Resilience, Correctness
- ICO (Information Commissioner's Office - UK)
- EU (European Union, 28 countries, soon 27!)
- NIST (National Institute of Standards and Technology)
8
GDPR Main Characteristics
- Scope
- Consent
- Fines and Penalties
- Privacy by Design
- Data Protection Impact Analysis (DPIA or PIA)
- Data Portability
- Right to Access
- Right to be Forgotten
- Breach Notification
9
Where to Start: Roadmap
- Identify GDPR data
- Map GDPR data
- Map GDPR data to the risks
- Map safeguarding requirements to data classification
- Map safeguarding requirements to the IT governance framework
- Confidentiality, Integrity, Availability, Authenticity, Compliance, Resilience and Correctness
10
Roadmap (Cont.)
- Resilience is related to business continuity and DR
- Adequate incident management
- GDPR requires Authenticity and Corrective Action Management
11
Roadmap (Cont.)
- Minimisation: Least Privilege
- Pseudonymisation: the processing of personal data in such a way that it can no longer be attributed to a specific data subject
- Encryption of all communication, file systems, storage, backups, …
- Documentation: all relevant matters are documented for the purpose of change management
- Risk Assessment: GDPR does not prescribe specific security measures but requires a risk assessment to be performed. But which risk? Data Protection Impact Assessment (DPIA) or Privacy Impact Analysis (PIA) – ISO/IEC 31000 or ISO/IEC 29134
- Implementation of SIEM, Security Analytics, MDM, …
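As an added worked example (not code from the ISACC deck), the minimisation and pseudonymisation steps above in Python: a keyed hash (HMAC-SHA256) replaces the direct identifier, only the fields the processing needs are kept, and the key and the pseudonym-to-identifier lookup are assumed to be stored apart from the dataset. All records and field names are constructed.

```python
"""Minimisation + pseudonymisation of personal data with a keyed hash (worked example)."""
import hashlib
import hmac
import secrets

# Constructed sample records; names and addresses are invented.
CUSTOMERS = [
    {"email": "alice@example.com", "name": "Alice Example", "plan": "gold", "dob": "1980-01-01"},
    {"email": "bob@example.com", "name": "Bob Example", "plan": "silver", "dob": "1975-06-30"},
]

# Fields the downstream processing actually needs; everything else is dropped (minimisation).
ANALYTICS_FIELDS = ("plan",)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash of a direct identifier. Without `key` the output cannot be linked
    back to the person; with it, equal inputs give equal pseudonyms, so records can
    still be joined. Input is normalised so 'Alice@Example.com ' and
    'alice@example.com' collapse to one pseudonym."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes, id_field: str = "email"):
    """Return (dataset, lookup). `dataset` holds only the pseudonym plus the minimised
    fields; `lookup` maps pseudonym -> identifier and must be stored separately from
    the dataset, under the DPO's control, for any authorised re-identification."""
    dataset, lookup = [], {}
    for rec in records:
        pid = pseudonym(rec[id_field], key)
        dataset.append({"pid": pid, **{f: rec[f] for f in ANALYTICS_FIELDS}})
        lookup[pid] = rec[id_field]
    return dataset, lookup


def contains_direct_identifiers(dataset, records, id_field: str = "email") -> bool:
    """Check that no original identifier or name leaked into the pseudonymised dataset."""
    blob = repr(dataset).lower()
    return any(r[id_field].lower() in blob or r["name"].lower() in blob for r in records)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept in a secrets store, never next to the data
    data, lookup = pseudonymise(CUSTOMERS, key)
    print(data)  # only 'pid' and 'plan' per record
    assert not contains_direct_identifiers(data, CUSTOMERS)
    print(lookup[data[0]["pid"]])  # re-identification needs the separately held lookup
```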
12
DATA Protection Policy Statement (DPPS)
Organisations should answer the following questions in regards to the DPPS:
- What will be done?
- What resources will be required?
- Who will be responsible?
- When will it be completed?
- How will the results be evaluated?
13
DATA Protection Policy Statement (DPPS) (Cont.)
- The DPPS describes GDPR compliance and is relevant to other policies such as the Information Security Policy.
- The Board of Directors should approve and support the development, implementation, maintenance and continual improvement of a documented Personal Information Management System (PIMS). The BoD is responsible and accountable.
- The establishment of objectives for data protection and privacy, which are recorded in the PIMS and the GDPR Objectives Record.
14
DATA Protection Policy Statement (DPPS) (Cont.)
- The Data Protection Officer (DPO)/GDPR owner is responsible for reviewing the register of processing annually in the light of any changes to the organisation's activities.
- The DPPS applies to all employees/staff, partners and any third parties working with or for the organisation who have or may have access to personal data; they are expected to have read, understood and to comply with the DPPS.
15
Standards and Guidelines
- ISO 27000:2014
- ISO 27001:2013
- ISO/IEC 27017:2015
- ISO 27018:2014
- ISO/IEC 29151
- ISO/IEC 29100
- ISO/IEC 29134:2017
- ISO/IEC 29151:2017
- COBIT
- ISO 31000
- NIST
16
IT Must Ensure:
- Controls are implemented to reduce the risk of data being compromised, and those controls really manage the risks
- Authentication and authorisation are provided to a single entity for GDPR data
- A single application is created and allocated to GDPR data
- All systems and services are monitored
- An incident management process is in place
17
GDPR Misunderstandings
- Fine obscurity
- It is not just about EU citizens
- GDPR is not simply DLP
- Purchasing a new solution doesn't cover everything
- Outsourcing doesn't free us from responsibility
18
Concluded Points
- Data classification and risk assessment are at the heart of GDPR; thus GDPR will be tied to risk management and assurance objectives.
- The maturity level of risk mitigation and IT governance defines the maturity of GDPR readiness.
- GDPR will reinforce the IT security governance framework for organisations that have one. For those that don't, it will create a legal purpose to build one.
- GDPR will help organisations build effective, more secure IT services and systems, and create an environment of trust and simplification of complex IT security measures.
19
Thank you All!
Dr. Reza Alavi, Cyber Security Lead
Tel: +44 (0)
@SecurityVPeople