A 9-Step Guide For GDPR Compliance

On 25 May 2018 the General Data Protection Regulation (GDPR) takes effect, significantly altering the way organisations handle and store personal data.

At roughly 200 pages and 99 articles, the regulation is primarily intended to strengthen security and privacy protections around personal data. It does so by tightening existing requirements, adding new ones such as mandatory breach notification, and raising the fines for organisations that fail to comply.

GDPR applies to organisations established in the EU that control or process personal data, and to organisations outside the EU that process the personal data of people in the EU when offering them goods or services or monitoring their behaviour. So, while GDPR is rooted in the EU, organisations in the US that handle data about EU residents are very much affected as well.

Among other things, organisations will be required to be able to detect and report personal data breaches, to regularly evaluate the effectiveness of their security practices, and to document evidence of compliance.

However, GDPR does not prescribe specific technical controls, so organisations are themselves responsible for establishing and maintaining the practices needed to meet its data security requirements. With this in mind, below are nine steps to prepare for the security requirements within GDPR.

Step 1: Implement a Security Information and Event Management (SIEM) tool with log management capabilities.

Article 30 requires every controller to keep a written record of the processing activities under its responsibility, and Article 32 requires technical measures that protect the security of that processing. A SIEM does not produce the Article 30 record itself, but it is the usual way to meet the monitoring side of Article 32: it centralises logs from applications, systems and networks so that user and system activity across the estate can be watched and suspicious or malicious behaviour identified.

Analysts can then reconstruct what happened when investigating suspicious behaviour: which attack method was used, which related events occurred, and which source and destination IP addresses were involved.

Organisations with data stored in the cloud should ensure that their SIEM tool can record activity not only on-premises but also across the public and private cloud infrastructure, as personal data held there also falls within the scope of GDPR.

Step 2: Create an inventory of all critical assets that store or process sensitive data.

Because GDPR applies to personal data wherever it is processed, organisations must maintain an ongoing inventory of where that data is stored across the entire infrastructure. This seems simple on the surface, but it can be a difficult task, especially in public cloud environments and where employees are using BYOD or non-IT-sanctioned assets.

It is worth noting that an organisation whose employees process or store personal data on unapproved devices remains liable and subject to regulatory fines in the event of an attack, so it is critical that every component of the IT estate is identified and monitored. A variety of asset discovery tools are available to help organisations keep track of where personal data is held.

Step 3: Undertake vulnerability scanning to identify weaknesses.

New vulnerabilities arise almost daily, whether in software, system configuration, business logic or processes, so organisations must stay on top of them with regular vulnerability scanning. It is also important to rate each vulnerability by the risk it actually poses, considering factors such as:

  • Does the affected system fall within the scope of GDPR (does it store or process personal data)?
  • How severe would the impact be (e.g. how many personal records could be exposed)?
  • Have intrusions or exploits been attempted against the vulnerable asset?
  • Is the vulnerability being exploited by attackers in the wild, and if so, how?

Here too, it is equally important to monitor cloud environments in addition to on-premises environments.
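The four triage questions above turn into a ranking rule once the scan output is joined with the asset inventory from Step 2 and a threat-intelligence feed. The following is an added example, not code from the original article or from any product: every host name, CVE identifier, record count and CVSS score in it is constructed for illustration, and the weights are an assumed starting point to be tuned, not a standard.

```python
"""Triage vulnerability-scan findings by GDPR exposure, not CVSS alone.

Joins raw scanner findings with an asset inventory (which hosts hold
personal data, and how many records) and two threat signals (exploited
in the wild, exploitation attempted against us) to rank what to fix
first. All identifiers and numbers are constructed; the CVE IDs are
placeholders and do not refer to real vulnerabilities.
"""
import math
from dataclasses import dataclass

# Constructed asset inventory (Step 2): host -> holds personal data?, record count
ASSETS = {
    "crm-db-01": {"personal_data": True, "records": 250_000},
    "hr-app-02": {"personal_data": True, "records": 1_200},
    "build-srv": {"personal_data": False, "records": 0},
    "web-lb-01": {"personal_data": False, "records": 0},
}

# Constructed threat-intelligence feed: CVE IDs known to be exploited in the wild
EXPLOITED_IN_WILD = {"CVE-0000-0001"}  # placeholder identifier

# Constructed IDS/SIEM signal: hosts that saw exploitation attempts in the last 7 days
ATTEMPTED_ON = {"web-lb-01", "crm-db-01"}

# Constructed scanner output: (host, cve, cvss_base_score)
FINDINGS = [
    ("crm-db-01", "CVE-0000-0002", 9.8),
    ("hr-app-02", "CVE-0000-0001", 7.5),
    ("build-srv", "CVE-0000-0001", 9.8),
    ("web-lb-01", "CVE-0000-0003", 5.3),
    ("shadow-vm-7", "CVE-0000-0003", 5.3),  # not in the inventory at all
]


@dataclass
class Triaged:
    host: str
    cve: str
    cvss: float
    in_scope: bool       # host processes personal data (or is unknown, so assumed to)
    records: int
    attempted: bool
    exploited: bool
    unknown_asset: bool  # scanner found a host the inventory does not know about
    score: float


def score_finding(host, cve, cvss):
    """Combine the four triage questions from the text into one ranking score."""
    unknown = host not in ASSETS
    # A host missing from the inventory is exactly the BYOD / unsanctioned case
    # from Step 2: treat it as in scope until someone proves otherwise.
    asset = ASSETS.get(host, {"personal_data": True, "records": 0})
    in_scope = asset["personal_data"]
    records = asset["records"]
    attempted = host in ATTEMPTED_ON
    exploited = cve in EXPLOITED_IN_WILD

    score = cvss
    if in_scope:
        score *= 1.5
        # log10 keeps 250,000 and 1,200 records distinguishable without
        # letting the record count swamp the other factors
        score += math.log10(1 + records)
    if exploited:
        score *= 1.5
    if attempted:
        score *= 1.25
    return Triaged(host, cve, cvss, in_scope, records, attempted, exploited, unknown, score)


def triage(findings):
    """Highest score first: that is the remediation order."""
    return sorted((score_finding(*f) for f in findings),
                  key=lambda t: t.score, reverse=True)


if __name__ == "__main__":
    for t in triage(FINDINGS):
        flag = "  (asset not in inventory!)" if t.unknown_asset else ""
        print(f"{t.score:6.2f}  {t.host:12} {t.cve}  cvss={t.cvss}  "
              f"in_scope={t.in_scope} records={t.records} "
              f"exploited={t.exploited} attempted={t.attempted}{flag}")
```

Run as-is, the CVSS 9.8 finding on the build server drops below a CVSS 7.5 finding on the HR system that holds personal data and is exploited in the wild, and the host the inventory does not know about is surfaced explicitly rather than silently treated as out of scope.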

Step 4: Conduct risk assessments and apply threat models relevant to the business.

Organisations must identify and evaluate all of their security risks, not just vulnerabilities. Article 35 requires a data protection impact assessment (DPIA) where processing is likely to result in a high risk to individuals, and Article 32 requires organisations to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

This mandate is intentionally broad so that organisations can use whichever information security framework gives them the best understanding of the risks facing their systems. The NIST Cybersecurity Framework and ISO/IEC 27001 are two common and effective options.

Step 5: Regularly test your systems to gain assurance that security controls are working as designed.

Article 32 addresses the security of processing by requiring, among its measures, a process for regularly testing, assessing and evaluating the effectiveness of security controls. This is by no means easy, and it becomes harder as organisations grow and expand their technology stacks.
 
However, three possible strategies to validate the effectiveness of security controls include:

  • Using manual assurance (e.g., audits, assurance reviews, penetration testing and red-team activities).
  • Using automated assurance technologies.
  • Consolidating and integrating security products (so that fewer point products need to be managed and reported on).

It’s important to note that ensuring that systems are secured as intended is not a one-time effort; rather, it must be an ongoing, repeatable process.

Step 6: Put threat detection controls in place to ensure reliable and timely notification when a breach has occurred.

GDPR requires organisations to report a personal data breach to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33). Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be told without undue delay (Article 34).

To discover, adequately understand and respond to breaches that quickly, organisations must have threat detection controls in place that raise immediate alerts. Analysts can then build an understanding of the threat by collecting and correlating events and consulting reliable threat intelligence, and respond promptly as needed.

Step 7: Monitor network and user behavior to identify and investigate security incidents in a timely manner.

It is imperative that organisations maintain an understanding not only of external threats but also of potential internal threats. Internal threats often stem from unauthorized data access.

To determine whether internal incidents are threats or not, it’s important to consider the context in which corporate data is accessed. For example, an abundance of Skype traffic in the sales team’s network is probably a normal part of operations, but a burst in Skype traffic in the database server that houses a customer list is likely an indicator of a security issue.

Monitoring behavioural patterns over time also helps decide whether an anomaly is a threat. A cheap and widely available data source for this is NetFlow (or its IPFIX and sFlow equivalents), which routers and switches export as flow records: which hosts talk to which, over which protocols and ports, and how many bytes move. Fed into a SIEM, these records give a per-host baseline, and alerts can be configured to fire whenever a host's traffic to a given service rises above (or falls below) its usual level, or a server starts using a protocol it has never used before.
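The database-server example above is a rule about context, not just volume: the same port can be normal for a sales workstation and alarming for a server. The following is an added example, not code from the original article or any SIEM product, showing that rule run over NetFlow-style records. All addresses, roles, byte counts and flow records are constructed, and the 3-sigma rule and 10% floor are assumed tuning values.

```python
"""Baseline-and-threshold detection over NetFlow-style records.

Each record is (epoch_seconds, src_ip, dst_ip, proto, dst_port, bytes),
fields that any flow exporter (NetFlow v5/v9, IPFIX, sFlow) provides.
The baseline is kept per source host and destination port, and
server-class hosts are held to a stricter rule than workstations.
All flow records, addresses and roles are constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

INTERVAL = 300  # seconds: aggregate flows into 5-minute buckets

# Constructed host roles, taken from the Step 2 asset inventory.
ROLES = {
    "10.1.1.25": "sales-workstation",
    "10.1.1.26": "sales-workstation",
    "10.2.0.10": "database",  # holds the customer list
}
# Roles that should never start talking to a destination port nobody has
# seen them use before; workstations get a statistical baseline instead.
STRICT_ROLES = {"database", "unknown"}


def aggregate(flows):
    """Sum outbound bytes per (src_ip, dst_port, time bucket)."""
    buckets = defaultdict(int)
    for ts, src, _dst, _proto, dport, nbytes in flows:
        buckets[(src, dport, ts // INTERVAL)] += nbytes
    return buckets


def build_baseline(history):
    """Per (src_ip, dst_port): mean and population stddev of bytes per bucket."""
    series = defaultdict(list)
    for (src, dport, _bucket), total in aggregate(history).items():
        series[(src, dport)].append(total)
    return {k: (mean(v), pstdev(v)) for k, v in series.items()}


def detect(baseline, current, sigma=3.0, min_bytes=1_000_000):
    """Return alerts as (src_ip, dst_port, bucket, bytes, reason)."""
    alerts = []
    for (src, dport, bucket), total in sorted(aggregate(current).items()):
        role = ROLES.get(src, "unknown")
        key = (src, dport)
        if key not in baseline:
            # First time this host has been seen sending to this port.
            if role in STRICT_ROLES:
                alerts.append((src, dport, bucket, total, f"new service from {role}"))
            continue
        mu, sd = baseline[key]
        # Floor the deviation at 10% of the mean so a perfectly flat history
        # (sd == 0) does not alert on every trivial increase.
        threshold = mu + sigma * max(sd, 0.1 * mu)
        if total > threshold and total > min_bytes:
            alerts.append((src, dport, bucket, total,
                           f"volume {total} exceeds baseline {threshold:.0f}"))
    return alerts


# Constructed training window: three earlier 5-minute buckets per host.
HISTORY = [
    (0, "10.1.1.25", "52.0.0.1", "tcp", 443, 4_000_000),
    (300, "10.1.1.25", "52.0.0.1", "tcp", 443, 5_000_000),
    (600, "10.1.1.25", "52.0.0.2", "tcp", 443, 4_500_000),
    (0, "10.1.1.26", "52.0.0.1", "tcp", 443, 3_000_000),
    (300, "10.1.1.26", "52.0.0.1", "tcp", 443, 3_000_000),
    (600, "10.1.1.26", "52.0.0.1", "tcp", 443, 3_000_000),
    (0, "10.2.0.10", "10.2.0.50", "tcp", 22, 20_000_000),  # routine backup push
    (300, "10.2.0.10", "10.2.0.50", "tcp", 22, 20_000_000),
    (600, "10.2.0.10", "10.2.0.50", "tcp", 22, 20_000_000),
]

# Constructed live window (bucket 10): one normal workstation, one workstation
# moving ten times its usual volume, the database doing its usual backup, and
# the database opening an outbound 443 session it has never used before.
CURRENT = [
    (3000, "10.1.1.25", "52.0.0.1", "tcp", 443, 5_000_000),
    (3010, "10.1.1.26", "52.0.0.1", "tcp", 443, 12_000_000),
    (3050, "10.1.1.26", "52.0.0.1", "tcp", 443, 18_000_000),
    (3020, "10.2.0.10", "10.2.0.50", "tcp", 22, 21_000_000),
    (3100, "10.2.0.10", "52.0.0.9", "tcp", 443, 50_000_000),
]


def run():
    """Build the baseline from HISTORY and evaluate the CURRENT window."""
    return detect(build_baseline(HISTORY), CURRENT)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Two alerts come out: the workstation whose HTTPS volume jumped from 3 MB to 30 MB in a bucket, and the database server's first-ever outbound connection on port 443. The other workstation's ordinary variation and the database's slightly larger backup are left alone, which is the context distinction the text is after.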

Step 8: Have a documented and practiced incident response plan.

To meet GDPR’s 72-hour breach notification rule, organizations need threat detection controls and processes in place to alert them to incidents, but they also need a data breach response plan that allows them to quickly and accurately determine the scope of impact.

The first steps of the response plan should focus on investigating all related events to establish a timeline and determine the source of the attack and the steps needed to contain the incident.

It is a good idea to prioritise, and document, all response and remediation actions, as organisations will be required to tell the regulator which measures have been taken or are proposed to address the breach.

Step 9: Have a communication plan in place to notify relevant parties.

Finally, upon completion of these steps, organizations should evaluate whether personal data was breached to determine if reporting is required under GDPR.

If so, the notification to the supervisory authority, due within 72 hours, must at minimum (Article 33(3)):

  • Describe the nature of the breach, including where possible the categories and approximate number of data subjects and personal data records concerned.
  • Give the name and contact details of the data protection officer or another contact point.
  • Describe the likely consequences of the breach.
  • Describe the measures taken or proposed by the controller to address the breach and, where appropriate, to mitigate its possible adverse effects.

Where the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, organisations must also communicate it to those data subjects without undue delay (Article 34). Note that GDPR protects data subjects in the EU regardless of citizenship.

Preparing for GDPR can seem like a daunting task, but organisations that follow the above steps and are equipped with the right security tools and strategies can rise to the challenge and strengthen their security, particularly their threat detection and response abilities, significantly along the way.

Information Management:
