A 9-Step Guide For GDPR Compliance

On 25 May 2018, the General Data Protection Regulation (GDPR) will take effect, significantly altering the way organisations handle and store personal data.

At 99 articles (plus 173 recitals), the regulation is primarily intended to strengthen security and privacy protections for individuals' personal data. It does so by tightening existing requirements, adding new ones such as mandatory breach notification, and increasing the fines for organisations that fail to comply.

GDPR applies to organisations established in the EU that control or process personal data, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3). This means that, while GDPR is an EU regulation, organisations in the US that handle data about people in the EU are very much affected as well.

Among other things, organisations will be required to be able to detect and report personal data breaches, regularly evaluate the effectiveness of their security measures, and document evidence of compliance.

However, GDPR does not prescribe specific technical controls, so organisations are independently responsible for choosing, establishing and maintaining the practices needed to meet its data security requirements. With this in mind, below are nine steps to prepare for the security requirements within GDPR.

Step 1: Implement a Security Information and Event Management (SIEM) tool with log management capabilities.

Article 30 of GDPR requires each controller (and processor) to maintain a written record of its processing activities: what personal data is processed, for which purposes, who receives it and how it is protected. That record is a register rather than a log, but demonstrating the "appropriate technical and organisational measures" of Article 32, and investigating a breach quickly enough to notify under Article 33, both depend on knowing who accessed what, and when. For this, organisations typically leverage a SIEM tool, which centralises logs from applications, systems and networks, allowing them to monitor user and system activity and to identify suspicious or malicious behaviour.

From those logs, analysts can reconstruct what occurred when investigating suspicious behaviour, including the attack method used, related events, source and destination IP addresses and other details.

Organisations with data in the cloud should ensure that their SIEM ingests activity not only from on-premises systems but also from public and private cloud infrastructure, since personal data held there falls equally within the scope of GDPR.

Step 2: Create an inventory of all critical assets that store or process sensitive data.

Because GDPR covers personal data wherever it is processed, on any IT system, network or device, organisations must maintain an ongoing inventory of where personal data is stored across the entire infrastructure. This seems simple on the surface, but can be a difficult task, especially in public cloud environments and where employees use BYOD or non-IT-sanctioned assets.

It's worth noting that an organisation remains liable, and subject to regulatory fines, when employees process or store personal data on unapproved devices and those devices are compromised, so it's critical that every component of the IT estate is identified and monitored. A variety of asset and data discovery tools can help organisations keep continuous track of where sensitive data is held.
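The discovery the step describes, as an added example rather than code from the original article or any particular product: a scanner that walks a set of files, counts e-mail addresses and payment-card numbers (Luhn-checked so that ticket numbers and similar digit runs do not count), and orders the resulting inventory by how many personal records each location holds. The corpus below is constructed in memory so the script runs offline; the paths, contents and the two detectors are illustrative assumptions, and a real run would walk file shares, storage buckets, database exports and BYOD sync folders with many more detectors.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample corpus (path -> contents); nothing here is real data.
SAMPLE_FILES: Dict[str, str] = {
    "/srv/crm/export-2018-03.csv":
        "name,email,card\n"
        "Anna Berg,anna.berg@example.org,4111111111111111\n"
        "Jon Lee,jon@example.com,\n",
    "/home/dev/notes.txt":
        "build passed, see ticket 4111 1111 1111 1112 for details\n",
    "/var/www/static/app.js":
        "function main() { console.log('hello'); }\n",
    "/mnt/byod/laptop-07/Downloads/customers.txt":
        "kari@example.net\nols@example.net\n",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: rejects digit runs (ticket numbers, IDs) that merely look like cards."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Hit:
    path: str
    emails: int
    cards: int

    @property
    def records(self) -> int:
        return self.emails + self.cards


def scan(files: Dict[str, str]) -> List[Hit]:
    """Return one Hit per location that contains at least one personal record."""
    hits = []
    for path, text in files.items():
        emails = len(EMAIL_RE.findall(text))
        cards = sum(1 for c in CARD_RE.findall(text) if luhn_ok(c))
        if emails or cards:
            hits.append(Hit(path, emails, cards))
    return hits


def inventory(files: Dict[str, str]) -> List[Hit]:
    """Inventory ordered by record count, so the locations that would expose
    the most data subjects are reviewed (and monitored) first."""
    return sorted(scan(files), key=lambda h: (-h.records, h.path))


if __name__ == "__main__":
    for hit in inventory(SAMPLE_FILES):
        print(f"{hit.records:4d} records  {hit.path}  (emails={hit.emails}, cards={hit.cards})")
```

Note that the BYOD download folder surfaces in the inventory alongside the sanctioned CRM export; that is exactly the kind of location that stays liable under GDPR but is invisible to an asset list built only from the CMDB.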

Step 3: Undertake vulnerability scanning to identify weaknesses.

New vulnerabilities arise almost daily, whether in software, system configuration, business logic or processes, so organisations must keep up with regular vulnerability scanning. It is also important to determine the threat level of each finding by considering factors such as:

  • Does the affected system fall within the scope of GDPR?
  • How critical is the threat? (i.e. how many personal records could be exposed?)
  • Have intrusions or exploits been attempted on the vulnerable asset?
  • Is the vulnerability being exploited by attackers in the wild, and if so, how?

Here too, cloud environments must be scanned alongside on-premises ones.
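One way to turn the four questions above into a repeatable triage order, as an added example (not code from the original article, and the weights are an assumed local policy, not anything GDPR prescribes): blend the scanner's CVSS base score with GDPR scope, the number of personal records reachable, intrusion attempts already seen against the asset, and whether threat intelligence reports exploitation in the wild. The findings are constructed, with placeholder identifiers.

```python
import math
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    ident: str               # scanner reference; placeholder values below
    asset: str
    cvss: float              # base score as reported by the scanner
    in_gdpr_scope: bool      # does the asset store or process personal data?
    records_exposed: int     # personal records reachable through this asset
    intrusion_attempts: int  # attempts seen against the asset, e.g. from the SIEM
    exploited_in_wild: bool  # threat intelligence reports active exploitation


def priority(f: Finding) -> float:
    """Assumed weighting: scanner severity plus the four GDPR questions."""
    score = f.cvss
    if f.in_gdpr_scope:
        # log scale: a million records outranks a thousand without swamping the rest
        score += 2.0 + math.log10(max(f.records_exposed, 1))
    if f.intrusion_attempts:
        score += 1.0 + min(f.intrusion_attempts, 20) / 10.0
    if f.exploited_in_wild:
        score += 3.0
    return round(score, 2)


def triage(findings: List[Finding]) -> List[Finding]:
    """Highest priority first; ties broken by identifier so the order is stable."""
    return sorted(findings, key=lambda f: (-priority(f), f.ident))


# Constructed findings: the highest CVSS sits on an out-of-scope build server.
SAMPLE = [
    Finding("vuln-1", "web-portal", 7.5, True, 500_000, 3, True),
    Finding("vuln-2", "build-server", 9.8, False, 0, 0, False),
    Finding("vuln-3", "hr-database", 5.3, True, 2_000, 0, False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{priority(f):5.1f}  cvss={f.cvss}  {f.ident}  {f.asset}")
```

Sorted by CVSS alone, the build server would be fixed first; with GDPR context the customer-facing portal and the HR database, where personal data is actually at stake, move ahead of it.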

Step 4: Conduct risk assessments and apply threat models relevant to the business.

Organisations must identify and evaluate all of their security risks, not just vulnerabilities. Article 35 of GDPR mandates data protection impact assessments (DPIAs) for processing that is likely to result in a high risk to individuals, and Article 32 requires companies to "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk."

This mandate is intentionally broad so that organisations can use whichever information security framework gives the best understanding of the risks facing their systems. The NIST Cybersecurity Framework (with SP 800-30 for risk assessment) and ISO/IEC 27001 (with ISO/IEC 27005 for risk management) are common and effective options.

Step 5: Regularly test your systems to gain assurance that security controls are working as designed.

Article 32 addresses the security of personal data processing and, in Article 32(1)(d), explicitly requires "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing." This is by no means an easy feat, and it becomes harder as organisations grow and expand their technology stacks.
 
However, three possible strategies to validate the effectiveness of security controls include:

  • Using manual assurance (e.g., audits, assurance reviews, penetration testing and red-team activities).
  • Using automated assurance technologies.
  • Consolidating and integrating security products (so that fewer point products need to be managed and reported on).

It’s important to note that ensuring that systems are secured as intended is not a one-time effort; rather, it must be an ongoing, repeatable process.

Step 6: Put threat detection controls in place to ensure reliable and timely notification when a breach has occurred.

GDPR requires that organisations report a personal data breach to the competent supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be notified without undue delay (Article 34).

To discover, adequately understand and respond to breaches that quickly, organisations must have threat detection controls in place that raise immediate alerts on incidents. Analysts can then build an understanding of the threat by collecting and correlating events and consulting reliable threat intelligence, and respond promptly as needed.

Step 7: Monitor network and user behavior to identify and investigate security incidents in a timely manner.

It is imperative that organisations maintain an understanding not only of external threats but also of potential internal threats. Internal threats often stem from unauthorised data access.

To determine whether an internal event is a threat or not, consider the context in which corporate data is accessed. For example, an abundance of Skype traffic on the sales team's network is probably a normal part of operations, but a burst of Skype-like traffic from the database server that houses a customer list is a likely indicator of a security issue.

Monitoring user and host behaviour over time also helps decide whether an anomaly should be treated as a threat. Flow data such as NetFlow (a record format exported by routers and switches, rather than a tool in itself) provides the high-level trends needed: which protocols are in use, which hosts use them and how much bandwidth each consumes. Fed into a SIEM, flow data can drive alerts whenever a host's traffic volume, or the set of services it talks to, departs from its baseline above or below configured thresholds.
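The detection logic described above, as an added example that is not part of the original article and does not reproduce any SIEM product's rules: per-host baselines are built from historical flow records, and a watched host alerts when it starts using a protocol and port it has never used before (the "database server starts Skyping" case) or when its per-minute byte count exceeds the baseline mean by more than a chosen number of standard deviations. The flow records are constructed inline in the shape a parsed NetFlow export would give (minute, source, destination, protocol, destination port, bytes); hosts, ports and volumes are made up, and a production baseline would span days rather than minutes.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

Flow = Tuple[int, str, str, str, int, int]  # (minute, src, dst, proto, dst_port, bytes)

# Constructed baseline: what the hosts normally do. All values are made up.
BASELINE_FLOWS: List[Flow] = [
    # db01 only ever serves PostgreSQL to app01, at a steady volume
    *[(m, "db01", "app01", "tcp", 5432, b) for m, b in enumerate(
        [50000, 52000, 48000, 51000, 49000, 50500, 49500, 50000, 51500, 48500])],
    # sales01 routinely runs Skype-style media (STUN on udp/3478) and HTTPS
    *[(m, "sales01", "203.0.113.7", "udp", 3478, b) for m, b in enumerate(
        [350000, 450000, 400000, 380000, 420000])],
    (0, "sales01", "203.0.113.7", "tcp", 443, 120000),
]

# Constructed current window to be checked against the baseline.
CURRENT_FLOWS: List[Flow] = [
    (10, "db01", "app01", "tcp", 5432, 50000),
    (11, "db01", "203.0.113.7", "udp", 3478, 900000),     # the database server starts "Skyping"
    (12, "db01", "app01", "tcp", 5432, 49000),
    (11, "sales01", "203.0.113.7", "udp", 3478, 400000),  # business as usual for sales
    (12, "sales01", "203.0.113.7", "tcp", 443, 100000),
]


def profile(flows: List[Flow]):
    """Per source host: the set of (proto, dst_port) it talks to, and bytes per minute."""
    services: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    per_minute: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for minute, src, _dst, proto, dport, nbytes in flows:
        services[src].add((proto, dport))
        per_minute[src][minute] += nbytes
    return services, per_minute


def detect(baseline: List[Flow], window: List[Flow], watch: Set[str],
           sigma: float = 3.0) -> List[Tuple[str, str, str]]:
    """Return (host, kind, detail) alerts for each watched host in the window."""
    base_services, base_minutes = profile(baseline)
    cur_services, cur_minutes = profile(window)
    alerts: List[Tuple[str, str, str]] = []
    for host in sorted(watch):
        # 1. context: a protocol/port this host has never been seen using
        for proto, port in sorted(cur_services[host] - base_services[host]):
            alerts.append((host, "new-service", f"{proto}/{port}"))
        # 2. volume: per-minute bytes beyond mean + sigma * stddev of the baseline
        history = list(base_minutes[host].values())
        if len(history) < 2:
            continue  # too little baseline to set a threshold; route to manual review instead
        # max(..., 1.0) keeps a perfectly flat baseline from producing a zero margin
        threshold = mean(history) + sigma * max(pstdev(history), 1.0)
        for minute, total in sorted(cur_minutes[host].items()):
            if total > threshold:
                alerts.append((host, "volume", f"minute {minute}: {total} B > {threshold:.0f} B"))
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_FLOWS, CURRENT_FLOWS, watch={"db01", "sales01"}):
        print(alert)
```

The same STUN traffic produces no alert for sales01, where it is part of the baseline, and two for db01; that contextual difference is what a raw bandwidth threshold cannot express.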

Step 8: Have a documented and practiced incident response plan.

To meet GDPR's 72-hour breach notification rule, organisations need threat detection controls and processes that alert them to incidents, but they also need a data breach response plan that lets them quickly and accurately determine the scope of impact.

The first steps of the response plan should focus on investigating all related events to establish a timeline and determine the source of the attack and the steps needed to contain the incident.

It's a good idea to prioritise, and document, all response and remediation actions: Article 33(5) requires the controller to document every breach, its effects and the remedial action taken, so that the supervisory authority can verify compliance.

Step 9: Have a communication plan in place to notify relevant parties.

Finally, the response process must establish whether personal data was actually breached, which determines whether notification is required under GDPR.

If so, the notification that organisations are required to send to the supervisory authority within 72 hours must, under Article 33(3), do all of the following:

  • Describe the nature of the breach, including where possible the categories and approximate number of data subjects and personal data records concerned.
  • Provide the name and contact details of the organisation's data protection officer or another contact point.
  • Describe the likely consequences of the breach.
  • Describe the measures taken or proposed to be taken by the data controller to address the breach and mitigate its adverse effects.

If the breach is likely to result in a high risk to individuals, organisations will also be required to inform the affected data subjects (anyone whose data is covered, regardless of citizenship) of the incident without undue delay (Article 34).

Preparing for GDPR can seem like a daunting task, but organisations that follow the above steps and are equipped with the right security tools and strategies can rise to the challenge and, along the way, significantly strengthen their security, particularly their threat detection and response capabilities.

Source: Information Management
