[BreachExchange] Building a program for GDPR compliance: Can you answer these key questions?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 4 18:57:20 EST 2018


The clock is ticking: the General Data Protection Regulation (GDPR) will
start to be enforced in May 2018. Now is a critical time for organizations to
plan, budget and make any remaining changes needed to meet its requirements.

Failure to comply with GDPR standards will result in hefty non-compliance
fines, and even U.S. organizations could be affected. Remember: GDPR
guidelines will affect any organization handling personal data of
individuals no matter where they are located, meaning even U.S. companies
that process the personal data of individuals residing in the EU will have
to comply.

GDPR is emerging as a board-level issue for many U.S. organizations and the
pressure is on cybersecurity professionals to ensure the necessary steps
are being taken to protect the personally identifiable information (PII) of
EU residents. Unfortunately, network complexity is causing real challenges.
It can be difficult to gain full control and visibility of the network
since today’s data resides across physical, virtual and cloud networks, as
well as on endpoints like smartphones, tablets and notebooks.

To make matters even more tricky, to comply with GDPR companies will need
to be able to answer where all PII is being stored, with whom it’s being
shared, how the organization is protecting it and what they’re using it for.

Key questions

To realistically achieve GDPR compliance in time for the May 25, 2018
deadline, organizations should first ask themselves the following questions:

How confident are you in identifying and securing every single related
asset that stores or processes sensitive user data? For instance, have your
cybersecurity professionals located all rogue or shadow IT infrastructure?
Have you determined what data is being held, where, and why? Who’s
accessing that data currently and who should have future access?

Can you truly see in real time, or is your “continuous” monitoring actually
just periodic polling? For instance, is your IT team tracking cloud apps or
virtual machines (VMs) each time they join or leave your network? Are all
ports and endpoints known in real-time? How are you managing IoT

Do you know your entire extended network across suppliers, customers,
consultants and other organizations you interact with? For instance, do any
trusted network assets show up on attacker lists? Are there any active
devices on your network using known Trojan or malware ports? Can known
threat or malware IP address space be reached from within your network?

Once these crucial questions have been evaluated, organizations and their
cybersecurity professionals can incorporate them into their compliance
program by leveraging the following key technology best practices:

Data processing and storage assessment: By identifying any PII of EU
residents, evaluating all access rights and additional security measures, and
assessing current and future risk to the data, organizations can maintain an
accurate inventory of the assets that hold or process it, including while
processing is under way. They will also be better placed to assess their data
segmentation policies.

Whenever a new network asset is identified, cybersecurity professionals
should verify that it is at the correct patch level and has endpoint
protection in place, determine whether it changes the network topology, and
bring it under monitoring from a single, cohesive pane.

Breach prevention program implementation: When organizations are able to
restrict access to PII, define, document and implement data security
controls, and continuously evaluate the inevitable changes to PII and
access, they’re able to discover all new assets or changes in real-time and
properly test and execute network segmentation. To identify any
unauthorized network paths in real-time, cybersecurity professionals should
ensure segmentation for protecting access to PII, and continually identify
any segmentation violations across their GDPR environment.
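The two checks above, whether any observed flow crosses a segment boundary the policy does not permit, reaches address space on a threat list, or uses a watched port, are the kind of thing that can be automated against flow records. The following is an added example, not code from the original post or from Risk Based Security: the zones, policy, threat ranges (RFC 5737 documentation addresses, not real indicators), watch-list ports and sample flows are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed network zones for this example. The catch-all "internet" zone
# is /0 so that zone lookup must prefer the most specific prefix.
ZONES = {
    "pii-db": ipaddress.ip_network("10.10.0.0/24"),
    "app": ipaddress.ip_network("10.20.0.0/24"),
    "user-lan": ipaddress.ip_network("10.30.0.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}

# Constructed segmentation policy: (source zone, destination zone, port).
# Anything not listed is a segmentation violation; PII storage is reachable
# only from the app tier on the database port.
ALLOWED_PATHS = {
    ("app", "pii-db", 5432),
    ("user-lan", "app", 443),
    ("app", "internet", 443),
}

# Constructed "threat-intel" ranges (RFC 5737 documentation space, not
# real indicators) standing in for a block list fed from a threat feed.
THREAT_SPACE = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed watch list of ports; a real list would come from local policy.
SUSPICIOUS_PORTS = {4444, 6667}


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (e.g. one NetFlow/firewall record)."""
    src: str
    dst: str
    dst_port: int


def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip, or 'unknown'.

    IPv6 addresses never match the IPv4 networks above and so fall through
    to 'unknown', which the policy treats as a violation rather than ignoring.
    """
    addr = ipaddress.ip_address(ip)
    for name, net in sorted(ZONES.items(), key=lambda kv: -kv[1].prefixlen):
        if addr in net:
            return name
    return "unknown"


def check_flow(flow: Flow) -> list:
    """Return a list of findings for one flow; empty means nothing to report."""
    findings = []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if (src_zone, dst_zone, flow.dst_port) not in ALLOWED_PATHS:
        findings.append(
            f"segmentation: {src_zone}->{dst_zone}:{flow.dst_port} not permitted by policy")
    dst = ipaddress.ip_address(flow.dst)
    if any(dst in net for net in THREAT_SPACE):
        findings.append(f"threat-intel: {flow.dst} is in listed address space")
    if flow.dst_port in SUSPICIOUS_PORTS:
        findings.append(f"port: {flow.dst_port} is on the watch list")
    return findings


def audit(flows) -> dict:
    """Map each flow that produced findings to its findings."""
    results = {}
    for flow in flows:
        findings = check_flow(flow)
        if findings:
            results[flow] = findings
    return results


# Constructed sample flows: one compliant, three with problems.
SAMPLE_FLOWS = [
    Flow("10.20.0.5", "10.10.0.7", 5432),      # app -> pii-db: allowed
    Flow("10.30.0.12", "10.10.0.7", 5432),     # user-lan -> pii-db: violation
    Flow("10.20.0.5", "198.51.100.9", 443),    # allowed path, but listed dst
    Flow("10.30.0.12", "10.30.0.13", 4444),    # lateral, watched port
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port}")
        for finding in findings:
            print(f"  {finding}")
```

Run continuously over fresh flow exports rather than once, since the point of the questions above is that assets and paths change; a zone that falls through to "unknown" is itself worth an alert, because it usually means an asset the inventory has not caught up with.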

Monitoring, detection and response execution: To achieve GDPR compliance,
organizations must have real-time visibility across all of their networks,
devices and endpoints, including any VMs. They also need to be able to
instantly detect any suspicious network behavior and get a faster picture
of the network and security context surrounding the malicious activity in
the event of a necessary remediation effort. Continual network monitoring,
threat detection and incident response plans can enable compliance and
allow cybersecurity professionals to identify any behaviors that could be
indicators of active breach activity.

A recent PwC survey found that more than half of U.S. companies are
concerned about GDPR regulations due to their processing and collection of
EU customer data, with 77 percent of them planning to spend $1 million or
more on ensuring their ability to meet GDPR standards.

Rather than falling victim to GDPR-induced panic or blowing entire IT
budgets, organizations should focus first and foremost on implementing
continuous, real-time network visibility. By monitoring all network
activity, devices and endpoints, including VMs in the darkest corners of
an infrastructure, organizations can meet GDPR's expectation that they know
where personal data lives and who reaches it and, even more importantly,
they can accurately identify potential malicious network activity and gain
the context and intelligence to detect and stop threats before a breach
ever occurs.