[BreachExchange] How cyber-security can embed a sustainable privacy operating model

Audrey McNeil audrey at riskbasedsecurity.com
Wed May 9 18:55:30 EDT 2018


Chief information security officers (CISOs) have played a key role in
implementing the data security measures needed to meet the requirements of
the EU General Data Protection Regulation (GDPR). Now, as we move towards
its implementation on 25 May, organisations need to think about how they
can continue to embed sustainable improvements in their data management and
use that to create value.

Manage risk appropriately

A risk-based approach to security is central to complying with GDPR.
Article 32 requires that the measures taken by organisations must provide a
level of security appropriate to the risk. This ensures that priorities are
established and decisions are made by evaluating data sensitivity, system
vulnerability and the likelihood of threats. Many organisations will
already have remediated their high-risk applications, but it is important
that they do not stop there and now apply relevant technical controls to
medium- and low-risk areas as well.

Provide assurance on unstructured data

While organisations have been focusing on remediating IT systems to make
them GDPR ready, much of the personal data they hold is in the form of
unstructured data (for example Excel files, Word documents and emails). To
manage the risk around this unstructured data, the CISO needs to provide
clear guidance to the business on how to secure it and how to minimise its
use where possible. They should also consider using tools that can discover
large stores of unstructured data that might have gone undetected during
the inventory-building process required for Article 30 compliance.

Deal with shadow IT and cloud risk

Shadow IT, meaning systems and solutions used without the explicit approval
or support of the IT department, can also introduce a large amount of GDPR
compliance risk, especially if the privacy office and CISO are unaware of
it. These risks can be mitigated by encouraging business users, when
building their inventory of personal data, to identify the data they use in
terms of business processes rather than IT systems. A time-limited amnesty
for users to disclose whether they use any shadow IT services can also help
identify where these are being used.

There is a need to work with the IT function to understand the reasons why
these shadow IT services are being used. That includes ensuring that
employees can access the tools they might need through official channels
rather than resorting to unapproved alternatives. Organisations can also
use data loss prevention solutions to monitor how personal data is used
within the organisation, and identify further sources of shadow IT.

Similarly, they should make sure that the cloud services they use have the
right technical and legal controls in place. That means avoiding using
cloud computing services in the absence of any guarantee about the
effective geographical location of the data or without ensuring the
lawfulness of the data transfers outside of the European Union.

Respond to data breaches

Another critical role for the CISO is in identifying and managing data
breaches. In many cases, the cyber-security team will be the first to
detect a data breach. A clear documented process will help to ensure this
is logged appropriately, and the relevant action is taken in a timely way.
A decision tree should make it possible to quickly identify the actions to
be taken for each incident type, based on the severity of the data breach.
The teams should then work with various internal and external stakeholders
(including suppliers if needed) to manage the incident, and notify
regulators and impacted individuals rapidly. After the immediate management
of the breach is complete, a rigorous testing regime should be put in
place. This should cover technical controls, policy, people and process, and
be tested against the real-world scenarios appropriate for the business.

Audit and monitor technical controls

Finally, periodic security audits should be carried out on the technical
controls to check that they remain embedded in the organisation and
continue to be effective. Each audit must produce an action plan, and its
implementation should be monitored at the appropriate level within the
organisation. Taking these actions will ensure that organisations are not
just compliant on the day GDPR comes in but that they have a sustainable
model that can secure the value of better data governance.