In May 2018, the General Data Privacy Regulation (GDPR) will take effect, significantly changing the way organizations process and store data.
The comprehensive regulation contains 200 pages and 99 articles and aims to strengthen the security and privacy protections around individual data, by subjecting organizations to stricter and new requirements, such as breach notification, and increasing fines on organizations that fail to comply.
GDPR applies to all organizations that control or process data within the EU as well as those that manage or process data related to EU residents. This means that although the GDPR is an EU regulation, US organizations processing data for EU residents will also have to comply with it, Cybersecurityintelligence.com said.
Organizations will have to maintain a data breach detection plan, regularly evaluate the effectiveness of security practices and document evidence of compliance.
However, the GDPR does not provide specific technical direction, which means that organizations themselves are responsible for creating and maintaining the practices needed to meet the outlined data security requirements. With this in mind, we offer nine steps to prepare for the security requirements within GDPR.
Implement a SIEM tool with log management capabilities.
Article 30 of GDPR states that each administrator should monitor and record all the processing activities under its responsibility. To do so, organizations typically use a Security Information and Event Management (SIEM) tool that centralizes logs from applications, systems, and networks, allowing companies to monitor all user and system activity and to identify any suspicious or malicious behavior.
Analysts can build a view of what occurred in order to investigate suspicious behavior, including which attack technique was used, the related events, the source IP addresses, and so on.
Organizations with data stored in the cloud should ensure that their SIEM tool records not only local activity but also activity in public and private cloud infrastructure, as personal data held there also falls within the scope of GDPR.
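The centralized log collection described in this step, as an added example that is not part of the original article: a minimal SIEM-style pipeline that normalizes an on-premises sshd syslog line and a cloud audit record into one event schema, then flags a source address that fails authentication repeatedly and then succeeds. The sample log lines, the cloud record format, and the field names are constructed for illustration and do not follow any real provider's schema.

```python
"""Added example (not from the article): normalize on-prem and cloud logs into
one event schema and correlate repeated failures followed by a success."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: sshd-style syslog lines from an on-prem host and
# JSON audit records in an invented cloud-console format.
SAMPLE_LOGS = [
    "2018-03-01T09:00:01 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.7",
    "2018-03-01T09:00:04 web01 sshd[1234]: Failed password for root from 203.0.113.7",
    "2018-03-01T09:00:09 web01 sshd[1235]: Failed password for deploy from 203.0.113.7",
    "2018-03-01T09:00:15 web01 sshd[1236]: Accepted password for deploy from 203.0.113.7",
    '{"time": "2018-03-01T09:02:00", "tenant": "crm-prod", "principal": "alice", "client_ip": "198.51.100.9", "status": "DENIED"}',
    '{"time": "2018-03-01T09:02:30", "tenant": "crm-prod", "principal": "alice", "client_ip": "198.51.100.9", "status": "OK"}',
    "2018-03-01T09:05:00 web01 sshd[1240]: Failed password for bob from 192.0.2.44",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_syslog(line):
    """Parse one sshd-style line into the common event schema (or None)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "source": "onprem:" + m["host"],
        "user": m["user"],
        "src_ip": m["src"],
        "outcome": "success" if m["result"] == "Accepted" else "failure",
    }


def parse_cloud_audit(line):
    """Parse one constructed cloud audit JSON record into the common schema."""
    rec = json.loads(line)
    return {
        "ts": datetime.fromisoformat(rec["time"]),
        "source": "cloud:" + rec["tenant"],
        "user": rec["principal"],
        "src_ip": rec["client_ip"],
        "outcome": "success" if rec["status"] == "OK" else "failure",
    }


def normalise(lines):
    """Route each raw line to the right parser and return events in time order."""
    events = []
    for line in lines:
        ev = parse_cloud_audit(line) if line.lstrip().startswith("{") else parse_syslog(line)
        if ev:
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_bruteforce_then_success(events, threshold=3, window=timedelta(minutes=10)):
    """Return (src_ip, source, user) where at least `threshold` failures from one
    source IP against one system were followed by a success within `window`."""
    failures = defaultdict(list)  # (src_ip, source) -> failure timestamps
    hits = []
    for ev in events:
        key = (ev["src_ip"], ev["source"])
        if ev["outcome"] == "failure":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            hits.append((ev["src_ip"], ev["source"], ev["user"]))
    return hits


def detect_on_sample():
    """Run the correlation over the constructed sample logs."""
    return find_bruteforce_then_success(normalise(SAMPLE_LOGS))


if __name__ == "__main__":
    for src_ip, source, user in detect_on_sample():
        print(f"ALERT: {src_ip} succeeded as {user} on {source} after repeated failures")
```

The cloud record with one denial followed by success stays below the threshold and is not reported; only the on-prem host with three failures and a success within ten minutes produces an alert. In a real deployment the same normalization step is what lets one rule cover both local and cloud-hosted systems.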
Create an inventory of all critical assets storing or processing sensitive data.
GDPR covers all IT systems, networks and devices, so organizations must maintain an ongoing inventory of where personal data is stored across the entire infrastructure. This can be a difficult task, especially in a public cloud environment and in cases where employees are using BYOD.
Organizations with employees who process or store data on unapproved devices will continue to be liable and subject to regulatory fines in the event of an attack, so it is essential that all components of an organization’s IT system are identified and monitored.
There are various asset discovery tools with which organizations can continuously track where sensitive data is held.
New vulnerabilities appear almost daily, whether in software, system configuration, or processes. For this reason, organizations must stay on top of these with regular vulnerability scanning.
It is also important to determine the threat level of each vulnerability, taking into account various factors:
Does the affected system fall within the scope of GDPR?
How critical is the threat, and how many personal records could be compromised?
Are there any real attempts to exploit the vulnerable asset?
Is the vulnerability already being exploited in real-world attacks, and if so, how?
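One way to turn the four questions above into a repeatable prioritization, as an added example that is not part of the original article: each scan finding carries the answers as fields, a tier is derived from them, and findings are ordered so that GDPR-scoped assets under active attack come first. The finding records, field names, and tier rules are constructed assumptions for illustration, not a scoring scheme from the article or any scanner vendor.

```python
"""Added example (not from the article): rank vulnerability findings by the
four GDPR triage questions. Findings and tier rules are constructed."""

# Constructed findings. Field meanings (assumed, not a real scanner schema):
#   in_gdpr_scope      - does the affected system hold or process personal data?
#   records_at_risk    - how many personal records could be compromised?
#   attempts_observed  - have real exploitation attempts been seen against it?
#   exploited_in_wild  - is the vulnerability known to be exploited in the wild?
#   exploit_vector     - how it is exploited ("remote-unauthenticated" or "local")
FINDINGS = [
    {"id": "VULN-A", "asset": "crm-db", "in_gdpr_scope": True, "records_at_risk": 250_000,
     "cvss": 9.8, "attempts_observed": True, "exploited_in_wild": True,
     "exploit_vector": "remote-unauthenticated"},
    {"id": "VULN-B", "asset": "hr-portal", "in_gdpr_scope": True, "records_at_risk": 3_000,
     "cvss": 8.1, "attempts_observed": False, "exploited_in_wild": False,
     "exploit_vector": "remote-unauthenticated"},
    {"id": "VULN-C", "asset": "build-server", "in_gdpr_scope": False, "records_at_risk": 0,
     "cvss": 9.0, "attempts_observed": False, "exploited_in_wild": True,
     "exploit_vector": "remote-unauthenticated"},
    {"id": "VULN-D", "asset": "intranet-wiki", "in_gdpr_scope": True, "records_at_risk": 400,
     "cvss": 5.3, "attempts_observed": False, "exploited_in_wild": False,
     "exploit_vector": "local"},
    {"id": "VULN-E", "asset": "mail-gw", "in_gdpr_scope": True, "records_at_risk": 20_000,
     "cvss": 6.5, "attempts_observed": True, "exploited_in_wild": False,
     "exploit_vector": "local"},
]


def priority(finding):
    """Map the four triage questions onto an ordered tier (constructed rules).

    P1: GDPR-scoped asset with observed attempts or known in-the-wild exploitation.
    P2: GDPR-scoped, high severity or a large number of records exposed.
    P3: GDPR-scoped, lower severity.
    P4: outside GDPR scope (still remediated, but after the scoped findings).
    """
    if not finding["in_gdpr_scope"]:
        return "P4"
    if finding["attempts_observed"] or finding["exploited_in_wild"]:
        return "P1"
    if finding["cvss"] >= 7.0 or finding["records_at_risk"] >= 10_000:
        return "P2"
    return "P3"


def rank_findings(findings):
    """Order findings by tier, then by how they are exploited (unauthenticated
    remote first), then by records at risk and CVSS score."""
    return sorted(
        findings,
        key=lambda f: (
            priority(f),
            f["exploit_vector"] != "remote-unauthenticated",
            -f["records_at_risk"],
            -f["cvss"],
        ),
    )


def ranked_ids(findings=FINDINGS):
    """Convenience: the finding ids in remediation order."""
    return [f["id"] for f in rank_findings(findings)]


if __name__ == "__main__":
    for f in rank_findings(FINDINGS):
        print(f"{priority(f)} {f['id']:8} {f['asset']:14} records={f['records_at_risk']:>7} cvss={f['cvss']}")
```

Note that VULN-C has the highest CVSS score after VULN-A yet lands last, because the system is out of GDPR scope, while VULN-E with a moderate score is pulled forward because real attempts have been observed against a scoped asset. The point of the example is that raw severity alone does not answer the regulation's questions.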
Conduct risk assessments and apply business-minded threat models.
Organizations must identify and evaluate all security risks, not just vulnerabilities. Art. 35 of the GDPR requires data protection impact assessments (DPIAs), and Article 32 requires companies to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”
This mandate is deliberately general so that organizations can apply whichever information security framework gives them the best understanding of the risks facing their systems. NIST and ISO/IEC 27001 are among the effective options.
Test your systems regularly to make sure that security controls are working as designed.
Art. 32 addresses the security of personal data processing by requiring organizations to establish a procedure to regularly analyze the effectiveness of their security controls. This is far from easy, and it becomes harder as organizations grow.
There are three possible strategies to validate the effectiveness of your security measures:
Manual assurance - security audit, penetration testing.
Automated assurance technologies.
Consolidating and integrating security products so that fewer point products need to be managed and reported.
Repetition - checking that your systems are protected is not a one-time action, rather, it must be a constant, repetitive process.
Take measures to detect threats to ensure reliable and timely notification when a breach has occurred.
The GDPR requires organizations to report a breach to the appropriate regulatory body within 72 hours of becoming aware of it. For high-risk incidents, impacted data subjects must be notified without undue delay (Article 31). To detect, understand and respond to breaches that quickly, organizations must have threat detection controls in place that alert them to incidents immediately.
Monitor network and user behavior so you can identify and investigate security incidents in a timely fashion.
Organizations need to understand not only external threats but also potential internal threats.
Internal threats often result from unauthorized data access.
To determine whether internal incidents are threats or not, you need to consider the context in which corporate data is accessed. For example, a burst in Skype traffic on the sales team's network is probably a normal part of its operations, but a similar surge of traffic to the database server that holds the customer list is likely to be a security issue.
Observing consumer behavior patterns also helps determine whether an anomalous incident should be treated as a threat. Tools exist to perform such monitoring, for example NetFlow.
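The contextual judgement in the Skype-versus-database example above, as an added example that is not part of the original article: daily traffic volumes per (source group, destination) pair are learned from NetFlow-style summaries over a baseline period, and the current day is flagged only where it departs from that pair's own history. The flow records, group names, and thresholds are constructed for illustration; in practice the source group would come from mapping flow source subnets to teams.

```python
"""Added example (not from the article): per-pair traffic baselines from
NetFlow-style daily summaries, flagging bursts and never-seen destinations."""
import statistics
from collections import defaultdict

MB = 1_000_000

# Constructed flow summaries: (day, source_group, destination, bytes).
# Days 1-7 form the baseline; day 8 is the day under review.
FLOWS = []
for day, mb in enumerate([50, 52, 48, 55, 47, 53, 49, 56], start=1):
    FLOWS.append((day, "sales", "skype-relay", mb * MB))      # heavy but normal
for day, mb in enumerate([12, 11, 13, 12, 14, 11, 12, 13], start=1):
    FLOWS.append((day, "engineering", "crm-db", mb * MB))     # steady DB use
for day, kb in enumerate([200, 300, 250, 200, 300, 200, 250], start=1):
    FLOWS.append((day, "sales", "crm-db", kb * 1000))         # tiny, then...
FLOWS.append((8, "sales", "crm-db", 40 * MB))                 # ...a 40 MB burst
FLOWS.append((8, "marketing", "crm-db", 3 * MB))              # never seen before


def daily_totals(flows):
    """Sum bytes per (day, group, destination)."""
    totals = defaultdict(int)
    for day, group, dst, nbytes in flows:
        totals[(day, group, dst)] += nbytes
    return totals


def detect_anomalies(flows, current_day, k=3.0, min_bytes=1 * MB):
    """Return sorted (group, destination, reason) alerts for `current_day`.

    A pair is flagged when its volume exceeds the baseline mean by more than
    k standard deviations, or when the pair has no baseline at all. Pairs
    below `min_bytes` are ignored so trivial flows never alert.
    """
    totals = daily_totals(flows)
    history = defaultdict(list)  # (group, dst) -> per-day bytes before current_day
    today = {}
    for (day, group, dst), nbytes in totals.items():
        if day < current_day:
            history[(group, dst)].append(nbytes)
        elif day == current_day:
            today[(group, dst)] = nbytes

    alerts = []
    for pair, nbytes in today.items():
        if nbytes < min_bytes:
            continue
        past = history.get(pair)
        if not past:
            # Edge case: no history at all, so the pair cannot be scored;
            # a first-ever flow to a sensitive server is worth a look.
            alerts.append((*pair, "no baseline: first traffic to this destination"))
            continue
        mean = statistics.mean(past)
        sd = statistics.pstdev(past) if len(past) > 1 else 0.0
        if nbytes > mean + k * sd:
            alerts.append((*pair, f"burst: {nbytes / MB:.1f} MB vs baseline mean {mean / MB:.2f} MB"))
    return sorted(alerts)


def anomalous_pairs(flows=FLOWS, current_day=8):
    """Convenience: just the (group, destination) pairs that alerted."""
    return [(group, dst) for group, dst, _ in detect_anomalies(flows, current_day)]


if __name__ == "__main__":
    for group, dst, reason in detect_anomalies(FLOWS, 8):
        print(f"ALERT {group} -> {dst}: {reason}")
```

The sales team's Skype traffic on day 8 is the largest single flow in the data but stays within its own baseline, so it is silent; the sales group's jump from a few hundred kilobytes to 40 MB against the customer database alerts, as does a group that has never touched that server before. Per-pair baselines are what let the same rule distinguish the two cases the article contrasts.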
A documented and practical incident response plan.
To comply with the GDPR's 72-hour breach notification rules, organizations need threat detection controls and processes in place to alert them to incidents. They also need a data breach response plan that allows them to quickly and accurately determine the scope of impact.
The response plan should first focus on investigating all related events to establish the timeline, determine the source of the attack, and decide the measures needed to mitigate the damage from the incident.
Prepare a communication plan to inform concerned parties.
Finally, once all these actions have been completed, organizations have to assess whether personal data has been compromised in order to determine whether the breach must be reported under GDPR. If so, the organization must send a message to the regulatory body within 72 hours, which must include the following elements:
What is the nature of the breach?
Provide the name and contact details of your data protection officer.
What are the likely consequences of the breach?
Describe the measures taken or proposed to be taken by the data controller to address the breach and mitigate its adverse effects.
If personal data has been affected, organizations will also be required to inform any affected EU citizens of the incident.
Preparing for GDPR may seem an extremely complex task, but organizations that follow the above steps can meet the challenge and significantly improve their security, especially their threat detection and their ability to react.