EU General Data Protection Regulation (GDPR)

Information Security Audit Control Consultancy (ISACC)
GDPR Security: How to do IT? IT Readiness for Competitive Advantage
Reza Alavi, 01/26/2020

GDPR is approaching fast: 25th May 2018

What is GDPR?
GDPR concerns the protection and free movement of personal data.

GDPR Background

The Brexit question?
UK firms processing identifiable personal data will need to comply with the GDPR, irrespective of Brexit. The UK government has confirmed this and the Information Commissioner's Office (ICO) has endorsed it.

GDPR Chart: Chapters

Concepts/Players
- Security
- Privacy
- DPIA (Data Protection Impact Assessment)
- Personally Identifiable Information (PII)
- DPO (Data Protection Officer) / GDPR Owner
- PIMS (Personal Information Management System)
- DPPS (Data Protection Policy Statement)
- DP (Data Processor)
- DC (Data Collector)
- Confidentiality, Integrity, Availability, Authenticity, Compliance, Resilience, Correctness
- ICO (Information Commissioner's Office, UK)
- EU (European Union: 28 countries, soon 27!)
- NIST (National Institute of Standards and Technology)

GDPR Main Characteristics
- Scope
- Consent
- Fines and Penalties
- Privacy by Design
- Data Protection Impact Analysis (DPIA or PIA)
- Data Portability
- Right to Access
- Right to be Forgotten
- Breach Notification

Where to Start: Roadmap
- Identify GDPR data
- Map GDPR data
- Map GDPR data to the risks
- Map safeguarding requirements to data classification
- Map safeguarding requirements to the IT governance framework: Confidentiality, Integrity, Availability, Authenticity, Compliance, Resilience and Correctness

Roadmap (Cont.)
- Resilience is related to business continuity and DR
- Adequate incident management
- GDPR requires Authenticity and Corrective Action Management

Roadmap (Cont.)
- Minimisation: Least Privilege
- Pseudonymisation: the processing of personal data in a way that it can no longer be attributed to a specific data subject
- Encryption of all communication, file systems, storage, backups, ...
- Documentation: all relevant matters to be documented for the purpose of change management
- Risk Assessment: GDPR does not prescribe specific security measures, but it requires a risk assessment to be performed. But which risk? Data Protection Impact Assessment (DPIA) or Privacy Impact Analysis (PIA); ISO/IEC 31000 or ISO/IEC 29134
- Implementation of SIEM, Security Analytics, MDM, ...
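The pseudonymisation item on the roadmap above, as an added example that is not part of the ISACC deck: a keyed HMAC-SHA256 tokeniser in which the key is the "additional information" held separately from the pseudonymised dataset, so records stay joinable for processing but cannot be attributed to a data subject without the key. The field names, record layout and sample records are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Assumed direct identifiers present in the records (not from the deck).
DIRECT_IDENTIFIERS = ("email", "national_id")


class Pseudonymiser:
    """Keyed, deterministic tokeniser for direct identifiers.

    The key is the 'additional information' that GDPR expects to be kept
    separately from the pseudonymised dataset (e.g. in a key vault). Without
    it a token cannot be attributed to a subject; with it the controller can
    re-derive a subject's token to service access or erasure requests.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        key = secrets.token_bytes(32) if key is None else key
        if len(key) < 32:
            raise ValueError("pseudonymisation key must be at least 256 bits")
        self._key = key

    @staticmethod
    def _canonical(value: str) -> bytes:
        # Normalise case and whitespace so one subject maps to one token.
        return value.strip().lower().encode("utf-8")

    def token(self, identifier: str) -> str:
        # HMAC rather than a bare hash: low-entropy identifiers such as
        # e-mail addresses must not be re-derivable without the key.
        return hmac.new(self._key, self._canonical(identifier),
                        hashlib.sha256).hexdigest()

    def pseudonymise(self, record: Dict[str, object],
                     fields: Iterable[str] = DIRECT_IDENTIFIERS) -> Dict[str, object]:
        out = dict(record)  # leave the caller's original record untouched
        for name in fields:
            if name in out:
                out[name] = self.token(str(out[name]))
        return out


# Constructed sample records; not real people.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.org", "national_id": "AB123456C", "orders": 3},
    {"email": "alice@example.org", "national_id": "AB123456C", "orders": 1},
]
```

Rotating or destroying the key breaks the link between tokens and subjects, which is why key custody, not the hash algorithm, decides whether the dataset is still personal data.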

Data Protection Policy Statement (DPPS)
Organisations should answer the following questions in regard to the DPPS:
- What will be done?
- What resources will be required?
- Who will be responsible?
- When will it be completed?
- How will the results be evaluated?

Data Protection Policy Statement (DPPS) (Cont.)
- The DPPS describes the GDPR compliance that is relevant to other policies such as the Information Security Policy.
- The Board of Directors should approve and support the development, implementation, maintenance and continual improvement of a documented Personal Information Management System (PIMS). The BoD is responsible and accountable.
- The establishment of objectives for data protection and privacy, which are recorded in the PIMS and the GDPR Objectives Record.

Data Protection Policy Statement (DPPS) (Cont.)
- The Data Protection Officer (DPO)/GDPR owner is responsible for reviewing the register of processing annually in the light of any changes to the organisation's activities.
- The DPPS should be applied to all employees/staff, partners and any third parties working with or for the organisation, and who have or may have access to personal data, will be expected to

Standards and Guidelines
- ISO 27000:2014
- ISO 27001:2013
- ISO/IEC 27017:2015
- ISO 27018:2014
- ISO/IEC 29151
- ISO/IEC 29100
- ISO/IEC 29134:2017
- ISO/IEC 29151:2017
- COBIT
- ISO 31000
- NIST

IT Must Ensure:
- Implement controls to reduce the risk of data being compromised, but make sure the controls really manage the risks
- Authentication and authorisation provided to a single entity of GDPR data
- The creation of a single application allocated to GDPR data
- All systems and services are monitored
- An incident management process is in place

GDPR Misunderstandings
- Fine obscurity
- It is not just about EU citizens
- GDPR is not simply a DLP
- Purchasing a new solution doesn't cover everything
- Outsourcing doesn't set us free

Concluded Points

- Data classification and risk assessment are at the heart of GDPR; thus GDPR will be tied to risk management and assurance objectives.
- The maturity level of risk mitigation and IT governance defines the maturity of GDPR readiness.
- GDPR will reinforce the IT security governance framework for organisations that have one. For those that don't, it will create a legal purpose to build one.
- GDPR will help organisations build effective, more secure IT services and systems, and create an environment of trust and simplification of complex IT security measures.

Thank you all!
Dr. Reza Alavi, Cyber Security Lead
Tel: +44 (0)7900 480039
[email protected]
www.isacc.consulting
@SecurityVPeople
