Don’t Let GDPR Blow You Away: 5 Tips to Help you Set Sail

09/13/2016

Cindy E. Compert CIPT/M, CTO Data Security & Privacy, IBM Security, @CCBigData

Upload: ibm-security

Post on 07-Jan-2017


TRANSCRIPT

Page 1

Page 2

Page 3

Agenda

• GDPR: A Quick Overview

• 5 Tips to Help You Get Underway

•  *Bonus Tip!*

• Q&A

Nothing in this presentation should be considered Legal guidance or direction. IBM does not provide Legal advice. IBM recommends that your clients consult with the appropriate Legal Counsel as necessary.

Page 4

The new General Data Protection Regulation (GDPR) has arrived!

•  Three primary objectives of the GDPR

  To create a unified data protection law for all 28 European Countries.

  To enhance the level of data protection for EU data subjects

  To modernize the law in line with existing and emerging technologies

•  GDPR will fundamentally change the way companies must manage their data

Caveat: The GDPR is still a “work in progress” and the details for its implementation have not yet been finalized.

Page 5

Caveat about terminology

•  Data Protection

  Data Protection in the EU = Data Privacy

  Data Protection in the US = Data Security

  Data Protection in the EU covers both Data Privacy requirements and Data Security requirements

•  Data processing

  Any handling of Personal Data throughout its entire life cycle, from collection to deletion, is considered “processing”. Even remote access is considered “processing”.

•  Personal Data

•  Data Controllers, Data Processors, Data Subjects

GDPR Glossary: http://www.eugdpr.org/glossary-of-terms.html

Page 6

Key aspects of the Regulation

•  GDPR came into force in May 2016 and will be applicable as of May 2018

•  It also has international reach, applying to any organization that processes data of EU data subjects.

•  Fines for non-compliance will increase substantially, up to a maximum fine of €20 million or 4% of global annual turnover per incident, whichever is higher

The majority of US and EU companies are not ready for the new Privacy requirements of the GDPR

Page 7

Enhanced level of protection for data subjects

•  Definition of “Personal Data” now explicitly includes online identifiers, location data and biometric/genetic data

•  Higher standards for privacy notices and for obtaining consent

•  Easier access to personal data by a data subject

•  Enhanced right to request the erasure of their personal data

•  Right to transfer personal data to another organization (portability)

•  Right to object to processing now explicitly includes profiling.

Page 8

Enhanced obligations on data controllers and processors

•  Operationalization of a Data Protection by Design and by Default process

•  Requirement to conduct risk analysis and Data Protection Impact Assessments (DPIA)

•  Appointment of a Data Protection Officer (DPO)

•  Implementation of technical and organizational security measures appropriate to the risks presented

•  Breach notification obligations

•  Increased obligations for data processors

Page 9

GDPR Readiness Assessment

•  IBM’s Data Privacy Consulting services can help your organization identify areas of their business which will be impacted by their requirements and obligations under the GDPR.

•  Through our customized end-to-end GDPR Readiness Assessment, IBM is able to evaluate your organization’s current practices against the new requirements with a focus on process development, best practices and organizational need.

•  IBM will also provide your organization with a maturity model and gap/remediation plan to assist your organization in developing and implementing their roadmap towards compliance.

•  The Readiness Assessment also pairs IBM products and services to the GDPR requirements, enabling a one-stop shop for necessary software and/or services to implement GDPR compliance.

This should not be considered Legal advice; it is process advice only. Reach out to the appropriate Legal Counsel for guidance as necessary.

Page 10

5 Top Tips + Bonus

Page 11

Tip 1: Know your vulnerabilities

Page 12

Tip 1: Identify and mitigate security vulnerabilities

What is it? Article 35, Data Protection Impact Assessments (DPIA), enables organizations to identify and mitigate the risks of proposed data processing activities before those activities start. Data Protection includes Privacy and Security.

Why it matters: Article 35(7)(d): the Data Protection Impact Assessment includes assessing risks, ‘including safeguards, security measures and mechanisms to ensure the protection of personal data and demonstrate compliance with this regulation’.

Page 13

What should vulnerability assessment help you do? Analyze risk, automate compliance and harden your data environment

Comprehensive testing and reporting

•  Use industry best practices and primary research

•  2000+ predefined tests to uncover database and OS vulnerabilities

•  Recommendations for remediation

•  Vulnerability Assessment scorecard

•  Configuration audit system (CAS) monitors configuration changes

•  View graphical representation of trends

•  Relational and NoSQL databases

•  Includes quarterly DPS updates

Extensible design

•  Enables custom designed tests

•  Tuning existing tests to match needs

•  Report builder for custom reports

Page 14

Anatomy of a Vulnerability Assessment Report (annotated screenshot; callout labels only): Overall Score; Summary Test Results; Detailed Test Results; Detailed Scoring Matrix; Filter control for easy use; Result History Shows Trends; Detailed Remediation Suggestions; External Reference

Page 15

Tip 1: Set Sail

Identify areas of risk first: most data, most shared, etc.

Consider a consolidated approach to your security assessments (network, application, data, infrastructure, etc.)

Page 16

Tip 2: Create a (good) map

Page 17

Tip 2: To create a good map, you need to discover and classify Personal Data

What & where is it? Understand and document where Personal Data is stored and processed, including with/by 3rd parties

Why it matters:

•  Organizations need to understand what data they hold and process to assess risk and design adequate controls

•  Personal data is the foundation of GDPR

•  Classification and Data Mapping are necessary to support Data Portability, Right of Access, Right of Erasure.

Page 18

Tip 2: Automation makes discovery and classification easier for databases and files

•  Discover database instances on the network

•  Catalog Search: Search the database catalog for table or column name

•  Search for Data: Match specific values or patterns in the data

•  Search for Unstructured Data: Match specific values or patterns in an unstructured data file (CSV, Text, HTTP, HTTPS, Samba)

•  Classify Data: Put data in actionable groups, automatically or manually

Page 19

Jump start your efforts with Personal Data Discovery and Classification services

Phases of the IBM Data and Application Security method, each with the question it answers:

•  DEFINE: What is the personal data?

•  DISCOVER: Where is it? How is it used?

•  BASELINE: What is required to protect critical data?

•  SECURE: How to plan, design and implement?

•  MONITOR: How to manage critical data protection?

Activities, in phase order:

•  Understand overall data security strategy

•  Determine data protection objectives

•  Develop organizational data model / taxonomy

•  Understand data environment, infrastructure and lifecycle

•  Perform iterative discovery, analysis and classification

•  Establish baseline security requirements for personal data

•  Assess current data security processes and controls

•  Determine gaps and identify solutions

•  Plan and prioritize technical and business process transformations

•  Design and implement solutions that protect critical data, enable access and align to business growth objectives

•  Develop governance framework, risk metrics and monitoring processes

•  Periodically validate data protection strategy and methodology

Supported by: Consulting Method | Industry-specific Data Models | Global Consulting Expertise | IBM Data Security Research; IBM Guardium, StoredIQ, DLP and other leading data protection technologies

Page 20

Tip 2: Find identifiers first, since personal data must be identifiable
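As an added example (not part of the presentation or of any IBM product), the discovery and classification steps of Tip 2 run against a constructed SQLite database: a catalog search for identifier-like column names, a value search for identifier patterns in sampled rows, and a merged classification. The table names, patterns and sample rows are assumptions for the demo.

```python
import re
import sqlite3

# Constructed sample database (assumption for the demo): one table with personal data, one without.
SAMPLE_SQL = """
CREATE TABLE customers (id INTEGER, full_name TEXT, email_addr TEXT, phone TEXT, notes TEXT);
CREATE TABLE inventory (sku TEXT, qty INTEGER, warehouse TEXT);
INSERT INTO customers VALUES (1, 'Ana Lopez', 'ana.lopez@example.org', '+44 7700 900123', 'prefers email');
INSERT INTO customers VALUES (2, 'Bo Chen', 'bo@example.com', '+1-555-0100', 'contact via bo@example.com');
INSERT INTO inventory VALUES ('SKU-1', 10, 'Leeds');
"""

# Catalog search: column names that suggest a direct identifier ("find identifiers first").
CATALOG_PATTERNS = {
    "name": re.compile(r"(^|_)(name|surname|forename)(_|$)", re.I),
    "email": re.compile(r"e?mail", re.I),
    "phone": re.compile(r"phone|mobile|tel", re.I),
}

# Data search: value patterns (deliberately simple, constructed for the demo) applied to sampled rows.
VALUE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s-]{7,}\d"),
}

def table_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]

def catalog_search(conn):
    """Return {(table, column): category} for columns whose *names* match an identifier pattern."""
    hits = {}
    for table in table_names(conn):
        for _, col, *_ in conn.execute(f"PRAGMA table_info({table})"):
            for category, pat in CATALOG_PATTERNS.items():
                if pat.search(col):
                    hits[(table, col)] = category
    return hits

def data_search(conn, sample_rows=100):
    """Return {(table, column): category} for TEXT columns whose sampled *values* match a pattern.
    This catches personal data hiding in generically named columns (an e-mail address in 'notes')."""
    hits = {}
    for table in table_names(conn):
        cols = [c[1] for c in conn.execute(f"PRAGMA table_info({table})") if c[2].upper() == "TEXT"]
        for col in cols:
            for (value,) in conn.execute(f'SELECT "{col}" FROM {table} LIMIT ?', (sample_rows,)):
                for category, pat in VALUE_PATTERNS.items():
                    if value and pat.search(value):
                        hits[(table, col)] = category
    return hits

def classify(conn):
    """Merge both searches into an actionable inventory: {table: {column: category}}."""
    found = catalog_search(conn)
    found.update(data_search(conn))  # evidence from values overrides a name-only guess
    inventory = {}
    for (table, col), category in sorted(found.items()):
        inventory.setdefault(table, {})[col] = category
    return inventory

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn
```

The value search is what catches the e-mail address sitting in the generically named 'notes' column, which a catalog search alone would miss.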

Page 21

Tip 3: Data Processor/Controller Governance: Track where data is processed

What is it? Data Controllers and Processors need to implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing is performed in accordance with the Regulation.

Why it matters:

•  GDPR requires demonstrating compliance.

•  How will you document and manage data processing audit trails?

Page 22

Tip 3: Monitoring policies track privileged user access to GDPR Personal data

Page 23

Tip 3: Track where data is processed: Audit local and remote activity

GDPR Personal Data Activity Report

Page 24

… and record and audit policy violations and quarantine connections if there is unauthorized access to Personal Data

Page 25

Tip 3: Make your audit trail scalable

•  Watch sensitive data & data access all the time

•  Monitor it everywhere it lives

•  Protect data at rest and in motion

•  Easily review results and monitor your data security heartbeat

Page 26

Tip 4

“I am thankful the most important key in history was invented. It's not the key to your house, your car, your boat, your safety deposit box, your bike lock or your private community. It's the key to order, sanity, and peace of mind. The key is 'Delete.’” - Elayne Boosler

Page 27

Tip 4: Track data subjects’ rights to access, modify, delete and transfer data

What is it? Individuals can request that organizations produce the information held about them, and they have the right to rectify (correct), delete, or transfer that data. “The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.”

Why it matters:

• GDPR’s highest fines (4%) are for violating data subject rights such as failing to respond and failure to provide adequate information

• Data subjects also have the right to recover monetary damages

Page 28

Tip 4 at work: Automating the audit compliance workflow

Page 29

Tip 4: Enhance your tracking using Privileged Identity Management credentials for requests

Page 30

Tip 5: Scramble!

Page 31

Tip 5: Encrypt/obfuscate (pseudonymise) data before processing

What is it? GDPR Article 32, Security of processing: “the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including…the pseudonymisation and encryption of personal data;”

Why it matters: Article 33- Clients may not need to notify data subjects about a breach if the personal data has been rendered “unintelligible to any person who is not authorised to access it, such as encryption”. The only technical controls mentioned in GDPR are encryption and pseudonymisation (de-identifying data with a mechanism to re-identify if necessary)

Page 32

Tip 5: Consider a centralized key management solution to support all encryption solutions
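As an added example, not from the deck or from any IBM product, a pseudonymisation service in the sense used in Tip 5: identifiers are replaced by keyed HMAC-SHA256 tokens, and the key plus the token-to-identifier vault are held in one central place, so the data handed to processing is unintelligible on its own but can still be re-identified when necessary. Record layout, field names and sample values are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (assumption for the demo); the direct identifiers are the fields to pseudonymise.
IDENTIFIER_FIELDS = ("full_name", "email_addr")
RECORDS = [
    {"id": 1, "full_name": "Ana Lopez", "email_addr": "ana.lopez@example.org", "plan": "gold", "country": "ES"},
    {"id": 2, "full_name": "Bo Chen", "email_addr": "bo@example.com", "plan": "basic", "country": "DE"},
]

class PseudonymService:
    """Keyed pseudonymisation: identifier -> HMAC-SHA256 token.
    The key and the token->identifier map live only here (the one central place the slide argues for),
    never alongside the processed data, so the processing side holds nothing re-identifiable."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._lookup = {}  # token -> identifier; HMAC is one-way, so this vault is what allows re-identification

    def pseudonymise(self, field, value):
        # The field name is mixed in so the same string in two different fields yields unrelated tokens.
        msg = f"{field}\x00{value}".encode()
        token = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:24]
        self._lookup[token] = value
        return token

    def reidentify(self, token):
        # Raises KeyError for tokens this service never issued (e.g. a processor without the vault).
        return self._lookup[token]

def pseudonymise_records(records, service):
    """Copies of the records with identifier fields replaced by tokens; safe to pass to processing."""
    out = []
    for rec in records:
        copy = dict(rec)
        for f in IDENTIFIER_FIELDS:
            copy[f] = service.pseudonymise(f, rec[f])
        out.append(copy)
    return out

def reidentify_records(records, service):
    """Reverse of pseudonymise_records; only possible with the service that holds the vault."""
    out = []
    for rec in records:
        copy = dict(rec)
        for f in IDENTIFIER_FIELDS:
            copy[f] = service.reidentify(rec[f])
        out.append(copy)
    return out

def contains_identifier(records, value):
    """Does a raw identifier appear anywhere in a data set? (the check a DPIA reviewer would run)"""
    return any(value in str(v) for rec in records for v in rec.values())
```

Because the token for a given identifier is stable under one key, joins and deduplication still work on the pseudonymised set; a second key (or no vault) yields tokens that cannot be linked or reversed.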

Page 33

Tip 5: Encryption Examples

Database Encryption

  Usage: Encrypt tablespace, log, and other database files

  Common Databases: DB2, Informix, Oracle, MSSQL, Sybase, MySQL…

Unstructured Data Encryption

  Usage: Encrypt and control access to any type of data used by a LUW server

  Common Data Types: Logs, Reports, Images, ETL, Audio/Video Recordings, Documents, Big Data…

  Examples: FileNet, Documentum, Nice, Hadoop, Home Grown, etc…

Cloud Encryption

  Usage: Encrypt and control access to data used by Cloud Instances

  Common Cloud Providers: Amazon EC2, Rackspace, MS Azure

Page 34

Tip 5: A Safe Harbor

Page 35

Tip 6: You need to support breach management and notification (including incident forensics)

What is it? GDPR Article 33: “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.”

Why it matters: Both processors and controllers have responsibilities to report breaches in a timely manner, or risk substantial fines. The EU has never had mandated breach reporting. Organizations will struggle with coordinating the people, process, and information needed to report and respond to a breach within the 72-hour window.

Page 36

Tip 6: Automate your Incident Response

Page 37

Summary

Page 38

ANALYZE. PROTECT. ADAPT

ANALYTICS

•  Discovery, classification, vulnerability assessment, entitlement reporting

•  Encryption, masking, and redaction

•  Data and file activity monitoring

•  Dynamic blocking and masking, alerts, and quarantine

•  Compliance automation and auditing

Know your personal data and intelligently safeguard it

Page 39

GDPR Security Immune System (IBM portfolio graphic; labels only)

SECURITY TRANSFORMATION SERVICES: Management consulting | Systems integration | Managed security

Domains: Threat Intelligence; Security Analytics; Cloud; Identity and Access; Data and Apps; Mobile; Advanced Fraud; Network; Endpoint; Security Ecosystem; App Exchange

INFORMATION RISK AND PROTECTION: MaaS360; Trusteer Mobile; Trusteer Rapport; Trusteer Pinpoint; AppScan; Guardium; Cloud Security Enforcer; Privileged Identity Manager; Identity Governance and Access; Cloud Identity Service; Key Manager; zSecure

SECURITY OPERATIONS AND RESPONSE: QRadar SIEM; QRadar Risk Manager; QRadar Vulnerability Manager; QRadar Incident Forensics; Resilient Incident Response; X-Force Exchange; BigFix; Network Protection XGS

Page 40

ibm.com/security | securityintelligence.com | xforce.ibmcloud.com | @ibmsecurity | youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

FOLLOW US ON:

THANK YOU

Page 41

Supplemental Information

Page 42

Don’t stop now: There’s more to Tip 1

Take the next step & identify additional risks. There are many types of risks:

•  Unauthorized Users: anyone that can connect to the database to see the cardholder data

•  Unauthorized IP Addresses: only certain servers are allowed to communicate together

•  Unauthorized Programs: access by other programs bypasses other security controls

•  Monitoring Database Objects: only certain tables contain sensitive data

(Diagram: one connection to the database, labelled with its source IP 10.10.9.27, user Joe and program MS Excel)

However, to simplify these risks, let’s call it an unauthorized “connection”
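The "unauthorized connection" view from this slide, combined with the monitoring, audit and quarantine behaviour described under Tip 3, as an added example that is not IBM's code: an allow-list of user, source IP and program for personal-data objects is evaluated over constructed activity-log lines; every event is audited, and only unauthorised access to a personal-data object is flagged for quarantine, with the reason recorded. The policy, table names and log lines are assumptions, including the 10.10.9.27 / Joe / MS Excel connection taken from the slide's diagram.

```python
from dataclasses import dataclass

# Objects tagged as GDPR personal data by the discovery step (constructed for the demo).
PERSONAL_DATA_OBJECTS = {"customers", "patients"}

@dataclass(frozen=True)
class AllowRule:
    users: frozenset
    source_ips: frozenset
    programs: frozenset

# Allow-list policy for personal-data objects (constructed). Anything outside it is an
# unauthorised "connection" in the sense the slide above uses: user, IP, program or object.
POLICY = [
    AllowRule(frozenset({"app_svc"}), frozenset({"10.10.9.5", "10.10.9.6"}), frozenset({"crm-backend"})),
    AllowRule(frozenset({"dba_alice"}), frozenset({"10.10.1.20"}), frozenset({"db2cmd"})),
]

# Constructed activity-monitor log, one event per line: timestamp|user|source_ip|program|sql
ACTIVITY_LOG = """\
2016-09-14T10:01:02Z|app_svc|10.10.9.5|crm-backend|SELECT email_addr FROM customers WHERE id=42
2016-09-14T10:02:10Z|Joe|10.10.9.27|MS Excel|SELECT * FROM customers
2016-09-14T10:03:00Z|app_svc|192.168.7.7|crm-backend|SELECT phone FROM customers WHERE id=7
2016-09-14T10:04:30Z|dba_alice|10.10.1.20|python|SELECT * FROM patients
2016-09-14T10:05:00Z|Joe|10.10.9.27|MS Excel|SELECT sku, qty FROM inventory
"""

def referenced_objects(sql):
    """Tiny extractor: names following FROM/JOIN/UPDATE/INTO. Demo only, not a SQL parser."""
    tokens = sql.replace(",", " ").split()
    return {tokens[i + 1].lower() for i, t in enumerate(tokens[:-1])
            if t.upper() in ("FROM", "JOIN", "UPDATE", "INTO")}

def is_authorised(user, ip, program):
    return any(user in r.users and ip in r.source_ips and program in r.programs for r in POLICY)

def violation_reasons(user, ip, program):
    """Which dimension(s) of the connection fall outside every allow rule (for the audit record)."""
    reasons = []
    if not any(user in r.users for r in POLICY):
        reasons.append("unauthorised user")
    if not any(ip in r.source_ips for r in POLICY):
        reasons.append("unauthorised IP address")
    if not any(program in r.programs for r in POLICY):
        reasons.append("unauthorised program")
    return reasons or ["user/IP/program combination not allowed together"]

def evaluate(log_text):
    """Audit records: (timestamp, user, ip, program, objects, action, reasons) per event.
    Every event is logged; only unauthorised access to personal-data objects is quarantined."""
    records = []
    for line in log_text.splitlines():
        ts, user, ip, program, sql = line.split("|", 4)
        objs = referenced_objects(sql)
        if not (objs & PERSONAL_DATA_OBJECTS) or is_authorised(user, ip, program):
            action, reasons = "log", []
        else:
            action, reasons = "quarantine", violation_reasons(user, ip, program)
        records.append((ts, user, ip, program, sorted(objs), action, reasons))
    return records

def quarantined_connections(log_text):
    """Distinct (user, ip, program) connections the policy says to quarantine."""
    return {(r[1], r[2], r[3]) for r in evaluate(log_text) if r[5] == "quarantine"}
```

Note that Joe's spreadsheet read of the non-personal inventory table is only logged, while the same connection reading customers is quarantined with all three reasons recorded.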

Page 43

GDPR Readiness: Activities your company should be performing

•  Understand how the new GDPR obligations will impact their business

•  Determine what personal data they have, where it is located, and how it flows within the organization

•  Determine how the personal data are secured

•  Appoint a Data Protection Officer where necessary

•  Review all privacy notices

•  Review data subject consent and choice mechanisms

•  Review processes addressing data subjects’ access, correction and erasure requests

•  Review data retention schedules

•  Assess external contracts, both as a controller and/or as a processor

•  Review all cross-border data transfers

Page 44

GDPR Readiness: Embark on organizational change

•  Implement a Data Protection by Design approach to new systems, services and products

•  Conduct a Data Protection Impact Assessment (DPIA) where required

•  Document privacy compliance activities

•  Implement and document appropriate security measures

•  Create breach response and notification protocols

•  Develop audit capabilities and processes

•  Train employees

•  Make sure the appropriate budgets are in place to support the changes

IBM data privacy consulting is ready and available to assist

Page 45

The IBM Privacy Consulting team

•  Dedicated IBM Security Services Privacy Consulting experts are available to collaborate with your organization to design, develop and implement solutions in line with simple and complex global privacy requirements. The Privacy Consulting team has a proven track record of developing successful data privacy solutions from start-ups, to global Fortune 500 companies, including those in the financial, insurance and automotive industries.

•  The Privacy Consulting team is closely tied with IBM Security Services and Software experts enabling us to also pair IBM tools and security services to assist in meeting your specific GDPR needs (e.g. Guardium, Stored IQ, Resilient, Q-Radar MSIEM).

Page 46

IBM DATA PRIVACY SERVICES: We have a team of dedicated experts to help you

IBM Key Privacy Contacts

•  Robert W. Dyson, Partner: [email protected], 1-972-345-4450

•  Adam Nelson, Executive Consultant: [email protected], 1-847-805-2040

•  Jayne Golding, Senior Managing Consultant: [email protected], +44 7584 202232

•  Monique Altheim, Managing Consultant: [email protected], 1-347-628-1479