Description : This session will cover how to test for compliance
Presenter : Ulf Mattsson, Ian West, Mark Rasch
Duration : 63 min
Date & Time : Jan 22 2018 4:00 pm
Timezone : United States - New York
Tags : SEC, Compliance
Feature Image :
Public / Private webcast : Public webcast
Published : Publish
Webcast URL : https://www.brighttalk.com/webcast/14723/292579
EU/GDPR Compliance - How do you test for Compliance?
1. EU/GDPR Compliance - How do you test for Compliance?
Morris Cybersecurity
Ian West, ianwest348@gmail.com
Ulf Mattsson, umattsson@tokenex.com
David Morris, david.morris@morriscybersecurity.com
Mark Rasch, mdrasch@gmail.com
2. David Morris
Known as the "Sherlock Holmes" of cybersecurity
Marketing & Sales
Early pioneer in the cybersecurity market.
Expertise in large enterprise security systems with a deep security skill set that includes: cyber threat intelligence, encryption/cryptography, penetration testing, vulnerability assessments, multi-factor authentication, third-party vendor risk management, malware detection and remediation, ransomware, OWASP, PCI, and HIPAA.
Trained body language reader
Profiled in "The Human Side of High-Tech"
3. Ian West
Director of Digital Information at Project One
Head of EU-GDPR Practice
Cognizant: Vice President: Digital Information Analytics & Information Management and GDPR
Consulting Advisor to the EU GDPR Institute
4. Ulf Mattsson
Inventor of more than 55 issued US patents
Industry involvement:
• PCI DSS - PCI Security Standards Council: Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
• IFIP - International Federation for Information Processing
• CSA - Cloud Security Alliance
• ANSI - American National Standards Institute: ANSI X9 Tokenization Work Group
• NIST - National Institute of Standards and Technology: NIST Big Data Working Group
• User groups: Security: ISACA & ISSA; Databases: IBM & Oracle
5. Mark Rasch
Chief Legal and Compliance Partner for Digital Risk Management & GDPR
Chief Security Evangelist for Verizon Enterprise Solutions
Chief Privacy Officer
Led U.S. Department of Justice's Cyber Crime Unit
8. GDPR CHANGE MANAGEMENT
Project One Confidential
GDPR is the largest change management initiative to hit organisations in a generation. GDPR impacts every person; every process; all technology in production, test, development, archive or backup; and every piece of person-related information in your organisation.
People: every person has to be educated on what they can and cannot do with personally identifiable information.
Process: every process using personally identifiable information, either online or offline, within your organisation or any third-party contractors.
Technology: all technology holding or processing personal data within your business or shared with partners, wherever that technology is located.
Information: every piece of personally identifiable data, content or information, no matter where it is located and no matter what you are doing with it.
It is critical to assess every component of your infrastructure to fully understand what personal information you are holding and processing, why you are doing so and, more importantly, whether you have explicit permission or a justifiable reason to do so.
9. SETTING UP FOR GDPR SUCCESS
The Project One Change Leadership framework is the main lens through which we view the challenges of delivery and change. It forms the basis for assessing large, complex programmes such as GDPR.
Business Leadership: setting, communicating and achieving the business vision for GDPR
Strategy Implementation: defining, directing and controlling the delivery of GDPR business compliance
Ownership: owning and embedding the change required to deliver GDPR compliance
Delivery: deliver GDPR compliance effectively (what's needed – on time – to budget)
It is critical to assess all areas of the framework – in our experience the symptoms in delivery are often the result of root causes elsewhere.
[Framework diagram: Change Leadership; Business Transformation; Solution Delivery; Change Management]
10. GDPR – FEARS, MYTHS AND REALITY
THE FEAR FACTORS – but true!
• Up to €20m
• Or 4% of global annual turnover
• WHICHEVER IS THE HIGHER!!
• Consequential damage
1. Reputational damage
2. Reduction in shareholder value
3. Revenue decline
4. Profit decline
5. Reduction in customer confidence
6. Loss of customers
7. Executives getting fired
8. Company extinction
• Cessation of data processing rights in the EU or for EU citizens
• Removal of the licence to trade in any or all EU countries
THE MYTHS – all lies!
• It's an IT project
• It's a legal/regulatory problem
• A software application can fix it
• It's just a tax of doing business in Europe
• It's just hype being put about by consultancy firms to generate business
• The regulator won't impose the fines – it's a storm in a teacup
• It's nothing really, the hype will disappear
REALITY
• GDPR is the largest change management programme undertaken by any company
• Project One is the largest independent change management consultancy in the UK
• GDPR needs a holistic, enterprise-wide operational approach
• Project One has helped many global corporations deliver real change
• Executive ownership and leadership is critical
• Project One has assisted hundreds of executives to deliver a real difference for their business
• GDPR impacts every part of every company; it's a very simple concept but it's hideously complicated to comply with
• Project One has the expertise to make GDPR a real difference for your business
13. COMPANYWIDE GDPR TESTING – WHERE IS YOUR PERSONALLY IDENTIFIABLE INFORMATION?
[Diagram of business functions to test: Sales, Customer Services, Marketing, Logistics, Admin, Legal, Executive Committee, Finance, HR, IT, Operations, Production & R&D, Supply Chain, Buying]
People – general and functional training, privacy training monitoring & certification
Process – every on and off line business process accessing any form of personally identifiable data
IT – every app, system, machine, device, network, cloud, database, content server, website, social media, backup
Information – every online and offline information repository, all locations, everywhere – including storage boxes
Contracts – every customer, partner & supplier contract, and their third party contracts and their third parties, etc
DSAR – answer every access request providing full and complete disclosure in under 30 days – automatically?
Consent Management – do you have a reason, or consent, for every piece of personally identifiable data you hold?
Breach Case Management – don’t wait until you have the inevitable data breach, get a plan and test it, regularly!
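The slide above asks where personally identifiable information lives across applications, logs, databases and backups. The following is an added example, not code from the deck or from any of the presenters, showing how a practitioner would start answering that question: a small Python scan over constructed sample repositories (a CRM CSV export, an application log and an old SQL dump) that detects e-mail addresses, phone numbers and card numbers, applies a Luhn check so that order references and other digit runs are not reported as cards, and produces an inventory by location without copying the raw values into the report. The file names, their contents and the detector set are assumptions made for the example; a real scan would add detectors for the identifiers your own business uses.

```python
# Added example: PII discovery scan over constructed sample repositories (not real data).
import re
from collections import defaultdict

# Constructed sample repositories: a CRM export, an application log and an old backup dump.
REPOSITORIES = {
    "crm/export_2018-01.csv": (
        "id,name,email,phone\n"
        "1,Jane Doe,jane.doe@example.com,+44 20 7946 0958\n"
        "2,John Roe,john.roe@example.org,+1-202-555-0143\n"
    ),
    "app/server.log": (
        "2018-01-22T16:00:01Z INFO checkout card=4111111111111111 user=jane.doe@example.com\n"
        "2018-01-22T16:00:02Z INFO order_ref=1234567890123456 status=ok\n"
    ),
    "backup/old_dump.sql": (
        "INSERT INTO customers VALUES (7, 'Erika Mustermann', 'erika@example.de', '5500000000000004');\n"
    ),
}

PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # 13-19 digit runs are only card candidates; luhn_ok() decides (order refs look the same).
    "card_number": re.compile(r"(?<!\d)\d{13,19}(?!\d)"),
    # International format only; the space class excludes newlines so a match cannot span lines.
    "phone": re.compile(r"\+\d[ \d().-]{7,}\d"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for real card numbers, false for most arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep just enough to locate the finding; the report must not become a new PII store."""
    return value[:2] + "..." + value[-2:]


def scan_text(location: str, text: str) -> list:
    """Return one finding per detected value: location, line number, kind, redacted sample."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                if kind == "card_number" and not luhn_ok(value):
                    continue  # digit run that merely looks like a card (e.g. an order reference)
                findings.append({"location": location, "line": line_no,
                                 "kind": kind, "sample": redact(value)})
    return findings


def build_inventory(repositories: dict):
    """Return (findings, inventory); inventory maps location -> {kind: count}."""
    findings = [f for loc, text in repositories.items() for f in scan_text(loc, text)]
    inventory = defaultdict(lambda: defaultdict(int))
    for f in findings:
        inventory[f["location"]][f["kind"]] += 1
    return findings, {loc: dict(kinds) for loc, kinds in inventory.items()}


if __name__ == "__main__":
    all_findings, by_location = build_inventory(REPOSITORIES)
    for location, kinds in by_location.items():
        print(location, kinds)
```

The inventory is the artefact the rest of the checklist hangs off: each location with a non-zero count needs an owner, a lawful basis or consent record, a retention decision and, for the log and the backup, a decision on whether the data should be there at all. Note that the application log holds a full card number next to an e-mail address, which a scan of the CRM alone would never have found.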
14. The GDPR Institute
Helping you resolve YOUR GDPR Challenge
& Maximise the GDPR Opportunity
www.gdpr.associates
15. Ulf Mattsson
19. Protect Sensitive Cloud Data
[Diagram: internal network and public cloud joined by a Cloud Gateway, with an administrator, an internal user, a remote user and an attacker; each sensitive field is protected, each authorized field is in clear]
Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest)
SecDevOps
The issue is INTENTIONAL use of UNSANCTIONED public cloud storage, for ease of use, for corporate data.
20. Securing Big Data - Examples of Security Agents
[Diagram: big data stack – OS file system; HDFS (Hadoop Distributed File System); MapReduce (job scheduling/execution system); Pig (data flow), Hive (SQL), Sqoop; ETL tools, BI reporting, RDBMS – with agents that import de-identified data, export identifiable data, export audit data for reporting, and protect data at database, application or file level, or in a staging area]
Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest)
SecDevOps
21. Virtual Machines & Containers
Docker
Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest)
Source: http://www.slideshare.net/GiacomoVacca/docker-from-scratch
SecDevOps
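Slides 19 to 21 describe data security agents that encrypt, tokenize or mask individual fields before data reaches public cloud storage, Hadoop or containers, return authorized fields in clear, and produce an export audit. The following is an added example, not code from the deck or from any product mentioned in it, of such an agent in Python using only the standard library. Each field gets one treatment from a policy: tokenize (a random, format-preserving token whose original lives only in a vault, reversible for authorized roles), pseudonymize (a keyed HMAC, stable across exports so analytics joins still work, but not reversible by the agent), mask, or clear. The policy, the roles, the field names and the sample record are hypothetical. Encryption is omitted only because the standard library has no AES; a real agent would add it for fields that must be reversible without a vault lookup.

```python
# Added example: field-level data security agent. Policy, roles and data are hypothetical.
import hashlib
import hmac
import secrets
import string
from datetime import datetime, timezone

# Hypothetical per-field policy applied before a record leaves the trusted zone.
POLICY = {
    "customer_id": "pseudonymize",  # keyed hash: stable for joins, not reversible here
    "email": "pseudonymize",
    "card_number": "tokenize",      # random token; original kept only in the vault
    "phone": "mask",                # irreversible partial reveal
    "country": "clear",             # treated as non-sensitive in this policy
}
# Hypothetical roles allowed to see a field in clear ("each authorized field is in clear").
AUTHORIZED = {"fraud_analyst": {"card_number", "email"}, "marketing": set()}
# Constructed sample record, not real data.
SAMPLE = {"customer_id": "C-10042", "email": "jane.doe@example.com",
          "card_number": "4111111111111111", "phone": "+44 20 7946 0958", "country": "GB"}


class DataSecurityAgent:
    def __init__(self, hmac_key: bytes):
        self._key = hmac_key       # the "additional information kept separately" for pseudonyms
        self._vault = {}           # token -> original value (a hardened token vault in production)
        self._by_value = {}        # original value -> token, so repeated exports reuse one token
        self.audit = []            # export and re-identification trail ("export audit for reporting")

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields})

    def pseudonymize(self, value: str) -> str:
        # HMAC, not a bare hash: an unkeyed SHA-256 of an e-mail or customer ID falls to a
        # dictionary attack; with the key held separately from the export it does not.
        digest = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        return "pseu_" + digest[:16]

    def tokenize(self, value: str) -> str:
        # Format-preserving random token: digits become random digits, other characters stay,
        # so downstream schemas keep working. Nothing derives the token from the value.
        if value in self._by_value:
            return self._by_value[value]
        while True:
            token = "".join(secrets.choice(string.digits) if c.isdigit() else c for c in value)
            if token != value and token not in self._vault:
                break
        self._vault[token] = value
        self._by_value[value] = token
        return token

    @staticmethod
    def mask(value: str) -> str:
        return "*" * max(len(value) - 4, 0) + value[-4:]

    def export(self, record: dict, destination: str) -> dict:
        out = {}
        for field, value in record.items():
            action = POLICY.get(field, "tokenize")  # unknown field: fail closed, never in clear
            if action == "clear":
                out[field] = value
            elif action == "pseudonymize":
                out[field] = self.pseudonymize(value)
            elif action == "tokenize":
                out[field] = self.tokenize(value)
            else:
                out[field] = self.mask(value)
        self._log("export", destination=destination, fields=sorted(record))
        return out

    def reidentify(self, protected: dict, field: str, role: str) -> str:
        if field not in AUTHORIZED.get(role, set()):
            self._log("reidentify_denied", field=field, role=role)
            raise PermissionError(f"role {role!r} may not see {field!r} in clear")
        if POLICY.get(field) != "tokenize":
            raise ValueError(f"{field!r} is pseudonymised or masked and cannot be reversed here")
        value = self._vault[protected[field]]
        self._log("reidentify", field=field, role=role)
        return value


def run_demo() -> dict:
    """Export the sample record, try an unauthorized and an authorized re-identification."""
    agent = DataSecurityAgent(secrets.token_bytes(32))
    exported = agent.export(SAMPLE, "public-cloud-bucket")
    try:
        agent.reidentify(exported, "card_number", "marketing")
        denied = False
    except PermissionError:
        denied = True
    return {"exported": exported,
            "clear_card": agent.reidentify(exported, "card_number", "fraud_analyst"),
            "denied": denied,
            "again": agent.export(SAMPLE, "hadoop-staging"),
            "audit_events": [e["event"] for e in agent.audit]}
```

The design choice to note is the split between tokenization and pseudonymization: the token vault is a single high-value target that must sit inside the trusted zone and be backed up with the same care as the data it protects, whereas the HMAC key is small, rotatable and sufficient on its own to keep the pseudonyms unlinkable to the originals by anyone holding the export. The audit list is what you would ship to the reporting side to answer who exported what, where, and who asked for a value in clear.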
24. GDPR
• Applies to all companies processing the personal data of data subjects
residing in the EU, regardless of the company’s location.
• Fines of up to 4% of annual global turnover
• Previously fines were limited in size and impact.
• GDPR fines will apply to both controllers and processors.
• Breach notification within 72 hours of discovery
• Data Protection Officers (mandatory for some organisations)
• Privacy By Design
• Right to access and portability
• Explicit and retractable consent
• Right to be forgotten
25. DPO
• Data Protection Officer (DPO) may be required to ensure compliance.
• 28,000 new DPOs will be required in Europe alone.
• Huge fines for noncompliance
• Organizational accountability
• proactive,
• robust privacy governance,
• privacy policies
• Plain language
• Opt out
26. Privacy By Design
• How data is collected
• How it is used
• How it flows through organization
• How it flows through technology
• Privacy Impact Assessment
• BOTH technological and policy assessment
• Data masking, data anonymisation, pseudonymisation, encryption at rest and in transit
• Data life-cycle
27. Stages for GDPR Assessment
• Know your industry and business (what are you doing)
• Know what you are collecting – and how and from whom
• Know where the data is
• Know what you are processing for others
• Know what others are processing for you
• Know how information flows through your networks and devices
• Anticipate future uses
28. What Laws Apply
• Where do you do business
• Where are your customers
• Who are your customers
• What are your future plans (including merger, acquisition)
• What could go wrong
• What is your role – controller, processor, regulator?
29. Difference Between GDPR and Security
• Security looks at technology
• GDPR looks at data flows
• You can be secure without being GDPR compliant
• You can even be GDPR compliant without being "secure" IF the personal data is secured
30. Enforcement
• Serious non-compliance could result in fines of up to 4% of annual global turnover, or €20 million – whichever is higher.
• Enforcement action will extend to countries outside of the EU, where analysis on EU citizens is performed.
• Applies to US companies processing data on EU citizens
• Applies to US or cloud-based processing
• Coordination with individual DPAs
31. Notices
• Clear and consistent notices
• Audit trails and data journeys
• Reporting to DPAs proactively
• Burden of proof is now on the organisation to show compliance
• DPO is part of an independent reporting line
• Consent must be "freely given, specific, informed and unambiguous"
32. First Steps
• Management buy in
• Current readiness
• Assessment
• Policy
• Data flows
• Security
• Third parties
• Gap analysis
• Impact
Ian West ianwest348@gmail.com
Ulf Mattsson umattsson@tokenex.com
David Morris david.morris@morriscybersecurity.com
Mark Rasch mdrasch@gmail.com
Risk Assessment. We evaluate your digital footprint and infrastructure to find and resolve vulnerabilities in your network, databases, applications, storage, and other infrastructure.
Data Security. We map the flow of data across your digital footprint, applications environment, library framework, source code, and storage to pinpoint risks before they turn into attacks.
Secure Hosting. We create dynamic, cloud-based environments with inside-out security controls to protect your systems and storage from attacks and other service disruptions.
Application Security. We practice “secure by design” discipline in our software development. This protects your custom applications by automating secure coding standards and testing at every step.
Integrated Tools. We architect holistic security solutions that integrate traditionally siloed tools to give you a lean and flexible security stack—reducing the effects of tools sprawl and wasted level of effort.
Monitoring and Contingency Plans. We monitor your systems, applications, and digital interactions for threats and architect back-up capabilities to quickly restore service if a breach occurs.
https://www.atlanticbt.com/services/cybersecurity/
The reason for high interest is based on the Cloud Gateway benefits. Examples:
• Eliminates the threat of third parties exposing your sensitive information
• Delivers a secure and uncompromised SaaS user experience
• Identifies malicious activity and proves compliance to third parties with detailed audit trails
• Eases the cloud adoption process and acceptance
• Product is transparent and has close to 0% overhead impact
• Simplifies compliance requirements
• Ability to outsource a portion of your IT security requirements
• Eliminates data residency concerns and requirements
• Greatly reduces cloud application security risk
• Enables partner access to your sensitive data
• Controls cloud security from the enterprise
• Protects your business from third-party access
1. Data protection at database, application or file
2. Data protection in a staging area
3. Volume encryption in Hadoop
4. HBase, Pig, Hive, Flume and Scope using protection API
5. MapReduce using protection API
6. File and folder encryption in HDFS
7. Import de-identified data
8. Export de-identified data
9. Export identifiable data
10. Export audits for reporting
Examples of Services That Can Fill The Gap
Security Services: Audit & Assessment Services; Application Security Consulting; Managed Vulnerability Scanning; Security Tools Implementation; Virtual CISO
Application Services: Application Hosting & Cloud Migration; IT Consulting & Information Architecture; Software Development & User Experience Design