EU/GDPR Compliance - How do you test for Compliance?
Morris Cybersecurity
Ian West, Ianwest348@gmail.com
Ulf Mattsson, Umattsson@tokenex.com
David Morris, david.morris@morriscybersecurity.com
Mark Rasch, Mdrasch@gmail.com
DAVID MORRIS
KNOWN AS THE "SHERLOCK HOLMES" OF CYBERSECURITY MARKETING & SALES
EARLY PIONEER IN THE CYBERSECURITY MARKET.
EXPERTISE IN LARGE ENTERPRISE SECURITY SYSTEMS WITH A DEEP SECURITY SKILL SET THAT INCLUDES:
CYBER THREAT INTELLIGENCE, ENCRYPTION/CRYPTOGRAPHY, PENETRATION TESTING, VULNERABILITY ASSESSMENTS, MULTI-FACTOR AUTHENTICATION, THIRD PARTY VENDOR RISK MANAGEMENT, MALWARE DETECTION AND REMEDIATION, RANSOMWARE, OWASP, PCI, AND HIPAA.
TRAINED BODY LANGUAGE READER
PROFILED IN “THE HUMAN SIDE OF HIGH-TECH”
Ian West
Director of Digital Information at Project One
Head of EU-GDPR Practice
Cognizant: Vice President: Digital Information Analytics & Information Management and GDPR
Consulting Advisor to the EU GDPR Institute
ULF MATTSSON
INVENTOR OF MORE THAN 55 ISSUED US PATENTS
INDUSTRY INVOLVEMENT:
• PCI DSS - PCI SECURITY STANDARDS COUNCIL
ENCRYPTION & TOKENIZATION TASK FORCES, CLOUD &
VIRTUALIZATION SIGS
• IFIP - INTERNATIONAL FEDERATION FOR INFORMATION
PROCESSING
• CSA - CLOUD SECURITY ALLIANCE
• ANSI - AMERICAN NATIONAL STANDARDS INSTITUTE
ANSI X9 TOKENIZATION WORK GROUP
• NIST - NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
NIST BIG DATA WORKING GROUP
• USER GROUPS
SECURITY: ISACA & ISSA
DATABASES: IBM & ORACLE
Mark Rasch
Chief Legal and Compliance Partner for Digital Risk Management & GDPR
Chief Security Evangelist for Verizon Enterprise Solutions
Chief Privacy Officer
Led U.S. Department of Justice’s Cyber Crime Unit
GDPR - HOW DO YOU TEST FOR COMPLIANCE?
IAN WEST
DIRECTOR OF DIGITAL INFORMATION
ADVISORY BOARD MEMBER - GDPR INSTITUT
www.ProjectOne.com
Email - Ian.West@ProjectOne.com
https://uk.linkedin.com/in/ianwest1
Twitter - @IanWest12
Impact
Do you control or process personal data about ANY EU Citizens?
If so, you have to be GDPR compliant by 25th May 2018, or manage the implications of the fines and the reputational damage of any and every Data Breach – including Customers, Employees and Suppliers.
© 2018 - The GDPR Institut - All Rights Reserved
GDPR CHANGE MANAGEMENT
Project One Confidential
GDPR is the largest Change Management initiative to hit organisations in a generation. GDPR impacts every Person; every Process; all Technology in production, test, development, archive or backup; and every piece of person-related Information in your organisation.
People: Every person has to be educated on what they can and cannot do with personally identifiable information.
Process: Every process using personally identifiable information, either online or offline, within your organisation or any third party contractors.
Technology: All technology holding or processing personal data within your business or shared with partners, wherever that technology is located.
Information: Every piece of personally identifiable data, content or information, no matter where it is located and no matter what you are doing with it.
It is critical to assess every component of your infrastructure to fully understand what personal information you are holding and processing and why you are doing this. And, more importantly, do you have explicit permission or a justifiable reason to do so?
SETTING UP FOR GDPR SUCCESS
The Project One Change Leadership framework is the main lens through which we view the
challenges of delivery and change. It forms the basis for assessing large, complex programmes
such as GDPR.
Business Leadership: setting, communicating and achieving the business vision for GDPR
Strategy Implementation: defining, directing and controlling the delivery of GDPR business compliance
Ownership: owning and embedding the change required to deliver GDPR compliance
Delivery: deliver GDPR compliance effectively (what’s needed – on time – to budget)
It is critical to assess all areas of the framework – in our experience
the symptoms in delivery are often the result of root causes elsewhere.
Framework layers (diagram): Change Leadership, Business Transformation, Solution Delivery, Change Management
GDPR – FEARS, MYTHS AND REALITY
THE FEAR FACTORS – but true!
• Up to €20m
• Or 4% of global annual turnover
• WHICHEVER IS THE HIGHER!!
• Consequential damage
1. Reputational damage
2. Reduction in shareholder value
3. Revenue decline
4. Profit decline
5. Reduction in customer confidence
6. Loss of customers
7. Executives getting fired
8. Company extinction
• Cessation of data processing rights in the EU or for EU Citizens
• Removal of the license to trade in any or all EU countries
THE MYTHS – all lies!
• It’s an IT Project
• It’s a Legal Regulatory Problem
• A Software Application can fix it
• It’s just a tax of doing business in Europe
• It’s just hype being put about by consultancy firms to generate business
• The regulator won’t impose the fines – it’s a storm in a teacup
• It’s nothing really, the hype will disappear
REALITY
• GDPR is the largest change management programme undertaken by any company
• Project One is the Largest Independent Change Management Consultancy in the UK
• GDPR needs a holistic enterprise-wide operational approach
• Project One has helped many Global Corporations deliver real change
• Executive ownership and leadership is critical
• Project One has assisted hundreds of Executives deliver a real difference for their business
• GDPR impacts every part of every company; it’s a very simple concept but it’s hideously complicated to comply with
• Project One has the expertise to make GDPR a real difference for your business
Key Questions
1. What Personal Data do you hold – Customer, Employee, Supplier, Contractor, Sub-Contractor, Citizen, Member, Pupil, Student, Patient, etc.
2. Where is that Data Located? PC hard drive, Remote Storage or Backup Device, On Premise Database or Content Server, or in The Cloud
3. How are you using that Data?
4. Do you have PERMISSION to use the data in the way you are using it?
The GDPR Roadmap
• Compliance Gap Analysis
• Security Reviews
• Use Case Management
• Consent Management
• Technology Assessments
• Business Process Management
• Privacy Impact Assessment
• Legal Advice
• Detailed Readiness Assessment
• Educate & Train
• Data Subject Access Management
• Threat Detection
• GDPR Testing
• GDPR Defensible Position
• Annual GDPR Audits
• Breach Case Management
COMPANYWIDE GDPR TESTING – WHERE IS YOUR PERSONALLY IDENTIFIABLE INFORMATION?
Business functions in scope: Sales, Customer Services, Marketing, Logistics, Admin, Legal, Executive Committee, Finance, HR, IT Operations, Production & R&D, Supply Chain, Buying
People – general and functional training, privacy training monitoring & certification
Process – every online and offline business process accessing any form of personally identifiable data
IT – every app, system, machine, device, network, cloud, database, content server, website, social media, backup
Information – every online and offline information repository, all locations, everywhere – including storage boxes
Contracts – every customer, partner & supplier contract, and their third party contracts and their third parties, etc.
DSAR – answer every access request providing full and complete disclosure in under 30 days – automatically?
Consent Management – do you have a reason, or consent, for every piece of personally identifiable data you hold?
Breach Case Management – don’t wait until you have the inevitable data breach; get a plan and test it, regularly!
The GDPR Institut
Helping you resolve YOUR GDPR Challenge
& Maximise the GDPR Opportunity
www.gdpr.associates
Ulf Mattsson
Case Studies
• US and Spain – customer data
• Italy, Germany and more – financial data
• Germany – outsourcing
• Sweden – PII data
Data Security for Cloud, Big Data and Containers
Protect Sensitive Cloud Data
Diagram actors: Internal Network Administrator, Attacker, Remote User, Internal User, Public Cloud, Cloud Gateway
Examples: each sensitive field is protected; each authorized field is in clear
Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest)
SecDevOps
The issue is INTENTIONAL use of UNSANCTIONED public cloud storage for ease of use for corporate data
Securing Big Data - Examples of Security Agents
Agent functions (diagram): import de-identified data; export identifiable data; export audit for reporting
Data protection at database, application or file level, or in a staging area
Big Data stack (diagram): HDFS (Hadoop Distributed File System); Pig (Data Flow), Hive (SQL), Sqoop; ETL Tools, BI Reporting, RDBMS; MapReduce (Job Scheduling/Execution System); OS File System
Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest)
SecDevOps: Virtual Machines & Containers (Docker)
Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest)
Source: http://www.slideshare.net/GiacomoVacca/docker-from-scratch
Preparing for GDPR
GDPR Assessment
Mark Rasch
MDRasch@gmail.com
GDPR
• Applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location.
• Fines of up to 4% of annual global turnover
• Previously fines were limited in size and impact.
• GDPR fines will apply to both controllers and processors.
• Breach notification within 72 hours of discovery
• Mandatory Data Protection Officers
• Privacy By Design
• Right to access and portability
• Explicit and retractable consent
• Right to be forgotten
DPO
• Data Protection Officer (DPO) may be required to ensure compliance.
• 28,000 new DPOs will be required in Europe alone.
• Huge fines for noncompliance
• Organizational accountability
  • proactive,
  • robust privacy governance,
  • privacy policies
• Plain language
• Opt out
Privacy By Design
• How data is collected
• How it is used
• How it flows through organization
• How it flows through technology
• Privacy Impact Assessment
• BOTH technological and policy assessment
• Data masking, data anonymization, pseudonymization, encryption at rest and in transmission
• Data life-cycle
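The field-level protection the "data security agent" slides describe (each sensitive field tokenized or masked before it reaches cloud or Big Data storage, only authorized fields in clear) together with the masking, pseudonymization and right-to-be-forgotten points above, as an added Python example; this is not code from the presentation or from any product it mentions, and the vault, role policy, field names and sample customer record are constructed assumptions.

```python
"""Field-level protection of personal data with a token vault.

Added example (not from the presentation): sensitive fields are replaced
by random tokens before a record is stored or exported; a role policy
decides whether a reader gets the clear value, a masked value or only
the token.  Honouring a 'right to be forgotten' request is done by
deleting the vault entry, which orphans every copy of the token that
already left for analytics.  Field names, roles and the sample record
are constructed for the example.
"""
import secrets
from typing import Dict, Optional, Tuple

# Constructed policy: which fields are personal data, and how each role sees them.
#   "clear"  -> authorized, detokenize to the real value (e.g. DPO handling a DSAR)
#   "masked" -> partial value for operational use (e.g. customer support)
#   "token"  -> opaque token only (e.g. analytics / exported data)
SENSITIVE_FIELDS = {"name", "email", "national_id"}
ROLE_POLICY: Dict[str, str] = {"dpo": "clear", "support": "masked", "analyst": "token"}


class TokenVault:
    """Maps (field, clear value) to a random token and back.

    Tokens are random, so nothing about the value can be derived from them;
    re-identification requires access to this vault, which is the component
    to lock down and audit."""

    def __init__(self) -> None:
        self._by_value: Dict[Tuple[str, str], str] = {}
        self._by_token: Dict[str, str] = {}

    def tokenize(self, field: str, value: str) -> str:
        # Deterministic per vault: the same value always yields the same token,
        # so joins and counts in analytics still work on the tokenized data.
        key = (field, value)
        if key not in self._by_value:
            token = f"tok_{field}_{secrets.token_hex(8)}"
            self._by_value[key] = token
            self._by_token[token] = value
        return self._by_value[key]

    def detokenize(self, token: str) -> Optional[str]:
        return self._by_token.get(token)

    def erase(self, field: str, value: str) -> bool:
        """Right to be forgotten: drop the mapping so the token becomes orphaned."""
        token = self._by_value.pop((field, value), None)
        if token is None:
            return False
        del self._by_token[token]
        return True


def mask(field: str, value: str) -> str:
    """Partial disclosure for operational staff; the mask formats are constructed."""
    if field == "email" and "@" in value:
        local, domain = value.split("@", 1)
        return local[0] + "***@" + domain
    if field == "national_id":
        return "*" * (len(value) - 4) + value[-4:]
    return value[0] + "***"


def protect_record(record: Dict[str, str], vault: TokenVault) -> Dict[str, str]:
    """What the agent writes to the cloud / Hadoop store: tokens in place of PII."""
    return {f: vault.tokenize(f, v) if f in SENSITIVE_FIELDS else v
            for f, v in record.items()}


def view_record(protected: Dict[str, str], vault: TokenVault, role: str) -> Dict[str, str]:
    """Rebuild the view a given role is allowed to see from the protected record."""
    mode = ROLE_POLICY.get(role, "token")  # unknown roles get tokens only
    out: Dict[str, str] = {}
    for f, v in protected.items():
        if f not in SENSITIVE_FIELDS or mode == "token":
            out[f] = v
            continue
        clear = vault.detokenize(v)
        if clear is None:
            out[f] = "[erased]"  # subject exercised the right to be forgotten
        elif mode == "clear":
            out[f] = clear
        else:
            out[f] = mask(f, clear)
    return out


# Constructed sample input.
CUSTOMER = {"name": "Anna Example", "email": "anna@example.org",
            "national_id": "AB123456C", "order_total": "42.50"}

if __name__ == "__main__":
    vault = TokenVault()
    stored = protect_record(CUSTOMER, vault)
    for role in ROLE_POLICY:
        print(role, view_record(stored, vault, role))
    vault.erase("email", CUSTOMER["email"])
    print("after erasure", view_record(stored, vault, "dpo"))
```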
Stages for GDPR Assessment
• Know your industry and business (what are you doing)
• Know what you are collecting – and how and from whom
• Know where the data is
• Know what you are processing for others
• Know what others are processing for you
• Know how information flows through your networks and devices
• Anticipate future uses
What Laws Apply
• Where do you do business
• Where are your customers
• Who are your customers
• What are your future plans (including merger, acquisition)
• What could go wrong
• What is your role – collector, processor, regulator?
Difference Between GDPR and Security
• Security looks at technology
• GDPR looks at data flows
• You can be secure without being GDPR compliant
• You can even be GDPR compliant without being “secure” IF the Personal data is secured
Enforcement
• Fines of up to 4% of annual global turnover
• Serious non-compliance could result in fines of up to 4% of annual global turnover, or €20 million – whichever is higher.
• Enforcement action will extend to countries outside of the EU, where analysis on EU citizens is performed.
• Applies to US companies processing data on EU citizens
• Applies to US or Cloud-based processing
• Coordination with individual DPAs
Notices
• Clear and consistent notices
• Audit trails and data journeys
• Reporting to DPAs proactively
• Burden of proof now on the organisation, to show compliance
• DPO is part of an independent reporting line
• Consent must be ‘freely given, specific, informed and unambiguous’
First Steps
• Management buy in
• Current readiness
• Assessment
• Policy
• Data flows
• Security
• Third parties
• Gap analysis
• Impact
Thank you!
Morris Cybersecurity
Ian West, Ianwest348@gmail.com
Ulf Mattsson, Umattsson@tokenex.com
David Morris, david.morris@morriscybersecurity.com
Mark Rasch, Mdrasch@gmail.com

More Related Content

More from Ulf Mattsson

The future of data security and blockchain
The future of data security and blockchainThe future of data security and blockchain
The future of data security and blockchainUlf Mattsson
 
New technologies for data protection
New technologies for data protectionNew technologies for data protection
New technologies for data protectionUlf Mattsson
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsUlf Mattsson
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaUlf Mattsson
 
Safeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningSafeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningUlf Mattsson
 
Protecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKUlf Mattsson
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsUlf Mattsson
 
What is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonWhat is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonUlf Mattsson
 
Protecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAProtecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAUlf Mattsson
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?Ulf Mattsson
 
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics   ulf mattsson 2020 nov 2bNov 2 security for blockchain and analytics   ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2bUlf Mattsson
 
Unlock the potential of data security 2020
Unlock the potential of data security 2020Unlock the potential of data security 2020
Unlock the potential of data security 2020Ulf Mattsson
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?Ulf Mattsson
 
Protecting Data Privacy in Analytics and Machine Learning
Protecting Data Privacy in Analytics and Machine LearningProtecting Data Privacy in Analytics and Machine Learning
Protecting Data Privacy in Analytics and Machine LearningUlf Mattsson
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...Ulf Mattsson
 
Isaca atlanta - practical data security and privacy
Isaca atlanta - practical data security and privacyIsaca atlanta - practical data security and privacy
Isaca atlanta - practical data security and privacyUlf Mattsson
 
ISACA Houston - Practical data privacy and de-identification techniques
ISACA Houston  - Practical data privacy and de-identification techniquesISACA Houston  - Practical data privacy and de-identification techniques
ISACA Houston - Practical data privacy and de-identification techniquesUlf Mattsson
 
Jul 16 isaca london data protection, security and privacy risks - on premis...
Jul 16 isaca london   data protection, security and privacy risks - on premis...Jul 16 isaca london   data protection, security and privacy risks - on premis...
Jul 16 isaca london data protection, security and privacy risks - on premis...Ulf Mattsson
 
Privacy preserving computing and secure multi party computation
Privacy preserving computing and secure multi party computationPrivacy preserving computing and secure multi party computation
Privacy preserving computing and secure multi party computationUlf Mattsson
 
Evolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyEvolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyUlf Mattsson
 

More from Ulf Mattsson (20)

The future of data security and blockchain
The future of data security and blockchainThe future of data security and blockchain
The future of data security and blockchain
 
New technologies for data protection
New technologies for data protectionNew technologies for data protection
New technologies for data protection
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulations
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA Atlanta
 
Safeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningSafeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learning
 
Protecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UK
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulations
 
What is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonWhat is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS London
 
Protecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAProtecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACA
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?
 
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics   ulf mattsson 2020 nov 2bNov 2 security for blockchain and analytics   ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
 
Unlock the potential of data security 2020
Unlock the potential of data security 2020Unlock the potential of data security 2020
Unlock the potential of data security 2020
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?
 
Protecting Data Privacy in Analytics and Machine Learning
Protecting Data Privacy in Analytics and Machine LearningProtecting Data Privacy in Analytics and Machine Learning
Protecting Data Privacy in Analytics and Machine Learning
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...
 
Isaca atlanta - practical data security and privacy
Isaca atlanta - practical data security and privacyIsaca atlanta - practical data security and privacy
Isaca atlanta - practical data security and privacy
 
ISACA Houston - Practical data privacy and de-identification techniques
ISACA Houston  - Practical data privacy and de-identification techniquesISACA Houston  - Practical data privacy and de-identification techniques
ISACA Houston - Practical data privacy and de-identification techniques
 
Jul 16 isaca london data protection, security and privacy risks - on premis...
Jul 16 isaca london   data protection, security and privacy risks - on premis...Jul 16 isaca london   data protection, security and privacy risks - on premis...
Jul 16 isaca london data protection, security and privacy risks - on premis...
 
Privacy preserving computing and secure multi party computation
Privacy preserving computing and secure multi party computationPrivacy preserving computing and secure multi party computation
Privacy preserving computing and secure multi party computation
 
Evolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyEvolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technology
 

Recently uploaded

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 

Recently uploaded (20)

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 

EU/GDPR Compliance - How do you test for Compliance?

  • 1. EU/GDPR Compliance - How do you test for Compliance? Morris Cybersecurity Ian West, Ianwest348 @gmail.com Ulf Mattsson, Umattsson @tokenex.com David Morris, david.morris @morriscybersecurity.com Mark Rasch, Mdrasch @gmail.com
  • 2. DAVID MORRIS KNOWN AS THE "SHERLOCK HOLMES" OF CYBERSECURITY MARKETING & SALES EARLY PIONEER IN THE CYBERSECURITY MARKET. EXPERTISE IN LARGE ENTERPRISE SECURITY SYSTEMS WITH A DEEP SECURITY SKILL SET THAT INCLUDES: CYBER THREAT INTELLIGENCE, ENCRYPTION/CRYPTOGRAPHY, PENETRATION TESTING, VULNERABILITY ASSESSMENTS, MULTI- FACTOR AUTHENTICATION, THIRD PARTY VENDOR RISK MANAGEMENT MALWARE DETECTION AND REMEDIATION, RANSOMWARE, OWASP, PCI, AND HIPPA. TRAINED BODY LANGUAGE READER PROFILED IN “THE HUMAN SIDE OF HIGH-TECH” 2
  • 3. Director of Digital Information at Project One Head of EU-GDPR Practice Cognizant: Vice President: Digital Information Analytics & Information Management and GDPR Consulting Advisor to the EU GDPR Institute Ian West
  • 4. ULF MATTSSON INVENTOR OF MORE THAN 55 ISSUED US PATENTS INDUSTRY INVOLVEMENT: • PCI DSS - PCI SECURITY STANDARDS COUNCIL ENCRYPTION & TOKENIZATION TASK FORCES, CLOUD & VIRTUALIZATION SIGS • IFIP - INTERNATIONAL FEDERATION FOR INFORMATION PROCESSING • CSA - CLOUD SECURITY ALLIANCE • ANSI - AMERICAN NATIONAL STANDARDS INSTITUTE ANSI X9 TOKENIZATION WORK GROUP • NIST - NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY NIST BIG DATA WORKING GROUP • USER GROUPS SECURITY: ISACA & ISSA DATABASES: IBM & ORACLE 4
  • 5. Chief Legal and Compliance Partner for Digital Risk Management & GDPR Chief Security Evangelist for Verizon Enterprise Solutions Chief Privacy Officer Led U.S. Department of Justice’s Cyber Crime Unit Mark Rasch
  • 6. www.ProjectOne.com Email - Ian.West@ProjectOne.com https://uk.linkedin.com/in/ianwest1 Twitter - @IanWest12 GDPR - HOW DO YOU TEST FOR COMPLIANCE? IAN WEST DIRECTOR OF DIGITAL INFORMATION ADVISORY BOARD MEMBER - GDPR INSTITUT
  • 7. Impact: Do you control or process personal data about ANY EU Citizens? If so, you have to be GDPR compliant by 25th May 2018 or manage the implications of the fines and the reputational damage of any and every Data Breach, including customers, employees and suppliers. © 2018 - The GDPR Institut - All Rights Reserved
  • 8. GDPR CHANGE MANAGEMENT (Project One Confidential)
    GDPR is the largest Change Management initiative to hit organisations in a generation. GDPR impacts every Person; every Process; all Technology in production, test, development, archive or backup; and every piece of person-related Information in your organisation.
    People: Every person has to be educated on what they can and cannot do with personally identifiable information.
    Process: Every process using personally identifiable information, either online or offline, within your organisation or any third-party contractors.
    Technology: All technology holding or processing personal data within your business or shared with partners, wherever that technology is located.
    Information: Every piece of personally identifiable data, content or information, no matter where it is located and no matter what you are doing with it.
    It is critical to assess every component of your infrastructure to fully understand what personal information you are holding and processing and why you are doing this. And, more importantly, do you have explicit permission or a justifiable reason to do so?
  • 9. SETTING UP FOR GDPR SUCCESS
    The Project One Change Leadership framework is the main lens through which we view the challenges of delivery and change. It forms the basis for assessing large, complex programmes such as GDPR.
    Business Leadership: Setting, communicating and achieving the business vision for GDPR
    Strategy Implementation: Defining, directing and controlling the delivery of GDPR business compliance
    Ownership: Owning and embedding the change required to deliver GDPR compliance
    Delivery: Deliver GDPR compliance effectively (what’s needed, on time, to budget)
    It is critical to assess all areas of the framework; in our experience the symptoms in delivery are often the result of root causes elsewhere.
    Framework layers: Change Leadership, Business Transformation, Solution Delivery, Change Management
  • 10. GDPR – FEARS, MYTHS AND REALITY
    THE FEAR FACTORS (but true!)
    • Up to €20m, or 4% of global annual turnover, WHICHEVER IS THE HIGHER!!
    • Consequential damage: 1. Reputational damage 2. Reduction in shareholder value 3. Revenue decline 4. Profit decline 5. Reduction in customer confidence 6. Loss of customers 7. Executives getting fired 8. Company extinction
    • Cessation of data processing rights in the EU or for EU Citizens
    • Removal of the license to trade in any or all EU countries
    THE MYTHS (all lies!)
    • It’s an IT Project
    • It’s a Legal Regulatory Problem
    • A Software Application can fix it
    • It’s just a tax of doing business in Europe
    • It’s just hype being put about by consultancy firms to generate business
    • The regulator won’t impose the fines; it’s a storm in a teacup
    • It’s nothing really, the hype will disappear
    REALITY
    • GDPR is the largest change management programme undertaken by any company
    • Project One is the largest independent Change Management consultancy in the UK
    • GDPR needs a holistic, enterprise-wide operational approach
    • Project One has helped many global corporations deliver real change
    • Executive ownership and leadership is critical
    • Project One has assisted hundreds of executives to deliver a real difference for their business
    • GDPR impacts every part of every company; it’s a very simple concept but it’s hideously complicated to comply with
    • Project One has the expertise to make GDPR a real difference for your business
  • 11. Key Questions
    1. What Personal Data do you hold? Customer, Employee, Supplier, Contractor, Sub-Contractor, Citizen, Member, Pupil, Student, Patient, etc.
    2. Where is that Data located? PC hard drive, remote storage or backup device, on-premise database or content server, or in the cloud
    3. How are you using that Data?
    4. Do you have PERMISSION to use the data in the way you are using it?
    © 2018 - The GDPR Institut - All Rights Reserved
  • 12. The GDPR Roadmap (diagram): Compliance Gap Analysis, Security Reviews, Use Case Management, Consent Management, Technology Assessments, Business Process Management, Privacy Impact Assessment, Legal Advice, Detailed Readiness Assessment, Educate & Train, Data Subject Access Management, Threat Detection, GDPR Testing, GDPR Defensible Position, Annual GDPR Audits, Breach Case Management. © 2018 - The GDPR Institut - All Rights Reserved
  • 13. COMPANYWIDE GDPR TESTING – WHERE IS YOUR PERSONALLY IDENTIFIABLE INFORMATION?
    Functions: Sales, Customer Services, Marketing, Logistics, Admin, Legal, Executive Committee, Finance, HR, IT Operations, Production & R&D, Supply Chain, Buying
    People: general and functional training, privacy training, monitoring & certification
    Process: every online and offline business process accessing any form of personally identifiable data
    IT: every app, system, machine, device, network, cloud, database, content server, website, social media, backup
    Information: every online and offline information repository, all locations, everywhere, including storage boxes
    Contracts: every customer, partner & supplier contract, and their third-party contracts and their third parties, etc.
    DSAR: answer every access request providing full and complete disclosure in under 30 days. Automatically?
    Consent Management: do you have a reason, or consent, for every piece of personally identifiable data you hold?
    Breach Case Management: don’t wait until you have the inevitable data breach; get a plan and test it, regularly!
  • 14. The GDPR Institut Helping you resolve YOUR GDPR Challenge & Maximise the GDPR Opportunity www.gdpr.associates
  • 15. Ulf Mattsson Industry Involvement: • PCI DSS - PCI Security Standards Council Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs • IFIP - International Federation for Information Processing • CSA - Cloud Security Alliance • ANSI - American National Standards Institute ANSI X9 Tokenization Work Group • NIST - National Institute of Standards and Technology NIST Big Data Working Group • User Groups Security: ISACA & ISSA Databases: IBM & Oracle 15
  • 17. Case Studies 17 • US and Spain – customer data • Italy, Germany and more – financial data • Germany – outsourcing • Sweden – PII data
  • 18. Data Security for Cloud, Big Data and Containers
  • 19. Protect Sensitive Cloud Data
    Diagram: Internal Network (Administrator, Internal User), Remote User and Attacker on one side, Public Cloud Examples on the other, with a Cloud Gateway between them. Each sensitive field is protected; each authorized field is in clear.
    Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest). SecDevOps.
    The issue is INTENTIONAL use of UNSANCTIONED public cloud storage for ease of use for corporate data.
  • 20. Securing Big Data - Examples of Security Agents
    Diagram: Big Data stack (HDFS (Hadoop Distributed File System), MapReduce (Job Scheduling/Execution System), Pig (Data Flow), Hive (SQL), Sqoop, ETL Tools, BI Reporting, RDBMS, OS File System) with Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest). SecDevOps.
    Agent placements shown: import de-identified data; export identifiable data; export audit for reporting; data protection at database, application, file, or in a staging area.
  • 21. Virtual Machines & Containers (Docker). Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest). SecDevOps. Source: http://www.slideshare.net/GiacomoVacca/docker-from-scratch
  • 24. GDPR
    • Applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location.
    • Fines of up to 4% of annual global turnover. Previously fines were limited in size and impact.
    • GDPR fines will apply to both controllers and processors.
    • Breach notification within 72 hours of discovery
    • Mandatory Data Protection Officers
    • Privacy By Design
    • Right to access and portability
    • Explicit and retractable consent
    • Right to be forgotten
  • 25. DPO
    • A Data Protection Officer (DPO) may be required to ensure compliance.
    • 28,000 new DPOs will be required in Europe alone.
    • Huge fines for noncompliance
    • Organizational accountability: proactive, robust privacy governance, privacy policies
    • Plain language
    • Opt out
  • 26. Privacy By Design
    • How data is collected
    • How it is used
    • How it flows through the organization
    • How it flows through technology
    • Privacy Impact Assessment: BOTH technological and policy assessment
    • Data masking, data anonymization, pseudonymization, encryption at rest and in transmission
    • Data life-cycle
  • 27. Stages for GDPR Assessment
    • Know your industry and business (what are you doing)
    • Know what you are collecting, and how and from whom
    • Know where the data is
    • Know what you are processing for others
    • Know what others are processing for you
    • Know how information flows through your networks and devices
    • Anticipate future uses
  • 28. What Laws Apply
    • Where do you do business
    • Where are your customers
    • Who are your customers
    • What are your future plans (including merger, acquisition)
    • What could go wrong
    • What is your role: collector, processor, regulator?
  • 29. Difference Between GDPR and Security
    • Security looks at technology
    • GDPR looks at data flows
    • You can be secure without being GDPR compliant
    • You can even be GDPR compliant without being “secure” IF the personal data is secured
  • 30. Enforcement
    • Serious non-compliance could result in fines of up to 4% of annual global turnover, or €20 million, whichever is higher.
    • Enforcement action will extend to countries outside of the EU, where analysis on EU citizens is performed.
    • Applies to US companies processing data on EU citizens
    • Applies to US or cloud-based processing
    • Coordination with individual DPAs
  • 31. Notices
    • Clear and consistent notices
    • Audit trails and data journeys
    • Reporting to DPAs proactively
    • Burden of proof is now on the organisation to show compliance
    • DPO is part of an independent reporting line
    • Consent must be ‘freely given, specific, informed and unambiguous’
  • 32. First Steps
    • Management buy-in
    • Current readiness
    • Assessment
    • Policy
    • Data flows
    • Security
    • Third parties
    • Gap analysis
    • Impact
  • 33. Thank you! Morris Cybersecurity Ian West, Ianwest348 @gmail.com Ulf Mattsson, Umattsson @tokenex.com David Morris, david.morris @morriscybersecurity.com Mark Rasch, Mdrasch @gmail.com
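Slides 19, 20 and 26 above describe per-field data security agents (encryption, tokenization, masking, pseudonymization) that keep each sensitive field protected while authorized fields stay in clear, and the import of de-identified data versus the export of identifiable data to authorized consumers. The following is an added example, not code from the deck or from any presenter's product; the policy table, the field names and the `FieldAgent` class are constructed for illustration.

```python
"""Constructed example: a per-field data security agent, as a cloud gateway or
Hadoop staging agent would apply it. Tokens are vaulted (reversible for an
authorized export), pseudonyms are keyed HMACs (stable join key, one-way),
masks are one-way; fields the policy does not list are protected by default."""
import hashlib
import hmac
import secrets

POLICY = {  # constructed policy: what the agent does to each field
    "customer_id": "pseudonymize",  # stable key for joins, not reversible
    "name": "tokenize",             # vaulted; authorized consumers get it back
    "email": "mask",                # keep the domain only, e.g. for analytics
    "country": "clear",             # authorized in clear under this policy
    "order_total": "clear",
}


class FieldAgent:
    def __init__(self, pseudonym_key: bytes):
        self._key = pseudonym_key
        self._vault = {}  # token -> original; a real vault is an HSM-backed store

    def _tokenize(self, value):
        token = "tok_" + secrets.token_hex(8)  # random, carries no information
        self._vault[token] = value
        return token

    def _pseudonymize(self, value: str) -> str:
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:16]

    @staticmethod
    def _mask(value: str) -> str:
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain

    def deidentify(self, record: dict) -> dict:
        """Apply POLICY to every field; unknown fields default to tokenize."""
        out = {}
        for field, value in record.items():
            action = POLICY.get(field, "tokenize")
            if action == "clear":
                out[field] = value
            elif action == "tokenize":
                out[field] = self._tokenize(value)
            elif action == "pseudonymize":
                out[field] = self._pseudonymize(value)
            else:
                out[field] = self._mask(value)
        return out

    def reidentify(self, record: dict) -> dict:
        """Reverse vaulted tokens only; pseudonyms and masks stay as they are."""
        return {f: self._vault.get(v, v) for f, v in record.items()}
```

Re-identification only succeeds for the agent instance (or vault) that issued the tokens, which is the control point where an "export identifiable data" decision is enforced.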

Editor's Notes

  1. Ian West ianwest348@gmail.com Ulf Mattsson umattsson@tokenex.com David Morris david.morris@morriscybersecurity.com Mark Rasch mdrasch@gmail.com
  2. Risk Assessment. We evaluate your digital footprint and infrastructure to find and resolve vulnerabilities in your network, databases, applications, storage, and other infrastructure. Data Security. We map the flow of data across your digital footprint, applications environment, library framework, source code, and storage to pinpoint risks before they turn into attacks. Secure Hosting. We create dynamic, cloud-based environments with inside-out security controls to protect your systems and storage from attacks and other service disruptions. Application Security. We practice “secure by design” discipline in our software development. This protects your custom applications by automating secure coding standards and testing at every step. Integrated Tools. We architect holistic security solutions that integrate traditionally siloed tools to give you a lean and flexible security stack—reducing the effects of tools sprawl and wasted level of effort. Monitoring and Contingency Plans. We monitor your systems, applications, and digital interactions for threats and architect back-up capabilities to quickly restore service if a breach occurs. https://www.atlanticbt.com/services/cybersecurity/
  3. The reason for high interest is based on the Cloud Gateway benefits. Example:
    • Eliminates the threat of third parties exposing your sensitive information
    • Delivers a secure and uncompromised SaaS user experience
    • Identifies malicious activity and proves compliance to third parties with detailed audit trails
    • Eases cloud adoption process and acceptance
    • Product is transparent and has close to 0% overhead impact
    • Simplifies compliance requirements
    • Ability to outsource a portion of your IT security requirements
    • Eliminates data residency concerns and requirements
    • Greatly reduces cloud application security risk
    • Enables partner access to your sensitive data
    • Controls cloud security from the enterprise
    • Protects your business from third party access
  4. Data protection at database, application or file; data protection in a staging area; 3. Volume encryption in Hadoop; 4. HBase, Pig, Hive, Flume and Scope using protection API; 5. MapReduce using protection API; 6. File and folder encryption in HDFS; 7. Import de-identified data; 8. Export de-identified data; 9. Export identifiable data; 10. Export audits for reporting
  5. Examples of Services That Can Fill The Gap. Security Services: Audit & Assessment Services; Application Security Consulting; Managed Vulnerability Scanning; Security Tools Implementation; Virtual CISO. Application Services: Application Hosting & Cloud Migration; IT Consulting & Information Architecture; Software Development & User Experience Design