How does Information Security support the EU GDPR?

Everyone has a digital footprint from many sources of data, and personal data privacy is now a major area of focus in global government compliance and regulation. You will likely see the consequences and results of non-compliance with the European Union’s General Data Protection Regulations (GDPR) as we progress into 2018.


There is a bit of confusion in the market related to the GDPR. Some claim that GDPR is a security framework to operate by, but it is not that at all. GDPR is consumer and data privacy legislation that will require full support from information security best practices. GDPR’s core tenets are privacy, policy, and lastly information security. You have to build all three pillars successfully to meet the strict requirements of the GDPR.

Are you interested in what information security best practices will be needed to support compliance with the EU GDPR? Take a look at the security controls required below to manage the data of EU subjects according to the GDPR.

Using a Solid Information Security Policy for Breach Notification

Perhaps one of the most critical aspects of the EU GDPR is breach notification in Article 33. As a company that handles EU subject data, you must, without undue delay, notify an EU supervisory authority competent in breach notification. If you already have a well-developed information security policy and procedure for incident response, then you will be in the right place for meeting this portion of the EU GDPR. You may need to update your information security policy, or if you don’t have one, you may want to consider using a template to start and customize as you go.

In preparing your information security policy, you should consider including the following areas from SANS Institute:

  • General Information Security Policy
  • Network Security Policy
  • Server Security Policy
  • Application Security

(Template Sources: SANS Institute Security Resources)

Interested in GDPR Assessment and Consulting? Learn more about CIPHER's GDPR Services. 

If you operate under a multinational organization, you might face a bit of a dilemma with the GDPR breach notification requirement. For example, if you’re working within a U.S. multinational organization and you experience a significant data breach, you may be forced to notify your U.S. customers prematurely while still waiting to notify an EU supervisory authority. This could place your organization at risk of noncompliance with the GDPR, and your organization could face fines of up to 4% of your Adjusted Gross Revenue (AGR).

With a robust information security policy, you can show that you follow best practices for information security and security incident response.


Leveraging a Security Framework to Support Compliance

If you have already adopted an industry-recognized framework, such as ISO, NIST, ICGS, SANS or PCI DSS, you are already one step ahead of the pack. The GDPR encourages organizations to align their GDPR compliance efforts with a major security framework, as noted in GDPR Article 32.

A solid security framework will help you by providing organization and structure for handling EU data subjects and meeting the compliance requirements of the GDPR. Not only that, but a security framework also shows regulators that your company has implemented proper security controls and performed its due diligence in ensuring that organizational security measures are aligned to best practices.

Measure your security maturity in CIPHER’s simplified security framework based on NIST here.

Or, check out our self-assessment tools to gauge your maturity across core domains: https://www.cipher.com/resources

Data Privacy and Encryption

Since the GDPR is entirely related to data privacy, data encryption is paramount. An organization must ensure that its EU subject data, both Personally Identifiable Information (PII) and highly sensitive personal information, is protected from hackers and third parties attempting to harvest that information.

If you are using encryption, it protects your organization from physically stolen devices and from a hacker accessing your device through malware or a virus. Most of your EU subject data will be at rest or archived within a database. However, your organization may be a data processing organization or use data processors, and it must do everything to safeguard EU subject data with encryption. Consider these three types of encryption in the context of the GDPR, as well as the common areas you should encrypt within your environment:

Encrypted Data Types:

  • Data at Rest: you encrypt data archived in the database; field encryption is preferable, table and database are also options
  • Data in Transit: encrypt the data itself and also use an encrypted transport protocol such as SSL or a VPN
  • Data in Use: sensitive data should be obfuscated, such as showing dots for a credit card number (except possibly the last four digits)

Areas of Encryption

  • Data Encryption: you must ensure that files, media, and data are encrypted using disk encryption
  • Server and Storage Encryption: you must use full disk encryption to protect your servers, storage, and applications running on the IT equipment
  • Network Encryption: you need network encryption for any data in transit over your network (web-based transactions, internal network traffic,

In the event of a security incident or data breach, encryption can ensure that EU subject data is unusable. Encryption makes it much more difficult for common hackers to make any connection between the data and its subject.

Generating Security Logs on Incidents

GDPR calls for a record of any data processing activities on EU data subjects in Article 30. A Security Incident and Event Management (SIEM) tool is a security best practice for complying with the EU GDPR. A SIEM will generate a substantial amount of data on malicious security incidents and network activity. It will also allow you to monitor user and system activity closely. SIEM logs can be used by a security analyst to identify patterns, detect malicious activity, and create an actionable alert for your organization if someone attempts to access sensitive EU subject data.

You may also want to consider advanced security analytics tools that can free up the security analyst’s time on analyzing logs. Advanced security analytics tools can enable the security analyst to know exactly what data has been accessed and what data events are a priority for your team.
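As an added example (not code from the CIPHER post), the two rules a security analyst might run over access logs to get the "actionable alert" described above, together with an Article 30-style count of processing actions. The log format, the `eu_pii` tag, the approved-user list and the read threshold are all assumptions; the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample access-log lines in an assumed format:
# timestamp user action record tag  (tag=eu_pii marks EU-subject personal data)
SAMPLE_LOGS = """\
2018-03-01T09:12:04Z user=alice action=READ record=cust-1001 tag=eu_pii
2018-03-01T09:13:11Z user=bob action=EXPORT record=cust-1002 tag=eu_pii
2018-03-01T09:14:30Z user=carol action=READ record=inv-7 tag=internal
2018-03-01T09:16:45Z user=mallory action=READ record=cust-1004 tag=eu_pii
2018-03-01T09:17:00Z user=mallory action=READ record=cust-1005 tag=eu_pii
2018-03-01T09:17:20Z user=mallory action=READ record=cust-1006 tag=eu_pii
malformed line that the parser should skip
"""

# Assumed: accounts allowed to process EU-subject data, and a per-user read
# count above which access to EU-subject records looks like harvesting.
APPROVED_EU_PII_USERS = {"alice", "bob"}
BULK_READ_THRESHOLD = 2

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                     r"record=(?P<record>\S+) tag=(?P<tag>\S+)$")

def parse_logs(text):
    """Parse lines into dicts; lines that do not match the format are dropped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def detect(events):
    """Return (rule, user, detail) alerts for EU-PII access by unapproved users
    and for per-user READ counts above BULK_READ_THRESHOLD."""
    alerts, reads = [], Counter()
    for e in events:
        if e["tag"] != "eu_pii":
            continue  # only EU-subject personal data is in scope for these rules
        if e["user"] not in APPROVED_EU_PII_USERS:
            alerts.append(("unapproved_eu_pii_access", e["user"],
                           f'{e["action"]} {e["record"]} at {e["ts"]}'))
        if e["action"] == "READ":
            reads[e["user"]] += 1
    for user, n in reads.items():
        if n > BULK_READ_THRESHOLD:
            alerts.append(("bulk_eu_pii_reads", user, f"{n} reads in window"))
    return alerts

def processing_record(events):
    """Article 30-style record: how often each user performed each action on EU-PII."""
    return Counter((e["user"], e["action"]) for e in events if e["tag"] == "eu_pii")

if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    for a in detect(evts):
        print("ALERT", *a)
    print(dict(processing_record(evts)))
```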

Are you prepared for the enactment of GDPR? Tell us below in the comments what steps you’re taking to become compliant.



About CIPHER

Founded in 2000, CIPHER is a global cybersecurity company that delivers highly accredited SOC I and SOC II Type 2 certified Managed Security Services and Security Consulting Services with expertise across ISO 20000 and ISO 27001, and PCI DSS holding the QSA and PCI ASV certifications. We have received many awards including Best MSSP from Frost & Sullivan for the past five years. These services are supported by the best-in-class security intelligence lab: CIPHER Intelligence. Our offices are located in North America, Europe, and Latin America with 24×7×365 Security Operations Centers and R&D laboratories, complemented by strategic partners around the globe. 

Our clients consist of Fortune 500 companies, world-renowned enterprises, and government agencies with countless success stories. CIPHER provides organizations with proprietary technologies and specialized services to defend against advanced threats while managing risk and ensuring compliance through innovative solutions. 
