Unless you’ve been in a disconnected state for the past two years, the beating of the General Data Protection Regulation (GDPR)-deadline drumroll has grown louder and louder every day – culminating on the 25th of May 2018 with the GDPR “go live.”
Not only did the enforcement of GDPR come into effect on this date, but the UK government went a step further by updating its Data Protection Act to incorporate the GDPR provisions. Please have a listen to my GDPR podcast if you prefer to consume information that way.
So now that we have an additional set of privacy laws to comply with, everything is safe and secure, right? Well, not quite. If history has taught us anything, it is this: not everyone complies, and even when they do, compliance does not equal information security.
There’s so much more to learn in regards to what GDPR means for information security, so in this blog I’ll explain what else needs to be done (besides pure compliance) to protect your organization.
GDPR Article 32 – the Security of Data Processing
I could attempt to run through the 88 pages, and the 99 GDPR Articles, of the formal GDPR document, but many people have already blogged on this (for example: How to Explain GDPR to a 5 Year Old and GDPR Explained In 5 Minutes: Everything You Need to Know). What I’m instead going to talk about are some of the technical requirements, which some might feel are hidden away in Article 32 (which relates to the security of data processing).
Without copying the Article line by line, I’m going to call out a few statements, such that you can understand the type of wording used by the GDPR legislation in helping organizations to implement technical controls:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk…”
Not very helpful is it?
Sadly, Article 32 does little to help organizations understand what they need to do to actually “make the world a safer place.” And, until some case law is developed, we’ll probably be in a gray space for some time.
However, it’s not to say that we can’t work with the principles and spirit of GDPR to help secure the data of our customers, the public, and our organization.
8 Steps for Better Information Assurance
If you haven’t already done so, there are eight key areas to start with when providing information assurance to your customers:
- Develop a risk appetite statement. This will provide guidance to people within the organization as to the overall approach to risk within the organization. Here’s an example. Greater detail can be developed as part of risk tolerances and threshold statements.
- Understand your assets, business processes, and critical data (critical data includes personally identifiable information (PII)). Here there’s a need to consider the usage, type, and quantity specifically to help your organization to understand the associated risks and impacts.
- Understand your organization’s security posture, i.e. how strong and resilient to cyber-attacks it is. You’ll need to look at your current state relative to people, process, and technology capabilities. There are many ways of doing this, but one example is to use a capability maturity model. This can be achieved via an internal assessment or using a third-party assessment service.
- Create a threat model to assist you in understanding the threats that apply to your organization. Protecting a business is no easy feat, so make sure your security efforts are addressing possible, and probable, attack vectors from likely threats.
- Assess if your organization is mandated to appoint a Data Protection Officer (DPO) – a data protection expert within your organization. The GDPR legislation’s view is that you should assume that your organization needs a DPO, unless you can demonstrate that it doesn’t.
- Conduct “crown-jewels analysis,” i.e. identifying your organization’s most important data assets, and create data-flow models – these are key to not only visualizing assets and data-flows but also in ensuring that your efforts are focused on protecting the right information.
- Conduct privacy impact assessments (the Information Commissioner’s Office (ICO) has some good guidance here). This will help you understand the risks and impacts to privacy, and help you understand the controls that will be required. The ICO guidance is UK-centric but is useful for any organization regardless of their geography.
- Think about the system as a whole, including your supply chains, and – where appropriate – conduct security assurance exercises with your suppliers.
Tighten Information Security Too
The above is rather generic guidance that starts to help your organization make the world safer and more secure. However, there are other technical approaches and controls that would provide even greater assurance:
- Build security into your organization’s DNA and review and adjust your information security controls on a continual basis.
- Establish organizational security principles and update or create relevant policy documentation. Don’t forget that communication and training are key here; this shouldn’t be just an exercise in paperwork.
- Leverage encryption (both at-rest and in-transit) – in 2017 over 50% of the internet was using SSL/TLS.
- Secure your supply chain – if you work with third-parties, ensure that they’re providing the right levels of security and, even more so, ensure that your organization is using their services in a secure manner/configuration. For example, hosting services in an ISO 27001 compliant datacenter doesn’t go a long way to stopping a breach if you leave your services wide open, and exposed, to the internet.
- Use a strong authentication mechanism, ensuring that weak credentials are not allowed. Also think about integrating with a service such as haveibeenpwned.com, which offers an API for checking whether a password has been leaked in a previous breach (and is therefore likely to be in attackers’ dictionaries, and therefore weak).
- Conduct continual, or regular, vulnerability assessments.
- Ensure traceability of events, incidents, and requests.
- Practice good service asset and configuration management (this also includes practicing good change and release processes).
- Secure your endpoints. Most malware arrives through phishing, which results in either compromised credentials or initial malware infections on endpoint devices.
- It’s easy to say, but harder to do (unless you employ automation) – but please patch your systems.
- Ensure that you have functional backups! No one wants to resort to typewriters if ransomware hits.
- Segment the network. I know it sounds simple, but a lot of organizations believe that just having a VLAN segments their networks. Reality check, it doesn’t. You don’t want to have servers in the same segment as devices, just like printers should have a dedicated segment. New technologies such as Software-Defined Networking can help here.
- Enable firewalls. It might sound crazy to those who did this years ago, but some organizations still operate a large number of systems with the host-based firewalls disabled. Please turn them on!
- Stay on top of the threat and vulnerability landscape. Having good intelligence on common threats, vulnerabilities, and campaigns helps you stay ahead of the game.
Better Security in a GDPR World
Ensuring GDPR compliance, and implementing technical controls that will stand up to attackers, is no longer something organizations can ignore. This is a board-level priority that needs to be addressed.
Changes to the legal and regulatory landscapes are thankfully helping to improve information security and privacy; however, they are not a one-stop shop. The increase in potential penalties enabled by the GDPR legislation and the Data Protection Act 2018 hasn’t solved the world’s security concerns, but it has provided a much-needed jolt to boards to ensure that they have their information-security houses in order (when it comes to protecting their business’ brand, data, and most importantly its customers).
The world might not yet be as secure as it should be, but GDPR – among a great many initiatives – is a step in the right direction. The key question is: What are you going to do to enable your business to protect its customers?