Posted: 19-Mar-2017 | Category: Technology | Uploaded by: tripwire
The EU GDPR
What Is It & Why Should I Care?
Brian Honan
Who Am I?
• CEO of BH Consulting – Independent Information Security Firm
• Founder & Head of IRISSCERT – Ireland’s first Computer Emergency Response Team
• Special Advisor on Internet Security, Europol's CyberCrime Centre (EC3)
• Adjunct Lecturer at University College Dublin
• Expert Advisor to European Network & Information Security Agency (ENISA)
• Regularly comments on media stories – BBC, Forbes, Bloomberg, FT, Guardian, Sunday Times
“Why do you rob banks?”
“Because that's where the money is.”
– Willie Sutton
(Image courtesy Dermot Casey)

“Why do you hack companies?”
“Because that's where the Data is.”
– CyberWillie Sutton
(Image courtesy Dermot Casey)
What is GDPR?
• The EU General Data Protection Regulation (GDPR) is the update to the EU Data Protection Directive
• Came into Force 24th May 2016
• Will Apply Across All 28 EU Member States from 25th May 2018 (Just over 15 months to be ready)
What is GDPR?
• Updates the EU Data Protection Directive with a Strong Focus on Individuals’ Privacy Rights
• Harmonises the Data Protection Regime Across All 28 EU Member States
• Will Apply Across All 28 EU Member States
• Significant Obligations (and Fines) on Organisations Holding Personal Data
What is GDPR?
Personal Data
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
EU GDPR Applies to EU Member States
EU GDPR Also Applies Globally
What it Means to The Individual
• The Right to be Informed
• The Right of Access
• The Right to Rectification
• The Right to Erasure (Otherwise Known As The Right to Be Forgotten)
• The Right to Restrict Processing
• The Right to Data Portability
• The Right to Object
• Rights in Relation to Automated Decision Making and Profiling
What it Means to Organisations?
• Obtain Clear Consent
• Obtain Parental Consent if Data Subject Under 16
• Provide a Copy of an Individual’s Personal Data on Request
• Erase all Personally Identifiable Records if Requested
• Provide “Adequate Security”
• Privacy Impact Assessments
• One Supervisory Authority to Deal With – You Can Select your Preferred Supervisory Authority
Mandatory Breach Notifications
• If Personal Data Breach “likely to result in a risk to the rights and freedoms of individuals”: Notify The Supervisory Authority Within 72 Hours of Becoming Aware of Breach
• If High Risk Breach Likely To Affect Rights and Freedoms of Individuals: “You Must Notify Those Concerned Directly”
Mandatory Breach Notifications
The Nature of the Personal Data Breach Including:
• Categories and Approximate Number of Individuals Impacted;
• Categories and Approximate Number of Personal Data Records Concerned;
• Contact Details of the Data Protection Officer or Other Contact Point;
• Description of Likely Consequences of the Personal Data Breach;
• Description of Measures Taken, or Will be Taken, to Deal with the Breach;
• Measures (if appropriate) Taken to Mitigate any Possible Adverse Effects.
Appoint A Data Protection Officer
Mandatory For:
• A Public Authority (with some exceptions);
• Companies with Large Scale Systematic Monitoring of Individuals, Large Scale Processing of Special Categories of Data, or Large Scale Processing of Data Relating to Criminal Convictions and Offences
Data Protection Officer Must:
• Report to the Highest Management Level of Organisation
• Operate Independently
• Not be Dismissed or Penalised for Performing their Task
• Have Adequate Resources Provided
Significant Fines
• Supervisory Authority Can Fine Up to €20,000,000 (or 4% of total annual global turnover, whichever is greater) for the most serious infringements
• Failing to notify a breach when required to do so can result in a significant fine of up to 10 million Euros or 2 per cent of your global turnover, On Top of the Fine for the Breach itself
• An Individual(s) Can Complain to Supervisory Authority
• Right To Compensation
• Potential for Group Actions
Trend Micro's UK Study re GDPR
• 50% of UK IT decision makers were unaware of the impending legislation
• 25% adamant that compliance is not achievable
Ready for GDPR?
May 25th 2018
Start Your GDPR Project Now
• Identify Key Data Assets
• Establish Policies
• Use Existing Frameworks: ISO/IEC 27001:2013 Information Security Standard, ISO/IEC 27002:2013 Guidance, NIST CyberSecurity Framework, The Center for Internet Security - Critical Security Controls
• Security Awareness Training
• Monitor & Respond
TRIPWIRE OVERVIEW
Foundational Controls for GDPR
Tim Erlin, Sr. Dir. Product Management, Tripwire
A Leader in Security, Compliance and Operational Excellence
• Foundational controls for Security, Compliance and IT Operations
• Stable, growing public company in a chaotic industry
• Relied on by thousands of customers since 1997
1000s of successful customer deployments
Trusted by half the Fortune 500 (F500)
96% customer satisfaction
20M critical endpoints covered globally
How we enable Security
• Assess configurations against security policies: Extensive library of security configuration best-practices to establish and monitor configurations
• Detect unauthorized changes: Detection and alerts on all changes to established baseline—what, who and business context
• Identify risks on assets: Discover assets, vulnerabilities and malicious changes, and help automate the workflow and process of remediation
• Deal with security data overload: Automate manual processes associated with dealing with change—isolate and escalate changes and events of interest
How we support Compliance
• Reduce the time spent on compliance: Out-of-the-box audit report templates, and automated compliance reporting
• Demonstrate compliance with standards: Industry’s most comprehensive library of policy tests for all major standards
• Produce data for audits and for forensics: Logging of changes to in-scope assets with details on who and when
• Maintain compliance over time: Continuous monitoring and reporting to flag remediation needed to stay compliant
TRIPWIRE PROPRIETARY & CONFIDENTIAL. NOT FOR DISTRIBUTION
Tripwire Capabilities
Configuration & Compliance Management
• Policy Management
• Configuration Management
• Automated Remediation
Log Management
• Secure, Reliable Log Collection
• Flexible Log Storage and Retention
• Correlation and Log Forwarding
Vulnerability Management
• Asset Inventory and Profiling
• Vulnerability Assessment
• Risk Scoring and Prioritization
Integrity Monitoring
• File Integrity Monitoring
• System Configuration Monitoring
• Database Configuration Monitoring
Network Security | IT Service Management | Threat Intelligence | SIEM & Analytics
Tripwire supports numerous frameworks and standards
Tripwire Supports Security & Compliance Frameworks
The Center for Internet Security - Critical Security Controls
Tripwire supports security and compliance frameworks including NIST, CoBIT, PCI, ISO 27000, FISMA
20 Critical Security Controls – Tripwire Solutions
CSC1 Inventory of Authorized and Unauthorized Devices
CSC2 Inventory of Authorized and Unauthorized Software
CSC3 Secure Configurations for Hardware and Software
CSC4 Continuous Vulnerability Assessment and Remediation
CSC5 Controlled Use of Administrative Privileges
CSC6 Maintenance, Monitoring, and Analysis of Audit Logs
CSC7 Email and Web Browser Protections
CSC8 Malware Defenses
CSC9 Limitation and Control of Network Ports
CSC10 Data Recovery Capability
CSC11 Secure Configurations for Network Devices
CSC12 Boundary Defense
CSC13 Data Protection
CSC14 Controlled Access Based on the Need to Know
CSC15 Wireless Access Control
CSC16 Account Monitoring and Control
CSC17 Security Skills Assessment and Appropriate Training to Fill Gaps
CSC18 Application Software Security
CSC19 Incident Response and Management
CSC20 Penetration Tests and Red Team Exercises
NIST Cyber Security Framework
GDPR – Tripwire Supports Your Efforts
• Article 25 Data Protection by Design and by Default
• Article 30 Records of Processing Activities
• Article 32 Security of Processing
• Article 35 Data Protection Impact Assessment
• Article 39 Tasks of the Data Protection Officer
• Article 59 Activity Reports
tripwire.com | @TripwireInc
Thank You
Brian Honan, Owner/Founder, BH Consulting, @BrianHonan
Tim Erlin, Sr. Dir. Product Management, Tripwire, @terlin
http://www.tripwire.com | @TripwireInc