Date posted: 23-Jan-2018
Uploaded by: sabsacourses
Compliance to Enablement
Enterprise Security Architecture & GDPR
Maurice Smit
SABSA Instructor &
Principal Consultant
SABSA Framework & Methodology
Methodology for developing business-driven, risk and opportunity focused enterprise security & information assurance architectures, and for delivering security infrastructure solutions that traceably support critical business initiatives
Comprised of a number of integrated frameworks, models, methods and processes
© 2017 David Lynas Consulting Ltd 2
The World’s Leading Security Architecture
Free use methodology and framework
6000+ certified Architects in 50+ countries
Formal regulated professional Institute
Official & de facto standard Government, Finance & Industry
Change the Landscape of Security & Risk Management, Enable Business and Bring Demonstrable Value to Your Security Program
www.SABSA.org
Top 10 SABSA Applications
Security Architecture
Enterprise Architecture
Traceability & Alignment of Solutions to Business Requirements
Enterprise Risk & Opportunity Management
Assurance, Compliance & Audit
Governance & Policy Architecture
Technical Solution Design
Integration & Alignment of approaches, frameworks & standards
Security Service Management / Security Programme Management
Critical National Infrastructure Strategy
Concepts, Models & Frameworks
Business Attributes Profiling
Threat & Opportunity Model
Multi-Tiered Control Strategy
Two-way Traceability
Extended RACI Matrix
Policy Framework
Domain Modelling
Approaches to Traceability
A flawed approach:
Stakeholder: “I need to sell more product”
Security: “Then you need a firewall”
A credible approach: collect business drivers, goals and objectives
Stakeholder: “I need to sell more product”
Security: “We can sell more product if security enhances the core product through higher levels of trust and ease of use”
SABSA Business Attributes Profiling
Provide an engineering technique for modelling Business Requirements into normalised, measurable, demonstrable, re-usable, reportable form
The “Things that matter most”
Instinctive to stakeholders at all levels
Measurable to define performance targets and risk appetite
Populates the missing link between Business and Security
SABSA Attributes Profiles
Attributes need a:
Name
Definition
Classification/Category
Measurement Approach
Metrics type
Performance Target
Attributes for Two-way Traceability
Attributes for Threat & Opportunity Management
Attributes for Strategic Planning / Roadmap
Attributes for Executive Reporting
SABSA Applied
Business Targets – Enterprise Strategy
Empower people to stay a step ahead in life and in business
Banking should be possible anytime and anywhere
Customers need to understand their choices, and the implications, both today and for the future
Our strengths include our well-known, strong brand with positive recognition from customers in many countries, strong financial position, omni-channel distribution strategy and international network
We are Honest – We give honest, clear and frank advice to our customers. We respect the law and the rules we set for ourselves. We tell the truth
Business Targets – Enterprise Strategy
Empower people to stay a step ahead in life and in business [Empowered]
Banking should be possible anytime and anywhere [Accessible, Continuous]
Customers need to understand their choices, and the implications, both today and for the future [Informed, Intelligible]
Our strengths include our well-known, strong brand with positive recognition from customers in many countries, strong financial position, omni-channel distribution strategy and international network [Branded, Reputable, Sustainable]
We are Honest – We give honest, clear and frank advice to our customers. We respect the law and the rules we set for ourselves. We tell the truth [Honest, Trustworthy, Compliant]
Business Attributes
Empowered
Branded
Sustainable
Informed
Intelligible
Trustworthy
Honest
Compliant
Reputable
Accessible
Cascading the Strategy
Integrated Compliance Framework
Balanced Scorecards
Capability Maturity Models
Financial Models (ROI/NPV/IRR)
ISO 27005
ISO 31000
Business Legislation
Business Sector Regulation
COSO
Total Quality Framework
Labelling
Big Data
Processing Customer Information
The EU’s General Data Protection Regulation (GDPR) is the most stringent and burdensome privacy mandate in the world. The penalty for major violations can be up to 20 million euros or 4% of your company’s annual global revenue.
You have until May 2018 to centralise unstructured data governance across on-premises and cloud (3rd Party)
GDPR – Example Articles
Beyond the appointment of a Data Protection Officer and the Legal Basis for Processing, there are more, such as:
Right of Access by the Data Subject (15)
Right to Rectification (16)
Right to Erasure/to be Forgotten (17)
Right to Restriction of Processing (18)
Right to Object (21)
Standard of consent
(numbers are articles from REGULATION (EU) 2016/679 / Directive 95/46/EC)
Standard of Consent
In the GDPR Regulation document, page 8:
“(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular, in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC (1) a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”
GDPR Attributes
Demonstrable
Intelligible
Accessible
Identified
Threat & Opportunity Model
[Figure: Threat & Opportunity Model, set in the Risk Context of the Attributes]
Negative side: Threats lead to a Loss Event, which leads to Negative Outcomes.
Overall likelihood of loss is built from: Likelihood of threat materialising; Likelihood of weakness exploited.
Overall loss value is built from: Asset value; Negative impact value.
Positive side: Opportunities lead to a Beneficial Event, which leads to Positive Outcomes.
Overall likelihood of benefit is built from: Likelihood of opportunity materialising; Likelihood of strength exploited.
Overall benefit value is built from: Asset value; Positive impact value.
Threats and Opportunities to GDPR Attributes
Threat to Demonstrable and Intelligible: Consent is incomplete regarding the data actually stored/processed.
Threat to Accessible: Consent is not easily accessible; there is no clear process for viewing consent.
Opportunity of Demonstrable and Intelligible: The Data Subject is informed about what we do in clear and readable words.
Opportunity of Accessible: Data Subject and Controller both have quick access to the boundaries of the data stored/processed.
Multi-Tiered Attributes for Compliant
Threats and Opportunities to Traceable and Labelled
Attribute: Traceable
Threats:
- Gathered data is not linked to the Data Subject Profile
- Gathered data contains other Data Subject information, disclosing unwanted information
Opportunities:
- Provide real-time/efficient processing of Data Subject consent, rejection, deletion
- Exchange data with 3rd Party/Data Subject easily
Attribute: Labelled
Threats:
- Storing unstructured data (without real purpose)
Opportunities:
- Structured and labelled data provides a relevant picture of the customer using product(s), increasing productivity and product development
- Increase of Trustworthiness due to smooth data processing
- Efficient data exchange with 3rd Parties
Multi-Tiered Attributes and Systemic relations
More GDPR
Another GDPR example, Article 72: “[..] secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation [..]”
In other words, we need to at least prevent unauthorised access.
Attribute Secure in GDPR
Conclusion
Using SABSA techniques, models and concepts can help us demonstrably enable business while showing the effect of regulations on the elements, goals and targets of the organisation.
We showed that with an architected approach, compliance can enable business and help achieve goals.
David Lynas Consulting Ltd
17 Ensign House
Admirals Way
London
E14 9XQ
UK
@SABSAcourses
davidlynas.com
+44 (0) 207 863 7834
SABSAcourses