Posted: 16-Apr-2017 | Category: Technology | Uploaded by: digia-plc
DevOps & CyberSec meetup agenda 14th September 2016
• 18:00 Welcome to Digia
• 18:10 Continuous Compliance / Tessa Viitanen, Digia
• 18:55 Break
• 19:05 Ilari Mäkelä, Verkkokauppa.com
• 19:45 Break
• 19:55 DevSecOps - from the backlog to forensics / Antti Vähä-Sipilä, F-Secure
• 20:40 Networking
• 21:30 Event ends
Digia Continuous Compliance
Tessa Viitanen
14.9.2016
Digia Continuous Compliance Team:
Tessa Viitanen, Jan Grela, Ville Lindroos, Petri Rosenström
www.digia.com
GDPR (General Data Protection Regulation)
PCI DSS
GxP
ISO 27001
ISO 27002
ISO 27018
CIS
Security Policies
Fiva
Regulators
Laws
FIMEA
2015 Change in Finnish criminal law, chapter 38, section 9 a §: identity theft is now a crime.
Change from the people to companies
Unhashed passwords
Data Breaches
2011 Enough breaches
2012 EU Commission proposal
2014 Parliament approval
2016 Approved by the EU Commission
2018 Enters into force
Sanction: 4% of a company's global turnover or 20M€, whichever is HIGHER
More data breaches
Poor Security Policies
No proper encryption
Personal data all over, also on paper
Personal data sold all over and used for business
Personal data sold all over and used for organized crime
Medical data all over
Unsalted passwords
LEGISLATION VS REGULATION
LEGISLATION, A DIRECTIVE (GENERAL):
• Somebody did something that impacted many people, and hence legislation was set at a broader level.
REGULATION:
• A governing agency specifies, in technical terms, how to comply with the legislation.
EU Data Privacy
The Directive entered into force on 5 May 2016.
The Regulation entered into force on 24 May 2016.
EU Member States have to transpose the Directive into their national law by 6 May 2018.
The Regulation applies from 25 May 2018.
EU DATA PRIVACY OBJECTIVES
The objective of this new set of rules is:
• To give citizens back control over their personal data
• To simplify the regulatory environment for business
When it comes to law, you cannot transfer your responsibility as a registry owner to anyone else.
What is Compliance?
A certificate is a snapshot of the current state.
It's a baseline from which your security starts.
It breaks with the first change you make if you don't follow up.
COMMON DELUSIONS OF COMPLIANCE
• We will be fully compliant until the next audit (PCI DSS, ISO 27001/ISO 27002, GxP certificate etc.)
• Our hosting provider has a certificate, so we don't need one for our solution
The better you are aware of your business risks, the better you will survive a data breach.
It's not just money; brand, image and trust also matter for your company.
• Information Security Policies (ISP) compliance
• Business Impact Analysis (BIA): risks against the compliance
• Privacy Impact Assessment (PIA): risks against the overall solution data flow
• Assess your sub-contractors!
EXAMPLE GDPR CONTROLS FOR CXO LEVEL
MANDATORY
Even though you can outsource the DPO role, you cannot outsource your responsibility as a registry owner.
SARs must generally be complied with within 40 days.
• Data Protection Officer (DPO), a new role within all companies (can be outsourced)
• Notification within 72 hours after a data breach to the officer and to the person the data belongs to
• Subject Access Request (SAR)
PITFALL MINDSETS
• An audit trail is more expensive than the manual processing of SARs
• Pseudonymisation of data complicates work
• Light encryption is enough
• Privacy notices to end users can be complex
• Sub-contractors are paying their share in case of breach without a contractual agreement
• International data transfer is not happening
• The cloud will solve all of the problems, including sanctions
• On-premises is more secure than the cloud and hence does not require verification, as it is on certified paper
Calculate the whole process from beginning to end.
Manual work at first glance looks cheaper; however, automation will be cheaper in the long run. Do the math, not a probability forecast!
CONSIDERATIONS FOR AVOIDING THE PITFALLS
Know what data you store, where you store it and who has access to it!
Know who operates what in your systems!
• Investing in decent data processing
• Web platform for SARs
• Security frameworks as a security baseline
• Automate as much as possible
• Full stack security testing
• SOC / Forensics
• PIA for sub-contractors
• Compliance requirements for sub-contractors
• Sub-contractor contract
PRIVACY BY DESIGN (example: Finland 2017 estimated)
Are you really sure you want to do it all manually?
FINNISH REGISTRY OWNER RESPONSIBILITIES
In Finland the company will be responsible for providing a report, similarly to how companies are required to file their tax report.
The company is responsible for proving that it is compliant with the regulation.
You cannot use compliance certificates for your own solution!
IaaS, PaaS, SaaS (VPC, Private Cloud, Public Cloud)
Verify what is certified
Who is accessing the data and where it is accessed from
Verify where the system is operated
Create clear security classes for data
It is your registry!
Mindset Error
It is YOUR registry!
Compliance Scan
Automated delivery with Compliance Scan
Monitor and alert on compliance deviations
Deliver or Fix → Monitor → Test → Change → Follow up