
Continuous Compliance 14.9.2016

Date post: 16-Apr-2017
Upload: digia-plc

DevOps & CyberSec meetup agenda, 14th September 2016

• 18:00 Welcome to Digia
• 18:10 Continuous Compliance / Tessa Viitanen, Digia
• 18:55 Break
• 19:05 Ilari Mäkelä, Verkkokauppa.com
• 19:45 Break
• 19:55 DevSecOps - from the backlog to forensics / Antti Vähä-Sipilä, F-Secure
• 20:40 Networking
• 21:30 Event ends

Digia Continuous Compliance

Tessa Viitanen

14.9.2016

Digia Continuous Compliance Team:

Tessa Viitanen, Jan Grela, Ville Lindroos, Petri Rosenström

www.digia.com

GDPR (General Data Protection Regulation)

Frameworks, policies and authorities: PCI DSS, GxP, ISO 27001, ISO 27002, ISO 27018, CIS, Security Policies, Fiva, Regulators, Laws, FIMEA

2015: change in Finnish criminal law, paragraph 38, article 9 a §: identity theft is now a crime.

Change of focus from the people to companies

Why: unhashed passwords, data breaches

• 2011 Enough breaches
• 2012 EU Commission proposal
• 2014 Parliament approval
• 2016 Approved by the EU Commission
• 2018 Enters into force

Sanction: 4% of a company's global turnover or 20 M€, whichever is HIGHER.

What drove it:

• More data breaches
• Poor security policies
• No proper encryption
• Personal data all over, including on paper
• Personal data sold all over, used for business
• Personal data sold all over, used for organized crime
• Medical data all over
• Unsalted passwords

LEGISLATION VS REGULATION

LEGISLATION, A DIRECTIVE (GENERAL):
• Somebody did something which caused impact to many people, and hence the legislation was set at a broader level.

REGULATION:
• The governing agency was made to be more specific about how it is done, in technical terms, to comply with the legislation.

EU Data Privacy

• The Directive entered into force on 5 May 2016. EU Member States have to transpose it into their national law by 6 May 2018.
• The Regulation entered into force on 24 May 2016. It applies from 25 May 2018.

EU DATA PRIVACY OBJECTIVES

The objective of this new set of rules is:

• To give citizens back control over their personal data
• To simplify the regulatory environment for business

When it comes to the law, as a registry owner you cannot move your responsibility to anyone else.


What is Compliance?

PCI DSS, GxP, ISO 27001, ISO 27002, ISO 27018, CIS, Security Policies, Fiva, Regulators, Laws, FIMEA

COMMON DELUSIONS OF COMPLIANCE

• We will be fully compliant until the next audit (PCI DSS, ISO 27001/ISO 27002, GxP certificate etc.)
• Our hosting provider has a certificate, so we don't need one for our solution

A certificate is a snapshot of the current state. It is a baseline where your security starts from. It breaks with the first change you make if you don't follow up.

The better you are aware of your business risks, the better you will survive a data breach situation.

It's not just money; brand, image and trust also matter for your company.

• Information Security Policies (ISP): compliance
• Business Impact Analysis (BIA): risks against the compliance
• Privacy Impact Assessment (PIA): risks against the overall solution data flow
• Assess your sub-contractors!

EXAMPLE GDPR CONTROLS FOR CXO LEVEL

MANDATORY:

• Data Protection Officer (DPO), a new role within all companies (can be outsourced)
• Notification 72 hours after a data breach, to the officer and to the person the data belongs to
• Subject Access Request (SAR)

Even though you can outsource the DPO role, you cannot outsource your responsibility as a registry owner.

A SAR must generally be complied with within 40 days.

• An audit trail is more expensive than the manual processing of SARs

PITFALL MINDSETS

• Pseudonymisation of data complicates work
• Light encryption is enough
• Privacy notices to end users can be complex
• Sub-contractors are paying their share in case of a breach, without a contractual agreement
• International data transfer is not happening
• Cloud will solve all of the problems, including sanctions
• On-premises is more secure than the cloud, and hence does not require verification, as it is on certified paper

Calculate the whole process from the beginning to the end.

Manual work at first glance looks cheaper; however, automation will be cheaper in the long run. Do the math, not a probability forecast!

CONSIDERATIONS FOR AVOIDING THE PITFALLS

Know what data you store, where you store it and who has access to it!

Know who operates your systems, and what they do in them!

• Investing in decent data processing
• Web platform for SARs
• Security frameworks as a security baseline
• Automate as much as possible
• Full-stack security testing
• SOC / Forensics
• PIA for sub-contractors
• Compliance requirements for sub-contractors
• Sub-contractor contract

PRIVACY BY DESIGN (example: Finland 2017, estimated)

Are you really sure you want to do it all manually?

FINNISH REGISTRY OWNER RESPONSIBILITIES

In Finland the company will be responsible for providing a report, similarly to how companies are required to file their taxation report.

The company is responsible for proving that it is compliant with the regulation.


You cannot use compliance certificates for your own solution!

PCI DSS, GxP, ISO 27001, ISO 27002, ISO 27018, CIS, FIMEA, Fiva, Regulators, Laws

IaaS, PaaS, SaaS (VPC, Private Cloud, Public Cloud)

• Verify what is certified
• Who is accessing the data, and where is it accessed from
• Verify where the system is operated
• Create clear security classes for data
• It is your registry!

Mindset Error

01001101 01101001 01101110 01100100 01110011 01100101 01110100 00100000 01100101 01110010 01110010 01101111 01110010 00001101 00001010 01001001 01110100 00100000 01101001 01110011 00100000 01011001 01001111 01010101 01010010 00100000 01110010 01100101 01100111 01101001 01110011 01110100 01110010 01111001 00100001

It is YOUR registry!

Always verify WHAT has been certified, assessed or audited!

But there is a solution… And the best part of it is that it's all technical… and you can automate it!

Compliance Scan

Automated delivery with Compliance Scan: monitor and alert on compliance deviations.

The loop:

• Change
• Monitor / Test
• Deliver or Fix
• Follow up
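The loop above (scan after every change, alert on deviations, deliver or fix, follow up) is the part the talk says is "all technical" and automatable. The script below is an added illustration written for this page; it is not Digia's Compliance Scan product or any real scanner. It evaluates a configuration snapshot against a small set of baseline controls (the control ids, thresholds and both snapshots are constructed for the example), reports which controls drifted since the last scan, and returns a deliver/fix decision a delivery pipeline could gate on.

```python
"""Continuous compliance scan as a delivery gate (added example, not Digia's tool).

A certificate is a snapshot of a baseline; this script re-evaluates a live
configuration snapshot against that baseline after every change, reports the
deviations the change introduced and decides whether to deliver or to fix.
Every control id, threshold and snapshot value below is constructed.
"""
from dataclasses import dataclass
from typing import Any, Callable

Config = dict[str, Any]  # one configuration snapshot (Python 3.9+ typing)


@dataclass(frozen=True)
class Control:
    id: str                          # constructed id, not a real CIS/ISO reference
    description: str
    check: Callable[[Config], bool]  # True when the snapshot satisfies the control
    blocking: bool                   # True: a deviation stops delivery ("Fix")


@dataclass(frozen=True)
class Deviation:
    control_id: str
    description: str
    blocking: bool


# Password hash schemes that are salted and slow by construction; anything else
# (plain text, md5, unsalted sha1, ...) fails the control.
SALTED_HASHES = {"bcrypt", "scrypt", "argon2id", "pbkdf2"}


def stores_are_classified(cfg: Config) -> bool:
    """Every data store names an owner and a security class (know what you store, and who owns it)."""
    return all(s.get("owner") and s.get("security_class") for s in cfg.get("data_stores", []))


CONTROLS = [
    Control("PW-01", "passwords stored with a salted adaptive hash",
            lambda c: c.get("password_hashing") in SALTED_HASHES, blocking=True),
    Control("ENC-01", "personal data encrypted at rest",
            lambda c: c.get("encryption_at_rest") is True, blocking=True),
    Control("TLS-01", "TLS 1.2 or newer required",
            lambda c: float(c.get("tls_min_version", 0)) >= 1.2, blocking=True),
    Control("DATA-01", "each data store has an owner and a security class",
            stores_are_classified, blocking=True),
    Control("LOG-01", "audit trail enabled",
            lambda c: c.get("audit_trail") is True, blocking=False),
    Control("DPO-01", "data protection officer contact configured",
            lambda c: bool(c.get("dpo_contact")), blocking=False),
]


def scan(cfg: Config, controls=CONTROLS) -> list[Deviation]:
    """Run every control against the snapshot; return the ones that fail."""
    return [Deviation(k.id, k.description, k.blocking) for k in controls if not k.check(cfg)]


def delivery_decision(deviations) -> str:
    """'Deliver or Fix': any blocking deviation stops the delivery."""
    return "FIX" if any(d.blocking for d in deviations) else "DELIVER"


def new_deviations(before, after) -> set[str]:
    """Controls that passed in the previous scan but fail now: the drift a change introduced."""
    return {d.control_id for d in after} - {d.control_id for d in before}


# Constructed snapshots: the state at audit time, and the state after a later change.
AUDITED_SNAPSHOT: Config = {
    "password_hashing": "argon2id", "encryption_at_rest": True, "tls_min_version": "1.2",
    "audit_trail": True, "dpo_contact": "dpo@example.invalid",
    "data_stores": [{"name": "customers", "owner": "crm-team", "security_class": "personal"}],
}
CHANGED_SNAPSHOT: Config = {
    **AUDITED_SNAPSHOT,
    "password_hashing": "sha1",  # login "simplified" to an unsalted hash
    "data_stores": AUDITED_SNAPSHOT["data_stores"]
    + [{"name": "exports", "security_class": "personal"}],  # new store, no owner recorded
}

if __name__ == "__main__":
    before = scan(AUDITED_SNAPSHOT)
    after = scan(CHANGED_SNAPSHOT)
    for d in after:
        print(f"[{'BLOCK' if d.blocking else 'ALERT'}] {d.control_id}: {d.description}")
    print("new since last scan:", sorted(new_deviations(before, after)))
    print("decision:", delivery_decision(after))
```

Run against the audited snapshot the scan is clean and the decision is DELIVER; against the changed snapshot it reports PW-01 and DATA-01 as new deviations and returns FIX. Wiring `scan()` into the delivery pipeline, with a snapshot taken from the real system, is what turns a one-off certificate into the follow-up the slides ask for.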

Jump on the "bureaucrazy" roller coaster and enjoy the demo ride!

Questions?

Automate and enjoy the coffee!

More information: Tessa [email protected]
