Test and Verification Solutions
Data Security in GDPR
Delivering Tailored Solutions for
Hardware Verification and Software Testing
Presentation to: UKTI - GDPR & Austin Startup Week
Copyright TVS Limited | Private & Confidential | Page 2
Agenda
▪ Intro to T&VS
▪ Why GDPR? & What are the threats?
▪ Data security in GDPR
▪ GDPR security testing
▪ Summary
TVS - Leaders in Verification
▪ India - 2011
▪ UK - 2008
▪ Germany - 2011
▪ Singapore - 2014
▪ China, South Korea, USA - 2014
▪ Japan - 2016
Global presence in all high-end technology locations.
Why GDPR? & What are the threats?
Data Privacy Security attacks
Varied types of data security incidents 2017
[Chart: data security incidents by type, split into cyber 'old' breach types and cyber 'new' breach types]
Source: ICO data security incident trends 2017 - https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/09/data-security-incident-trends-q1/
Information Commissioner's Office: the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Threat Assessment
Factors that combine into a successful attack:
▪ Threat Capability: resources, techniques, tools
▪ Threat Accessibility: logical and physical reachability
▪ System Susceptibility: vulnerabilities, attack surface, value to attacker
Supply Chain Implications
Parties in the device supply chain:
▪ IP vendor
▪ Chip vendor
▪ Comms module vendor
▪ SW developer
▪ OTS RTOS
▪ ODM - develops & makes the device
▪ Brand owner - marketing & support services
▪ End users
Legend (link markers): certificated at every step / not approved, requires extra audit
Data security considerations at every level.
Data Security in GDPR
Data Security – GDPR articles
Article 25 - Data protection by design and by default
• Implement appropriate technical and organisational measures, such as:
  • pseudonymisation & data minimisation
  • integrate the necessary safeguards
  • process only the personal data necessary for the purpose of the processing
Article 32 – Security of processing
• Pseudonymisation & encryption of personal data
• Ability to ensure the confidentiality, integrity, availability and resilience
• The ability to restore access to personal data in a timely manner
• A process for regularly testing, assessing and evaluating
Article 33 - Notification of a personal data breach to the supervisory authority
• In the case of a personal data breach, the controller shall without undue delay notify the personal data breach to the supervisory authority
Article 34 - Communication of a personal data breach to the data subject
• If the personal data breach is likely to result in a high risk, the controller shall communicate the personal data breach without undue delay.
• The communication shall not be required if the controller has implemented appropriate technical protection measures
Article 35 - Data protection impact assessment
• If using new technologies is likely to result in a high risk, the controller shall carry out an assessment
• The assessment shall contain at least the measures envisaged to address the risks, including safeguards and security measures
▪ Accountability, responsibility, and the ability to demonstrate data privacy plans and implementations
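Articles 25 and 32 above both name pseudonymisation and data minimisation as technical measures. The following Python is an added example, not code from the T&VS deck: it replaces a direct identifier with a keyed HMAC pseudonym and drops every field that the stated purpose does not need. The record, the field names, the "analytics" purpose and all helper names are constructed for illustration.

```python
"""Pseudonymisation and data minimisation helper (added example, not T&VS code).

A direct identifier is replaced by a keyed pseudonym and every field the
purpose does not need is dropped. The HMAC key is the additional information
that must be held separately from the data: without it the pseudonyms cannot
be mapped back to a person, but records sharing an identifier still join.
"""
import hashlib
import hmac
import secrets

# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "email": "alice@example.org",
    "full_name": "Alice Example",
    "phone": "+44 20 7946 0000",
    "country": "UK",
    "signup_month": "2018-05",
    "plan": "premium",
}

# Fields a hypothetical usage-analytics purpose actually needs (assumption).
ANALYTICS_FIELDS = {"country", "signup_month", "plan"}


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym for a direct identifier.

    HMAC rather than a bare hash: a plain SHA-256 of an e-mail address can be
    undone by hashing a list of candidate addresses, whereas HMAC needs the
    key. Normalising first keeps "Alice@Example.org" and "alice@example.org"
    on the same pseudonym so records still join.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes, fields_needed: set,
                        identifier_field: str = "email") -> dict:
    """Return a minimised copy of `record`: a pseudonym replaces the identifier,
    only `fields_needed` are kept, and every other field is dropped."""
    out = {field: record[field] for field in fields_needed if field in record}
    out["subject_id"] = pseudonym(record[identifier_field], key)
    return out


def contains_direct_identifiers(pseudonymised: dict, original: dict,
                                fields_needed: set) -> bool:
    """Check whether any value outside the retained fields leaked through."""
    leaked = {k: v for k, v in original.items() if k not in fields_needed}
    return any(v in pseudonymised.values() for v in leaked.values())


if __name__ == "__main__":
    # In practice the key lives in a key vault, never beside the pseudonymised data.
    key = secrets.token_bytes(32)
    minimised = pseudonymise_record(SAMPLE_RECORD, key, ANALYTICS_FIELDS)
    print(minimised)
    print("leaked identifiers:",
          contains_direct_identifiers(minimised, SAMPLE_RECORD, ANALYTICS_FIELDS))
```

The key is what separates pseudonymisation from anonymisation here: whoever holds it can re-identify, so it belongs with the controller's key management, not in the analytics store, and rotating it deliberately breaks the join between old and new data sets.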
GDPR Security Testing
T&VS 360 Security solutions
▪ TVS Application Security Testing services bridge the crucial security gap between perimeter defences and penetration testing
▪ Security by design: don't wait to come under attack, build in application security from the start
▪ Regular security testing: discover vulnerabilities, assess their likely impact, recommend fixes and ultimately help protect your business
▪ Security gap analysis: review that the security approach is up to date and evolving
▪ Ability to restore data: perform regular testing of backup and restore of data
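The "ability to restore data" point above only holds if the restore is actually exercised. The following Python is an added example, not T&VS code: it runs a backup/restore round trip on a constructed data set in a temporary directory and compares SHA-256 manifests of the live and restored trees, so any missing or altered file fails the drill. File names and contents are constructed, and the optional `corrupt` argument exists only to show what a failed restore report looks like.

```python
"""Backup/restore verification drill (added example, not code from the T&VS deck).

Article 32 asks for the ability to restore access to personal data in a timely
manner and for regular testing of that ability. A backup only counts if
restoring it reproduces the data exactly, so this drill backs up a constructed
data set, restores it into a clean directory and compares SHA-256 manifests.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample data set standing in for a small personal-data store.
SAMPLE_FILES: Dict[str, bytes] = {
    "customers/0001.json": b'{"subject_id": "a1", "country": "UK"}\n',
    "customers/0002.json": b'{"subject_id": "b2", "country": "DE"}\n',
    "index.txt": b"0001\n0002\n",
}


def write_dataset(root: Path, files: Dict[str, bytes]) -> None:
    """Materialise the constructed files under `root`."""
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def manifest(root: Path) -> Dict[str, str]:
    """Map each regular file under `root` (relative, '/'-separated) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, archive: Path) -> None:
    """Write a gzip-compressed tar of `source`, with paths stored relative to it."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def restore(archive: Path, target: Path) -> None:
    """Extract the archive into `target`; where this Python has the 'data'
    extraction filter, entries that would escape `target` are refused."""
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)


def compare(expected: Dict[str, str], actual: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that are missing, altered or unexpected after the restore."""
    return {
        "missing": sorted(set(expected) - set(actual)),
        "altered": sorted(k for k in expected.keys() & actual.keys()
                          if expected[k] != actual[k]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def restore_drill(files: Dict[str, bytes],
                  corrupt: Optional[str] = None) -> Dict[str, List[str]]:
    """Run a full round trip in a temporary directory and return the comparison.

    `corrupt` names a restored file to overwrite so the drill shows what a
    failed restore looks like; empty lists in every category mean the restore
    reproduced the live data exactly.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live, restored, archive = base / "live", base / "restored", base / "backup.tgz"
        write_dataset(live, files)
        before = manifest(live)
        backup(live, archive)
        restored.mkdir()
        restore(archive, restored)
        if corrupt:
            (restored / corrupt).write_bytes(b"truncated")
        return compare(before, manifest(restored))


if __name__ == "__main__":
    print("clean restore:", restore_drill(SAMPLE_FILES))
    print("tampered restore:", restore_drill(SAMPLE_FILES, corrupt="index.txt"))
```

Against a real store the manifest of the live data would be taken at backup time and kept with the backup metadata, so that a scheduled restore into an isolated environment can be compared against it without touching production; the time the drill takes is the evidence for "timely manner".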
Penetration Testing Services
▪ What is Penetration Testing?
  ▪ Penetration Testing is ethical hacking.
  ▪ If your company has computers, applications, email servers or devices that are connected to the internet then they are likely to be open to attack.
  ▪ Penetration testing finds the holes, discovers security weaknesses and helps you fix them.
▪ The Goals of Penetration Tests
  ▪ Determine the feasibility of a particular set of attack vectors
  ▪ Identify high-risk vulnerabilities arising from a combination of lower-risk vulnerabilities exploited in a particular sequence
  ▪ Identify vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
  ▪ Assess the magnitude of potential business and operational impacts of successful attacks
  ▪ Test the ability of network defenders to detect and respond to attacks
  ▪ Provide evidence to support increased investments in security personnel and technology
Example Penetration tests
Social Engineering
• Tests whether a person can be made to reveal sensitive information such as passwords or business-critical data
• Human error is the main cause of security vulnerabilities
Web application
• Verifies whether the application is exposed to security vulnerabilities
Physical
• All physical network devices and access points are tested for the possibility of a security breach
Network
• Identifies openings in the network through which entry could be made into the systems
Remote access
• Tests whether systems connected through modems can be logged into by password guessing or brute forcing
Wireless Security
• Discovers open, unauthorised or less secure hotspots and Wi-Fi networks and tests whether they can be connected through
Penetration Testing Services
▪ Experts take care of highly technical tests and work with your project teams to investigate those hard-to-find vulnerabilities
▪ Penetration Testing Report that includes detailed information:
  ▪ identified risks
  ▪ vulnerability findings
  ▪ an action plan to apply fixes
▪ Post-exploitation (clean-up) work, such as removing traces and backdoors and deleting logs, will also be conducted
Service areas: Web & Application; Device & IoT; Network & Infrastructure
Marketing of Secure Products
Companies that can demonstrate:
• industry security best practice for data
• conformance to the latest standards
• guidelines for customers to follow for security best practice
• ongoing checks on the threat landscape
build customer confidence, gain the trust of clients, win new business and increase sales.
Summary
▪ GDPR is going to drive the standard for data protection across Europe and the rest of the world.
▪ Companies must comply with the regulation or there is a high chance they will be subject to a large fine.
▪ Organisations must ensure the data they hold is safe and be able to demonstrate data security best practice.
T&VS Recommendation - Embrace GDPR
Companies should look on GDPR as a positive and utilise compliance as a way to demonstrate security best practice, ensuring customers continue to trust in their brand.
Let T&VS help ensure you are ready for the 25th May 2018:
▪ Guiding you through the challenging data privacy environment
▪ Compliance with the latest international regulations
▪ Review where you have GDPR data stored
▪ Analyse your infrastructure for potential weaknesses
▪ Provide security by design best practice
EXTRA SLIDES IF NEEDED
Engagement models & why TVS?
Engagement Models
• Onsite
• Offshore
• Access to our facility
• Nearshore
Why TVS?
• Cost for internal test capability is high
• Flexible resourcing models
• Testing experts
• Global offices
• Thought leaders:
  • Verification Conferences and Clubs
  • GDPR workshop
  • NMI IoT Security Foundation