
Data Security in GDPR - T&VS · TVS Application Security Testing services bridge the crucial...

Date post: 01-Oct-2020

Test and Verification Solutions

Data Security in GDPR

Delivering Tailored Solutions for Hardware Verification and Software Testing

Presentation to: UKTI - GDPR & Austin Startup Week


Copyright TVS Limited | Private & Confidential | Page 2

Agenda

▪ Intro to T&VS

▪ Why GDPR? & What are the threats?

▪ Data security in GDPR

▪ GDPR security testing

▪ Summary


TVS - Leaders in Verification

Global presence in all high-end technology locations:

▪ India - 2011

▪ UK - 2008

▪ Germany - 2011

▪ Singapore - 2014

▪ China

▪ South Korea

▪ USA - 2014

▪ Japan - 2016


Why GDPR? & What are the threats?


Data Privacy Security attacks


Varied types of data security incidents 2017

Source: ICO data trends 2017: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/09/data-security-incident-trends-q1/

[Chart: Cyber 'old' breach type vs. Cyber 'new' breach type]

Information Commissioner's Office: The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.


Threat Assessment

[Diagram labels: Threat Capability; Threat Accessibility; System Susceptibility; Successful Attack; Vulnerabilities; Attack Surface; Value to attacker; Logical and physical reachability; Resources; Techniques; Tools]


Supply Chain Implications

[Diagram: supply chain participants: IP Vendor; Comms Module Vendor; ODM – develops & makes device; Chip Vendor; SW Developer; Brand Owner - marketing & support services; End Users; OTS RTOS. Legend: certificated at every step / not approved, requires extra audit]

Data security considerations at every level


Data Security in GDPR


Data Security – GDPR articles

Article 25 - Data protection by design and by default

• Implement appropriate technical and organisational measures, such as:

• pseudonymisation & data minimisation

• integrate the necessary safeguards

• only personal data necessary for purpose of the processing

Article 32 – Security of processing

• Pseudonymisation & encryption of personal data

• Ability to ensure the confidentiality, integrity, availability and resilience

• The ability to restore access to personal data in a timely manner

• A process for regularly testing, assessing and evaluating

Article 33 - Notification of a personal data breach to the supervisory authority

• In the case of a personal data breach, the controller shall without undue delay notify the personal data breach to the supervisory authority

Article 34 - Communication of a personal data breach to the data subject

• If a personal data breach is likely to result in a high risk, the controller shall communicate the personal data breach without undue delay.

• The communication shall not be required if the controller has implemented appropriate technical protection measures

Article 35 - Data protection impact assessment

• If using new technologies is likely to result in a high risk, the controller shall carry out an assessment

• The assessment shall contain at least the measures envisaged to address the risks, including safeguards, security measures

▪ Accountability, responsibility, and the ability to demonstrate data privacy plans and implementations


GDPR Security Testing


T&VS 360 Security solutions

▪ TVS Application Security Testing services bridge the crucial security gap between perimeter defences and penetration testing

Security by design

• Don’t wait to come under attack, build in application security from the start

Regular security testing

• Discover vulnerabilities, assess their likely impact, recommend fixes and ultimately help protect your business.

Security gap analysis

• Review that the security approach is up to date and evolving

Ability to restore data

• Perform regular testing of backup and restore of data


Penetration Testing Services

▪ What is Penetration Testing?

  ▪ Penetration Testing is ethical hacking.

  ▪ If your company has computers, applications, email servers or devices that are connected to the internet then they are likely to be open to attack.

  ▪ Penetration testing finds the holes, discovers security weaknesses and helps you fix them.

▪ The Goals of Penetration Tests

  ▪ Determine feasibility of a particular set of attack vectors

  ▪ Identify high-risk vulnerabilities from a combination of lower-risk vulnerabilities exploited in a particular sequence

  ▪ Identify vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software

  ▪ Assess the magnitude of potential business and operational impacts of successful attacks

  ▪ Test the ability of network defenders to detect and respond to attacks

  ▪ Provide evidence to support increased investments in security personnel and technology


Example Penetration tests

Social Engineering

• Make a person reveal sensitive information such as passwords or business-critical data

• Human errors are the main cause of security vulnerabilities

Web application

• Verify if the application is exposed to security vulnerabilities

Physical

• All physical network devices and access points are tested for possibilities of any security breach

Network

• Identify openings in the network through which entry into the systems is being made

Remote access

• Log in to the systems connected through these modems by password guessing or brute forcing

Wireless Security

• Discovers open, unauthorized and less secure hotspots or Wi-Fi networks and connects through them


Penetration Testing Services

▪ Experts take care of highly technical tests and work with your project teams to investigate those hard-to-find vulnerabilities

▪ Penetration Testing Report that includes detailed information:

  ▪ identified risks

  ▪ vulnerability findings

  ▪ an action plan to apply fixes.

▪ Post-exploitation (clean-up) work such as removing traces, backdoors, and deleting logs will also be conducted

Web & Application

Device & IoT

Network & Infrastructure


Marketing of Secure Products

Companies that can demonstrate:

• industry security best practice for data

• conformance to latest standards

• guidelines for customers to follow for security best practice

• ongoing checks on the threat landscape

Build Customer Confidence

Gain trust of clients

Win new business

Increase sales


Summary

▪ GDPR is going to drive the standard for data protection across Europe and the rest of the world.

▪ Companies must comply with the regulation or there is a high chance they will be subject to a large fine.

▪ Organisations must ensure the data they hold is safe and be able to demonstrate data security best practice.


T&VS Recommendation - Embrace GDPR

Companies should look on GDPR as a positive and utilise compliance as a way to demonstrate security best practice to ensure customers continue to trust in their brand.

Let T&VS help ensure you are ready for the 25th May 2018:

▪ Guiding you through the challenging data privacy environment

▪ Compliance to the latest international regulations

▪ Review where you have GDPR data stored

▪ Analyse your infrastructure for potential weaknesses

▪ Provide security by design best practice


THANK YOU


EXTRA SLIDES IF NEEDED


Engagement models & why TVS?

Engagement Models

• Onsite

• Offshore

• Access to our facility

• Nearshore

Why TVS?

• Cost for internal test capability is high

• Flexible resourcing models

• Testing experts

• Global offices

Thought leaders:

• Verification Conferences and Clubs

• GDPR workshop

• NMI IoT Security Foundation

