From 25 May 2018 companies must be compliant with the GDPR. In this webinar, together with Varonis, we took stock of the roadmap to compliance.
15. Our mission is to protect data from insider threats and cyberattacks.
Operational Plan GDPR
Andrea Cantarelli – Business Development
acantarelli@varonis.com
16. GDPR: General approach
Step 1: Governance
• Nominate a DPO
• Set up a "GDPR Committee" (CISO / IT / DPO)
Step 2: Mapping
• Data processing inventory + applications / portals / contracts
• Classification / discovery for unstructured data
Step 2-bis: Align and quickly reduce the risk on data
• Delete stale data. Delete abusive access rights on listings
Step 2-ter: Protect
• Behavioral alerts to prevent data leakage or disclosure
Step 3: Prioritize & awareness
• Ex: website / intranet mentions
• Risk treatments
• Employee enablement
• VARONIS reports to make transparent / remind
Step 4: Manage the risks
• PIA - risk analysis for risk treatments
Step 5: Organize review & process adaptation
• Automate processes
• Continuous improvement
Step 6: Document
• See ISO PDCA / documentation of each step
17. Introduction: GDPR, also a story of unstructured data
GDPR objectives
People rights enforcement
• Access, rectification, forgetting, opposition ...
• Information
• Data retention ...
Personal data security
• Privacy Impact Assessment: privacy, integrity, availability
• Obligation to notify violations within 72 hours
• Privacy by design / by default
Business / Activity: B2B, B2C, support functions
Data processing: supplier management, payroll, services, retailer, ...
Data & Applications:
• Internet portal
• Business app.
• Unstructured data (Office shares, Office 365 - OneDrive, SharePoint, ...)
• Exports, listings
VARONIS compliance scope
18. Introduction: Value proposition
Structured data (ERP, CRM, ...): enterprise class solutions for business productivity (cloud like, search ...)
Unstructured data (file servers, SharePoint, Exchange, cloud platforms, ...) and Active Directory: DATA!
• HR, Customer, Supplier, Intellectual Property, Regulated Data, ...
• PHI (Personal Health Identifier)
• PII (Personal Information Identifier)
• PCI (Payment Card Industry)
• IP (Intellectual Property)
Varonis for GDPR:
• Discover sensitive data & classify
• Control access to data (permissions)
• Track, control & inspect data usage
• Analyze data and directory security
• Remediation & alignment
• Analytics & alerts
19. Align and quickly reduce the risk
Steps:
• Fix inconsistent/broken ACLs
• Eliminate global access groups around sensitive data
• Eliminate remaining global access groups
• Address AD artifacts (empty, unused security groups, non-expiring passwords, etc.)
• Address retention/disposition by quarantining, archiving, and deleting stale data
Benefits:
• Significant risk reduction
• Defensible position with respect to compliance
• More efficient usage of storage
• Reduced complexity increases operational efficiency
Requires: DA, DCF, AE, DS
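The "AD artifacts" and "global access groups" items above can be inventoried before any cleanup with a read-only sweep like the following. This is an added example, not part of the webinar or a Varonis tool; it assumes the RSAT ActiveDirectory module, read access to the domain and the shares, and that the share roots and the three-year staleness window are placeholders to adjust.

```powershell
# Added audit example (not from the webinar or Varonis): read-only inventory of
# empty security groups, non-expiring passwords, global-access ACEs and stale files.
Import-Module ActiveDirectory

# Assumed inputs: share roots to inspect and the retention window for "stale".
$ShareRoots = @('\\fileserver01\Finance', '\\fileserver01\HR')
$Cutoff     = (Get-Date).AddYears(-3)

# Well-known "global access" principals that should not sit on sensitive data ACLs.
$GlobalPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
                      "$((Get-ADDomain).NetBIOSName)\Domain Users")

# 1. Security groups with no members (removal candidates, after review).
$EmptyGroups = Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties Members |
    Where-Object { $_.Members.Count -eq 0 }

# 2. Enabled accounts whose password never expires.
$NonExpiring = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet

# 3. Share folders (root plus one level) where a global principal holds an ACE.
$GlobalAccess = foreach ($root in $ShareRoots) {
    $folders = @(Get-Item $root) + @(Get-ChildItem $root -Directory -Depth 1 -ErrorAction SilentlyContinue)
    foreach ($f in $folders) {
        foreach ($ace in (Get-Acl -Path $f.FullName).Access) {
            if ($GlobalPrincipals -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{ Path = $f.FullName; Principal = $ace.IdentityReference.Value
                                   Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

# 4. Files neither written nor read inside the retention window.
$Stale = foreach ($root in $ShareRoots) {
    Get-ChildItem $root -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -lt $Cutoff -and $_.LastAccessTime -lt $Cutoff }
}

# Report only; quarantine, archiving and group removal are separate, reviewed changes.
"Empty security groups: $($EmptyGroups.Count)";            $EmptyGroups | Select-Object Name, DistinguishedName
"Enabled accounts, non-expiring password: $($NonExpiring.Count)"; $NonExpiring | Select-Object SamAccountName, PasswordLastSet
"Global-access ACEs on share folders: $($GlobalAccess.Count)"; $GlobalAccess | Format-Table -AutoSize
"Stale files older than $($Cutoff.ToShortDateString()): $($Stale.Count)"
$Stale | Select-Object FullName, LastWriteTime, LastAccessTime | Export-Csv -NoTypeInformation -Path '.\stale-files.csv'
```

Each list is an input to the remediation steps on this slide, not a remediation itself; the stale-file CSV in particular is what a retention owner reviews before anything is quarantined.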
20. Deploy Varonis
• Map your environment
• Begin monitoring user/account/data behavior
• Start automated discovery/classification
• Prioritize and assess risks, identify sensitive data
• Prioritize scope by sensitivity, staleness, department criticality, etc.
Discovering your information heritage in the GDPR context: can be accomplished quickly
Requires: DA, DCF, DS
Classification / discovery for unstructured data
21. Protect / UBA alerts
Steps:
• Prioritize and create an incident response plan for alerts, including automated responses
• Train staff on day-to-day management, including reports, permissions and AD management, finding lost files, etc.
• Identify known data retention and disposition policies in a GDPR context
Benefits:
• Incident response plans and automation reduce the risk of data theft and loss
• Staff become more operationally efficient with day-to-day tasks
Requires: DA, DCF, DLS