GDPR is the most significant change to data protection in a generation and an imminent global issue that will dominate data privacy, management and regulation discussions in 2017. According to recent research, over half of businesses lack preparedness for GDPR. With a quarter of the EU’s grace period over and with fines of up to €20 million (or 4% of global turnover), there is a lot at stake for companies falling behind the May 2018 deadline. So, where do you start?
Join renowned information security consultant and GDPR expert, Brian Honan, along with Tim Erlin, Senior Director, Security and IT Risk Strategist at Tripwire as they walk you through the essential steps to accelerate your GDPR preparedness.
In this session you will learn:
• The key facts about the GDPR regulations
• The implications of the new rules and how they will impact your business
• Practical steps your business can take to prepare
• How your existing security frameworks (ISO/NIST/CSC) can help set the foundation
• How Tripwire can help
2. Who Am I?
• CEO of BH Consulting – Independent Information Security Firm
• Founder & Head of IRISSCERT – Ireland’s first Computer Emergency Response Team
• Special Advisor on Internet Security, Europol's CyberCrime Centre (EC3)
• Adjunct Lecturer at University College Dublin
• Expert Advisor to European Network & Information Security Agency (ENISA)
• Regularly comments on media stories – BBC, Forbes, Bloomberg, FT, Guardian, Sunday Times
5. “Why do you rob banks?” “Because that's where the money is.” – Willie Sutton
6. “Why do you hack companies?” “Because that's where the Data is.” – CyberWillie Sutton
7. What is GDPR?
• The EU General Data Protection Regulation (GDPR) is the update to the EU Data Protection Directive
• Came into Force 24th May 2016
• Will Apply Across All 28 EU Member States from 25th May 2018 (Just over 15 months to be ready)
8. What is GDPR?
• Updates the EU Data Protection Directive with a Strong Focus on Individuals’ Privacy Rights
• Harmonises the Data Protection Regime Across All 28 EU Member States
• Will Apply Across All 28 EU Member States
• Significant Obligations (and Fines) on Organisations Holding Personal Data
9. What is GDPR? – Personal Data
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
12. What it Means to The Individual
• The Right to be Informed
• The Right of Access
• The Right to Rectification
• The Right to Erasure (Otherwise Known As The Right to Be Forgotten)
• The Right to Restrict Processing
• The Right to Data Portability
• The Right to Object
• Rights in Relation to Automated Decision Making and Profiling
13. What it Means to Organisations
• Obtain Clear Consent
• Obtain Parental Consent if the Data Subject is Under 16
• Provide a Copy of an Individual’s Personal Data on Request
• Erase all Personally Identifiable Records if Requested
• Provide “Adequate Security”
• Privacy Impact Assessments
• One Supervisory Authority to Deal With
• You Can Select your Preferred Supervisory Authority
14. Mandatory Breach Notifications
• If a Personal Data Breach is “likely to result in a risk to the rights and freedoms of individuals”, Notify The Supervisory Authority Within 72 Hours of Becoming Aware of the Breach
• If a High Risk Breach is Likely To Affect the Rights and Freedoms of Individuals, “You Must Notify Those Concerned Directly”
15. Mandatory Breach Notifications
The Nature of the Personal Data Breach Including:
• Categories and Approximate Number of Individuals Impacted;
• Categories and Approximate Number of Personal Data Records Concerned;
• Contact Details of the Data Protection Officer or Other Contact Point;
• Description of Likely Consequences of the Personal Data Breach;
• Description of Measures Taken, or to be Taken, to Deal with the Breach;
• Measures (if appropriate) Taken to Mitigate any Possible Adverse Effects.
16. Appoint A Data Protection Officer
Mandatory For:
• A Public Authority (with some exceptions);
• Companies with:
  • Large Scale Systematic Monitoring of Individuals,
  • Large Scale Processing of Special Categories of Data,
  • Large Scale Processing of Data Relating to Criminal Convictions and Offences
The Data Protection Officer Must:
• Report to the Highest Management Level of the Organisation
• Operate Independently
• Not be Dismissed or Penalised for Performing their Task
• Have Adequate Resources Provided
17. Significant Fines
Supervisory Authority Can Fine:
• Up to €20,000,000 (or 4% of total annual global turnover, whichever is greater) for the most serious infringements
• Failing to notify a breach when required to do so can result in a significant fine of up to 10 million Euros or 2 per cent of your global turnover, On Top of the Fine for the Breach itself
An Individual(s) Can:
• Complain to the Supervisory Authority
• Right To Compensation
• Potential for Group Actions
18. Ready for GDPR? – Trend Micro's UK Study re GDPR
• 50% of UK IT decision makers were unaware of the impending legislation
• 25% adamant that compliance is not achievable
23. Use Existing Frameworks
• ISO/IEC 27001:2013 Information Security Standard
• ISO/IEC 27002:2013 Guidance
• NIST CyberSecurity Framework
• The Center for Internet Security – Critical Security Controls
30.
• Assess configurations against security policies – Extensive library of security configuration best-practices to establish and monitor configurations
• Detect unauthorized changes – Detection and alerts on all changes to established baseline: what, who and business context
• Identify risks on assets – Discover assets, vulnerabilities and malicious changes, and help automate the workflow and process of remediation
• Deal with security data overload – Automate manual processes associated with dealing with change: isolate and escalate changes and events of interest
31.
• Reduce the time spent on compliance – Out-of-the-box audit report templates, and automated compliance reporting
• Demonstrate compliance with standards – Industry’s most comprehensive library of policy tests for all major standards
• Produce data for audits and for forensics – Logging of changes to in-scope assets with details on who and when
• Maintain compliance over time – Continuous monitoring and reporting to flag remediation needed to stay compliant
35. 20 Critical Security Controls – Tripwire Solutions
• CSC1 Inventory of Authorized and Unauthorized Devices
• CSC2 Inventory of Authorized and Unauthorized Software
• CSC3 Secure Configurations for Hardware and Software
• CSC4 Continuous Vulnerability Assessment and Remediation
• CSC5 Controlled Use of Administrative Privileges
• CSC6 Maintenance, Monitoring, and Analysis of Audit Logs
• CSC7 Email and Web Browser Protections
• CSC8 Malware Defenses
• CSC9 Limitation and Control of Network Ports
• CSC10 Data Recovery Capability
• CSC11 Secure Configurations for Network Devices
• CSC12 Boundary Defense
• CSC13 Data Protection
• CSC14 Controlled Access Based on the Need to Know
• CSC15 Wireless Access Control
• CSC16 Account Monitoring and Control
• CSC17 Security Skills Assessment and Appropriate Training to Fill Gaps
• CSC18 Application Software Security
• CSC19 Incident Response and Management
• CSC20 Penetration Tests and Red Team Exercises
Most people know us for File Integrity Monitoring – this was our first product and we are still the best in the industry at detecting integrity changes and not just on files
We’ve added configuration and policy management to our core capability to make it more robust and useful, and added automation to reduce the workload associated with compliance management
We added log management capabilities to make sense of the data generated by your operations
And we acquired technology that helps you identify the biggest risks on your network, with the industry’s most precise risk scoring algorithm so you can set actionable priorities
We’ve integrated all these capabilities to work together seamlessly for real risk reduction
And finally we have an open architecture so we can exchange our unique asset state data with many of the most used vendors in the IT security and operations space