Symantec Webinar Part 6 of 6: GDPR Compliance, Breach Notification, Detection, and Response
1. The General Data Protection Regulation:
Leveraging Technology for Breach Detection,
Notification, and Response
Ken Durbin, CISSP
Sr. Strategist of Global Government
Affairs and Cyber Security,
Symantec
2. Legal Disclaimer
The materials contained in this presentation are not intended to provide, and
do not constitute or comprise, legal advice on any particular matter and are
provided for general information purposes only.
You should not act or refrain from acting on the basis of any material
contained in this presentation, without seeking appropriate legal or other
professional advice.
5. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
EU General Data Protection Regulation (GDPR)
TODAY: 28 interpretations of the Data Protection Directive
2018: One Data Protection Regulation, harmonized across all EU member states
Right to be forgotten
Parental consent
Data Protection Officer
Extra-territoriality of GDPR
Fines and penalties
Joint liability of controllers and processors
Mandatory breach notification
6. Who's Who in the Protection of Personal Data
DATA CONTROLLER
DATA SUBJECT
DATA PROCESSOR
DATA PROTECTION OFFICER
Data Protection Officers are designated persons responsible for making sure the
organization follows the new regulations.
DATA PROTECTION AUTHORITY
7. Who's Who in the Protection of Personal Data
The Regulatory Terms of Reference
Article 4 paragraph 12: THE BREACH
What can happen to data?
"… a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed"
Recital 75: THE IMPACT
What can happen to the data subject?
"The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage"
GDPR / DPA REQUIREMENT:
Prevent, Detect, Log, Report, Remedy
GDPR / DPA EXPECTATION:
Anticipate, Avoid, Mitigate, Compensate
8. Are You Impacted by the GDPR?
Does the organization process personal data? (Article 2(1))
No: The organization is not subject to the GDPR.
Yes: continue.
Is the organization established in the European Union? (Article 3(1))
Is the organization established in another location where a European Member State's law applies? (Article 3(3))
Yes to either: The organization is subject to the GDPR for personal data processing operations performed by or on behalf of its entity(-ies) established in the European Union.
Does the organization target individuals located in the European Union with commercial offerings? (Article 3(2)(a))
Does the organization monitor the behavior of individuals located in the European Union? (Article 3(2)(b))
Yes to either: The organization is subject to the GDPR for personal data processing operations related to such commercial offerings to, and/or monitoring of, individuals located in the European Union. The organization should appoint a representative in the European Union. (Article 3(2), Article 27)
No to all: The organization is not subject to the GDPR.
10. Breach Notification Requirements
Articles 33, 34, Recitals 83, 85, 86, 87
Provision / Requirement: Mandatory personal data breach notification, except if the data was adequately encrypted.
What it means: If you suffer a data breach, you must respond to it to understand and minimize the consequences, and you must report it within 72 hours to your competent authority and, if appropriate, also to the impacted individuals. However, no notification to the individuals is required where the data was adequately encrypted.
11. Should I Report My Breach?*
The controller becomes "aware" of a personal data breach and assesses risk to individuals.
Is the breach likely to result in a risk to individuals' rights and freedoms?
No: No requirement to notify supervisory authority or individuals.
Yes: Notify competent supervisory authority. If the breach affects individuals in more than one Member State, notify the lead supervisory authority.
Is the breach likely to result in a high risk to individuals' rights and freedoms?
No: No requirement to notify individuals.
Yes: Notify affected individuals and, where required, provide information on steps they can take to protect themselves from consequences of the breach.
All breaches recordable under Article 33(5). Breach should be documented and record maintained by the controller.
*Based on ARTICLE 29 DATA PROTECTION WORKING PARTY Annex A
12. Breach Notification Examples*
Example: A controller stored a backup of an archive of personal data encrypted on a USB key. The key is stolen during a break-in.
Notify the supervisory authority? No.
Notify the data subject? No.
Example: A controller maintains an online service. As a result of a cyber attack, personal data of individuals are exfiltrated.
Notify the supervisory authority? Yes, report to the supervisory authority if there are likely consequences to individuals.
Notify the data subject? Yes, report to individuals if the severity of the likely consequences to individuals is high.
Example: A brief power outage lasting several minutes at a controller's call center.
Notify the supervisory authority? No.
Notify the data subject? No.
Example: A controller suffers a ransomware attack which results in all data being encrypted. No back-ups are available and the data cannot be restored.
Notify the supervisory authority? Yes, report to the supervisory authority if there are likely consequences to individuals, as this is a loss of availability.
Notify the data subject? Yes, report to individuals the possible effect of the lack of availability of the data.
Example: A controller operates an online marketplace. The marketplace suffers a cyber-attack and usernames, passwords and purchase history are published online by the attacker.
Notify the supervisory authority? Yes, report to the lead supervisory authority if it involves cross-border processing.
Notify the data subject? Yes, as it could lead to high risk.
*Based on ARTICLE 29 DATA PROTECTION WORKING PARTY Annex B
13. Breach Notification Examples, cont.
Example: A website hosting company acting as a data processor identifies an error in the code which controls user authorization, allowing any user access to the account details of other users.
Notify the supervisory authority? As the processor, the website hosting company must notify its affected clients (the controllers) without undue delay.
Notify the data subject? If there is likely no high risk to the individuals, they do not need to be notified.
Example: Medical records in a hospital are unavailable for a period of 30 hours due to a cyber-attack.
Notify the supervisory authority? Yes, the hospital is obliged to notify, as high risk to patients' well-being and privacy may occur.
Notify the data subject? Yes, report to the affected individuals.
Example: Personal data of a large number of students are mistakenly sent to the wrong mailing list with 1000+ recipients.
Notify the supervisory authority? Yes, report to the supervisory authority.
Notify the data subject? Yes, report to individuals depending on the scope and type of personal data involved and the severity of possible consequences.
Example: A direct marketing e-mail is sent to recipients in the "to:" or "cc:" fields, thereby enabling each recipient to see the email addresses of the other recipients.
Notify the supervisory authority? Yes, notifying the supervisory authority may be obligatory if a large number of individuals are affected, sensitive data are revealed, or other factors present high risks (e.g. the mail contains the initial passwords).
Notify the data subject? Yes, report to individuals depending on the scope and type of personal data involved and the severity of possible consequences.
*Based on ARTICLE 29 DATA PROTECTION WORKING PARTY Annex B
15. The Symantec Data Loss Prevention Platform Architecture
16. Encrypt Personal Data with Symantec
The Symantec Encryption Portfolio
FILE & FOLDER ENCRYPTION: Protects individual files in transit and at rest from unauthorized parties
EMAIL ENCRYPTION: Protects email in transit and at rest from unauthorized parties
ENDPOINT ENCRYPTION: Renders data at rest on devices inaccessible to unauthorized parties
ENCRYPTION MANAGEMENT SERVER: Manages individual and group keys, creates encryption policies, and reports on encryption status. Third-party encryption management:
• BitLocker (Microsoft)
• FileVault (Apple)
• Opal compliant self-encrypting drives
PROTECT
17. Symantec Cloud Data Protection
Obfuscate Data with Tokenization
Diagram: User → Symantec Cloud Data Protection Gateway (backed by the Cloud Data Protection Token Map Repository) → Cloud Application
Example: enterprise defined a policy to protect FIRST NAME and LAST NAME fields in ServiceNow without impacting the cloud app's functionality (e.g. search, sort, e-mail)
PROTECT
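As an added illustration of the token-map approach on this slide (example code written for this page, not Symantec's Cloud Data Protection product), the block below keeps the plaintext of the policy fields only in an on-premises vault and sends the cloud app a random token of the same shape; the FIRST NAME / LAST NAME field names, the record and the search are constructed assumptions.

```python
import secrets
import string


class TokenVault:
    """Token map repository (constructed example): plaintext <-> token."""

    def __init__(self):
        self._to_token = {}   # plaintext -> token
        self._to_plain = {}   # token -> plaintext

    def token_for(self, value):
        """Existing token for a value, or None if it was never tokenized."""
        return self._to_token.get(value)

    def tokenize(self, value):
        if not value:
            return value                  # nothing to protect in an empty field
        if value in self._to_token:
            return self._to_token[value]  # same value -> same token: equality search keeps working
        while True:
            # Same length, letters only, so the app's field validation still passes;
            # drawn from secrets, so the token reveals nothing about the real name.
            token = "".join(secrets.choice(string.ascii_uppercase) for _ in value)
            if token not in self._to_plain and token != value.upper():
                break
        self._to_token[value] = token
        self._to_plain[token] = value
        return token

    def detokenize(self, token):
        return self._to_plain[token]


def outbound(vault, record, protected_fields):
    """Gateway, user -> cloud app: replace policy fields with tokens."""
    return {k: vault.tokenize(v) if k in protected_fields else v
            for k, v in record.items()}


def inbound(vault, record, protected_fields):
    """Gateway, cloud app -> user: restore plaintext for display."""
    return {k: vault.detokenize(v) if k in protected_fields else v
            for k, v in record.items()}


def cloud_search(stored, vault, field, query):
    """Equality search: the cloud app only holds tokens, so the gateway tokenizes
    the user's query first; a value the vault has never seen matches nothing."""
    needle = vault.token_for(query)
    return [r for r in stored if needle is not None and r.get(field) == needle]
```

Sorting the cloud app's tokens does not sort the underlying names; preserving sort order would need order-preserving tokens, which leak the relative order of the protected values, so that trade-off is the one to review in a gateway's field policy.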
18. Symantec Content Analysis and Malware Analysis
Multiple Engines Detect & Prevent Advanced Persistent Threats
Content Analysis (CAS), fed from the proxy via ICAP and via API:
Hash Reputation: Acceptable files passed through based on file reputation, whitelist/blacklist
Dual AV: Signatures evaluated for known bad
Predictive File Analysis: Analyzes code for malicious character
Broker to Sandbox (e.g. .JAR, .EXE files)
DETECT
19. Symantec Security Analytics
Can we quickly and thoroughly notify in the event of a breach?
Within 72 hours of detection,
the notification must:
a) Describe the nature of the personal
data breach including the categories
and number of data subjects
concerned and the categories and
number of data records concerned;
b) Recommend measures to mitigate the
possible adverse effects of the personal
data breach;
c) Describe the consequences of the
personal data breach;
d) Describe the measures proposed or
taken by the controller to address the
personal data breach.
• Security Analytics is able to provide full context of what happened before, during, and after a breach, including:
– How the breach occurred
– What data was compromised
– What measures are needed to resolve it
• Find all indicators of compromise associated with a data breach, including root cause analysis
• Records of what files were lost or compromised make it easy to identify personal data records that were lost
RESPOND
20. Symantec Cyber Security Services
Managed Cyber Defense
A Comprehensive Integrated Portfolio for Every Stage of the Attack Lifecycle
DeepSight Intelligence (before an attack): Track and analyze adversary groups and key trends and events around the globe for actionable intelligence
Managed Security Services (during an attack, DETECT): Detect and proactively hunt for targeted attacks, advanced threats and campaigns
Incident Response (after an attack, RESPOND): Respond quickly and effectively to credible security threats and incidents
Cyber Skills Development (preparing for an attack, PREPARE): Strengthen cyber readiness to build employee resiliency and prevent sophisticated attacks
World-Class Security Expertise > Reactive to Proactive > Integrated, End-to-End Security
21. Technology Considerations for the GDPR
Symantec Supports Across Data Privacy and Security
Advanced Breach Detection, Remediation, & Notification: ATP, Analytics, Endpoint, Email, Server, Web / CASB, Cyber Security Services
Personal Data Protection Everywhere: DLP, CASB, Web, CDP, Encryption
Technology Risk Management: DLP, Data Insight, CASB, Audit, CCS, EPM; Understand Data Risk; Understand, Report, and Remediate Compliance
Identity: VIP
Lifecycle functions covered: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
Unparalleled Threat Intelligence:
Endpoint: 175M endpoints protected
Email: 2Bn emails scanned/day
Web: 1.2Bn web requests secured/day
Physical & Virtual Workloads: 64K datacenters protected
Cloud Security: 12,000 cloud applications secured
23. GDPR Resources
Located in the Attachments Section of this Presentation
IDC GDPR Readiness Assessment: Benchmark your progress to GDPR compliance
Privacy by Design: Uncover how to adopt this approach to personal data security
Solving the Security Challenge: A technical review of GDPR and the recommended solutions
Symantec GDPR Website: Visit our website for a complete list of resources, tools, and on-demand videos
24. Why Symantec
World Class Information Protection
Global Leader in Cyber Security
Leading Breach Detection and Response
Unbiased and Lower Operating Costs
Compliance Monitoring & Reporting
State of the Art Technology
25. The General Data Protection Regulation:
Leveraging Technology for Breach Detection,
Notification, and Response
Ken Durbin, CISSP
Sr. Strategist of Global Government
Affairs and Cyber Security,
Symantec
Thank you!!