Gdpr action plan - ISSA
âąAls PPTX, PDF herunterladenâą
1 gefĂ€llt mirâą885 views
GDPR Action Plan - NJ ISSA - Sep 27 2017
Empfohlen
Empfohlen
Weitere Àhnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ăhnlich wie Gdpr action plan - ISSA
Ăhnlich wie Gdpr action plan - ISSA (20)
Mehr von Ulf Mattsson
Mehr von Ulf Mattsson (20)
KĂŒrzlich hochgeladen
KĂŒrzlich hochgeladen (20)
Gdpr action plan - ISSA
- 1. Do You Have a Roadmap for EU GDPR Compliance? Ulf Mattsson, CTO Security Solutions Atlantic BT
- 2. Ulf Mattsson Inventor of more than 55 Issued US Patents Industry Involvement: âą PCI DSS - PCI Security Standards Council Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs âą IFIP - International Federation for Information Processing âą CSA - Cloud Security Alliance âą ANSI - American National Standards Institute ANSI X9 Tokenization Work Group âą NIST - National Institute of Standards and Technology NIST Big Data Working Group âą User Groups Security: ISACA & ISSA Databases: IBM & Oracle 2
- 3. 3 3
- 4. 4 Verizon 2017 Data Breach Investigations Report Source: Verizon 2017 Data Breach Investigations Report 4
- 5. Source: Verizon 2017 Data Breach Investigations Report 5
- 6. Source: Verizon 2016 Data Breach Investigations Report 6 Source: Verizon 2016 Data Breach Investigations Report Verizon 2016 Data Breach Investigations Report â Breach Discovery
- 7. Source: Verizon 2016 Data Breach Investigations Report 7Source: Verizon 2016 Data Breach Investigations Report Verizon 2016 Data Breach Investigations Report â Malware
- 10. 10
- 11. Will You Ever Get Your Data 11
- 12. 12
- 13. 13
- 14. Ransomware are Getting Worse âą The cyber security solutions that are in place today are somewhat effective âą But a significant proportion of decision makers report that their problems with phishing âą Ransomware are getting worse over time âą For most of the cyber security capabilities that organizations have deployed to combat these threats, the majority of decision makers report they are not highly effective Source: Osterman Research, Inc., 2017 14
- 15. GDPR Action Plan A Members Owned Not-for-Profit Organisation 15
- 16. GDPR = Trust ENTERPRISE wide Trust © 2017 - The GDPR Institute - All Rights Reserved 16
- 17. Impact Do you control or process personal data about ANY EU Citizens? If so you have to be GDPR compliant by 25th May 2018 or manage the implications of the fines and the reputational damage of any and every Data Breach â including Customers Employees Suppliers © 2017 - The GDPR Institute - All Rights Reserved 17
- 18. The Institutesâ Purpose Create a community of Data Privacy, Data Security and Data Governance experts to assist Large, Medium and Small Organisations address the challenge and maximise the opportunity created by the General Data Protection Regulation GDPR Challenge Or GDPR Opportunity © 2017 - The GDPR Institute - All Rights Reserved 18
- 19. The Institutesâ Community Corporate Clients 61 Million Global Experts GDPR Consulting Providers GDPR Technology Solutions GDPR Audit Services GDPR Legal Advisors GDPR Training Providers GDPR Recruitment Services © 2017 - The GDPR Institute - All Rights Reserved 19
- 20. Bringing Together to Solve GDPR GDPR Defensible Position GDPR Consulting Providers GDPR Technology Solutions GDPR Legal Advisors GDPR Recruitment Services GDPR Training Providers GDPR Audit Services 61 Million Global Experts © 2017 - The GDPR Institute - All Rights Reserved 20
- 21. Opportunity or Challenge? 1. Fines 2. Loss of Customers 3. Reputational Damage COST of Compliance © 2017 - The GDPR Institute - All Rights Reserved 21
- 22. Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change GDPR = Enterprisewide Change Management Post Room Board Room People Process Technology Information © 2017 - The GDPR Institute - All Rights Reserved 22
- 23. Scale of Data Breaches http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ 23
- 24. You will have a Data Breach © 2017 - The GDPR Institute - All Rights Reserved 24
- 25. Key Questions 1. What Personal Data do you hold â Customer, Employee, Supplier, Contractor, Sub-Contractor, Citizen, Patient etc 2. Where is that Data Located? PC hard drive, Remote Storage or Backup Device, On Premise Database or Content Server, or in The Cloud 3. How are you using that Data? 4. Do you have Explicit or Implied Permission to use the data in the way you are using it? © 2017 - The GDPR Institute - All Rights Reserved 25
- 26. Compliance Gap Analysis Security Reviews Use Case Management Consent Management Technology Assessments Business Process Management The GDPR Roadmap Privacy Impact Assessment Legal Advice Detailed Readiness Assessment Educate & Train Subject Access Management Threat Detection Case Management GDPR Defensible Position Annual GDPR Audits © 2017 - The GDPR Institute - All Rights Reserved 26
- 27. Immediate Action Plan 1. Seek Legal Advice 2. Conduct a Privacy Impact Assessment 3. Complete a Readiness Assessment to address the key questions 4. Secure Executive Sponsorship and a meaningful budget 5. Develop a Consent Management Strategy 6. Build a Data Subject Access Request process before you get swamped 7. Ensure you have all your Breach Detection technology in place â Database, Content Repositories, Network Traffic, Dark Web 8. Prepare for the worst, and breathe a sigh of relief if it doesnât happen © 2017 - The GDPR Institute - All Rights Reserved 27
- 28. The GDPR Institute Helping you resolve YOUR GDPR Challenge & Maximise the GDPR Opportunity A Members Owned Not-for-Profit Organisation www.gdpr.institute 28
- 30. 30
- 31. 31
- 32. 32
- 34. 34
- 35. 35
- 36. 36
- 38. GDPR Already a Reality Source: Cordery Legal Compliance, UK, 2017 38
- 39. GDPR Rules Requires Data Protection Technology Source: Imperva, 2017 39
- 40. Case Studies
- 41. GDPR Case Studies 41 âą US and Spain â customer data âą Italy, Germany and more â financial data âą Germany â outsourcing âą Sweden â PII data
- 42. GDPR Simplified into 12 blocks 1. Legitimate basis for data: organizations must know and be able to prove that processing has a legitimate purpose. 2. Information you hold: organization should keep data only in so far as necessary. 3. Individuals rights: individuals (customerâŠ) have the right to ask questions about their personal data. 4. Consent: there should be explicit and clear consent for processing of personal data. 5. ChildrenÂŽs data: explicit consent of the childâs parents (or guardian) for minors less than 16 years of age. 6. Privacy notices: Organizations must transparently state their approach to personal data protection in a privacy notice. 7. Data breaches: Organizations must maintain a data breach register and, data subject should be informed within 72 hours. 8. Privacy by design: Mechanisms to protect personal data should be incorporated in design of new systems and processes. 9. Privacy impact assessment: organization must conduct a privacy impact assessment to review the impact and possible risks. 10. Data Protection Officers: organization should assess the need to assign a Data Protection Officer. 11. Third parties: The controller of personal data has the responsibility to ensure that personal data is protect 12. Awareness: To create awareness among your staff about key principles on data protection, conduct regular training. To know more read my book https://goo.gl/HMDRfk
- 43. Webcast title : EU GDPR Details âą Duration : 60 min âą Date & Time : Oct 25 2017 10:00 am âą Timezone : United States - New York âą Webcast URL : https://www.brighttalk.com/webcast/14723/269681
- 44. Data Security for Cloud, Big Data and Containers
- 45. Protect Sensitive Cloud Data Internal Network Administrator Attacker Remote User Internal User Public Cloud Examples Each sensitive field is protectedEach authorized field is in clear Cloud Gateway 45 Data Security Agents, including encryption, tokenization or masking of fields or files (at transit and rest) SecDevOps The issue is INTENTIONAL use of UNSANCTIONED public cloud storage for ease of use for corporate data
- 46. Securing Big Data - Examples of Security Agents Import de-identified data Export identifiable data Export audit for reporting Data protection at database, application, file Or in a staging area HDFS (Hadoop Distributed File System) Pig (Data Flow) Hive (SQL) Sqoop ETL Tools BI Reporting RDBMS MapReduce (Job Scheduling/Execution System) OS File System Big Data Data Security Agents, including encryption, tokenization or masking of fields or files (at transit and rest) 46 SecDevOps
- 47. Virtual Machines Docker Data Security Agents, including encryption, tokenization or masking of fields or files (at transit and rest) Source: http://www.slideshare.net/GiacomoVacca/docker-from-scratch SecDevOps SecDevOps 47
Hinweis der Redaktion
- Welcome to my session and Thank you for inviting me FinTech - Wikipedia https://en.wikipedia.org/wiki/Financial_technology Financial technology, also known as FinTech, is an industry composed of companies that use new technology and innovation to leverage available resources in . Cyber Risk Management in 2017: Challenges & Recommendations With cyber attacks on the rise, securing your data is more imperative than ever. In future, organizations will face severe penalties if their data isnât robustly secured. This will have a far reaching impact for how businesses deal with security in terms of managing their cyber risk. Join this presentation to learn the cyber security controls prescribed by regulation, how this impacts compliance, and how cyber risk management helps CISOs understand the degree these controls are in place and where to prioritize their cyber dollars and ensure they are not at risk for fines. Viewers will learn: - The latest cybercrime trends and targets - Trends in board involvement in cybersecurity - How to effectively manage the full range of enterprise risks - How to protect against ransomware - Visibility into third party risk - Data security metrics
- Will Your Data Be Sold?
- May 12 2017, 3:13 p.m. IN MID-APRIL, an arsenal of powerful software tools apparently designed by the NSA to infect and control Windows computers was leaked by an entity known only as the âShadow Brokers.â Not even a whole month later, the hypothetical threat that criminals would use the tools against the general public has become real, and tens of thousands of computers worldwide are now crippled by an unknown party demanding ransom. An infected NHS computer in Britain Gillian Hann The malware worm taking over the computers goes by the names âWannaCryâ or âWanna Decryptor.â It spreads from machine to machine silently and remains invisible to users until it unveils itself as so-called ransomware, telling users that all their files have been encrypted with a key known only to the attacker and that they will be locked out until they pay $300 to an anonymous party using the cryptocurrency Bitcoin. At this point, oneâs computer would be rendered useless for anything other than paying said ransom. The price rises to $600 after a few days; after seven days, if no ransom is paid, the hacker (or hackers) will make the data permanently inaccessible (WannaCry victims will have a handy countdown clock to see exactly how much time they have left). Ransomware is not new; for victims, such an attack is normally a colossal headache. But todayâs vicious outbreak has spread ransomware on a massive scale, hitting not just home computers but reportedly health care, communications infrastructure, logistics, and government entities. Reuters said that âhospitals across England reported the cyberattack was causing huge problems to their services and the public in areas affected were being advised to only seek medical care for emergencies,â and that âthe attack had affected X-ray imaging systems, pathology test results, phone systems and patient administration systems.â The worm has also reportedly reached universities, a major Spanish telecom, FedEx, and the Russian Interior Ministry. In total, researchers have detected WannaCry infections in over 57,000 computers across over 70 countries (and counting â these things move extremely quickly). View image on TwitterView image on Twitter Follow ïŒïŒïŒą @dodicin A ransomware spreading in the lab at the university 7:24 AM - 12 May 2017 1,711 1,711 Retweets 1,340 1,340 likes According to experts tracking and analyzing the worm and its spread, this could be one of the worst-ever recorded attacks of its kind. The security researcher who tweets and blogs as MalwareTech told The Intercept, âIâve never seen anything like this with ransomware,â and âthe last worm of this degree I can remember is Conficker.â Conficker was a notorious Windows worm first spotted in 2008; it went on to infect over 9 million computers in nearly 200 countries. Most importantly, unlike previous massively replicating computer worms and ransomware infections, todayâs ongoing WannaCry attack appears to be based on an attack developed by the NSA, code-named ETERNALBLUE. The U.S. software weapon would have allowed the spy agencyâs hackers to break into potentially millions of Windows computers by exploiting a flaw in how certain versions of Windows implemented a network protocol commonly used to share files and to print. Even though Microsoft fixed the ETERNALBLUE vulnerability in a March software update, the safety provided there relied on computer users keeping their systems current with the most recent updates. Clearly, as has always been the case, many people (including in government) are not installing updates. Before, there would have been some solace in knowing that only enemies of the NSA would have to fear having ETERNALBLUE used against them â but from the moment the agency lost control of its own exploit last summer, thereâs been no such assurance. Today shows exactly whatâs at stake when government hackers canât keep their virtual weapons locked up. As security researcher Matthew Hickey, who tracked the leaked NSA tools last month, put it, âI am actually surprised that a weaponized malware of this nature didnât spread sooner.â Screenshot of an infected computer via Avast. The infection will surely reignite arguments over whatâs known as the Vulnerabilities Equity Process, the decision-making procedure used to decide whether the NSA should use a security weakness it discovers (or creates) for itself and keep it secret, or share it with the affected companies so that they can protect their customers. Christopher Parsons, a researcher at the University of Torontoâs Citizen Lab, told The Intercept plainly: âTodayâs ransomware attack is being made possible because of past work undertaken by the NSA,â and that âideally it would lead to more disclosures that would improve the security of devices globally.â But even if the NSA were more willing to divulge its exploits rather than hoarding them, weâd still be facing the problem that too many people really donât seem to care about updating their software. âMalicious actors exploit years old vulnerabilities on a routine basis when undertaking their operations,â Parsons pointed out. âThereâs no reason that more aggressive disclose of vulnerabilities through the VEP would change such activities.â A Microsoft spokesperson provided the following comment: Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt. In March, we provided a security update which provides additional protections against this potential attack. Those who are running our free antivirus software and have Windows updates enabled, are protected. We are working with customers to provide additional assistance. Update: May 12, 2017, 3:45 p.m. This post was updated with a comment from Microsoft. Update: May 12, 2017, 4:10 p.m. This post was updated with a more current count of the number of affected countries.
- Will You Ever Get Your Data Back?
- SPONSOR OF THIS WHITE PAPER KnowBe4 is the worldâs most popular integrated Security Awareness Training and Simulated Phishing platform. Realizing that the human element of security was being seriously neglected, KnowBe4 was created to help organizations manage the problem of social engineering through a comprehensive new-school awareness training approach.
- Risk Assessment. We evaluate your digital footprint and infrastructure to find and resolve vulnerabilities in your network, databases, applications, storage, and other infrastructure. Data Security. We map the flow of data across your digital footprint, applications environment, library framework, source code, and storage to pinpoint risks before they turn into attacks. Secure Hosting. We create dynamic, cloud-based environments with inside-out security controls to protect your systems and storage from attacks and other service disruptions. Application Security. We practice âsecure by designâ discipline in our software development. This protects your custom applications by automating secure coding standards and testing at every step. Integrated Tools. We architect holistic security solutions that integrate traditionally siloed tools to give you a lean and flexible security stackâreducing the effects of tools sprawl and wasted level of effort. Monitoring and Contingency Plans. We monitor your systems, applications, and digital interactions for threats and architect back-up capabilities to quickly restore service if a breach occurs. https://www.atlanticbt.com/services/cybersecurity/
- Risk Assessment. We evaluate your digital footprint and infrastructure to find and resolve vulnerabilities in your network, databases, applications, storage, and other infrastructure. Data Security. We map the flow of data across your digital footprint, applications environment, library framework, source code, and storage to pinpoint risks before they turn into attacks. Secure Hosting. We create dynamic, cloud-based environments with inside-out security controls to protect your systems and storage from attacks and other service disruptions. Application Security. We practice âsecure by designâ discipline in our software development. This protects your custom applications by automating secure coding standards and testing at every step. Integrated Tools. We architect holistic security solutions that integrate traditionally siloed tools to give you a lean and flexible security stackâreducing the effects of tools sprawl and wasted level of effort. Monitoring and Contingency Plans. We monitor your systems, applications, and digital interactions for threats and architect back-up capabilities to quickly restore service if a breach occurs. https://www.atlanticbt.com/services/cybersecurity/
- Risk Assessment. We evaluate your digital footprint and infrastructure to find and resolve vulnerabilities in your network, databases, applications, storage, and other infrastructure. Data Security. We map the flow of data across your digital footprint, applications environment, library framework, source code, and storage to pinpoint risks before they turn into attacks. Secure Hosting. We create dynamic, cloud-based environments with inside-out security controls to protect your systems and storage from attacks and other service disruptions. Application Security. We practice âsecure by designâ discipline in our software development. This protects your custom applications by automating secure coding standards and testing at every step. Integrated Tools. We architect holistic security solutions that integrate traditionally siloed tools to give you a lean and flexible security stackâreducing the effects of tools sprawl and wasted level of effort. Monitoring and Contingency Plans. We monitor your systems, applications, and digital interactions for threats and architect back-up capabilities to quickly restore service if a breach occurs. https://www.atlanticbt.com/services/cybersecurity/
- The reason for high interest is based on the Cloud Gateway Benefits Example Eliminates the threat of third parties exposing your sensitive information Delivers a secure and uncompromised SaaS user experience Identifies malicious activity and proves compliance to third parties and detailed audit trails Eases cloud adoption process and acceptance Product is transparent and has close to 0% overhead impact Simplifies compliance requirements Ability to outsource a portion of your IT security requirements Eliminates data residency concerns and requirements Greatly reduces cloud application security risk Enables partner access to your sensitive data Controls cloud security from the enterprise Protects your business from third party access
- Data protection at database, application or file Data protection in a staging area 3. Volume encryption in Hadoop 4. Hbase, Pig, Hive, Flume and Scope using protection API 5. MapReduce using protection API 6. File and folder encryption in HDFS 8. Export de-identified data 7. Import de-identified data 9. Export identifiable data 10. Export audit s for reporting
- Examples of Services That Can Fill The Gap Security Services Audit & Assessment Services Application Security Consulting Managed Vulnerability Scanning Security Tools Implementation Virtual CISO Application Services Application Hosting  & Cloud Migration            IT Consulting & Information Architecture Software Development & User Experience Design