Navigating GDPR from a cyber security perspective
- Identify the personal data you collect and where data is stored - Is it stored appropriately? How are you protecting the data from a cyber standpoint? Are your applications secure, regularly tested and designed with security in mind? Can you prove this?
- Review your internal policies, including a review of the security breach response policy. - Incident response, DR and BCP. What happens if something goes badly wrong? What happens in the event of a breach? Do I have mitigation controls and notification procedures in place?
- Review the type of data processing carried out, identify the legal basis for the processing and document it. - Do you need all that client data you possess, and do you have a legal basis for storing client data?
- Review how you handle all applicable clients' rights, including the deletion of personal data, right to be forgotten (RTBF).
- Review if and how you seek, obtain and record client consent and whether any changes are needed. - Do clients know you are storing their data and what you are using it for? Have they consented to what you are doing? Can you prove this?
- Review your external privacy policies and EULAs and do a refresh with necessary changes for transparency and relevancy.
- Review and update your processor/subprocessor and third-party agreements. Third-party risk for upstream and downstream processors of your clients' data. - You can outsource the service but not the risk. Do you know if your B2B partners are secure, store your client data properly and don't use it for any reason other than what is agreed? Do they have a policy to reflect this and how is it policed? How often do they get technical security assessments of the systems used to process your clients' data? How do they demonstrate this?
- Review the lawful basis for the transfer of personal data outside the EU. If you transfer data outside of the EU are you permitted to do so by the data owner (client)?
Cyber-security, GDPR, Articles and Controls:
The new General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC and is enforceable as of May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations.
The GDPR does suggest actions to take in order to be compliant, such as a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
From a cybersecurity standpoint this covers aspects such as technical assessment, patching and maintenance, vulnerability management, threat detection/prevention, asset and service profiling and visibility, and overall better governance of an organisation's digital estate and technical controls.
• EU GDPR – Article 32, Security of Processing
• Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
GDPR in effect is mandating that appropriate technical security controls are required amongst other equally important controls (citizen access and control of their data) to ensure a level of security based on the data and risk/impact of disclosure of such information.
“to ensure a level of security appropriate to the risk” is an important aspect which should be considered. Given that a firm may be the custodian of a user's financial or Personally Identifiable Information (PII), there is a duty of care to protect the data and ensure proper authorisation and security controls surround it.
From a technical standpoint, security assessments and vulnerability management are some of the tools used to help maintain that level of assurance.
edgescan provides continuous assessment of technical systems in order to help discover vulnerabilities which may lead to a breach. The “win” in using edgescan is that you have an auditable history of all assessments and of each individual vulnerability, showing the vulnerability lifecycle, so you can easily demonstrate compliance and continuous improvement.
The idea of a single or bi-annual assessment is becoming unsustainable given the rate of change of systems, particularly in cloud-based deployments.
The ability to assess security posture on an ongoing basis, using a combination of automation and human intelligence, is gaining traction globally, resulting in cost reduction and increasing rigor, depending on the vendor used.
There is a trend in the industry to move towards Managed Security Services Providers (MSSPs) and to leverage experts who deliver services such as vulnerability management on a full-time basis. An MSSP should address requirements where you don’t have in-house expertise.
EU GDPR - Recitals of Interest
• Recital (78) The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this regulation are met.
Appropriate technical measures are easily confirmed and identified using edgescan as a complete security history can be reviewed for any period of time on an on-going basis.
In a reasonably fast-moving technical environment which undergoes frequent change (e.g. a cloud environment or Agile system development methodologies), an annual or bi-annual security assessment to help ensure the security of the systems in scope may seem like a reasonable approach, but the risk lies in the rate of change of the environment and the resulting window of exposure due to the infrequency of technical security assessment.
Continuous assessment as per the edgescan service helps you maintain constant vigilance in order to assist with GDPR compliance.
• In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default...
Demonstrating compliance in relation to cyber security is easily delivered as the edgescan portal delivers a complete history of all vulnerabilities (web & infrastructure) discovered and closed over the entire licensing period.
Many of our clients in highly regulated industries use edgescan to demonstrate to external auditors the constant assessment approach they have adopted to cyber security.
Data Protection by default can be assessed in both pre-production environments and deployed production systems. Using edgescan to detect and mitigate vulnerabilities (via WAF integration) is core to being able to demonstrate compliance.
• Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.
“You can’t improve what you can’t measure”; edgescan gives our clients the ability to continuously improve by tracking security posture at any point in time. The metrics supplied by edgescan let our clients easily focus on the most common vulnerability and its root cause, and identify quick wins in a clear and easy fashion.
• When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.
In pre-production environments edgescan gives our clients the ability to assess the security of a solution quickly and on-demand. This assists with detection of cyber security issues before a system is deployed to production, resulting in a “secure by default” posture.
• Recital (49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.
• This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.
Detecting weaknesses of the security posture in an ever-changing environment is core to what edgescan provides. Our fullstack approach to security gives our users visibility of both web application and supporting host/cloud security.
As new deployments and features are delivered, edgescan automatically assesses the security posture of the deployment and associated subsystems.
This approach, including validation of all discovered vulnerabilities by our experts, in effect removes the need for expensive consulting firms and also improves security resilience on an ongoing basis.
• Recital (81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.
edgescan’s continuous and on demand fullstack approach provides sufficient guarantees that your systems are constantly being assessed for security weaknesses. Provision of historical assessment frequency, vulnerability data and proof of continuous improvement and vigilance is what is required to be GDPR compliant. You can easily demonstrate compliance with
• Recital (83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.
• Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.
• In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.
edgescan detects weaknesses in cyber security posture so you can quickly address issues as they are found. Via our API, alerting or integration you can easily and quickly understand risks by priority, evaluate potential impacts, and prevent the destructive forces of being hacked and the associated fines of being non-GDPR compliant.
Want to know more:
Client reviews: Gartner Peer Insights
GDPR Document: EU GDPR