Presentation is loading. Please wait.

Presentation is loading. Please wait.

GDPR Security: How to do IT? IT reediness for competitive advantage

Published byShona Reynolds Modified over 5 years ago

Similar presentations

Presentation on theme: "GDPR Security: How to do IT? IT reediness for competitive advantage"— Presentation transcript:

1 GDPR Security: How to do IT? IT reediness for competitive advantage
NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholder to insert your own image. Reza Alavi 20/09/2018 Information Security Audit Control Consultancy (ISACC)©

2 GDPR is approaching fast: 25th May 2018
20/09/2018 Information Security Audit Control Consultancy (ISACC)©

3 What is GDPR? GDPR concerns the protection and free movement of “personal data” 20/09/2018 Information Security Audit Control Consultancy (ISACC)©

4 Information Security Audit Control Consultancy (ISACC)©
GDPR Background 20/09/2018 Information Security Audit Control Consultancy (ISACC)©

5 Information Security Audit Control Consultancy (ISACC)©
The Brexit question? The UK firms treating identifiable personal data will need to comply with the GDPR, irrespective of Brexit. The UK government has confirmed it and the Information Commissioner Office (ICO) endorsed it. 20/09/2018 Information Security Audit Control Consultancy (ISACC)©

6 Information Security Audit Control Consultancy (ISACC)©
GDPR Chart Chapters 20/09/2018 Information Security Audit Control Consultancy (ISACC)©

7 Concepts/Players Security ≠ Privacy
DPIA (Data Protection Impact Assessment) Personally Identifiable Information (PII) DPO (Data Protection Officer) / GDPR Owner PIMS (Personal Information Management System) DPPS (Data Protection Policy Statement) DP (Data processor) DC (Data Collector) Confidentiality, Integrity, Availability, Authenticity, Compliance, Resilience, Correctness ICO (Information Commissioner Office - UK) EU (European Union 28 countries, soon 27!) NIST (National Institute for Standards and Technology) 20/09/2018 Information Security Audit Control Consultancy (ISACC)©

8 GDPR Main Characteristics
Scope Consent Fines and Penalties Privacy by Design Data Protection Impact Analysis (DPIA or PIA) Data Portability Right to Access Right to be Forgotten Breach Notification 20/09/2018 Information Security Audit Control Consultancy (ISACC)©

9 Where to Start: Roadmap
Identify GDPR Data Map GDPR Data Mapping GDPR data to the Risks Mapping safeguarding requirements to data classification Mapping safeguarding requirements to the IT governance framework Confidentiality, Integrity, Availability, Authenticity, Compliance, Resilience and Correctness 20/09/2018 Information Security Audit Control Consultancy (ISACC)©

10 Information Security Audit Control Consultancy (ISACC)©
Roadmap (Cont.) Resilience is related to business continuity and DR Adequate incident management GDPR requires Authenticity and Corrective Action Management 20/09/2018 Information Security Audit Control Consultancy (ISACC)©

11 Information Security Audit Control Consultancy (ISACC)©
Roadmap (Cont.) Minimisation: Least Privilege Pseudonymisation: the processing of personal data in a way that they can no longer be attributed to a specific data subject Encryption of all communication, file systems, storage, backups, ….. Documentation: all relevant matters to be documented for the purpose of change management Risk Assessment (GDPR does not instruct any security measures but requires the RA to be performed. But which Risk? Data Protection Impact Assessment (DPIA) or Privacy Impact Analysis (PIA) – ISO/IEC31000 or ISO/IEC29134) Implementation of SIEM, Security Analytics, MDM,… 20/09/2018 Information Security Audit Control Consultancy (ISACC)©

12 DATA Protection Policy Statement (DPPS)
Organisations should answer the following questions in regards to DPPS: what will be done? what resources will be required? who will be responsible? when it will be completed? how the results will be evaluated? 20/09/2018 Information Security Audit Control Consultancy (ISACC)©

13 DATA Protection Policy Statement (DPPS) (Cont.)
DPPS describes the GDPR compliance which is relevant to other policies such as the Information Security Policy The Board of Directors should approve and support the development, implementation, maintenance and continual improvement of a documented Personal Information Management System (PIMS). BoD are responsible and accountable The establishment of objectives for data protection and privacy, which are in PIMS and GDPR Objectives Record. 20/09/2018 Information Security Audit Control Consultancy (ISACC)©

14 DATA Protection Policy Statement (DPPS) (Cont.)
Data Protection Officer (DPO)/GDPR owner, is responsible for reviewing the register of processing annually in the light of any changes to organisation’s activities. The DPPS should be applied to all Employees/Staff Partners and any third parties working with or for the organisation, and who have or may have access to personal data, will be expected to have read, understood and to comply with DPPS. 20/09/2018 Information Security Audit Control Consultancy (ISACC)©

15 Standards and Guidelines
ISO 27000:2014 ISO 27001:2013 ISO/IEC 27017:2015 ISO 27018:2014 ISO/EC 29151 ISO/IEC 29100 ISO/IEC 29134:2017 ISO/IEC 29151:2017 COBIT ISO 31000 NIST 20/09/2018 Information Security Audit Control Consultancy (ISACC)©

16 Information Security Audit Control Consultancy (ISACC)©
IT Must Ensure: Implement controls to reduce risk of data being compromised but make sure controls really manage risks Authentication and Authorisation provided to a single entity of GDPR data The creation of a single application allocated to GDPR data All systems and services are monitored Incident management process is in place 20/09/2018 Information Security Audit Control Consultancy (ISACC)©

17 GDPR Misunderstandings
Fine obscurity It is not just about EU Citizens GDPR is not simply a DLP To purchase new solution doesn’t cover everything Outsourcing doesn’t let us to be free 20/09/2018 Information Security Audit Control Consultancy (ISACC)©

18 Information Security Audit Control Consultancy (ISACC)©
Concluded Points Data classifications and risk assessment are at the heart of GDPR thus, GDPR will be tied up to risks management and assurance objectives. The maturity level of risk mitigation and IT governance defines the maturity of GDPR readiness. GDPR will reinforce the IT security governance framework for organisations who have one. For those who don’t have it, will create a legal purpose to build one. GDPR will help organisations to build effective, more secure IT services and systems and create an environment of trust and simplification of complex IT security measures. 20/09/2018 Information Security Audit Control Consultancy (ISACC)©

19 Information Security Audit Control Consultancy (ISACC)©
Thank you All! Dr. Reza Alavi Cyber Security Lead  Tel: +44 (0) @SecurityVPeople 20/09/2018 Information Security Audit Control Consultancy (ISACC)©

Download ppt "GDPR Security: How to do IT? IT reediness for competitive advantage"

Similar presentations

WHY CHOOSE CEO-PE?  We employ International Association of Privacy Professionals (IAPP) Certified and Health Insurance Portability & Accountability Act.

WHY CHOOSE CEO-PE?  We employ International Association of Privacy Professionals (IAPP) Certified and Health Insurance Portability & Accountability Act.
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
Www.adira.org Philippe LE TERTRE IS Governance Consultant  Founder and managing partner of VADEGIS (company specialized in Information System Management.

Philippe LE TERTRE IS Governance Consultant  Founder and managing partner of VADEGIS (company specialized in Information System Management.
Applied Technology Services, Inc. Your Partner in Technology www.appliedtechnologyservices.com Applied Technology Services, Inc. Your Partner in Technology.

Applied Technology Services, Inc. Your Partner in Technology Applied Technology Services, Inc. Your Partner in Technology.
IT Governance: COBIT, ISO17799 & ITIL. Introduction COBIT ITIL ISO17799Others.

IT Governance: COBIT, ISO17799 & ITIL. Introduction COBIT ITIL ISO17799Others.
The EU General Data Protection Regulation Frank Rankin.

The EU General Data Protection Regulation Frank Rankin.
Alex Ezrakhovich Process Approach for an Integrated Management System Change driven.

Alex Ezrakhovich Process Approach for an Integrated Management System Change driven.
Internal Audit Section. Authorized in Section 20.055, Florida Statutes Section 20.055, Florida Statutes (F.S.), authorizes the Inspector General to review.

Internal Audit Section. Authorized in Section , Florida Statutes Section , Florida Statutes (F.S.), authorizes the Inspector General to review.
How Prepared are Nordic CIOs for GDPR Compliance?

How Prepared are Nordic CIOs for GDPR Compliance?
General Data Protection Regulation (EU 2016/679)

General Data Protection Regulation (EU 2016/679)
An Information Security Management System

An Information Security Management System
Data Protection Officer’s Overview of the GDPR

Data Protection Officer’s Overview of the GDPR
Accountability & Structured Privacy Management

Accountability & Structured Privacy Management
The future of data protection: General Data Protection Regulation

The future of data protection: General Data Protection Regulation
GDPR (General Data Protection Regulation)

GDPR (General Data Protection Regulation)
Running a Privacy Impact Assessment (PIA)

Running a Privacy Impact Assessment (PIA)
Microsoft 365 Get help with regulatory compliance

Microsoft 365 Get help with regulatory compliance
WORLD OF CLOUD COMPUTING AFTER GDPR challenges, opportunities and the unknown Matjaž Drev, MA. National Supervisor for Personal Data Protection, Information.

WORLD OF CLOUD COMPUTING AFTER GDPR challenges, opportunities and the unknown Matjaž Drev, MA. National Supervisor for Personal Data Protection, Information.
Presentation to GTMC on GDPR

Presentation to GTMC on GDPR
GDPR – What’s it all about???

GDPR – What’s it all about???

Similar presentations

Ads by Google