In May 2018, the General Data Privacy Regulation will take effect, significantly altering the way organizations handle and store data.
At 200 pages and 99 articles, the comprehensive regulation is primarily intended to strengthen security and privacy protections around individual data, which it enforces by subjecting organizations to stricter requirements, adding new requirements – such as breach notification – and increasing fines on organizations that fail to comply.
GDPR applies to all organizations that control or process data within the EU as well as those that control or process data related to EU residents. This means that, while GDPR is rooted in the EU, organizations in the U.S. that handle data from EU residents are very much impacted as well.
Among other things, organizations will be required to maintain a data breach detection plan, regularly evaluate the effectiveness of security practices, and document evidence of compliance. However, GDPR doesn’t provide specific technical direction, meaning that organizations will be independently responsible for establishing and maintaining the best practices needed to uphold outlined data security requirements. With this in mind, below are nine steps to prepare for the security requirements within GDPR.
Step 1: Implement a Security Information and Event Management (SIEM) tool with log management capabilities.
Article 30 of GDPR states that every controller must track and record all processing activities under its responsibility. To do this, organizations typically leverage a SIEM tool, which centralizes logs from applications, systems and networks, allowing companies to monitor all user and system activity and to identify any suspicious or malicious behavior.
Users can create a view of what has occurred to investigate suspicious behavior, including analyzing what kind of attack method was utilized and looking at related events, source IP addresses, destination IP addresses and other details. Organizations with data stored in the cloud should ensure that their SIEM tool can record activity not only on-premises but also across the public and private cloud infrastructure, as personal data held there also falls within the scope of GDPR.
Step 2: Create an inventory of all critical assets that store or process sensitive data.
Because GDPR covers all IT systems, networks and devices, organizations must maintain an ongoing inventory of where personal data is stored across the entire infrastructure. This seems simple on the surface, but can be a difficult task, especially in public cloud environments and in cases where employees are using BYOD or non-IT-sanctioned assets.
It’s worth noting that organizations with employees that process or store data on unapproved devices are still liable and subject to regulatory fines in the event of an attack, so it’s critical that all components of an organization’s IT system are identified and monitored. There are a variety of asset discovery tools available to help organizations continually keep track of where sensitive data is held.
Step 3: Undertake vulnerability scanning to identify weaknesses.
New vulnerabilities arise almost daily, whether they’re in software, system configuration, business logic or processes. Therefore, organizations must stay on top of these with regular vulnerability scanning. It’s also important to determine the threat level of each vulnerability by considering factors such as:
- Does the affected system fall within the scope of GDPR?
- How critical is the threat? (i.e. how many personal records could be exposed?)
- Have intrusions or exploits been attempted on the vulnerable asset?
- Is the vulnerability being exploited by attackers in the wild, and if so, how?
Here too, it is equally important to monitor cloud environments in addition to on-premises environments.
Step 4: Conduct risk assessments and apply threat models relevant to the business.
Organizations must identify and evaluate all of their security risks, not just vulnerabilities. Article 35 of GDPR mandates data protection impact assessments (DPIAs), and Article 32 requires companies to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” This mandate is intentionally broad so that organizations can leverage whichever information security framework provides the best understanding of the risks facing their systems. NIST and ISO / IEC 27001 are a few common and effective options.
Step 5: Regularly test your systems to gain assurance that security controls are working as designed.
Article 32 addresses the security of personal data processing by demanding thatorganizations create a procedure to regularly analyze the effectiveness of their security controls. This is by no means an easy feat (and becomes increasingly difficult as organizations grow and expand their technology stacks). However, three possible strategies to validate the effectiveness of security controls include:
- Using manual assurance (e.g., audits, assurance reviews, penetration testing and red-team activities).
- Using automated assurance technologies.
- Consolidating and integrating security products (so that fewer point products need to be managed and reported on).
It’s important to note that ensuring that systems are secured as intended is not a one-time effort; rather, it must be an ongoing, repeatable process.
Step 6: Put threat detection controls in place to ensure reliable and timely notification when a breach has occurred.
GDPR requires that organizations report a breach to the appropriate regulatory body within 72 hours of becoming aware of it. For high-risk incidents, impacted data subjects must be notified without undue delay (Article 31). In order to be able to discover, adequately understand and respond to breaches so quickly, organizations must have threat detection controls in place to trigger immediate alerts around incidents. Users can then develop an understanding of the threat by collecting and correlating events, and referencing reliable threat intelligence, and then responding promptly as needed.
Step 7: Monitor network and user behavior to identify and investigate security incidents in a timely manner.
It is imperative that organizations maintain an understanding not only of external threats but also of potential internal threats. Internal threats often stem from unauthorized data access. To determine whether internal incidents are threats or not, it’s important to consider the context in which corporate data is accessed. For example, an abundance of Skype traffic in the sales team’s network is probably a normal part of operations, but a burst in Skype traffic in the database server that houses a customer list is likely an indicator of a security issue.
Monitoring user behavioral patterns also helps determine whether an anomalous incident should be considered a threat. An example of a tool that does this is NetFlow, which provides high-level trends related to what protocols are used, identifies which hosts use the protocol, and calculates the associated bandwidth usage. When used in conjunction with a SIEM, users can orchestrate alerts to be sent whenever NetFlow goes above or below certain thresholds.
Step 8: Have a documented and practiced incident response plan.
To meet GDPR’s 72-hour breach notification rule, organizations need threat detection controls and processes in place to alert them to incidents, but they also need a data breach response plan that allows them to quickly and accurately determine the scope of impact. The first steps of the response plan should focus on investigating all related events to establish a timeline and determine the source of the attack and the steps needed to contain the incident.
It’s a good idea to prioritize – and document – all response and remediation tactics, as organizations will be required to inform regulators of all steps taken.
Step 9: Have a communication plan in place to notify relevant parties.
Finally, upon completion of these steps, organizations should evaluate whether personal data was breached to determine if reporting is required under GDPR. If so, the notification that organizations are required to send to the regulatory body within 72 hours must include all of the following:
- Describe the nature of the breach.
- Provide the name and contact details of the organization’s data protection officer.
- Describe the likely consequences of the breach.
- Describe the measures taken or proposed to be taken by the data controller to address the breach and mitigate its adverse effects.
If personal data has been impacted, organizations will also be required to inform any affected EU citizens of the incident in question.
Preparing for GDPR can seem like a daunting task, but organizations that follow the above steps and are equipped with the right security tools and strategies can rise to the challenge and strengthen their security – particularly their threat detection and response abilities – significantly along the way.
Register or login for access to this item and much more
All Information Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access