On the Radar: IBM Resilient applies incident response orchestration to GDPR data breaches

Transcription

1 On the Radar: IBM Resilient applies incident response orchestration to GDPR data breaches An incident response orchestration platform tailored to GDPR breach management needs Publication Date: 24 Oct 2018 Product code: INT Alan Rodger

2 Summary Catalyst The EU General Data Protection Regulation (GDPR) legislation requires any organization that processes personal data of data subjects in the EU to notify appropriate authorities of personal data breaches within 72 hours. An additional obligation requires notification of affected data subjects without undue delay. Failing to meet these requirements exposes the non-compliant organization to fines of 20m euros or 4% of annual revenues, whichever is greater. Meeting these requirements brings new challenges to corporate security incident response teams and requires collaboration with and across other corporate functions such as legal, privacy, and governance, risk, and compliance (GRC) teams. Key messages IBM Resilient ships with the breach notification regulations for the 28 EU member states. Built in guidance and templates makes it easier for users to progress the breach management and reporting process through incident submission, analysis, and notification. IBM has created a privacy-focused risk assessment to help customers determine who to notify in case of a breach. Ovum view The IBM Resilient Incident Response Platform was already a mature and well-adopted solution prior to its application to the requirements arising from GDPR. Organizations challenged by the compliance obligations will find the GDPR-related instructions, workflows, and templates provide a step-by-step approach to enable efficiency and compliance in meeting the 72-hour breach notification deadline. Recommendations for enterprises Why put IBM Resilient on your radar? IBM Resilient spans both security and privacy breach use cases. The Resilient Privacy Module is designed to help improve corporate incident response and breach notification processes and has been updated to reflect the needs arising from GDPR (plus details of regulatory authorities within all 28 EU member states), with significant input from customers. IBM says the solution is integrated with one of the world s largest breach-notification databases, and offers detailed workflows for complying with specific regulations in the event of a breach. Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 2

3 Highlights Background Resilient Systems was founded in 2010 to address the increase in cybersecurity risks and threats. It was acquired by IBM in 2016 and is now part of IBM Security, organizationally. IBM says the solution now has more than 300 customers globally, across 39 countries and verticals including financial, healthcare, retail, services, technology, manufacturing, federal, education, and critical infrastructure. About a quarter of customers are Fortune 1000 companies, 60 of which are in the Fortune 500, and over half of customers are midsize organizations (with annual revenues in excess of $100m). From acquisition in 2016 to early 2018, customer numbers grew by 134%. Current position The IBM Resilient Privacy Module, part of the overall incident response platform, enables organizations to keep abreast of and comply with various breach notification regulations, including GDPR, and to build and manage workflow-based processes for use where a breach occurs. In 2018, the solution was updated with details of the breach notification regulations for the 28 EU member states, with guidance on choosing the relevant Supervisory Authority in line with the GDPR Article 29 Working Party. New features added to help with GDPR compliance include: Risk assessment for GDPR breaches that contains guidance and examples to help with assessment completion. The "Notify Supervisory Authority" workflow task, which provides instructions about who to notify, what must be included in the notification, and how to notify. Resilient also provides the relevant notification template, and the option to provide follow-on notification if notifying in phases. The Notify Affected Individuals workflow task, which provides instructions on what must be included in the notification, guidance on acceptable formats, and a notification template. The Document Breach workflow task, which prompts and guides users about how best to document incidents. The IBM Resilient Privacy Module can now therefore guide organizations through the required response steps for dealing with GDPR-related data-loss incidents, especially in meeting the regulatory 72-hour deadline. Incidents can be manually submitted or automatically generated via integrations with help desk/ticketing, security information and event management (SIEM), and data lost prevention (DLP) systems. Resilient has specialist integrations with more than 100 security tools. The solution is compliant with the Business Process Model and Notation (BPMN) standard, and ships with out-of-the-box runbooks based on industry good practices. Its Workflow Editor enables customers to define more complex processes for incident handling and management, with unlimited notifications/alerts, approvals, and escalations. Configurable timers can be included to enable adherence to GDPR s 72-hour deadline, because customers can break down the overall 72 hours into relevant segments with sub-timers and alerts related to specific tasks. Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 3

4 Reminders and alerts built in to workflows can be integrated with critical event management solutions such as Whispir and Everbridge to distribute urgent communications. Orchestration can also be used to automatically invoke required activities, such as the immediate triggering of a conference call for a preselected group of people/roles. The solution also provides a GDPR simulation capability, enabling organizations to rehearse or informally audit their processes and responses, and to train people in GDPR data breach scenarios. Data sheet Key facts Table 1: Data sheet: IBM Resilient Product name IBM Resilient Product classification Security incident response/orchestration Version number v.31 Release date May 2018 Industries covered All Geographies covered All Relevant company sizes Midsize and larger Licensing options SaaS or Perpetual URL resilientsystems.com Routes to market Direct and IBM-approved VARs Company headquarters Cambridge, MA, US Source: Ovum Appendix On the Radar On the Radar is a series of research notes about vendors bringing innovative ideas, products, or business models to their markets. Although On the Radar vendors may not be ready for prime time, they bear watching for their potential impact on markets and could be suitable for certain enterprise and public sector IT organizations. Further reading The importance and breadth of GDPR obligations on data breach reporting should not be underestimated, INT (May 2018) Author Alan Rodger, Senior Analyst, Infrastructure Solutions Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 4

5 Ovum Consulting We hope that this analysis will help you make informed and imaginative business decisions. If you have further requirements, Ovum s consulting team may be able to help you. For more information about Ovum s consulting capabilities, please contact us directly at consulting@ovum.com. Copyright notice and disclaimer The contents of this product are protected by international copyright laws, database rights and other intellectual property rights. The owner of these rights is Informa Telecoms and Media Limited, our affiliates or other third party licensors. All product and company names and logos contained within or appearing on this product are the trademarks, service marks or trading names of their respective owners, including Informa Telecoms and Media Limited. This product may not be copied, reproduced, distributed or transmitted in any form or by any means without the prior permission of Informa Telecoms and Media Limited. Whilst reasonable efforts have been made to ensure that the information and content of this product was correct as at the date of first publication, neither Informa Telecoms and Media Limited nor any person engaged or employed by Informa Telecoms and Media Limited accepts any liability for any errors, omissions or other inaccuracies. Readers should independently verify any facts and figures as no liability can be accepted in this regard readers assume full responsibility and risk accordingly for their use of such information and content. Any views and/or opinions expressed in this product by individual authors or contributors are their personal views and/or opinions and do not necessarily reflect the views and/or opinions of Informa Telecoms and Media Limited. Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 5

6 CONTACT US ovum.informa.com INTERNATIONAL OFFICES Beijing Dubai Hong Kong Hyderabad Johannesburg London Melbourne New York San Francisco Sao Paulo Tokyo