Embedding GDPR into the SDLC

Similar documents
Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

V Conference on Application Security and Modern Technologies

EU GDPR & ISO Integrated Documentation Toolkit integrated-documentation-toolkit

Knowing and Implementing the GDPR Part 3

Google Cloud & the General Data Protection Regulation (GDPR)

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

The Common Controls Framework BY ADOBE

EXAM PREPARATION GUIDE

EU General Data Protection Regulation (GDPR) Achieving compliance

Data Protection and GDPR

SECURITY & PRIVACY DOCUMENTATION

Eco Web Hosting Security and Data Processing Agreement

WORKSHARE SECURITY OVERVIEW

Q&A for Citco Fund Services clients The General Data Protection Regulation ( GDPR )

Cloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops.

ARBOR DDoS PRODUCTS IN A GDPR COMPLIANT ENVIRONMENT. Guidelines and Frequently Asked Questions

DATA PROTECTION POLICY THE HOLST GROUP

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

The Role of the Data Protection Officer

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

BHBIA New Data Protection Rules. Pharma Company Perspective. Guy Murray Director, Market Research & Analytics, GC&BI MR Operations and Compliance, MSD

Breach Notification in the GDPR Era. Speakers: Sam Pfeifle, IAPP Dennis Holmes, PwC

Manchester Metropolitan University Information Security Strategy

Data Processing Clauses

GDPR: Is it just another regulation or a great opportunity for operational excellence? Athens, February 2018

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

SDLC Maturity Models

General Data Protection Regulation (GDPR)

Data Protection Policy

SCHOOL SUPPLIERS. What schools should be asking!

PS Mailing Services Ltd Data Protection Policy May 2018

Data Processing Agreement

Protecting your data. EY s approach to data privacy and information security

Cybersecurity Considerations for GDPR

GDPR: A QUICK OVERVIEW

How the GDPR will impact your software delivery processes

AWS Webinar. Navigating GDPR Compliance on AWS. Christian Hesse Amazon Web Services

LBI Public Information. Please consider the impact to the environment before printing this.

OWASP - SAMM. OWASP 12 March The OWASP Foundation Matt Bartoldus Gotham Digital Science

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

Information Security Controls Policy

BHConsulting. Your trusted cybersecurity partner

Information Security. How to be GDPR compliant? 08/06/2017

An Introduction to the ISO Security Standards

Information Security In Pakistan. & Software Security As A Quality Aspect. Nahil Mahmood, Chairman, Pakistan Cyber Security Association (PCSA)

ngenius Products in a GDPR Compliant Environment

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

All you need to know and do to comply with the EU General Data Protection Regulation

Smart Software Licensing tools and Smart Account Management Privacy DataSheet

DATA PROTECTION ISACA MALTA CHAPTER BIENNIAL CONFERENCE Saviour Cachia Commissioner for Information and Data Protection

External Supplier Control Obligations. Cyber Security

01.0 Policy Responsibilities and Oversight

Checklist: Credit Union Information Security and Privacy Policies

GDPR compliance: some basics & practical to do list

General Data Protection Regulation

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

Security Management Models And Practices Feb 5, 2008

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

General Data Protection Regulation (GDPR) The impact of doing business in Asia

Arkadin Data protection & privacy white paper. Version May 2018

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

Unified Communications Phase 2 Presentation to IT Services Users Group

Whiteboard Hacking / Hands-on Threat Modeling. Introduction

Cyber Security Program

A company built on security

The NIS Directive and Cybersecurity in

Accelerate GDPR compliance with the Microsoft Cloud

GDPR: A GUIDE TO READINESS

Will your application be secure enough when Robots produce code for you?

Managing SaaS risks for cloud customers

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

IAPP-OneTrust Research: Bridging ISO to GDPR

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

TEL2813/IS2820 Security Management

Oracle Data Cloud ( ODC ) Inbound Security Policies

CSA GUIDANCE VERSION 4 S TAT E O F T H E A R T CLOUD SECURITY AND GDPR NOTES. Hing-Yan Lee (Dr.) EVP, APAC, Cloud Security Alliance

GDPR: A technical perspective from Arkivum

GDPR is coming in less than 2 months Are you ready?

NYDFS Cybersecurity Regulations

The checklist is dynamic, not exhaustive, and will be updated regularly. If you have any suggestions or comments, we would like to hear from you.

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Information Technology Branch Organization of Cyber Security Technical Standard

WELCOME ISO/IEC 27001:2017 Information Briefing

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

Version 1/2018. GDPR Processor Security Controls

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

RMS(one) Solutions PROGRESSIVE SECURITY FOR MISSION CRITICAL SOLUTIONS

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

THE NEW EU DATA PROTECTION REGULATION: WHAT IS IT AND WHAT DO WE NEED TO DO? KALLIOPI SPYRIDAKI CHIEF PRIVACY STRATEGIST, EUROPE

Our agenda. The basics

Altius IT Policy Collection Compliance and Standards Matrix

Charting the Course to GDPR: Setting Sail

First aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018

Certified Information Security Manager (CISM) Course Overview

GDPR How to Comply in an HPE NonStop Environment. Steve Tcherchian GTUG Mai 2018

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

General Data Protection Regulation (GDPR)

DATA PROCESSING AGREEMENT

Transcription:

Embedding GDPR into the SDLC Sebastien Deleersnyder Siebe De Roovere Toreon 2

Who is Who? Sebastien Deleersnyder Siebe De Roovere 5 years developer experience 15+ years information security experience Application security consultant Toreon Belgian OWASP chapter founder OWASP volunteer www.owasp.org 4 years Governance, Risk, Compliance (GRC) Information Security experience Information Security (ISO27001 implementor) Privacy (certified DPO) GRC security consultant at Toreon IAPP (international association of privacy professionals) member. https://iapp.org/ 11-May-2017 Embedding GDPR into the SDLC 3

Agenda GDPR Introduction SDLC/SAMM Introduction Embedding GDPR into the SDLC Conclusions & Next Steps Q&A 11-May-2017 Embedding GDPR into the SDLC 4

GDPR General Data Protection Regulation Directly applicable within EU + UK 25 th of may 2018 Goals Unification of Privacy Legislation Improve protection of personal data and data subject rights 11-May-2017 Embedding GDPR into the SDLC 5

What is Personal Data? Personal data is all information related to an identified or identifiable person ( data subject ). Card number, IP address, biometric, user id, email address, employee mobile phone traffic data, surf history, employee mailbox, 11-May-2017 Embedding GDPR into the SDLC 6

GDPR 7 Principles Justification Transparency Finality Proportionality Accuracy Confidentiality Accountability Legal Privacy by Design Information Security DevOps 11-May-2017 Embedding GDPR into the SDLC 7

GDPR Article 25. Privacy by Design & Default GDPR Secure Development GDPR Content implement appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 32. Security of Processing The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate tothe risk 35. DPIA s Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact on the protection of personal data. 11-May-2017 Embedding GDPR into the SDLC 8

SDLC SAMM Coding guidelines Configuration guidelines DESIGN BUILD TEST PRODUCTION web / mobile application project (acquisition / development) Threat modeling Source code review (static) Security testing (dynamic) WAF tuning TRAINING 11-May-2017 Embedding GDPR into the SDLC 9

OWASP SAMM For each of the Business Functions, 3 Security Practices are defined The Security Practices cover areas relevant to software security assurance Each one is a silo for improvement 11-May-2017 Embedding GDPR into the SDLC 10

Mapping GDPR / SAMM SAMM Domains GDPR Articles SM Strategy & Metrics 5, 24, 32, 33 PC Policy & Compliance 7, 24, 32, (12-21) EG Education & Guidance 37, 39 TA Threat Assessment 25, 35 SR Security Requirements 24, 28, 32 SA Secure Architecture 25 DR Design Review 24, 25, 30, 32 IR Implementation Review 24, 25, 32 ST Security Testing 24, 25, 32 IM Issue Management 33, 34, 39 EH Environment Hardening 25, 33 OE Operational Enablement 32, 33 11-May-2017 Embedding GDPR into the SDLC 11

SM Strategy & Metrics SAMM Estimate overall business risk profile Build and maintain assurance program roadmap Classify data and applications based on risks Establish and measure per classification security goals Conduct periodic industrywide cost comparisons Collect metrics for historic security spenditure GDPR Include privacy/gdpr within Entreprise Risk Management Create a GDPR implementation Roadmap and involve DPO Create a Personal Data Inventory (Records of Processing), integrate this with an application security classification scheme. DPIA threshold questionnaire Define personal data risks within applications / 11-May-2017 Embedding GDPR into the SDLC 12

PC Policy & Compliance SAMM Identify and monitor external compliance drivers Build and maintain compliance guidelines Build policies and standards for security and compliance Establish project audit experience Create compliance gates for projects Adopt solution for audit data collection GDPR GDPR isan external compliance driver Build and maintain GDPR policies and processes and integrate GDPR into existing Info. Sec. and operational policies, processes and guidelines. Build and maintain GDPR policies and processes and integrate GDPR into existing Info. Sec. and operational policies, processes and guidelines. DPO should monitor GDPR compliance within the organization. DPO should monitor and approve security of new developed applications at different timeframes in the project 11-May-2017 Embedding GDPR into the SDLC 13

EG Education & Guidance SAMM Conduct technical security awareness training Build and maintain technical guidelines Conduct role-specific application security training Utilize security coaches to enhance projects teams Create formal application security support portal Establish role-based examination and certification GDPR Include GDPR requirements (opt-in, consent details, information portability ) in secure coding guidelines The DPO should raise GDPR awareness within the organization. The DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and implementation practices. 11-May-2017 Embedding GDPR into the SDLC 14

TA Threat Assessment SAMM Build and maintain application specific threat models Develop attacker profile from software architecture Build and maintain abusecase models per project Adopt a weighting system for measurement of threats Explicitly evaluate risk from third-party components Elaborate threat models with compensating controls GDPR Include DPIA threshold analysis in threat modeling phase. If appropriate perform a full DPIA. / Conduct due diligence on processors 11-May-2017 Embedding GDPR into the SDLC 15

Data Protection Impact Assessment (DPIA) Methodology for identifying and mitigating compliance nonconformities and personal data risks. A DPIA should contain at least: Description of processing and purposes Legitimate interests pursued by controller List of recipients & processors of personal data Proportionality Assessment Assessment Data Subject Rights Foreseen measures to control security & compliance risks Identification and quantification of risks Additional security & compliance risk mitigating measures Timeframes to implement additional controls Describe Identify Mitigate 11-May-2017 Embedding GDPR into the SDLC 16

SR Security Requirements SAMM Derive security requirements from business functionality Evaluate security and compliance guidance for requirements Build an access control matrix for resources and capabilities Specify security requirements based onknown risks Build security requirements into supplier agreements Expand audit program for security requirements GDPR Add GDPR security compliance requirements (opt-in, consent details, information portability ) Consider extra security controls to protect privacy sensitive information Apply least privilege, need to know and segregation of duties principles Create audit trail of data access Apply data retention requirements Consider encryption of data (stored or in transit) Have data processing agreement in place with suppliers (and include security requirements at the same time). Verify that data is not transferred out of Europe 11-May-2017 Embedding GDPR into the SDLC 17

SA Security Architecture SAMM Maintain list of recommended software frameworks Explicitly apply security principles to design Identify and promote security services and infrastructure Identify security design patterns from architecture Establish formal reference architectures and platforms Validate usage of frameworks, patterns, and platforms GDPR Apply privacy by design principles. Apply minimization / pseudonymization if possible (risk based approach, comply or explain) Apply encryption (risk based approach, comply or explain) / / 11-May-2017 Embedding GDPR into the SDLC 18

DR Design Review SAMM Identify software attack surface Analyze design against known security requirements Inspect for complete provision of security mechanisms Deploy design review service for project teams Develop data-flow diagrams for sensitive resources Establish release gates for design review GDPR Review design against GDPR controls decided during previous phases. / / 11-May-2017 Embedding GDPR into the SDLC 19

IR Implementation Review SAMM Create review checklists from known security requirements Perform point-review of highrisk code Utilize automated code analysis tools Integrate code analysis into development process Customize code analysis for application-specific concerns Establish release gates for code review GDPR Include GDPR checks in security reviews/reporting / / 11-May-2017 Embedding GDPR into the SDLC 20

ST Security Testing SAMM Derive test cases from known security requirements Conduct penetration testing on software releases Utilize automated security testing tools Integrate security testing into development process Employ application-specific security testing automation Establish release gates for security testing GDPR Include GDPR checks in security reviews/reporting Assure pseudonymisation and/or anonymization of test data Minimize orremove production data from test environments Consider/review privacy scanning tools (e.g. IAAP OneTrust that scans for cookies, tags, forms and policies ) / 11-May-2017 Embedding GDPR into the SDLC 21

VM- Vulnerability Management SAMM Define contact point for data breaches Create informal security response team Establish consistent incident response process Adapt a security issue disclosure process Conduct root-cause analysis for incidents Collect per-incident metrics GDPR DPO should be notified of all Data Breaches Organization must be able to identify data breaches Data Protection Authorities and affected Data subjects must be notified / 11-May-2017 Embedding GDPR into the SDLC 22

EH Environment Hardening SAMM Maintain operational environment specification Identify and install critical security upgrades and patches Establish routine patch management process Monitor baseline environment configuration status Identify and deploy relevant operations protection tools Expand audit program for environment configuration / GDPR Privacy by default (most privacy friendly setting should be the default setting) Forward / trigger on privacy or security related alerts/logs (automate with WAF, SIEM) 11-May-2017 Embedding GDPR into the SDLC 23

OE Operational Enablement SAMM Capture critical security information for deployment Document procedures for typical application alerts Create per-release change management procedures Maintain formal operational security guides Expand audit program for operational information Perform code signing for application components GDPR Identify/document breach indicators to assure timely followup (for DPA notification) Include GDPR considerations in the operational security guides to demonstrate compliance! / 11-May-2017 Embedding GDPR into the SDLC 24

Use Case Project ongoing with customer Combined SAMM, GDPR & PCI assessment Integrated approach Security group & champions in the development teams Anonymized questionnaire will be shared with the SAMM project 11-May-2017 Embedding GDPR into the SDLC 25

Integrate GDPR! Do not bold on extra compliance activities Integrate compliance in appsec / infosec activities Add GDPR epics and stories to product backlog & include in sprints. 11-May-2017 Embedding GDPR into the SDLC 26

Advantages GDPR and SDLC re-inforce each other (ab)use GDPR to start SDLC (business case) Improve SDLC by including GDPR activities SDLC deliverables with GDPR demonstrate compliance 11-May-2017 Embedding GDPR into the SDLC 27

Key Success Factors Extend your appsec community with DPO & legal allies. Turn your DPO into an SDLC advocate 11-May-2017 Embedding GDPR into the SDLC 28

Next steps Share the mappings with the OWASP SAMM project Improve GDPR / SAMM activity mappings at OWASP Summit Feedback & improvements will be included! http://owaspsummit.org/ 11-May-2017 Embedding GDPR into the SDLC 29

11-May-2017 Embedding GDPR into the SDLC 30

That s all folks OWASP: seba@owasp.org Toreon: seba@toreon.com / siebe.deroovere@toreon.com 11-May-2017 Embedding GDPR into the SDLC 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback