File Transfer and the GDPR

Similar documents
AN IPSWITCH WHITEPAPER. 7 Steps to Compliance with GDPR. How the General Data Protection Regulation Applies to External File Transfers

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

Understand & Prepare for EU GDPR Requirements

Are You Avoiding These Top 10 File Transfer Risks?

GDPR Controls and Netwrix Auditor Mapping

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

EU General Data Protection Regulation (GDPR) Achieving compliance

MiContact Center Business Important Product Information for Customer GDPR Compliance Initiatives

Data Sheet The PCI DSS

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE

Network Security Policy

SECURE DATA EXCHANGE

How the GDPR will impact your software delivery processes

Google Cloud & the General Data Protection Regulation (GDPR)

Islam21c.com Data Protection and Privacy Policy

General Data Protection Regulation (GDPR) The impact of doing business in Asia

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant

General Data Protection Regulation (GDPR) Key Facts & FAQ s

Data Protection and GDPR

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

Prohire Software Systems Limited ("Prohire")

SWIFT SERVICES. Enabling the global exchange of electronic financial messages. Delivering value. Enabling success. Integrated Services

PCI DSS and VNC Connect

GLBA. The Gramm-Leach-Bliley Act

Secure Access & SWIFT Customer Security Controls Framework

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Sarbanes-Oxley Act (SOX)

Site Builder Privacy and Data Protection Policy

GDPR How to Comply in an HPE NonStop Environment. Steve Tcherchian GTUG Mai 2018

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Achieving End-to-End Security in the Internet of Things (IoT)

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

The Role of the Data Protection Officer

WHITE PAPER. Meeting GDPR Challenges with Delphix. KuppingerCole Report

A guide to understanding the implications of GDPR on print and document management

PCI DSS and the VNC SDK

GDPR Update and ENISA guidelines

SONICWALL SECURITY HEALTH CHECK SERVICE

Secure coding practices

Getting ready for GDPR

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

General Data Protection Regulation

SARBANES-OXLEY (SOX) ACT

Eco Web Hosting Security and Data Processing Agreement

Best Practices for PCI DSS Version 3.2 Network Security Compliance

How Managed File Transfer Addresses HIPAA Requirements for ephi

GDPR: A technical perspective from Arkivum

Cyber security tips and self-assessment for business

IBM Security Guardium Analyzer

The isalon GDPR Guide Helping you understand and prepare for the legislation

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Guide to Cyber Security Compliance with GDPR

SDL Privacy Policy Cloud Services

SONICWALL SECURITY HEALTH CHECK PSO 2017

A Practical Look into GDPR for IT

Online Services Security v2.1

General Data Protection Regulation. May 25, 2018 DON T PANIC! PLAN!

Meeting GDPR Requirements with GoAnywhere MFT

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

Compliance in 5 Steps

Safeguarding Cardholder Account Data

The GDPR data just got personal

Watson Developer Cloud Security Overview

NEWSFLASH GDPR N 8 - New Data Protection Obligations

University of Sunderland Business Assurance PCI Security Policy

PCI DSS Compliance. White Paper Parallels Remote Application Server

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

Projectplace: A Secure Project Collaboration Solution

SONICWALL SECURITY HEALTH CHECK SERVICE

EU-R VIDEO SECURITY, DATA PROTECTION AND DATA SECURITY

Data Security and Privacy at Handshake

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

General Data Protection Regulation (GDPR) and the Implications for IT Service Management

SCHOOL SUPPLIERS. What schools should be asking!

Data Protection Policy

ARBOR DDoS PRODUCTS IN A GDPR COMPLIANT ENVIRONMENT. Guidelines and Frequently Asked Questions

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

Information Security Controls Policy

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

GLOBAL DATA PROTECTION POLICY

Information Security Practices

Introduction. The Safe-T Solution

G DATA Whitepaper. The new EU General Data Protection Regulation - What businesses need to know

SECURITY & PRIVACY DOCUMENTATION

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core

Website Privacy Notice

WHITEPAPER. Security overview. podio.com

Data Protection Policy

Daxko s PCI DSS Responsibilities

EU Data Protection Agreement

TRACKVIA SECURITY OVERVIEW

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

EBOOK The General Data Protection Regulation. What is it? Why was it created? How can organisations prepare for it?

Transcription:

General Data Protection Regulation Article 32 (2): In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Preparing for GDPR The General Data Protection Regulation (GDPR) has been accepted by the European Parliament and Council and becomes law on May 25, 2018. The GDPR sets a high standard for data protection and applies to any organisation that processes, or controls the processing of, the personal data of EU residents. Failure to comply with the GDPR can result in penalties of 20 million or 4% of worldwide annual turnover, whichever amount is greater. The GDPR defines two types of organisations whose activities are regulated; Controllers and Processors. A processor is any organisation that collects, processes, stores or transmits personal data of EU citizens. A controller is an organisation that directs the processors activities. This extends the responsibility of the original data collector (the controller in this case) to the actual processing of data by an outsourcer or business partner (the processor). Under GDPR, both collectors and processors are responsible for data protection and both are subject to fines for non-compliance. In Controller/Processor relationships, it behooves both parties to coordinate compliance efforts with regards to data transfers. Whichever side of the equation they fall on, organisations will need to review ARTICLE 32(1): CONTROLLERS AND PROCESSORS MUST ENSURE A LEVEL OF SECURITY APPROPRIATE TO THE RISK. ARTICLE 32(2): ACCOUNT SHALL BE TAKEN IN PARTICULAR OF THE RISKS PRESENTED... FROM ACCIDENTAL, LOSS, ALTERATION, UNAUTHORISED DISCLOSURE OF, OR ACCESS TO PERSONAL DATA TRANSMITTED, STORED OR OTHERWISE PROCESSED. (and likely improve) their data protection controls, processes and technology. In this undertaking, efforts should be guided by Article 32 of the GDPR which requires that the level of security implemented is appropriate to the risk. 2

File Transfers are High Risk Chances are your organisation has already invested substantially in a security infrastructure. GDPR requires the consideration of value provided by further expenditures in traditional areas versus training for personnel, new processes and technology investment requirements that have been overlooked. The external transfer of personal data is now a core operational business process of IT organisations across a wide variety of industries. From a security ARTICLE 4(2): PROCESSING MEANS ANY OPERATION... SUCH AS COLLECTION, RECORDING, ORGANISATION, STRUCTURING, STORAGE... TRANSMISSION, DISSEMINATION OR OTHERWISE MAKING AVAILABLE perspective, data in transit is data at risk as it presents a unique opportunity for interception in transmission, unauthorised access when stored for download on a transfer server, delivery to an unintended recipient or mishandling when processed at its destination. Clearly, external file transfers of personal data require considerable attention in preparation for GDPR. Under pressure to allocate limited time and resources, organisations need to focus their GDPR investments on the processing activities that pose the greatest risk to their sensitive personal data. Data transfer is explicitly identified as a processing activity under GDPR, 3

and for good reason. Data transfer activities can expose personal data to high risk. For example: > > > > > Personal data stored in files uploaded to FTP are unencrypted and rarely deleted FTP anonymous mode, out-of-date security patches and other vulnerabilities provide easy access to cybercriminals Desktop users may circumvent IT and send personal data over unsecured means such as email or cloud-based file share services Lack of centralised control over permissions exposes user credentials which hackers can exploit to gain control over protected data. Lack of centralised and tamper evident audit logs creates a risk of unauthorised or failed transfers going unnoticed. GDPR Data Protection Principles The GDPR lists Data Protection Principles that organisations must comply with. Many of these principles apply to personal data transfer activities. Fair, lawful and transparent processing Rec 39, Art 5(1)(a) Additional care when designing and implementing processing activities Data Security Rec 29, 71, 156 Art 5(1)(f), 24(1), 25(1,2), 28, 29, 32 Ensuring personal data are secure against internal and external treats, accidental loss, destruction and damage Accuracy Rec 39, Art 5(1)(d) Taking all reasonable steps to ensure that personal data is accurate Accountability Rec 85, Art 5(2) Demonstrating compliance with the Data Protection Principles Purpose limitation Rec 50, Art 5(1)(b) Personal data collected for one purpose should not be used for a new incompatible purpose Data minimisation Rec 39, Art 5(1)(c) Only processing the personal data it needs to achieve its purposes Retention periods Rec 39, Art 5(1)(e) Personal data should not be retained longer than needed for purpose 4

Secure FTP Servers are Not Compliant Attempting to upgrade an existing FTP environment to be GDPR compliant is a flawed strategy. You would have to assure that all external transfer processes use secure protocols (SFTP, FTPS and HTTPS) and encryption (SSH, TLS and SSL). You would also have to add AES-256 encryption to all upload processes to protect data at rest. However, these improvements are not enough. Secure FTP inherits many of the risks and vulnerabilities as the FTP servers they replace. If your organisation has experienced FTP sprawl, you may have a hodgepodge of FTP servers with different software, on different platforms, with different software revisions, OS revisions and security patches. This creates vulnerabilities that cybercriminals can exploit to access personal data. 5

FTP data transfers are typically reliant on scripts. Scripts can be written in different languages such as PERL, BASH, VB and PowerShell and are often undocumented. Without standardisation and centralised control, scripted workflows, installed across multiple FTP servers, can result in unauthorised processing of personal data. And lastly, GDPR requires IT and security teams to provide proof of compliance. Collecting and reporting on audit logs from multiple FTP servers is time consuming and raises red flags with auditors who have a Bash Bash Power Shell PERL AVOID FTP SERVER SPRAWL X FILES ARE UNENCRYPTED X LOGS ARE NOT CENTRALISED X SCRIPTS MAY BE UNDOCUMENTED PERL Power Shell PERL PERL X AUDITORS WILL BE SUSPICIOUS preference for a single source of log data in a consistent format and stored in a tamper-evident database. Addressing these limitations will require considerable time and expense to get data transfer environments up to GDPR standards. The question is Why would you want to? Another consideration is that under GDPR, auditors are going to have less tolerance for compensating controls. 6

How MOVEit Can Help GDPR Data Protection Principle: Fair and Lawful Processing, Data Security and Accuracy MOVEit provides security features to meet specific requirements called out in Articles 5, 24, 25, 28, 32 and 39 including: Encrypting personal data in transit and at rest. Non-repudiation to validate that personal data is transferred only between authorised senders and receivers. Integration with Data Loss Prevention and Anti-virus solutions. Browser and Microsoft Outlook integration to ensure desktop clients are using an IT authorised secure data transfer solution. Perimeter security to keep unencrypted personal data out of the DMZ. Centralised, fine grained access control to safeguard user credentials, permissions and personal data. MOVEit protects personal data in transit using secure data transfer protocols like SFTP, FTPS and HTTPS, as well as the SSH, TLS and SSL encryption protocols. MOVEit protects data at rest using AES-256 encryption. MOVEit s non-repudiation capability validates that personal data is only transferred between authorised senders and receivers. It is a safeguard against man-in-the-middle attacks, where data in transit is hijacked or tampered with. Automatic file integrity checking validates that a file has not been altered in any way - an additional safeguard for the GDPR Accuracy Principle. It provides additional protection by integrating with content scanning solutions like Data Loss Prevention (DLP) and Anti-Virus software. It logs all content scanning activities and alerts when data loss or malware is detected. 7

The Ipswitch Gateway is a proxy server that sits in the DMZ ensuring that no personal data is stored in the DMZ. It terminates all inbound connections in the DMZ and makes sure that all communications to the trusted network go through a secure tunnel. Ad Hoc functionality delivers easy to learn and use data transfer for desktop clients. Users can send large files securely through a web browser or Microsoft Outlook. This reduces the chances of users exposing sensitive data by circumventing IT with unsecured cloud-based file share solutions. MOVEit has its own built-in secure database, which is used to safeguard user credentials and permissions. Because of its unique combination of encrypted storage and secure permissions, it does not rely on the security of the underlying OS, where hackers can exploit known vulnerabilities GDPR Data Protection Principle: Accountability The principle of Accountability require organisations to demonstrate compliance with the GDPR Data Protection Principles. Organisations need to collect and secure audit trails of all data transfer activities involving personal data. MOVEit tracks all file transfer activities including authentications and modifications to workflows in a tamper-evident database. MOVEit automatically collects and reports on data transfer logs in one centralised consolidated location. MOVEit audit logs are tamper evident and can be trusted for accuracy. GDPR Data Protection Principles: Purpose Limitation, Data Minimisation and Data Retention Periods The principles of the Purpose of Limitation, Data Minimisation and Data Retention Periods limits the processing of personal data for a specific purpose and to only provide the data needed for that purpose, after which the data must be deleted. MOVEit replaces scripts with a forms-based solution that provides a standardised, more secure, and documented data transfer tasks. MOVEit centralises control over all data transfer activities. Its built-in scheduler enables organisations to schedule common repetitive data transfer tasks. Organisations can include post transfer tasks, such as the scheduled deletion of personal data files. Comprehensive analytics provide the required insights to transfer activities to assure on-going compliance with GDPR s data protection principles. 8

MOVEit s Adherence to the GDPR s Data Protection Principles The lowest risk, cost effective option is a managed data transfer solution like Ipswitch MOVEit. MOVEit is a centralised and consolidated data transfer solution. It integrates secure data transfer with centralised workflows, access control, and audit logging. It features turnkey high availability and failover. The result, fewer moving parts which translates into lower risk to personal data, and less time and money spent managing and supporting data transfer processing activities. 9

About Ipswitch Ipswitch helps solve complex IT problems with simple solutions. The company s software is trusted by millions of people worldwide to transfer files between systems, business partners and customers; and to monitor networks, applications and servers. Ipswitch was founded in 1991 and is based in Lexington, Massachusetts with offices throughout the U.S., Europe and Asia. For more information, visit www.ipswitch.com. 2017 Ipswitch, Inc. All rights reserved. Download your 30-Day FREE TRIAL of Ipswitch MOVEit 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback