NIS, GDPR and Cyber Security: Convergence of Cyber Security and Compliance Risk

Similar documents
The Role of the Data Protection Officer

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

Data Breaches and the EU GDPR

Incident Response. Tony Drewitt Head of Consultancy IT Governance Ltd

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

EU General Data Protection Regulation (GDPR) Achieving compliance

Conducting a data flow mapping exercise under the GDPR. Presented by: Alan Calder, founder and executive chairman, IT Governance 4 October 2017

BHConsulting. Your trusted cybersecurity partner

Regulating Cyber: the UK s plans for the NIS Directive

Security Awareness Training Courses

BHConsulting. Your trusted cybersecurity partner

falanx Cyber ISO 27001: How and why your organisation should get certified

Digital Health Cyber Security Centre

EU GDPR & ISO Integrated Documentation Toolkit integrated-documentation-toolkit

General Data Protection Regulation (GDPR)

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

CYBER SECURITY AIR TRANSPORT IT SUMMIT

ADIENT VENDOR SECURITY STANDARD

Cyber Security Strategy

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

TRULY INDEPENDENT CYBER SECURITY SPECIALISTS. Cyber Major

CyberSecurity. Penetration Testing. Penetration Testing. Contact one of our specialists for more information CYBERSECURITY SERVICE DATASHEET

WELCOME ISO/IEC 27001:2017 Information Briefing

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

SPECIALIST CYBER SECURITY SERVICES & CYBER VULNERABILITY HEALTH CHECK FOR SMALLER COMPANIES

Hong Kong s Personal Data (Privacy) Ordinance

General Data Protection Regulation (GDPR) The impact of doing business in Asia

ISACA GEEK WEEK SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO FRAMEWORK AUGUST 19, 2015

John Snare Chair Standards Australia Committee IT/12/4

Cybersecurity Considerations for GDPR

Directive on security of network and information systems (NIS): State of Play

European Union Agency for Network and Information Security

Cybersecurity Risk Oversight: the NIST Framework and EU approaches

Critical Information Infrastructure Protection Law

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

METHODOLOGY AND CRITERIA FOR THE CYBERSECURITY REPORTS

Business Continuity Management: How to get started. Presented by: Tony Drewitt, Managing Director IT Governance Ltd 19 April 2018

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018

Information Security Risk Strategies. By

Addressing penetration testing and vulnerabilities, and adding verification measures

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

Securing Information Assets with ISO 27001

Governance and Compliance Learning from the Private Sector. David Coverdale

CNPD Course: Data Protection Basics

How will cyber risk management affect tomorrow's business?

GDPR compliance: some basics & practical to do list

The GDPR: The catalyst for customer July 2017

ENISA s Position on the NIS Directive

Data Protection and GDPR

Motorola Mobility Binding Corporate Rules (BCRs)

The NIS Directive and Cybersecurity in

Cybersecurity: balancing risks and controls for finance professionals

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Background FAST FACTS

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Information Security In Pakistan. & Software Security As A Quality Aspect. Nahil Mahmood, Chairman, Pakistan Cyber Security Association (PCSA)

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant

SRM Service Guide. Smart Security. Smart Compliance. Service Guide

CYBER INSURANCE: MANAGING THE RISK

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

Protecting your data. EY s approach to data privacy and information security

GDPR: A QUICK OVERVIEW

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

Cybersecurity Auditing in an Unsecure World

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

ENISA EU Threat Landscape

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

Cyber Attack: Is Your Business at Risk?

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Avanade s Approach to Client Data Protection

Executive Insights. Protecting data, securing systems

Cyber Security in Europe

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

Cybersecurity The Evolving Landscape

Cyber and data security How prepared is your charity?

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

locuz.com SOC Services

GDPR AND GRC: GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE FOR DATA PROTECTION

Cyber fraud and its impact on the NHS: How organisations can manage the risk

How ISO can assist with your GDPR compliance

ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability. Session 2: Conformity Assessment Principles

Cybersecurity. Securely enabling transformation and change

GDPR Compliance. Clauses

Effective Strategies for Managing Cybersecurity Risks

GDPR COMPLIANCE REPORT

Business continuity management and cyber resiliency

General Data Protection Regulation (GDPR)

M&A Cyber Security Due Diligence

PROTECTING NATIONAL CRITICAL INFRASTRUCTURE AGAINST CYBER ATTACKS BEST PRACTICES RELATED TO TECHNOLOGY AND STANDARDS FROM EUROPE BANGKOK

Certified Cyber Security Specialist

Global Statement of Business Continuity

Cybersecurity in Higher Ed

NYDFS Cybersecurity Regulations

Why you should adopt the NIST Cybersecurity Framework

Cyber Insurance: What is your bank doing to manage risk? presented by

An Introduction to the ISO Security Standards

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

CYBERAID + The Cyber Solution for UK SMEs THBGROUP.COM

Transcription:

NIS, GDPR and Cyber Security: Convergence of Cyber Security and Compliance Risk IT Matters Forum July 2017 Alan Calder Founder & Executive Chairman IT Governance Ltd

Introduction Alan Calder Founder IT Governance Ltd World leaders in Information Security Management Systems, cyber risk management and GDPR compliance. IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002, 6 th Edition (Open University textbook) (also sites in USA, EU, Asia Pacific, South Africa)

IT Governance Ltd: GRC One-Stop-Shop Thought Leaders Specialist publisher Implementation toolkits ATO Consultants Software and e-learning Distribution Point solutions that integrate

Agenda UK backdrop: cyber denial EU GDPR NIS Cyber resilience maturity model Immediate actions

Cyber disconnect Most organizations are confident in their cyber defences 70% of organizations say: Cyber security completely embedded in their processes Cyber security a board-level concern, with top executive focus However: Organizations face 100+ targeted attacks per year 1/3 are successful that s 2 or 3 per month! Most breaches are discovered by outsiders! (Accenture: Facing the Cybersecurity Conundrum 2016)

Cyber Health Check example National health organisation, founded in 1960s, established across UK, nearly 4000 staff Cyber Heath Check 14 Critical Internet-facing vulnerabilities 175 medium level vulnerabilities Uncertainty over roles and responsibilities Uncertainty over cyber insurance No risk management process, no risk assessment in last 3 years No data inventory but 1000 s of boxes of paper records and millions of electronic personal records No data classification, no retention policy 2 competing versions of a data protection policy Other documents, where they exist, up to 7 years old No BCMS, ISMS, or incident response process No formal staff training and awareness Physical security - internal and external highly vulnerable Windows operating systems 2003, 2008 and 2012 SQL server versions outdated, patching on average 18 months old Rogue devices will be assigned a network IP address 60 remote sites connect to the main network 50 of which are running end-of-life hardware and software Servers and mobile devices unencrypted No restrictions on data exports or file sharing PCI compliance status unclear Had some reported minor breaches

Data breaches in the UK January to March 2016-448 new cases Data Breaches by Sector Health (184) Local Government (43) Education (36) General Business (36) Finance, Insurance & Credit (25) Legal (25) Charitable & Voluntary (23) Justice (18) Land or Property Services (17) Other (41) NB: Mandatory reporting only for public sector, not private/not-for-profit How will these stats change after May 2018? Source: UK Information Commissioner s Office 2016

Cyber risk an overview Attackers Weaknesses Assets Hacktivists Terrorists People IP Card data PII Opportunists Criminals Competitors Enemies Process Technology Money Reputation Commercial Info

Security breach levels are rising Security breach levels continue to rise. Last year in the UK: 90% of large organisations reported suffering a security breach, up from 81% a year before. 74% of small businesses had a security breach, up from 60% a year before. Source: BIS/PwC 2015 Information Security Breaches Survey Hacked organizations continue struggling for years afterwards Target, Yahoo, Talk Talk

Cyber security, accountability & compliance The biggest vulnerability remediation rates have been achieved when boards of directors and executive management have been accountable for breaches. Interestingly, when breach accountability was with security departments, the lowest remediation rates have been achieved. It is worth noticing that the largest remediation rates of vulnerabilities are achieved when compliance is the driver, while vulnerability remediation due to a risk-oriented posture is delivering lowest remediation rates. ENISA Threat Report, 2015

ICO on accountability The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation. The GDPR mandates organisations to put into place comprehensive but proportionate governance measures. It means a change to the culture of an organisation. That isn t an easy thing to do, and it s certainly true that accountability cannot be bolted on: it needs to be a part of the company s overall systems approach to how it manages and processes personal data. Speech to ICAEW 17 January 2017

EU GDPR Complete overhaul of data protection framework All forms of personal data, including biometric, genetic and location data Applies across all member states of the EU In force on 25 May May 2018

The GDPR: Data subject actions Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Right to mandate a consumer protection agency Represent them, bring claims on their behalf Article 82: Right to compensation Any person who has suffered material or non-material damage No upper limit

The GDPR: Data breaches Mandatory data breach reporting within 72 hours Processors must report to controllers without undue delay Controllers must report to supervisory authority within 72 hours Describe actions being taken to º Address the breach º Mitigate the consequences Data subjects must be contacted without undue delay º Unless no risk to their data Failure to report within 72 hours must be explained

NIS: Network & Information Security Directive Applies to: Essential services eg CNI, Finance, Health, Utilities, Transport, Energy, Food, Marine etc Digital Service Providers Translated into national law by May 2018 Increase intra-eu cooperation, national CSIRT network Adopt technical and organizational measures appropriate to risk: Ensure the security of systems and facilities Processes for Incident handling Business continuity management Monitoring, auditing and testing Compliance with international standards Penalties for infringement must be effective, proportionate and dissuasive.

Cyber health check example: breach consequences after 25 May 2018 Report breach to ICO if they know about it, if they know how to report Investigation will reveal what my be described as sustained negligence Is likely to trigger monetary penalties in the upper bracket for multiple breaches of the data protection principles PCI compliance breach investigation and fines NIS breach penalties similar to GDPR Multiple individual court actions for non-material damage Reputation damage, funding problems Will tie up directors and senior managers for years Will not help avoid the necessary cyber security investment Enhanced by clean-up and emergency costs

Convergence: cyber security assurance GDPR Article 32: Adherence to an approved code of conduct or an approved certification mechanism.. may be used as an element by which to demonstrate compliance with the requirements.of this Article. ISO/IEC 27001:2013 Is an international standard meets the appropriate technical and organizational measures requirement Is widely recognised and adopted Provides assurance to the board that data security is being managed in accordance with business, contractual and regulatory requirements Information security/data protection policies Audit, monitoring and review Manage ALL information assets and all information security within the organization protecting against ALL threats

Cyber resilience maturity model 5 4 3 2 1 0-1 -2-3 -4-5 Incident response, business continuity integration Embedded ISMS,CMMI, SOC 2 ISO 27001 accreditation 10 Steps to Cyber Security PIMS, PCI DSS, 20 Critical Controls, IG Toolkit Cyber Essentials Plus certification Cyber Essentials certification The Basics Established cyber resilience framework (PAS 555) Include SCRM ISO 27036 Cyber governance framework ISO 27014

Key, immediate steps Board involvement Clear roles and responsibilities cyber security, data protection Budget for people, support and technology Update and patch systematically and comprehensively Penetration test then remediate Encrypt mobile devices, databases and email Inventory personal data delete/destroy old data, secure what you keep Prepare and test an incident response and data breach reporting process Initiate GDPR and NIS compliance plans In parallel cyber essentials and start climbing the maturity ladder as fast as possible

Questions? acalder@itgovernance.co.uk 0845 070 1750

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback