Information Security. How to be GDPR compliant? 08/06/2017


Information Security: How to be GDPR compliant? CREOBIS, 08/06/2017. Alain Cieslik

What Is the Difference Between Security and Privacy?
Security: the primary goal of InfoSec is to protect the confidentiality, integrity and availability of protected information.
Confidentiality (ISO 27000): property that information is not made available or disclosed to unauthorized individuals, entities or processes.
Integrity (ISO 27000): property of protecting the accuracy and completeness of assets.
Availability (ISO 27000): property of being accessible and usable upon demand by an authorized entity.
Source: https://www.cocc.edu/its/infosec/concepts/cia-triad/
ICT Control

What Is the Difference Between Security and Privacy?
Privacy: the right of an individual to trust that others will appropriately and respectfully use, store, share and dispose of his/her associated personal and sensitive information within the context, and according to the purposes, for which it was collected or derived.

Security                                   Privacy
is a process                               is a consequence
is action                                  is a result of successful actions
is the strategy                            is the outcome
is a state of being free from danger       is a state of being free from unsanctioned intrusion

Source: ISACA Privacy principles and program management guide

What Is Risk with Respect To Information Security?
Security controls (countermeasures) are safeguards to avoid, detect, counteract or minimize security risks to physical property, information, computer systems or other assets.
Asset (ISO 27000): anything that has value to the organization.
Source: ISACA Privacy principles and program management guide

What Is Risk With Respect To GDPR?
Recital 75: The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorized reversal of pseudonymisation, or any other significant economic or social disadvantage;

I. How can privacy risks be evaluated?

I. How to evaluate privacy risks
The privacy risk level is estimated in terms of severity and likelihood by doing a Privacy Impact Assessment.
PIA vs DPIA:
A Privacy Impact Assessment (PIA) is a questionnaire to identify and help reduce privacy risk.
A Data Protection Impact Assessment (DPIA) is a specific type of PIA that is described in the EU GDPR and comes with unique obligations.
A compliance approach implemented by carrying out a PIA is based on respect for the following principles.
Source: https://iapp.org/media/pdf/resource_center/onetrust-pia-dpia-ultimate-handbook.pdf

I. How to evaluate privacy risks
PIA Manual 1 - Methodology (how to carry out a PIA): https://www.cnil.fr/sites/default/files/typo/document/cnil-pia-1-methodology.pdf
PIA Manual 2 - Tools (templates and knowledge bases): https://www.cnil.fr/sites/default/files/typo/document/cnil-pia-1-methodology.pdf

I. How to evaluate privacy risks
In summary, to comply with GDPR, it is necessary to:
1. Context: define and describe the context of the processing of personal data under consideration and its stakes;
2. Controls: identify existing or planned controls;
3. Risks: assess privacy risks to ensure they are properly treated;
4. Decisions: decide to validate the manner in which it is planned to comply with privacy principles and treat the risks.
* The current CNIL approach is still based on the French regulation and is not 100% GDPR-oriented from a legal point of view.

I. How to evaluate privacy risks: CNIL Approach

I. Evaluate the level of security required by the GDPR (CNIL Approach)

Risk Id  Risk description                                                  Probability  Impact  Assigned to  Due date
1        Eavesdropping on unprotected data used by a mobile application                         John Smith   01/08/2017

I. How to evaluate privacy risks
What can be done to mitigate risks? Define security controls that:
reduce the impact;
reduce the probability.

I. How to evaluate privacy risks (CNIL Approach)

Task Id  Non-conformity issue detected  Security controls                               Assigned to  Due date    Status
1        Data inventory                 Describe data processed by the application XYZ  John Smith   01/08/2017  Not Started
2        Information Security           Implement HTTPS for each communication          John Doe     01/07/2017  Not Started

II. Information security

II. Information security: Different types of security controls

II. Information security
Protecting the personal information during the full data lifecycle: Create, Store, Use, Share, Backup, Destroy.
Information security addresses the protection goals confidentiality, integrity and availability during the full data lifecycle. All of these goals are also important from a privacy and data protection perspective, which specifically requires that unauthorized access and processing, manipulation, loss, destruction and damage are prevented.

II. Information Security
Defense in depth: an information assurance concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system.
Least privilege principle: a security principle in which a person or a process is given only the minimum level of access rights (permissions) necessary to complete an assigned operation.
Separation of duties: a security principle in which an organization establishes appropriate divisions of responsibility and separates duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals.

II. Information Security
Cryptography is a method of storing and transmitting data in a particular form so that only those for whom it is intended can read and process it.
A digital signature is a mathematical scheme for demonstrating the authenticity of digital messages or documents. A valid digital signature gives a recipient reason to believe that the message was created by a known sender (authentication), that the sender cannot deny having sent the message (non-repudiation), and that the message was not altered in transit (integrity).
Source: https://en.wikipedia.org/wiki/digital_signature

III. Privacy by design

III. Privacy by design (diagram)
Security controls protecting the confidentiality, integrity and availability of personal data: Authentication, Authorization, Auditing, Non-repudiation, Encryption, Hashing, File Signature, Secure Architecture.
Privacy controls providing Anonymity, Pseudonymity, Unlinkability and Unobservability: Anonymisation, Pseudonymisation, Privacy design techniques, Database design techniques.

III. Privacy by design
Anonymization is a type of information sanitization whose intent is privacy protection. It is the process of either encrypting or removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous.
Pseudonymization is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms.
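As an added illustration of the two techniques (example code, not from the slides), the following Python applies keyed pseudonymization and irreversible anonymization to a constructed customer record; the secret key, the choice of identifying fields and the coarsening rules are assumptions.

```python
"""Pseudonymization vs anonymization of a constructed customer record.
Added example, not from the slides. Assumes a secret key (constructed) and a
pseudonym-to-identity lookup table; both are the additional information that
must be stored separately from the pseudonymized data set."""
import hashlib
import hmac

# Assumed: these are the "most identifying fields" of the record
IDENTIFYING_FIELDS = ("name", "email")

# Constructed sample record (no real person)
SAMPLE = {"name": "Jane Roe", "email": "jane@example.org",
          "birth_date": "1985-06-12", "postcode": "1050", "purchases": 3}


def pseudonymize(record, key, lookup=None):
    """Replace identifying fields with HMAC-SHA256 based pseudonyms.

    Same value + same key -> same pseudonym, so records stay linkable for
    analysis. Without the key a pseudonym cannot be recomputed from a guessed
    value, and without the lookup table it cannot be reversed at all.
    """
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        if field in out:
            tag = hmac.new(key, out[field].encode(), hashlib.sha256).hexdigest()[:16]
            if lookup is not None:
                lookup[tag] = out[field]   # kept by the separate key holder
            out[field] = tag
    return out


def reidentify(record, lookup):
    """Authorized reversal: only possible with the separately held table."""
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        if field in out and out[field] in lookup:
            out[field] = lookup[out[field]]
    return out


def anonymize(record):
    """Drop identifiers and coarsen quasi-identifiers; there is no way back."""
    out = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    if "birth_date" in out:
        out["birth_year"] = out.pop("birth_date")[:4]   # exact date -> year only
    if "postcode" in out:
        out["postcode"] = out["postcode"][:2] + "**"     # 4-digit -> 2-digit area
    return out
```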

III. Privacy by design: The 7 Foundational Principles
1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality: Positive-Sum, not Zero-Sum
5. End-to-End Security: Full Lifecycle Protection
6. Visibility and Transparency: Keep it Open
7. Respect for User Privacy: Keep it User-Centric
Source: https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf

III. Privacy by design
The principle of privacy/data protection by design is based on the insight that building in privacy features from the beginning of the design process is preferable to attempting to adapt a product or service at a later stage.
The principle of privacy/data protection by default means that in the default setting the user is already protected against privacy risks.
Privacy and Data protection by design: https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design
Privacy by design in big data: https://www.enisa.europa.eu/publications/big-data-protection

IV. Example of GDPR Accountability

IV. Example of GDPR Accountability: consent lifecycle with Privacy by Default
Scenario: a smartphone application collecting geolocation information (consent = geolocation permission).
Privacy by default: no data collection until consent is given.
Consent given: data collection is allowed; the system collects geolocation info.
Consent withdrawn: data collection is not allowed; the system stops collecting.
Consent given again: data collection is allowed.

Accountability timeline (diagram reconstructed from the slides):
01/01/2017 08:00  Consent given    -> legitimate process (data collection)
01/02/2017 08:00  Consent removed  -> no data collection
01/03/2017 08:00  Consent given    -> legitimate process (data collection)
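The consent lifecycle above, as an added example that is not code from the slides: a small Python consent ledger that gates geolocation capture at collection time and audits already-stored records against the consent timeline. The event model, the record format and the sample fixes are assumptions; the three timestamps are the slides' own.

```python
"""Consent ledger for the geolocation scenario: added example, not the slides' code.
Assumed model: consent events are (timestamp, state) pairs; a capture is
legitimate only if the most recent event at or before it is 'given'.
Slide dates are day/month/year: 01/01, 01/02 and 01/03/2017 at 08:00."""
from bisect import bisect_right
from datetime import datetime

GIVEN, WITHDRAWN = "given", "withdrawn"

# Constructed consent events for one data subject, matching the slide timeline
CONSENT_EVENTS = [
    (datetime(2017, 1, 1, 8, 0), GIVEN),      # consent given
    (datetime(2017, 2, 1, 8, 0), WITHDRAWN),  # consent removed
    (datetime(2017, 3, 1, 8, 0), GIVEN),      # consent given again
]


class ConsentLedger:
    """Append-only record of consent decisions; this is the audit trail."""

    def __init__(self, events):
        self.events = sorted(events)
        self.times = [t for t, _ in self.events]

    def state_at(self, when):
        idx = bisect_right(self.times, when)
        if idx == 0:
            return WITHDRAWN  # privacy by default: nothing before first consent
        return self.events[idx - 1][1]

    def may_collect(self, when):
        return self.state_at(when) == GIVEN


def collect_geolocation(ledger, when, fix):
    """Gate at capture time: store the fix only while consent is in force."""
    if not ledger.may_collect(when):
        return None
    return {"time": when, "lat": fix[0], "lon": fix[1]}


def audit(ledger, records):
    """Accountability check: return stored records captured without valid consent."""
    return [r for r in records if not ledger.may_collect(r["time"])]


# Constructed stored records: the second one should never have been captured
STORED = [
    {"time": datetime(2017, 1, 15, 12, 0), "lat": 50.85, "lon": 4.35},
    {"time": datetime(2017, 2, 15, 12, 0), "lat": 50.85, "lon": 4.35},
    {"time": datetime(2017, 3, 15, 12, 0), "lat": 50.85, "lon": 4.35},
]
```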

V. Data breach
Extract from the Programme in European Data Protection (GDPR). Speaker: Jöelle Jouret - 18/05/2017. Source: www.solvay.edu/gdpr

V. Data breach
1. Preparing for a cyber security incident
2. Detecting and identifying potential cyber security incidents
3. Handling an actual incident: contain, eradicate and recover
4. Communication during a cyber security incident
5. Incident follow-up and closure: learn from each incident!
Source: Cyber Security Incident Management Guide

V. Data breach
What kind of procedures do you need?
Internal procedures to report and to record all breaches.
Procedures to notify the DPA within 72h of data breaches that present a risk for the rights of the data subjects (DS).
Procedures to communicate a data breach to the public, if requested (i.e. breaches that present a high risk for the rights of the DS).
What kind of form could be helpful?
Internal forms to report and record breaches.
An internal form helping with the communication to the public.
External forms (from the DPA) to notify.

V. Data breach
Internal form to report and to record: example (the form template is shown as an image on three slides).

Programme in European Data Protection, Solvay.edu/gdpr: 5 days of education, starting again in September.

Call: +322 340 3200, email: ac@ictc.eu. Active since 1999, ICT CONTROL NV-SA is connected to Solvay Brussels School of Economics and Management and ISACA International.

Call: +322 340 3200 email: xv@ictc.eu