Processing Cyber Threat Data Through the GDPR Regulatory Lens: for Operational Compliance with GDPR

Similar documents
WHITE PAPER. Meeting GDPR Challenges with Delphix. KuppingerCole Report

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

GDPR: A technical perspective from Arkivum

Technical Requirements of the GDPR

EU General Data Protection Regulation (GDPR) Achieving compliance

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant

General Data Protection Regulation (GDPR) Key Facts & FAQ s

Getting ready for GDPR. Philipp Hobler EMEA Field CTO Global Technology Office Dell EMC Data Protection Solutions

Our agenda. The basics

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

Data Management and Security in the GDPR Era

Sword vs. Shield: Using Forensics Pre-Breach in a GDPR World. September 20, 2017

Cybersecurity Considerations for GDPR

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

This guide is for informational purposes only. Please do not treat it as a substitute of a professional legal

G DATA Whitepaper. The new EU General Data Protection Regulation - What businesses need to know

Data Protection Policy

Emergency Compliance DG Special Case DAMA INDIANA

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Google Cloud & the General Data Protection Regulation (GDPR)

The GDPR Are you ready?

Data Governance for GDPR Compliance: Principles, Processes, and Practices

ZIMBRA & THE IMPACT OF GDPR

THE GDPR PCLOUD'S ROAD TO FULL COMPLIANCE

Making Privacy Operational

IEEE GDPR Implementation & NTC

IBM Security technology and services for GDPR programs GIULIA CALIARI SECURITY ARCHITECT

GDPR How to Comply in an HPE NonStop Environment. Steve Tcherchian GTUG Mai 2018

Eight Minute Expert GDPR

Wonde may collect personal information directly from You when You:

How the GDPR will impact your software delivery processes

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

Islam21c.com Data Protection and Privacy Policy

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

General Data Protection Regulation (GDPR) The impact of doing business in Asia

OBTAINING CONSENT IN PREPARATION FOR GDPR

IMPACT OF INTERNATIONAL PRIVACY REGULATIONS. Michelle Caswell, Coalfire Julia Jacobson, K&L Gates

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Arkadin Data protection & privacy white paper. Version May 2018

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

EU GDPR & ISO Integrated Documentation Toolkit integrated-documentation-toolkit

General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) and the Implications for IT Service Management

Countdown to GDPR. Impact on the Security Ecosystem and How to Prepare

EY s data privacy service offering. How to transform your data privacy capabilities for an EU General Data Protection Regulation (GDPR) world

Data Warehouse Risk Assessment (GDPR)

Privacy Policy. In this data protection declaration, we use, inter alia, the following terms:

Contract Services Europe

PRIVACY NOTICE (TIER 4)

What is GDPR? Editorial: The Guardian: August 7th, EU Charter of Fundamental Rights, 2000

Understand & Prepare for EU GDPR Requirements

What You Need to Know About Addressing GDPR Data Subject Rights in Pivot

General Data Protection Regulation (GDPR) NEW RULES

GDPR & FOSS. Marc Jones CIPP/US, CISSP Compliance Engineer & In-House Counsel

A practical guide to using ScheduleOnce in a GDPR compliant manner

GDPR: A GUIDE TO READINESS

How icims Supports. Your Readiness for the European Union General Data Protection Regulation

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679

the processing of personal data relating to him or her.

The GDPR: The catalyst for customer July 2017

GDPR is here to stay. How prepared are you?

Overview of Akamai s Personal Data Processing Activities and Role

Embedding Privacy by Design

A Practical Look into GDPR for IT

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

Getting personal with your customers and GDPR

Importance of the Data Management process in setting up the GDPR within a company CREOBIS

EXAM PREPARATION GUIDE

GDPR and the Privacy Shield

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

FileFacets for GDPR. Solution Overview for Compliance. Copyright 2017 FileFacets Corporation. All rights reserved

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

The Simple Guide to GDPR Data Protection: Considerations for and File Sharing

INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS) AND HANDLING OF PERSONAL DATA

Requirements for a Managed System

GENERAL DATA PROTECTION REGULATION (GDPR)

General Data Protection Regulation (GDPR)

It is the policy of DMNS Networks PTE LTD (the Company ) to protect the privacy of the users of our Website and Services.

Eight Minute Expert GDPR. Login. Password

THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon

GDPR Privacy Policy. The data protection policy of AlphaMed Press is based on the terms found in the GDPR.

Getting ready for GDPR

Helping you to be GDPR compliant

Privacy Requirements Scoping

Data Protection Policy

PS Mailing Services Ltd Data Protection Policy May 2018

The types of personal information we collect and hold

Link Exhibitions Privacy Policy

Agenda GDPR Overview & Requirements IBM Secure Virtualization Solution Overview Summary / Call to Action Q & A 2

Accelerate GDPR compliance with the Microsoft Cloud

GDPR compliance. GDPR preparedness with OpenText InfoArchive. White paper

General Data Protection Regulation for ecommerce. Reach Digital - 18 december 2017

Privacy Notice Alumni

1.7 The Policy sets out the manner by which the University will respond to Subject Access Requests.

EY s data privacy service offering

Information leaflet about processing of personal data (

Angela McKay Director, Government Security Policy and Strategy Microsoft

Meeting GDPR Requirements with GoAnywhere MFT

Transcription:

Processing Cyber Threat Data Through the GDPR Regulatory Lens: for Operational Compliance with GDPR and Improved Privacy Risk Management John Sabo, CISSP Chair OASIS IDTrust Member Section Chair, OASIS PMRM Technical Committee john.sabo711@yahoo.com

GDPR/Privacy Engineering Tutorial Eight-part online workshop tutorial recorded at the KuppingerCole European Identity and Cloud Conference 2017 in Munich Online on the OASIS YouTube Channel: OASIS Open Standards https://www.youtube.com/user/oasisopen/ playlists 2

Privacy Principles GDPR Article 5 Lawfulness, fairness and transparency Purpose limitation Data minimisation Accuracy Storage limitation Security confidentiality, integrity, availability and resilience Consent - GDPR Article 7 Controller shall be able to demonstrate that the data subject has consented to processing of personal data. The request for consent shall be presented in a manner which is clearly distinguishable from other matters intelligible easily accessible clear and plain language. Data subject shall have the right to withdraw consent at any time. It shall be as easy to withdraw as to give consent. 3

GDPR - Personal Data Any information relating to an identified or identifiable natural person. Specific references to: o identification number; location data; online identifier One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. GDPR New Regulatory Concepts Large administrative penalties - up to 4% of annual turnover Global Scope (directly impacts non-eu organizations) Both Controller and Processor Responsibilities (cloud implications) Processors must have documented processing instructions Rights of Rectification, Erasure, and Restricted Processing Pseudonymisation (separately maintained additional information) Data Protection by Design and Default (design + implementation) Granular Consent and Withdrawal of Consent 4

GDPR as Catalyst Pre-GDPR? 1 Primary focus on policy regulators lawyers 2 Security-centric 3 Limited understanding of technical implementations and inter-dependencies 4 Traditional privacy risk management PIAs Post-GDPR? 1 Multi-stakeholder focus 2 Holistic data protection approach 3 Deep understanding of technical implementation and inter-dependencies 4 Proactive risk management data protection by design and default 5

How Can the OASIS PMRM Help You Meet the Letter and Spirit of the GDPR in Cyber Security Systems? PMRM V1.0 CS02 Privacy Management Reference Model and Methodology An analytic tool:! Enables the structured analysis of use cases in which Personal Data ( or PII ) are used, generated, communicated, processed, stored and erased! Shows the linkages among PII, data flows, data protection [including security] policies, privacy controls, privacy-enabling Services/Functionality/Technical Mechanisms] and Risk Management! Supports any set of privacy standards and policies! Supports Data Protection by Design requirements and compliance across policy and system boundaries! Supports all stakeholders http://docs.oasis-open.org/pmrm/pmrm/v1.0/cs02/pmrm-v1.0-cs02.html 6

Data Subject Regulator GDPR Principles/ Mandates Data Protection Officer Business Owner Privacy Engineer- Generalist Privacy Engineer Specialist Stakeholders Implementing Mechanisms/ Code Iterative Risk Analysis Privacy Management Analysis is complicated - Multiple Stakeholders - and Roles - Policies, Procedures - Technical Implementation - Risk Management - SDLC Management - Iterative risk analysis Use Case High Level Analysis Software Engineer Services and Functionality Detailed Analysis Risk Officer Auditor Control Requirements 7

PMRM Methodology High Level Privacy Use Case Analysis Services/Applications Privacy Requirements Impact/Other Assessments Privacy Management Analysis Detailed Privacy Use Case Analysis Domains and Owners Risks - Responsibilities Data Flows and Touch Points Systems and Subsystems ] Actors PI in Use Case Systems System 1 Incoming/Internally Generated/ Outgoing System n Incoming/Internally Generated/ Outgoing 8

Operational Privacy Control Requirements Inherited Internal Exported Services Required for Operationalized Controls Privacy Management Analysis Agreement Usage Validation Certification Enforcement Security Interaction Access Technical and Process Functionality and Mechanisms Risk Assessment Iterative Process 9

Key Actions for GDPR Compliance Mike Small, Senior Analyst 10

GDPR Key Actions Discovery Discover and document all the PII you hold. Check that it is necessary and minimum. Check it is correct and up to date. Models for consent and control Control Access Control at data field level Control of aggregation Data Subject access requests Right to be forgotten and return of data Proof that data only used for consented purposes Consent Processes for freely given, informed, unambiguous, clear statements of affirmative actions Per purpose and may be revoked at any point of time 11

GDPR Key Actions Cloud Assure Compliance when data held in cloud services. Control over PII in cloud Certification of Cloud Service Providers Data Protection Data Protection Officers are required DPIAs (Data Protection Impact Assessment) under certain circumstances Privacy by default and design Data Breach Make sure you have the right procedures to detect, report and investigate a breach. Communicate to data subjects in clear and plain language. 12

PMRM Services 13

Additional Resources OASIS PMRM Technical Committee https://www.oasis-open.org/committees/tc_home.php? wg_abbrev=pmrm Privacy Engineering GDPR OASIS Workshop Presentation Slides and PMRM Technical Committee Documents https://www.oasis-open.org/committees/documents.php? wg_abbrev=pmrm&show_descriptions=yes OASIS Privacy Management Reference Model and Methodology (PMRM) https://docs.oasis-open.org/pmrm/pmrm/v1.0/cs02/pmrmv1.0-cs02.pdf OASIS Privacy by Design Documentation for Software Engineers (PbD SE) http://docs.oasis-open.org/pbd-se/pbd-se/v1.0/csd01/pbdse-v1.0-csd01.pdf 14

Overview of Use Case Use Case: ImproveTheNeighbourhood Responsible Council ImproveTheNeighbourhood Digital Platform

PMRM PMA Analysis PMRM tasks 1 to 18 Task #1 - Use Case Description Task #2 - Use Case Inventory Task #3 - Privacy Policy Conformance Criteria Task #4 - Assessment Preparation Task #5 - Identify Participants Task #6 - Identify Systems and Business Processes Task #7 - Identify Domains and Owners Task #8 - Identify Roles and Responsibilities within a Domain Task #9 - Identify Touch Points Task #10 - Identify Data Flows Task #11 - Identify Incoming PI Task #12 - Identify Internally Generated PI Task #13 - Identify Outgoing PI Task #14 - Specify Inherited Privacy Controls Task #15 - Specify Internal Privacy Controls Task #16 - Specify Exported Privacy Controls Task #17 - Identify the Services and Functions necessary to support operation of identified Privacy Controls Task #18 - Identify the Mechanisms that Implement the Identified Services and Functions

PMRM PMA Analysis Responsibilities Table Stake-holders/Lead Use Case Description Systems Participants PI/PII Domains Legal/Regs/ Policies Data Flows/Touch points Systems Privacy Controls Services - Technical Functions CPO x x x x x x IT Architect x x x x Business Analyst x x x x x Team Privacy Champion x x x x x Senior Developer x x x x Line of Business Owner x x x x Legal Department x x x CIO x x x Data Center Director x x x

PMRM PMA Analysis Iterative steps with stakeholders Product Owner Architect Developer Business Analyst

Task #5 - Identify Participants Task #6 - Identify Systems Task #7 - Identify Domains Task #9 - Identify Touch Points Citizen Fieldworker VBDB Web App VBDB Fieldworker App Citizen VBDB Platform Councils VBDB Mobile App - VBDB System VBDB Fieldworker App - VBDB System Task #10 - Identify Data Flows Task #11 - Identify Incoming PI Task #12 - Internally Gen. PI Task #13 - Identify Outgoing PI Picture Email address PMA Interview with Product Owner

Task #5 - Identify Participants Task #6 - Identify Systems Task #7 - Identify Domains Task #9 - Identify Touch Points Citizen Fieldworker Backoffice Employee Customer Support Employee VBDB Web App VBDB Fieldworker App VBDB Web App VBDB Mail VBDB System CRMOnline Case Management System Citizen VBDB Platform Councils: Council Type 1 Council Type 2 Council Type 3 Council Type 4 VBDB Mobile App - VBDB System VBDB Fieldworker App - VBDB System VBDB Web App - VBDB System VBDB System - Case Management System VBDB System - CRMOnline VBDB System - Mail system Task #10 - Identify Data Flows Task #11 - Identify Incoming PI Task #12 - Internally Gen. PI Task #13 - Identify Outgoing PI Citizen - VBDB Platform Council Type 2 - VBDB Platform Personalized interests Picture Email address PMA Interview with Architect

Task #5 - Identify Participants Task #6 - Identify Systems Task #7 - Identify Domains Task #9 - Identify Touch Points Citizen Fieldworker Backoffice Employee Customer Support Employee VBDB Web App VBDB Fieldworker App VBDB Web App VBDB Mail VBDB System CRMOnline Case Management System MailChimp ActiveMQ Mule Postfix Postmark ArgisOnline ArgisPro Citizen VBDB Platform Councils: Council Type 1 Council Type 2 Council Type 3 Council Type 4 Rocket Science Group ESRI Wildbit LeaseWeb OVH VBDB Mobile App - VBDB System VBDB Fieldworker App - VBDB System VBDB Web App - VBDB System VBDB System - Case Management System VBDB System - CRMOnline VBDB System - Mail system Task #10 - Identify Data Flows Task #11 - Identify Incoming PI Task #12 - Internally Gen. PI Task #13 - Identify Outgoing PI Citizen - VBDB Platform Council Type 2 - VBDB Platform Personalized interests Picture Email address PMA Interview with Developer

Task #5 - Identify Participants Task #6 - Identify Systems Task #7 - Identify Domains Task #9 - Identify Touch Points Citizen Fieldworker Backoffice Employee Customer Support Employee VBDB Web App VBDB Fieldworker App VBDB Web App VBDB Mail VBDB System CRMOnline Case Management System MailChimp ActiveMQ Mule Postfix Postmark ArgisOnline ArgisPro Melddesk DMS GBA Workflow Engine Personal Internet Page Citizen VBDB Platform Councils: Council Type 1 Council Type 2 Council Type 3 Council Type 4 Rocket Science Group ESRI Wildbit LeaseWeb OVH VBDB Mobile App - VBDB System VBDB Fieldworker App - VBDB System VBDB Web App - VBDB System VBDB System - Case Management System VBDB System - CRMOnline VBDB System - Mail system Task #10 - Identify Data Flows Task #11 - Identify Incoming PI Task #12 - Internally Gen. PI Task #13 - Identify Outgoing PI Citizen - VBDB Platform Council Type 2 - VBDB Platform PMA Interview with Business Analyst Personalized interests Picture Email address First name Last name Gender Home Address Phone number Screen name Time Date Geo-tag information Picture metadata IP address Connection specific data: device type, browser, toolkit,etc.

PMRM PMA Analysis - Diagram

Architecture of PMRM PMA tool

Architecture of PMRM PMA tool

Small example: outgoing PI Thinking about the CTI infrastructure & GDPR Using the visual representations Outgoing PI example in shared thread information

Basic TAXII setup

Value of tool

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback