EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS


MEET THE EXPERTS
David O'Leary, Director, Forsythe Security Solutions
Thomas Eck, Director, Forsythe Security Solutions
Alex Hanway, Product Marketing Manager, Gemalto

IN TODAY'S DIGITAL WORLD, WE ARE ALL DATA SUBJECTS
Critical aspects of our lives are determined by the data that is held about us. Threats are increasing as technologies distribute sensitive data farther across locations, devices, and repositories.

CYBERCRIME IS A GROWTH INDUSTRY

EU GDPR AND NY DATA PROTECTION AND PRIVACY REQUIREMENTS ARE USHERING IN A NEW ERA OF ACCOUNTABILITY

Poll Question: HOW FAR ALONG DO YOU THINK YOUR ORGANIZATION IS IN ITS COMPLIANCE PLAN?
a) Beginning stages
b) Well underway
c) Fully compliant
d) Not sure

EU GDPR MANDATES

Fines: Companies that violate certain provisions, such as the basic processing principles or the rules relating to cross-border data transfers, may face fines amounting to four percent of the company's annual gross revenue, and up to two percent for violations such as failing to meet the breach notification rule.

Right to be Forgotten: A right to erasure, also known as the right to be forgotten, gives a data subject the right to order a data controller/organization to erase any of their personal data in certain situations. Data controllers will be required to erase personal data without undue delay when the data is no longer necessary in relation to the purposes for which it was gathered or processed.

Data Protection Officer (DPO): Companies whose core activities involve large-scale processing of special categories of data (information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, health or sexual orientation) need to designate a data protection officer. Companies who collect some of this information strictly for internal human resources purposes may also be subject to this requirement.

Breach Notification: A single data breach notification requirement is applicable across the EU. The rule requires data controllers to notify the appropriate supervisory authority of a personal data breach within 72 hours of learning about it.

NY CYBERSECURITY MANDATES

Program and Policy: Establishment and adoption of a cybersecurity policy and program, including adequate funding and staffing, a CISO, cybersecurity awareness training, limitations on data retention, and periodic reporting to the most senior governing body of the organization.

Security Controls: Risk-based minimum standards for technology systems, including access controls such as multifactor authentication, data protection (including encryption or an alternate CISO-approved compensating control), and vulnerability assessment/penetration testing.

Data Breach Response: Adherence to minimum standards for addressing data breaches, including incident response plans, the preservation of data for investigations, and notice to DFS of material events within 72 hours. Additionally, organizations need to maintain audit trails for reconstruction of financial transactions and cybersecurity incidents.

Maintaining Accountability: Identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance. Additionally, organizations need to implement written policies and procedures designed to ensure the privacy and security of information systems and sensitive data accessible to third-party providers.

3 KEYS TO SUCCESS

ONE: DATA-CENTRIC SECURITY
The development of a data-centric security program is invaluable to all data protection and data privacy efforts.

DATA DISCOVERY
- Determine where and what type of data is stored
- Continuous process to provide visibility, outline risk, and validate employee role assignment
- Confirm awareness level and policy compliance, as well as enhancement

CLASSIFICATION
- Policy
- Data handling procedures
- Report/detect/protect
- IR/forensics
- Risk-based approach
- Identify business owners

ENCRYPTION STRATEGIES
- Data-in-motion
- Data-at-rest
- Data-in-use
- Consider SSL decryption at gateway points of access

IDENTITY MANAGEMENT
- Directory unification
- Access management
- Federation
- Privileged access
- Access governance and authentication
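The data discovery and classification steps above, as an added example that is not part of the webinar's material: a small Python scan that walks a set of files, looks for personal-data patterns (e-mail addresses, Luhn-valid card numbers, a few special-category keywords), classifies each file by the highest-risk category it contains, and attaches a business owner based on the directory the file lives in. The sample files, the owner map, the keyword list and the classification labels are all constructed for this example.

```python
"""Toy data-discovery and classification scan (added example, not from the webinar)."""
import re
from dataclasses import dataclass, field

# Constructed sample corpus: path -> contents (stands in for a file share or DB export)
SAMPLE_FILES = {
    "hr/benefits/enrolment_2018.csv":
        "name,email,notes\nAda Lovelace,ada@example.org,diagnosis: asthma\n",
    "finance/ar/invoices_q1.txt":
        "Customer card on file: 4111 1111 1111 1111 (exp 03/20)\n",
    "marketing/newsletter.txt":
        "Sign up at https://example.org/news - contact press@example.org\n",
    "engineering/README.md":
        "Build with make; see docs/ for details.\n",
}

# Constructed owner map: top-level directory -> accountable business owner
OWNERS = {"hr": "Head of HR", "finance": "Finance Controller",
          "marketing": "Marketing Lead", "engineering": "Engineering Manager"}

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# 13-19 digit runs with optional spaces/dashes; candidates are validated with Luhn below
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Hints for GDPR special-category data: constructed keyword list, not exhaustive
SPECIAL_KEYWORDS = ("diagnosis", "blood type", "religion", "ethnic", "biometric")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list:
    """Return Luhn-valid card-number candidates found in text, digits only."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Finding:
    path: str
    owner: str
    emails: int = 0
    cards: int = 0
    special: list = field(default_factory=list)

    @property
    def classification(self) -> str:
        """Highest-risk label that applies; labels are this example's own."""
        if self.special:
            return "special-category"
        if self.emails or self.cards:
            return "personal"
        return "no-personal-data"


def scan_file(path: str, text: str, owners=OWNERS) -> Finding:
    """Discover personal-data indicators in one file and assign its owner."""
    owner = owners.get(path.split("/")[0], "UNASSIGNED")
    f = Finding(path=path, owner=owner)
    f.emails = len(EMAIL_RE.findall(text))
    f.cards = len(find_cards(text))
    low = text.lower()
    f.special = [k for k in SPECIAL_KEYWORDS if k in low]
    return f


def scan(files=SAMPLE_FILES) -> dict:
    return {path: scan_file(path, text) for path, text in files.items()}


def inventory(files=SAMPLE_FILES) -> list:
    """Data-inventory rows sorted highest risk first: (path, class, owner, emails, cards, special)."""
    order = {"special-category": 0, "personal": 1, "no-personal-data": 2}
    rows = sorted(scan(files).values(), key=lambda f: (order[f.classification], f.path))
    return [(f.path, f.classification, f.owner, f.emails, f.cards, f.special) for f in rows]


if __name__ == "__main__":
    for row in inventory():
        print(row)
```

Running the script lists the HR enrolment file first (a health keyword makes it special-category), the finance file second (one Luhn-valid card number), and the engineering README last. Note that the marketing newsletter is flagged "personal" on the strength of a role mailbox (press@example.org); that kind of false positive is why the slide pairs discovery with business-owner review and a policy, rather than treating the scan output as the classification.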

TWO: INCIDENT RESPONSE
The GDPR and NY requirements contain 72-hour data-breach notification mandates.

Poll Question: IS YOUR ORGANIZATION READY TO RESPOND TO INCIDENTS WITHIN STRICT TIMELINES?
a) Yes
b) No
c) Not sure

QUESTIONS TO CONSIDER
1. Are employees aware of what constitutes an incident to begin with, and how to report and manage an incident?
2. Have you optimized the tools you're using today to protect against and detect incidents?
3. Has your program been updated and tested to support today's cyber threats and compliance with breach notification requirements?
4. Do you have the tools and relationships in place to accelerate your response to a serious security incident, for containment and public management?
5. Does your plan include considerations for retaining forensic and PR firms that directly align to your cybersecurity insurance policy?

THREE: THIRD-PARTY RISK
Third parties can present your greatest area of risk exposure.

3RD PARTY RISK PROGRAM ELEMENTS
- Map your data. Understand which third parties have access to data, what categories of data they have, and what they are doing with it.
- Make sure you collect only the minimum amount of personal data required for the product or service, and review legal grounds for collection and processing.
- Ensure you have appropriate budget and resources allocated for completing assessments of third parties, and for remediation projects.
- Review your contracts to ensure they are compliant with both regulatory mandates (GDPR contains requirements for contracts with data processors, as well as between data controllers) and with your own security policies.
- Complete assessments of all third parties that have access to, handle or touch your client/personal data to ascertain their awareness of specific requirements, and to ensure that they have appropriate technical and organizational measures in place to comply.
- Ensure third parties are scored based on risk-assessment results and other due diligence.
- For high-risk third parties, identify audit partners for the assessment of processes, and set the scope of remediation programs and ongoing monitoring requirements.

PEOPLE
- Adhere to regulation-specific staffing requirements, such as GDPR's DPO and NY's CISO (drives accountability)
- Education and awareness
- Changing behaviors around the collection and use of data
- Establishing appropriate consent controls
- Ensure suitable technical (security analysts, IR team) and non-technical (business leadership, legal, PR) staff is in place and is trained appropriately

PROCESS
- Perform risk assessment (utilizing a framework like NIST, ISO, etc.)
- Identify and manage collection of sensitive data
- Set processing/dissemination rules
- Ensure means to address inquiries and adhere to 72-hour notification requirements
- Establish data lifecycle management (inventory, classify, track the movement of, and dispose of, data)
- Set IR processes (preparation, detection/reporting, triage/analysis, containment/neutralization and post-incident activity)
- Develop third-party risk program

TECHNOLOGY
- Visibility (identify data and its location: endpoint, DB/shares, cloud, structured/unstructured)
- Analytics (when, where, and how data is moving)
- Data protection tools (discovery, classification, DLP, encryption, IAM, CASB, and gateway controls)
- Detection tools (IDS/IPS, NGFW, UEBA)
- Containment tools: Endpoint Detection and Response, and forensics tools
- Third-party risk and security scoring tools

"WE'RE ALL GOING TO HAVE TO CHANGE THE WAY WE THINK ABOUT DATA PROTECTION." Elizabeth Denham, UK Information Commissioner

QUESTIONS
David O'Leary: doleary@forsythe.com
Thomas Eck: teck@forsythe.com
Or contact your Forsythe Account Manager