(2017) GDPR – What Does It Mean For The Mainframe v0.2
2 likes773 views
The document discusses the implications of the General Data Protection Regulation (GDPR) on mainframe systems, emphasizing the need for compliance among businesses that handle personal data of EU citizens. It addresses common misconceptions regarding GDPR and outlines seven critical steps for meeting technical requirements, focusing on data discovery, access control, encryption, and security certifications. Additionally, it highlights the urgency for businesses to prepare for GDPR enforcement, stressing that many organizations are unprepared.
(2017) GDPR – What Does It Mean For The Mainframe v0.2
- 2. Who am I? A quick introduction… RUI MIGUEL FEIO • Senior Technical Lead at RSM Partners • Based in the UK but travels all over the world • 18 years experience working with mainframes • Started with IBM as an MVS Sys Programmer • Specialist in mainframe security • Experience in other platforms
- 14. • GDPR is composed of 11 chapters and 99 articles: – Chapter 1 – General provisions – Chapter 2 – Principles – Chapter 3 – Rights of the data subject – Chapter 4 – Controller and processor – Chapter 5 – Transfers of personal data to third countries or international organisations – Chapter 6 – Independent supervisory authorities – Chapter 7 – Cooperation and consistency – Chapter 8 – Remedies, liability and penalties – Chapter 9 – Provisions relating to specific processing situations – Chapter 10 – Delegated acts and implementing acts – Chapter 11 – Final provisions GDPR Regulation
- 15. • General Data Protection Regulation to be enforced on 25 May 2018 • This regulation will impact any business, whether based in the EU or not, that holds the personal data of EU citizens. • GDPR is driven by two serious threats: – Reputational damage – Monetary fines (up to €20m max or 4% of total worldwide annual turnover, whichever is higher) • Mandatory for businesses of over 250 employees to appoint a Data Protection Officer (DPO). • GDPR has several rules such as ‘the right to be forgotten’ GDPR Overview http://www.eugdpr.org/
- 17. • 1 in 4 companies in the UK have stopped preparing for GDPR • “If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective as to whether or not you the UK retains the GDPR post-Brexit.” * • 84% of financial services firms are not prepared for GDPR** The Brexit and GDPR * http://www.eugdpr.org/gdpr-faqs.html ** 2016 Egress article
- 19. • Most mainframe sites have not started to prepare for GDPR! • Main reasons are: – Belief that it only applies to countries of the European Union – Mainframe is unhackable so there’s nothing to be done – Mainframe meets all the GDPR requirements by default • Funny enough in some cases the GDPR compliance box has been ticked without the mainframe technical teams being even consulted!! Current Status
- 20. • How much customer data do you store on the mainframe? • What type of data you are collecting? • How much of that data relates to EU citizens or companies? • How data is processed, managed, stored and protected? • Which applications and processes use the data? • Who has got access to it? • Is the data properly classified? Do You Know?
- 26. • 7 Steps to meet the GDPR technical requirements: – # 1 - Data Discovery & Detection: • Identify, document and classify the data • Where is it used, processed and stored? – # 2 - Access Control & Restriction: • Access to Data must be restricted • Access control of applications, processes and databases needs to be reviewed Mainframe Technical Perspective (1)
- 27. – # 3 - End-point-protection: • Tapes and other end-point-devices need to be controlled and protected. • Consider this: – Can the data be accessed by mobile devices? – Can the data be downloaded to the local terminal and transferred into a USB memory stick? – # 4 - Pseudonymisation and Encryption: • Data should be encrypted and anonymised both at “rest” and ”in transit” Mainframe Technical Perspective (2)
- 28. – # 5 - Backup and Recovery: • Think of CIA: Confidentiality, Integrity and Availability – # 6 - Anti-virus & Malware detection: • Does not apply to the mainframe (until it does) • Think of alerting and monitoring – # 7 - Vulnerability scanning and Penetration testing: • Consider undertaking these tests at a reasonable frequency to keep measuring your security effectiveness Mainframe Technical Perspective (3)
- 32. • Some examples of products that may help with GDPR: – IBM zSecure (or Vanguard’s equivalent) – IBM Multi-Factor Authentication for z/OS – IBM Security Identity Governance and Intelligence – RSM Exception Reporter – RSM Enterprise Connector – RSM zDetect – CA Privileged Access Manager – CA Test Data Manager – CA Data Content Discovery Mainframe Technical Software
- 36. Questions?