GDPR in practice
Download as PPTX, PDF3 likes888 views
The document discusses GDPR compliance and the importance of implementing robust security measures, including pseudonymisation, encryption, and breach notification procedures. It outlines the responsibilities of data controllers and processors and emphasizes the need for continuous monitoring, employee training, and risk management. Furthermore, it highlights the role of User Entity Behavior Analytics (UEBA) in detecting anomalies and facilitating timely breach reporting within the stipulated 72-hour notification period.
GDPR in practice
- 1. Analyze. Detect. Protect. Jamie Graves, CEO j.graves@zonefox.com @zonefox @DrJamieGraves GDPR In Practice
- 2. ZoneFox UEBA ★ User Entity Behaviour Analytics (UEBA) ★ Detects and alerts on human behaviour ○ Rules - for the known (compliance) ○ Machine Learning – for the unknown
- 3. Agenda • A refresher on GDPR • Some Activities to get you GDPR ready • Where’s my data? • Data Breach Notification • UEBA • 72 hours…
- 4. Background • The GDPR states clearly in Article 32 that as of May 2018: – “The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: • The pseudonymisation and encryption of personal data; • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”"
- 5. Effect • Increased fines - 4% of global turnover or €20,000,000 • Opt-in consent - Clear, no opt-out, use data only as agreed • Breach notification - 72 hours to regulators, users “without delay” • Territorial scope - All organizations with data on EU individuals • Joint liability - Data controllers and processors • Right to removal - The users are in charge • Removes ambiguity - 28 laws become one • Data transfer - Data keeps privacy rights as it moves globally • Common enforcement - Authorities will be strict • Collective redress - Class action lawsuits from individuals • 25th May 2018
- 6. The Challenge • Goal: By 1 May 18 - Ensure corporate security polices, corporate security procedures meet minimum data protection standards under the GDPR. – Conduct GDPR gap analysis on corporate security polices & corporate security procedures – Construct roadmap for to meet minimum data protection requirements under GDPR
- 7. The Basics • Fundamental Information Security Principles – Policies – People – Processes • Ensuring – Board Buy-in – Continuous Monitoring – Risk-based methodology – The appropriate technologies to mitigate risk – Employee Training and Awareness – CISO in charge of security – Conduct Threat Assessments – Necessary skills are covered – Incident Response
- 8. Implementation Activities/Timeline • Review of PII in Organisation • Board Buy-in • Review - Analysis of Existing Capabilities – Legal; data privacy and use criteria, permissions – Operational; where is PII data at the moment? – Policy; what are existing policies in relation to date use, • Gap Identification • Planning – Breach Response – Reporting for accountability – Transparency Requirements – Vendor Selection – Education – Data Tracking • Execution – Risk Mitigation – Continuous Monitoring
- 9. Data Breach Notification • On being informed of a breach you must: – Understand the scope of the breach – is PII involved? • If PII is involved, – A plan must be developed and delivered to the regulator on how to remedy thebreach – All affected parties MUST be informed • All within 72 hours.
- 10. Achieving Rapid Breach Notification • Tracking and monitoring user access to PII – The form of insight is at the source – the data layer itself • UEBA technologies can help – User – Entity – Behaviour – Analytics • Earlier Breach notification & Complementary Forensic Investigation
- 11. Covering the Basics – Some Examples • Know your assets • Enforce separation of duties and least privilege • Clearly Document and consistently enforce policies and controls • Implement strict password and account management policies and practices • Incorporate insider threat awareness into periodic security training • Define explicit security agreements for any cloud services • Institutionalise system change controls
- 12. • Rules alone cannot catch everything • Machine Learning – NOT A.I. – Well known Statistical Techniques applied to data that is • Clean • Consistent • Concise Machine Learning for Early Insights
- 13. Building a Baseline of behaviour • Establish a baseline of normal network device behaviour • Monitor and control remote access from all end points, including mobile devices • Use a log correlation engine and SIEM to log, monitor, and audit employee actions • Strong integration between IT and HR or other necessary functions
- 14. UEBA 101 • Record user activity; Ideally actual activity at the endpoint. • Build a profile for a user over a period of time. • Compare a user’s new activity to their previous activity. • Use peer groups to reduce false positives.
- 15. How does it work? Statistically relevant outlier a.k.a Bad Guy
- 16. Forensics • Forensic/Incident response required to drill into background/causes • Need to quickly and accurately identify PII involved • Need for logging, auditing and retention of traces of information relating to – Data Movement – Data CRUD activities
- 19. Argyle house, Edinburgh, EH3 9DR, Scotland +44 (0) 845 388 4999 info@zonefox.com @zonefox zonefox.com Thanks for listening