The GDPR is a large piece of legislation, and for many organizations the first questions are simply “Where do we start?” and “What do we prioritize?” We brought together a team of privacy, compliance, and technology experts to list the key questions any company should think about in relation to GDPR compliance. Business leaders and security executives should take a critical look at their existing data security programs and then ask the 10 questions below. Account managers and pre-sales engineers can use the same questions to structure GDPR discovery conversations with customers.
1. Is there a culture of data security and awareness in our organization?
It is essential that everyone, from executives to end users, administrators, and developers, be trained, certified where appropriate, and ready to foster a culture of data security and privacy by design within the organization. The regulation requires the appointment of a data protection officer (DPO) for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37); many other organizations appoint one voluntarily. The DPO is responsible for monitoring organizational compliance and for communication with supervisory authorities. This role, together with executive sponsorship, is essential to positive culture change in an organization.
2. Do we know what privacy-related data we collect and where it is stored?
An overriding principle of the GDPR is data minimization: collect only the data required to provide the goods or services in question. Knowing what data the organization collects lets it focus its compliance effort instead of applying a blanket, costly approach. Just as importantly, you cannot protect data whose key repositories, applications, and business processes you do not know; many data loss prevention programs fail on exactly this point. Data is everywhere today, increasingly on mobile devices and in cloud systems, which widens the exposure to attack or misuse. A key consideration is a continuous data discovery, inventory, and classification program run by a cross-functional team of business data owners, security operations staff, and data security professionals.
3. Do we employ encryption for data protection?
Encryption is a key mitigating factor for both accidental and malicious data loss incidents and should be employed wherever possible to protect data at rest and in transit, particularly on mobile devices such as laptops and for data uploaded to cloud services. The GDPR names encryption explicitly as an appropriate technical measure (Article 32), and a breach of data that has been rendered unintelligible to unauthorized parties, for example by encryption, does not have to be communicated to the affected individuals (Article 34). That benefit only holds if the keys are managed separately from the data: a stolen laptop with its disk encryption passphrase written on a note in the bag, or a cloud bucket encrypted with a key that the same compromised account can read, provides little protection.
4. Is a data security project currently in place or is one planned for this year?
Establishing a data security program that includes host- and network-based policy enforcement points is essential to prevent or detect accidental data loss and malicious data theft. Given that the regulation is coming into force and that effective data security controls are complicated to implement, organizations should allocate the necessary resources as soon as possible.
5. Do we have an existing in-house application security program?
Many enterprises develop a significant number of their business applications in house. These applications are often internet-accessible and hold private customer data. According to Verizon’s 2016 Data Breach Investigations Report, web application attacks were the most frequent incident pattern among confirmed data breaches. As organizations adopt continuous delivery and DevOps practices, it is more important than ever to build in a secure-by-design approach. Key security controls to consider include secure coding practices and training for developers, application log collection, regular penetration testing, and perimeter network intrusion prevention systems.
6. Do we know where all of our databases are located and the types of data they store?
Databases often hold the crown jewels of an organization, particularly customer data. Yet many organizations deploy only basic security controls, do not patch regularly because of application downtime, and rely on the database administrators themselves for activity monitoring, which leaves privileged misuse unwatched. In addition, many databases are deployed for testing and development, and production data copied into them creates another route to sensitive data exposure. For GDPR readiness, key actions include discovery of on-premises and hosted databases, a review of database security procedures, additional protection against exploitation of unpatched vulnerabilities, and specific database breach use cases in security operations. For databases hosted by third parties, review the contracts with the hosting companies (which, under the regulation, must cover the processor's obligations) and assess their security posture.
7. How do we account for cloud software-as-a-service applications that house private data?
Used by almost every organization, cloud applications range from business applications like Salesforce to cloud storage services like Box. The cloud provider is responsible for the security of its infrastructure, but the organization remains responsible for protecting the data it places there and for monitoring how its users access it; under the GDPR the organization is typically the controller and the SaaS provider a processor, and a processing agreement with the provider is required. Two key GDPR-related security controls to consider here are a Cloud Access Security Broker (CASB) and user behavior analytics, which together help control access and identify and respond to unusual account activity.
8. How are we controlling privileges and privileged user activity, particularly with cloud services?
According to Verizon’s 2016 Data Breach Investigations Report, privilege abuse is the most commonly reported form of insider misuse. Insider actions are among the most difficult to detect, and organizations typically take months to discover such incidents. Cloud services add to the attack surface, because administrative consoles and API keys are reachable from anywhere. Reducing, controlling, and monitoring privileged user activity, including cloud administrator accounts, is therefore a key consideration for GDPR compliance and for data protection in general.
9. What is the status of our advanced malware protection plans?
Verizon’s 2016 Data Breach Investigations Report found that almost 60% of malware incidents involved malware designed to steal or export data. Spear phishing is the most common way of delivering the malware that gives an attacker persistent access to a system. Once inside the network, an attacker using this approach uses stolen credentials to reach sensitive systems and encrypted channels to exfiltrate data. In addition to advanced malware protection at the endpoint, consider egress controls that can inspect HTTPS, the most common exfiltration channel. Note that TLS inspection of employee traffic is itself processing of personal data, so scope it, document it, and exclude categories such as banking and health sites in line with the organization's privacy policy.
10. Does Security Operations have pre-planned data breach detection use cases?
The GDPR requires a controller to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). The clock starts at awareness, but the regulation also expects breaches to be detected without undue delay, so the organization needs the capability to detect a breach, establish its scope, and document it within that time frame. The SANS 2017 Incident Response Survey found that about 84% of organizations had at least one dedicated incident response team member, but only 53% considered themselves in a mature or maturing state for incident response. Even in mature security operations centers, data breach incidents are difficult to identify, investigate, and respond to, especially at speed. A key consideration for GDPR readiness is to consolidate security data in a SIEM, to define breach detection use cases in advance for the repositories identified in the data inventory, and to employ user and entity behavior analytics (UEBA) to surface anomalous behavior that no single rule would catch.
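What a pre-planned database breach use case (question 6) combined with simple per-user behavior baselining (question 10) looks like in practice, as an added example that is not code from the original page or from any product it mentions. The audit-line format ("timestamp user source_ip table rows_returned"), the user names, table names, IP addresses and thresholds are all constructed for illustration; a real deployment would read the SIEM's normalized database audit events instead.

```python
"""Toy UEBA-style breach detection use case over database audit logs.

Added example, not code from the original page. The audit-line format
("<timestamp> <user> <source_ip> <table> <rows_returned>"), the users,
tables, addresses and thresholds are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline window: normal activity for two analysts.
BASELINE_LOG = """\
2017-11-01T09:12:03 alice 10.0.4.21 customers 40
2017-11-01T10:40:11 alice 10.0.4.21 customers 55
2017-11-02T09:05:44 alice 10.0.4.21 orders 120
2017-11-02T14:22:09 alice 10.0.4.21 customers 48
2017-11-01T11:00:00 bob 10.0.7.8 orders 300
2017-11-02T11:30:00 bob 10.0.7.8 orders 280
2017-11-03T11:15:00 bob 10.0.7.8 orders 310
"""

# Constructed detection window: one night-time bulk read of the customer
# table from an unfamiliar address using alice's credentials.
DETECTION_LOG = """\
2017-11-06T09:30:00 alice 10.0.4.21 customers 52
2017-11-06T02:14:37 alice 203.0.113.9 customers 250000
2017-11-06T11:05:00 bob 10.0.7.8 orders 295
"""

SENSITIVE_TABLES = {"customers"}  # from the data inventory (hypothetical)
MIN_SAMPLES = 3         # observations needed before trusting a z-score
Z_THRESHOLD = 3.0       # standard deviations above the user's mean row count
RATIO_THRESHOLD = 10.0  # fallback: multiple of the largest read seen for the user


def parse_line(line):
    """Parse one constructed audit line into a dict."""
    ts, user, src_ip, table, rows = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src_ip": src_ip, "table": table, "rows": int(rows)}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Per-user profile: row counts, source addresses and hours of activity."""
    profile = defaultdict(lambda: {"rows": [], "ips": set(), "hours": set()})
    for e in events:
        p = profile[e["user"]]
        p["rows"].append(e["rows"])
        p["ips"].add(e["src_ip"])
        p["hours"].add(e["ts"].hour)
    return dict(profile)


def is_volume_anomaly(rows, history):
    """z-score when there is enough history, otherwise a simple ratio rule."""
    if len(history) >= MIN_SAMPLES and pstdev(history) > 0:
        return (rows - mean(history)) / pstdev(history) > Z_THRESHOLD
    return rows > RATIO_THRESHOLD * max(history, default=0)


def detect(events, baseline):
    """Run the breach use cases; returns (user, rule, detail) alerts."""
    alerts = []
    for e in events:
        p = baseline.get(e["user"])
        if p is None:
            alerts.append((e["user"], "unprofiled_user", e["table"]))
            continue
        if e["src_ip"] not in p["ips"]:
            alerts.append((e["user"], "new_source_ip", e["src_ip"]))
        if e["ts"].hour not in p["hours"]:
            alerts.append((e["user"], "unusual_hour", e["ts"].hour))
        if is_volume_anomaly(e["rows"], p["rows"]):
            rule = "bulk_read_sensitive" if e["table"] in SENSITIVE_TABLES else "bulk_read"
            alerts.append((e["user"], rule, e["rows"]))
    return alerts


def escalate(alerts, min_rules=2):
    """Users that tripped several distinct rules: the candidates for a breach
    investigation (and the 72-hour clock), rather than every single alert."""
    rules_by_user = defaultdict(set)
    for user, rule, _ in alerts:
        rules_by_user[user].add(rule)
    return {u for u, rules in rules_by_user.items() if len(rules) >= min_rules}


def run():
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(DETECTION_LOG), baseline)


if __name__ == "__main__":
    found = run()
    for alert in found:
        print(alert)
    print("escalate:", escalate(found))
```

On the constructed input, bob's activity produces no alerts while alice's 02:14 read trips three distinct rules (new source address, unusual hour, bulk read of a table known to hold personal data), which is what `escalate()` turns into a single investigation. The point of corroborating several weak signals rather than paging on any one of them is that each rule alone is noisy; a bulk export on its own may be a legitimate report run, and a new IP alone may be a home connection, but together they describe the credential-theft-and-exfiltration pattern that the 72-hour notification window is meant to catch.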