What is ‘privacy by design’?

Privacy by design is a voluntary approach to projects that builds privacy and data protection in from the outset, and it helps you comply with the Data Protection Act 1998 (DPA).

The Information Commissioner’s Office (ICO) encourages organisations to seriously consider privacy and data protection throughout a project lifecycle, including when:

  • Building new IT systems to store or access personal data;
  • Complying with regulatory or contractual requirements;
  • Developing internal policies or strategies with privacy implications;
  • Collaborating with an external party that involves data sharing; or
  • Using existing data for new purposes.

Privacy by design and the GDPR

The upcoming EU General Data Protection Regulation (GDPR) will supersede the DPA. Article 25 of the GDPR, “Data protection by design and by default”, requires you to “implement appropriate technical and organisational measures” throughout your data processing project, so that by default only the personal data necessary for each specific purpose is processed. Data protection must therefore be considered at the design stage of any project, and you should process and retain as little personal data as possible, for as short a time as the purpose requires.

Under the GDPR, you are required to document your data processing activities. One way to do this is to map your organisation’s data flows. Mapping also lets you assess the privacy and data security risks in your processing activities and identify where controls are required.

Organisations need to be aware of the personal data they are processing, and that this data is being processed in compliance with the law. Organisations often process significantly more data than they realise, so it is vital that they perform mapping exercises to keep track of it all.

Data flow mapping may seem daunting, but you can simplify the process with the Data Flow Mapping Tool.

The tool gives you a thorough understanding of what personal data your organisation processes and why, where it is held and how it is transferred.

IT Governance’s free green paper ‘Conducting a data flow mapping exercise under the GDPR’ will help you understand how to map your data effectively in compliance with the GDPR.

Six Essential Data Protection and Privacy Requirements Under GDPR

By Leighton Johnson, CISA, CISM, CIFI, CISSP

With the European Union (EU) deadline for the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) coming up on 25 May 2018, many organizations are addressing their data gathering, protection and retention needs concerning the privacy of the data they hold on EU citizens and residents. This regulation has many parts, as ISACA has described in many of its recent publications and events, but all of the effort revolves around the protection and retention of EU data subjects’ personal information. The six main areas for data protection that the regulation emphasises are:

  1. Data security controls need to be active at all times, by default. Making security controls optional is neither recommended nor acceptable. “Always on” is the mantra for protection.
  2. These controls and the protection they provide must be embedded inside all applications. The GDPR view is that privacy is an essential part of a system’s functionality, its security and its processing activities.
  3. Along with embedding data protection controls in applications, the system must maintain data privacy across the entire processing effort for the affected data. This end-to-end protection covers collection, retention and the new “right to be forgotten” requirement, under which the customer has the right to request removal of their data from an organization’s storage.
  4. Full functionality: data protection and privacy are added to a processing system alongside, not instead of, its security and business requirements. Business requirements and data protection requirements are treated as equally important throughout the business process.
  5. The primary requirement for protection within the GDPR framework is that the security and privacy controls implemented are proactive rather than reactive. The system’s principal goal is to prevent incidents, unauthorised disclosures and successful attacks, keeping privacy events from occurring in the first place.
  6. With all of these areas needed under the GDPR, the most important point for organizations to understand is transparency. The EU wants full disclosure of an organization’s efforts, documentation, reviews, assessments and results, available for independent third-party review at any point. The goal is that privacy does not rest on an organization’s own account of its technology or business practices: it must be demonstrable to outside parties. The regulation deliberately includes substantial fines to ensure compliance.

Having reviewed various organizational efforts in preparation for GDPR implementation, I have found it good practice to apply these six areas to all collected and retained data, not just EU-based data. The regulation’s approach to data breaches is purposely designed to be stringent. Good luck to all in meeting and maintaining the data privacy and security requirements of the GDPR.


Pinpoint your current cyber security gaps

A comprehensive information security management system (as defined by the requirements contained in ISO 27001) details the steps required for the effective management of information security (and cyber security) risks.

An ISO 27001 gap analysis is a sensible starting point for assessing the gaps in your information security regime.

Even if you aren’t considering certification to ISO 27001, an in-person gap analysis against the requirements of a leading information security standard offers the following benefits:

 

  • A high-level review of the efficacy of your policies, procedures, processes and controls
  • Interviews with key managers
  • Assistance defining the scope of a proposed information security management system (ISMS)
  • A detailed compliance status report against the clauses and controls described in ISO 27001

 

Description

Our ISO 27001 Gap Analysis will provide you with an informed assessment of:

  • Your compliance gaps against ISO 27001
  • The proposed scope of your information security management system (ISMS)
  • Your internal resource requirements; and
  • The potential timeline to achieve certification readiness.

 

What to expect:

An ISO 27001 specialist will interview key managers and perform an analysis of your existing information security arrangements and documentation.

Following this, you will receive a gap analysis report collating the findings of these investigations. The report will detail areas of compliance and areas requiring improvement, and provide further recommendations for the proposed ISO 27001 compliance project.

 

The report includes:

  • The overall state and maturity of your information security arrangements
  • The specific gaps between these arrangements and the requirements of ISO 27001
  • Options for the scope of an ISMS, and how they help to meet your business and strategic objectives
  • An outline action plan and indications of the level of internal management effort required to implement an ISO 27001 ISMS; and
  • A compliance status report (red/amber/green) against the management system clauses (clause-by-clause), as well as the information security controls (control-by-control) described in ISO 27001:2013.

 

Please contact us for further information or to speak to an infosec expert.


Top 5 Programming Languages In 2018

The programming world keeps growing every year, with over 600 distinct programming languages now in existence. The question on everyone’s mind is which language is the most appropriate given current and future market needs.

Let’s see which programming languages are popular enough today to deserve your attention:

1. Java:
There is no doubt that Java has held its place as the most popular language for a long time. It is still the most favoured language for building the back ends of modern applications.

2. Python:
One of the main reasons Python has become so common is the wealth of frameworks available for practically anything, from web applications to text mining.

3. JavaScript:
Every web browser supports JavaScript; it is used by over 80% of developers and by 95% of all websites. With Node.js, even the back end can be developed in JavaScript.

4. C++:
This language is regularly used for application software, game development, drivers, client-server applications and embedded firmware. According to Coding Dojo, C++ continues in use in several legacy systems at large enterprises.

5. C#:
An object-oriented language from Microsoft designed to run on the .NET platform. It is designed for general software development and is also used heavily in video game development.


From CIA to APT: An Introduction to Cyber Security


By Edward Amoroso

Most introductory books on cyber security are either too technical for popular readers, or too casual for professional ones. This book, in contrast, is intended to reside somewhere in the middle. That is, while concepts are explained in a friendly manner for any educated adult, the book also necessarily includes network diagrams with the obligatory references to clouds, servers, and packets.

But don’t let this scare you. Anyone with an ounce of determination can get through every page of this book, and will come out better informed, not only on cyber security, but also on computing, networking, and software. While it is true that college students will find the material particularly accessible, any adult with the desire to learn will find this book part of an exciting new journey.

A great irony is that the dizzying assortment of articles, posts, and books currently available on cyber security makes it difficult to navigate the topic. Furthermore, with so much information coming from writers with questionable backgrounds in cyber security, separating the wheat from the chaff has become an almost impossible task for most readers, experienced or otherwise.

This book is written specifically to address that problem. That is, we set out to create an accessible but technically accurate work on cyber security that would not insult the intelligence of our readers. We avoid the temptation to navigate away from the technical issues, choosing instead to steer toward the detailed concepts in the hopes that our readers will develop new understanding and insights.

The material here provides a technical grounding that is commensurate with what you might receive in a college course on the topic. If you are an engineer, developer, or student, then you are certainly in the right place. On the other hand, if you work in management, executive leadership, or some other non-technical role, then this is exactly the technical grounding in cyber that you’ve been looking for.

Anyone who has not been sleeping in a cave the past few years knows the consequences of misguided decision-making in cyber security. Business leaders colliding with this complex issue will find their intellectual property gone and their services blocked by hackers. Government and political leaders who misstep in this area will find their careers, programs, and campaigns ruined.

Consider this: Target, Home Depot, and Sony have seen massive attacks on their infrastructure, and most citizens, including our leaders, have no idea how or why this occurred. Similarly, we watched data leaks from the US Office of Personnel Management and the Democratic National Committee, and most people have only a vague sense of how such cyber attacks were accomplished.

Perhaps more disturbingly, decision-makers in our society have no idea how to reduce this risk. Because they typically have zero technical understanding, they are forced to suggest simple, trite measures they can understand like awareness, penalties, and compliance. Our approach here is to demonstrate that cyber security attacks are best avoided through improved technology and architecture.

Written from the perspective of the professional cyber security executive, long-time academic, and industry analyst (Edward Amoroso), and the graduate computer science student, software developer, and occasional hacker (Matthew Amoroso), this book provides a concise technical introduction to cyber security that keeps things as straightforward as possible, but without veering into silly analogies.

One brief warning to expert readers: At times, we have decided to take out our scissors and trim some of the more confusing details of a given cyber security issue. We’ve tried in these cases to smooth the edges to make complex concepts more accessible, hopefully without changing the essence of the technology. This is a difficult task, we discovered, and we hope only fat was removed and never bone.

In the end, our hope is that this short book will help you become more technically equipped to navigate the mine fields of misleading and incorrect cyber security information found across the Internet and on television. It is our hope that you will be in a better position to make informed decisions about anything of consequence that might be affected by the growing potential for cyber attacks.

If you successfully complete this book, you will no longer have to shrug when asked about cyber security. Rather, you will be able to lean in and offer an informed opinion based on an introductory grounding in the fundamental aspects of cyber security technology. Our goal is to expand your understanding and make you a more informed and educated adult.

We are pleased that you’ll be spending time with our material. To not lose any momentum, proceed ahead and continue your reading right now with the first chapter on cyber threats.

This book is available for download today on Amazon.com!


4 reasons you should get a cyber security qualification

The dramatic rise in cyber attacks over the past few years has caught most businesses off guard. Their cyber security departments are severely understaffed, causing them to look desperately for qualified professionals to help tackle the threat.

There has never been a better time to get into cyber security, so if you’re looking to enter the field, or further your career in it, you could benefit massively from gaining a relevant qualification. Here are four reasons why:

  1. Cyber security professionals are well paid

Money isn’t everything when it comes to choosing your career, but it’s obviously a big factor for many people. We mentioned recently that people with a CISM®, PCI or GDPR qualification could earn £60,000 or more a year.

Of these, the CISM (Certified Information Security Manager) qualification is the most versatile. It’s the globally accepted standard of achievement among information security, information systems audit and IT governance professionals.

According to ITJobsWatch, people with a CISM qualification earn £64,000 a year on average. This figure has grown by more than 9% in the past two years.

  2. There’s a high level of job security

The shortage of qualified cyber security professionals means that those in the field are less likely to be replaced or made redundant. Their skills are hard to find elsewhere, and the more someone gets to know the company, the more valuable they will become.

Additionally, because almost every organisation currently needs cyber security professionals, those with the relevant qualifications are more likely to find a position in a location or company that suits them.

  3. There’s room for career growth

For the same reason that cyber security is a safe career, it’s also one that offers plenty of room for growth. Qualifications plus experience is a powerful combination that can help you move into more senior positions.

As you gain experience, you’ll also get the opportunity to earn more advanced qualifications. For example, you must have at least three years’ experience in IT risk management and information systems control to be eligible for the Certified in Risk and Information Systems Control (CRISC) qualification, and five years’ experience in IT governance to be eligible for the Certified in the Governance of Enterprise IT (CGEIT®) qualification.

  4. The work is rewarding

Cyber security is still a relatively young field, making it an exciting and prosperous place. The threats that organisations face are constantly evolving, so you’ll always have new challenges. Plus, you know that your hard work is for a good cause: to stop cyber criminals and keep your organisation safe.

What qualifications do I need?

The qualifications you need will depend on the career path you choose. If you’re interested in governance, risk management and compliance, for instance, CGEIT is the relevant qualification. If you’re interested in information security risk and control, CRISC is the one to aim for.

We’re currently running promotions on our CRISC, CGEIT, CISA and CISM training courses. If you book before 22 December, you’ll receive a 10% discount on the courses and a 5% discount on all reading materials.


Security in the Digital World

Cyberspace, the Internet, the digital world – call it what you will – is always developing. But so are the threats and risks that come with it.

It doesn’t matter whether you work in the most mature enterprise environment, are unemployed, retired or still at school, or whether you always have a smartphone in your hand or only use an e-reader: you are still at risk, and the threats will target you.

Protect yourself from increasing cyber threats and risks with our latest title, Security in the Digital World, now available to pre-order.

Security in the Digital World

This must-have guide features simple explanations, examples, and advice to help you be security aware online in the digital age. Learn how to:

  • Keep your information secure
  • Put the necessary controls on your home network, protecting your family from cyber crime
  • Prevent identity theft when shopping online or using contactless debit cards
  • Keep your children safe when using the Internet

Look inside this book >>


How ISO 27001 can help to achieve GDPR compliance

By Julia Dutton

Organizations have until 25 May 2018 to comply with the EU General Data Protection Regulation (GDPR).

Those who have studied the Regulation will be aware that it makes many references to certification schemes, seals and marks (Article 42). The GDPR encourages the use of certification to demonstrate compliance, and certification to an information security standard such as ISO 27001 is one way of demonstrating that the organisation is actively managing its data security in line with international best practice.

Managing people, processes and technology

ISO 27001 is the international best practice standard for information security, and is a certifiable standard that is broad-based and encompasses the three essential aspects of a comprehensive information security regime: people, processes and technology. By implementing measures to protect information using this three-pronged approach, the company is able to defend itself not only from technology-based risks, but also from other, more common threats, such as poorly informed staff or ineffective procedures.

By implementing ISO 27001, your organisation will be deploying an ISMS (information security management system): a system that is supported by top leadership, incorporated into your organisation’s culture and strategy, and constantly monitored, updated and reviewed. Using a process of continual improvement, your organisation will be able to ensure that the ISMS adapts to changes, both in the environment and inside the organisation, to continually identify and reduce risks.

What does the GDPR say?

The GDPR states clearly in Article 32 that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  1. the pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

Let’s look at these items separately:

Encryption of data is recommended by ISO 27001 as one of the measures that can and should be taken to reduce the identified risks. ISO 27001:2013 outlines 114 controls that can be used to reduce information security risks. Since the controls an organisation implements are based on the outcomes of an ISO 27001-compliant risk assessment, the organisation will be able to identify which assets are at risk and require encryption to protect them adequately.

One of ISO 27001’s core tenets is the importance of ensuring the ongoing confidentiality, integrity and availability of information. Not only is confidentiality important, but the integrity and availability of such data are critical as well. If the data is available but in a format that is not usable because of a system disruption, then the integrity of that data has been compromised; if the data is protected but inaccessible to those who need to use it as part of their jobs, then the availability of that data has been compromised.
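Article 32(a) names pseudonymisation alongside encryption, and the two are often confused in practice. The example below is added here and is not part of Julia Dutton’s article or of ISO 27001: it shows the difference between simply hashing an identifier (which stays reversible for low-entropy data such as e-mail addresses, because an attacker can hash a list of candidates) and keyed pseudonymisation with HMAC, where the records for one person remain linkable for processing but cannot be re-identified without the separately held key. The sample records and the fixed key are constructed for the demonstration; in a real deployment the key and the re-identification table would live in a key store or HSM, under their own controls, as the GDPR’s definition of pseudonymisation (Article 4(5)) requires.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (no real people). "email" is the direct
# identifier we pseudonymise before the data is processed more widely.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "postcode": "SW1A 1AA", "purchases": 3},
    {"email": "bob@example.org", "postcode": "EH1 1YZ", "purchases": 1},
    {"email": "alice@example.org", "postcode": "SW1A 1AA", "purchases": 2},
]


def naive_pseudonym(identifier):
    """Unkeyed SHA-256 of the identifier.

    Records for the same person still link together, but the mapping is
    trivially reversed by hashing a candidate list (see dictionary_attack),
    so this is not adequate pseudonymisation for e-mail addresses.
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier, key):
    """HMAC-SHA256 of the identifier under a secret key.

    Linkability is preserved for anyone processing the data, but without
    the key a candidate list cannot be used to reverse the mapping.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Return (pseudonymised records, re-identification table).

    The returned table maps token -> original identifier. It is the
    'additional information' that must be stored separately from the
    pseudonymised data and protected by its own measures.
    """
    pseudonymised, lookup = [], {}
    for record in records:
        token = keyed_pseudonym(record["email"], key)
        lookup[token] = record["email"]
        pseudonymised.append({
            "subject": token,
            "postcode": record["postcode"],
            "purchases": record["purchases"],
        })
    return pseudonymised, lookup


def dictionary_attack(token, candidates, key=None):
    """Try to re-identify a token by hashing each candidate identifier.

    With key=None this models an attacker who only holds the data set:
    it succeeds against naive_pseudonym tokens and fails against keyed
    ones. Passing the key models an insider who also obtained the key.
    """
    for candidate in candidates:
        if key is None:
            guess = naive_pseudonym(candidate)
        else:
            guess = keyed_pseudonym(candidate, key)
        if hmac.compare_digest(guess, token):
            return candidate
    return None


def purchases_per_subject(pseudonymised):
    """Aggregate over pseudonymised records: processing still works because
    the same person always receives the same token under the same key."""
    totals = {}
    for record in pseudonymised:
        totals[record["subject"]] = totals.get(record["subject"], 0) + record["purchases"]
    return totals


if __name__ == "__main__":
    # Fresh random key for the stand-alone run; store it separately from the data.
    key = secrets.token_bytes(32)
    data, lookup = pseudonymise(SAMPLE_RECORDS, key)
    candidates = ["carol@example.org", "alice@example.org", "bob@example.org"]
    naive_token = naive_pseudonym("alice@example.org")
    print("unkeyed hash re-identified as:", dictionary_attack(naive_token, candidates))
    print("keyed token without key:", dictionary_attack(data[0]["subject"], candidates))
    print("keyed token with key:", dictionary_attack(data[0]["subject"], candidates, key))
    print("purchases per pseudonymous subject:", purchases_per_subject(data))
```

The point for an ISO 27001 risk treatment plan is that “we hash the e-mail column” does not by itself satisfy Article 32(a): the key (or the lookup table) is what turns a hash into a pseudonym, and it needs its own access control, logging and rotation, separate from the data set it protects.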

Risk assessment

ISO 27001 mandates that organisations conduct a thorough risk assessment by identifying threats and vulnerabilities that can affect an organisation’s information assets, and to take steps to assure the confidentiality, availability and integrity (CIA) of that data. The GDPR specifically requires a risk assessment to ensure an organisation has identified risks that can impact personal data.

Business continuity

ISO 27001 addresses the importance of business continuity management, whereby it provides a set of controls that will assist the organisation to protect the availability of information in case of an incident and protect critical business processes from the effects of major disasters to ensure their timely resumption.

Testing and assessments

Lastly, organisations that opt for certification to ISO 27001 will have their ISMSs independently assessed and audited by an accredited certification body to ensure that the management system meets the requirements of the Standard. Companies need to regularly review their ISMS and conduct the necessary assessments as prescribed by the Standard in order to ensure it continues protecting the company’s information. Achieving accredited certification to ISO 27001 delivers an independent, expert assessment of whether you have implemented adequate measures to protect your data.

The requirements to achieve compliance with ISO 27001 of course do not stop there. Being a broad standard, it covers many other elements, including the importance of staff awareness training and leadership support. ISO 27001 has already been adopted by thousands of organisations globally and, given the current rate and severity of data breaches, it is also one of the fastest growing management system standards today.

Related articles:

  • Read more about ISO 27001 and the GDPR
  • GDPR Documentation Toolkit and gap assessment tool
  • Understanding the GDPR: General Data Protection Regulation


Breach highlights the need for a cyber health check

Deloitte breach highlights the need for a cyber health check

Javier Brias

Deloitte, one of the world’s biggest accounting organizations, recently suffered a data breach that compromised confidential emails and plans of some of its blue-chip clients, according to the Guardian.

The hackers also had potential access to usernames, passwords, IP addresses, architectural designs and health information.

Deloitte has confirmed it was breached but said that only a small number of clients were affected.

This breach is even more unfortunate because Deloitte offers clients advice on how to manage risks posed by cyber attacks. Its Cyber Intelligence Centre states that it can “integrate state-of-the-art technology with industry insight to provide round-the-clock business-focused operational security.”

The problem with a solutions-based approach

The fact that Deloitte is a global consultancy with a cyber security practice of its own shows that no one is safe from a cyber attack.

In today’s cyber security market, technology vendors tend to focus on specific solutions, such as endpoint security, next-gen firewalls with IDS/IPS, email and web filtering, data loss prevention and identity access management. The problem is that mixing and matching solutions can cause interoperability gaps to materialise.

To understand the complexities of today’s IT infrastructure, companies need to have a strategic plan that takes a global view of the technological landscape and identifies the possible vulnerability points.

How Cyber Health Check fills the gaps

Our independent, three-phase Cyber Health Check service combines on-site consultancy and audit, remote vulnerability assessments and an online staff survey to identify your current cyber risks in the three key exposure areas of people, processes and technology.

This service will provide you with a concise report describing your current cyber risk status and critical exposures, and will draw on best practice – such as ISO 27001, 10 Steps to Cyber Security and Cyber Essentials – to provide recommendations for reducing your cyber and compliance risks. The report also provides feedback on basic cyber hygiene, cyber governance framework, policies and procedures, and technical controls.

The Cyber Health Check service identifies your actual cyber risks, assesses your responses to those risks and analyses your risk exposure. The result is a best-practice action plan to mitigate those risks effectively and in line with your business objectives.

For more information, visit our Cyber Health Check page.

Contact us for more information


Conducting an asset-based risk assessment in ISO 27001:2013

ISO 27001 is heavily focused on risk-based planning, to ensure that identified information risks are managed appropriately according to the threats and their nature. While asset-based risk assessment is still widely regarded as best practice and presents a robust methodology, it is no longer a requirement under ISO 27001:2013. The 2013 edition leaves it to the organisation to choose a suitable risk assessment methodology, for example ISO 27005 or ISO/IEC 31010.

It is commonly believed that an asset-based information security risk assessment provides a thorough and comprehensive approach to conducting a risk assessment, and this article will look at the steps to follow when conducting this type of risk assessment.

Where do you start when you embark on an asset-based information security risk assessment?

The first step would be to produce an asset register, which can be done through a series of interviews with asset owners. The ‘asset owner’ is an individual or entity that has responsibility for controlling the production, development, maintenance, use and security of an information asset.

Note: In the new standard, ISO 27001:2013, there is a stronger emphasis on the role of the ‘risk owner’, which pushes up the responsibility for the risks to a higher level within the organisation. However, since the approach we are following is an asset-based methodology, the asset owner would be the logical point to start in order to compile an asset register.

Once the asset register has been compiled, the next step is to identify any potential threats and vulnerabilities that could pose risks to those assets. A vulnerability / weakness of an asset or control can be defined as one that can be exploited by one or more threats.

Risk assessment & impact determination

Once the threats and vulnerabilities have been identified, then an analysis of the risks should be undertaken, to establish the impact level of the risks.  The impact value needs to take into consideration how the Confidentiality, Integrity and Availability of data can be affected by each of the risks.

It should also consider the business, legal, contractual and regulatory implications of risks, including the cost of the replacement of the asset, the potential loss of income, fines and reputational damage.

ISO 27005 presents a structured, systematic and rigorous process of analysing risks, and for creating the risk treatment plan, and includes a list of known threats and vulnerabilities that can be used for establishing the risks your information assets are exposed to.

vsRisk comes with an optional, pre-populated asset library.  Organisational roles are pre-assigned to each asset group, and the corresponding potential threats / risks are pre-applied to each asset. vsRisk also pre-assigns the relevant controls from Annex A to each threat. See sample below. View options to purchase vsRisk now.

Sample risk assessment

vsRisk™ provides key benefits for anyone undertaking an asset-based risk assessment.

By providing a simple framework and process to follow, vsRisk minimises the manual hassle and complexity of carrying out an information security risk assessment, saving the risk assessor time and resources. In addition, once the assessment has been completed, the risk assessments can be repeated easily in a standard format year after year.  The tool generates a set of 6 reports that can be exported and edited,  presented to management and audit teams, and includes pre-populated databases of threats and vulnerabilities as well as 7 different control sets that can be applied to treat the risks.


10 most clicked phishing email subject lines

10 most clicked phishing email subject lines

Ironically, the most successful phishing emails of Q3 2017 told recipients that they had been victims of a data breach.

This finding comes from a report from KnowBe4 that investigated the most effective phishing email subject lines. The report looked at tens of thousands of emails from simulated and custom phishing tests, and discovered that the most clicked subject line was ‘Official Data Breach Notification’.

Phishing subject lines

The top ten most clicked subject lines were:

  1. Official Data Breach Notification
  2. UPS Label Delivery 1ZBE312TNY00015011
  3. IT Reminder: Your Password Expires in Less Than 24 Hours
  4. Change of Password Required Immediately
  5. Please Read Important from Human Resources
  6. All Employees: Update your Healthcare Info
  7. Revised Vacation & Sick Time Policy
  8. Quick company survey
  9. A Delivery Attempt was made
  10. Email Account Updates

KnowBe4 also evaluated phishing email subject lines specifically from social networks. The most clicked subject lines were messages ostensibly from LinkedIn. This is worrying for organisations, as many people link their work email address to their LinkedIn account, and a successful phishing attack could expose the company to a data breach or further phishing emails.

Other common social media phishing emails claimed that someone had attempted to log in to their accounts, that they’d been tagged in a photo or that they’d received free pizza.

“Nearly impossible” for technology to protect you

Commenting on the study, KnowBe4’s chief evangelist and strategy officer, Perry Carpenter, said: “The level of sophistication hackers are now using makes it nearly impossible for a piece of technology to keep an organization protected against social engineering threats. Phishing attacks are smart, personalized and timed to match topical news cycles. Businesses have a responsibility to their employees, their shareholders and their clients to prevent phishing schemes.”

You can take action against targeted phishing attacks by enrolling your staff on the ITG Phishing Staff Awareness Course.

This online course shows your staff how phishing works, what to look out for and how to respond when they receive a malicious message. It’s ideal for all employees who use the Internet or email in their day-to-day duties and, as such, it’s delivered in simple terms that everyone in your organisation can understand.

Find out more about our Phishing Staff Awareness Course >>

GDPR essentials and how to achieve compliance

The GDPR will replace these with a pan-European regulatory framework effective from 25 May 2018. The GDPR applies to all EU organizations – whether commercial business or public authority – that collect, store or process the personal data (PII) of EU individuals.

Organizations based outside the EU that monitor or offer goods and services to individuals in the EU will have to observe the new European rules and adhere to the same level of protection of personal data. This potentially includes organizations everywhere in the world, regardless of how difficult it may be to enforce the Regulation. Compliance consultants must know the following 9 tenets of the GDPR.

  • Supervisory Authority – A one-stop shop provision means that organizations will only have to deal with a single supervisory authority, not one for each of the EU’s 28 member states, making it simpler and cheaper for companies to do business in the EU.
  • Breach Disclosure – Organizations must disclose and document the causes of breaches, the effects of breaches, and the actions taken to address them.
  • Processors – A processor must be able to provide “sufficient guarantees to implement appropriate technical and organizational measures” to ensure that processing will comply with the GDPR and that data subjects’ rights are protected. This requirement flows down the supply chain, so a processor cannot subcontract work to a second processor without the controller’s explicit authorization. If requested by a data subject, you must cease processing and using their data for a limited period of time.
  • Data Consent – The Regulation imposes stricter requirements on obtaining valid consent from individuals to justify the processing of their personal data. Consent must be a “freely given, specific, informed and unambiguous indication of the individual’s wishes”. The organization must also keep records so it can demonstrate that consent has been given by the relevant individual. Data can only be used for the purposes to which the data subject originally and explicitly consented. You must obtain and document consent for only one specific purpose at a time.
  • Right to be forgotten – Individuals have a right to require the data controller to erase all personal data held about them in certain circumstances, such as where the data is no longer necessary for the purposes for which it was collected. If requested by a data subject, you must erase their data on premises, in apps and on devices.
  • Data portability – Individuals will have the right to transfer personal data from one data controller to another where processing is based on consent or necessity for the performance of a contract, or where processing is carried out by automated means.
  • Documentation – The Regulation requires quite a bit of documentation. In addition to the explicit and implicit requirements for specific records (especially including proof of consent from data subjects), you should also ensure that you have documented how you comply with the GDPR so that you have some evidence to support your claims if the supervisory authority has any cause to investigate.
  • Fines – Major noncompliance with the Regulation will be punishable by fines of up to either 4% of group annual worldwide turnover or €20 million.
  • Data protection by design – Organizations must ensure data security and data privacy across cloud and endpoints, and design their systems and processes to protect against unauthorized data access and malware. Specifically, organizations must take appropriate technical and organizational measures before data processing begins to ensure that it meets the requirements of the Regulation. Data privacy risks must be properly assessed, and controllers may use adherence to approved codes of conduct or management system certifications, such as ISO 27001, to demonstrate their compliance.

How to improve information security under the GDPR

Although many businesses understand the importance of implementing the right procedures to detect, report and investigate a data breach, not many are aware of how to go about this effectively, especially during the implementation phase.

Seven steps that can help you prevent a data breach:

  1. Find out where your personal information resides and prioritize your data.
  2. Identify all the risks that could cause a breach of your personal data.
  3. Apply the most appropriate measures (controls) to mitigate those risks.
  4. Implement the necessary policies and procedures to support the controls.
  5. Conduct regular tests and audits to make sure the controls are working as intended.
  6. Review, report and update your plans regularly.
  7. Implement a comprehensive and robust ISMS (information security management system).

ISO 27001, the international information security standard, can help you achieve all of the above and protect all your other confidential company information, too. To achieve GDPR compliance, feel free to contact us for more detail on implementation.

Related articles on GDPR and ISO 27k

The GDPR and Personal Data…HELP! from Cloud Security Alliance

Data flow mapping under the EU GDPR

As part of an EU General Data Protection Regulation (GDPR) compliance project, organisations will need to map their data and information flows in order to assess their privacy risks. This is also an essential first step for completing a data protection impact assessment (DPIA), which is mandatory for certain types of processing.

The key elements of data mapping

To effectively map your data, you need to understand the information flow, describe it and identify its key elements.

1. Understand the information flow

An information flow is a transfer of information from one location to another, for example:

  • From inside to outside the European Union; or
  • From suppliers and sub-suppliers through to customers.

2. Describe the information flow

  • Walk through the information lifecycle to identify unforeseen or unintended uses of data. This also helps to minimise what data is collected.
  • Make sure the people who will be using the information are consulted on the practical implications.
  • Consider the potential future uses of the information collected, even if it is not immediately necessary.

3. Identify its key elements

Data items

  • What kind of data is being processed (name, email, address, etc.) and what category does it fall into (health data, criminal records, location data, etc.)?

Formats

  • In what format do you store data (hardcopy, digital, database, bring your own device, mobile phones, etc.)?

Transfer method

  • How do you collect data (post, telephone, social media) and how do you share it internally (within your organisation) and externally (with third parties)?

Location

  • What locations are involved within the data flow (offices, the Cloud, third parties, etc.)?

Accountability

  • Who is accountable for the personal data? Often this changes as the data moves throughout the organisation.

Access

  • Who has access to the data in question?
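As an added example that is not part of the original post or of any Vigilant Software tool, here is a small Python inventory that records the key elements above for each flow and runs the checks a risk assessor would want first (transfer outside the EU, sensitive data items, missing owner or access list). The Location and DataFlow types, the in_eu flag, the sensitive-category set and the sample flows are this example's own assumptions.

```python
from dataclasses import dataclass, field

# Categories from the page's "data items" element that this example treats as
# special-category data needing a DPIA review (an assumption, not the page's rule).
SENSITIVE_CATEGORIES = {"health data", "criminal records"}


@dataclass
class Location:
    name: str
    in_eu: bool  # constructed flag: whether the location lies inside the EU


@dataclass
class DataFlow:
    """One information flow, recorded with the page's key elements as fields."""
    name: str
    data_items: dict[str, str]  # item -> category, e.g. "email" -> "contact data"
    fmt: str                    # hardcopy, digital, database, BYOD, ...
    transfer_method: str        # post, telephone, email, API, ...
    source: Location
    destination: Location
    accountable: str = ""       # who is accountable for the data at this step
    access: set[str] = field(default_factory=set)


def assess(flows: list[DataFlow]) -> dict[str, list[str]]:
    """Return, per flow, the findings a risk assessor would follow up on."""
    findings = {}
    for f in flows:
        issues = []
        if f.source.in_eu and not f.destination.in_eu:
            issues.append(f"transfer outside the EU to {f.destination.name}")
        sensitive = sorted(i for i, c in f.data_items.items() if c in SENSITIVE_CATEGORIES)
        if sensitive:
            issues.append("special-category data, DPIA review: " + ", ".join(sensitive))
        if not f.accountable:
            issues.append("no accountable owner recorded")
        if not f.access:
            issues.append("access list not recorded")
        findings[f.name] = issues
    return findings


# Constructed sample flows; the offices, systems and people are invented.
DUBLIN = Location("Dublin office", in_eu=True)
SAMPLE_FLOWS = [
    DataFlow("HR onboarding form", {"name": "identity", "sick notes": "health data"},
             "hardcopy", "post", DUBLIN, Location("HR archive", in_eu=True),
             accountable="HR manager", access={"HR"}),
    DataFlow("Payroll backup", {"name": "identity", "bank account": "financial"},
             "database", "API", DUBLIN, Location("US cloud backup", in_eu=False)),
]
```

Running `assess(SAMPLE_FLOWS)` flags the payroll backup for the non-EU transfer and the missing owner and access list, and the onboarding form for the health data it carries.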

The key challenges of data mapping

  • Identifying personal data – Personal data can reside in a number of locations and be stored in a number of formats, such as paper, electronic and audio. Your first challenge is deciding what information you need to record and in what format.
  • Identifying appropriate technical and organisational safeguards – The second challenge is likely to be identifying the appropriate technology, and the policy and procedures for its use, to protect information while also determining who controls access to it.
  • Understanding legal and regulatory obligations – Your final challenge is determining what your organisation’s legal and regulatory obligations are. As well as the GDPR, this can include other compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001.

Once you’ve completed these three challenges, you’ll be in a position to move forward, gaining the trust and confidence of your key stakeholders.

Data flow mapping

To help you gather the above information and consolidate it into one area, Vigilant Software, a subsidiary of IT Governance, has developed a data flow mapping tool with a specific focus on the GDPR.

Information Security Certifications and Salaries

Is this a good time to be in the field of InfoSec? An (ISC)2 report shows the skills shortage is getting worse.

Over the next five years, the number of unfilled cybersecurity jobs will rise to a whopping 1.8 million, a 20% increase from 2015 estimates, according to a newly released (ISC)2 survey: Cybersecurity Faces 1.8 Million Worker Shortfall By 2022

Start learning InfoSec basics:

When planning to take on this career, at an early stage you should get as much practical experience as possible and achieve industry-standard qualifications offered by vendors such as Microsoft, Cisco, Check Point, Symantec and HP. Vendor-independent qualifications such as A+, Network+ and Security+ are also recommended.

When evaluating prospective InfoSec candidates, employers frequently look to certification as one of the measures of excellence in continuing education and commitment to learning. Below are the 7 most sought-after InfoSec certifications.

InfoSec Salaries review:

Security Analyst Salaries in the United States
Information Security Analyst Salary Range
IT Security Certifications Salary Guide
Top Cyber Security Salaries In U.S. Metros Hit $380,000

ISO27001 Gap Analysis

A specialist, in-person review of your current information security posture against the requirements of ISO/IEC 27001:2013.

Get the true picture of your ISO 27001 compliance gap, and receive expert advice on how to scope your project and establish your project resource requirements.

What to expect:

An ISO 27001 specialist will interview key stakeholders and perform an analysis of your existing information security arrangements and documentation.

Following this, you will receive a gap analysis report collating the findings of these investigations. The report will detail areas of compliance and areas requiring improvement, and provide further recommendations for the proposed ISO 27001 compliance project.

The report includes:

  • The overall state and maturity of your information security arrangements
  • The specific gaps between these arrangements and the requirements of ISO 27001
  • ISO 27001 2013 requirements
  • ISO 27002 2013 controls, categories and domains
  • Compliance report by ISO 27001 requirements
  • Compliance report by control ISO 27002 2013
  • Compliance report by category ISO 27002 2013
  • Compliance report by domain ISO 27002 2013

The DISC gap assessment includes a three- or six-level (CMMI) rating matrix of your choice for each control, category and domain.

Start your ISMS project with ISO27001 2013 Documentation Toolkit

ISO/IEC 27001 2005 to 2013 Gap Analysis Tool (Download)

Download ISO27000 family of information security standards today!

• ISO27001 2013 ISMS Requirement (Download now)

• ISO27002 2013 Code of Practice for ISM (Download now)

Contact us for further information or visit DISC site for our ISO27k services