Continuous GDPR compliance

Organisations are very much aware of the deadline of 25 May 2018 to become GDPR compliant. But let us not forget that 25 May is not just the end of the period to become compliant. Even more, it is the start of an era where organisations are to be GDPR compliant continuously.

So, as organisations are working to update their privacy statements, improve consent (e.g. opt-in vs opt-out), document records of processing, determine retention schedules and remove old personal data, determine which data subject rights are to be adhered to, and more, organisations should consider two perspectives:

  1. Manage the complete life cycle of personal data in the organisation
  2. Demonstrate GDPR compliance continuously


Manage the complete life cycle of personal data

A good starting point to understand an organisation’s handling of personal data is to consider the ‘types’ of persons about whom data is being collected. For instance, in a B2C organisation, these consist at least of Customers and Staff. But let us not forget the various types of Business Partners: data related to them can also concern personal data.

For each ‘type’ of personal data, e.g. Customers and Staff, you can follow the related data flow through the organisation, which from a privacy perspective is to be managed continuously, from the entry of personal data into the organisation until the moment such data is removed.
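One way to make the removal end of that life cycle both continuous and demonstrable is a scheduled retention review that is driven by the data type, not by GDPR clauses. The following is an added example, not code from the original post: it applies a retention schedule per ‘type’ of data subject to a set of constructed sample records, flags records whose retention has expired, escalates records for which no schedule exists (a control gap), and writes the evidence lines an auditor would ask for. The retention periods, record ids and owner roles are assumptions for illustration only, not a recommended schedule.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention period per data subject 'type', counted from the trigger date
# (last order, end of employment, contract end). Constructed sample values,
# not legal advice: the actual schedule is a privacy guideline of the organisation.
RETENTION_SCHEDULE = {
    "customer": timedelta(days=7 * 365),
    "staff": timedelta(days=2 * 365),
    "partner_contact": timedelta(days=365),
}


@dataclass(frozen=True)
class PersonalDataRecord:
    record_id: str       # hypothetical identifier of the data set
    subject_type: str    # 'type' of person: customer, staff, partner_contact, ...
    trigger_date: date   # date on which the retention clock started
    owner: str           # accountable role (governance: someone owns this data)


def retention_due_date(record, schedule=RETENTION_SCHEDULE):
    """Date from which the record may no longer be kept."""
    period = schedule.get(record.subject_type)
    if period is None:
        raise ValueError(f"no retention schedule for {record.subject_type!r}")
    return record.trigger_date + period


def review_retention(records, today, schedule=RETENTION_SCHEDULE):
    """Split records into (to_remove, retained, unclassified) for one review run."""
    to_remove, retained, unclassified = [], [], []
    for r in records:
        if r.subject_type not in schedule:
            # No schedule means nobody decided how long this data may live:
            # that is a gap to escalate, not something to silently retain.
            unclassified.append(r)
        elif retention_due_date(r, schedule) <= today:
            to_remove.append(r)
        else:
            retained.append(r)
    return to_remove, retained, unclassified


def evidence_entries(to_remove, unclassified, today, schedule=RETENTION_SCHEDULE):
    """Audit-trail lines that demonstrate the control ran and what it decided."""
    stamp = today.isoformat()
    lines = [f"{stamp} retention-review run: {len(to_remove)} due for removal, "
             f"{len(unclassified)} without schedule"]
    for r in to_remove:
        due = retention_due_date(r, schedule).isoformat()
        lines.append(f"{stamp} REMOVE {r.record_id} type={r.subject_type} "
                     f"owner={r.owner} due={due}")
    for r in unclassified:
        lines.append(f"{stamp} ESCALATE {r.record_id} type={r.subject_type} "
                     f"owner={r.owner} reason=no-retention-schedule")
    return lines


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    PersonalDataRecord("C-1001", "customer", date(2010, 1, 15), "Head of Sales"),
    PersonalDataRecord("C-1002", "customer", date(2016, 3, 1), "Head of Sales"),
    PersonalDataRecord("S-2001", "staff", date(2015, 6, 30), "HR Manager"),
    PersonalDataRecord("S-2002", "staff", date(2017, 1, 1), "HR Manager"),
    PersonalDataRecord("P-3001", "partner_contact", date(2017, 1, 31), "Procurement Lead"),
    PersonalDataRecord("X-4001", "marketing_lead", date(2017, 9, 1), "Marketing Manager"),
]


def run_review(today=date(2018, 5, 25)):
    """Run the review on the sample records and return its decisions and evidence."""
    to_remove, retained, unclassified = review_retention(SAMPLE_RECORDS, today)
    return to_remove, retained, unclassified, evidence_entries(to_remove, unclassified, today)


if __name__ == "__main__":
    for line in run_review()[3]:
        print(line)
```

Run on the review date, the three expired records are listed for removal with their accountable owner, the marketing lead record is escalated because its type has no schedule, and the remaining records stay. The evidence lines are the part that supports continuous accountability: kept per run, they show that the control operated and what it decided, rather than only that a schedule document exists.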

[Figure: personal data life cycle]


Demonstrate GDPR compliance continuously

As mentioned, GDPR compliance is to be managed continuously, including the accompanying accountability. An organisation must be able to demonstrate that it protects personal data, just as organisations must be demonstrably in control of financial reporting to be compliant with SOx.

To support both business and compliance, it would be very useful if privacy controls are designed based on the following:

  • actions are triggered spontaneously in the flow of regular business activities, e.g. as part of third party contracting, adequate on-boarding questionnaires and template documents are available
  • activities are well understood; for regular activities you should not need a lawyer to interpret requirements. Otherwise, errors and omissions are likely to occur, resulting in non-compliance
  • tasks are performed in a scalable way, e.g. self service for data subject requests
  • privacy knowledge is provided based on need, so that staff actually reach out to read and understand it, e.g. data retention schedules for relevant HR staff

The privacy controls consist of the components People, Processes and Technology. Using these components, an organisation needs to set up its Privacy Management Framework. This framework consists of Governance, Policy, Guidelines, Processes and Controls, Registries, and Training.

[Figure: People, Processes and Technology in privacy]

The detailed elements of the framework need to be identified, fit for the organisation and fit for purpose, be designed, and rolled-out. Below, each of these framework elements is highlighted, and an example framework is provided.

Governance
To remain GDPR compliant over time, the people in the organisation that handle personal data need to take on their role. And as a foundation, an organisation is to carry a culture, from leadership to operational staff, that drives both privacy and being demonstrably in control.
Consequently, specific individuals need to own accountability for specific personal data, guidelines, processes, controls and registries. Privacy is not something for the DPO alone, but for all people in the organisation, especially leadership, who set the tone.

Policy
To be consistent and coherent, an organisation documents its privacy direction in a privacy policy, stating what privacy means to the organisation. For example: personal data can only be accessed on a need-to-know basis, personal data is not sold to third parties, etc.

Guidelines
Where process and control owners need supporting information, e.g. retention schedules, such information is to be made available in privacy guidelines. Guidelines should not exist just because they are nice to have; their purpose is that specific persons receive the guidance they need.

Processes and Controls
To ensure effectiveness and support efficiency, privacy processes and controls should be aligned with business needs, e.g. processes and controls should not be designed based on clauses of the GDPR, but on the data sets to be managed, and considering the normal workflows in the organisation. This also helps privacy tasks to be triggered ‘spontaneously’.
So, for various processes there is no specific privacy process, but privacy adjustments to current processes, e.g. user access control and third party services management.

From a privacy management framework perspective, the processes and controls are the basis. Guidelines, registries, and training support them.

Processes include various controls. An organisation can define which controls are key to demonstrate GDPR compliance and require explicit compliance monitoring.

Also, one should consider which controls need automation, e.g.

  • data subject requests could be implemented based on self service, to ensure scalability
  • encryption of data (personal data in databases, personal data in emails)
  • inventory of personal data, especially non-transactional data

Registries
As mentioned, GDPR is about being demonstrably in control of privacy. Therefore, an organisation needs to determine which registries are needed to be able to demonstrate compliance. For instance, such registries concern the records of processing, and the third party services being used as processors.

Training
Training is a continuous effort, to be recurring for new staff and staff in changed roles, and also as refreshers since awareness degrades over time.


Example privacy management framework

Using the above-mentioned concepts, below a partial overview is presented of a practical privacy management framework:

[Figure: example privacy management framework]

So, do you have all privacy-supporting processes in place, and are they triggered ‘spontaneously’? Are you ready to continuously demonstrate being GDPR compliant? The effort to remain GDPR compliant starts on 25 May 2018.

Culture impacts security!

Despite having the greatest security technologies in the world, a fool with a tool is still a fool. But what defines a fool? Let us for once step beyond knowledge and experience, because even with great knowledge and experience, one can be a fool ;-(

In an earlier blog, I already wrote about causes and effects, with as sequence culture, governance, processes, and IT infrastructure, whilst securing an organisation, its services, and its data. Organisations can be large and small, with tight and abundant security budgets. Still, culture can be an enabler, and a disabler.

We like seeing innovative and flexible teams that bring security to the next level. And what do such teams need, to be in such a flow? TRUST!

Just read the quote from Neale Donald Walsch below:

[Image: quote from Neale Donald Walsch]

And this concept of fear and love also applies to the workspace. Consider what are the motivators in your organisation:

  • fear, punishment for failure, shame, bossy bosses, or
  • love, being connected, accepting errors and mistakes, and sharing the learnings of failure

Fear causes staff to avoid: not be creative, not try, hide mistakes, and it hinders an organisation from learning. Conversely, love, or in business terms being connected, stimulates being a learning organisation, where people share, are creative and try new things.


Please take a moment and estimate a rating. Let us presume that working with 100% fear in mind rates as a 1, and with 100% love in mind as a 10. How do you rate:

  • yourself
  • your team
  • your organisation

It is up to you to determine what rate defines a fool. But I do guess you do agree with a low score …

And as homework from this blog: how does your rate impact security in your organisation? Also, if you rate high, how can you maintain that score over time? And if you score low, what do you and others need to do to become a more creative, learning, and secure organisation?

Product security needs a holistic approach

How do you secure a webshop, an electronic car, an office management system? Securing an IT-enabled product requires you to consider many topics, and missing one topic could already result in a security flaw of that product.

Let us presume that you have a webshop that sells books. What security measures do you need, to protect the data about the books that you sell, their availability and prices, as well as your customers’ transactions?

Software developers will think about security in source code and application logic, whilst system and network administrators will think of the IT infrastructure on which the application will run. Who has the holistic view of all relevant security measures that should be in place?
When realising an eCommerce webshop, are your IT processes well equipped to be online, or are they only a fit for internal office automation? Being online implies being operational 24/7 and considering being under attack 24/7; is that also your requirement?
Also, what does creating an online webshop imply for your business processes? How do business processes support the protection of your webshop data? How do you ensure that you not only have a selling webshop, but also mitigate the risks that accompany having an eCommerce webshop, e.g. online fraud?

Naturally, the clean approach is to determine requirements for a product, applying the following steps:

  • evaluate business sensitivity of the product
  • determine potential risks, including likelihood and impact
  • set security requirements to manage relevant risks from happening

Practically, for every IT-enabled product, security requirements consist of both manual and automated processes, as well as business-specific and generic functionality. Applying these two dimensions, the following topics are to be covered:

[Figure: basic quadrants]

So, you should address the four topics:

  • administrative business process controls
  • application controls
  • IT infrastructure controls
  • IT management process controls

And once you go in-depth, you will recognise that each of these four topics has its sub-topics to be considered:

[Figure: quadrant details]

This model can help you to effectively and efficiently set product security requirements, build an IT-enabled product, and also assess the risks of an IT-enabled product.

As your homework, I recommend applying this model to assess the security of a product in your organisation, for instance your newest website. It will be interesting to evaluate if all (sub) topics are covered, and if missing a (sub) topic causes risks to the website that you assess.

Where do you start to improve your security? With the cause or the effect?

As organisations identify security improvements to better protect their assets, they also realise that scarce resources can only be used once; to improve performance, or to reduce risk. Although sometimes you are lucky, and both can be done at the same time.

And do you also explicitly consider whether to use your resources to stop the incident or to solve the problem, i.e. to focus on the short term or on the long term?

[Figure: culture - governance - processes - technology]

Every time you determine that a security weakness exists in technology, please do consider what is the root cause of the weakness that you want to mitigate:

  • Technology – Were technology configuration settings, or even worse, technology choices, the cause of a security weakness?
  • Process – Was a process missing that could have avoided the technology weakness, or was a process not operating effectively?
  • Governance – Was management aware of the flaw, and not adequately responding to the issue?
  • Culture – Was the focus of the organisation merely on performance improvements, and only limitedly on risk management?

For example, consider an identified missing and relevant security patch. In this case, obviously, you can improve by implementing the missing patch. But please, if you observe such a weakness, take a moment to also consider the real cause. So, do answer the question: why is this patch not implemented?
Was it a flaw in the patch management process? Who decided about the patch management process, who was informed about issues with regard to the patch management process, and was the reporting adequate? And did management respond to identified security patching issues?
Was the cause of the missing patch that performance was valued over risk, or worse, is the organisation unconsciously increasing its risk profile?

So, once you notice a security weakness in technology, do determine its cause at a higher level: process, governance, and even culture.

And the homework of this week: do consider a number of known security weaknesses in technology. Deduce what the likely causes in governance and culture are. Do you recognise a pattern?

Let this homework bring you to a higher level!

Security in historical perspective

Once you consider security in a historical perspective, it is easy to recognise that several security approaches evolved over time to protect information and IT against external and internal threats. And your security likely needs all of them.

history security

  • In the beginning, up to the eighties, security was merely an add-on. IT in business consisted of stand-alone systems, and terminal services enabled local and remote access. To protect IT, point solutions could be acquired, for instance RACF or ACF2 to protect data and systems on mainframes.
  • In the nineties, IT became more connected, and it became normal to have an organisation-wide security control framework; during that period the Code of Practice for Information Security was established. This Code of Practice consisted of good practices that could be useful to secure any organisation. Nowadays, organisations more and more have their own IT control framework. Still, we live in a time in which measuring compliance with such a framework is a learning experience.
  • During the 2000s, as computer networks became common and Internet web sites started to be used for business purposes, IT infrastructures became more complex. At the same time, organisations became aware that 100% security is not achievable, and that risks are to be taken. So, based on the sensitivity of IT (Internet) services, security measures are selected, whilst accepting residual IT and therewith business risks.
  • And we all learned. Consider the mind shift of the 2010s: once you really accept that preventive security measures are not sufficiently effective, you want to know when preventive security measures fail. Therefore, timely detection of a security violation, attack, or hack is wanted, followed by a swift response to handle an actual security incident.
  • So far the past; and what is ahead in the twenties? We know that IT-based attacks are here to stay, and that attacks come not just from script kiddies, but also from criminal organisations, and even from nation states. We are aware that the quality of security measures needs to constantly evolve, balancing business and IT risks with developing threats and vulnerabilities. Organisations should apply agility and velocity to adapt to the reality of developing Values at Risk.


And what is your homework after learning about security in a historical perspective? Please do consider that ‘older corporates’ have growing pains to timely move forward and to timely adopt new security perspectives. Many organisations are still in pain to learn about the reality of attack chains, about hackers gaining access to an organisation’s networks and exfiltrating data. These organisations often do not face reality until too late. Please, seize the moment and move forward!

Also, newer (eCommerce) organisations can have homework, even though they are already modern and highly agile. These newer organisations may have skipped some security stages, for instance they may need to improve their IT compliance framework, or implement security monitoring, to protect data and systems, and therewith support security hygiene.


Please do consider your homework for this week. Assess what the security maturity of your organisation is. Did you learn from all decades of security developments? Please consider whether you realised adequate security, taking into account your desired and current maturity for each of the five perspectives that we learned about.

Enjoy your homework!

Hello world!

Hello World!

It has been 25 years since I started helping organisations to manage their IT risks, and therewith to help these organisations to protect both their own and their customers’ data. Now, as I regularly receive requests to share some of my ideas, it feels like time to start a blog. And the time feels right, considering that data breaches, privacy issues and security threats in general are almost daily in the news, and have become relevant to everyone.

It is time to consider security as a topic that is relevant for all people, both in business and in private life. As a minimum, in the role we all have as end-users, that means consciously maintaining security awareness and acting accordingly: remembering not to click on email links, patching applications timely, protecting your devices, and of course keeping your passwords confidential.

Protecting data and systems feels like protecting ourselves against bad weather conditions. The attack surface for data and systems often is (un)predictable, just like the weather. And also we have to be aware of climate change with regard to security, just like long term changes in weather conditions. Already, we can see a more extreme security climate arriving. During my 25 years in the field of security and risk management, it did not become easier to stay dry.

Being aware of climate change, organisations have a need to focus more of their time and effort on protection of their assets. And whilst doing so, they should understand the values that they need to protect, being aware of the value of their assets from both their own perspective and the perspective of (potential) attackers.


In the past, we saw organisations implementing good practices, and there was a sense that this was good, and also good enough. Now, we understand that good practices (e.g. the Code of Practice for Information Security) are useful, but insufficiently cover the measures to be taken in a more extreme climate. Consider for instance spear phishing, hacks of cars and planes, fraudulent transactions, and destruction of services, data, and systems.

Organisations should not just focus on preventive security measures, but also increase their efforts to timely detect attacks, and to swiftly respond to these attacks.

In the end, organisations have to understand their business and IT risks, and they have to manage these risks using adequate protective measures. Coming blogs will cover all kinds of related topics, such as audit, risk management, compliance and monitoring, control frameworks, and cyber defense, that operate in coherence, to protect organisations against IT risks.

More to follow!