TRANSCRIPT
Establishing a Risk-Centered Program in the Age of GDPR
02/2018
Diana Candela, C|EH, C|NDA, E|CSA, L|PT, ITIL, CSSGB, NIMS
IT Risk & Compliance Program Manager, IT Data Privacy Lead
Cybersecurity GRC (Governance, Risk, Compliance)
AGCO Corporation
WHO WE ARE
Welcome to the world of AGCO.
We are a global leader in the design, manufacture and distribution of high-tech solutions for farmers feeding the world.
Our mission is profitable growth through superior customer service, innovation, quality and commitment.
We work tirelessly to help make today's farms more productive and more profitable. As the world of agriculture changes, so do we.
We are AGCO.
DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily reflect the official policy or position of AGCO.
GDPR At a Glance
Enhanced Rights for Individuals
Increased Sanctions
DPOs
Explicit Informed Consent
Privacy by Design
Increased Transparency
Privacy Impact Assessments
Standard Risk Mgmt. Program
Getting Started
Discovery Workshop
Privacy Team/Program
Strategic Priorities Assessment
Unknown Risks
Data Inventory & Mapping
Specific Issues
Privacy Risk Assessment
Assessing Compliance
PIA Program Development
Continuous Improvement
Risk Management Program Maturity
GDPR – Six Key Principles for processing Regulated Data
Personally Identifiable Data must be processed fairly and lawfully. (Understand what PII is)
Data must be accurate and kept up to date. (Implement process)
For specified, explicit and legitimate purposes. (What and Why?)
Kept no longer than is necessary. (Data Retention, Anonymization, Deletion)
Adequate, relevant and minimum necessary. (Minimize where possible)
The Organization is responsible and liable to ensure and demonstrate compliance. (Risk must be Accepted)
Things to remember
1. Data Collection and the life cycle from collection to destruction
2. Data Transfer; access, internally, externally, or globally
3. Defining “Data”
4. Understanding “Personal Data”
Create a Checklist Hand-out to make things easy
Core Principles of Privacy by Design
Proactive not Reactive
Preventative not Remedial
Privacy embedded into design
Full functionality
End-to-end Security
Full Lifecycle Protection
Individual & User Centric
Potential privacy problems are identified at an early stage; addressing them early will often be simpler and less costly.
Required Technology Capabilities
Govern | Identify | Act | Analyze | Secure
Case Management | Data Discovery | Data Security | Activity Monitoring | Network Security
Controls Management | Data Mapping and Modelling | Data Maintenance | Omni-channel Management | Application Security
Privacy Compliance Systems | Consent Management | Breach Response | Archive Management | IT Infrastructure Security
Training | Consent Maintenance | Inventory | |
Applying Privacy by Design
Architecture Principles: Simplicity over flexibility; Usability over restriction; Defense in depth
Implementation Principles: Open design; Secure coding practices; Black box and White box testing
Operation & Configuration Principles: Complete mediation; Least privilege; Audit trails
DevOps Lifecycle
Continuous Improvement, Innovation & Feedback
Plan & Measure; Develop & Test; Release & Deploy; Monitor & Optimize
Lifecycle and Service Management Integration
Ecosystem Best Practice
Customers; Business Units; Dev/Test; Ops/Prod
Lifecycle of Regulated Data
Are you gathering sufficient data for the purpose? Are you gathering too much, or data that is irrelevant to the purpose? Can you identify ways to minimize the data you gather?
What is the purpose? Have you specified the purpose to the individuals? Do they have full knowledge and understanding of what happens to their data once it's passed to/through our organization?
Do you have a procedure in place for auditing the data you hold and updating it where necessary?
Do you have appropriate physical and technical security measures in place to keep the data safe and secure? Is access to the data in our organization restricted to only those who process it? Do you have an off-site back-up facility? Where is it located? Do you hold data in the Cloud, and if so, where is the Cloud Provider located?
Do you have measures in place to ensure you do not hold data for longer than is necessary for the specific purpose? Do you have/know the Data Retention Policy?
Is your system of storing and filing suitable for easily identifying all data you hold, so you can respond fully to individual requests, and within statutory deadlines where applicable?
Legal + GRC
Individuals' right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export their personal data
The Organization will need to:
• Protect personal data (appropriate security)
• Notify authorities of personal data breaches
• Obtain appropriate consents for processing data
• Keep records detailing data processing
The Organization is required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies
The Organization will need to:
• Train staff on Privacy & Security
• Audit and update data policies
• Designate a Data Protection Officer (DPO)
• Manage compliant vendor contracts
Key Changes needed to process Regulated Data
Systems must have the capability/features to meet these requirements
Know where regulated data is to place reasonably appropriate controls
Have a Data Governance process for data classification and retention
Risk Assessments, Data Privacy Impact Assessments (DPIA) & Vendor Risk Mgmt.
DPIA is required when data processing is likely to result in high risk to individuals, for example:
• where a new technology is being deployed;
• where a profiling operation is likely to significantly affect individuals;
• where there is processing on a large scale of Regulated Data.
Challenges
Business
• Enabling User privacy rights
• Ensuring Compliance
• Unexpected costs
• Meeting business needs and expectations
Operational
• Authentication issues
• Authorization issues
• Process changes
• New process introduction
• Support issues
Technical
• New Tech Stack?
• Reliance on technology
• Maintenance and updates
• Managing large amounts of regulated data
Go from complex Legal fine print to transparent disclosures
Disclose all intended and potential future uses of consumer data in simple language at the point of data collection
Incorporate store/do not store and use/do not use checkbox options on forms next to regulated data fields
Train your teams to answer Privacy & Security questions, not just product/service questions
Integrate Data Quality as a Design discipline in all processes
What data needs to be captured & stored vs. what can be processed in real time without storing
Store data showing customer actions separately from data showing what triggered the action (the actual user behavior)
Preemptively outline risks and intended course of action in the event of a crisis/breach
Breach Management: Do you have what it takes?
Detect Incident → Notify Owner(s) → Quarantine → Contain → Restricted Data? → High Risk? → Report → Recover
Sensor Data; Whitelist?
Mandatory Breach Notification: 72 hours
Information Security Model: Model Terms & Glossary
Capability: Defines “what” information security process areas or disciplines.
Coverage: Defines the “amount” of control and the timeline over which coverage should be applied.
Control: Managing obligations to the business, stakeholders and customers, and demonstrating it.
Maturing to Proactive Posture
Capability: Process Discovery and Re-engineering to support Information Security program alignment with business and security requirements.
Coverage: Integrate required regulations and observe areas for control enhancement.
Control: Risk & Compliance based categorization and priority of Information assets and processes.
The degree and complexity of controls are driven by the Organization's risk appetite and applicable compliance requirements.
Information Security Program
Security IT Operations
Incident Response
Training & Awareness
Risk Management
Compliance & Audit
Security Architecture
IT Governance
Security Process: Identify Risk → Implement Controls → Assess/Audit (Simplify)
Risk-based, Data-driven decisions
Taking action: doing what you've planned
DISCOVER AND DOCUMENT: Identify what type of Regulated Data your application(s)/system(s) process, where it resides and where it goes to.
PROTECT: Implement and test security controls to prevent, detect and respond to vulnerabilities and Data Breaches.
REVIEW: Analyze your Regulated Data, stay Compliant and regularly review risk to maintain risk at an acceptable level.
CONTROL (ACCESS MANAGEMENT): Manage and keep records/logs of how Regulated Data is used and accessed, and by whom.
REPORT: Application(s)/system(s) should be monitored for potential Data Breaches. Have and test a process to notify the right team if/when a Breach occurs.
Put procedures in place to effectively detect, report and investigate a personal data breach.
Complete Visibility
Reduce Attack Surface
Prevent Known Threats
Prevent Unknown Threats
Key Concepts
Complete Visibility: Systems need to offer or support visibility into all traffic – across the network, endpoint and the cloud – classified by application, user and content. You can't stop or protect against what you can't see.
Reduce Attack Surface: Systems are everywhere! In-house, SaaS, IaaS, PaaS, IoT: multiple avenues available to infiltrate an Organization and exfiltrate Regulated Data. Only enable allowed apps and users. Deny everything else. Management of all application types.
Prevent Known Threats: Many data breaches result from known threats, such as information-stealing malware and application exploits. Systems must be able to restrict access to regulated files or content. Vulnerability Management: Scan and Patch/Fix.
Prevent Unknown Threats: Have a multi-method approach to block core techniques used by zero-day exploits, and identify and block unknown malware from compromising endpoints. Next-Gen protection. Security Incident Notification & Management Procedures.
Security and Privacy should be seen as a business differentiation strategy
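As an added example (not from the presentation or from AGCO), the CONTROL step and the "only enable allowed apps and users, deny everything else" stance above, together with the Operation & Configuration principles of complete mediation, least privilege and audit trails: one mediation function that releases regulated data only for an approved (role, data category, purpose) triple and writes a hash-chained audit entry, so the evidence of who accessed what and why is itself tamper-evident. The roles, categories, purposes and sample record are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed policy (hypothetical roles, categories, purposes): a role may
# touch a regulated-data category only for a declared purpose. Anything not
# listed is denied, which is the "deny everything else" stance.
ALLOW = {
    ("support", "customer_contact", "service_request"),
    ("hr", "employee_record", "payroll"),
}

AUDIT_LOG = []  # every entry links to the previous one by hash (tamper-evident)

def _entry_hash(entry):
    # Canonical JSON so the hash does not depend on key order.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def access_regulated_data(user, role, category, purpose, record):
    """Complete mediation: every access goes through here and is logged.

    Returns the record when (role, category, purpose) is allowed, else None.
    The log says who, what and why, but never contains the regulated data.
    """
    allowed = (role, category, purpose) in ALLOW
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "category": category, "purpose": purpose,
        "record_id": record.get("id"),
        "decision": "ALLOW" if allowed else "DENY",
        "prev": AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64,
    }
    entry["hash"] = _entry_hash(entry)  # hash covers everything but itself
    AUDIT_LOG.append(entry)
    return record if allowed else None

def verify_audit_chain(log=None):
    """Recompute every link; False means an entry was altered or removed."""
    log = AUDIT_LOG if log is None else log
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _entry_hash(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

In a real deployment the log would be written to an append-only store that the application's own credentials cannot modify; the chain then lets an auditor detect deletion or edits after the fact.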
Strategy Pattern Examples
Minimization: Amount of processed regulated data restricted to the minimal amount possible
• Select before you collect
• Anonymization / pseudonyms
Hide: Regulated data, and their interrelationships, hidden from plain view
• Storage & transit (encryption of data)
• Hide traffic patterns
• Attribute based credentials
• Anonymization / pseudonyms
Separate: Regulated data processed in a distributed fashion, in separate compartments whenever possible
• Multiple options available for compartmentalization
Aggregate: Regulated data processed at the highest level of aggregation, with the least possible detail in which it is still useful
• Aggregation over time
• Dynamic location granularity (location based services)
Inform: Transparency
• Platform for privacy preferences
• Data Breach notification
Control: Users (Data subjects) provided control over processing of their personal (regulated) data
• User centric Identity Management
• End-to-end encryption support
Enforce: Privacy policy compatible with Legal requirements to be enforced
• Access control
• Sticky policies and privacy rights management
Demonstrate: Demonstrate compliance with privacy policy and any applicable legal requirements
• Privacy Management Systems
• Use of logging and auditing
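An added example (not from the presentation or from AGCO) that applies three of the strategies above, Minimization, Hide and Aggregate, to a constructed set of location-service events: fields the purpose does not need are dropped before anything is stored, the subject identifier is replaced by a keyed pseudonym, and the remaining events are reduced to coarse location cells and hourly counts. The event fields, coordinates and the key are assumptions made for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample events, as a location-based service might collect them.
# Every name, address and coordinate is invented for this example.
RAW_EVENTS = [
    {"name": "Jane Doe", "email": "jane@example.com", "device": "ios",
     "ts": 1517443200, "lat": 52.520008, "lon": 13.404954},
    {"name": "Jane Doe", "email": "jane@example.com", "device": "ios",
     "ts": 1517444100, "lat": 52.521100, "lon": 13.406200},
    {"name": "John Roe", "email": "john@example.com", "device": "android",
     "ts": 1517450000, "lat": 48.856613, "lon": 2.352222},
]

# MINIMIZE ("select before you collect"): keep only what the purpose needs.
NEEDED = ("email", "ts", "lat", "lon")

def minimize(event, needed=NEEDED):
    return {k: event[k] for k in needed}

# HIDE (pseudonyms): a keyed HMAC gives a stable pseudonym per subject, so
# records still link, but without the key the email cannot be recovered.
def pseudonymize(value, key):
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

# AGGREGATE (dynamic location granularity): one decimal of lat/lon is a
# cell of roughly 10 km instead of an exact position.
def coarsen_location(lat, lon, decimals=1):
    return (round(lat, decimals), round(lon, decimals))

# AGGREGATE (over time): counts per hour bucket replace raw timestamps.
def aggregate_over_time(events, bucket_seconds=3600):
    counts = Counter()
    for e in events:
        bucket = e["ts"] - e["ts"] % bucket_seconds
        counts[(e["subject"], bucket, e["area"])] += 1
    return dict(counts)

def process(raw_events, key):
    """Apply the strategies in order: minimize, hide, aggregate."""
    reduced = []
    for e in raw_events:
        m = minimize(e)
        reduced.append({"subject": pseudonymize(m["email"], key), "ts": m["ts"],
                        "area": coarsen_location(m["lat"], m["lon"])})
    return aggregate_over_time(reduced)
```

The pseudonymization key must be protected like any other secret: whoever holds it can re-link pseudonyms to subjects, so under GDPR the output is pseudonymized rather than anonymized data.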
Strategy Approach Cheat Sheet
Talk to experts: When/Why to engage Legal
Have a Binding Corporate Rules (BCR) Compliance Management procedure that defines the responsibilities and actions for personnel involved in the implementation of IT systems and infrastructure.
The procedure should include requirements related to: implementation of new systems; and implementation of changes in IT infrastructure.
Applicable to all employees, affiliates and third parties responsible for the implementation of IT systems and infrastructure.
1. Identification of systems holding personal data
2. Hosted systems and clouds
3. Sharing data with third parties
4. Data collection and processing on Corporate websites
Key Things to Remember
You may need Code Changes.
Website security assessments are needed (unless already in place).
When in doubt, contact Legal.
Consent is explicit and must be obtained.
Mandatory 72-hour data breach reporting.
You must be able to demonstrate compliance.
“If you can't provide evidence, you didn't do it”.
EU Members: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK.
What you didn't get to must be communicated; the Risk must be Accepted, or plans for mitigation should be considered.