
GDPR WHITE PAPER

www.cybersmart.co.uk

CONTENTS

Introduction
What is GDPR?
Other information security standards
Route to compliance
Getting clients GDPR ready
How CyberSmart can help


INTRODUCTION

Our mission is to secure organisations worldwide against global cybersecurity threats and to help them achieve recognised cybersecurity standards. We believe cyber protection and information security compliance should be available to everyone, regardless of budget or know-how.

CyberSmart was born out of the realisation that the greatest obstacles to small and medium-sized enterprises (SMEs) becoming cyber safe were a lack of resources: technical knowledge, funding or the availability of key people. Our team, made up of seasoned cybersecurity specialists, compliance experts and experienced software developers, created a platform that can be used without prior technical knowledge and that is both more cost-effective and more secure than traditional solutions. Using CyberSmart to implement the government's cybersecurity standards protects an organisation from the vast majority of commodity cyber attacks.

This white paper explains how the General Data Protection Regulation (GDPR), which has applied since 25 May 2018, relates to the various government-backed standards for cyber protection. It covers what organisations need to do to best protect their business and to safeguard their own data and that of their customers.


WHAT IS GDPR?

The GDPR is Europe's framework for data protection law and the most significant change to data privacy and data protection regulation in 20 years. It is far-reaching, in that it requires active participation from every department throughout an organisation. In the UK it superseded the Data Protection Act 1998 (with the Data Protection Act 2018 implementing it in UK law); it introduces much larger fines for non-compliance, gives individuals greater rights over the use of their data and standardises data protection rules throughout the EU.

It is important to note that GDPR is not just about cyber security, IT and technical controls. Whilst these are all vital elements, they form only a small part of the overall GDPR programme; the majority relates to processes concerning the privacy of individuals. It should not be presumed that a company's IT team, suppliers or providers will deal with this in isolation. Organisations need to evaluate their current privacy and security position, develop a plan for GDPR readiness and ensure ongoing processes are in place to maintain compliance. GDPR is less about putting a raft of new policies in place and more about a change of organisational culture around how personal data is acquired, managed, shared and retained. It should result in privacy by design.

How does Brexit affect GDPR?

The UK leaving the European Union does not remove the need to embrace GDPR. GDPR superseded the Data Protection Act 1998 and became law in the UK on 25 May 2018. As the law is designed to protect the interests of citizens and to place greater responsibility on organisations to protect people's data, it is likely to remain UK law for the foreseeable future.

What GDPR means to individuals

GDPR gives individuals, across all organisations in all sectors, the right to be informed, to access their data, to rectify errors, to have data erased, to restrict processing, to data portability and to object to processing, as well as rights relating to automated decision making and profiling.

It also gives individuals a better understanding of the control and use of their personally identifiable information (PII, or 'personal data' in the Regulation's own terms) and of what organisations are obliged to do with that information. Because individuals gain more transparency, traceability and ownership of their own data, GDPR is generally seen as positive.


OTHER INFORMATION SECURITY STANDARDS

Cyber Essentials

Established in 2014, the purpose of this standard is to embed essential cybersecurity practices throughout an organisation. The standard focuses on five technical controls (firewalls, secure configuration, user access control, malware protection and patch management) and, according to Lancaster University research, its controls would have mitigated 99.3% of the commodity (untargeted) attacks examined. Whilst highly effective, Cyber Essentials has two limitations: firstly, it does not protect against sophisticated, targeted attacks and secondly, it is traditionally implemented as an annual self-assessment. The best use of this standard is as a first line of defence, establishing baseline technical controls before other standards are considered.

Cyber Essentials Plus

Cyber Essentials Plus is the audited version of the Cyber Essentials standard. The implementation is verified on site by a qualified Cyber Essentials Plus assessor, who tests the controls rather than relying on self-assessment. The added rigour of this audit creates additional trust in the certification. Once Cyber Essentials is well established, it is likely that Cyber Essentials Plus will increasingly become mandatory.

IASME Self-Governance

This standard goes beyond Cyber Essentials and can be regarded as an 'SME-friendly' version of ISO 27001. In conjunction with the government, IASME developed it to create an easily adaptable and affordable alternative to ISO 27001. It takes a risk-based approach, going beyond Cyber Essentials to include processes, people and technology. All IASME Governance certifications include GDPR Readiness.

ISO 27001

ISO 27001 is the international information security management standard. Annex A of the 2013 edition lists 114 controls in 14 groups with 35 control objectives. The standard is frequently implemented by corporations or businesses dealing with sensitive data and needing the highest level of information assurance. An organisation is required to identify the laws that apply to it, including GDPR, and to address their requirements in its Information Security Management System (ISMS).


ROUTE TO COMPLIANCE

There are many different routes to GDPR compliance. We have designed CyberSmart's approach to be SME friendly, with no need for expensive consultants, lengthy implementation projects or complicated processes. There are three government-backed standards specifically designed for SMEs that add structure and rigour to their information security and take them from having minimal controls in place to operating a comprehensive ISMS.

The ideal start is Cyber Essentials, a fundamental baseline, for three important reasons:

- It is proven to prevent the vast majority of internet-based commodity attacks.
- It contains prescriptive, simple and effective measures (e.g. to improve technical controls and enhance processes).
- Cyber Essentials was designed for SMEs, so its implementation can be completed in a short period of time without undue burden.

The next standard along the compliance path is Cyber Essentials Plus. This certification builds on the foundation of Cyber Essentials and goes further by adding technical tests (e.g. external vulnerability scans of internet-facing IP addresses and authenticated vulnerability scans of in-scope devices). Using the assessor's scanning tools on the network, hidden vulnerabilities and non-conformities can be identified and addressed, helping to establish a more transparent and comprehensive ISMS.

Part of this certification involves a qualified assessor spending time on site to confirm that the foundations are properly secure and to help set up boundaries and permissions enforced by technical controls. They also help optimise existing infrastructure and network controls with information security and GDPR specifically in mind. Cyber Essentials Plus is nationally recognised and is the natural progression when moving towards GDPR compliance.


Once Cyber Essentials and Cyber Essentials Plus certifications have been achieved, the next step is either the IASME (Information Assurance for SMEs) Self-Governance or the audited IASME GOLD qualification. IASME Governance is often referred to as a 'mini ISO': ISO 27001 can take several months to implement and requires a significant commitment of people and resources, whereas either of these IASME qualifications augments product, website and IT network security with improvements to information and organisational security, together with cultural behaviour change.

These certifications build on the technical controls that the CE and CE Plus standards helped set up. They also add the GDPR disciplines and measures that, if missing, need to be put in place to get 'GDPR ready'. These added information security controls will address the most frequently asked questions about where, when, what and why personal data is stored and processed. For organisations that choose the right method and allocate appropriate resources, these standards can be readily achieved.


GETTING CLIENTS GDPR READY

Getting GDPR ready requires both commitment and a change of mindset, and it will take time and resources to effect the change. There are two different approaches to getting GDPR ready.

Bottom-up (unstructured / ad hoc)

This approach involves creating new policies and procedures from scratch, replacing existing controls and processes from the bottom up. This is where Cyber Essentials provides a vital foundation of security measures on which to build. Having defined the project team, a gap analysis is performed and an action plan is created to develop a clear roadmap for GDPR. The benefit of this method is that it is thorough, picking up all the details, some of which might otherwise have been overlooked. It creates a step-by-step action log that is measurable and provides the evidence of accountability that is core to the GDPR philosophy. We recommend this approach for SMEs.

Top-down (structured / waterfall)

This method is for more technically sophisticated companies and larger organisations. It involves starting from the top with more formal plans and then adapting existing controls, policies and procedures to meet the GDPR requirements. Part of an organisation becoming GDPR compliant typically involves a toolkit (which CyberSmart can provide as part of its IASME and GDPR module), where key documents are provided in a compliant template format, ready for adoption. This approach is more complex and should be approached with care because it involves modifying live and interdependent business processes. However, for complex or very large organisations this might be the only feasible approach to becoming GDPR compliant.


HOW CYBERSMART CAN HELP

CyberSmart provides all the support and resources needed to get an organisation of any size or sector certified to standards including Cyber Essentials, Cyber Essentials Plus, IASME Self-Governance and IASME Self-Governance with GDPR Readiness. The CyberSmart platform does this in the quickest, most cost-effective way. The entire process can be divided into four parts. Our cloud-based dashboard is designed with user experience in mind, with everything streamlined to ensure clean and effortless certification.

Step 1: We identify

Scanning devices for vulnerabilities and misconfigurations, our software identifies every issue that is not in line with the Government's Cyber Essentials scheme. We use technology to automate the search for weaknesses in your systems, so you don't need any prior technical knowledge. We support Windows, Mac, iOS and Android.

Step 2: We fix

With a list of all devices and their respective vulnerabilities, the administrator can either attend to each machine manually or fix issues with one click in the dashboard. For administrators with limited cybersecurity know-how, the platform is written in plain English, with auto-populating questions. It offers step-by-step guides and real-time online customer support. Alternatively, the software can be configured to fix issues automatically. Our technology ensures good security practices stay in place after certification.


Step 3: We certify

Being secure is vital. However, it can be equally important to demonstrate to clients, suppliers and partners that data protection is taken seriously and that they are in safe hands. Certification not only instils trust but, because it demonstrates compliance with government standards, it can also help limit liability in the event of a breach by evidencing that appropriate technical measures (GDPR Article 32, security of processing) were in place. Organisations receive their official certificates directly within the platform.

Step 4: We protect

Data security should not be a one-off exercise but an ongoing process, because security threats change constantly. For that reason, the software keeps running passively in the background, which allows it to provide real-time threat information and security updates. Administrators receive weekly security bulletins so they always know the state of their systems.

In addition to the platform, CyberSmart has extensive domain expertise. This enables it to provide hands-on guidance for planning and implementing GDPR compliant processes. Organisations benefit from years of best practice through the GDPR policy toolkit. They also gain access to the skills and resources that have guided many organisations to become GDPR ready.

While the challenge of becoming GDPR compliant may seem daunting, the journey can be made much easier and quicker with the support of CyberSmart's software platform, policy toolkit and wealth of expertise.


CYBERSMART EXPERTISE IS WITH YOU EVERY STEP OF THE WAY


Get in touch

7th Floor, 145 City Road
London EC1V 1AW

020 7993 6990 [email protected]

www.cybersmart.co.uk

V3.0 - June 2019