Building a program for GDPR compliance: Can you answer these key questions?
January 4, 2018 10:49 am
by Reggie Best, CPO, Lumeta Corporation
Full article can be seen here: https://www.helpnetsecurity.com/2018/01/04/building-program-gdpr-compliance/
The clock is ticking and the General Data Protection Regulation (GDPR) will start to be enforced in May. Now is a critical time for organizations to plan, budget and make any remaining changes needed to meet its guidelines.
Failure to comply with GDPR standards will result in hefty non-compliance fines, and even U.S. organizations could be affected. Remember: GDPR guidelines will affect any organization handling personal data of individuals no matter where they are located, meaning even U.S. companies that process the personal data of individuals residing in the EU will have to comply.
GDPR is emerging as a board-level issue for many U.S. organizations and the pressure is on cybersecurity professionals to ensure the necessary steps are being taken to protect the personally identifiable information (PII) of EU residents. Unfortunately, network complexity is causing real challenges. It can be difficult to gain full control and visibility of the network since today’s data resides across physical, virtual and cloud networks, as well as on endpoints like smartphones, tablets and notebooks.
To make matters even more tricky, to comply with GDPR companies will need to be able to answer where all PII is being stored, with whom it’s being shared, how the organization is protecting it and what they’re using it for.
To realistically achieve GDPR compliance in time for the May 25, 2018 deadline, organizations should first ask themselves the following questions:
How confident are you in identifying and securing every single related asset that stores or processes sensitive user data? For instance, have your cybersecurity professionals located all rogue or shadow IT infrastructure? Have you determined what data is being held, where, and why? Who’s accessing that data currently and who should have future access?
Can you truly see in real-time, or is your “continuous” monitoring actually just periodic polling? For instance, is your IT team tracking cloud apps or virtual machines (VMs) each time they join or leave your network? Are all ports and endpoints known in real-time? How are you managing IoT technologies?
Do you know your entire extended network across suppliers, customers, consultants and other organizations you interact with? For instance, do any trusted network assets show up on attacker lists? Are there any active devices on your network using known Trojan or malware ports? Can known threat or malware IP address space be reached from within your network?
Once these crucial questions have been evaluated, organizations and their cybersecurity professionals can incorporate them into their compliance program by leveraging the following key technology best practices:
Data processing and storage assessment: By identifying any EU-based PII, evaluating all access rights and additional security measures, and assessing current and future risk to the data, organizations can ensure that all of their assets are identified at all times, including while data is being processed. They’ll also be able to better assess their data segmentation policies.
When identifying any new network assets, cybersecurity professionals should make sure the correct patch level and endpoint protection are in place. They should also identify whether those assets are changing the network topology, and monitor them from a single, cohesive pane.
Breach prevention program implementation: When organizations are able to restrict access to PII, define, document and implement data security controls, and continuously evaluate the inevitable changes to PII and access, they’re able to discover all new assets or changes in real-time and properly test and execute network segmentation. To identify any unauthorized network paths in real-time, cybersecurity professionals should ensure segmentation for protecting access to PII, and continually identify any segmentation violations across their GDPR environment.
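The segmentation checks described here, and the earlier questions about devices talking on suspicious ports or reaching known threat address space, come down to comparing observed network flows against a written policy. The following is an added example of that comparison, not code from the article or from Lumeta; the zone address ranges, the allowed zone pairs, the watched ports and the threat-feed range are all constructed placeholders, and the flow log lines are constructed sample input in a simple key=value format.

```python
import ipaddress
from dataclasses import dataclass

# Network zones. Constructed example addressing, not taken from the article.
ZONES = {
    "pii_store": ipaddress.ip_network("10.10.0.0/24"),   # systems holding EU PII
    "app_tier": ipaddress.ip_network("10.20.0.0/24"),    # applications allowed to query it
    "corp_users": ipaddress.ip_network("10.30.0.0/16"),  # staff workstations
    "guest_wifi": ipaddress.ip_network("192.168.50.0/24"),
}

# Segmentation policy: which zone may initiate connections into which other zone.
# Any cross-zone flow into an internal zone that is not listed is a violation.
ALLOWED = {
    ("app_tier", "pii_store"),
    ("corp_users", "app_tier"),
}

# Address space taken from a threat feed. Placeholder documentation range (RFC 5737).
KNOWN_BAD_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Destination ports the organization has chosen to alert on. Hypothetical values.
WATCHED_PORTS = {4444, 31337}

# Constructed flow records, one connection per line.
SAMPLE_LOG = """\
src=10.20.0.5 dst=10.10.0.7 dport=5432
src=10.30.4.12 dst=10.10.0.7 dport=5432
src=192.168.50.9 dst=10.20.0.5 dport=443
src=10.30.4.12 dst=203.0.113.8 dport=443
src=10.20.0.5 dst=10.10.0.7 dport=4444
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_flows(text):
    """Turn key=value flow lines into Flow records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        flows.append(Flow(fields["src"], fields["dst"], int(fields["dport"])))
    return flows


def zone_of(ip):
    """Map an address to its zone name, or 'external' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def evaluate(flows):
    """Return (finding_kind, flow) pairs for every flow that breaks policy."""
    findings = []
    for f in flows:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        dst_addr = ipaddress.ip_address(f.dst)

        # Cross-zone traffic into an internal zone must be explicitly allowed.
        if dst_zone != "external" and src_zone != dst_zone \
                and (src_zone, dst_zone) not in ALLOWED:
            findings.append(("segmentation_violation", f))

        # An internal host reaching threat-feed address space is reportable
        # regardless of port: it shows the space is reachable from inside.
        if src_zone != "external" and any(dst_addr in n for n in KNOWN_BAD_NETS):
            findings.append(("reachable_known_bad_space", f))

        # Watched ports are flagged even on an otherwise permitted zone pair.
        if f.dport in WATCHED_PORTS:
            findings.append(("watched_port", f))
    return findings


if __name__ == "__main__":
    for kind, flow in evaluate(parse_flows(SAMPLE_LOG)):
        print(f"{kind}: {flow.src} -> {flow.dst}:{flow.dport}")
```

Running the block over the constructed log reports two segmentation violations (a workstation and a guest device reaching zones they are not allowed into), one internal host reaching the threat-feed range, and one permitted app-to-database flow that nonetheless uses a watched port. In practice the flow records would come from a flow collector or firewall log and the zone table from an asset inventory, which is why the article stresses keeping that inventory current in real time.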
Monitoring, detection and response execution: To achieve GDPR compliance, organizations must have real-time visibility across all of their networks, devices and endpoints, including any VMs. They also need to be able to instantly detect any suspicious network behavior and get a faster picture of the network and security context surrounding the malicious activity in the event of a necessary remediation effort. Continual network monitoring, threat detection and incident response plans can enable compliance and allow cybersecurity professionals to identify any behaviors that could be indicators of active breach activity.
A recent PwC survey found that more than half of U.S. companies are concerned about GDPR regulations due to their processing and collection of EU customer data, with 77 percent of them planning to spend $1 million or more on ensuring their ability to meet GDPR standards.
Rather than falling victim to GDPR-induced panic or destroying entire IT budgets, organizations should focus first and foremost on implementing continuous, real-time network visibility. By monitoring all network activity, devices and endpoints – including VMs in the darkest corners of an infrastructure – organizations can achieve GDPR compliance and, even more importantly, they can accurately identify potential malicious network activity and gain the context and intelligence to detect and stop threats before a breach ever occurs.