In a previous article, I reviewed several critical GDPR requirements. In this article, I want to discuss the Data Protection mandate.
Data Protection is Your Responsibility
GDPR requires organizations to implement “appropriate” technical and organizational measures to protect data and detect data breaches. Instead of defining acceptable security controls, GDPR uses this tricky term to put the burden on you. It is tricky because it will be defined after the breach, so you need to be able to competently defend your security strategy (Article 30.1.g) should you experience a breach.
Data Protection Checklist
To get started protecting data, I suggest a thorough review of the SANS 20 Critical Security Controls for your organization. In the event of a breach, being able to map your security posture to a well-respected framework will help. In this article, I will limit my list to those items which tie directly back to GDPR requirements.
Step 1: Inventory of Authorized and Unauthorized Devices
Step 2: Inventory of Authorized and Unauthorized Software
The steps above are critical for maintaining control of your network. In the context of GDPR, you are required, under Article 30, to “maintain a record of processing activities under your responsibility.” If your organization is processing “personal information” protected by GDPR, you need to be able to map the entire process with an understanding of what systems and applications access, process or store data. Unauthorized systems, devices, or software with access to this data can spell big trouble.
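As an added illustration of Steps 1 and 2 (this is example code written for this article, not something the original author provides), the script below reconciles what a network scan or endpoint agent reports against a documented inventory of authorized devices and their approved software. The asset records, the scan output, the MAC addresses and the field names are all constructed sample data, not any real tool's schema; the point is the logic: unknown devices, devices that disappeared, and unapproved software are each reported, and findings on systems flagged as processing personal data are surfaced first so they can be mapped back to the Article 30 record.

```python
"""Reconcile observed devices and software against an authorized inventory.

Added example for the GDPR checklist article; all records are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    hostname: str
    mac: str
    owner: str
    processes_personal_data: bool          # does this system touch GDPR data?
    approved_software: frozenset = field(default_factory=frozenset)


# Constructed authorized inventory, keyed by MAC address (Steps 1 and 2 combined).
AUTHORIZED = {
    "00:11:22:33:44:01": Asset("hr-db-01", "00:11:22:33:44:01", "HR", True,
                               frozenset({"postgresql", "openssh-server"})),
    "00:11:22:33:44:02": Asset("ws-jane", "00:11:22:33:44:02", "Jane", True,
                               frozenset({"chrome", "libreoffice"})),
    "00:11:22:33:44:03": Asset("printer-2f", "00:11:22:33:44:03", "Facilities", False,
                               frozenset()),
}

# Constructed observation: what a scan / agent reported on the network today.
OBSERVED = [
    {"mac": "00:11:22:33:44:01", "hostname": "hr-db-01",
     "software": ["postgresql", "openssh-server", "filesync-client"]},
    {"mac": "00:11:22:33:44:02", "hostname": "ws-jane",
     "software": ["chrome", "libreoffice"]},
    {"mac": "AA:BB:CC:DD:EE:FF", "hostname": "unknown-laptop",
     "software": ["filesync-client"]},
]


def reconcile(authorized, observed):
    """Return unknown devices, unapproved software and authorized devices not seen."""
    findings = {"unknown_devices": [], "unapproved_software": [], "missing_devices": []}
    seen = set()
    for obs in observed:
        mac = obs["mac"].lower()          # normalise case before lookup
        seen.add(mac)
        asset = authorized.get(mac)
        if asset is None:
            findings["unknown_devices"].append(obs["hostname"])
            continue
        for pkg in sorted(set(obs["software"]) - asset.approved_software):
            findings["unapproved_software"].append({
                "hostname": asset.hostname,
                "software": pkg,
                "touches_personal_data": asset.processes_personal_data,
            })
    # Devices in the inventory that were not observed need follow-up too
    # (decommissioned but still "recorded", or offline and unpatched).
    findings["missing_devices"] = sorted(
        a.hostname for mac, a in authorized.items() if mac not in seen)
    # Personal-data systems first: those findings matter most under GDPR.
    findings["unapproved_software"].sort(
        key=lambda f: (not f["touches_personal_data"], f["hostname"]))
    return findings


if __name__ == "__main__":
    for category, items in reconcile(AUTHORIZED, OBSERVED).items():
        print(category, items)
```

Run against real data, the MAC keyed lookup is the weak point (MACs can be spoofed or randomised), so an inventory used for GDPR evidence should also carry an agent identity or certificate; the reconciliation logic itself stays the same.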
Step 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
In light of the GDPR Article 32 requirements, your systems that touch personal information “shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” Before you deploy your first system, you need to establish a secure baseline (configuration) for all systems/devices that access this data. If you have existing systems accessing the data, you need to update these systems to match your documented secure configuration(s).
Step 4: Continuous Vulnerability Assessment and Remediation
Effective security is a continual process. Continuous vulnerability assessment and remediation is a critical process that regularly looks for weaknesses in your systems. Because new vulnerabilities in existing systems are discovered all the time, only regular assessment followed by prompt remediation keeps that exposure small.
Step 5: Malware Defenses
Antivirus is a good foundational-level practice. It is designed to stop threats that match a known signature. Unfortunately, that simply isn’t good enough under GDPR. Since you are required to protect the data, you need to look for an advanced endpoint protection solution.
Step 6: Maintenance, Monitoring, and Analysis of Audit Logs
Article 30, referenced earlier, also requires that you “maintain a record of processing activities.” Now that you have identified the systems that touch the data, you need to aggregate and correlate the log data to look for problems. A SIEM is core to your ability to monitor anomalous user and system activity from workstations, servers, firewalls, switches, cloud systems, and other connected systems/devices. If you store data in the cloud, you must be sure to select a solution that can ingest these logs as well.
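To make the "aggregate and correlate" step concrete, here is an added example (written for this article, not taken from the original or from any SIEM product) of the kind of rule a SIEM runs over logs from several sources. The six log lines, the hostnames, the IP-to-host mapping and the thresholds are constructed; the parsing targets an OpenSSH-style auth message and a simplified netfilter-style firewall line. Two rules are correlated: repeated failed logins from one source followed by a success on the same host, and a large outbound transfer from a system that holds personal data shortly after such a login.

```python
"""Normalise syslog lines from several sources and correlate them.

Added example for the GDPR checklist article; every log line is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: an SSH server, an edge firewall and a workstation.
LOG_LINES = [
    "2018-05-10T22:01:05Z hr-db-01 sshd[812]: Failed password for admin from 203.0.113.7 port 51000 ssh2",
    "2018-05-10T22:01:09Z hr-db-01 sshd[812]: Failed password for admin from 203.0.113.7 port 51001 ssh2",
    "2018-05-10T22:01:14Z hr-db-01 sshd[812]: Failed password for admin from 203.0.113.7 port 51002 ssh2",
    "2018-05-10T22:01:20Z hr-db-01 sshd[815]: Accepted password for admin from 203.0.113.7 port 51003 ssh2",
    "2018-05-10T22:03:40Z fw-edge kernel: FORWARD OUT src=10.0.5.20 dst=198.51.100.9 proto=TCP dpt=443 bytes=734003200",
    "2018-05-10T09:15:00Z ws-jane sshd[301]: Accepted publickey for jane from 10.0.5.31 port 40000 ssh2",
]

# Constructed asset context (this is what the Step 1/2 inventory feeds in).
IP_TO_HOST = {"10.0.5.20": "hr-db-01", "10.0.5.31": "ws-jane"}
PERSONAL_DATA_HOSTS = {"hr-db-01"}

SYSLOG = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
AUTH = re.compile(r"^(?P<result>Failed|Accepted) (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)")
FW = re.compile(r"FORWARD OUT src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\S+ dpt=\d+ bytes=(?P<bytes>\d+)")


def parse(line):
    """Turn one raw line into a normalised event dict, or None if unrecognised."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    a = AUTH.match(m["msg"])
    if a:
        kind = "auth_ok" if a["result"] == "Accepted" else "auth_fail"
        return {"ts": ts, "host": m["host"], "type": kind, "user": a["user"], "src": a["src"]}
    f = FW.search(m["msg"])
    if f:
        # Firewall logs speak in IPs; map back to the inventory hostname.
        return {"ts": ts, "host": IP_TO_HOST.get(f["src"], f["src"]), "type": "egress",
                "dst": f["dst"], "bytes": int(f["bytes"])}
    return None


def correlate(events, fail_threshold=3, window=timedelta(minutes=5),
              egress_bytes=100_000_000, egress_window=timedelta(minutes=30)):
    """Apply two correlation rules over time-ordered events and return findings."""
    findings = []
    failures = defaultdict(list)      # (host, src) -> timestamps of failed logins
    suspicious_logins = []            # (ts, host) of successes that followed failures
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "auth_fail":
            failures[(e["host"], e["src"])].append(e["ts"])
        elif e["type"] == "auth_ok":
            recent = [t for t in failures[(e["host"], e["src"])] if e["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                findings.append({"rule": "brute_force_then_success", "host": e["host"],
                                 "src": e["src"], "user": e["user"], "ts": e["ts"]})
                suspicious_logins.append((e["ts"], e["host"]))
        elif (e["type"] == "egress" and e["bytes"] >= egress_bytes
              and e["host"] in PERSONAL_DATA_HOSTS):
            follows = any(h == e["host"] and timedelta(0) <= e["ts"] - t <= egress_window
                          for t, h in suspicious_logins)
            findings.append({"rule": "large_egress_personal_data_host", "host": e["host"],
                             "dst": e["dst"], "bytes": e["bytes"],
                             "follows_suspicious_login": follows, "ts": e["ts"]})
    return findings


def run(lines=LOG_LINES):
    return correlate([ev for ev in map(parse, lines) if ev])


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The value of the second rule comes entirely from the asset context: a large transfer is only interesting here because the inventory says the source holds personal data, which is why the log pipeline and the Step 1/2 inventory have to share a host identity. The same applies to cloud logs: if they cannot be normalised into this shape with a host or tenant identity, the correlation cannot reach them.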
Step 7: Data Protection
In addition to the solutions mentioned above, I recommend you use a traffic inspection solution such as a Network IDS to look for traffic anomalies (protected data being sent in clear text and possible data exfiltration).
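The kind of check a traffic inspection rule performs for the first of those two cases, protected data crossing the network in clear text, is shown in this added example (written for this article; it is not the original author's code and not any IDS product's rule syntax). The flow records, the ports and the payloads are constructed. Only flows on ports that carry clear-text protocols are inspected, email addresses are matched with a regular expression, and card-like digit runs are accepted only if they pass a Luhn check, which is the usual way to keep order numbers and other long integers from generating false positives; matched card numbers are masked before they are written to an alert.

```python
"""Flag personal data observed in clear-text traffic.

Added example for the GDPR checklist article; flows and payloads are constructed.
"""
import re

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_LIKE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits, optional separators
CLEAR_TEXT_PORTS = {21, 23, 25, 80, 110, 143}       # FTP, telnet, SMTP, HTTP, POP3, IMAP

# Constructed flow records as a sensor might summarise them.
FLOWS = [
    {"src": "10.0.5.20", "dst": "198.51.100.9", "dport": 80,
     "payload": "POST /export HTTP/1.1\r\n\r\nname=J.+Doe&email=jane.doe@example.org"
                "&card=4111 1111 1111 1111&order=1234567890123456"},
    {"src": "10.0.5.31", "dst": "198.51.100.9", "dport": 443,
     "payload": "\x16\x03\x01 (encrypted)"},
    {"src": "10.0.5.31", "dst": "10.0.5.40", "dport": 25,
     "payload": "RCPT TO:<payroll@example.org>\r\nDATA\r\nInvoice 2018-05 attached\r\n"},
]


def luhn_ok(digits):
    """Standard Luhn checksum; True for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first six and last four digits so the alert itself holds no usable number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def inspect(flow):
    """Return (kind, value) hits for personal data seen in a clear-text flow."""
    if flow["dport"] not in CLEAR_TEXT_PORTS:
        return []                       # encrypted or unknown transport: nothing to see
    hits = []
    for m in EMAIL.finditer(flow["payload"]):
        hits.append(("email", m.group()))
    for m in CARD_LIKE.finditer(flow["payload"]):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):             # drops order numbers and similar digit runs
            hits.append(("card_number", mask(digits)))
    return hits


def scan(flows=FLOWS):
    """Produce one alert per flow that carried personal data in the clear."""
    return [{"src": f["src"], "dst": f["dst"], "dport": f["dport"], "hits": inspect(f)}
            for f in flows if inspect(f)]


if __name__ == "__main__":
    for alert in scan():
        print(alert)
```

Two caveats a practitioner will meet immediately: the port gate is a simplification (a sensor should classify the protocol, not trust the port), and once traffic is encrypted, as it should be, this kind of content rule only works at a point where the sensor legitimately sees plaintext, such as an internal proxy or the application host itself.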
Step 8: Boundary Defense
Ensure you have an appropriately secure firewall solution, which provides stateful packet inspection, along with additional security features that protect your network from common threats such as those found while browsing.
Step 9: Conduct Regular Risk Assessments
Article 35 requires organizations to conduct a data protection impact assessment (DPIA) that considers the requirements of GDPR and measures the safeguards you have in place against the “appropriate technical and organizational measures” standard.
Step 10: Develop an Incident Response Plan
Hope for the best, but plan for the worst. You need to have a documented Incident Response Plan that includes a Communication Plan: know who to communicate with, what to say, and what forms or information need to be provided. If you wait until you have a problem, you will find that the 72 hours mandated in Article 33 will not be enough time.
Step 11: Utilize a Capable Team to Manage your Security
Regardless of the size of your organization, this can be a monumental undertaking. Don’t make the mistake of thinking this is a simple one-time fix. You need to have a capable, competent team managing your security, performing the continuous vulnerability scans, regular assessments and keeping you advised through the process. While larger organizations can certainly afford to buy the tools, hire, and train the team, even they realize the most cost-effective solution is to partner with a qualified cybersecurity firm.
If you need help with any of the above or would like to speak with one of our security experts about your organization, please contact us below.