In my last blog on the EU GDPR, I talked about the stiff penalties for non-compliance: fines of up to 4% of an enterprise's global annual turnover (or 20 million euros, whichever is higher) for any organization that controls or processes the personal data of individuals in the EU and fails to protect it. I expect anyone reading this has had the wake-up call and recognizes that compliance is not a 'nice to have' option but a 'must do' action, and that adopting advanced security analytics is part of it.
Organizations need to be ready for EU GDPR
Recognizing that fact, I've assembled a few thoughts about how organizations need to align themselves to be ready when the EU GDPR comes into effect on May 25, 2018. As the deadline approaches, those who have not already begun a transition plan are starting one now. The areas this planning needs to address include:
| GDPR preparation category | Actions |
|---|---|
| Assess legal obligations of GDPR | Understand the requirements as they relate to your organization's collecting, processing and storing of personal data, including the special categories of data defined in the legislation. |
| | Designate an executive sponsor and a technical lead. Determine whether the organization must appoint a Data Protection Officer, and whether that role is filled internally or outsourced. |
| Data audit, inventory and classification | Identify relevant EU personal data along with its data flows and every system that interfaces with it, whether internal, third party or backup. Document every aspect of this discovery: research, findings, decisions and actions. |
| Risk and gap analysis within the GDPR mandate | First, determine whether data falls under a GDPR special category. Then classify who has access to each type of data, who it is shared with, and which applications process it. Assess risk based on the varieties and volume of personal data and the systems that process it. Identify gaps in the processes or technology capabilities meant to ensure data processing integrity. |
| Security access and activity logging for anomalous behavior | Apply security measures to the production data containing core assets, then extend those measures to backups and other repositories. Implement and maintain monitoring of all access and activity on GDPR-related systems, with specific visibility into personal data access and activity across all silos and domains, using a risk-based approach. |
| Controls alignment with GDPR | Investigate any risks to data not covered by previous assessments and established security solutions. Identify existing control sets in the environment that align with compliance requirements. Identify security technology gaps, especially against the SOTA* requirement, and plan technology adjustments and adoptions in a measured, phased approach; technology consulting partners may be required. Reassess and adjust the solution strategy regularly so security capabilities stay in sync with evolving challenges and requirements. |
| Acquire full budget and organizational support | With CISOs often sitting a couple of levels below C-level decision makers, and sometimes reporting to the CIO, there can be inherent resistance to the proposals needed to make an organization compliant. Too often security initiatives are perceived as a cost center rather than as protecting value, and therefore as not contributing to the bottom line. This initiative should instead be seen as a competitive advantage: short-changing the budget for EU GDPR compliance could represent a threat to the organization's survival. |
* SOTA is “state-of-the-art”, and my first EU GDPR blog was on this topic. Check it out if you haven’t already.
Benefits of organizations adopting an advanced security analytics plan
So much of the focus of my blogs on EU GDPR has been on the dire consequences, stiff penalties and rigid requirements. Yet there is good news too, and it should be shared with the C-level decision makers, because it can represent a seismic upgrade in the organization's security capabilities. If the organization adopts an advanced security analytics solution to address "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services" (the security-of-processing measure in GDPR Article 32(1)(b)), the benefits it might realize include:
- SOTA-empowered security capabilities and quality. Advanced security analytics built on mature machine learning algorithms enable holistic, risk-based monitoring across on-premises, cloud and hybrid environments, risk-scoring the gray areas of unknown behavior and reducing false positives.
- Comprehensive shadow IT management. IT groups face significant risk from unknown, unmanaged and ungoverned data being accessed by employees through unsanctioned cloud services. Risk-scored access and holistic activity monitoring across all silos give the organization visibility into, and control over, that shadow IT activity.
- Role-based access controls and data masking. Next-generation capabilities define roles with access controls for both data and actions. Data masking in the incident-management workflow ties into those role-based controls, enabling a tiered hierarchy of access and visibility that meets EU privacy and GDPR requirements.
- Optimized discovery, monitoring and visibility in four areas relevant to GDPR compliance. By addressing administrator controls and separation of duties, access control, data loss prevention and user activity monitoring, the solution provides a baseline ability to view the full context of a user's access and activities, both legitimate and anomalous. A SOTA, mature solution also includes advanced security analytics for hybrid environments, providing a combined 360-degree view of identity together with machine-learning-driven, risk-scored behavior anomalies.
- Improved productivity and cost savings. Beyond GDPR compliance, the solution adds value to the organization's bottom line. Holistic visibility across all of an organization's environments, users and devices maximizes SOC team efficiency, delivering cost savings. And as enterprises migrate to cloud applications, extending the existing platform to cover them, rather than adopting additional point solutions, helps keep costs down.
Most of all, the enterprise's environment will be safer and holistically monitored on a cost-effective basis: a win-win for the adopting organization.
If you want to learn more about the EU GDPR, check out our white paper on the topic: Advanced Security Analytics Applications in EU GDPR.
Leslie K. Lambert
Chief Security and Strategy Officer, Gurucul