GDPR - An IT Security Perspective

by Dominik Altermatt
time to read: 6 minutes

Keypoints

  • Protection of personal data should be embraced
  • The new regulation leaves many questions about its implementation unanswered
  • IT security companies can use the momentum to their advantage
  • Recognized standards simplify IT security management

A few weeks before the European Union’s new General Data Protection Regulation comes into effect, you can feel the commotion building.

There are cogent arguments for both the utility and absurdity of the new regulation. On the one hand, the statutory regulation governing the protection of private individuals’ data certainly seems desirable and sensible; on the other hand, it lacks a sense of proportionality and is already being spoken of as a toothless tiger or a job stimulus package for lawyers. There is further criticism that the regulation falls short in protecting citizens’ privacy from the state, while others see the GDPR as a geo-strategic weapon in the ongoing trade war with the USA. That’s certainly the impression from Facebook’s recent decision to move a large amount of user data from Ireland to the USA so that the data repository falls under US law.

The fact remains that the existing laws of most European countries already required companies to handle individuals’ data with care, long before the data protection rules were revised.

IT security and the GDPR

But if you’re responsible for IT security in your company, you can use the current momentum to sell IT security projects to management with a new argument, or even to put an entire IT security management function in place. Among other things, the GDPR requires (in simplified terms; see Article 32, “Security of processing”) that appropriate technical and organizational security measures are in place. So it makes sense not only to identify personal data as assets and protect them as such, but to extend the same treatment to the data and assets of the entire company.

The scope and form of IT security management vary greatly according to the size and sector of the company in question. That means there is no detailed recipe for getting such a project up and running, which is why the motto “security is a process, not a product” is apt. It also means that when you ask management to fund products and labor, you need to be able to justify each line item.

So it’s a good idea to begin with a top-down approach. What are the company’s business processes, and which of these are important? Where are the IT-related risks? Which systems or processes are affected? How exactly should systems be protected? And so on.

Fortunately, you don’t have to reinvent the wheel here; there are numerous resources for creating or improving your own IT security concept. Here are three that can offer inspiration.

NIST – Cyber Security Framework

The US-based National Institute of Standards and Technology (NIST) recently published a free, revised version (1.1) of its Cybersecurity Framework.

The structure of the NIST Framework is simple and intuitive. Its five core Functions offer a structure that can easily be adopted:

  1. Identify – What should be protected and why?
  2. Protect – How will it be protected?
  3. Detect – How are attacks or misconduct identified?
  4. Respond – How does the company respond to incidents?
  5. Recover – How is the integrity (of data and systems) restored following an attack?

These five Functions break down into categories and subcategories, and for each subcategory the Framework lists informative references to other recognized standards (CIS Controls, ISO/IEC 27001, COBIT 5, NIST SP 800-53, etc.).

NIST itself also maintains a huge catalog of controls (NIST SP 800-53), from which you can select those most relevant to your company. If you plan to follow the NIST method, there are various sites that can help with the process.

ISO 27000 – Information Security Management Systems

The ISO/IEC 27000 family is a set of standards from the International Organization for Standardization. The best-known is ISO/IEC 27001 – Information Security Management Systems, which specifies how to establish, implement, and operate an information security management system (ISMS). The texts can be purchased from the ISO website.

We recommend the iso27001security.com website, which offers numerous asset inventory templates for data classification according to specific security guidelines and many other topics. Anyone wishing to get started in this field will find a good foundation here.

CIS – Center for Internet Security

NIST and ISO standards primarily describe management of IT security. However, merely defining IT security doesn’t make systems secure. Once you start looking at the actual, effective protection of systems, you enter a new sphere where technical knowledge is paramount. The way in which IT products are protected at the technical level is often determined by the understanding of the specialists responsible.

The Center for Internet Security offers a considerable range of hardening guides for various software products and operating systems. The guides are logically structured, and some are available for free.

Meanwhile, the CIS Critical Security Controls offer a simpler introduction to IT security management. They are condensed into 20 controls and are a better starting point for smaller companies than the extensive NIST and ISO/IEC 27000 control catalogs.

Conclusion

Right now the whole issue of the GDPR is still chaotic, and the actual impact and effects remain unknown. Companies are looking anxiously to May 25, 2018 when the regulation comes into effect, with the first test cases presumably following soon after.

IT security staff should remain calm and even use the hype as an opportunity for improving the state of their IT security, citing the GDPR as an argument in favor of their projects.

Anyone looking for assistance, or simply a starting point, for efficient and structured IT security management will find a good foundation in the three sources mentioned. You can use the NIST core Functions to create a structure and build on it with input from ISO and CIS. For smaller companies, however, the CIS Critical Security Controls represent the better starting point.

About the Author

Dominik Altermatt

Dominik Altermatt has been working in the IT business since 2003 and was responsible for Data Leakage Prevention at a Swiss bank for many years. Besides traditional penetration testing, he also focuses on the introduction and improvement of IT security management processes. (ORCID 0000-0003-4575-4597)
