There are cogent arguments for both the utility and absurdity of the new regulation. On the one hand, the statutory regulation governing the protection of private individuals’ data certainly seems desirable and sensible; on the other hand, it lacks a sense of proportionality and is already being spoken of as a toothless tiger or a job stimulus package for lawyers. There is further criticism that the regulation falls short in protecting citizens’ privacy from the state, while others see the GDPR as a geo-strategic weapon in the ongoing trade war with the USA. That’s certainly the impression from Facebook’s recent decision to move a large amount of user data from Ireland to the USA so that the data repository falls under US law.
The fact remains that laws in most European countries already required them to treat individuals’ data carefully – even before the data protection laws were revised.
But if you’re responsible for IT security in your company, you can take advantage of the current momentum to sell IT security projects to management with new reasoning, or even to put an entire IT security management function in place. The GDPR calls for, among other things, and in simplified terms, appropriate IT security measures to be in place. So it certainly makes sense to not only identify personal data as assets and protect it as such, but to also include the data and assets of the entire company.
The scope and form of IT security management varies greatly according to the size and sector of the company in question. And that means there are no detailed formulas for getting such a project up and running, which is why the motto security is a process, not a product definitely makes sense. Because when it comes to justifying costs for products and labor to management, you also need to be able to justify each line item.
So it’s a good idea to begin with a top-down approach. What are the company’s business processes, and which of these are important? Where are the IT-related risks? Which systems or processes are affected? How exactly should systems be protected? And so on.
Fortunately, you don’t have to reinvent the wheel here; there are numerous resources for creating or improving your own IT security concept. Here are three that can offer inspiration.
The US-based National Institute of Standards and Technology (NIST) recently published a free, revised version of its Cyber Security Framework.
The structure of the NIST Framework is simple and intuitive. The five core categories offer a structure that can be easily adopted:
These five core categories break down into sub-categories, and for each NIST control item you can find references to a range of other recognized standards (CIS, ISO2700, COBIT, etc.).
NIST itself comes with a huge catalog of controls. You can then select those which are most relevant to your company. If you plan to follow the NIST method, there are various sites that can help with the process.
The ISO/IEC 27000 family is a set of standards from the International Organization for Standardization. The best-known standard is ISO Standard 27001 – Information Security Management System, which describes how to implement and operate information security management systems. Texts can be downloaded from the ISO website for a small fee.
We recommend the iso27001security.com website, which offers numerous asset inventory templates for data classification according to specific security guidelines and many other topics. Anyone wishing to get started in this field will find a good foundation here.
NIST and ISO standards primarily describe management of IT security. However, merely defining IT security doesn’t make systems secure. Once you start looking at the actual, effective protection of systems, you enter a new sphere where technical knowledge is paramount. The way in which IT products are protected at the technical level is often determined by the understanding of the specialists responsible.
The Center for Internet Security offers a considerable range of hardening guides for various software products and operating systems. The guides are logically structured, and some are available for free.
Meanwhile, the CIS Critical Controls offer a somewhat simpler introduction IT security management. They are condensed into 20 points and are a better start for smaller companies than the extensive NIST and ISO 27000 controls.
Right now the whole issue of the GDPR is still chaotic, and the actual impact and effects remain unknown. Companies are looking anxiously to May 25, 2018 when the regulation comes into effect, with the first test cases presumably following soon after.
IT security staff should remain calm and even use the hype as an opportunity for improving the state of their IT security, citing the GDPR as an argument in favor of their projects.
Anyone requiring assistance or even a starting point for efficient, structured IT security management can find a good foundation in the three sources mentioned. You can use the NIST core categories to create a structure and build on it with input from ISO and CIS. But for smaller companies, the CIS Critical Controls represent a better starting point.
Our experts will get in contact with you!
Our experts will get in contact with you!
Further articles available here