Complying with New Data Security and Privacy Requirements for Cloud Computing October 2018


Page 1: Complying with New Data Security and Privacy Requirements ... · Complying with New Data Security and Privacy Requirements for Cloud Computing October 2018

Complying with New Data Security and Privacy Requirements for Cloud Computing

October 2018

Page 2

2© Capgemini 2018. All rights reserved |Complying with New Data Security and Privacy Requirements for Cloud Computing | October 2018

Speaker Bio

Malu Septien Milan

GRC Lead Architect, Go-to-Market

Capgemini North America

Malu recently joined Capgemini, a global leader in consulting, technology services and digital transformation. She brings 25 years of digital transformation and risk management leadership experience across Fortune 100 companies.

Malu is a forever learner, always staying current in the latest innovations in technology and their business applications.

Page 3

Presentation Overview

Through this presentation you will gain knowledge on how to:

• Implement a practical approach to global regulatory compliance readiness

• Achieve a unified operational execution plan to avoid fines

• Deliver cybersecurity training for your employees to proactively reduce risk

• Stay ahead of regulatory requirements

Page 4

The cloud’s threat landscape has brought about new regulations

Page 5

What is GDPR? The basics

The General Data Protection Regulation (GDPR) is a new law which establishes a single set of rules for every EU Member State to protect personal data. It builds upon and updates the current EU data protection framework.

Effective date & fines: 25 May 2018; 4% net revenue or 20M euros

Companies processing personal data must continue to ensure they have proper controls over the processing and security of personal data, according to the data protection principles in the GDPR.

They must continue to control how personal data is stored, kept up to date, accessed, transferred and deleted.

Personal data is widely defined to mean any information relating to an identified or identifiable individual (known as a “data subject” under the GDPR). Personal data may include name, physical address, email address, identification number, location data, online identifier, credit card number, or health information.

Page 6

What does GDPR change for your company?

1. Establishing more comprehensive data protection standards (e.g. companies must build privacy into projects, products and systems that will process personal data);

2. Requiring companies to keep detailed internal records of their processing activities;

3. Strengthening the enforcement powers of supervisory authorities and giving them the right to impose substantial fines;

4. Requiring companies to notify the relevant supervisory authority about serious personal data breaches within 72 hours and to notify affected individuals if there is a high risk of harm to them as a result of the breach.

Plus new directives in force: the EU NIS Directive and NIST 800-171, the cybersecurity foundational requirements for successful GDPR mitigation.

Page 7

Compliance, Privacy, and GRC Primer: the clock is ticking

Page 8

Stay ahead of regulatory requirements

1. Implement a routine self-assessment process against current regulation.

2. Partner with a trusted company to help you through the journey.

3. Enroll in regulatory compliance bodies around the world to stay ahead of regulation and fines enforced on corporations.

4. Drive learning into the organization.

5. Embrace the rapid change in GRC regulation as a result of rapid cloud and digital transformation.

6. Reach out to our experts to help you with next steps.

7. Win our raffle!

Page 9

Create your Roadmap to Cloud GRC to beat the odds following our practical advice

Cloud GRC Challenges (Source: 2018 cloud security report – Crowd Research Partners):

• Difficulty complying with regulation

• Which security policies apply

• Security and privacy not being able to keep up with the pace of changes in applications

Visibility into infrastructure security vulnerabilities is step 1.

Implement a practical approach to global regulatory compliance readiness

Page 10

Start with a GRC self-assessment across GDPR controls

Sample Customer GDPR Self-Assessment 10/11/2018

Page 11

Establish building blocks of GDPR and privacy compliance

1. GDPR Assessment Program: Scoping, Detailed process diagnosis and action plan, Data Protection Impact Assessment

2. GDPR Program: Data Protection Register management, Awareness & Change management, Program coordination and follow-up (incl. KPIs, Risk and reporting), DPO Organization & Tooling, Processor and third party management, GDPR organization, methodology and procedures

3. Data Discovery: Data discovery services

4. Consent & Individual's Rights Management: Consent management, Individual's rights management

5. Pseudonymizing: Pseudonymizing services

6. Data Lifecycle: Data retention and data disposal

7. Data Protection: Identity Access Management & Identity as a Service, Data & Database Security

8. GDPR Assurance: Data Breach Simulation, GDPR compliance tracking, Application security & privacy testing

9. Breach Management & Reporting: Security Operations Center as a Service, Data Leak Prevention as a Service

Page 12

Simplify to what you can measure & respond to first given your risk exposure assessment results

Concurrent Audit Services (CAS):

• Duplicate Payment Review (Historical & Ongoing)

• Vendor Overpayment Audits

• Continuous Transaction Monitoring

• Revenue Assurance

DPO Appointment

Continuous Control Monitoring:

• Financial Controls

• IT Controls

IT Risk & Compliance services:

• Integrated IT Risk Management

• Third Party Risk Management

• IT General Controls assessment

• VAPT and Application code Review

• SOC for Cybersecurity

• SAP Security

• IT Service Continuity

• ISO 27001:2013 implementation

Regulatory compliance services:

• SOX/SOC 1 Assessments

• SOC 2/3 Assessments

• Data Privacy Assessments (GDPR, CAPR etc.)

• Data Privacy Continuous Monitoring

• PCI Compliance Management

• EU NIS Directive, CIS V7, ISO 27001 etc.

Application access controls & SoD analysis:

• User Account Management

• Access Rights Management

• Privileged Account Management

• Segregation of Duties (SoD) Analysis

Page 13

Drive employee awareness through tailored training

Deliver effective and efficient cybersecurity training for your employees to proactively reduce risk

– https://info.wombatsecurity.com/capgemini-register-training

Focus on changing employee behavior, not simply training:

1. Assessing: where there are weaknesses

2. Educating: addressing areas of weakness

3. Reinforcing: practicing/reminding of what was just learned

4. Measuring and Repeating

Page 14

Apply learning science principles

• Present concepts and procedures together

• Bite-sized lessons

• Story-based environment

• Provide immediate feedback

• Learn by doing

• Use conversational tone

• Collect valuable data

• Create teachable moments


Page 15

Continuous training methodology supporting continuous GRC readiness

Analyze and Repeat:

• Simulated attacks and knowledge assessments

• Interactive training modules and games

• Attack reporting, posters, and videos

• Detailed reports show progress

Page 16

Security and privacy by design require a DMAIC Approach

Capabilities:

• Integrated 72 hour Breach Notification and Completeness

• Infrastructure & Applications Cybersecurity

• Vendor Privacy Regulation Controls

• Real time Consent Management

Parties in scope: Partners, Consumers, Customers, Employees, Contractors, Things, Applications

Address your weakest areas first (DMAIC Approach):

1. Define the problem areas against specific controls in specific regulation

2. Measure Gaps

3. Analyze Remediation Options

4. Implement Remediation

5. Control Plan: Ongoing monitoring of effectiveness

Achieve a unified operational execution plan to avoid fines

Page 17

Simple GRC readiness plan (360º):

• Secure-Cyber Foundations

• Privacy & GRC Program

• Employee Readiness

Page 18

GDPR Compliance Approach End to End View

Roadmap: GDPR Assessment, Baseline Compliance, Document Compliance Maturity, Strategic Roadmap

Private Data Protection: Discovery, Privacy Maturity, DPIA

Protect: Data Protection, Consent Management, Data Lifecycle

Monitor: Breach Management & Reporting, Policy

Manage: GDPR Program

Building blocks shown in the diagram: Privacy Architecture, Privacy by Design, Data Classification, PbD Risk, Privacy Policy, Education & Awareness, Risk Assessment, GDPR Assurance, Risk Management Program, Compliance Tracking, Data Request Response Program, Breach & Incident Response Program, DPIA Program, Security RM and Privacy Maturity, Data Privacy Controls, 99 Articles & Integrated Controls, Organizational Awareness & Readiness, Business Processes & Consent Management, RM Index, Data RM Index, Remediate CIS Basics, Privacy PM Tools, Consent Workflows, Policy Management, Data Subjects Rights

Page 19

Security and Privacy in the Cloud requires even closer collaboration between Infrastructure, Applications, Business and Legal

Cloud Risk Management Platform (Company X): Data, Governance & Training, Security Scorecards, GDPR Execution Platform, DevOps Security Risk Scoring, ITIL Integration (CMDB)

GRC automation as competitive advantage

Page 20

In Summary

Problem: GRC security and privacy complexity has risen.

Solution: Must be tailored to your needs and measured GRC readiness to avoid boiling the ocean.

Questions?

[email protected]

Page 21

About Capgemini

A global leader in consulting, technology services and digital transformation, Capgemini is at the forefront of innovation to address the entire breadth of clients’ opportunities in the evolving world of cloud, digital and platforms. Building on its strong 50-year heritage and deep industry-specific expertise, Capgemini enables organizations to realize their business ambitions through an array of services from strategy to operations. Capgemini is driven by the conviction that the business value of technology comes from and through people. It is a multicultural company of 200,000 team members in over 40 countries. The Group reported 2017 global revenues of EUR 12.8 billion.

Learn more about us at

www.capgemini.com

This message contains information that may be privileged or confidential and is the property of the Capgemini Group.

Copyright © 2018 Capgemini. All rights reserved.

People matter, results count.