Establishing a Risk-Centered Program in the Age of GDPR

02/2018

Diana Candela, C|EH, C|NDA, E|CSA, L|PT, ITIL, CSSGB, NIMS
IT Risk & Compliance Program Manager, IT Data Privacy Lead, Cybersecurity GRC (Governance, Risk, Compliance)
AGCO Corporation



WHO WE ARE

Welcome to the world of AGCO.

We are a global leader in the design, manufacture and distribution of high-tech solutions for farmers feeding the world.

Our mission is profitable growth through superior customer service, innovation, quality and commitment.

We work tirelessly to help make today's farms more productive and more profitable. As the world of agriculture changes, so do we.

We are AGCO.


DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily reflect the official policy or position of AGCO.

GDPR At a Glance

Enhanced Rights for Individuals

Increased Sanctions

DPOs

Explicit Informed Consent

Privacy by Design

Increased Transparency

Privacy Impact Assessments


StandardRisk Mgmt. Program

Getting Started

Discovery Workshop

Privacy Team/Program

Strategic Priorities Assessment

Unknown Risks

Data Inventory & Mapping

Specific Issues

Privacy Risk Assessment

Assessing Compliance

PIA Program Development

Continuous Improvement

Risk Management Program Maturity


GDPR – Six Key Principles for processing Regulated Data

1. Personally Identifiable Data must be processed fairly and lawfully. (Understand what PII is)

2. Data must be accurate and kept up to date. (Implement process)

3. For specified, explicit and legitimate purposes. (What and Why?)

4. Kept no longer than is necessary. (Data Retention, Anonymization, Deletion)

5. Adequate, relevant and minimum necessary. (Minimize where possible)

6. The Organization is responsible and liable to ensure and demonstrate compliance. (Risk must be Accepted)

Things to remember

1. Data Collection and the life cycle from collection to destruction

2. Data Transfer; access, internally, externally, or globally

3. Defining “Data”

4. Understanding “Personal Data”

Create a Checklist Hand-out to make things easy


Core Principles of Privacy by Design

Proactive not Reactive; Preventative not Remedial

Privacy embedded into design

Full functionality

End-to-end Security: Full Lifecycle Protection

Individual & User Centric

Potential privacy problems are identified at an early stage; addressing them early will often be simpler and less costly.


Required Technology Capabilities

Capability areas: Govern, Identify, Act, Analyze, Secure

Case Management, Data Discovery, Data Security, Activity Monitoring, Network Security

Controls Management, Data Mapping and Modelling, Data Maintenance, Omni-channel Management, Application Security

Privacy Compliance Systems, Consent Management, Breach Response, Archive Management, IT Infrastructure Security

Training, Consent Maintenance, Inventory


Applying Privacy by Design

Architecture Principles: Simplicity over flexibility; Usability over restriction; Defense in depth

Implementation Principles: Open design; Secure coding practices; Black box and White box testing

Operation & Configuration Principles: Complete mediation; Least privilege; Audit trails


DevOps Lifecycle

Continuous Improvement, Innovation & Feedback

Plan & Measure → Develop & Test → Release & Deploy → Monitor & Optimize

Lifecycle and Service Management Integration

Ecosystem

Best Practice

Customers, Business Units, Dev/Test, Ops/Prod


Lifecycle of Regulated Data

Are you gathering sufficient data for the purpose; are you gathering too much, or data that is irrelevant to the purpose? Can you identify ways to minimize the data you gather?

What is the purpose? Have you specified the purpose to the individuals? Do they have full knowledge and understanding of what happens to their data once it’s passed to/through our organization?

Do you have a procedure in place for auditing the data you hold and updating it where necessary?

Do you have appropriate physical and technical security measures in place to keep the data safe and secure? Is access to the data in our organization restricted to only those who process it? Do you have an off-site back-up facility? Where is it located? Do you hold data in the Cloud, and if so where is the Cloud Provider located?

Do you have measures in place to ensure you do not hold data for longer than is necessary for the specific purpose? Do you have/know the Data Retention Policy?

Is your system of storing and filing suitable for easily identifying all data you hold, so you can respond fully to individual requests, and within statutory deadlines where applicable?

Legal + GRC

Individuals’ right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export their personal data

The Organization will need to:
• Protect personal data (appropriate security)
• Notify authorities of personal data breaches
• Obtain appropriate consents for processing data
• Keep records detailing data processing

The Organization is required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies

The Organization will need to:
• Train staff on Privacy & Security
• Audit and update data policies
• Designate a Data Protection Officer (DPO)
• Manage compliant vendor contracts


Key Changes needed to process Regulated Data

Systems must have the capability/features to meet these requirements.

Know where regulated data is to place reasonably appropriate controls.

Have a Data Governance process for data classification and retention.

Risk Assessments, Data Privacy Impact Assessments (DPIA) & Vendor Risk Mgmt.

A DPIA is required when data processing is likely to result in high risk to individuals, for example:

• where a new technology is being deployed;
• where a profiling operation is likely to significantly affect individuals;
• where there is processing on a large scale of Regulated Data.


Challenges

Business
• Enabling User privacy rights
• Ensuring Compliance
• Unexpected costs
• Meeting business needs and expectations

Operational
• Authentication issues
• Authorization issues
• Process changes
• New process introduction
• Support issues

Technical
• New Tech Stack?
• Reliance on technology
• Maintenance and updates
• Managing large amounts of regulated data


Go from complex Legal fine print to transparent disclosures

Disclose all intended and potential future uses of consumer data in simple language at the point of data collection

Incorporate store/do not store and use/do not use checkbox options on forms next to regulated data fields

Train your teams to answer Privacy & Security questions not just product/service questions


Integrate Data Quality as a Design discipline in all processes

What data needs to be captured & stored vs. what can be processed in real time without storing

Store data showing customer actions separately from data showing what triggered the action (the actual user behavior)

Preemptively outline risks and intended course of action in the event of a crisis/breach


Breach Management: Do you have what it takes?

Detect Incident → Notify Owner(s) → Quarantine → Contain → Restricted Data? → High Risk? → Report → Recover

Sensor Data

Whitelist?

Mandatory Breach Notification: 72 hours


Information Security Model: Terms & Glossary

Capability: Defines “what” information security process areas or disciplines.

Coverage: Defines the “amount” of control and timeline coverage that should be applied.

Control: Managing obligations to the business, stakeholders and customers, and demonstrating it.

Maturing to a Proactive Posture

Capability: Process Discovery and Re-engineering to support Information Security program alignment with business and security requirements.

Coverage: Integrate required regulations and observe areas for control enhancement.

Control: Risk & Compliance based categorization and priority of Information assets and processes.

The Degree & Complexity of controls are driven by the Organization’s risk appetite and applicable compliance requirements.


Information Security Program

Security IT Operations

Incident Response

Training & Awareness

Risk Management

Compliance & Audit

Security Architecture

IT Governance

Security Process: Identify Risk → Implement Controls → Assess/Audit (Simplify)

Risk-based, Data-driven decisions


Taking action: doing what you’ve planned

DISCOVER AND DOCUMENT: Identify what type of Regulated Data your application(s)/system(s) process, where it resides and where it goes to.

PROTECT: Implement and test security controls to prevent, detect and respond to vulnerabilities and Data Breaches.

REVIEW: Analyze your Regulated Data, stay Compliant and regularly review risk to maintain risk at an acceptable level.

CONTROL (ACCESS MANAGEMENT): Manage and keep records/logs of how Regulated Data is used and accessed, and by whom.

REPORT: Application(s)/system(s) should be monitored for potential Data Breaches. Have & test a process to notify the right team if/when a Breach occurs.

Put procedures in place to effectively detect, report and investigate a personal data breach.

Key Concepts

Complete Visibility: Systems need to offer or support visibility into all traffic – across the network, endpoint and the cloud – classified by application, user and content. You can’t stop or protect against what you can’t see.

Reduce Attack Surface: Systems are everywhere! In-house, SaaS, IaaS, PaaS, IoT: multiple avenues available to infiltrate an Organization and exfiltrate Regulated Data. Only enable allowed apps and users. Deny everything else.

Prevent Known Threats: Many data breaches result from known threats, such as information-stealing malware and application exploits. Systems must be able to restrict access to regulated files or content. Management of all application types. Vulnerability Management: Scan and Patch/Fix.

Prevent Unknown Threats: Have a multi-method approach to block core techniques used by zero-day exploits & identify and block unknown malware from compromising endpoints. Next-Gen protection. Security Incident Notification & Management Procedures.

Security and Privacy should be seen as a business differentiation strategy.
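The operation principles from the Applying Privacy by Design slide (complete mediation, least privilege, audit trails), the CONTROL (ACCESS MANAGEMENT) step (keep records of how Regulated Data is used and accessed, and by whom) and the "only enable allowed apps and users, deny everything else" concept, put together as an added Python example. This is not code from the presentation or from AGCO; the roles, purposes, field classification, consent flag and sample record are assumptions made for illustration.

```python
"""Default-deny, purpose-bound access to regulated data fields, with an audit
trail of every decision. Added example, not from the presentation; the roles,
purposes, field classification and sample record are assumptions."""
from datetime import datetime, timezone

# Assumed classification of the fields on a customer record.
RESTRICTED_FIELDS = frozenset({"email", "phone", "address", "date_of_birth"})
PUBLIC_FIELDS = frozenset({"customer_id", "country", "product_line"})

# Least privilege: each (role, purpose) pair is granted only the fields it
# needs. Any pair not listed here gets nothing (default deny).
GRANTS = {
    ("support_agent", "service_request"): RESTRICTED_FIELDS | PUBLIC_FIELDS,
    ("marketing", "campaign_analytics"): PUBLIC_FIELDS,
    ("marketing", "campaign_email"): PUBLIC_FIELDS | {"email"},
    ("dpo", "subject_access_request"): RESTRICTED_FIELDS | PUBLIC_FIELDS,
}

# Purposes that additionally require a consent flag on the record (assumed).
CONSENT_REQUIRED = {"campaign_email": "marketing_consent"}

# Constructed sample record.
SAMPLE_RECORD = {
    "customer_id": "C-1001", "country": "DE", "product_line": "tractors",
    "email": "alice@example.com", "phone": "+49 000 0000000",
    "address": "Example Str. 1, 00000 Example", "date_of_birth": "1980-01-01",
    "marketing_consent": False,
}


class RegulatedDataStore:
    """Complete mediation: the only path to regulated records. Every field
    request is checked against the grant table and logged, allowed or not."""

    def __init__(self, records):
        self._records = records
        self.audit_log = []

    def _log(self, user, role, purpose, customer_id, field, allowed, reason):
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(), "user": user,
            "role": role, "purpose": purpose, "record": customer_id,
            "field": field, "allowed": allowed, "reason": reason})

    def read(self, user, role, purpose, customer_id, fields):
        record = self._records.get(customer_id, {})
        granted = GRANTS.get((role, purpose), frozenset())  # default deny
        consent_flag = CONSENT_REQUIRED.get(purpose)
        result = {}
        for field in fields:
            if field not in granted:
                allowed, reason = False, "no grant for this role/purpose"
            elif consent_flag and not record.get(consent_flag):
                allowed, reason = False, "consent not given"
            elif field not in record:
                allowed, reason = False, "field absent"
            else:
                allowed, reason = True, "granted"
                result[field] = record[field]
            self._log(user, role, purpose, customer_id, field, allowed, reason)
        return result

    def restricted_access_report(self):
        """Who actually read restricted fields, and for what purpose."""
        return [e for e in self.audit_log
                if e["allowed"] and e["field"] in RESTRICTED_FIELDS]

    def denied_attempts(self):
        """Denied requests are the entries worth alerting on."""
        return [e for e in self.audit_log if not e["allowed"]]


if __name__ == "__main__":
    store = RegulatedDataStore({"C-1001": SAMPLE_RECORD})
    print(store.read("agent01", "support_agent", "service_request", "C-1001", ["email", "country"]))
    print(store.read("mkt01", "marketing", "campaign_analytics", "C-1001", ["email", "country"]))
    print(store.read("mkt01", "marketing", "campaign_email", "C-1001", ["email"]))
    print(store.read("tmp01", "intern", "curiosity", "C-1001", ["email"]))
    print(store.restricted_access_report())
    print(store.denied_attempts())
```

The grant table is the least-privilege policy, the `read` method is the single mediation point, and the two report methods are what an auditor or a detection engineer would pull from the log: the first answers "who used regulated data and why", the second is the feed for alerting on attempts outside policy.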

Strategy Pattern Examples

Minimization: Amount of processed regulated data restricted to the minimal amount possible.
• Select before you collect
• Anonymization / pseudonyms

Hide: Regulated data, and their interrelationships, hidden from plain view.
• Storage & transit (encryption of data)
• Hide traffic patterns
• Attribute based credentials
• Anonymization / pseudonyms

Separate: Regulated data processed in a distributed fashion, in separate compartments whenever possible.
• Multiple options available for compartmentalization

Aggregate: Regulated data processed at the highest level of aggregation, with the least possible detail in which it is still useful.
• Aggregation over time
• Dynamic location granularity (location based services)

Inform: Transparency.
• Platform for privacy preferences
• Data Breach notification

Control: Users (Data subjects) provided control over processing of their personal (regulated) data.
• User centric Identity Management
• End-to-end encryption support

Enforce: Privacy policy compatible with Legal requirements to be enforced.
• Access control
• Sticky policies and privacy rights management

Demonstrate: Demonstrate compliance with privacy policy and any applicable legal requirements.
• Privacy Management Systems
• Use of logging and auditing
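The Minimization, Hide, Aggregate and Demonstrate strategies above, together with the "kept no longer than is necessary" principle from the Six Key Principles slide, applied to a constructed batch of records in Python. This is an added example, not code from the presentation or from AGCO; the record fields, the purpose-to-field schema, the 90-day retention period and the pseudonym key are assumptions made for illustration.

```python
"""Privacy design strategies (minimize, hide, aggregate, demonstrate) plus a
retention check, applied to a constructed batch of customer-interaction
records. Added example, not from the presentation; the field names, purpose
schema, retention period and key are assumptions."""
import hashlib
import hmac
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample input: records as a web form or CRM might capture them.
RAW_RECORDS = [
    {"email": "alice@example.com", "name": "Alice A.", "country": "DE",
     "action": "quote_request", "ts": "2018-02-05T10:00:00Z",
     "marketing_ok": True, "ip": "203.0.113.7"},
    {"email": "bob@example.com", "name": "Bob B.", "country": "FR",
     "action": "quote_request", "ts": "2018-02-05T11:30:00Z",
     "marketing_ok": False, "ip": "198.51.100.4"},
    {"email": "alice@example.com", "name": "Alice A.", "country": "DE",
     "action": "brochure_download", "ts": "2018-02-06T09:15:00Z",
     "marketing_ok": True, "ip": "203.0.113.7"},
    {"email": "carol@example.com", "name": "Carol C.", "country": "IT",
     "action": "quote_request", "ts": "2017-11-01T08:00:00Z",
     "marketing_ok": True, "ip": "192.0.2.9"},
]

# MINIMIZE ("select before you collect"): the fields each announced purpose
# actually needs. Anything else is dropped before it is stored. (Assumed schema.)
PURPOSE_FIELDS = {"quote_followup": {"email", "country", "action", "ts"}}

# "Kept no longer than is necessary": assumed retention period for this purpose.
RETENTION = timedelta(days=90)

# HIDE: keyed pseudonym so the identifier is not in plain view. In production
# the key lives in a secrets store and is never hard-coded like this.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"

# DEMONSTRATE: every processing decision leaves an auditable record.
AUDIT_LOG = []

# Reference "now" used by the demo so the retention check is reproducible.
EXAMPLE_NOW = datetime(2018, 2, 7, tzinfo=timezone.utc)


def audit(event, **details):
    AUDIT_LOG.append({"at": datetime.now(timezone.utc).isoformat(),
                      "event": event, **details})


def minimize(record, purpose):
    """Keep only the fields the purpose needs; log what was dropped."""
    keep = PURPOSE_FIELDS[purpose]
    audit("minimize", dropped=sorted(set(record) - keep))
    return {k: v for k, v in record.items() if k in keep}


def pseudonymize(identifier):
    """Deterministic keyed pseudonym: the same person maps to the same token,
    but the token cannot be reversed without the key."""
    return hmac.new(PSEUDONYM_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def within_retention(record, now):
    ts = datetime.fromisoformat(record["ts"].replace("Z", "+00:00"))
    return now - ts <= RETENTION


def process(records, purpose, now):
    """Retention check -> minimize -> pseudonymize, in that order."""
    kept = []
    for r in records:
        if not within_retention(r, now):
            audit("retention_delete", subject=pseudonymize(r["email"]))
            continue
        m = minimize(r, purpose)
        m["subject"] = pseudonymize(m.pop("email"))
        kept.append(m)
    return kept


def aggregate_by_day_and_country(records):
    """AGGREGATE: counts per day and country are enough for reporting and
    carry no per-person detail."""
    counts = Counter((r["ts"][:10], r["country"]) for r in records)
    audit("aggregate", groups=len(counts))
    return {f"{day}/{country}": n for (day, country), n in sorted(counts.items())}


if __name__ == "__main__":
    kept = process(RAW_RECORDS, "quote_followup", EXAMPLE_NOW)
    print(kept)
    print(aggregate_by_day_and_country(kept))
    for entry in AUDIT_LOG:
        print(entry)
```

The order matters: the retention check runs before anything else so that expired records never reach the pipeline, minimization runs before the pseudonym is derived so that the raw identifier is touched only once, and the aggregate view is what reporting consumes so that individual rows never need to leave the processing boundary. The audit log is the evidence the "if you can't provide evidence, you didn't do it" slide asks for.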


Strategy Approach Cheat Sheet


Talk to experts: When/Why to engage Legal

Have a Binding Corporate Rules (BCR) Compliance Management procedure that defines the responsibilities and actions for personnel involved in the implementation of IT systems and infrastructure.

The procedure should include requirements related to: implementation of new systems; and implementation of changes in IT infrastructure.

Applicable to all employees, affiliates and third-parties responsible for the implementation of IT systems and infrastructure.

1. Identification of system holding personal data

2. Hosted systems and clouds

3. Sharing data with third parties

4. Data collection and processing on Corporate websites

Presentation Notes

Step 1: Identification of system holding personal data. Can you confirm that the system does not hold personal data? Please provide a declaration to the Legal department about the implementation plan.

Step 2: Hosted systems and clouds. If the system is hosted, uses a cloud solution or includes data transfer to an AGCO affiliated company not listed in Appendix 1, BCR alone will not provide sufficient safeguards. Please contact the Legal department, providing sufficient advance notice of the implementation plan to allow the Legal department to implement legitimate grounds for data transfer in the form of EU standard contractual clauses and/or intercompany agreements. In certain countries all Data Processing needs to be declared to Data Privacy Authorities. European model clauses are a requirement for third party service providers. It is important to be clear that any change to the model clauses needs to be approved by the relevant Data Privacy Authorities.

Step 3: Sharing data with third parties. The Data Subject has to consent to sharing Personal Data with third parties, such as the sharing of AGCO user information, phone numbers etc. Consent restricts AGCO to only using Personal Data for the announced purpose. In certain countries all Data Processing, including sharing data with third parties, needs to be declared to Data Privacy Authorities. Please contact the Legal department. Consent and notification are required at set up only, for each announced purpose. If the purpose changes, the steps need to be retaken.

Step 4: Data collection and processing on AGCO websites. Processing strictly in accordance with EU data privacy laws (directive 95/46/EC). Purpose limitation: description of what data is being collected for. Data subject’s explicit consent for marketing use or for sharing with third parties (as described in Step 3).

Key Things to Remember

You may need Code Changes.

Website security assessments are needed (unless already in place).

When in doubt, contact Legal.

Consent is explicit and must be obtained.

Mandatory 72-hour data breach reporting.

You must be able to demonstrate compliance.

“If you can’t provide evidence, you didn’t do it”.


EU Members: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK.

What you didn’t get to must be communicated; the Risk must be Accepted or plans for mitigation should be considered.

Presentation Notes

Yes, the UK is leaving the EU - but the UK government has not yet triggered Article 50, which sets in motion the act of leaving the EU within a two-year timeframe (though it could take longer). This means the GDPR will take effect before the legal consequences of the Brexit vote, meaning the UK must still comply for the time being.


Summary: Confirm Capabilities

www.AGCOcorp.com

Q & A