the rsa archer suite & gdpr - etda · 2018-05-18 · engage your legal and compliance teams....
THE RSA® ARCHER® SUITE & GDPR
Are we ready for GDPR?
@RSAsecurity
@RSA_Archer
STEP #1: Engage your legal and compliance teams.
This is a significant compliance initiative and requires interpretation and counsel…
CURRENT SITUATION
GDPR IN A NUTSHELL
The basics
The General Data Protection Regulation (GDPR) is a new law which establishes a single set of rules for every EU Member State to protect personal data. It builds upon and updates the current EU data protection framework.
Effective date
It will come into force on 25 May 2018.
WHAT IS GDPR?
Companies processing personal data must continue to ensure they have proper controls over the processing and security of personal data, according to the data protection principles in the GDPR. They must continue to control how data is stored, kept up to date, accessed, transferred and deleted.
Personal data is widely defined to mean any information relating to an identified or identifiable individual (known as a “data subject” under the GDPR). Personal data may include name, physical address, email address, identification number, location data, online identifier, credit card number, or health information.
WHAT DOES IT CHANGE?
The GDPR goes beyond current EU law by:
1. Establishing more comprehensive data protection standards (e.g. companies must build privacy into projects, products and systems that will process personal data);
2. Requiring companies to keep detailed internal records of their processing activities;
3. Strengthening the enforcement powers of supervisory authorities and giving them the right to impose substantial fines;
4. Requiring companies to notify the relevant supervisory authority about serious personal data breaches within 72 hours and to notify affected individuals if there is a high risk of harm to them as a result of the breach.
COMPANIES MUST ALSO…
• Comply with requests from individuals to stop using their personal data for marketing
• Tell individuals how their personal data will be used
• Make sure staff are appropriately trained in the care and handling of personal data
• Keep personal data secure
• Notify regulators and/or affected individuals in the event of a serious data breach (usually within 72 hours)
• Grant individuals access to correct or erase their personal data upon request
• Limit transfers of personal data out of the European Economic Area to only those that comply with EU international data transfer rules
• Put data processing agreements in place to ensure third party vendors follow the same protective rules
• Build privacy compliance into product, software and services design, processing tools and system development
WHAT IS THE PENALTY FOR NOT COMPLYING?
If a company fails to comply with the GDPR, an EU supervisory authority can issue:
• Warnings, reprimands, suspensions of data transfers, bans on processing and orders to correct infringement; and
• Substantial fines of up to: 10 million Euros or 2% of total global annual turnover (whichever is greater), OR 20 million Euros or 4% of total global annual turnover (whichever is greater)
Fines are calculated on the type of obligation that has been breached, the seriousness of that breach, its effect on individuals and the behavior of the company.
GDPR “GAME CHANGERS”
• Data Protection Officer (DPO) (when required) will become a key security stakeholder.
• Data Breaches get costlier and more difficult to manage and prepare for.
• Privacy-by-design is built into GDPR.
• Extraterritorial reach of GDPR will make it a global mandate.
• Providing evidence of risk mitigation counts as much as securing data.
• EU Resident rights add considerable operational complexity.
GDPR AND ITS IMPACT
THE WHEELS ARE IN MOTION
Teams are being established. Cross-functional involvement is underway. Leadership is key.
IT’S NOT JUST AN EU ISSUE…
A recent PwC pulse survey asked C-suite executives from large American multinationals about the state of their plans for GDPR. The “pulse” revealed:
• Over half of US multinationals say GDPR is their top data-protection priority
• Information security enhancement is a top GDPR initiative
• 77% of survey respondents plan to spend $1M or more on GDPR
From “GDPR Preparedness Pulse Survey” published by PwC – January 2017
From Gartner’s 2016 Security Buying Survey
AND IMPROVING PRIVACY IS NOT JUST A RISK MANAGEMENT REQUIREMENT.
PRIVACY as a COMPETITIVE DIFFERENTIATOR
THE DATA LIFECYCLE
Collect: Consent; Relevance; Type of data; Amount of data; Sensitivity; Fairly and lawfully
Process: Specific data; Specific purpose; Physical & Electronic
Keep and Secure: Duration and type of data; Data Integrity; Technology; Data loss & Breach Management; Third Parties; Resiliency
Manage Access: Right to rectify; Data destruction; Data transfers; Right to Inquire; Right to be forgotten; Notify of changes
Risk Assessment cycle: Identify, Assess, Evaluate, Treat, Monitor
Figure labels: Data Subject Rights; Data Protection
FOUR KEYS TO GDPR PLANNING
Data Governance. Primary objective: Know where data is in the enterprise and who has access, and implement controls in data processing activities.
Risk Assessment. Primary objective: Establish a risk assessment process to ensure controls are appropriately designed and implemented.
Compliance Management. Primary objective: Establish a compliance program to ensure controls are effective and operational.
Breach Response. Primary objective: Detect and respond to the threat before a breach occurs, but if a breach does occur, you need to know the details and exact impact.
DECISION TREE: WORKING YOUR WAY TO A PLAN
Are you affected?
• Does your organization process, store or handle personally identifiable information (PII)/Personal Data (OR plan to)?
• Does any of this PII include EU residents including customers and/or employees?
No: Stop (maybe). Yes: continue.
Have you initiated a project around GDPR?
No: Educate on GDPR. Yes: continue.
Have you performed a risk assessment or analysis with regards to GDPR?
Which area(s) concern you the most?
Breach Response. Defined as: The ability to detect and respond to security incidents, escalate and handle data breaches of any type.
• What is your strategy for identifying and responding to data breaches?
• What steps towards automation have you taken to reduce “breach exposure time”?
• How do you manage your risk of advanced cyber threats and attacks?
Data Governance. Defined as: The ability to monitor and control access to data.
• What is your strategy to ensure access to personal information is proper and controlled?
• How do you establish policies around data governance?
• Do you have an accurate data processing catalog?
Risk Assessment. Defined as: The ability to implement consistent and sustainable risk management processes.
• Do you have an overarching risk management strategy in place?
• Where does data privacy fit into your risk management strategy?
• How does your organization handle risk assessments in general?
Compliance Management. Defined as: The ability to define policies and demonstrate adherence to regulatory & corporate obligations.
• How do you identify, prioritize and track compliance issues?
• How do you catalog data and associated custodians & regulatory requirements?
• How does your organization handle compliance in general?
Yes: Build your plan.
DON’T FORGET ABOUT THIRD PARTIES…
WHAT’S NEEDED TO CLOSE THE GAP?
WHERE DO YOU START?
• Understand what personal data you process
• Where is it and how is it used
• User should always be first
• Privacy at every level
• Mitigation plan
• Risk Management review
• Incident detection and response planning
WHO IS RESPONSIBLE FOR PRIVACY?
DATA RISK MANAGEMENT / DATA PRIVACY
• Privacy combines elements of Security, Compliance, and broader Data Risk Management considerations.
• Each respective area, function, and process has a role in ensuring that sensitive corporate information is appropriately protected.
INSPIRE EVERYONE TO OWN RISK
WHO NEEDS TO BE IN THE DISCUSSION?
CIO: Which technology / product strategies are creating risk?
CLO: How does our compliance strategy scale?
CRO: Where are our risks in the big picture?
CEO: What should the risk culture of the organisation be?
CFO: How do we balance investment vs risk?
COMPONENTS: PRIVACY MANAGEMENT PROGRAM
• Governance model
• Audits & Review
• Education
• Process & practices
• Policies
• Data Inventory
• Self-Assessments & Compliance Posture
• Information Security Practices
• Policies
• Legal – contracts, indemnities, agreements
• Response & Complaints Mgt Process
• Data Access Request Handling Process
• Communications
Governance: recommended approach
A STRATEGY TO MANAGE DATA PRIVACY
• Provide business and IT context to those processes
• Manage your Policy on the processes needed internally to comply
• Automate the process of PIA and DPIA assessments and data breach reporting to regulators
• Provide a central repository for Privacy regulations and remediation activities
THE PROVEN PATH TO TAKE COMMAND OF RISK
A GRC STRATEGY TO MANAGE DATA PRIVACY
GRC SOLUTION
• Compliance: Manage regulatory and corporate obligations
• Third Party Management: Manage vendor and outsourced parties
• IT Security: Protect business assets
• Business Resiliency: Manage breaches / disruptions
3 Lines of Defence Model
• Risk layers: Operational Risk Management; Risk Management; Enterprise Risk Management; Audit (Third Line of Defense)
• Stakeholders: CISO; LOB; Executives; CXO; Board; CAE; Business Operations
A GRC STRATEGY TO MANAGE DATA PRIVACY
Compliance: Policy Management; Controls Assurance
Audit: Audit Program
Third Party Governance: Risk Based vendor Management; 3rd Party Compliance monitoring
Risk Management: Catalog of Sensitive Information Assets and related devices; Business Hierarchy; Risk Assessments and Reporting
Issues Management: Handling of Findings and Exceptions; Remediation planning; Escalation Workflow
Breach Management: Data Breach process; Handling of Data Subject Rights processes
A GRC STRATEGY TO MANAGE DATA PRIVACY
RSA ARCHER FOR PRIVACY MANAGEMENT
Breach Response: Security Incident Management; Security Operations & Breach Management
Data Governance: Data Governance Management; Privacy Program Management; Third Party Catalog
Risk Assessment: IT Risk Management
Compliance Management: IT & Security Policy Program Management; IT Controls Assurance; Issues Management
CYBER RISK NOISE…
• Is this an inappropriate attempt to access top secret information?
• Do we have a compliance issue?
• Is this an issue affecting a high risk business function?
• What are the executive concerns?
• Is this a coordinated advanced attack?
• How does this new vulnerability affect us?
THIRD PARTY NOISE…
• Are the third parties we do business with compliant with laws and regulations?
• Which of our 3rd party relationships pose the most risk?
• Who are all of the third parties that support our business?
• Are all of our third parties performing up to the levels we expect?
• Do we have the needed contingency plans in place around third party risks?
• Should we be doing business with this new third party?
Thank You
Leader in the Gartner Magic Quadrant for:
- Operational Risk Management
- IT Risk Management
- IT Vendor Risk Management
- Business Continuity Management & Planning
Archer®
James Fong, Regional Business Director | RSA Archer | Governance, Risk & Compliance
M (65) 8533 1395