© 2016 Blancco Oy Ltd. All Rights Reserved.
Data Privacy Laws & Guidelines: Mitigating Risk with Data Sanitization
MEET OUR SPEAKERS
Richard Stiennon, Chief Strategy Officer, Blancco Technology Group
Jason Bird, Global DLP Expert at Cyber Orchestration Limited
Agenda
• Market Drivers of Data Sanitization
• Global Trend Towards Data Privacy Regulations & Standards
• Why Organizations Struggle with Data Sanitization
• Building a Best-In-Class Data Retention Program
Market Drivers of Data Sanitization
Market Drivers of Data Sanitization
Cybersecurity
• Less data, smaller target
• Prevent reconnaissance
• Prevent data breaches
Electronic Records Management
• Reduce discovery burden
• Data retention policies
Regulation and Standards
Global Trend Toward Data Privacy Regulations & Guidelines
Data Retention, Security & Privacy
Data Protection & Information Lifecycle Management
Live Poll
Does your organization have a comprehensive data retention program (including a plan for destruction) in place?
• Yes
• No
• We’re working on it
The Old View of Data Retention
The New View of Data Retention
Data You Cannot Afford to Keep
Data Growth in the Digital Universe
Source: IDC, The Digital Universe in 2020
Global Trend Towards Data Privacy Legislation
Legislative Trends:
• Increasing laws on data protection (111 countries), compared to only one in 1998
• Tougher penalties
• More active enforcement
EU GDPR:
• Requires a Data Protection Officer
• Requires auditable procedures and routines to be in place
• Includes the “right to erasure” of data
• Requires active reporting of any data breach
• Could result in fines of up to 4% of turnover ($2,500 per RECORD)
Data Retention & Protection Are Both Vital for Regulatory Compliance
Achieving PCI Compliance Is Important
“Policies and procedures must be in place both to remove any stored data…”
“…as well as making sure no access to data can be achieved in any way throughout the lifecycle.”
HIPAA: Influencing Healthcare Industry Globally
• HIPAA is more explicit since it deals directly with protecting health records from being exposed.
• HIPAA has two rules of interest to IT security: the Privacy Rule and the Security Rule. In 2009 the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
• It includes such measures as breach notification for secured protected health information.
• Current best practices for HIPAA compliance include:
  • Construct a security plan for data disposal
  • Remove data from reusable hardware
  • Track all reprocessed hardware
  • Back up all data from all hardware
“Best practice includes plans and policies to manage both the data life cycle and asset life cycle to protect patient information at all times”
EU GDPR: What You Need to Know
Data Protection Authority
• 60 personnel today
• Advises EU Commission
• Will oversee creation of State DPAs
Data Protection Supervisor
• Coordinates each State DPS
28 Data Protection Authorities
• Each country sets up DPA
28 Data Protection Supervisors
• Each country sets up DPS
The GDPR’s Data Protection Officer
Compliance Mandatory as of May 25, 2018
• Mandatory requirement does not override stricter national requirements (adopted version)
• Voluntary appointment (Council’s version)
• Mandatory requirement, overrides (stricter) national requirements (initial proposal by the Commission)
• No minimum threshold; processing activities must be large-scale (adopted version)
• Very low threshold: process data of > 500 individuals ➔ mandatory for almost all companies (Committee on Civil Liberties, Justice and Home Affairs of the Parliament’s version / Parliament’s version)
• High threshold: enterprises > 250 employees (initial proposal by the Commission)
Violation of the obligation to designate a DPO is subject to fines of up to 10 Million € or 2% of the worldwide annual turnover, whichever is greater, Art. 83 (4a) GDPR
The DPO’s Duties, As Specified by EU GDPR
1. Informing the organization of its obligations to comply with the GDPR and other EU or Member State data protection laws
2. Monitoring compliance with GDPR and other EU or Member State data protection laws, including managing internal data protection activities, training data processing staff and conducting internal audits
3. Advising the organization on data protection impact assessments
4. Serving as the point of contact for and cooperating with the relevant Data Protection Authority on issues related to personal data processing
5. Taking inquiries from data subjects (employees, clients, etc.) regarding the organization’s data protection practices and the exercise of their rights under the GDPR
Live Poll
Which of the following qualifications/skillsets do you value most in a Data Protection Officer (DPO)?
• Familiarity with compliance requirements and auditing activities, as well as ability to interpret data protection requirements
• Professional certifications, such as the Certified Information Systems Security Professional (CISSP) and the Certified Information Privacy Professional (CIPP)
• Strong grasp of how the business operates and its data processing activities
• Well-versed on data lifecycle management, including the required technology and processes to properly manage data across its entire lifecycle (i.e. create, use, store, archive, share and destroy)
• Clear understanding of customer interactions and how data is collected both online and offline
Hiring a DPO: Your Options
• Hire Brand-New Role
• Add DPO Duties into Existing Role
• Outsource to 3rd Party
ISO/IEC 27001 Guidelines Matter
01 TOP MANAGEMENT: Must implement information security policy themselves
02 RISK MANAGEMENT: Relevant security risks should be addressed and mitigated
03 INTERNAL AUDITS: Must verify all security risks have been addressed and operational processes are set
04 DATA REMOVAL: Sensitive data and licensed software must be securely removed prior to disposal or reuse
NIST SP 800-88r1 Is Important
“Sanitization is a process to render access to target data (the data subject to the sanitization technique) on the media infeasible for a given level of recovery effort”
Next Step: Live Environment Media Sanitization
ISO Information Security Standard
ISO 27001 requires both “Privacy and protection of personally identifiable information” and “Secure disposal or re-use of equipment”:
“All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.”
Who is responsible / What should be included at least:
• “Top management shall implement the information security policy themselves.”
• “The policy must ensure that all relevant risks are addressed.”
• “Internal audits should regularly verify that all risks are addressed and operational processes are in place.”
Why Organizations Struggle With Data Sanitization
Why Organizations Struggle With Data Sanitization
Ineffective Tools & Technology
• Basic deletion, quick format & factory reset are not effective
• Shortcomings in data deletion technologies (insufficient overwrite passes)
• Cryptographic erasure is flawed
Limited Reach
• Failing to erase data stored on laptops/desktops, mobile devices and removable media
Incomplete Monitoring
• Lack of reporting
• Missing proof of erasure -> no audit trail and increased risk
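The slide above makes two claims: basic deletion is not effective, and missing proof of erasure leaves no audit trail. The Python model below, added here as an illustration and not code from Blancco or from NIST SP 800-88, shows both on an in-memory "disk": deleting a file only drops its allocation-table entry, so a raw search still finds the bytes, while an overwrite pass followed by full verification yields a record that can serve as the audit trail. The ToyMedia class, the asset tag ASSET-0001 and the sample card-number string are all constructed for the example.

```python
"""Toy model of why 'basic deletion' leaves data on media, and how an
overwrite pass with full verification produces proof of erasure.
Added example; the media is an in-memory bytearray and the 'filesystem'
is a dict of name -> (offset, length) standing in for an allocation table."""
import hashlib
import json
from datetime import datetime, timezone

MEDIA_SIZE = 4096


class ToyMedia:
    def __init__(self, size=MEDIA_SIZE):
        self.blocks = bytearray(size)   # raw media contents
        self.table = {}                 # name -> (offset, length): the allocation table
        self.next_free = 0

    def write_file(self, name, data):
        off = self.next_free
        self.blocks[off:off + len(data)] = data
        self.table[name] = (off, len(data))
        self.next_free += len(data)

    def delete_file(self, name):
        # "Basic deletion": only the table entry goes; the bytes stay on the media.
        del self.table[name]

    def carve(self, needle):
        # What a recovery tool does: search the raw media, ignoring the table.
        return needle in self.blocks

    def overwrite(self, pattern=b"\x00"):
        # One full pass of a fixed pattern over every byte of the media.
        self.blocks[:] = pattern * (len(self.blocks) // len(pattern))
        self.table.clear()
        self.next_free = 0

    def verify_full(self, pattern=b"\x00"):
        # Full (not sampled) verification: every byte must match the pattern.
        expected = pattern * (len(self.blocks) // len(pattern))
        return bytes(self.blocks) == expected


def sanitize_with_proof(media, asset_tag, pattern=b"\x00"):
    """Overwrite, verify, and return an audit record; None if verification fails."""
    media.overwrite(pattern)
    if not media.verify_full(pattern):
        return None
    return {
        "asset": asset_tag,
        "method": "single-pass overwrite, full verification",
        "pattern": pattern.hex(),
        "media_sha256": hashlib.sha256(bytes(media.blocks)).hexdigest(),
        "verified": True,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


def demo():
    """Returns (recoverable after delete, recoverable after sanitize, audit record)."""
    media = ToyMedia()
    secret = b"CARD=4111111111111111"          # constructed sample, not real data
    media.write_file("payroll.csv", secret)
    media.delete_file("payroll.csv")
    recoverable_after_delete = media.carve(secret)       # True: deletion left the bytes
    record = sanitize_with_proof(media, "ASSET-0001")    # placeholder asset tag
    recoverable_after_sanitize = media.carve(secret)     # False: overwritten and verified
    return recoverable_after_delete, recoverable_after_sanitize, record


if __name__ == "__main__":
    before, after, rec = demo()
    print("recoverable after delete:", before)
    print("recoverable after sanitize:", after)
    print(json.dumps(rec, indent=2))
```

The record is what "proof of erasure" means in practice: which asset, which method, that verification passed, and when. Without the verify step the overwrite call alone gives no evidence that every byte was actually reached.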
The Data Management Problem: Use-Case Examples
• Online banking SSL certificates discovered within a SharePoint portal
• End-of-year results in an open file share, for a comms agency to collect for formatting and distribution to the public
• Spreadsheets of customer records exported out of the protected CRM platform
• Live PII data for employees stored within CSVs and being used to test a cloud-based HR application (no classification tag, unprotected)
• Network diagrams and technical instructions for sensitive applications found in an open transfer share
• Password to corporate banking service in an unencrypted document on the user’s laptop
• User sending Top Secret documents to colleagues and cc’ing a YAHOO email address
Building a Best-In-Class Data Retention Program
Approaching Data Security Maturity: A Phased Approach
• It is very difficult to go in from day one with a highly accurate data model, knowing all data types, all classifications and therefore all the policies you will ever need
• If Data Loss Prevention, particularly Data At Rest Scanning, is new, you are going to need to introduce it at a sensible pace within the business and gain buy-in
Maturity in content awareness:
Phase 1: Core policies – used within all scanning mediums for all countries and functions (passwords, HR labelled data, network diagrams). Often fire-fighting at this level.
Phase 2: Country-specific policies – regulatory (PCI/SOX/MAS/HIPAA). Defined data elements and combinations (“Crown Jewels”).
Phase 3: Business unit-specific policies. Document type classification and tracking, alongside specific data violations detected. Business sponsored and customer-responsive service.
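To show what the phased policies look like as detection logic, here is an added Python rule engine (example code, not the presenters' or any DLP product's). Phase 1 core detectors (password assignments, HR classification labels, network-diagram terms) fire on their own wherever they are found; Phase 2 regulatory policies fire only when a combination of data elements appears in the same file, with a Luhn check to cut false positives on card-number candidates. All detector names, policy names, regular expressions and sample files are assumptions constructed for the example.

```python
"""Tiered data-at-rest scanning policies as a small rule engine.
Added example, not the webinar's or any vendor's DLP code. Phase 1 core
detectors apply everywhere; Phase 2 regulatory policies require a
combination of detected elements before a file is flagged."""
import re

# Phase 1: core detectors, applied to every scanned location (assumed patterns).
CORE_DETECTORS = {
    "password_assignment": re.compile(r"(?i)\bpassword\s*[:=]\s*\S+"),
    "hr_label": re.compile(r"(?i)\bclassification:\s*HR[- ]confidential\b"),
    "network_diagram": re.compile(r"(?i)\b(?:VLAN|subnet)\s+\d"),
}

# Phase 2: regulatory data elements; a policy fires only on a combination.
ELEMENT_DETECTORS = {
    "pan": re.compile(r"\b(?:\d[ -]?){13,18}\d\b"),     # card-number candidate, Luhn-checked below
    "expiry": re.compile(r"\b(?:0[1-9]|1[0-2])/\d{2}\b"),
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),    # constructed US-style identifier pattern
    "person_name": re.compile(r"\bName:\s*[A-Z][a-z]+ [A-Z][a-z]+"),
    "diagnosis": re.compile(r"(?i)\bdiagnosis:"),
}

REGULATORY_POLICIES = {
    "PCI": {"pan", "expiry"},                 # both elements required
    "HIPAA": {"person_name", "diagnosis"},
    "PII_ID": {"person_name", "ssn_like"},
}


def luhn_ok(digits):
    """Luhn checksum over a digit string; used to discard non-card digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect_elements(text):
    """Return the set of Phase 2 element names present in the text."""
    found = set()
    for name, rx in ELEMENT_DETECTORS.items():
        for m in rx.finditer(text):
            if name == "pan" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue         # digit run that fails Luhn: not treated as a card number
            found.add(name)
            break
    return found


def scan_document(text):
    """Return the list of policy names a document violates, core hits first."""
    hits = [name for name, rx in CORE_DETECTORS.items() if rx.search(text)]
    elements = detect_elements(text)
    hits += [p for p, need in REGULATORY_POLICIES.items() if need <= elements]
    return hits


# Constructed sample files; 4111 1111 1111 1111 is the common test card number.
SAMPLE_FILES = {
    "export.csv": "Name: Jane Doe, card 4111 1111 1111 1111 exp 09/27",
    "notes.txt": "order ref 1234567890123456 shipped 09/27",   # fails Luhn -> no PCI hit
    "setup.txt": "admin password: hunter2\nVLAN 10 goes to the core switch",
    "chart.txt": "Name: John Roe\nDiagnosis: seasonal allergies",
}


def scan_all(files=SAMPLE_FILES):
    return {name: scan_document(body) for name, body in files.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:12s} -> {hits or ['clean']}")
```

The combination rule is the point of Phase 2: a lone expiry date or a lone name is noise, while a Luhn-valid card number next to an expiry date is the PCI "Crown Jewels" case. Adding a Phase 3 business-unit policy is a matter of another entry in the policy table, which is why the slide recommends growing the model in stages rather than specifying every policy up front.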
Creating a Best-In-Class Data Retention Program
• Identify data storage in scope
• Identify which data is sensitive (Crown Jewels)
• Define business usage controls and content of interest
• Build policies for detection and apply to defined targets in scope
• Distribute reports within defined target operating model
• Education program for data usage standards
• Track & report risk reduction program
• Apply lessons learned to real-time protection
• Co-ordinated reporting of Data in Motion and Data at Rest
Don’t Forget These Important Considerations
Q&A
Content You May Find Useful:
“The Ultimate Guide to Data Retention”: https://www.blancco.com/resources/guide-books/ultimate-guide-data-retention/
“The Information End Game: What You Need to Know to Protect Corporate Data Throughout its Lifecycle”: http://www2.blancco.com/en/white-paper/the-information-end-game-what-you-need-to-know-to-protect-corporate-data
“EU GDPR: A Corporate Dilemma”
http://info.blancco.com/EU-GDPR-Corporate-Dilemma-Research-Study
“EU GDPR: Setting Responsibilities & Expectations for the DPO Role”: http://info.blancco.com/en-wp-eu-gdpr-setting-responsibilities-and-expectations-for-the-dpo