Insights > Blog

How does Information Security support the EU GDPR?

Everyone has a digital footprint from many sources of data, and personal data privacy is now a major area of focus in global government compliance and regulation. You will likely see the consequences and results of non-compliance with the European Union’s General Data Protection Regulations (GDPR) as we progress into 2018.

There is a bit of confusion in the market related to the GDPR. Some claim that GDPR is a security framework to operate by, but it is not that at all. GDPR is consumer and data privacy legislation that will require full support from information security best practices. GDPR’s core tenants are privacy, policy, and lastly information security. You have to build all three pillars successfully to meet the strict requirements of the GDPR.

Are you interested in what information security best practices will be needed to support compliance with the EU GDPR? Take a look at the security controls required below to manage the data of EU subjects according to the GDPR.

Using a Solid Information Security Policy for Breach Notification

Perhaps one of the most critical aspects of the EU GDPR is breach notification in Article 33. As a company that handles EU subject data, you must, without undue delay, notify an EU supervisory authority competent in breach notification. If you already have a well-developed information security policy and procedure for incident response, then you will be in the right place for meeting this portion of the EU GDPR. You may need to update your information security policy, or if you don’t have one, you may want to consider using a template to start and customize as you go.

In preparing your information security policy, you should consider including the following areas from SANS Institute:

General Information Security Policy

Acceptable Encryption Policy

Acceptable Use Policy

Clean Desk Policy

Data Breach Response Policy

Disaster Recovery Plan Policy

Digital Signature Acceptance Policy

Email Policy

Ethics Policy

Pandemic Response Planning Policy

Password Construction Guidelines

Password Protection Policy

Security Response Plan Policy

End User Encryption Key Protection Policy

Network Security Policy

Acquisition Assessment Policy

Server Security Policy

Database Credentials Policy

Application Security

Web Application Security Policy

(Template Sources: SANS Institute Security Resources)

Interested in GDPR Assessment and Consulting? Learn more about CIPHER’s GDPR Services.

If you operate under a multinational organization, you might face a bit of a dilemma with the GDPR breach notification requirement. For example, if you’re working within a U.S. multinational organization and you experienced a significant data breach, you may be forced to prematurely notify your U.S. customers by waiting to notify an EU supervisory authority. This could place your organization at risk for noncompliance with the GDPR, and your organization could face fines up to 4% of your Adjusted Gross Revenue (AGR).

With a robust information security policy, you can show follow best practices for information security and security incident response.

Check out these blog articles on Incident Response Plans:

Leveraging a Security Framework to Support Compliance

If you already adopted an industry-recognized framework, such as ISO, NIST, ICGS, SANS or PCI DSS, you are already one step ahead of the pack. The GDPR encourages organizations to align their compliance with the GDPR with a major security framework, noted in GDPR Article 32.

A solid security framework will help you in providing organization and structure for handling EU data subjects and meeting the compliance requirements of the GDPR. Not only that, but a security framework also shows regulators that your company has implemented proper security controls and made their due diligence in ensuring the organizational security measures are aligned to best practices.

Measure your security maturity in CIPHER’s simplified security framework based on NIST here.

Or, check out our self-assessment tools to gauge your maturity across core domains: https://www.cipher.com/resources

Data Privacy and Encryption

Since the GDPR is entirely related to data privacy, data encryption is paramount. An organization must ensure that its EU subject data, both Personal Identifiable Information (PII) and highly sensitive personal information, are protected from hackers and third-parties attempting to harvest that information.

If you are using encryption, it protects your organization from physically stolen devices and from a hacker accessing your device through malware or virus. Most of your EU subject data will be at rest or archived within a database. However, your organization may be a data processing organization or use data processors and must do everything to safeguard EU subject data with encryption. Consider these three types of encryption in the context of the GDPR as well the common areas you should encrypt within your environment:

Encrypted Data Types:

Data at Rest: you encrypt data archived in the database; field encryption is preferable, table and database are also options
Data in Transit: encrypt both the data and use an encrypted transport protocol such as SSL or VPN
Data in Use: sensitive data should be obfuscated, such as showing dots for a credit card number (except possibly the last four digits)

Areas of Encryption

Data Encryption: you must ensure that files, media, and data are encrypted using disk encryption
Server and Storage Encryption: you must use full disk encryption to protect your servers, storage, and applications running on the IT equipment
Network Encryption: you need network encryption for any data in transit over your network (web-based transactions, internal network traffic,

In the event of a security incident or data breach, encryption can ensure that EU subject data is unusable. Encryption makes it much more difficult for common hackers to make any connection between the data and its subject.

Generating Security Logs on Incidents

GDPR calls for a record of any data processing activities on EU data subjects in Article 30. A Security Incident and Event Management (SIEM) tool is a security best practice for complying with the EU GDPR. A SIEM will generate a substantial amount of data on malicious security incidents and network activity. It will also allow you to monitor user and system activity closely. SIEM logs can be used by a security analyst to identify patterns, detect malicious activity, and create an actionable alert for your organization if someone attempts to access sensitive EU subject data.

You may also want to consider advanced security analytics tools that can free up the security analyst’s time on analyzing logs. Advanced security analytics tools can enable the security analyst to know exactly what data has been accessed and what data events are a priority for your team.

Are you prepared for the enactment of GDPR? Tell us below in the comments what steps you’re taking to become compliant.

Did you enjoy this blog article? Comment below with your feedback.

0 Comments

Submit a Comment Cancel reply

GET EMAIL UPDATES

Information Security Maturity Self-Assessment Survey

Learn More

• Whitepapers
• E-books
• Checklists
• Self-Assessments
• Webcasts
• Infographics

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.

Cookie	Duration	Description
__hstc	1 year 24 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_86671402_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
ajs_anonymous_id	never	This cookie is set by Segment.io to check the number of ew and returning visitors to the website.
ajs_user_id	never	The cookie is set by Segment.io and is used to analyze how you use the website
CONSENT	16 years 3 months 14 days 7 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
driftt_aid	2 years	The driftt_aid cookie is an anonymous identifier token set by Drift.com for tracking purposes and helps to tie the visitor onto the website. The cookie also allows Drift to remember the information provided by the site visitor, through the chat on successive site visits.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Cookie	Duration	Description
ajs_group_id	never	This cookie is set by Segment.io. The purpose of the cookie is currently not identified.
AnalyticsSyncHistory	1 month	No description
debug	never	No description available.
drift_aid	2 years	No description
drift_campaign_refresh	30 minutes	No description available.
li_gc	2 years	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

Insights > Blog

How does Information Security support the EU GDPR?

Using a Solid Information Security Policy for Breach Notification

Check out these blog articles on Incident Response Plans:

Leveraging a Security Framework to Support Compliance

Data Privacy and Encryption

Encrypted Data Types:

Areas of Encryption

Generating Security Logs on Incidents

Are you prepared for the enactment of GDPR? Tell us below in the comments what steps you’re taking to become compliant.

Did you enjoy this blog article? Comment below with your feedback.

0 Comments

Submit a Comment Cancel reply

GET EMAIL UPDATES

Information Security Maturity Self-Assessment Survey

Learn More

Social Media

LinkedIn

Powered by Juicer

View on LinkedIn

Social Media

Twitter

Twitter feed is not available at the moment.

Social Media

Facebook

Insights

Whitepaper

Dig into the details of cybersecurity and regulations by reading our exclusive white papers. Each paper is written by an expert at Cipher and full of insight and advice.

Learn more