GDPR as an opportunity
The GDPR is forcing CISOs and CIOs to ask themselves and their organisations questions they should really already know the answers to. That is: where is my data? As a seasoned security practitioner (not an expert yet) and even older IT practitioner, I know from experience that invariably organisations do not know what information they have or what they do with that information. It is highly challenging to manage something that is expanding all the time.
Add to that the undocumented shadow IT, the unmanaged systems under desks and in broom cupboards that the CIO does not even know exist, running critical information systems and supporting critical business processes.
Spring cleaning data
A few years back I was hired to implement ISO 27001 after an international headline-making data breach. The breach kicked off the usual high-profile enquiry and audits. The audit found over 600 shadow IT systems (yes, over 600!) that were supporting some of the most critical processes the organisation relied on. Some were spreadsheets running on unsupported, unpatched and unmanaged systems!
Shadow IT aside, if you are a CIO or CISO I suspect the core of your job is to know:
- where is the critical asset?
- who uses it?
- how is it used?
- when is it used?
- why is it needed?
- where is it used or accessed?
If you do not know the answers to the above questions, then what are you protecting, and how? You can't be protecting what you don't know or understand. These are basic questions for any credible risk assessment.
As the saying goes, "If You Can't Measure It, You Can't Manage It". The same is true for security: if you don't know where your data is, you can't protect it.
Building a data asset register
GDPR actually requires organisations to build and retain an inventory of their personal data.
In my many years in security I have seen all sorts of things included as assets, even company pool cars listed in an ISMS asset register! Unless the car was used to process or store data, it is not an asset, and I would not advise you to do either in a car. The reason for this was that the people tasked with doing the risk assessment were physical security people. Consequently everything physical, such as buildings, cars, trolleys, plants, rubbish bins etc., was an asset. We IT people are not interested in these; our business is data and, to some extent, the systems that protect it. Even this has changed: with public cloud computing the systems no longer belong to us. It's purely about the data. This is therefore a good opportunity to really understand what data you have, what you need and how you use it. A register of data is a building block for information management and cyber security. Therefore this is good news for information management and security people.
GDPR – the knight in shining armour?
The GDPR rightly wants organisations to know where their data is, especially personal data. However, CxOs, rather than taking a piecemeal compliance approach, should take a wider data protection approach and use this opportunity (and budget) to map all their data. I mean, when you are looking for personal data in your CRM, you are not going to ignore the other vital data about your customers, are you? What about systems containing other regulated data, such as that covered by PCI-DSS, SOX, HIPAA or Basel X?
You will want to take this opportunity to map all the data and then filter out the personal data for GDPR. You could classify each type of data in the CRM system, e.g. personal, IPR, marketing, etc. This is a great data discovery and data creation opportunity that CIOs and CISOs should take advantage of. Not only classifying, but also impact and risk assessing this data, and extending or removing controls as required.
Sharing the fruits of GDPR
Not only will this exercise help to build your information asset register for DPIAs; why not extend the DPIA to BCP and use it as a BIA exercise to work out your RPO and RTO for business continuity too? If not right away, this asset register from GDPR could be used later for BIA and for mapping to critical business processes to build cyber and business resilience for CISOs and CIOs respectively.
It is also a great opportunity for data governance people. You may discover data that you never knew existed, and also redundant or obsolete data that you have been retaining for years that can finally be deleted. For security, it will be an excellent opportunity to look at all those security logs, monitoring and audit logs that capture personal information. Cloud and other service providers that routinely monitor and capture information, and aggregate information for security purposes, could be capturing personal data.
GDPR for the first time will have an impact across your whole data estate and across the whole organisation. You will really need to know where personal data exists, how it's used, who is using it, for what, and whether legitimately. It will force organisations to take a really deep look at their data. It will be akin to an organisation renewing its marriage vows with data, and not just personal data.
New paradigm and rationale
I have previously written on how the new 72-hour breach notification will have an impact on incident management, but GDPR is much wider than that. It will question why you are collecting the data, whether you really need to collect data for data collection's sake, and what business value the data is providing. This is where "Privacy By Design" will come into play. As a security architect, I have been a great proponent of PBD because I have seen organisations spending a lot of money protecting information or designing security controls for information or processes they do not need. PBD does not only mean you design controls to protect the privacy of the data that you have; it also means minimising the collection and retention of data. Now, unless you are the National Archives or the Library of Congress, you do not have to retain personal data for 100 years. Why retain the CVs of failed candidates for over 3 months after the recruitment process has ended?
I will be writing more extensively on PBD in another article.
As you can see, GDPR is a great opportunity and it should be seen as such. In my co-authored book for AXELOS, "RESILIA: Cyber Resilience Best Practices from AXELOS", we write about the need for organisations to be resilient to failure, to expect incidents and attacks, and we show how companies can design resilience into systems and business processes. This is a great opportunity to have a spring clean and start somewhat afresh, if not in all areas then in most areas of the business, starting with HR, Marketing, Sales, Legal, Contracts etc.
This is also a great opportunity for IT to get to know the business and vice versa.
Once you have built your asset register with what really matters, you will have a database of your classified assets by impact rating, with risks, owners, retention periods, and answers to all the above questions. This will become your single version of the truth to support your compliance and other information management and protection initiatives.
Data classification and retention
I can't understand how organisations manage their information without visible classifications. Yet many organisations I have been to do not have a viable, communicated and understood classification scheme. If they have one, it is often not enforced or followed, or it is so complex or so wide that it doesn't actually offer any protection against disclosure.
The primary objective of classifying information is to provide a visible reminder and guidance to the people handling it on its importance, how it should be handled, and where and with whom it can be shared. Yet you often see organisations that don't provide templates and instructions on classifications for their staff. How the hell do you expect the secretary or the HR rep to understand the importance of personal or any other data? This often leads to people releasing or disclosing personal data inadvertently.
A simple classification scheme such as:
- Internal – for internal use only
- Personal – personal data
- Confidential – all other internal data not for general release
The above basic classifications should work for most organisations. It doesn't have to be more complicated than that unless you are MI5, MI6 or GCHQ protecting national secrets with all the myriad caveats and descriptors.
Data mapping – go with the data flow
As part of answering the Where, Who and How, you will need to map your data flows across and outside your organisation and through your supply chain. Starting at the process level, e.g. the HR process or the finance process, see what data they have, how they use it, who uses it and where they use it. Those working in PCI-DSS will be familiar with credit card data mapping. However, data mapping sadly is not ubiquitous. For cyber security, understanding data flows is vital if we are to understand and protect what really matters rather than protecting everything.
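One way to hold such a register in code, covering the register fields described earlier, the three-level classification scheme and the data flows to third parties, as an added example that is not from the article or from Cyber Counsel. The field names, the impact scale, the retention check and the sample entries are my own assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# The article's three-level scheme; anything else is rejected at entry.
CLASSIFICATIONS = {"Internal", "Personal", "Confidential"}

@dataclass
class DataAsset:
    name: str
    classification: str
    owner: Optional[str]           # accountable owner; None = nobody has claimed it
    impact: int                    # assumed business impact rating, 1 (low) to 3 (high)
    retention_days: int            # how long records may be kept once no longer needed
    process: str                   # business process that uses the data (the "How/Why")
    processors: List[str] = field(default_factory=list)  # third parties it flows to (the "Where")
    oldest_record: Optional[date] = None                 # age of the oldest record held

    def __post_init__(self) -> None:
        if self.classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification: {self.classification!r}")

def personal_data(register: List[DataAsset]) -> List[DataAsset]:
    """Filter the whole-estate register down to the GDPR view."""
    return [a for a in register if a.classification == "Personal"]

def over_retained(register: List[DataAsset], today: date) -> List[str]:
    """Names of assets holding records older than their own retention period."""
    return [a.name for a in register
            if a.oldest_record is not None
            and today - a.oldest_record > timedelta(days=a.retention_days)]

def unowned(register: List[DataAsset]) -> List[str]:
    """Assets with no accountable owner cannot be credibly risk assessed."""
    return [a.name for a in register if a.owner is None]

def external_flows(register: List[DataAsset]) -> dict:
    """Personal data that leaves the organisation, keyed by asset name."""
    return {a.name: a.processors for a in personal_data(register) if a.processors}

# Constructed sample entries for illustration only; not a real organisation's data.
REGISTER = [
    DataAsset("Candidate CVs", "Personal", "HR Director", 2, 90, "HR recruitment",
              ["recruitment-agency"], date(2017, 1, 10)),
    DataAsset("CRM customer contacts", "Personal", "Sales Director", 3, 1825, "Sales",
              ["cloud-crm-provider"], date(2016, 6, 1)),
    DataAsset("Product roadmap", "Confidential", None, 3, 3650, "Engineering", [], date(2015, 3, 1)),
    DataAsset("Canteen menu", "Internal", "Facilities", 1, 30, "Facilities", [], date(2018, 1, 1)),
]
```

Run against a date of 1 February 2018, `over_retained` flags the candidate CVs kept well past 90 days, which is exactly the PBD retention point made earlier, while `unowned` surfaces the roadmap nobody is accountable for.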
Security management system integration
If you already have an information security management system, then this is another opportunity to integrate personal data management into it. Extending the scope should be simple if personal data systems are not already included. It may need some extra work to include additional risk assessments and controls. This leverages existing expertise, systems, processes and controls with little or no great outlay.
In conclusion, the GDPR should be seen as a great opportunity by those who work with information, especially those who are accountable for information in their organisations. It will help organisations to use and protect not only personal data but also all the other critical data they rely upon. It will help to find synergies between the myriad compliance programmes and help channel the efficient use of finite resources.
Author: Moyn Uddin GDPR-P, CISSP, CISA, CISM, CRISC, ISO27001 LA, TOGAF, is a certified GDPR and cybersecurity practitioner. As a security practitioner he has written, tested and embedded many incident management plans and processes, and dealt with many incidents and data breaches. He is also the co-author of RESILIA: Cyber Resilience Best Practices from AXELOS, published in 2014, and the author of the accompanying Pocketbook. He is also the lead author of the Cyber Resilience Best Practices training course for ITpreneurs.
Copyright Cyber Counsel