GDPR: Security Management Best Practices You Need to Know

Tim Woods

“Go live” for GDPR is May 25, 2018. If you haven’t started your GDPR journey yet, now is the time.

The GDPR intends to protect the personal data of individuals residing in the EU. It does so in a world of BYOD, cloud, mobile and IoT, where personal data is more freely transferred and more highly valued than ever.

The articles within the GDPR, in general, cover one of the three areas below:

  • Updated rules and instructions for reporting data breaches that better reflect our current times.
  • The monetary penalties associated with noncompliance. With GDPR, penalties have increased significantly and should serve as sufficient motivation to gain management buy-in for GDPR compliance investments.
  • The power of investigation and discovery; you must open yourself to full disclosure and be prepared to support an in-depth investigation into the nature and occurrence of the breach.

We go further into the details of the GDPR in our upcoming webinar “GDPR: Security Management Best Practices You Need to Know.”

Achieving and maintaining compliance with a regulation as strict and as thorough as the GDPR is enough to give any organization a headache, no matter how well-staffed or well-oiled its security team is. Part of this is due to the increasing complexity of networks and the volume of data they protect. Manual reporting and documentation processes don’t help either.

Fortunately, security monitoring and management tools, FireMon of course being one of them, offer automation and assessments to help streamline compliance. I’ve outlined a few ways that solutions like ours map to the Articles in the GDPR below. Of course, this is not an exhaustive list by any means, and you may discover others as you continue your journey to GDPR compliance.

Articles 25 & 32

Regardless of where the data resides, at the desktop, server, storage, or cloud, the GDPR states that best-effort security controls must be in place to ensure personal data protection. Zones of control must be established so that compensating controls allow only the access necessary to meet the needs of the business, keeping tight alignment with GDPR requirements.

FireMon Security Manager provides a holistic view of enforcement posture and compliance status across an organization’s entire enterprise infrastructure. With this view, you would be well past a “reasonable” level of data protection as it applies to security policy management, change management, risk and vulnerability analysis and application connectivity.

Article 35

This article asks that companies conduct data protection impact assessments to identify risks to EU citizens. FireMon provides valuable analysis to help fulfill this requirement, including:

  • Identify threats and security holes in security policies that could be exploited by hackers
  • Capture valuable policy documentation to meet compliance assessment requirements
  • Help detect and mitigate security vulnerabilities
  • Provide actionable intelligence for remediation guidance
  • Continuously monitor enforcement point changes that could lead to unnecessary, incorrect or unauthorized access

Article 58

Finally, with automated reporting and documentation, should the need to provide investigative information arise, FireMon can provide substantiating documentation demonstrating proof of automated best practices for security management and compliance.