GDPR: 4 Key Principles for Success

On-Demand

Video Transcription

Lucy Buckley:
Hello everyone, and thank you for joining us for today’s webinar titled, Final Countdown: Four Principles You Need Before GDPR Hits. My name is Lucy Buckley, and I’m the online event coordinator here at ISACA. We have a great presentation in store for you thanks to our sponsor, FireMon.

Lucy Buckley:
Before we get started, I’d like to go through a few quick tips. We have two audio options, one is to listen over your computer’s speakers. Two, you may dial in at any time using the numbers and codes listed to the left. Please note, if you dial in, there might be a slight delay as the slides advance.

Lucy Buckley:
All ISACA members can receive one CPE credit for viewing today’s webinar. If you’re watching the event live, you must complete three attendance checkpoints. Simply click, okay, on the popups that appear on your screen. Click on the credits tab at the top of the screen to track your checkpoint. If you’re watching this event on the on-demand recording, your progress is being tracked by the system and you must watch from the beginning to the very end.

Lucy Buckley:
After completing this webinar, you can receive your CPE certificate by visiting the transcripts page within your my learning portal. Please remember, it takes 24 hours for the CPE credit to appear in your ISACA profile. We have made a CPE submission aid that goes over these steps in more detail. Please click on the papers tab at the top of the presentation to learn more or to download a PDF of today’s presentation.

Lucy Buckley:
Our speaker will be conducting a Q&A session towards the end of this event. So if at any point you have a question, please click on the Q&A tab. If at any time you need technical support, please access the help tab. Finally, if you have questions about the CPE submission process, or suggestions regarding our webinar series, please visit support.isaca.org.

Lucy Buckley:
And now, I’m very excited to be introducing you to today’s speaker, Keith Brennan. Keith is the director of field engineering for FireMon, where he’s worked closely with clients to make sure the FireMon and the clients’ objectives remain aligned. Previous to his attendance here at FireMon, Keith served as the CISO for a California-based healthcare organization. He has over 22 years of IT experience, with the past 10 focused on information security. Okay, Keith, take it away.

Keith Brennan:
Hey, Lucy. Thank you for the introduction.

Keith Brennan:
So, the agenda for today is, basically we’re going to go through some key points here. One is, the essential facts you need to know about GDPR. Secondly, the four principles for GDPR success. And this is what we’ve seen from a lot of our clients, a lot of our customers, and what they’re doing in order to make sure that they are successful with the requirements of GDPR. And finally, the challenges that are out there for everybody as they look to be compliant moving forward.

Keith Brennan:
So of course, we’re going to start off with the essential facts you need to know. And first and most important of these facts, is the fact that I am not a lawyer, all right. So, I’m going to come here, I’m going to present information, information I’ve seen across the industry through different verticals as people look to comply to GDPR, things I’m hearing, et cetera. But understand, at the end of the day, if you have severe questions, if you’re really worried about stuff, seek the proper guidance. Whether it’s going through a VAR you know, whether it’s speaking to other people at ISACA, talk to a more… Conversing through a legal department. Please do seek the proper guidance on that. With that disclaimer gone, let’s actually jump into some real meat of the situation here.

Keith Brennan:
So, first essential fact that everybody needs to know, is the fact that there are a lot of bad actors out there, and they are out to get our data. And in particular, what they really love is private data. Data about people, data that they can use to steal identities, et cetera. And so, what we noticed out there is that, nowadays the attacks are becoming far more sophisticated. 70% to 90% of malware samples collected nowadays are actually purpose written for the organization they’re attacking, that’s pretty scary.

Keith Brennan:
So when you think, when the fear when spear phishing started five years… Well, in earnest probably seven, eight years ago. Now we have spear malware, right. I mean, that is beyond scary. Then on top of it, we noticed that we have breaches that are increasing across the board. So, 65% of large organizations have been breached in the past 12 months. 25% of those experienced repeat incidents. Whether it was somebody leaving an artifact behind, like a hidden piece of malware to breach again. Or, just their controls were that poor, that multiple entities breached them, and it happens.

Keith Brennan:
On top of it, we noticed that it takes on average eight days… Now, I put eight days in quotes. Actually, if you look next to it, 64 hours, right. We all know if a breach happens, everybody’s on board, and we’re going to hunt down that breach. But still, it takes 64 people hours for a security investigation. So that’s scary. So from the time that… Even when you’ve kind of discovered that, hey, I may be breached, it’s still another really, three to eight days before you get to the point where, yes, I am breached and this is the impact of that.

Keith Brennan:
Third thing we’ve noticed still too is, because of this, there’s also a lot of manual processes in this investigation process, and we discovered that there’s a lot of gains that can be had from effectiveness. A lot of gains that could be had through automation and stuff to help with effectiveness, and I’ll talk about that a little bit later on. But finally what we see in the current state here, is that it takes on average 256 days to identify a malicious attack. And I’ve heard numbers anywhere from 100, roughly 180 clear up to one year, for the stat. I kind of picked one in the middle. But at the end of the day it doesn’t matter. If it’s 180 days, or if it’s one year, that’s still a heck of a long time to go between the breach and when somebody figures out what’s going on.

Keith Brennan:
So, I’ve kind of set this up just to establish the threat landscape, right. What’s out there, and things we need to worry about. Now let’s talk a little bit more about GDPR, and in particular who needs to be concerned with it. So really, there are three sets of people, or it’s actually three classes of organizations that need to be concerned with GDPR. First of all it is any organization that collects data on EU citizens, and the regulation refers to that as a data controller. So that could be somebody collecting payment card information in a way, that’s data. That is somebody collecting health information, anything out there that… Any data that’s collected, at that point, of an EU citizen, you are officially a data controller at that point.

Keith Brennan:
Then there’s any organization who processes data on behalf of the data controller, and that is known as a data processor. Now the data processor could be a third party, it could be a different group within the organization. But the interesting part about the data processor here is, it isn’t specific to a single organization. So, it could be that company XYZ is doing the processing of the data, but they’re doing it within AWS, then you’ve got to be concerned about AWS too. So it’s really interesting here how they’ve muddled the data processors, basically saying, anywhere this data goes, anything that’s done with it, matters. So, not even the organization, but the actual hardware on which the processing is happening.

Keith Brennan:
And finally you’ve got to be concerned when the person, which is also known as the data subject, is based in the EU. So that’s a key point right there. Now you notice that at the organizations I have some stars, right. And originally when GDPR was formulated, going back to early thoughts about it, it was mostly centered around social media, right. How do we keep and protect people’s privacy within social media? That was the initial thought, right. And so, the stars are, where does GDPR apply specifically to foreign entities, right? And so, minds with that, GDPR particularly applies to foreign entities who collect and/or process data for the purpose of offering a good or service, or if that data is used for a behavior monitoring purpose.

Keith Brennan:
So this gets really interesting, right. So, four years ago when they started crafting GDPR, machine learning was kind of a buzzword people started hearing about nowadays, but now it’s becoming a part of everyday life. And so, while the initial attempt was around social media… And now, particularly with this behavior statement down there, behavior monitoring, behavior prediction. It applies to anybody who’s trying to use some various machine learning, some sort of algorithm to predict behavior of an individual, particularly in this case, inside the EU.

Keith Brennan:
So Article 4 of GDPR is specific around the definition of personal data, right. So personal data remains any identified or identifiable information relating to a natural person, a data subject. So that could be name, it could be the face, passport number, fingerprints, handwriting, telephone number, date of birth, login information, really almost anything. And, you’ll notice at the bottom there, I have IP address, because that is also listed. And that gets really scary when you think about the implications of IP address, because we store IP addresses everywhere. Think about our SIEM for instance, right. We all have SIEMs out there, it’s all collecting data from our firewalls, gateway devices, IDS, IPS, etc. And what’s in all that information? IP addresses, right. And we use those for behavior modeling too now. Hey, is this IP address banned, etc.

Keith Brennan:
So, while I don’t think the spirit of the law necessarily goes down to that level of detail, where they’re actually going to start looking at us and beating us up for how we’re storing our SIEM logs, or the logs inside the SIEM. I mean, there is potential there, and that is something to watch. Because one of the things we’ll learn a little bit later on is, interpretation’s still up for grabs, and it’s at a per country level. So, again as this all works out, there’s something to be concerned about and something to watch. But again, all the basics we know. To me, one of the big shockers was actually the handwriting and IP address, those are the kind of things that make you go wow, okay.

Keith Brennan:
So basically, as we look through the layers of the network, look through the OSI model and all that fun stuff, all areas where personal data is transmitted, processed, serviced or stored, must be taken into account, right. So whether it’s at the host level, somebody’s working at something on their laptop. Whether it is in transit on the internal network, or in transit on the external network. Whether or not that application is… If it’s stored in the application in memory, maybe that’s something to take concern. Do we have to hash that properly, et cetera. And where this gets really fuzzy, and it’s kind of easy to determine where all this stuff is when you’re inside your own corporate network. But when you get stuff out in the Cloud then it gets really fuzzy. And as we noted the graphic here, once stuff gets in the Cloud, you’re not quite sure which layer that sits at inside our little bullseye graphic here. And so, we got to pay special attention to that situation.

Keith Brennan:
And then of course, there’s additional risk of the hardware it’s running on that isn’t yours, etcetera. So that’s all information that you need to be clear on. But at the end of the day, really it’s no different. For those of us in the States, you have to comply with HIPAA. I mean, it’s no different than that, right? You’ve got to make sure the data is protected at rest, in transit, and while it’s in use. PCI also requires very similar stuff. So a lot of the basic frameworks we’re following nowadays, it’s very similar to what’s going on here inside GDPR.

Keith Brennan:
So unfortunately, there is no… Okay, we all know this, right. Everybody who’s been involved in information security for more than a day basically knows there is no silver bullet. There is no way that you can do just one thing and everything’s fixed, right. There’s always a mixture of different strategies, different mechanisms. Whether it’s at the high up, or it’s at the governance level, whether it’s at the technical level, education. Whatever you’re doing, there are different steps that need to happen in sequence to allow a proper security model, in any particular relation to GDPR.

Keith Brennan:
So, obviously we need to work to promote awareness. Not just among the board, right. I mean I’ve done that, I’ve done my board reports in the past, and made the board aware. But you’ve got to make everybody aware through the whole organization. Hey, look it, we’re concerned about this type of data. If you see in the wild and not protected, please let us know immediately so we can take some more appropriate steps.

Keith Brennan:
Next is part of the next step, which is the evaluation process, right. Understand who uses this data and where that data resides. So again, discovery. Let’s do discovery, let’s do education and let’s do discovery. Then policy, right. So, once you’ve figured everything out, let’s go ahead and adopt policies and procedures to match what we need to do with that data. So we’re going to define our strategies for data in transit, data at rest, data in use. And even to the extent of, maybe we go ahead and put… Oh, what do we call those? Screen protectors on the screens that basically limit the field of view, so people can’t look over the shoulder. We want to get that in depth, what we need to do. But we need to figure out what we need to do at every step of the way with the data.

Keith Brennan:
Then once you’ve done that, then of course, as I mentioned, the screen protectors, while that is a physical in control, it is still technology. What technology pieces do you need to go ahead and implement the policies, procedures as you’ve defined? Whether you choose to go with ISO as a standard, NIST, or what have you. How are we going to go ahead and implement that and make sure it’s implemented successfully. Then the final piece… This goes right back to awareness, it’s education, and continuing education, right. Ensure that everybody is made aware of exactly what is required, or exactly what is expected of them.

Keith Brennan:
So at the end of the day, the question everybody asks is, why should I care? And for those of us who are in risk management is, alright what’s the impact, right. Is there something specific I need to worry about that makes this apply to me? Well, the first reason you should care is the fact that this dog has bite, which is nice. So we all remember when… Again, I have a health care background, primarily. So when HIPAA came out, it was great. Problem was, that dog had absolutely no bite. It was all bark, there was no real penalties for being out of compliance, etcetera. That is definitely an issue for an organization, because then they ask the question. Well, great, if I’m out of compliance, what’s my hit? Is it just reputation hit? Can I just order the reputation hit? All right, so they may choose to do nothing, and now the incident becomes a financial decision.

Keith Brennan:
Well here’s the deal, right, the fines for failure of GDPR compliance… And this may not be a first failure, it may be repeated, but, nonetheless. It can be either 20 million euros, or 4% of gross revenue, whichever is greater. So imagine a company doing a huge turnover, they turn over $100 billion a year. Well, ouch, that’s $4 billion that they could potentially be fined. Now, the good or bad news, depending upon how you want to look at that is, the circumstances do play a part in the fine. So, obviously previous infractions, types of controls in place, cooperation, etcetera, will definitely have an impact on how you’re fined.

Keith Brennan:
But the other thing is, what’s really interesting is, GDPR set it up so every nation sets up its own supervisory authority, so SA. And so these are the people in charge with, either cooperating with other countries as they go ahead and do investigations, and also setting up and enforcing GDPR within the individual countries. So, I find this interesting, because at the end of the day you’re going to have multiple interpretations. There have been some discussions about unification among the different countries, but I haven’t seen that happen yet. I mean, it’s just been high level discussions.

Keith Brennan:
And on top of it, I think at the end of the day, it could be greed comes into play. And maybe some country who wants to have a beautiful new IT infrastructure and everything else, they may choose to be not as abusive with the fines as say a country that is really strong into protecting privacy right. So it’s going to be interesting how this plays out. And I’ve already heard people talking in the background about moving key operations into certain countries because of this point. So it is something to pay attention to. And if you do have a very large organization, you may want to be really careful where you place your data.

Keith Brennan:
So with that said, what are the four principles of GDPR success? And what we’re going to see here, is GDPR has some key requirements, and we’ve got to figure out how we’re going to go ahead and meet those requirements moving forward. So the first GDPR requirement is, that you have a GDPR mandate for a risk-based approach to data protection and security. Okay, great. So what exactly does this mean? How do we translate that in? And what I’m seeing here in talking to a lot of other individuals as they look to start their compliance… Be compliant on May 25th, when it matters. It’s not enough only to think about data warehousing and location, you need to analyze the environment, and determine the right data protection to remove as much risk as possible.

Keith Brennan:
So, really, where does that translate into? Well it translates into basically understanding your entire environment. The who, what, when, where and why, right. So you have the assets, right, that’s the where. That’s where my data is. Your topology, so your network infrastructure, your policies on devices governing the access, etcetera. That’s the how, right. And when we’re looking at risk, again we’re taking a risk-based approach here, where are my vulnerabilities?

Keith Brennan:
And a vulnerability may be, we traditionally think of it, hey, there’s a root level vulnerability on this host, don’t let them through. But it may not necessarily be that level, it may be a person level vulnerability, where you have a poorly trained staff, or etcetera. But where are my vulnerabilities? Let’s go ahead and identify those, and sit down now and actually start categorizing them, and figuring out what we need to start protecting against. And which one of those vulnerabilities we need to start patching in different various ways.

Keith Brennan:
And then finally the who, is threat intelligence, right. Who is doing what? Who would be interested in my data? What attack vectors might they take in, etcetera. That’s the piece of information you need to gather as you go ahead and look and establish your risk-based methodologies moving forward. Second piece we have here for the GDPR mandate, is now that we’ve done all our risk analysis and everything, right, we need to establish technical measures to validate data is protected. Right? So what does this mean? Actually this one is a pretty straightforward translation, right. Establish your policies, procedures. Establish your technical controls, then perform a regular analysis. See what you find. If all is well it’s validated, if not you need to take action. You need to start the process again, let’s go ahead and reiterate and reiterate until we feel that we have reached a decent risk profile. Again, all that’s based upon a company’s appetite for risk, but still it’s something we need to do.

Keith Brennan:
The analysis of this. So, what do you do at this point? So, there’s a lot of things that you do in this stage, right. So the first thing you’re going to do is, you’re going to do security configuration assessments, SCAs. That’s required in Article 5. So let’s go ahead and look at that. Let’s start assessing, assessing, assessing, assessing. And it isn’t like you need to hire a third party auditor to do this. At the end of the day you’re going to eventually validate, right. But as you do these iterations, you can do them yourself. You can do them with the team. And just start doing the basic assessments there.

Keith Brennan:
Then once you’ve done those assessments, and you’ve figured out where your data resides, and you think you have the proper policies and procedures in place, and technical controls in there. Then let’s start doing some attack simulations. But I’m not talking full-on pen testing, that’s expensive. Again, it’s something you are going to want to do, something you’re going to need to do later on. But for right now, let’s just do what-ifs.

Keith Brennan:
Hey, so somebody walks in through the front door and they tailgate on Suzie as she walks through, and they find an unlocked terminal, what can they get to? Right, that’s the type of stuff you’re looking for. Hey, if somebody exploits a host sitting in our DMZ, what can they get out to? So start doing your attack simulations. And do these with vigor, because it’s a lot better to find stuff in the simulation, than it is to find it when either the auditor’s tearing you up as you go through your findings, or when, worst case, you’re breached, right. So do this with vigor. Do this with vigor and often. Rinse, repeat, rinse, repeat, rinse, repeat.

Keith Brennan:
Matter of fact, in my organization… It was a smaller healthcare organization, we had six facilities, it wasn’t epically huge. And I still had one person full time, and that’s what they were doing, they would do that. And then I substituted out, I’d pull another person off, hey, I want you to do this now. And so I had multiple people, even though it’s only tying up one entity at a time. But doing simulations, finding out where my weakness is and moving forward.

Keith Brennan:
Then the next part is traffic flow analysis. Now, what I mean by this is validation. So, by a validation standpoint let’s go ahead and verify that, hey, six months ago somebody requested that this access was required. Is it actually being used? Has that requirement changed, someone needing three ports instead of five they have listed for the application, etcetera? So take a look at the actual traffic crossing the line.

Keith Brennan:
I was actually helping… And this is part of my position today, I was actually helping an organization do this. And I was showing them a sample on it, and I said, hey let’s monitor traffic that your firewall is rejecting. And sure enough, they weren’t doing this on their own. We took a look at that traffic, analyzed it, and discovered that there was actually a significant malware problem on the network, by doing this type of traffic flow analysis, looking at the packet level. I mean, they ended up having a red team exercise immediately, point. They pulled 40 computers off the network, etcetera. And it’s all because, nobody was actually really looking at the actual traffic traversing the network, so that is important.

Keith Brennan:
Then finally you want to do quantitative risk scores, right. You need some methodology as you do all the above, the three points above, you need some methodology to track where I am. Hey, are the steps I’m taking adequate? Is my posture improving? Etcetera. So having some sort of scoring methodology that you could track over time, that you can hand to either your boss or the board to say look, I mean, we’re doing our job, things are improving. That’s huge. And even when it comes time to audit, or when you’re breached, right. And you have the government coming down breathing down your neck on that. You can still say, hey, look we’re doing our job. They got us, but this is what we’re doing. You have everything documented, you have your risk scores showing that you have been improving the situation, you’ll discover that that helps at the end of the day.

Keith Brennan:
Then finally the last step as I mentioned, once you’ve done all the above, and you’re pretty happy, obviously audit comes into play. And not just self-audit, even though self-audit is a valid methodology. But third party audit, because they’re going to go in and they’re going to see stuff from a different light, right. So anytime somebody can see stuff from a different light, that is huge because perspective is everything. And so they may see something that you were totally missing because it’s always been there. It’s like the cobweb in the corner. You just get used to it, so nobody notices it. So again, they’ll see that stuff, and again, third party audit helps great in that regard.

Keith Brennan:
So third mandate is monitoring and data protection, so continuously monitor data protection measures. Then we take a look at this. There we go. What does this translate into? Real time monitoring. I mean, if at the end of the day, that’s what needs to be happening to make sure all as well. Because now you’ve taken in the previous step. You’ve taken it, you’ve established your baselines. You know your policy, you know what should be traversing the network. So what you need now is real time monitoring to make sure that is happening. And the reason why I say real time monitoring is important, is if you’re actually looking at something that is past history. I want to say, it’s a week ago, right. That situation may not exist on the network anymore, right. So there may have actually been… You may actually be in violation of whatever compliance frameworks are up, or in GDPR in this instance, and not even know it because you’re looking at a week old data.

Keith Brennan:
So looking at stuff in real time. Looking at the current… What is your current vulnerability scanner data? What’s it telling you? What is your current network topology telling you, etcetera? That’s the type of stuff you need, and you need to do it in real time. And then on top of it, you should have some level of organization-specific reporting. And this isn’t just reporting that’s a generic answer, but this is reporting that definitely matters to your organization. Because again, GDPR isn’t some overarching framework with specifically prescribed steps you need to take, goals… Actually, goals you do need, but steps you need to take. It isn’t like a CIS benchmark, it isn’t like a NIST standard. Instead, it’s saying, hey, you need to do this, you need to protect this data. How you do it’s up to you. But if you choose something that isn’t, say, a standard, like a NIST or an ISO, you definitely have to be specific to what your organization’s requirements are around that and be able to report on it.

Keith Brennan:
And, as we notice in Article 32, this is where all the meat is, is around what the controller and processor should do, right. So, they definitely need to implement the appropriate technical and organizational measures. They need the ability to ensure ongoing confidentiality, integrity, and availability and resilience, right. So this is kind of the key, and this is where the real time comes in here. If you aren’t doing this in real time, how are you ensuring that this is true? Yeah it was true last week, is it true now? Is my secondary database up and running right now? Do you know? That’s the type of stuff that we need to be concerned with.

Keith Brennan:
Then finally of course, Article 32 again has that regular testing. Again, what regular is, that’s in quotes, right. So that’s up to you guys to decide what regular is, but it’s something you need to do on an iterative basis, right. It’s not something you do once and it’s all good, no, you need to continue to do it. The fourth, and I call this orchestrating persistent compliance. But the GDPR mandate is basically, correct any protection failures and notify authorities when compromised. So there’s two statements to this. First of all, correct the protection failure, and two, notify authorities.

Keith Brennan:
So let’s go ahead and look at the definition for this. Because they quickly make changes to restore your network to compliance, and then tell the authorities when there’s been a breach. So there’s basically two separate things you need to do here. Now the neat part is, is the first statement here, make the network changes to restore compliance. That’s something you do on your own. You don’t need to notify the EU unless there’s actually been a breach. Now unfortunately, a lot of places don’t find out because they aren’t doing the steps mentioned above, the iterative testing etcetera, that they’re out of compliance until the breach has happened.

Keith Brennan:
And this has actually been found, say, inside PCI. So, if anybody’s ever read the Verizon data breach report. There’s a stat that said, it was 96% of organizations had passed their PCI audit previously… So their six month PCI audit. But yet, when they were breached later on, they were out of compliance. So what does that tell you, people aren’t keeping up with it, right. They, okay, it’s PCI audit time, let’s clean up. And okay, good we’re clean, we passed our audit. But then three months later they’re breached, and why, because they’ve fallen out of compliance.

Keith Brennan:
So your compliance needs to be in real time, it needs to be iterative, it needs to be constant. It needs to be something that you are doing, something that’s ingrained in the organization, because if it’s not, that’s when the bad things happen. Right? So again, so a couple of things that are required here in Article 35. A DPIA is designed to help an organization assess the risk associated with data processing activities that may pose a high risk to the rights and freedoms of individuals. So again, what is that? That is just your audit, your assessment on the data, the same assessment we’ve talked about here on. Then finally again, we noticed that any data processor, so the person actually processing the data, doing whatever they’re doing with it, needs to have an organizational control to ensure data protection and documentation. So again, the basic controls you need to have in there to allow proper monitoring, proper activity, proper protection of the data. At the end of the day, that’s what this is all about.

Keith Brennan:
So the compliance challenges there. And really, this is trying to hit a moving target. So, as I mentioned a bit earlier here, GDPR isn’t well prescribed. It’s not a NIST framework, it’s not an ISO framework. It’s nothing to say, this is exactly what you need to do. It says you need to do these things, but how you choose to implement them is up to you. So again, that makes up a moving target. And then we stepped back a little bit earlier, and we talked about how the different SAs in each country may interpret differently, may fine differently, etcetera. So that definitely makes for an interesting situation here in terms of a moving target.

Keith Brennan:
Alright, and I’m actually going to stop, and I’m going to answer a question that I’ve seen multiple times pop up in the question menu. And, I was going to save it for Q&A, but I’ve had like 18 people enter the same question. So, I’m going to go and answer this right now, so that people quit typing in the same question. That works for me. So the question is, for GDPR compliance right, it only matters if the data is for an entity living in the EU? Effectively is what they’re asking. It’s been asked in several ways. And that is… The question is, that’s absolutely right, right. If it’s an individual, who is an EU citizen, that’s who it applies to. It doesn’t apply to me living here in California, but it applies strictly to EU citizens, so that’s the type of information that they’re interested in.

Keith Brennan:
Again, makes sense, right, that’s who they’re trying to protect, the EU citizen, so that’s who that information applies to specifically. And that’s an answer to 50 or so various questions I’ve had pop up here. So, I just want to answer that one right now. All right, so back on. So compliance standards keep changing and companies struggle to keep pace. And this is true, right. And anybody who’s done audit prep knows it’s a soul sucking task. It’s weeks or months on end, it’s oftentimes a manual process, and that is your life. That is what you’re doing. And it’s cool, because you get paid, right. And we actually get paid well for doing audits, so I don’t mind that. But, it’s not fun. Well for some people it is, but for me it’s definitely not fun. So, I definitely associate it as a soul sucking task, and it’s one of those things that definitely takes forever.

Keith Brennan:
Then on top of it, as the network evolves, compliance starts to drift. And this goes back to the PCI example I brought up earlier from the Verizon PCI report. You get drift and nobody notices. I’m actually noticing this drift big time with a lot of my customers as they begin their Cloud transition strategies. Everybody’s running out to the Cloud, full speed ahead. Yay, it’s the Cloud, and nobody’s stopping to figure out what the impact is of the Cloud to compliance. And so, so now what do you have? You have the security team, the internal compliance teams. They’re struggling to keep up, because DevOps loves it. DevOps is moving full speed ahead in the Cloud, and everybody else is trying to figure out how we stay in compliance as we do that. And so that only gets more and more and more into the fact that there are some significant issues here, and some significant technical challenges now. Where this manual process may not work anymore, we may need to actually put in automated controls to keep up with those speedy people in DevOps.

Keith Brennan:
Then finally, there are always new security requirements and compliance risk with every network change. Those changes happen, that’s why we all have change control boards, right. If you don’t have one, please, please get a change control process in place, because that’d be the first step you need for GDPR compliance. And, you got to evaluate that with each change. And again, as I mentioned earlier, as you get out in the Cloud, you get out with DevOps doing the whole thing, keeping up with that gets to be a nightmare.

Keith Brennan:
So, as we had analyzed this, there is a broad landscape here. And there are many pieces of the GDPR landscape that must be taken into consideration, right. So, for me the first biggest one is identification, right, that’s true discovery. As mentioned, that’s kind of covered. And if we look at this, first of all… Oh, I didn’t speak about the DPO. So, GDPR requires every organization that has to be compliant with it, again for the various reasons mentioned above, to have a data protection officer. It’s no different than what these guys have in health care with the privacy officer. It’s basically just a person designated in an organization that is in charge of the data protection, of governance around the data protection.

Keith Brennan:
So oftentimes, I see this falling within the lap of the DPO, more than likely. But again, depends on the organization, depends upon organizational structure, etcetera. Maybe it’s the CTO, CFO, who knows. But again, you have to have that person designated. But then the rest of it is kind of your standard fare, right. There’s not a lot that is scary from a compliance standpoint. The right to be forgotten. You should have some ability to purge a person’s information out of your database. If you don’t, please figure that out. Data portability is not something I’m discussing too much here, because again for me that is… Now all of a sudden the scope of what I’m looking at is security of data versus providing a way for people to pull their data out of the system, or transfer it to other systems. But that is also a requirement. Now the good part is, there are tons of standards out there already for that. And so, I think the industry will standardize, whether it’s a X standard, 807 standard, wherever they want. They will standardize upon that for the data portability part.

Keith Brennan:
But the rest of it is doing your due diligence, doing your discovery. Creating policies and procedures to match what you need to protect that data. So again, protection by design. Then continuing to assess it, assess, assess, assess. Did I mention assess? Keep assessing. Then finally provide a mechanism for data breach notifications. That’s going to be the key part to your… Because if you don’t notify, and people don’t… If you don’t notify, even when you’ve been breached, then that fine can get far worse once it’s discovered, and guess what, it will be discovered. How are most breaches discovered? Oh, that information’s out on the dark web. Where did they get all this PII? Oh, I know what database that’s from, etcetera.

Keith Brennan:
I mean, I have one buddy, had the FBI show up at his door saying, hey we found your data out there, I think you’ve been breached. Right, scary moment. But so, when you’re breached, you usually find out through the other mechanisms. So, even if you have been breached, and you have been identified. And you identified it, even if you don’t think there’s any impact, still report it. Provide all your information to the SA, and what you’ll discover is, most of the time they will be pretty forgiving. In particular, if hey, we saw the breach, we do not believe data is exfiltrated. Here are the controls we’re putting in place to prevent that in the future. Most places are pretty darn cool with that, though.

Keith Brennan:
So what enterprises need. So, what I mentioned first… So, I’m going to start off on the right hand side top, real time. Real time is key. And in particular, as organizations again, are moving out into the Cloud with DevOps running wild, etcetera. That is definitely something we need to pay attention to. We need to be able to track in real time what is happening across the entire enterprise. Then you need some basic out of the box controls, mechanisms to get you started. And I say that because, if you try to build everything from scratch, it’s going to be a nightmare. So find something as you put your policies, procedures, put your technical controls in place, find something that you can use. But then make sure you can customize it then too. So I know that sounds almost like an oxymoron, I’m talking about get something out of the box that you can customize. But that’s the truth. Because at the end of the day, your policies, procedures are going to be specific to your organization, so you got to make sure that what you use can specifically address your organization’s needs.

Keith Brennan:
So, to give an example, when I did my first HIPAA audit many, many years ago, I use it now, but just a canned reporting tool. And fortunately, as we all know with HIPAA, and much like GDPR, it didn’t prescribe exactly what you need to do. It’d give you the step, step. So you had to figure it out on your own, so it’s based on your policies, procedures. So I ended up with a lot of white-listed stuff, and I was trying to explain it to an auditor, and it turned out to be a nightmare. So if you take something, you take that out of the box tool, then tweak it to match exactly what your organization needs, you’ll discover that audits go a lot more smoothly. Then on top of it, you’re monitoring for exactly what you need to monitor for, instead of a bunch of other things and then filtering out the noise.

Keith Brennan:
Okay assessments, continuous. I’ve said this 60 million times, but it’s the truth. The organizations that aren’t continuously assessing their environment, they’re the ones that are far more likely to be breached than the ones that are, right. Then on top of it, you want final control. You want some methodology to manage this in real time. To go ahead and lock down the violation. So a good example is, let’s say vulnerability scan data, right. So, you have scan data that comes out, and all of a sudden you’re noticing root level vulnerabilities on critical systems. Wouldn’t it be nice to have something that can immediately go out there and take an initial remediation action, while we’re waiting for the human to come in and actually figure out exactly what needs to be done.

Keith Brennan:
Is it 23 minutes, I think, is the average time it takes well known ports to be scanned on any given IP. So imagine if you had an issue on 443, somebody’s checking it within 23 minutes, right. So they’re going to see that, they’re going to go ahead and… That breach may happen long before the human ever even sets eyes on it. So, you definitely want some methodology to control that in real time.

Keith Brennan:
And again, another scenario, let’s say discovery, right. So we have a discovery practice out there that says, hey, show me information. So if I have a utility running in the background that’s scanning information, all of a sudden PII is showing up now on a system I didn’t expect PII to be on, wouldn’t it be nice to have something, again to automatically take a remediation step. Maybe isolate that box or something until we can figure out exactly where it belongs, and again take the appropriate steps.

Keith Brennan:
Again, what this all comes down to is the real time remediation, is minimizing your exposure surface, the attack surface. And, we all saw from the fines… I hate to say it, but it may very well be the case here, where a small five minute disruption of business may be better than a $4 billion fine, right. So, again those are things you got to weigh out as you guys do your internal risk assessment. How much risk are we willing to take given the fines extensively levied against the organization.

Keith Brennan:
So, the one thing I was asked by the powers that be, so I threw in a quick slide to have a demo. I’m not even going to talk about this slide too much, other than I did what the powers that be asked me to do, that add the company logo on it, throw that away. And we’re going to talk actually about what this means in general here. So, what this means. It means putting it all together, right. So it means, making sure that you have a complete circle going on.

Keith Brennan:
And again, this is going to hold true, while it holds true for GDPR, it’s going to hold true for almost any compliance framework out there. You need to do the exact same things, right. So you need to definitely do your discovery, whether it is where my data resides, whether it’s where my vulnerabilities are out there to that data, etcetera. But you need to take that step, and you need to do that discovery in real time, right. You’re not looking at data from a week ago, you’re not looking at data from a month ago, but you want to do that discovery in real time, and make sure that everybody is actually, is acting upon that data. So often I see people acting upon month old data that it blows my mind. So, make sure that you’re doing your discovery inside the circle. I’ve tagged it here as vulnerability management, but essentially it’s continuous discovery moving forward, right.

Keith Brennan:
And then finally compliance again. Ongoing, ongoing, ongoing. The reiterate compliance, you want to do that, 24/7, 365, until infinity. Something you keep on doing. And, the cool part is, is a lot of this stuff nowadays can be automated, right. There are tons of tools to help you automate that. It is no longer where… Five, six years ago, I had a nephew, he’d be doing it. That’s what he did. No, no, no, no, no. Now you have tools that can do a great portion of this, right. And they can do it faster than a human too. And so that’s a good part, right.

Keith Brennan:
So find the tools that allow you to do that. We all know that in information security/information privacy, there is a negative 10% unemployment rate. I have a hard time finding people. No, actually I have a hard time finding qualified people, let me straighten that out. So, given that information, using tools that can automate this process for you. That’s absolutely what you need to do. You need to be able to get that, you need to be able to hammer it, and you need to be able to get to the end. And get the key pieces of data that you need humans to act on. So it’s definitely good to have something there for the real time monitoring purpose.

Keith Brennan:
And then finally, orchestration automation. Again, we have automated tools now, they’re mostly… We all have automated tools, they’re doing our vulnerability scanning for us, they’re doing our data discovery for us. Now we have tools helping us with the compliance side too. So as we put the two together, I see, hey, here’s my data. Here’s some vulnerabilities or something associated with it. Here I am from a client standpoint, as we discover stuff that falls out of compliance based upon data classification etcetera, wouldn’t it be nice to automatically orchestrate remediation for those?

Keith Brennan:
And again, what we’re looking at the end of the day is two things. One is, solving for the issue that we all have way too much work to do and not enough time to do it. I mean, I was up till midnight last night working. And the other thing we are solving for is, the ability to remediate a threat before it’s exposed, we handle this in real time. And again, intelligence systems are using AI machine learning. They’re getting out there, and they’re able to make some really good decisions on what needs to happen, and exactly how to remediate it. And then flag it, right. Hey, I saw XYZ scenario, I took this action, please review, right. That’s stuff that you want. You want that to happen in real time, because again, breaches particularly in relation to GDPR, can be very costly.

Keith Brennan:
So with that said, I do have one question here that I’d like to add, and it’s kind of a polling question at the very end. I’ve talked to a lot of organizations, and a year ago they were… Actually, I don’t want us to do my polling question. So, polling question have been presented to you guys. And I’ll talk about reason why I asked this polling question here once I get the results in. So we’ll go ahead and take 30 seconds or so and let people… Don’t answer the polling question.

Keith Brennan:
Alright, so it looks like we’ve pretty much finished here. And it stayed pretty solid. 80% yes, or 20% no. What’s really interesting is, as we… A year ago, if I would have asked this to people, I think, particularly in the United States, I think the results of this would have been reversed. I think there would have been a certain… Matter of fact, there was. I’m not worried about GDPR, it doesn’t apply to us. But I think, as more and more people have done the research and their homework, they realize it does apply. I mean I was one of those naysayers, right.

Keith Brennan:
So when I was doing our assessment for FireMon, the organization. So again, GDPR doesn’t matter to us. Then I actually turned around and started looking at data I had, and sure enough, in one location which was our user portal, I actually had five components of PII for every user. I was like, oops. Right? So, and again, none of it was epic and earth shattering, but nonetheless it’s still something that made me… Okay, now we need to take steps to protect this information.

Keith Brennan:
And, again we’re a global organization, so I definitely had users from the EU there, so I just chose to adopt that for all users. But, nonetheless it is amazing once you actually go look, and when you realize how spidered we are. Even if we’re just a U.S. based company, or just a company based in India or somewhere else, how spidered we are, and how interconnected we are now that it’s really hard to actually escape something like GDPR. So again, keep that in mind when you guys do your discovery early on, make sure you look at everything. I wouldn’t even have thought to look at the user center, I just kind of stumbled across it by accident. I was like uh-oh. So definitely make sure that you evaluate the entire environment when you look for GDPR.

Keith Brennan:
Alright, so Q&A. We actually had quite a few questions pop in here. Actually more than I’ll be able to answer within the allotted period of time. So, I’m going to go ahead and take some… Just answer some random ones here. So, one I have asked, is management level responsible for GDPR? Yeah, absolutely. Well okay, first thing, let’s back up here. Everybody’s responsible for GDPR. If you’re in an organization and that organization falls under any given compliance framework, it’s for everybody from the lowly custodians… Lowly is the wrong term. But from the custodian, clear up to the CEO to make sure you’re in compliance.

Keith Brennan:
Now, it is a management responsibility whether that’s at the board level, C-level, director level, management level, somewhere in there to define the policies and procedures. To define exactly what we’re going to do in order to stay compliant, but it’s everybody’s job to make sure that we are complying with GDPR. I mean, at the end of the day, if a major breach happens and it costs an organization millions if not billions of euros, somebody’s head is going to be on the stake. And it may be the CSO, it may be the CEO, but that’s the type of scary stuff that you need to be aware of.

Keith Brennan:
Third question here, reporting data breaches to the customers can no longer be nine months later, right? So, yeah. So, that’s the thing right, it can be. Now if you choose to do that, understand that the SAs, the fining authorities will probably abuse you nicely. They’re going to expect a timely report, right. So, if you discover the breach, you’re expected to immediately report it to the SA, and consequently immediately report it to the end users. If you discover the breach then report that nine months later, good luck asking for mercy when they go to fine you, and they probably will go for a max fine. So, I think that’s one of the things I really like about GDPR, is that dog definitely has some bite. I think what it will do, is I think it will definitely impact some negative behavior we saw in the past. For instance, waiting nine months to report breaches.

Keith Brennan:
Had a question around… Okay, so I had a question. What if anything could we do around ISO 27001 to update it to be compliant with GDPR? So actually, if you guys are right now, if you’re an ISO compliance shop, that is a great building framework. As a matter of fact, that’s where a lot of my European shops, that’s where they started. We’re going off ISO, we’re starting on ISO. Then what you need to do, is you need to turn around and you need to look at specific stuff. Where does my data reside? Is that data encrypted at rest? Etcetera. And you need to take that information and then build on the ISO, some custom stuff, some organizational specific items that match up with what you guys are doing with the data and how you’re utilizing it.

Keith Brennan:
And I think what we’re going to see too, is we’re going to see some more guidance on this. As it happens, there’s going to be a lot of feeling out processes, as SAs figure out exactly what needs to be there, what doesn’t need to be there. And again, that may change from country to country too, so we got to be aware of that. But really if you’re already ISO compliant, you’re 90% of the way there. So it’s now just figuring your data cataloging and making sure of specific controls. For example, encryption of data at rest, etcetera, are being met. But otherwise you’re in good shape there.

Keith Brennan:
Oh, so good question. So we’re just under two weeks away from the deadline for compliance, what percentage of companies do I think are going to be compliant? I think there’s going to be… Well you have a couple like Facebook and stuff that are self-certifying and saying they’re compliant already. Which they may very well be with the letter of the law. I think for a large part, I think it’s going to be slow. I think we’re going to be lucky. I think on a big enterprise level, I think we’ll probably be 50, 60% in compliance come the 25th.

Keith Brennan:
Smaller companies, I think that’s going to be a little bit more of a stretch. And it may very well be one or two big fines that happen, that light a fire under our bigger fish getting compliance, that’s usually how something like that works. They do a risk reward scenario, is that we’re spending the money to get compliant, and if they don’t feel it is they’re not going to do it. But, 20 million euro fines are starting… Somebody starts dropping a $20 million, a 20 million euro fine, then that’s definitely going to interest a lot of people in getting compliance at that point.

Keith Brennan:
Somebody just asked what does compliance look like? Yeah, that is a great question. All right. A couple other questions that rolled in here… One person asked, does patch management become an important issue? Absolutely, it should always be an important issue. You need to do continuous risk based assessments, right, that’s what they’re asking. And so, if you have exposed vulnerabilities, then that is definitely something that needs to be addressed. And again, it needs to be continuous. So it needs to be something that happens as part of the process.

Keith Brennan:
And one of the things I’ve learned too, is methodologies, or help is needed with that. And I’ll give a story. 11 years ago when I did my first vulnerability scan on a network, I ran it on a Class B network. Started on a Friday. Said I’m going to start patching stuff on Monday when I get back. Came back to 142,000 vulnerabilities. Threw that report away and started scanning individual hosts. So you need some methodology to help you through it, help you through the process. And so whether that is just a policy procedure in place, saying hey, we patch rhythm of vulnerabilities within 12 hours blah, blah, blah, blah.

Keith Brennan:
Or if it’s a piece of software you have, like FireMon, running in the background that says, hey, these are exposed vulnerabilities, these are the ones you need to deal with now. You definitely need to do something like that in order to help from the patch management perspective, because it is key. If you have unpatched vulnerabilities out there and you’re breached on those vulnerabilities, you will be fined on them. So it’s definitely something I would watch.

Keith Brennan:
Now that said, I see I have two minutes left, so I’ll pick one more question here out of the list. So, third party processing service vendors, this complicates the matter considerably, right. Do they need to be GDPR certified as well? Absolutely, right. So if they are dealing with any aspect of PII that belongs to an EU citizen, they need to be GDPR certified. Again, if you think about it, health care has the same issue, right, in the United States. We have organizations that have third parties doing business for them, whether it’s a transcription service, whether it’s a billing service or something like that. Those all need to be, make sure they’re compliant with HIPAA. So, you have to do the same thing here with GDPR. So, anybody who’s going to be touching that data, and that data belongs to an EU citizen, they need to definitely be compliant.

Keith Brennan:
And this structures into another question I saw a little earlier, it just reminded me. So, what about data transfers, right? So, can you transfer data to a non-compliant entity? And the question that is. Well yeah, you can do anything you want. But you inherit a lot of risk, because you inherently take that risk now as the transferring agent, right. So that’s definitely, you guys need to talk to your third party that you have out there, and make sure that they are taking the appropriate steps to be compliant. And it could be a lot of them already have done it, so if they are doing it, then we’re in good shape, right. But again, you want to make sure it’s documented, you want to make sure they can hand you a SOC 2 report or something like that, indicating that they’re doing the appropriate steps. But you definitely want to do something to help mitigate that risk you take on by transferring that data to them.

Keith Brennan:
So with that said, I come to the end of the presentation. And of course, the legal disclaimer. Whoops. Put the legal disclaimer up here for a minute so everybody can read it. Again, goes with the fact that I am not a lawyer. So, neither is the stock in this instance, so please, do your due diligence moving forward. And thank you everybody for attending this webinar.

Lucy Buckley:
Thank you so much, Keith. Looks like we’re just about out of time for today. So again, Keith, thank you so much for that great presentation, and a very interesting Q&A session. Also, a big thank you to our sponsor FireMon, whose support has made it possible for ISACA to offer this event free of charge to our constituents.

Lucy Buckley:
Remember to check out the tabs at the top of the presentation window to view additional resources. This webinar was recorded so you can go back and watch it from the on demand program section in your classroom within the my learning portal. If you’re interested in earning up to five free CPE credits with no travel, you can still register for the virtual conference change agents in the cyber security era, just click on the announcements panel and learn more.

Lucy Buckley:
Again, I’d like to thank our sponsor, and our speaker for his time and expertise today, along with everyone in our live audience for your attention and participation. Have a great rest of your day.
