Intelligent CISO Issue 1 - Page 38

FEATURE guidelines will be in place as to the demonstration of GDPR compliance. SARAH BAILEY BAILEY – – CLIENT CLIENT SARAH DIRECTOR, IT IT SECURITY SECURITY & & GRC, GRC, DIRECTOR, SERVICENOW SERVICENOW In terms of best practices to help organisations on their GDPR journey, I would recommend the following seven steps: 1. FOUNDATIONS: A maturity assessment is needed to help a firm know where it is in relation to being at a point of compliance. It is also at this point that we establish whether the company is hosting any EU citizen data in the first place. and use remediation controls when they become necessary. The monitoring process helps us quickly review the business services that are the most out of compliance and identify areas under the most duress to determine whether the issue is technical, training or personnel related. 7. OPTIMISE AND PREDICT: As we move ahead with GDPR, firms need to create a dedicated knowledge base of articles to help responders quickly take care of repeat issues and to predict potential future threats/breaches. ROLAND DACCACHE, ROLAND DACCACHE, SENIOR SENIOR REGIONAL SALES REGIONAL SALES ENGINEER ENGINEER MENA, FIDELIS MENA, FIDELIS CYBERSECURITY CYBERSECURITY 2. POLICIES: Firms need to establish and amend organisational policies and procedures to match GDPR requirements supporting CIAR (confidentiality, integrity, availability and resiliency). technology for proactive network monitoring, protection and threat detection, which is currently forcing companies across all sectors to update their security infrastructures. This is so that they can effectively respond to increasingly inevitable data breaches and report them to the authorities within the obligatory 72-hour notification window. While an efficient incident response system is a good first step, organisations seeking to demonstrate GDPR compliance must also be able to provide extensive data regarding the incident response process of specific cyber incidents. This detailed analysis would again be near impossible to deliver without the use of an integrated, unified security platform that can automatically provide analysts with all relevant information. BRIAN CHAPPELL, SENIOR SENIOR BRIAN CHAPPELL, DIRECTOR, ENTERPRISE & DIRECTOR, ENTERPRISE & SOLUTION ARCHITECTURE, SOLUTION ARCHITECTURE, BEYONDTRUST BEYONDTRUST 3. STAFF: Firms must appoint a DPO (Data Processing Officer) because this is mandatory in every organisation. Also, at the staff level, firms should involve all stakeholders and get their buy-in to successfully implement GDPR requirements. 4. DETECTION: Firms need to be able to detect and assess changes to their data risk and security posture, in real time, at any time. In this way they will be able to analyse the severity of any data breach when and if it does occur. This detection process will also enable firms to scope out and calculate the cost (and financial impact of) any breach that does occur. 5. RESPOND: All businesses will need to implement regular auto-executions of GDPR controls for related citations and build that control into a risk and security data auditing plan. Also at this point firms can accelerate remediation and orchestration through automation. 6. MONITOR: There is a real need to monitor use of data and gain real-time insight into the state of compliance to assess each firm’s risk posture. In doing so we can then track that risk status 38 Demonstrating GDPR compliance will be near impossible without deploying the appropriate technology. Properly demonstrating GDPR compliance will be near impossible without deploying the appropriate GDPR reinforces much of data privacy best practice and can be complex in achieving compliance. For example, companies need to ensure they have properly classified the personal data they hold and that appropriate consent has been received where necessary. Where data is processed, organisations must have qualified the purpose of that processing and identified the legal bases under which that processing should be performed. You also need to be able to demonstrate that personal Issue 01 | www.intelligentciso.com