EU GDPR And Businesses

New European Union General Data Protection Regulation affects most US businesses

EU GDPR will be enforced effective May 2018, after a two-year post-adoption grace period. This raises concerns about how US businesses might be affected. What follows is a brief evaluation of the regulation in terms of trade with EU member countries and its potential impact on business processes. GDPR will be a new challenge for business owners in the United States and, in practice, everywhere in the (cyber) world.

GDPR applies to all companies, regardless of their physical location, that process and hold the personal data of individuals residing in European Union member countries (data subjects).

Global perspective: what are others doing about GDPR?

It is useful to know what others are doing about GDPR. Survey data collected in November 2017 gives a picture of what is happening in companies around the world:

  • 50% do not know the impact of GDPR on their business
  • 9% of US firms say they have allocated more than $10 million for GDPR compliance
  • 77% have budgeted at least $1 million to comply with the regulation
  • 83% of US privacy professionals expect GDPR spending to be in the six figures
  • 61% of US companies have not yet begun to implement a compliance program

Which departments are affected, and is it only IT staff that should be worried about GDPR?

Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, you are subject to GDPR requirements.

Depending on your products (goods or services) and business model, practically all departments of a company are affected by this regulation. At a minimum this includes, but is not limited to, Marketing and Sales, where the first contact with an EU entity is initiated. Every marketing email or sales event has the potential to gather EU citizens' information. Any communication with EU member countries, whether by phone, email or website, ends up storing citizens' information in some form and falls within GDPR's boundaries. The outermost layers of a business are the first business nodes affected.

To identify the scope of your journey to compliance (or to establish that you are luckily not affected at all), you need to review your business workflow in depth. That is a systematic approach, rather than jumping blindly into the technical side in the middle of the battle! Today's businesses rely more and more on technology, mainly software, but that does not mean you need to start with your tech departments (IT engineering, software development, webmasters…) first. The very first step is to know your workflow. If you already have this piece, you are well ahead of others.

Do you need help implementing GDPR? Do you need a gap analysis?

The answer can easily be determined via a gap analysis, but first evaluate the level of knowledge in your organization regarding regulations in general and GDPR in particular. Chances are there is a tech-savvy person with a basic understanding of the subject; otherwise you will have to seek external consultation to do the initial analysis and write an implementation plan.

For the implementation itself, it really depends on the result of the analysis. If systems and workflows are clearly documented, implementation is a matter of connecting the dots from system to technology. You may need help choosing the technology, but that is not a big deal as long as you can define the problem and know exactly what is missing.

Without a clear understanding and documented systems and workflows, starting right off the bat with data mapping will be tedious and, depending on company size, will require extra help.

Some generic actions are described below.

GDPR: Primary Actions

GDPR: start from scratch with these primary steps

The following steps can help you identify where you are in the GDPR compliance journey. Consider this a quick audit ahead of a more comprehensive gap analysis of your current situation:

  • Role identification: identify whether you are a data controller, a data processor, or both.
  • Identify all data collection/processing systems and workflows, knowing where the data came from, every entity it has been shared with, and every location where it is stored.
  • Conduct a full audit of how you currently process customers' private data (e.g. financial information, marketing facts…). This can be labor-intensive and time-consuming, but it is unavoidable.
  • Determine whether you need to appoint a Data Protection Officer, and designate a contact who will cooperate with the GDPR supervisory body.
  • Develop consent and disclosure forms covering all possible uses of data.
  • Ensure you have policies to notify EU citizens of potential breaches when their data is affected.
  • Revise your privacy policy and privacy practices to meet GDPR requirements.
  • Awareness: make sure business associates and subcontractors are aware of their requirements under GDPR.
  • Review policies on data retention. There is a maximum time limit for the storage of data on EU citizens, and data can only be kept until the purpose for which it was collected has been achieved.
  • Other initiatives: leverage your other regulatory initiatives or privacy and security programs.
  • Consider Privacy Shield if data transfer across borders is required. You may need to start participating in this program.

The first challenge is to identify your definition under GDPR: data controller, data processor, or perhaps both. This changes many things going forward, because the obligations differ and each role has a different set of requirements. As I mentioned multiple times, know your workflow in order to locate where data resides within systems and processes. This is going to be the biggest audit of your organization. Even if you sign off on GDPR later for any reason, the value of this journey affects your business in a positive way forever.

IT System Administration Good Exercises: Event Lookup!

Computer administration is all about how the system and network are running at this moment. What could be more important than how the zeros and ones are really interacting in the background?

System and network administration starts and ends at the lowest level of these environments. The places we barely look at are the source of system and network information: the pieces that are crucial to administration and to finding flaws proactively. In fact, many future and potential security vulnerabilities start showing signs at the lowest level of systems and networks.

In Windows, the main (but not the only) source of system events is the System log under Windows Logs. Many interfaces and tools can query this database, but the easiest way is the Windows Event Viewer user interface (eventvwr.msc, or eventvwr.exe under \windows\system32).

One of the good exercises is to check this log regularly. It may sound funny, but "regularly" could even mean annually; that is still better than never, which is what most system administrators choose. If you are not checking the Windows System log, you simply do not know what is going on in the systems you administer. Even though this is only the starting point, it is crucial to look for system anomaly events and start investigating them.

This is not the time and place to go through the types of events, build the skill of event analysis, or train your eyes, but it is the time and place to emphasize the importance of the System log database. That is where you can start finding issues and tuning up your system and network before an issue turns into something bigger, or before a user calls to say that his machine is slow and you have no clue why your nodes sometimes start acting up.

I recommend reviewing the System log at least every other week and marking red flags for further investigation and analysis. Over time you can develop simple scripts and alerts that trigger on certain repeated issues, but you still have to go through the log every once in a while to keep sight of your systems.

If your system administrator tells you s/he doesn't have time for this, it is like saying "I do not have time to make sure my bike is working on the weekend, so I walk to the office every day and I am always late for that reason!" Excuses about time and resources in this regard are like saying "I am willing to keep working with an old-fashioned lawn mower just because I do not have time to go to the garage and plug the new, faster one into the outlet!"

System logs give you a lot of information about the computers you are managing. This is not limited to the system you are investigating; you will find things that are global within the environment: specific to a piece of software, a segment of the network, a malfunctioning application, or just performance issues. The latter has generally been ignored among IT staff, because they find replacing equipment faster and easier than troubleshooting, but it is funny when we replace something and the issue remains unsolved.

How many times have you found a system with performance issues caused by a hardware malfunction? A lot, right? But I assure you that you will find even more performance issues caused by the fact that the system is not tuned up and many things are running with problems in the background.

But performance is not why I insist on looking through the System log. You will find security issues that have no reflection in the actual Security log. You will find useful correlation with the other logs of the system: network issues, applications, Active Directory, and many things for which the System log is not the primary place to follow them, but which leave artifacts and footprints there.

Develop a simple process to review these logs and you will find yourself proactively mitigating issues before they turn into global system and network problems.
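As an added example of the "simple scripts and alerts" the post recommends (this is not the author's script and not part of the original post), the PowerShell below does a fortnightly System log triage in two passes: it ranks Critical/Error/Warning events by provider and event ID so repeated noise stands out, then pulls a short watch list of System log event IDs, whatever their level, that are worth correlating with the Security and Application logs. The `$Days` and `$Computer` parameters and the watch list are assumptions to adjust for your environment; the event ID meanings are the standard Windows ones. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the original post: a fortnightly System log triage.
# Part 1 ranks Critical/Error/Warning events so repeated noise stands out.
# Part 2 pulls a constructed watch list of IDs (at any level) worth a second look.
param(
    [int]    $Days     = 14,                  # assumption: review window
    [string] $Computer = $env:COMPUTERNAME    # assumption: local machine
)

$since = (Get-Date).AddDays(-$Days)

# --- Part 1: what keeps repeating? (Level 1 Critical, 2 Error, 3 Warning) ---
$noisy = Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'System'
    Level     = 1, 2, 3
    StartTime = $since
}

Write-Host "`n== Top provider / event ID pairs since $since =="
$noisy |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object -Property Count, Name -First 15 |
    Format-Table -AutoSize

# --- Part 2: watch list. A constructed, non-exhaustive selection of System
#     log IDs; several are Information level and would be missed by Part 1. ---
$watchList = @{
    41   = 'Kernel-Power: system rebooted without a clean shutdown'
    6008 = 'EventLog: previous shutdown was unexpected'
    7034 = 'Service Control Manager: service terminated unexpectedly'
    7045 = 'Service Control Manager: a new service was installed'
    1074 = 'User32: shutdown or restart initiated by a process or user'
}

$hits = Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'System'
    Id        = @($watchList.Keys)
    StartTime = $since
}

Write-Host "`n== Watch-list hits since $since =="
$hits |
    Sort-Object TimeCreated |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $_.Id
            Provider = $_.ProviderName
            Meaning  = $watchList[[int]$_.Id]
            Message  = ($_.Message -split "`n")[0]   # first line is enough for triage
        }
    } |
    Format-Table -AutoSize -Wrap
```

The two passes are deliberately separate: a Level filter alone would hide the Information-level entries (new service installed, user-initiated restart) that are exactly the ones the post says have "artifacts and footprint" in the System log without any reflection in the Security log. Once the output is boring for a few cycles, the same filter hashtables can be attached to a scheduled task that emails only the watch-list hits.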

GDPR In A Glance

A Summary of New European Union General Data Protection Regulation

The purpose of this legislation is to protect the personal data of EU citizens, including how that data is collected, stored, processed/used, and destroyed once it is no longer needed.

The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.

EUGDPR.ORG

The main purpose of the regulation is to give individuals enough power to choose how their personal information is kept, processed or discarded.

GDPR defines personal data as "any information relating to an identified or identifiable natural person", including names, addresses, telephone numbers, email addresses, credit card details, financial information, medical information, posts on social media websites, biometric and genetic data, location data, an individual's IP address and other online identifiers.

The rights afforded to EU citizens and the major GDPR requirements include:

  • Collecting data only when there is a legal and lawful reason for doing so
  • Obtaining consent before personal data is collected, stored, or processed
  • Implementing controls to ensure the confidentiality of data is safeguarded
  • Training employees on the correct handling of personal data
  • Ensuring an individual's right to be forgotten can be honored and that it is possible to permanently erase all collected data
  • Ensuring individuals are informed about how their information will be collected and used, similar to the Notice of Privacy Practices required by HIPAA
  • Making sure data transfers across borders occur in accordance with GDPR
  • Putting data breach notification policies in place to ensure EU citizens receive notification of a breach of their personal data
  • Appointing a Data Protection Officer, where necessary

History

The European Parliament approved the GDPR in April 2016; it entered into force in May 2016, and the two-year grace period ends in May 2018.

GDPR applies to all companies, regardless of their physical location, that process and hold the personal data of data subjects (individuals, citizens) residing in European Union member countries.

GDPR is essentially a risk-based framework focusing on PII (personally identifiable information): anything from name, gender and address to bank account details, even the sales and marketing transactions that are normally collected during the course of any typical business interaction.

What is the potential loss of non-compliance?

Organizations can be fined up to 4% of annual global turnover or €20 million, whichever is greater, for breaching GDPR. This is the maximum fine, imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core Privacy by Design concepts.

The cost of GDPR noncompliance is high, but what about more positive incentives to be compliant?

The details of how the EU is going to enforce GDPR, and how noncompliant businesses will be proactively identified, are not clear yet, but the community believes that any company around the world with a Web presence that markets its products over the Web will have some homework to do.

Does your firm need to become GDPR compliant? Not necessarily, if there is zero business relation with the EU, but that is very unlikely for most businesses, even in the USA.

References

EU member countries

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Republic of Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • UK

For details refer to official publications:

EU GDPR 2016_679 General Data Protection Regulation

GDPR glossary of terms

Three Reasons To Trust SECURE TARGET

Articles will be revealing in many aspects of information security and information technology in general, but why would you trust SECURE TARGET?

Being blunt by default and straightforward about the root causes of tech insecurities is not common at all. You will soon experience (if you have not already) how the computer security business is no different from any other market. This is a business: why would you think market leaders do not want more profit, and how are they able to make more profit without compromising some aspects of real security and pushing something to the market, not as a real "need" but as a manufactured "want"?

This has been one of the challenges of the security products market in terms of customer acquisition, and the conflict between stakeholders and market drivers will always cast its dark shadow over security initiatives, making consumers doubtful and uncertain about the right solution.

Here you will be told how to simply and effectively take care of the security of your computers and other information technology elements for good. You will realize which part of the market is real and which part is fake (and only there for the sake of making more money), but you should not be shocked, as this is the reality of almost all businesses. It does not mean the market is pushing something useless or necessarily insecure; it just might not be what you need at the moment, it may be a waste of money, or it may not be what your security program really demands, and yes, sometimes it may put your security program in an insecure posture! Hence, jeopardizing Security with security!

In other words, considering the rule "complexity equals insecurity", you generally pay more for something that is not only no more secure, but also downgrades the current quality of your security posture!
With many years of experience, transparency has been my first byproduct of the IT business: I did not sell a single PC while it was possible to tune up the old one better than the current one, and I revealed all security details of a given IT element during my dedicated, focused, professional training without fear of having a student better than the teacher! In the meantime, questioning every aspect of computer technology without affiliation to any product or even any specific trend put me in a neutral position where the metric would be measuring effectiveness, not what is possible at the moment according to the market. So here's why you can trust my judgment:

1) Member of both communities
I am an advocate of both the security community and the hacker community. In order to stop cybercrime we have to be virtually undercover, and there is no way to feel the heat of this battle unless you are a front liner on the security side.
Active learning from both communities is the key to helping maintain a healthy and secure cyberspace, something that is prone to turning into a myth! Defending a society is not possible without knowing your enemy, and I am not talking about ridiculous hands-on training courses on ethical hacking. This is about the social engineering practised by the hacker community; that is what they do with us in every single minute of interaction. On the opposite side is the security community, the most secluded, introverted group of people, who think they can conquer a land before knowing its location on the map!

2) Research
Knowing what is happening in the fastest-paced industry of all time (IT) is crucial, but it is not enough for handling the unleashed horse of cyber insecurity. Continuous research is the key to maintaining a balance between the different entities of the cyber world: whatever enters (or rather, penetrates) the cyber world brings its own insecurities to the equation, which may totally change the current state of insecurity, or the magnitude of the catastrophic outcome for other entities that were totally secure before the new entity was introduced! It means we need to constantly research the current equation of cyber elements and assess different factors to manage ongoing change in a secure manner. This requires research on all aspects of cyberspace, not just the topics filed under the word "security".

3) Result oriented
Judge based on result and outcome, not personal preferences; that is the basic tool and logic of evaluation. Whether you prefer hot or cold coffee does not change the state of hot and cold coffee! Simply put, every security solution is good as long as the result is convincing and satisfying, and every security solution is a waste of time and money as long as the outcome is not favorable. You can apply this analogy to what SECURE TARGET offers as well: if the result is not superior and significantly positive, there is no reason to back a solution.

Why Environment Constantly Faces Insecurities?

There is no doubt that security is not a project: there is no end, and we need to constantly evolve. But does it seem to you that you are putting in more effort than you expected? You may sense some doubt about why you are constantly running after issues to fix, but is this the way security works?

No. Although you may get bombarded with market messages telling you that you have to keep running, it is not true; the problem is in a different area… the choice is yours:

Gaining “Security” via constant “fire fighting” vs. “guaranteed security” via adequate system and network administration!

It is all about the way we manage and configure our tech environment, from infrastructure to end-user machines, from software to processes. The most commonly observed cause of general failure in cyber security is that the tech team (usually the IT department) is not managing the system and network well!

The way we administer technology is the main driver of our security program; it can fail us or take us to the next level. If we are running all the time to catch up, if we are struggling with a smooth patch management process, if we do not know where the risks are at any given time, if we are constantly introducing risk and insecurity into our systems… all of this is because we do not manage our system and network properly.

The simplest examples are how we set up software or hardware with the default configuration and hope it works, and how we leave systems and network nodes unattended until they start screaming by indirectly breaking some elements. We always blame the technology; we never ask ourselves how we manage the technology!

Default configuration is not the only example, but it is the most frequent one, because sooner or later the tech team is configuring a new system, piece of software, hardware, script… and this usually happens with no security in mind!

The Fine Art of Network Security Configuration: Micro Segmentation

Micro segmentation is the particle of an effective network segregation

Network security administration rarely leverages a concept that has basically been there forever and could literally save administrators forever when dealing with the security of network services, and that is nothing but micro segmentation.

I usually bring practical examples to my workshops so students are able to see and feel MS in real scenarios, but as a brief explanation, micro segmentation is the technique of limiting a network node's presence to only the needed services and to a limited audience.

Get rid of the flat network with simple techniques around micro segmentation!

This simple technique is far from the majority of network configurations these days, where nodes are all connected to a switch and the most segmentation done is via virtual LANs. Micro segmentation takes care of nodes within their own micro virtual world of services and clients.

MS turns the most insecure network protocols into something even more secure than a natively secure protocol, improves performance, and saves the network from unknown attacks or malicious actors for good. Again, no specific tool is needed to implement this concept on a network of any kind, Linux, Windows, Mac… it fits any infrastructure or technology; the only thing needed is a clear understanding of the nodes, the network services and their clients' needs.
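As an added example of the "only needed services, only to the limited audience" rule stated above (this is not the author's workshop material and not part of the original post), the PowerShell below expresses micro segmentation for a Windows file server using nothing but the built-in Windows Defender Firewall: inbound defaults to block, the broad built-in allow groups are switched off, and SMB and RDP are re-added scoped to their actual clients. The `$FileClients` subnet and `$AdminJump` address are constructed placeholders, not values from the page; replace them with your real client subnet and management host before running in an elevated session.

```powershell
# Added example, not from the original post: micro segmentation of a single
# Windows node with the built-in host firewall. Each exposed service gets
# exactly one audience; everything else inbound is dropped.
$FileClients = '10.20.30.0/24'   # constructed placeholder: the only subnet that needs SMB
$AdminJump   = '10.20.99.10'     # constructed placeholder: the only host allowed to RDP in

# 1. Default posture on every profile: nothing in, anything out.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Disable the broad built-in groups for the services we are about to re-scope.
#    (Disabling 'File and Printer Sharing' also drops its ICMP echo rules; add a
#    scoped ping rule if your monitoring relies on it.)
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Set-NetFirewallRule -Enabled False
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -Enabled False

# 3. Re-add each service limited to its audience. No rule, no exposure.
New-NetFirewallRule -DisplayName 'MS: SMB from file clients only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $FileClients -Action Allow -Profile Domain

New-NetFirewallRule -DisplayName 'MS: RDP from admin jump host only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AdminJump -Action Allow -Profile Domain

# 4. Verify: every remaining inbound allow rule, its port and who may reach it.
#    Anything listed with RemoteAddress 'Any' is a segment you have not closed yet.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $port = ($_ | Get-NetFirewallPortFilter).LocalPort
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; Port = $port; From = $addr }
    } |
    Sort-Object Rule |
    Format-Table -AutoSize
```

The verification step in part 4 is the part to keep running after the initial setup: it prints the node's effective "micro world" (which service, from which clients) and makes a regression, such as an installer re-enabling a broad rule group, visible immediately. The same pattern carries over to Linux with nftables or to a VM-level security group; the technique is the per-node allow list, not the tool.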

ISO 27001 Audit Tips and Tricks

the easy way to maintain an effective, low cost and smart ISO 27001 security management system


Even though there is no magic behind auditing a system based on ISO 27001, there are simple tricks that help you handle ISO 27001 and many other similar standards and frameworks, both as an auditor and as an auditee.

If I had to point you to just one important aspect of ISO 27001, it would be "Links". The connection between different parts of the standard is the key to the kingdom! Understanding this key makes you super strong, either as an auditor or as an auditee.

There are certain connections between different clauses, and even between different controls. The majority of ISO 27001 elements are linked together, which simply means that as long as you follow the links, you will surely reach the final destination: a flawless system with no broken links.

The main links come from the relationships between SoA, Risk, Asset and Access

Links are important because if clauses, documents, policies, controls… are not connected and consistent, you will ultimately be noncompliant. No matter how hard you try to have a comprehensive, beautiful, technical… set of policies, ignoring links is a red flag for any experienced auditor; they see the effect right away, and after that the whole system looks synthetic!

The main links are between the SoA, Risk, Asset and Access. These are foundations, and without proper linkage there is no way to maintain a healthy, consistent, auditable ISO 27001 security management system. Start with the SoA: that document is not an index or table of contents! Flow from the SoA to the risk assessment and back again, multiple times, until every control has a justification. Never compile asset policies without demonstrating and understanding their links with the higher-level SoA and risk documents, and only then move on to Access as the child and outcome of the first three documents.

As an auditor, you should always look for broken links, because analysing and accepting a subject without finding its conceptual link with other topics is nothing more than ignoring the main purpose of the standard: a solid management system, not a set of individual files and unclear processes.

As an auditee, try to find your broken links before the audit. This does not require an internal audit at all. It is more a matter of having your key documents reviewed by someone who understands the links and the concepts, not just someone who has memorized the clauses.

Remember that once you have a system free of broken links, you have already started on the easy way to maintain an effective, low-cost and smart ISO 27001 security management system, something with the potential to make money for your business rather than being a hassle and an expense.

About SECURETARGET

Once Upon A Time . . .


SECURE TARGET was one of the first independent groups of professional freelancers in the field of IT security, founded in 1996 in the Islamic Republic of Iran, when even using the Internet in the country was a dream!

The freelance group, directed by its founder Kaveh Mofidi and initially named "Iran Security Consulting Group", had as its first and last mission delivering the right and accurate knowledge of computer security towards a safe and secure cyberspace. That objective laid the foundation for disclosing security vulnerabilities through intensive research and active discovery. The result was compiling numerous hands-on training courses on ethical hacking under the motto "Security through hacking", from internet portal security to system, application and network security and hacking essentials. This strategy was later replaced by a new approach of non-disclosure, the traditional "security through obscurity" policy, when the group found out that knowledge could easily end up in the hands of malicious users.


Members with decades of experience in the principles of computer security, a rare collection of IT professionals who worked hard and relied on constant learning to enhance the quality of service, finally departed from the group due to lack of financial support: the effect of an extremely depressed economy on top of technological sanctions on Iran, which forced the IT industry into survival mode, and hit "security", seen as an IT luxury, particularly and severely.