In recent years, we have witnessed – and some of us have endured – an enormous number of public data breaches, most of which involved personal data. A quick web search on this (check https://haveibeenpwned.com/) would likely reveal that at least one of your personal or corporate accounts was breached at some point in the last few years.
On the other hand, while it has been almost a year since the GDPR came into force, studies and surveys from the past few months reveal that a considerable percentage of companies still claim to be fully GDPR compliant. In this context, we will review a few key compliance aspects from an IT perspective.
First, the famous Article 32 statement on “state of the art” security is widely discussed globally. This requirement has been relatively easy to interpret in the IT sector in terms of the services IT provides, such as applying appropriate access management policies and procedures, client protection, encryption, mobile device management, SIEM, etc., mostly by applying ITIL good practices and the COBIT framework. Where IT teams have had the most difficulty is deciphering how all of these practices are to be applied to business data (data owned and managed by different business teams), which tends to become unstructured over time. One of the key reasons for this challenge is the expectation that, since IT is championing the process of GDPR compliance (together with the Legal/Regulation teams), business teams should be presented with a solution that does not change or disturb the “business as usual” conducted pre-GDPR.
The identification and classification of all data sources, content, and “personal data” is key to having complete control over how data is handled, provisioned, and secured as part of mature IT services. To achieve this, preventing data silos is a crucial step that IT should continuously fight for. Separate data silos inevitably lead to uncontrolled domains that bypass the procedures and controls in place. The emphasis here is not to be strict in terms of meeting the service requests of the business, but rather to champion the business and provide guidance on designs that satisfy business needs while keeping central governance over the complete picture of corporate data sources.
Since we mentioned central governance, it goes without saying that the IT landscape – in order to deliver measurable good practices – should be centralized as well (either fully or on a policy basis) and be fully covered by an identity management governance method. Depending on many variables, such as company size, sector (and hence regulation level), and application landscape, companies may either go for a complete identity management solution, which is advised from an auditability perspective, or for a custom-designed, tailor-fit process coordinated with the application teams. Whatever the solution, the key is to keep these identity and role management transactions within the IT Service Management scope (and suite) so that they are measurable, auditable, and part of a continuous improvement cycle that can be applied over time against defined metrics.
As the main line of active defence, maintaining a high level of operational security, and therefore designing and maintaining an effective SOC (Security Operations Center), is a must. Naturally, SOCs should have state of the art tools at their disposal, such as network monitoring and security information and event management (SIEM) tools, leveraging AI for accurate correlation. On top of that, there are two factors that keep a SOC effective:
1) a good command of the configuration (including customization and setup competences) of such solutions, and
2) lean and close collaboration with the NOC and the Data Protection Officer/Breach Response Teams.
Only when the Data Breach Management process of the GDPR is combined with an effective Information Security Management framework can rapid, accurate and decisive reactions be assured.
As always, keeping the momentum going through continuous improvement cycles will deliver progressive results and steady steps forward.
–Serhat Ada, Head of IT at TTI