@ISACA Volume 4  21 February 2018

Six Essential Data Protection and Privacy Requirements Under GDPR

By Leighton Johnson, CISA, CISM, CIFI, CISSP

With the European Union (EU) General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, becoming enforceable on 25 May 2018, many organizations are reviewing how they gather, protect and retain the personal data of individuals in the EU. The regulation has many parts, as ISACA has described in many of its recent publications and events, but all of the required effort revolves around the protection and retention of EU data subjects’ personal information. The 6 main areas for data protection defined in this regulation are:

  1. Data security controls must be active by default, at all times. Making a protective control optional, or leaving it for the user to switch on, is not acceptable. “Always on” is the mantra for protection.
  2. These controls and the protection they provide must be embedded inside all applications. In the GDPR view, privacy is an essential part of a system’s functionality, its security and its processing activities, not a feature bolted on afterward.
  3. Along with embedding the data protection controls in applications, the system must maintain data privacy across the entire processing effort for the affected data. This end-to-end need for protection covers collection, retention and secure disposal, including the new “right to be forgotten” (right to erasure), under which an individual may request the removal of their data from an organization’s storage.
  4. Full data protection and privacy adds the complete set of security and business requirements to any processing system in this framework. Business requirements and data protection requirements are to be treated as equally important throughout the business process; one is not traded off against the other.
  5. The primary requirement for protection within the GDPR framework is that the security and privacy controls implemented are proactive rather than reactive. The system’s principal goal is to prevent incidents, unauthorized releases and successful attacks, that is, to keep privacy events from occurring in the first place rather than responding to them after the fact.
  6. With all of these areas required under GDPR, the most important point for organizations to understand is transparency. The EU expects full disclosure of an organization’s efforts, documentation, reviews, assessments and results, available for independent third-party review at any point. The goal is to ensure that the privacy these companies manage does not rest on trust in their technology or business practices alone: it must be provable to outside parties and, therefore, acceptable. The EU has purposely placed strong fines and enforcement responses into this regulation to ensure compliance.

Having reviewed various organizational efforts in preparation for GDPR implementation, I have found it good practice to apply these 6 areas to all collected and retained personal data, not just data about EU residents. The regulation’s zero-tolerance approach to data breaches is purposely designed to be stringent and strong. Good luck to all in meeting and maintaining the data privacy and security requirements of GDPR.

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security and Forensics Management Team of Bath, South Carolina, USA.


Webinar: Ignorance Is Not Bliss When It Comes to GDPR


The European Union General Data Protection Regulation (GDPR) introduces complex regulatory requirements that could leave an unprepared organization paralyzed. Waiting to implement GDPR until it becomes enforceable may increase your organization’s regulatory risk and put it behind competitors who treat privacy protection as a competitive advantage. Taking the initiative now to make meaningful changes in how your organization builds privacy protection into its operations may make all the difference come May 2018.

To help you implement GDPR business processes effectively at your enterprise, ISACA and MediaPro present the “GDPR—What You Don’t Know Can Hurt You” webinar. This webinar will help you understand the key risk areas around GDPR implementation and illustrate what you need to know to avoid being fined. This webinar takes place on 27 February at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Veronika Tonry, president of Privacy Know How LLC, will present the webinar. Tonry has more than 20 years of experience in the global data privacy industry. She will provide insight into GDPR risk analysis, strategic solutions, implementation and training.

To learn more about this webinar or to register for it, visit the GDPR—What You Don’t Know Can Hurt You page of the ISACA website.


Webinar: Maintenance After GDPR


What happens after the European Union General Data Protection Regulation (GDPR) becomes enforceable? A sound data protection strategy, an operational life cycle and the relevant standards must become business as usual once the regulation applies. The compliance deadline, 25 May 2018, may mark the day things change for privacy protection, but maintaining that standard afterward is just as important.

To help you maintain data protection after GDPR is in full swing, ISACA presents the “Maintaining Data Protection and Privacy After GDPR” webinar. This webinar will briefly examine the importance of a sound data protection strategy, the competencies and responsibilities needed in an organization to support the strategy, the key elements to establish in the operational life cycle, and the relevant standards to consider. This webinar takes place on 6 March at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Tim Clements, CGEIT, CRISC, FBCS CITP, FIP, CIPP/E, CIPM, CIPT, privacy program management at Mitigate, Denmark, will present the webinar. Clements will draw on his extensive background in data privacy and IT to illustrate what your enterprise must do to remain GDPR compliant from 25 May 2018 onward.

To learn more about this webinar or to register for it, visit the Maintaining Data Protection and Privacy After GDPR page of the ISACA website.


Tech Brief: What Are Cloud Access Security Brokers?


The cloud has allowed organizations to develop an increasingly significant number of applications, tools and services. Many of these services are tested, approved, implemented and monitored by the IT department, but sometimes business units move faster than IT, and the relatively low cost of and easy access to the cloud lets that development go unchecked. While speed, low cost and ease of access are all cloud benefits, the risk of data loss, reputation damage, noncompliance and breach must somehow be mitigated. Cloud access security brokers (CASBs) are one solution that can help monitor and reduce cloud risk. ISACA has released the ISACA Tech Brief: CASBs to explain how they are used to enhance your organization’s cloud security.

This complimentary tech brief explains to the lay person how CASBs can mitigate the risk of cloud-based storage and applications. The cloud has allowed organizations to expand so quickly that their ability to manage, monitor and secure data cannot keep pace. A CASB is positioned between the organization’s users and infrastructure and the cloud service providers, giving visibility into and policy control over cloud traffic, and works most effectively when paired with security information and event management (SIEM), firewalls, data loss prevention (DLP), endpoint management, web security, encryption and authentication.

The CASB tech brief, like other tech briefs in the series, is intended to offer a quick overview of a topic at a nontechnical level. Tech briefs are a great resource for IT professionals to use when educating their business partners on the basics of a technology that might hold potential in their industry.

To learn more and download this tech brief, visit the ISACA Tech Brief: CASBs page of the ISACA website.


Help Support and Strengthen the COBIT Community


One of the best ways to support and strengthen the COBIT community is through knowledge sharing. COBIT users worldwide add to the COBIT body of knowledge by sharing case studies, practical use articles and tips from COBIT trainers in ISACA’s weekly, peer-reviewed e-magazine COBIT Focus.

If you have experience working with COBIT, consider contributing an article about your work to COBIT Focus. Writing for COBIT Focus is a flexible process that is intended to accommodate, to the greatest degree possible, the needs and preferences of you and your enterprise. Connect the global community of COBIT users in a new way that benefits everyone.

For more information, visit the COBIT Focus Submit an Article page of the ISACA website. To submit an article, please contact mjasper@isaca.org.