If anyone had any doubts, data privacy is still kind of a big deal. Beyond being at the core of regulations ranging from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the United States to the global, far-reaching General Data Protection Regulation (GDPR), data privacy has its own annual day of recognition – 28 January. As organizations design operational strategies and tactics around data privacy, opportunities to leverage applications with built-in functionality to safeguard sensitive and confidential data are valued. For those using Microsoft SQL Server 2016, there are a couple of areas where built-in functionality can assist with data privacy initiatives.
Where is the data?
Safeguarding of sensitive or confidential data generally begins with data classification. Once data has been identified and appropriately classified, the next effort is establishing internal controls commensurate with the sensitivity/confidentiality level of the data. Depending on the organization, designing and implementing internal controls may be a bit of a hurdle. In its 2017 State of Cybersecurity Metrics Annual Report, IT consulting firm Thycotic reported that 4 in 5 companies don’t know where their sensitive data is. Understandably, unknown data locations make it difficult to identify safeguards to protect the data. As in prior versions of SQL Server, SQL Server Management Studio (SSMS) in SQL Server 2016 can provide a list of databases. Also, in addition to a variety of other data querying options, Transact-SQL (T-SQL) queries can be used to locate data and related tables.
Who has the data?
Having identified where the data resides, entities are faced with ensuring that access to the data is limited to those with the appropriate roles in their organizations. Once those access determinations are made (following the Principle of Least Privilege), organizations can then use Microsoft SQL Server 2016’s Dynamic Data Masking (DDM) feature to support their access strategy. With Dynamic Data Masking, sensitive/confidential data remains unchanged in the database, while the designated columns are returned in masked form to users who are not privileged to see the real values. Organizations can fully or partially mask the sensitive/confidential data depending on how they configure DDM.
Another option for limiting access to data is to use Always Encrypted. This feature allows encryption of sensitive data (at rest and in transit) within client applications. Since encryption and decryption happen outside of the SQL environment, it facilitates least privilege by limiting data access to those who own the data and need to view it.
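As an added example that is not part of the original post, the following T-SQL script walks through the Dynamic Data Masking behaviour described above: a table with masked columns, a reader who sees only masked output, a role granted UNMASK, and the inference caveat a practitioner should know. The table, column and user names are constructed for illustration; run it in SSMS against a throwaway SQL Server 2016 database. Always Encrypted is configured on the client side and is not shown here.

```sql
-- Constructed example table: masking functions are declared per column.
CREATE TABLE dbo.Patient (
    PatientId  INT IDENTITY(1,1) PRIMARY KEY,
    FullName   NVARCHAR(100) MASKED WITH (FUNCTION = 'default()') NOT NULL,   -- full mask: 'xxxx'
    Email      NVARCHAR(200) MASKED WITH (FUNCTION = 'email()') NULL,         -- 'aXXX@XXXX.com'
    SSN        CHAR(11)      MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)') NOT NULL, -- keep last 4
    BirthYear  INT           MASKED WITH (FUNCTION = 'random(1900, 2000)') NULL, -- random in range
    Diagnosis  NVARCHAR(200) NOT NULL                                         -- unmasked on purpose
);
GO

-- Constructed sample rows (not real people).
INSERT INTO dbo.Patient (FullName, Email, SSN, BirthYear, Diagnosis) VALUES
  (N'Ada Example', N'ada@example.org', '123-45-6789', 1975, N'Seasonal allergies'),
  (N'Bob Sample',  N'bob@example.net', '987-65-4321', 1962, N'Hypertension');
GO

-- A reporting principal with SELECT only: gets masked values.
CREATE USER ReportReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Patient TO ReportReader;
GO

EXECUTE AS USER = 'ReportReader';
SELECT PatientId, FullName, Email, SSN, BirthYear, Diagnosis FROM dbo.Patient;
-- FullName shows 'xxxx', Email 'aXXX@XXXX.com', SSN 'XXX-XX-6789',
-- BirthYear a random number; Diagnosis is returned in clear.
REVERT;
GO

-- A principal whose role legitimately needs the real values: grant UNMASK.
-- UNMASK is a database-wide permission in SQL Server 2016, so grant it sparingly.
CREATE USER ClinicalStaff WITHOUT LOGIN;
GRANT SELECT ON dbo.Patient TO ClinicalStaff;
GRANT UNMASK TO ClinicalStaff;
GO

EXECUTE AS USER = 'ClinicalStaff';
SELECT PatientId, FullName, Email, SSN, BirthYear FROM dbo.Patient;  -- plaintext
REVERT;
GO

-- Caveat: DDM is a presentation control, not encryption. The stored value is
-- still used for filtering, so a reader with ad hoc query access can probe it.
EXECUTE AS USER = 'ReportReader';
SELECT PatientId FROM dbo.Patient WHERE SSN = '123-45-6789';  -- returns PatientId 1
REVERT;
GO

-- Inventory check for the "where is the data?" question: list masked columns.
SELECT t.name AS table_name, c.name AS column_name, c.masking_function
FROM sys.masked_columns AS c
JOIN sys.tables AS t ON c.object_id = t.object_id
ORDER BY t.name, c.name;
GO
```

Because of the inference caveat, pair DDM with tight SELECT grants and Always Encrypted for columns where the server itself must never hold plaintext.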
As data privacy expectations become more permanent fixtures of entities’ operational landscapes, built-in features such as Dynamic Data Masking will become more commonplace. The newer DDM functionality, coupled with existing functionality through SQL Server Management Studio, can help entities achieve and maintain data privacy goals. Coupled with best practices in data management, this built-in functionality should provide an easier path to meeting the data privacy expectations of customers and compliance regulations.
GDPR, the much-discussed General Data Protection Regulation from the European Union, will not be a cure-all for the world’s data privacy problems simply because the GDPR, like every law, is subject to the bureaucracy out of which it was born. This bureaucracy can be compared to a super tanker and those who would violate the law to speedboats. While the super tanker takes miles to make a simple course adjustment, speedboats can dance around the super tanker with little fear of a collision.
Sure, there will be times when a speedboat captain makes a mistake and collides with the super tanker resulting in the organization being penalized, but my current expectation is that the organizations that will ultimately pay the potential fine of 4 percent of global turnover will be few and far between. I say this because the GDPR, for all its good intentions, was created by humans, and lawyers will quickly find the loopholes, unintentionally created by the humans, to keep their customers from paying significant fines. Moreover, I simply do not believe that many of the organizations charged with enforcing the GDPR currently have the required manpower and skills to successfully enforce the law. Add to this the fact that Working Party 29 continues to provide guidance on what different sections of the law mean and, at least in the short term, we have a construct that may be difficult to enforce.
That said, I think the GDPR could have a very positive effect on the events we have recently seen involving Facebook, Cambridge Analytica and the political decisions they are claimed to have influenced. GDPR clearly lays out individuals’ rights, and a primary focus of data privacy and information security professionals should be training colleagues, family, and friends about those rights under this law and the threats that attempt to undermine their rights. The key to success is education, for it is only education that can fix stupid. We, the world, must add critical thinking to educational programs at all levels. An educated population, with solid critical thinking skills, will significantly improve our ability to reduce the effectiveness of fake news and to take back our democracies from the forces that would use our data and opinions against us.
Despite these observations, don’t despair. GDPR is a well-intended regulation that has the potential to change the way the world views data privacy. This value will be derived, however, through education rather than through fines. We must all understand that we do not have to accept our employers, governments or, perhaps worst of all, non-governmental organizations that attempt to sway public opinion on crucial political decisions, misusing our data. We have options. We can inform ourselves using multiple accredited sources. We must demand that our rights are respected. We should confront those who spread fake news, both on the internet and at our own dinner table. Most importantly, we can vote, with a few mouse clicks, and can close our accounts on those social media platforms which exploit our data for their gain. We must all understand that data privacy is a universal right and thinking critically about what those with access to our data will do with it is the ultimate safeguard for our data, our privacy and ultimately for our democracies.
Author’s note: The author’s views are his own and do not necessarily reflect the views of his employer.
There have been many developments for policymakers, privacy advocates, corporate execs and, in fact, the public at large to contemplate in light of recent news about Cambridge Analytica and the information collected by Facebook. The facts have been covered heavily elsewhere in the mainstream and industry press, so I’ll spare you a repeat play-by-play here. However, I do think there are a few important, timely observations to call out for leaders and practitioners in the security, risk and assurance communities.
Specifically, regardless of whether you are an end user of enterprise technology, an enterprise software vendor, or just an individual concerned about keeping your (and your household’s) information protected, there are some “lessons learned” to prevent or mitigate headaches down the road.
I should mention at the outset that these aren’t the only lessons that can be gleaned from these events, and they may not even be the best ones depending on your environment and circumstances. And, of course, we will continue to track developments as the story evolves, with perhaps more lessons on the horizon. Consider these, then, prudent measures for anyone – either observer or impacted party – and for organizations to benefit from, with current events serving as useful “proof points” to explore at the enterprise level.
A punch in the face?
The first factor is being aware of permissions you give and agreements that you enter into – particularly in relation to privacy and security. Quite a few people were surprised and concerned about the volume of information collected by Facebook on mobile platforms, and many viewed with alarm the realization that Facebook collects call records and sent/received SMS messages on Android phones. However, the permissions requested by the Facebook-supplied app (which users agree to when they install) let it do exactly that. While some might view the outcome as undesirable, the app specifically requested these permissions and users agreed to them at the outset.
An analogy would be someone asking you if they can punch you in the face. If you give them your consent to go ahead and take a swing, are they in the right or in the wrong when they follow through? That’s a thorny question, and arguments can be made on both sides (for example, it might matter how they asked the question in the first place). But they did ask for your consent first and, if you don’t want to get punched, you can say no.
This might sound a bit like “blame the victim” – and, if so, that is not my intent. I bring it up because there are lessons here for those on both sides of this equation: end user and technology supplier alike. For the end user, viewing critically (and with a healthy skepticism) the permissions that apps request – and the measures agreed to by a supplier or service provider – is always an exercise in prudence. While some vendors might be more transparent about what they’re doing than others, keeping a handle on what is being requested (or promised) is absolutely critical. This is, in fact, what the Android permission system was built for in the first place.
This same principle extends beyond mobile. For example, if your cloud provider says it is performing a certain task (such as a security countermeasure), how confident are you in that? Are you checking? How would you know if not? For those supplying those services or products, being transparent about why you’re asking for the permissions you’re asking for (and how they’ll be used) can save you quite a bit of hassle down the road, and being explicit about what you’re doing to keep information safe (and how) is likewise valuable.
The supply chain
The second item I’d call to your attention is the “transitive property” that exists between suppliers and the end entity – at least from a perception and customer point of view. For example, in this case, while it is true that Cambridge Analytica allegedly broke the rules and violated Facebook’s terms in how they acquired data, public angst (at least quite a bit of it) is directed at Facebook.
Are there reasons to be concerned about Facebook’s privacy and security more generally? Perhaps. But in this case, much of the pain that Facebook seems to be in results from actions taken by a member of its ecosystem rather than itself directly. As organizations become more interdependent on suppliers, contractors, business partners, and even customers, the lesson of how customers and the world at large will view a failure of trust is important. This is particularly true as it relates to private information about those users and customers.
So, lest we needed to be reminded, a lack of confidence in an organization’s data stewardship (i.e., a privacy issue, a security breach, or any other issue that impacts users’ information) caused by someone in the broader ecosystem can and often does generate ill-will toward those connected to it via supplier, partner or other relationships. You’ve heard the old saying that “you can’t outsource liability”? It’s as true now as ever.
I’m sure as events unfold, we’ll all learn more about these circumstances and, with that, new lessons will continue to emerge that we can adapt to the work we do on behalf of our organizations. But starting with these, and working to make sure that we are aware of permissions and agreements that we might have entered into (including potential consequences that might arise), and the relationships that we have in our supply chain that can potentially impact us, is a useful way to ensure we’re keeping our organizations in solid shape.
Although we are less than two months from the European Union’s General Data Protection Regulation (GDPR) compliance deadline of 25 May, many organizations are not yet confident in their level of preparedness for this landmark new data privacy regulation.
If that concern applies to you and your enterprise, know that you are in good company. Many of your colleagues across the globe are in a similar position, still working diligently to make the needed headway to be in solid position once GDPR takes effect.
Another reason not to panic: ISACA is here for you. Our new GDPR Assessment helps users and their enterprises identify gaps in their GDPR readiness and offers guidance on how to resolve those gaps. It provides customized output of areas in which your enterprise needs to focus and provides the opportunity to retake the assessment later after implementing the initial guidance.
The complimentary assessment was powered by the contributions of leading global security and privacy experts and includes gap analysis expertise from CMMI Institute. The tool is part of ISACA’s ongoing commitment to help our global professional community prepare for GDPR; if you have not recently viewed ISACA’s frequently updated array of resources on the topic, I encourage you to visit www.isaca.org/GDPR.
After such a long buildup, it is hard to believe that we are now less than two months away from the deadline. GDPR compliance should be seen as a business opportunity, rather than a roadblock. GDPR is not a checklist to be completed, separate from the enterprise’s core functions and capabilities. Instead, complying with GDPR needs to be a basic, foundational element of the organization’s operations, capabilities and decision-making. It requires a level of cross-functional collaboration that will serve the enterprise well long beyond the compliance deadline.
It will be fascinating to watch how data privacy regulations around the world evolve in the coming years. As the world becomes acclimated to conducting business with the EU in the era of GDPR, expect other nations to develop similar policies in an effort to deal with universal challenges in data protection and data privacy.
I fully expect the ISACA professional community to demonstrate leadership in embracing the challenge of helping their enterprises adjust to the new regulatory environment. GDPR represents an excellent opportunity to put our enterprises on stronger footing and better serve our customers.
Articles 37 and 38 of the General Data Protection Regulation (GDPR) provide information on the principles and impartiality of the critical data protection officer (DPO) role, specifying the high-level rules on what can and can’t be done. But like most of the GDPR, it leaves wide open the interpretation of how and when it is appropriate to have a DPO.
Article 29 Working Party has provided much-needed guidance on this subject, and we have been told which roles can’t hold DPO responsibilities (such as the CEO and Marketing Director, due to potential conflicts of interest). However, it does not address the first question on every organization's lips: “Do I need to appoint an independent DPO in the first place, and if yes, when?”
The answer lies in the organization itself, or more specifically, the types of data processing activities it undertakes. For example, if you process large quantities of EU personal data (such as a small US-based web profiling firm that tracks IP addresses or web cookies for a French utility website to provide customer website stickiness), or if you hold sensitive personal records like medical histories, then your organization qualifies under GDPR rules and you therefore need to allocate someone to manage the DPO responsibilities (note: the DPO does not necessarily have to be directly employed by the organization, just qualified to hold the role).
Like the applicability of GDPR itself, the DPO role is not dependent upon number of staff or size of turnover, which is why many of the UK’s 5.7 million small-to-medium sized organizations qualify for GDPR (55 million across the EU), and why so many other organizations around the world that provide services into Europe are busy preparing themselves for GDPR compliance. This makes GDPR a truly global regulation and its implications far-reaching. For example, if as an EU citizen I wanted to exercise my rights under GDPR with an organization based in Delhi, then I’m entitled to this right (assuming my personal data is processed there), and the organization has to uphold my request.
Depending upon the size of your organization and the level of processing activities you undertake, you may choose to nominate an individual with responsibility, split the responsibilities among different roles, or even outsource the role externally. However, the only stipulation is that the DPO must be truly independent, must understand the systems and processes that involve personal data and/or deliver services to EU citizens and, crucially, must be qualified or experienced in data protection. This is obvious when you consider the unique nature of advice given and the difficulty in interpretation of the GDPR rule book. It also precludes the role being held by a lawyer; as important as it is to understand the law, it is equally important to be able to implement the law within your organization.
So, every DPO has rather a difficult job to do. DPOs need to understand the implications of the law within your organization, uphold the rights of individuals and provide careful advice surrounding the implementation of the rules. Get this wrong, and you could end up in court or face huge financial penalties. Of course, this is naturally dependent upon how much data you are processing or perhaps the risks your systems face from their daily processing activities. In other words, if your systems for processing data are complicated and stretch back to the Domesday Book – you have a lot of work to do. Conversely, if you process small amounts of EU personal data, then the impact of GDPR is nominal. The key to appointing your DPO is choosing an individual who understands law, security and privacy risk. You need someone who can determine the difference between a business decision and a true privacy/security risk (e.g., consent, rights or data encryption), and has the ability to make crucial judgements on what could attract unwanted regulator attention or cost the business in loss of trade or a missed opportunity.
The key to this role, then, not only lies in finding a knowledgeable, balanced individual who is sensible under pressure, but also an individual who understands the principles of privacy and security, can act with integrity to protect the rights of an individual, and preferably can advise on protecting personal data to avoid any harm to that individual.
Above all, whether you outsource, co-source or hire a DPO (or contractor), my strong advice is that you pick someone who understands GDPR, risk and controls, and has experience in implementing mechanisms that will allow your organization to make appropriate and proportionate risk assessments (think privacy by design), and realistic recommendations that will balance the cost of compliance in doing business against the cost of growing the business.
Good luck in your search, and take your time to find the right solution for your organization.
Editor's note: For more ISACA resources on GDPR, visit www.isaca.org/gdpr.
We should all know by now what GDPR is and be aware of its implications and fines, so the goal here is not to repeat what others have covered in depth. Rather, I would like to share some learnings from the field (an international perspective). From speaking and working with senior security and risk executives, I would like to shed some light on how organizations are viewing GDPR, using the retail/hospitality (“RH”) industry as a reference to frame the discussion.
My focus here will be on some of the key security aspects within the GDPR, namely (but not limited to) Article 24.1 and 24.2, which make reference to “appropriate technical and organizational measures” and “data protection policies” for processing data.
Many have tried to quickly “fill the compliance gap” between GDPR and some of the other compliance certifications they already hold, using frameworks like ITIL and COBIT 5. I also have seen cases where organizations have adopted the NIST Cybersecurity Framework to help with the security aspects of GDPR. Companies are taking the opportunity to leverage GDPR to safeguard data by improving their overall security profile. Looking at this holistically ensures that privacy and security continue to work hand-in-hand. In addition to GDPR, the Asia Pacific RH industry also is looking closely at China’s new Cybersecurity Law, Singapore’s recent update to its Cybersecurity Law, Australia’s Notifiable Data Breach (NDB) scheme and the most recent PCI DSS 3.2 update. We won’t go into these here, but if you have operations in Asia Pacific, you should look into these and more, as 2018 is definitely the year of compliance and regulation.
The full NIST Cybersecurity Framework, which “… consists of standards, guidelines, and best practices to manage cybersecurity-related risk,” can be downloaded here (https://www.nist.gov/cyberframework). Using this framework has provided an additional way to tackle parts of the GDPR. Ultimately, it is about data privacy and data protection. Security plays a critical role in both, and you can see below how security controls (under the NIST Framework) can help to secure confidential data through Identify, Protect, Detect, Respond and Recover.
Identify (and Discover)
- Organizational self-discovery by understanding key business units and their respective drivers, including key assets, is needed. Given the global footprint of the RH industry, understanding the flow of data between regional entities is critical in understanding the scope and exposure to GDPR. Information about international data flows and where the data was actually processed often surprised many who were previously unaware.
- What other regulations/compliance requirements do organizations need to comply with for the regions in which they operate? For example, identify any possibilities of cross-border data sovereignty issues (e.g. GDPR/CCL) – are they transferring data outside of the EU? Are existing EU model clauses in place between the organizations and their suppliers/vendors to help with EU data protection laws?
- Conduct a gap analysis. Third-party audit and security risk assessments would help provide better visibility into the organization’s exposure to each of the points above and offer suggestions on how to improve overall governance.
Protect (and Manage)
- The RH industry has an extremely mobile workforce, from management scouting new locations for expansion and traveling between hotels to front-line staff servicing customers at check-in through retail kiosks. The new “attack-surface” has evolved from a controlled physical network perimeter into an identity-driven perimeter. Thus, new ways of thinking about security need to be discussed and organizations need to explore tools and updated policies for remote cloud access of confidential data.
- PCI DSS 3.2 is on the radar as a hot topic (along with GDPR) for the RH industry. For example, Multi-Factor Authentication (MFA) is needed for more secure access to PII data. Traditional MFA has its limitations, with all three forms (Something You Know, Something You Have, Something You Are) having vulnerabilities and having been hacked in some way, so the adoption of more behavioral-based conditional access is gaining a lot more traction. Big Data/AI integrated with MFA provides more granular risk-based control of managing identity and access, especially for a highly mobile workforce in the RH sector.
- With at least two devices per worker (in RH, often a mobile phone and tablet), Mobile Device Management (MDM)/Mobile Application Management (MAM) is needed to protect the device not only from external theft, but also from internal employee misuse. Companies need to be able to remote wipe and control user access to confidential information on all devices. For MAM, the growing adoption of RH SaaS apps and internally-developed apps will mean that confidential data exposes companies in new ways. This is where real-time monitoring and telemetry from cloud application monitoring (Cloud Access Security Brokers) can give additional visibility of anomalies, such as large downstream activity in a short period of time, which can be detected via proxy and firewall logs.
- The list could go on for the “Protect” phase, but to mention a few more, it will be key to employ data classification and labeling of data to protect it, to report on encryption of data at rest and in transit, and to build a culture of strong password requirements for your staff.
- AI and data analytics are becoming common with vendors, offering a myriad of solutions to help detect potential high-risk behaviors. The strategy needs to change to a more proactive approach.
- Detecting anomalies is the first step in undermining the cyber attacker’s return on investment along the attack kill chain, provided more proactive detection and protection are put in place. This includes detection tools for advanced persistent threats, both on-premise and in the cloud, through to setting baselines for normal behavior and monitoring for deviations from the norm.
- Put simply, GDPR’s 72-hour mandatory breach notification will require the ability to collect and consolidate evidence and respond within that window. Timeliness of the response is paramount and can only really be achieved if the organization implements processes that take advantage of real-time telemetry, data analytics, trend analysis and real-time dashboards. For example, feeding system and application logs into a security information and event management (SIEM) tool and setting up rules/alerts with the help of AI can significantly improve response times. Given the challenge of managing hundreds of hotel/retail stores, some RH organizations have implemented real-time NOC-type dashboards to give live visibility of status/breaches, and to drill down from a high-level, 20,000-foot view straight into the potential breach. The user can track malicious activity from point of entry (such as an email phishing link) and observe the payload traversing the network, down to the OS-level attacks on devices. This helps to strengthen digital forensics.
- The trend of auto-remediation will start to gain popularity, as AI can filter the real threat signals and close the gaps faster. I have seen a keen interest in this from the RH industry and will be starting to trial more advanced AI recovery/remediation tools in 2018.
Since GDPR is so broad, try to consider how a holistic security approach can help kick-start or accelerate the GDPR compliance journey for your organization. In my examples above, the RH industry is using different approaches, including using the NIST Cybersecurity Framework to address some of GDPR’s security-related aspects. It may not be for everyone, so it is important that executives spend some time assessing which frameworks could be useful to their organization.
There is no simple recipe to GDPR compliance, so sharing of experiences in forums like this will be valuable. I look forward to learning more from our ISACA peers in the months to come.
Editor’s note: For additional ISACA resources on GDPR, visit www.isaca.org/GDPR.
India is a country at the cross-roads of transformation. As one of the fastest-growing economies, it is expected to be the most populous country in the world in a few years, potentially home to about 20 percent of the world population. Therefore, events in India are becoming increasingly relevant from an economic as well as geopolitical perspective.
The advent of the General Data Protection Regulation (GDPR) has brought significant focus globally and in India on privacy. The interest in privacy goes beyond the transactional and operational aspects. It explores deeper into the basis and relevance for privacy.
It is in this context that a landmark judgment delivered in August 2017 by The Supreme Court of India assumes significance. A nine-judge bench of the Supreme Court delivered the order that privacy is a fundamental right and an intrinsic part of the right to life and personal liberty guaranteed by the Constitution of India. The judgment has settled the debate on the matter and has meant that initiatives and activities of the government, as well as those of private enterprises and organizations, will need to ensure that privacy of individuals is protected.
A committee was formed by the Indian government in 2012 under the chairmanship of the former Chief Justice of the Delhi High Court to draft a paper that would facilitate the authoring of a privacy law for India. The committee suggested a detailed framework to serve the conceptual foundation for the proposed privacy law and mentioned the following features that should be included:
- Technological neutrality and interoperability with international standards. This feature recognizes the need to preserve privacy in the face of ever-changing technology. It also recognizes the need to be in harmony with international regimes to create trust for cross-border data flow.
- Multi-dimensional privacy. This aspect recognizes that privacy protection involves different types of data and different methods of communication and storage.
- Horizontal applicability. The frameworks should not discriminate between the government and private enterprise in matters related to protection of privacy.
- Conformity with the privacy principles. The committee has laid down privacy principles that are in conformity with globally recognized principles such as choice, collection limitation, etc.
- Co-regulatory enforcement regime. The committee has recommended a structure for regulators and emphasized the need for self-regulatory industry or sector-specific bodies.
India has now set into motion discussions for a data protection law. The government has assembled a committee to study various aspects needed to create a bill under the chairmanship of Justice Srikrishna, former Supreme Court judge. The proposed law is expected to address data privacy in a holistic manner. The committee had issued a white paper to solicit opinion from various stakeholders and the public on multiple aspects, including the content of the law.
GDPR has been a significant step that has spurred discussions around data protection and privacy across the globe, and India is no exception. Given the significance of information technology to India’s growth, the interest is natural. In terms of population, India is about 2.5 times that of the EU. The impact and significance of the data protection law in India is likely to be even higher. It is certain that India is on a path that is in sync with the global direction.
Editor’s note: To view ISACA’s resources on GDPR, visit www.isaca.org/GDPR.
With less than 100 days to 25 May, many organizations outside the European Union have the same question: “Does the General Data Protection Regulation (GDPR) apply to my organization?”
The answer has to be “it depends” – although this is an answer that no one likes. You cannot immediately say yes or no. Instead, you need to take a step-by-step approach: identify the requirements of GDPR, establish the organization’s connection with the personal data of EU citizens, and consult an attorney specializing in GDPR as needed. The answer to this question can only be given based on an analysis of the organization’s operations and usage of personal data, based on Article 3, which defines territorial scope. This article is really important for organizations outside of the EU to determine whether they need to adhere to GDPR. The article states that organizations must comply with GDPR if they offer goods or services to EU citizens, even without payment, or monitor behavior of EU citizens (data subjects). In today’s digital world, these practices are not rare.
The starting point should be to determine whether the organization processes personal data of EU citizens, either as a controller or a processor of data, or whether a part of your organization operates within EU borders. If the answer to one of these questions is yes, then it does not matter where your business headquarters are located. As long you are in the “place where Member State law applies by virtue of public international law,” you need to comply with GDPR.
To help guide this process, organization should perform a data protection impact assessment as a required element of GDPR. This is an initial step in determining the need to comply with GDPR in the process of GDPR implementation. Once the organization determines that it has to comply with the regulation, the compliance program must include all parts of data processing. Data processing “includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.” GDPR applies to both automated and manual data processing.
An organization impacted by GDPR needs to assess, implement and comply with its specific requirements. These requirements affect the entire organization and how day-to-day operations involving personal data are conducted. New processes and controls should be implemented to protect the personal data of individuals in the EU and to protect the organization from the liabilities that non-compliance with GDPR brings.
Organizations that see 25 May not only as a deadline but as the starting point of a long-lasting GDPR compliance program will have an advantage in applying GDPR principles to the processing of personal data. Organizations should use this moment as an opportunity to implement best practices and realize the benefits of GDPR.
Editor’s note: ISACA’s Implementing the General Data Protection Regulation publication is an educational resource for privacy and other interested professionals; it is not legal or professional advice. Consult a qualified attorney on any specific legal question, problem or other matter. ISACA assumes no responsibility for the information contained in this publication and disclaims all liability with respect to the publication. 2018 © ISACA. All rights reserved. For additional ISACA resources on GDPR, visit www.isaca.org/GDPR.
The purpose of the General Data Protection Regulation (GDPR) is to harmonize the data privacy regulations that each European Union member state implemented to comply with GDPR’s predecessor, the 1995 Data Protection Directive (95/46/EC). GDPR provides a single, comprehensive regulation that is compulsory for all organizations processing the personal data of individuals in the European Union.
The regulation becomes enforceable on 25 May 2018, after a two-year transition period to allow organizations to prepare. GDPR substantially increases data subjects’ rights – and with administrative fines of up to 4% of total worldwide annual turnover or €20 million, whichever is higher, the regulation has the potential to fundamentally change the way organizations view and process personal data. That said, the purpose of this blog post is not to tell you what GDPR is, who it will impact, nor to pour more oil on the fear-mongering flames. Over the past two years, most of us have seen more than enough of these types of articles from privacy experts. I am writing today to introduce ISACA’s new GDPR guide.
Six months ago, ISACA brought together a team of information technology, information security, audit and data privacy professionals from around the world to help develop a guide that provides a pragmatic approach to implementing GDPR in organizations large and small. This guide provides a comprehensive introduction to GDPR, along with a plan to help organizations implement a data privacy program that complies with GDPR requirements.
The guide also incorporates, where available, the guidance of the Article 29 Data Protection Working Party (WP 29), which clarifies various topics covered in the regulation. At 100 pages, the guide can be easily read in a weekend. It will serve as a handy guide during the implementation of your data privacy program and as a solid reference during your day-to-day activities.
The guide provides advice on topics such as identifying and classifying personal data, data governance, information security, managing compliance in your supply chain, data breaches, employee awareness and more. It also includes several annexes with specific recommendations to help practitioners implement an effective and efficient data privacy program. Annex 1 is divided into nine domains covering 46 processes organizations should implement as part of their GDPR programs. Annex 2 provides guidance on how to set up and manage the Data Protection Impact Assessment (DPIA) process. Annex 3 provides a sample personal data register – the record of processing activities that must be created, maintained and made available to the supervisory authority on request. Throughout the document, we have defined common data privacy terminology and included a glossary of terms that we suggest you ensure are used correctly within your organization to avoid confusion.
The ultimate purpose of the guide is not simply to help organizations become GDPR compliant, but also to ensure the privacy of real people. To this end, we stress that the comprehensiveness of your data privacy program should be based on the risk to the subjects’ data that you hold and not solely on the risk to your organization.
ISACA’s GDPR Working Group believes that implementing GDPR will not only reduce the risks to your organization, partners and customers, but also has the potential to improve the effectiveness of your organization through the implementation of sound policies and processes. Many of us on the working group are privacy practitioners who will use the guide to help implement GDPR in our organizations. This will allow us to see first-hand what worked well and what could be improved. Stay tuned to this space, as we will provide regular updates as we count down to 25 May. Once we’ve received sufficient feedback, we will review and update the guide. In the meantime, we hope this guide is beneficial to you and your organization.
Medical device security flaws are increasingly in the news. Consider the announcement from the U.S. Food & Drug Administration last year about a flaw in one model of a St. Jude Medical implantable pacemaker, which has since been covered in more than 14,000 published reports. Thirty-four different individuals sent me a message soon after the news broke, asking if I had heard about the approximately 750,000 pacemakers of this specific model that had significant security vulnerabilities. Many reports about other types of wirelessly connected medical device flaws occurred prior to that, and more have been reported in the few months since.
Medical devices are integral parts of hospital networks
According to various estimates from research organizations – and healthcare CISOs I chatted with at the Detroit SecureWorld event last fall, where I delivered a keynote about medical devices – anywhere from 30-70% of medical devices within hospitals and clinics are “smart” – digitally connected to smartphones, the internet, clinic networks, directly to other devices, etc. These large numbers of networked medical devices widen the range of security and privacy incidents that can occur through exploitation of their vulnerabilities – especially via devices that have no meaningful security controls engineered into them.
Security and privacy incidents can occur due to various factors, such as:
- Malicious outsider intent - hackers who use such things as ransomware, DDoS bots and other malware to shut down and disrupt network availability, exfiltrate and/or modify data, delete data, etc.
- Malicious insider intent - inappropriately accessing patient data, using patient data for identity fraud and other crimes, selling patient data to criminals, etc.
- Mistakes - input errors, programming errors, accidentally opening access to unauthorized individuals, etc.
- Unintended consequences resulting from lack of planning - attaching smart medical devices to a network where anti-malware software flags them as malicious and shuts them off; devices flooding the network with data volumes beyond its bandwidth capacity and creating a denial of service, etc.
- Lack of personnel information security and privacy awareness, which can lead to all the previous examples, in addition to knowingly taking actions that result in privacy breaches, data modification, patient harm, etc.
Security complexity requires multiple layers of controls
Some changes to medical devices can be made remotely. Others must be made in proximity using near field communication (NFC). However, I’ve communicated with too many in the medical device industry who have expressed belief, or claimed, that using NFC is a 100% solution for security. When I asked on three different occasions in 2017 about the security of their newly announced medical devices, representatives (IT security VPs/management) from each of three different large medical device manufacturers told me, “We use NFC, so security is not an issue.” When I explained that if medical devices attach via NFC to computers that are part of a network, then basically any other node on that network may be able to get to the medical device through that network connection, such as through control settings necessary for network functions, or through the use of discovery tools such as Shodan, each of the medical device representatives stopped communicating with me. Avoiding a security risk discussion does not solve the associated security risk.
A lack of planning when integrating devices with networks and systems can shut down medical devices, sometimes during operations. There have already been medical devices used for performing operations, such as heart procedures, that shut down as a result of an anti-virus scan. Or the time a nurse tried to charge her cellphone from the USB port of an anesthesia machine and shut the machine down. I could provide a hundred additional examples. If medical device manufacturers do not improve the security engineering of their medical devices, security incidents will increase, along with privacy breaches and patient harm.
Medical device security concerns are justified
Healthcare providers (doctors, nurses and surgeons) are concerned. Rightly so. Flawed devices negatively impact their ability to assure patients they are providing them with safe devices that will help, and not potentially harm, them.
Healthcare information security practitioners (CISOs, CIOs, VPs, managers, etc.) are concerned. And for good reason. Security flaws within medical devices create vulnerabilities to data and functioning not only within the devices themselves, but also to the networks to which they are attached, and other devices on the networks.
Healthcare IT auditors are concerned. And they should be. Insufficient medical device security controls are compliance violations for growing numbers of regulations, laws and contractual requirements, in addition to facilities’ own posted privacy and security notices, which contain promises to which they are legally bound.
Healthcare regulators are increasingly concerned. Justifiably so. They are accountable for ensuring information security and privacy regulations are followed. When regulators see more reports of medical device security flaws and vulnerabilities, they are going to become more proactive to pressure medical device-makers to improve security controls, and to pressure device users to ensure devices are implemented with appropriate security.
Patients are concerned. Of course. Their lives could be at stake.
Dedicate 2018 to improving medical device security
As Data Privacy Day approaches this Sunday, here’s a recommendation for those in the medical device space (manufacturers, engineers and vendors). Make it a goal in 2018 to establish effective, practical information security controls within your devices. Stop telling hospitals and clinics that it is not practical for you to do this. Building security controls into devices from the start is actually more practical, and it significantly improves protection for those using the devices. This idea is supported not only by the information security profession but also by the FDA and other regulators.
This will not let healthcare data security practitioners off the hook. Even if medical device creators improve the security of their devices, healthcare IT and security practitioners will still need to remain diligent to ensure the security of those devices in how they are connected to their networks, the control settings to access them, and the management of the data that comes from them. But improved device security will support these efforts.
Establish your baseline for current levels of medical device security now. Then, in December of this year, determine if and where there have been improvements, or if data security, privacy and patient protections have actually degraded. It all depends upon where medical device companies decide to place their priorities.