ISACA Now Blog

GDPR’s Impact in Hospitality, Incorporating NIST Cybersecurity Framework Concepts

Jason Lau, CISSP, CGEIT, CRISC, CISM, CISA, CEH, CNDA, CSM, Cybersecurity Advisor, Microsoft Hong Kong
Posted at 3:15 PM by ISACA News | Category: Privacy

We should all know by now what GDPR is and be aware of its implications and fines, so the goal here is not to repeat what others have covered in depth. Rather, I would like to share some learnings from the field (an international perspective). From speaking and working with executive-level security and risk leaders, I would like to shed some light on how organizations are viewing GDPR, using the retail/hospitality (“RH”) industry as a reference to frame the discussion.

My focus here will be on some of the key security aspects within the GDPR, namely (but not limited to) Article 24.1 and 24.2, which make reference to “appropriate technical and organizational measures” and “data protection policies” for processing data.

Many have tried to quickly “fill the compliance gap” between GDPR and some of the other compliance certifications they already hold, using frameworks like ITIL and COBIT 5. I also have seen cases where organizations have adopted the NIST Cybersecurity Framework to help with the security aspects of GDPR. Companies are taking the opportunity to leverage GDPR to safeguard data by improving their overall security profile. Looking at this holistically ensures that privacy and security continue to work hand-in-hand. In addition to GDPR, the Asia Pacific RH industry is also looking closely at China’s new Cybersecurity Law, Singapore’s recent update to its Cybersecurity Law, Australia’s Notifiable Data Breach (NDB) scheme and the most recent PCI DSS 3.2 update. We won’t go into these here, but if you have operations in Asia Pacific, you should look into these and more, as 2018 is definitely the year of compliance and regulation.

The full NIST Cybersecurity Framework, which “… consists of standards, guidelines, and best practices to manage cybersecurity-related risk,” can be downloaded from NIST. Using this framework has provided an additional way to tackle parts of the GDPR. Ultimately, it is about data privacy and data protection. Security plays a critical role in both, and you can see below how security controls (under the NIST Framework) can help to secure confidential data through the framework’s five functions: Identify, Protect, Detect, Respond and Recover.

Identify (and Discover)

  1. Organizational self-discovery is needed: understanding the key business units and their respective drivers, including key assets. Given the global footprint of the RH industry, understanding the flow of data between regional entities is critical to understanding the scope of, and exposure to, GDPR. Information about international data flows, and where the data was actually processed, often surprised those who were previously unaware of it.
  2. What other regulations/compliance requirements do organizations need to comply with for the regions in which they operate? For example, identify any possibilities of cross-border data sovereignty issues (e.g. GDPR/CCL) – are they transferring data outside of the EU? Are existing EU model clauses in place between the organizations and their suppliers/vendors to help with EU data protection laws?
  3. Conduct a gap analysis. Third-party audit and security risk assessments would help provide better visibility into the organization’s exposure to each of the points above and offer suggestions on how to improve overall governance.
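The cross-border question in point 2 above (is personal data leaving the EU, and is a transfer mechanism such as EU model clauses in place?) is easiest to answer from a data-flow inventory that can be checked mechanically. The following is an added example, not code from the ISACA post or from any RH organization: it takes a constructed inventory of flows between fictional group entities and vendors and lists every flow of personal data that leaves the EU/EEA without an accepted transfer mechanism. The EEA country subset, the accepted mechanisms and the inventory rows are all assumptions for illustration; a real gap analysis needs the complete, maintained country list and the organization's actual data-flow mapping.

```python
"""Added example (not from the ISACA post): flag cross-border personal-data
flows that leave the EU/EEA without a documented transfer mechanism.

Everything here is constructed for illustration: the inventory rows, the
entity names and the EEA subset. In a real gap analysis the inventory comes
from data-flow mapping across the group's regional entities, and the country
list must be complete and kept current."""

from dataclasses import dataclass
from typing import List, Optional

# Illustrative subset of EU/EEA countries (assumption: NOT a complete list).
EEA = {"DE", "FR", "IE", "NL", "ES", "IT", "SE", "NO", "IS", "LI"}

# Transfer mechanisms this check treats as acceptable (assumption).
ACCEPTED_MECHANISMS = {"EU model clauses", "adequacy decision", "BCR"}


@dataclass(frozen=True)
class DataFlow:
    source_entity: str
    source_country: str
    dest_entity: str
    dest_country: str
    data_category: str            # e.g. "guest PII", "loyalty", "payment"
    personal_data: bool           # does the flow carry personal data at all?
    mechanism: Optional[str]      # documented transfer mechanism, if any


def flow_gaps(flows: List[DataFlow]) -> List[str]:
    """Return one finding per flow of personal data that leaves the EEA
    without an accepted transfer mechanism. Non-personal data, intra-EEA
    flows and flows that do not originate in the EEA are not findings."""
    findings = []
    for f in flows:
        if not f.personal_data:
            continue
        if f.source_country not in EEA:
            continue                  # not an export from the EEA
        if f.dest_country in EEA:
            continue                  # intra-EEA: no transfer mechanism needed here
        if f.mechanism in ACCEPTED_MECHANISMS:
            continue
        findings.append(
            f"{f.source_entity} ({f.source_country}) -> {f.dest_entity} "
            f"({f.dest_country}): {f.data_category} exported without an "
            f"accepted mechanism (have: {f.mechanism or 'none'})"
        )
    return findings


# Constructed inventory for a fictional hotel group.
SAMPLE_FLOWS = [
    DataFlow("Hotel Paris", "FR", "Group HQ Singapore", "SG", "guest PII", True, None),
    DataFlow("Hotel Berlin", "DE", "CRM vendor", "US", "loyalty", True, "EU model clauses"),
    DataFlow("Hotel Dublin", "IE", "Hotel Amsterdam", "NL", "guest PII", True, None),
    DataFlow("Hotel Madrid", "ES", "Analytics vendor", "IN", "occupancy stats", False, None),
    DataFlow("Hotel Rome", "IT", "Call centre", "PH", "guest PII", True, "vendor NDA"),
]

if __name__ == "__main__":
    for finding in flow_gaps(SAMPLE_FLOWS):
        print(finding)
```

Run on the constructed inventory, the check reports the Paris-to-Singapore and Rome-to-Philippines flows (a vendor NDA is not a GDPR transfer mechanism) and stays silent on the Berlin flow covered by model clauses, the intra-EEA Dublin flow, and the non-personal occupancy statistics. Each finding is one item for the gap analysis in point 3.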

Protect (and Manage)

  1. The RH industry has an extremely mobile workforce, from management scouting new locations for expansion and traveling between hotels to front-line staff servicing customers at check-in through retail kiosks. The new “attack-surface” has evolved from a controlled physical network perimeter into an identity-driven perimeter. Thus, new ways of thinking about security need to be discussed and organizations need to explore tools and updated policies for remote cloud access of confidential data.
  2. PCI DSS 3.2 is on the radar as a hot topic (along with GDPR) for the RH industry. For example, Multi-Factor Authentication (MFA) is needed for more secure access to PII. Traditional MFA has its limitations, with all three factors (Something You Know, Something You Have, Something You Are) having vulnerabilities and having been defeated in some way, so the adoption of more behavioral-based conditional access is gaining a lot more traction. Big Data/AI integrated with MFA provides more granular, risk-based control of identity and access, especially for a highly mobile workforce in the RH sector.
  3. With at least two devices per worker (in RH, often a mobile phone and a tablet), Mobile Device Management (MDM)/Mobile Application Management (MAM) is needed to protect the device not only from external theft, but also from internal employee misuse. Companies need to be able to remote-wipe devices and control user access to confidential information on all of them. For MAM, the growing adoption of RH SaaS apps and internally developed apps will mean that confidential data exposes companies in new ways. This is where real-time monitoring and telemetry from cloud application monitoring (Cloud Access Security Brokers) can give additional visibility of anomalies, such as large download activity in a short period of time, which can also be detected via proxy and firewall logs.
  4. The list could go on for the “Protect” phase, but to mention a few more, it will be key to employ data classification and labeling, to protect data with encryption at rest and in transit (and to be able to report on it), and to build a culture of strong password requirements among your staff.
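Point 2 above describes moving from static MFA to risk-based conditional access, where context signals around a sign-in decide whether to allow it, demand a step-up factor, or block it. The block below is an added illustration, not code from the ISACA post or from any identity product: a rule-based scorer that combines four constructed signals (unfamiliar country against the user's baseline, unmanaged device, recent failed attempts, sensitivity of the requested resource) and maps the total to a decision. The signal names, weights and thresholds are assumptions chosen for the example; a deployed system learns baselines from the identity provider's telemetry and tunes thresholds against the false-positive rate of a mobile workforce.

```python
"""Added example (not from the ISACA post): a rule-based sketch of
risk-based, behavior-aware conditional access. Each sign-in carries context
signals; the policy scores them against the user's baseline and returns
allow, step-up MFA, or block.

Every signal, weight and threshold here is a constructed assumption."""

from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class SignIn:
    user: str
    country: str                     # geolocated source country of the request
    managed_device: bool             # enrolled in MDM/MAM?
    failed_attempts_last_hour: int   # from the identity provider's sign-in log
    resource_sensitivity: str        # "public", "internal" or "confidential"


@dataclass
class UserBaseline:
    usual_countries: Set[str] = field(default_factory=set)


# Signal weights and decision thresholds (assumptions for illustration).
WEIGHTS = {
    "unfamiliar_country": 40,
    "unmanaged_device": 30,
    "brute_force_signal": 35,
    "confidential_resource": 20,
}
BRUTE_FORCE_FAILURES = 5
MFA_THRESHOLD = 40
BLOCK_THRESHOLD = 80


def risk_score(attempt: SignIn, baseline: UserBaseline) -> Tuple[int, List[str]]:
    """Sum the weights of the risk signals present on this attempt and
    return the score together with the signal names (for the audit trail)."""
    reasons = []
    if baseline.usual_countries and attempt.country not in baseline.usual_countries:
        reasons.append("unfamiliar_country")
    if not attempt.managed_device:
        reasons.append("unmanaged_device")
    if attempt.failed_attempts_last_hour >= BRUTE_FORCE_FAILURES:
        reasons.append("brute_force_signal")
    if attempt.resource_sensitivity == "confidential":
        reasons.append("confidential_resource")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(attempt: SignIn, baseline: UserBaseline) -> Tuple[str, int, List[str]]:
    """Map the score to an access decision: allow, require MFA step-up, or block."""
    score, reasons = risk_score(attempt, baseline)
    if score >= BLOCK_THRESHOLD:
        return "block", score, reasons
    if score >= MFA_THRESHOLD:
        return "mfa", score, reasons
    return "allow", score, reasons


# Constructed scenarios for a fictional regional manager whose baseline is Hong Kong.
MANAGER = UserBaseline(usual_countries={"HK"})
SCENARIOS = {
    "hotel_office": SignIn("manager", "HK", True, 0, "internal"),
    "own_tablet_confidential": SignIn("manager", "HK", False, 0, "confidential"),
    "scouting_trip": SignIn("manager", "TH", True, 0, "internal"),
    "credential_stuffing": SignIn("manager", "BR", False, 6, "confidential"),
}

if __name__ == "__main__":
    for name, attempt in SCENARIOS.items():
        print(name, decide(attempt, MANAGER))
```

The point of returning the reasons alongside the decision is that every step-up or block is explainable to the user and auditable later; a scouting trip to a new country triggers MFA rather than a block, while the combination of an unfamiliar country, an unmanaged device, a burst of failed attempts and a confidential resource is denied outright.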

Detect

  1. AI and data analytics are becoming common with vendors, offering a myriad of solutions to help detect potential high-risk behaviors. The strategy needs to change to a more proactive approach.
  2. Detecting anomalies is the first step in cutting into the cyber attacker’s ROI along the attack kill-chain, provided more proactive detection and protection are put in place. This includes detection tools for advanced persistent threats, both on-premise and in the cloud, through to setting baselines for normal behavior and monitoring for deviations from the norm.

Respond

  1. Put simply, GDPR’s 72-hour mandatory breach notification will require the ability to collect, consolidate and respond to breach information within that window. Timeliness of the response is paramount and can only really be achieved if the organization implements processes that take advantage of real-time telemetry, data analytics, trend analysis and real-time dashboards. For example, feeding system and application logs into a security information and event management (SIEM) tool and setting up rules/alerts with the help of AI can significantly improve response times. Given the challenge of managing hundreds of hotel/retail stores, some RH organizations have implemented real-time NOC-type dashboards to give live visibility of status/breaches, and to drill down from a high-level, 20,000-foot view straight into the potential breach. The user can track malicious activity from the point of entry (such as an email phishing link) and observe the payload traversing the network, down to the OS-level attacks on devices. This helps to strengthen digital forensics.
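The Protect section mentioned that large download activity in a short period shows up in proxy and firewall logs, the Detect section calls for baselines and deviation monitoring, and the item above describes turning such logs into SIEM rules and alerts. The following added example, which is not code from the ISACA post or from any SIEM or CASB product, ties those together: it parses a handful of constructed proxy log lines and keeps a trailing per-user window of downloaded bytes, raising one alert the first time a user's volume within the window crosses a threshold. The log format, the ten-minute window, the 50 MB threshold and the user names are all assumptions; the input is expected in time order, as a SIEM would deliver it.

```python
"""Added example (not from the ISACA post): a sliding-window detection rule
for bulk downloads, of the kind a SIEM or CASB alert would implement over
proxy logs. Log format, window, threshold and users are constructed."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed proxy log format (assumption); real proxies differ per product.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) "
    r"bytes_out=(?P<out>\d+) bytes_in=(?P<in>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one proxy record; return None for lines that are not records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "dst": m["dst"],
        "bytes_in": int(m["in"]),   # bytes delivered to the client, i.e. downloaded
    }


def detect_bulk_downloads(lines: Iterable[str],
                          window: timedelta = timedelta(minutes=10),
                          threshold: int = 50_000_000) -> List[Dict]:
    """Alert once per burst when a user's downloads within any trailing
    `window` exceed `threshold` bytes. Lines must be in time order."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, bytes_in)
    totals = defaultdict(int)     # user -> sum of bytes_in currently in the deque
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue              # malformed or non-record lines are skipped, not fatal
        user, q = ev["user"], recent[ev["user"]]
        q.append((ev["ts"], ev["bytes_in"]))
        totals[user] += ev["bytes_in"]
        # Drop events that have aged out of the trailing window.
        while q and ev["ts"] - q[0][0] > window:
            _, old = q.popleft()
            totals[user] -= old
        if totals[user] > threshold:
            alerts.append({"user": user, "window_end": ev["ts"],
                           "bytes": totals[user], "events": len(q)})
            q.clear()             # one alert per burst: restart the window
            totals[user] = 0
    return alerts


# Constructed sample log: alice pulls 60 MB in under five minutes,
# bob downloads the same file sizes but half an hour apart.
SAMPLE_LOG = """
2018-05-25T09:00:05Z user=alice dst=crm.example.com bytes_out=1200 bytes_in=15000000
2018-05-25T09:01:10Z user=alice dst=crm.example.com bytes_out=1100 bytes_in=15000000
2018-05-25T09:02:40Z user=bob dst=pms.example.com bytes_out=900 bytes_in=15000000
2018-05-25T09:03:15Z user=alice dst=crm.example.com bytes_out=1300 bytes_in=15000000
2018-05-25T09:04:50Z user=alice dst=crm.example.com bytes_out=1000 bytes_in=15000000
this line is not a proxy record
2018-05-25T09:35:00Z user=bob dst=pms.example.com bytes_out=950 bytes_in=15000000
2018-05-25T10:05:00Z user=bob dst=pms.example.com bytes_out=940 bytes_in=15000000
2018-05-25T10:20:00Z user=alice dst=crm.example.com bytes_out=1000 bytes_in=15000000
"""

if __name__ == "__main__":
    for alert in detect_bulk_downloads(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, only alice trips the rule, at her fourth download (60 MB inside the window), while bob's identical file sizes spread over hours never do; that distinction between volume and rate is what a fixed per-request size threshold misses. The same window logic generalizes to other burst signals (failed logins, distinct destinations) by swapping the summed field.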

Recover

  1. The trend of auto-remediation will start to gain popularity, as AI can filter the real threat signals and close the gaps faster. I have seen a keen interest in this from the RH industry, which will be starting to trial more advanced AI recovery/remediation tools in 2018.

Since GDPR is so broad, try to consider how a holistic security approach can help kick-start or accelerate the GDPR compliance journey for your organization. In my examples above, the RH industry is using different approaches, including using the NIST Cybersecurity Framework to address some of GDPR’s security-related aspects. It may not be for everyone, so it is important that executives spend some time assessing which frameworks could be useful to their organization.

There is no simple recipe to GDPR compliance, so sharing of experiences in forums like this will be valuable. I look forward to learning more from our ISACA peers in the months to come.

Editor’s note: For additional ISACA resources on GDPR, visit
