


data regulations

Ian Kilpatrick, EVP Cyber Security for Nuvias Group: it's not too late to do something.

James Wickes, CEO and co-founder, Cloudview: organisations with old cameras or cameras not manufactured in the UK should review their systems.

what data, for how long, and when. Data consumers can access and use data independently, while administrators retain full control over masking, privileges and physical resources.

Treat all data equally - most security teams focus on protecting data in the production environment, but the same budgets and controls are often not afforded to the non-production copies used in test, reporting, training and analytics systems. The danger is that non-production data represents approximately 80% of an organisation's total data and its most vulnerable attack surface. By treating non-production data as you would production data, you can mandate policies that reduce the risk of data breaches in every environment, production and non-production alike.

Use technology shortcuts - the deadline for GDPR compliance is 25 May 2018, and you will never protect all your sensitive data in time by doing things the way you always have. Modern data masking solutions include database profiling tools that scan tables and fields to detect confidential information, such as email addresses, credit card numbers or patient records. Some also recommend a masking algorithm for each field they find, which dramatically cuts the time it takes to build and enforce data masking.

Stop reinventing the wheel - define security policies once, rather than in silos or at the project level, and, where possible, apply them everywhere. Set enterprise-wide security policies to ensure that the right data is protected, using the right controls and masking algorithms. Policies must then be applied consistently, regardless of the data source, to support compliance with regulations such as HIPAA and GDPR.
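The profile-then-mask workflow described above, as an added example that is not part of the original article and not any vendor's product: it profiles a small constructed SQLite table, classifies columns as email addresses or card numbers (Luhn-checked, with column-level voting so a stray Luhn-valid order number does not flag a whole column), picks a masking algorithm per class, and rewrites the non-production copy with a deterministic, format-preserving mask. The masking key, the two classes, the 80% voting threshold and the sample rows (fictitious emails and the industry's standard test card numbers) are assumptions made for the example.

```python
"""Added example: profile a non-production table for sensitive columns and
apply a deterministic masking algorithm per detected class (illustrative
code, not any vendor's product). Only the standard library is used."""
import hashlib
import hmac
import re
import sqlite3

# Assumption for the example: in practice the masking key comes from a KMS/HSM
# and is never stored alongside the masked copy.
MASKING_KEY = b"example-masking-key-rotate-me"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PAN_DIGITS_RE = re.compile(r"^\d{13,19}$")  # card numbers after stripping spaces/hyphens


def luhn_sum(digits: str) -> int:
    """Luhn weighted digit sum, taken from the right-hand (check) digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_ok(digits: str) -> bool:
    return digits.isdigit() and luhn_sum(digits) % 10 == 0


def classify_value(value):
    """Return 'email', 'pan' or None for a single cell value."""
    if not isinstance(value, str):
        return None
    s = value.strip()
    if EMAIL_RE.match(s):
        return "email"
    digits = re.sub(r"[ -]", "", s)
    if PAN_DIGITS_RE.match(digits) and luhn_ok(digits):
        return "pan"
    return None


def profile_table(conn, table, sample=200, threshold=0.8):
    """Map column name -> class for columns where at least `threshold` of the
    sampled non-NULL values share one class (column-level voting limits false
    positives from the odd Luhn-valid order number)."""
    cur = conn.execute(f'SELECT * FROM "{table}" LIMIT ?', (sample,))
    cols = [d[0] for d in cur.description]
    rows = cur.fetchall()
    profile = {}
    for idx, col in enumerate(cols):
        counts, n = {}, 0
        for row in rows:
            if row[idx] is None:
                continue
            n += 1
            cls = classify_value(row[idx])
            if cls:
                counts[cls] = counts.get(cls, 0) + 1
        best = max(counts, key=counts.get, default=None)
        if best and counts[best] / n >= threshold:
            profile[col] = best
    return profile


def _prf(value: str) -> bytes:
    """Keyed PRF: the same input always masks to the same output (joins across
    tables keep working) but cannot be reversed without the key."""
    return hmac.new(MASKING_KEY, value.encode(), hashlib.sha256).digest()


def mask_email(value: str) -> str:
    tag = _prf(value.strip().lower()).hex()[:12]
    return f"user-{tag}@masked.example"


def mask_pan(value: str) -> str:
    """Format-preserving: same length and Luhn-valid, so downstream validation
    in test systems keeps passing on the masked copy."""
    digits = re.sub(r"[ -]", "", value)
    n = len(digits)
    body = str(int.from_bytes(_prf(digits), "big")).zfill(n - 1)[-(n - 1):]
    check = (10 - luhn_sum(body + "0") % 10) % 10
    return body + str(check)


MASKERS = {"email": mask_email, "pan": mask_pan}  # the recommended algorithm per class


def mask_table(conn, table, profile):
    """Rewrite every classified column in place using its recommended masker."""
    for col, cls in profile.items():
        masker = MASKERS[cls]
        for rowid, v in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"').fetchall():
            if v is not None:
                conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?', (masker(v), rowid))
    conn.commit()


def demo():
    """Constructed sample data: fictitious emails and standard test card numbers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT, card TEXT, notes TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", [
        (1, "Alice", "alice@example.org", "4111 1111 1111 1111", "vip"),
        (2, "Bob", "bob@example.net", "5500-0000-0000-0004", "n/a"),
        (3, "Carol", "carol@example.com", "340000000000009", None),
    ])
    profile = profile_table(conn, "customers")
    mask_table(conn, "customers", profile)
    return profile, conn.execute("SELECT * FROM customers ORDER BY id").fetchall()


if __name__ == "__main__":
    found, masked = demo()
    print("profile:", found)
    for row in masked:
        print(row)
```

Two design points worth keeping in mind when applying this for real: the HMAC-based mask is a pseudonymisation, so whoever holds the key can still link masked rows back to the originals, and GDPR treats pseudonymised data as personal data; and the regex/Luhn profiler will miss free-text columns (the "notes" field above) that may still carry names or card numbers, which is why the article's advice to treat non-production copies with production-grade access controls still applies after masking.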
QUICK WINS

Encrypting known sensitive data is recommended as a 'quick win' by Colin Tankard, managing director, Digital Pathways. "This is the only technology that is 'called out' in the GDPR rules. 'Awareness' is vitally important. Decision makers and key staff should be aware of GDPR. If not, companies should quickly instigate an awareness campaign to all staff. This provides key evidence of GDPR compliance by the organisation."

Ensure that subject access requests are dealt with swiftly and efficiently. "There are current rules with regard to individuals and how companies should respond to a request to show what information is held. GDPR extends this to areas such as your data retention periods and the right to have inaccurate data corrected within 30 days, at zero cost to the requestor," he states.

Other areas Tankard identifies that can be handled with reasonable ease include:

Accountability: GDPR includes provisions that promote accountability and governance. Internal audits of processing activities, assessments of data protection policies and reviews of HR policies should therefore be started again, as evidence that GDPR is being considered.

Data handling: it is important to identify sensitive data and control who has access to it, especially if that is an outside agency or processor.

Consent: under GDPR there must be a positive opt-in for data to be stored or used for marketing. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to offer simple ways for people to withdraw consent. Consent has to be verifiable.

Data breaches: a personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This needs to be reported to the supervisory authority within 72 hours, so companies need to have plans in place to meet this requirement.

26 computing security March/April 2018 @CSMagAndAwards

As for the NIS Directive (the Network and Information Systems Directive, which takes effect in May 2018), this is directed at the cyber security of operators of essential services and digital service providers, so that robust security measures are in place to protect networks and data against serious breaches. "As a bare minimum," says Tankard, "they must control who has access to critical data and systems, and deploy strong authentication techniques, such as two-factor authentication, coupled with encryption. And it would be prudent to consider evidencing your security position by obtaining accreditation."

AUDIO AND VIDEO

As organisations work towards GDPR compliance, many may not realise that it also applies to audio and video material if this allows individuals to be identified, points out James Wickes, CEO and co-founder, Cloudview. "This includes recordings from the CCTV systems that they use to protect people, property and premises. These systems are often installed without any involvement from the IT department, so may not be identified when assessing GDPR risks. Add in the NIS Directive and the risks of breaching the regulations escalate exponentially." The first step is to understand what data is being collected and how the risk arises, he says. "Vulnerabilities in CCTV systems range from use of port forwarding and Dynamic DNS to a lack of firmware updates and the existence of manufacturer 'back doors' which are often revealed on the internet." These back doors may be deliberate and pose a significant risk.
However, ensuring compliance is relatively straightforward, Wickes says, suggesting the following:

Carry out a Privacy Impact Assessment (PIA) to identify and minimise risks, and ensure there is appropriate signage and information about the recording of video and audio data.

Limit data access to authorised personnel only.

Check record-keeping: recordings must be fit for purpose and accurately date- and time-stamped, and organisations should be able to access them easily to comply with a subject access request or police investigation.

Continually assess data security. This includes simple precautions: ensuring strong passwords, regularly updating firmware, and ensuring CCTV data is encrypted both in transit and when stored, as recommended by the Information Commissioner's Office and the Surveillance Camera Commissioner. Some cloud-based systems encrypt all data at source and store it securely in the cloud.

Limit data collection. This includes confirming that every CCTV camera serves a legitimate purpose and that the system can be switched off, so recording is not continuous. This is also a great help when it comes to finding events: continuous recording makes it harder to find anything.

Limit processing to the purpose for which the data is collected, and delete recordings when they no longer serve a purpose. This prevents data being used for purposes outside those originally intended.

"In the medium term, organisations with old cameras or cameras not manufactured in the UK should review their systems," Wickes advises, "and consider whether to retrofit secure adapters or implement a more secure solution."

Colin Tankard, managing director, Digital Pathways: encrypting known sensitive data can serve as a 'quick win'.

Jes Breslaw, director of strategy, EMEA at Delphix: companies should be investigating the idea of DataOps.