IT asset management

"Organisations haven't taken privacy and cyber security seriously enough until now."

be met, every organisation, regardless of location, should create an asset register of sensitive files, understand who has access and who is accessing them, and determine when data can and should be deleted."

ADAPTING PRACTICES
Clearly, companies must look to adapt their practices ahead of schedule, given the complexity and scope of the new regulation.

"While it is billed as European legislation, the nature of networks and the digital economy imply that it will be far more wide-reaching than that," comments John Madelin, CEO at Reliance acsn.

"Organisations must take a holistic approach to privacy and security, with their most sensitive information at the heart of it, in order to adhere to the stringent guidelines more easily, as well as manage its downfalls.

"Businesses haven't taken privacy and cyber security seriously enough until now, and these higher levels of 'parental controls' will help security experts hold business leaders up to board level more accountable. Perhaps the most significant change is in notification.

"In the past, a company only had a problem if there was a breach," says Madelin. "The new legislation will require companies to demonstrate that they will detect and report a breach. Companies will have to invest in creating 24/7 alarming and reporting capabilities, integrated with their security infrastructure, which will allow them to adequately understand where the data is and protect it. At the moment, the majority of systems deployed are not fit for purpose."

MASSIVE UNDERTAKING
Preparing for GDPR is likely to be a cross-functional exercise, as legal, risk and compliance, IT and security all have a part to play in its implementation. "As it is not a small amount of regulation to comprehend, with 99 Articles and 173 Recitals to trawl through, there will be numerous processes, procedures, and training required, in addition to the need for technology and services, in order to demonstrate compliance," states Samantha Humphries, international solutions marketing manager at Rapid7.

"For some organisations, changes to roles and responsibilities will be required, too, such as appointing a data protection officer and nominating representatives within the EU to be necessary points of contact. Completing Privacy Impact Assessments and implementing processes for access control, incident detection and response, and breach notification will all be crucial in ensuring compliance. By introducing such processes, businesses can show that they understand where personal data physically resides, the categories of personal data they control and/or process, how and by whom it is accessed, and how it is secured," she adds.

Disaster recovery should also be high on any organisation's list. "Being able to detect attackers early can ease this process. User Behaviour Analytics can provide businesses with the capabilities to detect anomalous user account activity within their environment, so they can investigate and remediate quickly."

Recognising weak spots in systems and networks can also help businesses find focus. "By attacking their own systems through pen tests to demonstrate real-world scenarios, businesses can highlight potential failures and weaknesses that can be rectified to avoid the threat of a real attack," Humphries concludes. "This will aid compliance with Article 32, which states the need to have a process for regularly testing, assessing and evaluating the effectiveness of security measures."

Richard Brown, Arbor Networks: documentation is often created, 'put on the shelf' and then forgotten about.

Rob Norris, Fujitsu: now is the time to stop being hunted and instead become the hunter.

www.computingsecurity.co.uk @CSMagAndAwards May/June 2017 computing security 25