RiskXtraSeptember2018

More documents

Recommendations

Info

x RISKXtra Smart GDPR Assurance for a Smarter World Something needs to change when you’re confronted by the present situation whereby devices professing to be ‘Smart’ or part of a ‘Smarter System’ ask for personal data, but are then easily hacked into by criminals such that valuable personal information can be stolen. In an exclusive article for Risk Xtra, James Willison and Sarb Sembhi examine stakeholder roles in achieving data protection (and security) by design and default in ‘Smart Projects’ with Internet of Things (IoT) devices We’ve just published a new approach to the European Union’s General Data Protection Regulation (GDPR) for security professionals and the stakeholders whom they deal with on a daily basis. The 40- page White Paper, which is sponsored by Axis Communications, stands out because, until now, many colleagues in the security world have lived under the mistaken assumption that GDPR compliance isn’t something that falls within their remit, but is instead managed either by legal, IT or compliance professionals. At least in part, this is based on the belief that their security teams are not data controllers or processors. As far as they’re concerned, the lengthy 200-plus pages of legislation issued by the EU isn’t something they need to worry about. However, the in-house security manager can often be described as a project manager in a large-scale surveillance system implementation, for example, and will therefore need to ensure that the devices and systems duly deployed are secure by both design and default. He or she should also work closely alongside others involved with the project to guarantee that the systems and devices employed harbour data protection (ie privacy) by design and default. In the first half of the White Paper, which is entitled ‘Smart GDPR Assurance for a Smarter World’, we cover in some detail the different ways in which the Internet and the increasing volume of data which connects to IoT systems has meant that personally identifiable information is now placed at a higher risk than it was back in the 1990s. As Professor Klaus Schwab, CEO of the World Economic Forum, has stated on page 59 of his book entitled ‘The Fourth Industrial Revolution’ (published in 2016): “The digital transformations of industry mean that businesses will need to invest heavily in cyber and data security systems in order to avoid direct disruption by criminals and activists or unintentional failures in digital infrastructure.” This has led to the GDPR being written for the protection of the individual’s data privacy and security. It also usually means that the systems involved – and, indeed, those who manage them – often need to demonstrate compliance through the transaction of Data Protection Impact Assessments (DPIA) because of their large-scale nature and the use of innovative technologies such as biometrics and CCTV in ‘Smart Buildings’. IoT ‘Smart’ environments In our new White Paper, we’ve deliberately dedicated a chapter to those technologies, products and services related to large-scale IoT ‘Smart’ environments and briefly outline some that have provided greater functionality, but that have also created increasing concerns in terms of the data collected (or around what that data is used for). This includes a consideration of key areas such as Big Data analytics, cloud computing, Artificial Intelligence, machine learning, sensors, medical devices, physical security systems, surveillance monitoring and Security Information and Event Management services. We then proceed to introduce scenarios such as ‘Smart Vehicles’ and ‘Smart Buildings’ because these are prime examples of how stakeholders are involved in the protection of high volumes of data and, given the connection here to the individual (whether that’s a passenger or consumer), their privacy and security is vulnerable to attack from those with criminal intent on their minds. For the various owners of large IoT installations such as ‘Smart Buildings’ or ‘Smart Cities’, for instance, processing data in compliance with the GDPR becomes something of a complex procedure since there’s a vast number of suppliers who contributed to the final working solution and may not have known 20
Data Protection Considerations for Smart Security Projects what they need to do in order to assist with that compliance. In the second half of the document, we group together important control mechanisms for all the stakeholders in a large IoT ‘Smart’ project. The various groups of obligations across the supply chain in order to comply with the GDPR can be broken down into the following: • the obvious legal obligations of data controllers and data processors to comply with the GDPR • the less obvious obligations of manufacturers to (a) comply with the clarified ‘Opinion’ of the Article 29 Working Party and (b) assist customers in complying more easily with their own legal obligations • the obligation of the pre-production suppliers to ensure that the service they provide assists the manufacturer in meeting its own obligations (and those of its customers) • the obligation of the post-production suppliers to ensure that the service they provide assists the manufacturer in meeting its own obligations (and those of its customers) The major difference between the last two here is that the third group could design data protection and security into the product or service at an earlier stage of the development, whereas the fourth group mainly implements the controls once they’re already built into the product or service provided. Our White Paper is targeted at the last three groups on the assumption that most data controllers and data processors know they need to comply with the GDPR. To help in attaining that state of compliance, we’ve included collated lists of seven groups of control mechanisms, in turn enabling the supply chain stakeholder to ensure that it’s providing added value to be competitive and make IoT products and services more secure with built-in functionality which places data protection at the very heart of the service. “The digital transformations of industry mean that businesses will need to invest heavily in cyber and data security systems in order to avoid direct disruption by criminals and activists or unintentional failures in digital infrastructures” Pre- and post-production phases We focus on the role of manufacturers, project managers, designers, consultants, software suppliers and installers in the pre-production and post-production phases of any large-scale project. What we discuss applies to SMEs who could be component manufacturers or codemakers. Hence, there’s the inclusion of small and medium-sized enterprises (SMEs) who might act as suppliers to the larger enterprise. In fact, it’s often SME data which is less secure and provides an ‘easy way in’ for a cyber attacker to gain access to personal information which might then engender a large fine from the Information Commissioner’s Office postinvestigation. It’s now vital that project managers who are responsible for these systems give the organisation assurance that valuable information is protected. Failure to do so could mean quite serious implications for the security team as past cyber attacks have included compromises of HVAC as well as CCTV and other physical security systems. Should a hefty fine result, it’s then likely that questions will be asked of the security team. In point of fact, the largest fines to date for Target’s data breach have involved an HVAC system third party supplier. Our White Paper covers a wide range of principles and control mechanisms which, if readily practised, will make a real difference to the security strategy and management of these risks. We emphasise how large volumes of data and innovative technologies in large-scale projects such as ‘Smart Buildings’, ‘Smart Shopping’ and ‘Smart Healthcare’ now involve new requirements from the GDPR for DPIA. The security manager may not be required to lead the assessment, but he or she will need to understand a complex risk scenario (which our White Paper introduces). The project manager can evidence good security practise by requiring stakeholders – ie the systems manufacturers, designers, integrators and installers – to actively demonstrate that they’re following the legislation. We welcome Axis Communications’ demonstrable commitment to the GDPR and its ongoing support for privacy and security by design and default, and also recognise the excellent work that the business has undertaken internally to achieve some of the recommendations proposed. Steven Kenny (industry liaison for architecture and engineering at Axis Communications) writes in the Foreword to our document: “GDPR compliance is the first step in winning back trust from a public wary of corporate overreach on issues of personal data. Companies that see beyond compliance and embrace the underlying logic of ‘privacy by design’ are the ones who’ll succeed in the long term in defending against cyber attacks and maintaining reputations. If the conversation has changed into something more positive, the challenges of GDPR compliance and developing a strong security culture remain.” James Willison BA MA MSyI: Founder of Unified Security Sarb Sembhi CISM is CTO and CISO at Virtually Informed It’s recommended that all stakeholders collaborate and establish diverse cross-functional teams, as discussed in the White Paper ‘Supporting Enterprise Security Risk Management: How Vendors Can Support ESRM and CSM’ (published by Unified Security Ltd in 2017) • To download copies of ‘Smart GDPR Assurance for a Smarter World’ visit http://www.axiscommunications.com/ smart-assurance-wp 21 www.riskxtra.com>
Page 1 and 2: x www.riskxtra.com RISKXtra Securit
Page 3 and 4: x RISKXtra September 2018 Contents
Page 5 and 6: x RISKXtra Editorial Good for Busin
Page 7 and 8: News Update City of London Police a
Page 9 and 10: News Analysis: Apprenticeships in t
Page 11 and 12: x RISKXtra News Special: Global MSC
Page 13 and 14: Opinion: The Modernisation of CCTV
Page 15 and 16: Opinion: Mind Your Own Business to
Page 17 and 18: x RISKXtra BSIA Briefing Many reade
Page 19: x RISKXtra Advertisement Feature Mi
Page 23 and 24: x RISKXtra Building Management: Acc
Page 26 and 27: x RISKXtra Advertisement Feature: H
Page 28 and 29: 2018 OLYMPIA LONDON, 28 - 29 NOVEMB
Page 30 and 31: FIRE SAFETY What you need to know a
Page 32 and 33: FIRE SAFETY “All pre-learning mat
Page 34 and 35: FIRE SAFETY Hochiki launches FIREsc
Page 36: FIRE SAFETY Pulse Alert VADs lower
Page 39 and 40: FIRE SAFETY Kentec introduces four-
Page 41 and 42: FIRE SAFETY Ensuring Fire System Ef
Page 43 and 44: x RISKXtra Emergencies and Life Saf
Page 45 and 46: We go to greater lengths. Axis Secu
Page 48 and 49: x RISKXtra The Race to the Bottom i
Page 50 and 51: x RISKXtra Meet The Security Compan
Page 52 and 53: x RISKXtra ‘What makes the modern
Page 54 and 55: x RISKXtra Selling Security Without
Page 56 and 57: x RISKXtra Despite the ongoing best
Page 58 and 59: x RISKXtra Selecting Workforce Mana
Page 60 and 61: x RISKXtra CTI: Keeping UK Citizens
Page 62 and 63: x RISKXtra Routes to Learning: Staf
Page 64 and 65: x RISKXtra Risk in Action Dahua’s
Page 66 and 67: BENCHMARK Smart Solutions BENCHMARK
Page 68 and 69: x RISKXtra Appointments Martin Harv
Page 70 and 71:
ACCESS CONTROL CCTV CCTV INTEGRATED
Page 72 and 73:
GATE AUTOMATION & ACCESSORIES WHOLE
Page 74 and 75:
INTRUSION DETECTION AND PERIMETER P
Page 76:
NOTHING MISSED Independent left and
show all

RiskXtraSeptember2018

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?