you will find, as of 21 September 2017, an article by Javvad Malik on the topic:
"A 9-step guide to prepare for GDPR compliance"
I quote from the text of the article: "At 200 pages and 99 articles, the comprehensive regulation is primarily intended to strengthen security and privacy protections around individual data, which it enforces by subjecting organizations to stricter requirements, adding new requirements – such as breach notification – and increasing fines on organizations that fail to comply."
"Among other things, organizations will be required to maintain a data breach detection plan, regularly evaluate the effectiveness of security practices, and document evidence of compliance. However, GDPR doesn’t provide specific technical direction, meaning that organizations will be independently responsible for establishing and maintaining the best practices needed to uphold outlined data security requirements. With this in mind, below are nine steps to prepare for the security requirements within GDPR."
Step 1: Implement a Security Information and Event Management (SIEM) tool with log management capabilities.
Step 2: Create an inventory of all critical assets that store or process sensitive data.
Step 3: Undertake vulnerability scanning to identify weaknesses.
Step 4: Conduct risk assessments and apply threat models relevant to the business.
"Organizations must identify and evaluate all of their security risks, not just vulnerabilities. Article 35 of GDPR mandates data protection impact assessments (DPIAs), and Article 32 requires companies to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”"
Step 5: Regularly test your systems to gain assurance that security controls are working as designed.
Step 6: Put threat detection controls in place to ensure reliable and timely notification when a breach has occurred.
Step 7: Monitor network and user behavior to identify and investigate security incidents in a timely manner.
Step 8: Have a documented and practiced incident response plan.
"...the notification that organizations are required to send to the regulatory body within 72 hours must include all of the following:
- Describe the nature of the breach.
- Provide the name and contact details of the organization’s data protection officer.
- Describe the likely consequences of the breach.
- Describe the measures taken or proposed to be taken by the data controller to address the breach and mitigate its adverse effects."
Step 9: Have a communication plan in place to notify relevant parties.
I quote from the conclusion: "Simplifying GDPR
Preparing for GDPR can seem like a daunting task, but organizations that follow the above steps and are equipped with the right security tools and strategies can rise to the challenge and strengthen their security – particularly their threat detection and response abilities – significantly along the way."