Sunday, 8 October 2017

The Essential GDPR IT Checklist

The Essential GDPR IT Checklist - 6 October 2017
You can find the article on the portal at:
I quote selected parts of the text:
"The GDPR does two things. It protects the data rights of EU citizens, and it protects their privacy i.e. their personal data. Anyone who does business within the single market will have to comply with it. That includes non-EU businesses who deal with EU customers.
A robust defence requires a multi-faceted approach encompassing networks, devices and people. Security by design means products are created with a view of how they’ll securely integrate to our customer’s networks.
"And the way we collect, store and use data needs to change. This requires a comprehensive data map covering what data is stored, where, and who has access. 
With that in mind, here are the 10 essential actions you need to take before the May 2018 deadline.
1. Stage One: Audit Your Situation
The first stage is to assess your situation. By getting a realistic view of your current status, you’ll know how much you need to change in order to comply. 
- Audit your data
Make sure you know where all your data lives, who has access and on what devices
- Audit your service partners
Make sure every service partner – cloud storage, SaaS etc. – that has access to your data is also compliant with GDPR, or under an officially sanctioned data jurisdiction
- Audit all authorised and unauthorised devices with access to personal data
Make sure you know every single device that has access to personal data – officially sanctioned or not
2. Stage Two: Access Control
The second stage is controlling access to company data, to keep track of who has access, and to prevent a single breach granting access to everything.
- Ensure administrative privilege control
Make sure administrative actions can only be taken by a select few, to minimise the risk of others gaining control of the network
- Ensure tiered access to personal data
Control access to data on a need to know basis. This should be based on the user, device and the network the request is coming from
- Ensure remote access and erasure rights for company data
Make sure you can retrieve and erase data from all devices with access to personal data, especially in instances of loss or theft
3. Stage Three: Multi-Layered Security
The final stage is to implement robust security to detect and respond to breaches. Remember that there are no quick fixes in cyber security. HP recommends a multi-layer defence policy, which gives a cohesive and well-rounded approach to a frequently changing cyber security landscape.
- Invest in new, more secure devices, if necessary
Multi-factor biometric authentication, Bluetooth lock, privacy screens and a self-healing BIOS all help to protect data at device level.
- Implement a regular scan and security software update policy
Traditional network defences – antivirus, antimalware and firewall – may not be foolproof but they’re still important. Regular updates are essential
- Implement real-time detect and response software
Secure your endpoints with practical real-time breach responses. Include a Security Information and Event Management (SIEM) tool
- Conduct employee training in cyber security
Aside from building security, these actions help to achieve compliance with the following key provisions of the GDPR:
- Report data breaches within 72 hours; and prove due diligence in preventing them
- The right to be forgotten: erase all of an EU citizen’s personal data upon their request
- Data portability: provide all personal data of an EU citizen in a format accessible to them
- International transfers: ensure data is only transferred to other GDPR compliant organisations, or those within jurisdictions deemed ‘adequate’
To find out more about the new GDPR changes, and the role of IT in making their organisation compliant, download our eGuide ‘The Essential Guide to GDPR Compliance.’ It includes a set of controls.
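As an added illustration of the Stage Two point above (tiered, need-to-know access decided by user, device and network), and not part of the HP article or of this blog post: a small Python policy check that serves personal data only when the requester's role has a need to know, the device is managed, and irreversible actions such as erasure come from the corporate network; every decision is logged so that due diligence can be shown later. The resource names, roles, device flags and address ranges are constructed assumptions for the example.

```python
"""Context-aware access check for personal data (added example, not from the article).

Constructed sample: the decision depends on the user's role (need to know),
device posture (managed or not, as established by the device audit) and the
network the request comes from. All names, tiers and address ranges are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
import ipaddress


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device_id: str
    device_managed: bool   # assumed: enrolled and compliant per the device audit
    source_ip: str
    resource: str
    action: str            # "read" or "erase"


# Constructed data map (output of the stage-one data audit): which resources hold personal data
RESOURCE_TIER: Dict[str, str] = {
    "crm/customers": "personal",
    "hr/records": "personal",
    "marketing/brochures": "public",
}

# Constructed need-to-know matrix: role -> resources that role may touch
NEED_TO_KNOW: Dict[str, Set[str]] = {
    "support": {"crm/customers"},
    "hr": {"hr/records"},
    "dpo": {"crm/customers", "hr/records"},   # assumed role handling erasure requests
}

# Constructed corporate address ranges; any other source is treated as remote
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]

# Append-only decision log: evidence of due diligence if a breach has to be reported
DECISION_LOG: List[Dict[str, str]] = []


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason) and record the decision in the log."""
    allowed, reason = _decide(req)
    DECISION_LOG.append({
        "user": req.user, "device": req.device_id, "ip": req.source_ip,
        "resource": req.resource, "action": req.action,
        "decision": "allow" if allowed else "deny", "reason": reason,
    })
    return allowed, reason


def _decide(req: AccessRequest) -> Tuple[bool, str]:
    """Default deny: every check that fails ends the evaluation."""
    tier = RESOURCE_TIER.get(req.resource)
    if tier is None:
        return False, "resource not in data map"   # unmapped data is never served
    if tier == "public":
        return True, "public data"
    if req.action not in ("read", "erase"):
        return False, "unsupported action"
    # User: need-to-know by role
    if req.resource not in NEED_TO_KNOW.get(req.role, set()):
        return False, f"role '{req.role}' has no need to know '{req.resource}'"
    # Device: only managed devices may hold personal data
    if not req.device_managed:
        return False, f"device '{req.device_id}' is not managed"
    # Network: erasure is irreversible, so it is restricted to the corporate network
    ip = ipaddress.ip_address(req.source_ip)
    on_corp = any(ip in net for net in CORPORATE_NETS)
    if req.action == "erase" and not on_corp:
        return False, "erase is restricted to the corporate network"
    return True, "allowed"


def denied_events() -> List[Dict[str, str]]:
    """Denied decisions: the entries a SIEM rule would alert on when they cluster."""
    return [e for e in DECISION_LOG if e["decision"] == "deny"]


if __name__ == "__main__":
    # Constructed requests exercising each check
    print(evaluate(AccessRequest("alice", "support", "lap-01", True, "10.1.2.3", "crm/customers", "read")))
    print(evaluate(AccessRequest("bob", "support", "byod-7", False, "10.1.2.3", "crm/customers", "read")))
    print(evaluate(AccessRequest("carol", "dpo", "lap-09", True, "203.0.113.5", "hr/records", "erase")))
    print(denied_events())
```

The three checks are deliberately ordered from the cheapest and most static (role) to the most context-dependent (network), and the log is written for every decision, not only denials, so that a later breach investigation can reconstruct exactly who reached which personal data from where.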
The eGuide mentioned can be found at: