Top-10 GDPR Security Template

By Thomas B. Cross @techtionary

In this template or guideline, I bring together more than two decades of provider and enterprise security experience to build a viable security model for the new GDPR requirements, which purport to bring a new order of internet security to organizations.  On the darker side, in my humble opinion, the GDPR is a shell or façade without the tools, armament and proactive real-time enforcement needed to bring real security.  If, however, you want to bring GDPR compliance to your organization, wherever you may be located, I offer these specific guidelines, which the regulation itself does not.  In a separate article, I discussed the EU (European Union) General Data Protection Regulation (GDPR) Data Subject Rights (key points: Right to be Forgotten, Data Portability, Privacy by Design, Data Protection Officers), the key rules for complying with the regulation, and my own commentary on these key points for your own analysis.  Other FAQs can be found here.

Here are some guidelines, recognizing that your situation may vary considerably.

1 – Start now – gather the necessary resources into a team to bring these security concepts to bear on the issue.  Have an outside professional review your team and approve it or suggest improvements.  You cannot do a meaningful self-assessment without qualified professional services to assess your own capabilities.  To begin with, assume that GDPR is not itself any form of protection but only a framework from which to proceed.  GDPR rules are more like internet RFCs, which are guidelines, because at present there is no GDPR police force ready to investigate, enforce and punish violations of the regulation.  That is, yes, there are fines for non-compliance, but so far no GDPR police or other body has been found to be in place to investigate and track violations.  Moreover, it is uncertain what will happen after the UK's Brexit, which likely means the UK will build its own version with a different set of rules.

2 – Socialize now – get everyone from C-level to street level involved, including partners, providers and any organization that connects with yours, as everyone is a risk to their own job and to the company.  Unless everyone really knows they could be fired or have their contracts terminated for even unwittingly being part of a breach, or face civil litigation or even jail time, they may not realize the reality of the very serious issues at stake.

3 – Start small – understand that the weakest link of a single employee can bring down your house of cards, as we have seen at Target, Facebook, Equifax and so many others.  By beginning with a small security “sandbox” you can test weak links and learn from them.

4 – Build a scalable solution – the weakest link needs to be the point you scale from, as other likely weak links will emerge.

5 – Build a survivable model – some like the idea of a security center approach; however, in any decentralized organization working in a global world, centralized efforts lead to siloed thinking, which is what you want least.  Whatever model you choose, make sure it is really hardened against the worst possible scenario, and again test to see if it is really strong.

6 – Security built in – the concept Intel branded as “Intel Inside” reflects that security must, now and in the future, be built “into” everything you do.  Moreover, the growing use of IoT (the internet of things, or as I would say the “internet in everything”) calls for thinking inside out rather than just outside in, imposing security onto things.  Security must be like the “white blood” cells in our body: attacking everything hostile, protecting their host and giving themselves up for it, even when confronted with cancer.

7 – Validation – nothing works until it faces battle.  That is, only when the concept you built faces the worst possible enemy can you know, or hope to know, whether it will work.

8 – Circling back – nothing works unless it also adapts to change.  Circling back to the original premise and then constantly adding new things means testing the overall system to see if it really works.  As you should not, I did not forget that the weakest link is not static.  Assume nothing is static, because nothing is ever the same as it was yesterday.  In a very large sense, GDPR is an invitation to the worst possible players to come at you with everything they have.  Realize now and every day that hackers are also more motivated than you will ever be, as you are focused on defense and they are focused on offense.  They can also attack many more vulnerable areas than you know how to protect, which means there is not one kind of weak link but many.

9 – No real pros – I personally find there are too many providers of too many kinds of security services to bring together a viable, formidable approach.  Moreover, “no real pros” also includes professional services or consultants who know one or a few areas but, in fairness, probably don’t have all the tools in their toolboxes to really help you.

10 – Future directions – this is always an escape clause: what you know today is not what you need to know tomorrow, the next day or next year.  However, much of the approach should be about not just the weakest link but building stronger links so there are fewer weak links.

Summary – As with any set of rules and regulations such as GDPR, security experts and privacy advocates need to maintain and sustain their voice in addressing these issues.  However, as in the last scene of the great sci-fi movie “The Day the Earth Stood Still,” “the test of any such higher authority (security) is, of course, the police force that supports it.”  It’s great to have policies, but if there is no police force to enforce them and evaluate that enforcement, there is no true security or privacy for all, if at all.

If you need guidance and assistance, please email [email protected] 
