What does GDPR mean from a technical IT Perspective?

GDPR was introduced across Europe to modernise the Data Protection regulations that were very much out of date.

There is a lot of information about GDPR, but it is mostly orientated around the data you hold and the processes you use. This is very important, but I believe that we are missing a more important and valuable necessity that GDPR insists on: SECURITY!

How does the ICO (Information Commissioner's Office) assess how well you are looking after your IT systems? In the unfortunate event that you suffer a data leak or breach, the ICO uses the requirements set out by Cyber Essentials/Plus to assess whether you have been negligent or just unlucky.

Digital Orchard I.T. believes that securing your IT systems is the foundation of good data security and should be implemented ahead of finding out who the data processor/controller is, appointing a DPO, or creating a data asset register. If your IT systems are insecure and you lose data, it will be very costly and time-consuming for your business.

What are the Cyber Essentials requirements?

There are five technical controls:

1. Firewalls

Firewalls should be running on your business network in an office environment, on a desktop computer if outside the office environment, on a laptop when it’s being used outside the office environment, and on routers that connect to the internet and company servers.

Firewalls prevent unauthorised access to your IT systems from everyone on the internet.

2. Secure Configuration

Secure configurations should be applied to email, web, and application services, desktop and laptop computers, tablets, mobile phones, firewalls and routers.

The configuration should reduce the level of vulnerabilities and ensure that only the services required are available.

An example of an insecure configuration would be an internet router or network device using the default username and password.

3. User access control

This control ensures that user accounts are assigned to authorised individuals only and only provide access to the IT systems and devices they need to perform their job.

Having too many privileges is the source of so many issues; if a user has admin rights, they can change settings that can cause them and other users issues. The more significant problem is that if a user gets malware and is an admin, the malware has unrestricted access to infect all systems; this causes downtime and loss to the entire business.

4. Malware protection

Malware protection is used to prevent the execution of known malware and untrusted software, preventing harmful code from causing damage and accessing sensitive data.

Downloading software from the internet can expose a device to a malware infection.

Malware protection must:

·        Be kept up to date, by central management or automated tasks

·        Automatically scan files

·        Scan webpages

·        Prevent access to malicious websites

5. Patch management

Patch management ensures that devices aren’t vulnerable to security issues for which fixes are available; this includes firewalls, routers, desktop and laptop computers, tablets and mobile phones.

The criteria for what must be patched are:

·        The device or software must be licensed and supported

·        The software must be removed from devices when it is no longer supported

·        Patches must be installed within 14 days of the update becoming available for critical and high-risk vulnerabilities
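
As an added illustration (not part of the original article or of the Cyber Essentials scheme itself), the three criteria above can be checked against an asset inventory like this. The `Item` fields, host names and software names are hypothetical, the sample inventory is constructed, and "licensed and supported" is reduced to a single `supported` flag as a simplifying assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)          # window stated in the criteria above
URGENT = {"critical", "high"}              # severities the 14-day window applies to

@dataclass
class Item:                                # hypothetical inventory record
    host: str
    software: str
    supported: bool                        # still licensed and vendor-supported
    severity: Optional[str] = None         # severity of the oldest pending patch
    patch_released: Optional[date] = None  # date that patch became available

def findings(item: Item, today: date) -> list[str]:
    """Return the patch-management criteria this inventory item fails."""
    out = []
    if not item.supported:
        out.append("unsupported: remove from device")
    if item.severity in URGENT and item.patch_released is not None:
        age = today - item.patch_released
        if age > PATCH_WINDOW:             # exactly 14 days is still in time
            out.append(f"overdue: {item.severity} patch pending {age.days} days")
    return out

def audit(inventory: list[Item], today: date) -> dict[str, list[str]]:
    """Map 'host/software' to its findings, omitting compliant items."""
    report = {}
    for item in inventory:
        problems = findings(item, today)
        if problems:
            report[f"{item.host}/{item.software}"] = problems
    return report

# Constructed sample inventory (hypothetical hosts and software names).
SAMPLE = [
    Item("laptop-01", "browser", True, "critical", date(2024, 3, 1)),
    Item("laptop-01", "office-suite", True, "high", date(2024, 3, 10)),
    Item("router-01", "firmware", False),
    Item("tablet-02", "pdf-reader", True, "low", date(2024, 1, 5)),
    Item("server-01", "legacy-db", False, "high", date(2024, 2, 1)),
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE, date(2024, 3, 20)).items():
        print(name, "->", "; ".join(problems))
```

Run against a real inventory export, the same check gives a list of devices to patch or retire before an assessment.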

There is a lot to manage and keep on top of. Most businesses could implement the controls set out in the Cyber Essentials standard; we do this day in, day out, so the worry and burdens are taken off your shoulders.

Most people are unaware of these obligations when it comes to assessing their GDPR readiness; if this is you and you want to find out more information, please get in touch, and we can discuss how we can help.

Let's book a 30min meeting.

https://calendly.com/simonmccullagh/30min-1

Call: 0131 208 0080

Web: www.digitalorchardit.co.uk

Email: [email protected]
