Common sense and technical solutions applied to GDPR

In a practical introduction Jan will explain, from his experience in the trenches of IT security, how to answer all those difficult questions the new European legislation brings up.
Nil nove sub sole. The first thing you should always remember: the requirements of GDPR are not that new. GDPR is based on existing legislation and security frameworks like ISO27k. This means there is a treasure chest of knowledge, templates, procedures and other security tools available. There is no need to reinvent hot water.
Common sense is the superpower. If you decrypt the legal language, a lot of the requirements are plain common sense, and in my humble opinion this is the most important security product you need to comply. Security and privacy by design, for instance, should be ingrained in every project in your organisation.

Technology is your friend. Although one technology or one box cannot solve all your GDPR worries, there is a lot of technology and many next-generation solutions that can make complying with GDPR a lot easier. For example: rolling out encryption in the right way, just as there are a lot of tools to add artificial intelligence and machine learning as an extra security layer.

Talk, 21st of June 2017 - GDPR conference, Lint, Belgium


Common sense and technical solutions applied to GDPR

  1. GDPR: Common sense and technology solutions. 21st June 2017, Jan Guldentops (j@ba.be)
  2. Accidental security expert
     ● Jan Guldentops (°1973)
     ● Founder of Better Access (°1996) and BA (°2003)
     ● Open Source Fundamentalist (after hours)
     ● Practical background in ICT and security
     ● Security expert by accident
       • Documented the security problems of the first Belgian internet bank in 1996, have been doing security ever since
       • R&D (mainly security) – Basta, Febelfin, Safeshops, etc.
  3. What we really do: COMMON SENSE AS A SERVICE (CAAS)
  4. Nil Nove sub sole...
  5. Why GDPR?
     ● Enormous data breaches
     ● E.g. NMBS
       ● Personal data of 700.000
       ● “et alors?”
       ● No consequences
  6. GDPR – the new Y2K?
  7. Magic solutions
  8. Nothing new for the industry
     ● For the industry it is nothing new
     ● BS(1)7799, ISO27k family
     ● Based on existing privacy law
     ● Based on existing best practices
       ● e.g. Cobit
     ● Problems / challenges are the same
     ● The paradigm hasn’t shifted
     ● New:
       ● Big stick – 4% / 20.000.000
       ● DPO (but you often should have a security officer)
       ● Right to be forgotten
       ● Notification obligation (72h!)
  9. Common sense
     ● Common sense is often so rare, you can start to consider it a superpower
     ● Understanding and thinking about the requirements solves a lot of problems.
     ● Think!
  10. Realism
     ● There is no such thing as absolute security
     ● Plan for the worst!
     ● You will have a security / privacy breach sooner or later!
     ● So act like it!
     ● Educate your management
     ● Make contingency plans
     ● Nobody is infallible! (except the pope)
  11. No paper tigers!
  12. The human factor
  13. Don’t store personal data if you don’t need it
  14. Other common sense elements
     ● Outsourcing / insourcing
     ● Security / privacy by design
     ● No bolt-on security
     ● Think before you develop / implement
     ● Conflict with the current development thinking
  15. Technology is your friend
  16. Encryption = magic bullet?
     ● “The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures should render the data unintelligible to any person who is not authorised to access it.”
     ● Magic bullet? Get-out-of-jail-free card?
  17. Encryption can help
     ● Encrypt everything?
       ● Devices
       ● Communication
       ● Datastores
       ● Servers
       ● Data at rest
       ● (Parts of) databases
     ● Helps with difficult tasks like
       ● Right to be forgotten
  18. BUT!
     ● There is only one thing worse than not using encryption -> using bad encryption
     ● Choose the right software and algorithms
     ● Manage your keys!
       – Almost nobody has a structured key management infrastructure
       – You have to be able to delete and revoke keys
       – No keys = no data
     ● Encryption is not only about confidentiality but also integrity
     ● If you implement encryption, don’t only use it for confidentiality but also for integrity.
  19. Authentication and access control
     ● We are still using passwords!
     ● Need strong authentication! (2-factor)
     ● We need a centralised authentication system
       ● One directory for all
       ● Now often multiple authentication systems
     ● Role- and policy-based management of access to data
       ● Not “à la tête du client” (decided by who happens to be asking)
  20. Traceability
     ● You want to know what happened, so you need to log what happens on your systems / with your data.
     ● Log what you need to know
       ● E.g. administrative access, access to files, access to applications, etc.
     ● Make it irrefutable
     ● Create tools for analysing these logs
       ● SIEM
       ● Advanced tools: track everything your employee does.
  21. Buy the right tools
     ● Companies offering you software to manage:
       ● ISMS
       ● GDPR
       ● Inventories
       ● Etc.
     ● Excel or documents
     ● The tools you use for other things
  22. Automate
     ● We need 250.000 security experts in the coming 5 years.
     ● No, we need to automate things
     ● In system management:
       – Puppet, Ansible, System Center, etc.
       ● Choose your poison
       – Automated, managed updates
         ● e.g. #wannacry
     ● In development
       – DevOps
       – Automated testing
     ● In audit
     ● Etc.
  23. Audit
     ● Traditional audits are extremely expensive, take time and will usually only be held every 3 to 5 years.
     ● Audit yourself:
       ● Vulnerability assessment tools (Nessus, Qualys)
       ● Do an access audit
       ● Or using open source: KALI
         – A large stack of online tools
  24. Thank you. Contact us: 016/29.80.45, 016/29.80.46, www.ba.be, Twitter: batweets. Remy Toren, Vaartdijk 3/501, B-3018 Wijgmaal, info@ba.be. Twitter: JanGuldentops, http://be.linkedin.com/in/janguldentops/
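Slides 17 and 18 make two points that are easiest to see in working code: authenticated encryption (AES-GCM) covers confidentiality and integrity in one operation, and "no keys = no data" is exactly what makes the right to be forgotten tractable. The example below is added here and is not code from the talk; the `Vault` type and the one-key-per-data-subject scheme are assumptions made for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Vault holds one AES-256-GCM instance (one key) per data subject. Constructed demo,
// not a production key-management system; dropping a subject's key makes its records unreadable.
type Vault map[string]cipher.AEAD

// Seal mints the subject's key on first use, prefixes a random nonce and binds the
// subject id as associated data, so a ciphertext cannot be re-attached to another subject.
func (v Vault) Seal(subject string, record []byte) ([]byte, error) {
	g, ok := v[subject]
	if !ok {
		key := make([]byte, 32)
		rand.Read(key) // crypto/rand.Read is documented never to fail (Go 1.24+)
		block, err := aes.NewCipher(key)
		if err != nil {
			return nil, err
		}
		if g, err = cipher.NewGCM(block); err != nil {
			return nil, err
		}
		v[subject] = g
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, record, []byte(subject)), nil
}

// Open refuses forgotten subjects; for the rest any modified byte of nonce,
// ciphertext or tag fails the GCM authentication check.
func (v Vault) Open(subject string, sealed []byte) ([]byte, error) {
	g, ok := v[subject]
	if !ok {
		return nil, errors.New("no key for subject: data was forgotten")
	}
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], []byte(subject))
	}
	return nil, errors.New("ciphertext too short")
}

// Forget is crypto-shredding: with the key gone, every stored copy (backups included) is unintelligible.
func (v Vault) Forget(subject string) { delete(v, subject) }
```

Once a subject is forgotten, old backups of the ciphertext need no rewriting; the catch in practice is that the key store itself must then be backed up and access-controlled as carefully as the data was.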
