Preparation for GDPR has been underway for the last two years. Although last month’s deadline has passed and GDPR is now in effect, there are still many companies in the EU, and in the rest of the world for that matter, that are not yet 100% compliant. A recent survey by Spiceworks revealed that only 25 percent of US companies were thought to be compliant when GDPR went into force. Many of these companies are waiting in anticipation to see the first results and the impact the new legislation will bring once a new major breach has been uncovered. As we wait for that first announcement in the news, the chances are that many new breaches have already occurred post-May 25th but are yet to be detected and disclosed. Dixons Carphone may be the first, announcing a huge data breach last week involving 5.9 million payment cards and 1.2 million personal data records, but the breach was reported to have taken place last year, pre-GDPR, so the consequences are somewhat unclear.
GDPR is unique in that it is the first major regulation to focus on the end scenario, the impact and aftermath of a breach, especially to the individual, as opposed to focusing solely on the prevention and controls put in place by organizations to prevent a breach in the first place. What seems to have caused the most confusion is that there doesn’t seem to be that “one size fits all” approach for companies to meet GDPR compliance and there have been many different interpretations. Companies must be able to prove they have carried out the necessary risk assessments and put the appropriate policies, processes, and procedures in place given all the risks involved.
Historically it has been more common to associate security controls in conjunction with breach prevention, but today cybersecurity strategies have been turned on their head and security operations teams must assume that a breach has or will occur. It is no longer the “if” scenario and focus is now fully on the “when” scenario. This change in mindset puts incident response, in particular data breach notification and reporting processes, at the forefront of reducing the risk of a data breach as opposed to being an afterthought. Organizations under GDPR now have to notify EU authorities within 72-hours and have to prove that their security programs and responses were appropriate to the situation.
If you are not quite fully GDPR compliant yet, there is no time to wait. Here are 5 steps you should take without undue delay.
1. Establish Roles and Responsibilities
The Data Protection Officer (DPO) is the latest new job title being created within many organizations. The main responsibilities of the DPO include providing advice on security controls, processes and procedures within the organization, as well as acting as the main point of contact for the supervisory authority. The DPO is not the only role that may be required though, as a proper incident response plan will require many additional roles, including an incident response coordinator, legal and compliance resources and human resources, to name a few. Stakeholders within the organization will need to be aware of how to effectively put the plans into action. If you are yet to define roles and responsibilities, this is a key first step when tackling GDPR.
2. Know Your Data
Under GDPR it is important to understand what data exists, where it is located, who has access to it and for what purpose it is being used. Only the minimum amount of data needed to perform the task should be collected and processed, and it should not be retained for longer than necessary. If data within the company is unknown then it can’t be protected, putting the company at risk. Knowing where data exists is crucial during incident response and breach notification, so ensure you do a comprehensive audit of your business and the data it holds.
3. Document the Incident Response Plan
To respond to a security incident, a thoroughly planned and documented approach is required to maximize its effectiveness. Without structure and documented processes and procedures in place, an incident response attempt could turn into complete mayhem. The process should comprise the appropriate tools and tasks, as well as the personnel required to respond to the incident, ensuring it covers all scenarios whether large or small. It is also important to document both the high-level plan and the more detailed workflows for handling specific types of security incidents (e.g. runbooks and playbooks). Having this documentation and the associated processes and procedures in place will help your organization to demonstrate that a formalized, repeatable process with an appropriate response was followed during a potential breach.
4. Test the Plan Regularly
Having a documented plan is one thing, but ensuring it works and is fully tested is another. GDPR not only requires that security controls are in place but also states that they should be tested and evaluated on a regular basis. This will most likely vary from organization to organization, but we would recommend it should take place at least once a year and include exercises such as breach simulations. As well as meeting this requirement under GDPR it also helps to ensure that all stakeholders within the incident response process are up to date and familiar with their respective role and responsibilities.
5. Ensure Reporting Practices and Proficiencies
The GDPR breach reporting and notification element is probably one of the most challenging aspects to comply with, as 72 hours is a relatively short window to detect, remediate, report on and notify all parties of an incident. Organizations need to be able to gather and analyze large amounts of data from multiple sources, as well as make sense of the data before notifying stakeholders internally and externally. Implementing automated procedures for collecting data and preparing detailed reports based on incident and forensic data is essential, as well as having documented processes in place for issuing notifications to potentially hundreds of thousands of individuals.
As we already know, data breach detection and incident response are never going to be a straightforward process for any organization, but GDPR has now leveled the playing field to ensure that all companies meet the same baseline requirements or face the possibility of hefty fines and public scrutiny. It is now a critical time for organizations to ensure they have detailed and documented incident response plans and procedures in place to deal with any incident should it occur, as well as the tools they need to help them more easily comply with the requirements.
If your security operations team is looking for assistance with its incident response program and tools to help the organization to demonstrate GDPR compliance as well as breach notification requirements, these useful resources may help. Read our DFLabs IncMan for GDPR solution brief and whitepaper about Increasing the Effectiveness of Incident Management to learn more.
With the GDPR going into effect this week, organizations that this new data protection regulation applies to are left with little time to make sure they have completed the preparations needed to achieve compliance with all the provisions it entails. The GDPR is aimed at protecting consumer data privacy, and organizations that control and manage personal information of EU citizens in any capacity have until May 25th to adjust their procedures for protecting against, and responding to, data breaches in accordance with the new legislation.
Specific measures that organizations have to implement include formalized incident response procedures and internal data breach notification processes, along with a demonstrated capability to notify authorities and data subjects in the event of a data breach within a strictly specified timeframe. Putting these measures in place can be an expensive and extremely complicated process, but it is absolutely necessary nonetheless. Therefore organizations can probably use all the help they can get to reduce the costs associated with meeting GDPR breach notification requirements while streamlining their existing processes as much as possible. This is where a host of security tools come into play, with a vast number of different solutions available to choose from. While variety and choice are good, they can also cause a headache for security professionals, making it difficult to make an informed decision and to choose the most cost-effective and relevant solution for their needs.
To make it easier for security professionals to evaluate what they need in order to make sure their organizations are compliant with the upcoming GDPR requirements, this post will offer an overview of the most essential tools and why they are essential for GDPR breach notification compliance.
One of the most important elements of GDPR compliance is how organizations respond to cyber incidents, particularly as it relates to breach notification procedures. Among other things, the GDPR requires that in the event of a data breach that has an impact on data subjects, the affected organization notify the appropriate supervisory authorities within 72 hours of the moment the breach occurred. This is arguably one of the GDPR requirements that organizations are most concerned about, as it involves a short timeframe within which they must not only detect and contain the breach, but also be able to fully report on the details while following strict protocols, including documenting the events and making sure the proper incident response and case management procedures have been followed. Failure to comply with these rules can lead to severe and long-lasting consequences, damaging organizations’ reputation as well as their bottom line.
In order to be able to gather evidence and document a data breach and provide proof to authorities that the appropriate formalized procedures have been followed, organizations need a tool that can help make that process as streamlined as possible. That’s exactly the purpose of incident response and case management solutions, which are designed to allow reactions to incidents to be immediate and thorough by following set procedures, processes and workflows. These solutions have the ability to perform effective case management, including creation of an incident record, task assignment and management, evidence collation and analysis, along with data sharing and reporting, all of which are essential elements of meeting various GDPR requirements.
Automated and Orchestrated Response
In addition to case management and incident response procedures, organizations should be looking to automate and orchestrate their response to incidents such as breaches as much as possible. 72 hours will lapse very fast, and it is critical to get these potential incidents under control as soon as possible. With increasing numbers of alerts being received by security teams that usually face limited resources, automation not only reduces the mean time to detection and mean time to resolution of potential incidents, but also helps to meet GDPR compliance timeframes.
Security orchestration, automation and response (SOAR) solutions can do this by providing incident response and breach notification playbooks specifically designed to align an organization’s reaction to these types of events with GDPR best practices in mind. They also entail specific GDPR workflows that can be automatically enforced, repeated and formalized, which is another important aspect of achieving GDPR compliance.
How DFLabs IncMan SOAR Platform Can Help
Meeting GDPR requirements and being able to demonstrate compliance takes a comprehensive approach that inevitably requires the implementation of a set of tools that have the capability to ensure a proper implementation of the required procedures in the event of a data breach impacting data subjects. Having a platform in place to formalize and support these requirements is crucial, so why use multiple tools and solutions when you can just use one?
DFLabs IncMan SOAR platform combines incident response and case management processes with comprehensive automation and orchestration functions. This enables organizations to fully adhere to breach notification requirements by implementing an incident response plan in case of a potential breach, automating the associated processes, prioritizing incident response and related enrichment and containment actions, managing notification distribution, and producing the subsequent advanced reporting and documentation of any incident.
For many of us around the world February 14th marks St. Valentine’s Day, but for those of us in Europe, this date also marks the beginning of the 100-day countdown to the upcoming enforcement of the General Data Protection Regulation (GDPR).
As most of us are already aware, the EU GDPR was adopted in April 2016 and is due to be formally imposed on May 25th, 2018. In a nutshell, for those who are not quite so GDPR savvy, the GDPR emphasizes transparency, security, and accountability by data controllers and introduces mandatory Data Protection Impact Assessments (DPIAs) for those organizations involved in high-risk processing, for example where a new technology is being deployed, where a profiling operation is likely to significantly affect individuals, or where there is large-scale monitoring of a publicly accessible area.
Breach Notification Requirements
A DPIA is the process of systematically considering the potential impact of a processing activity, allowing organizations to identify potential privacy issues before they arise and come up with a way to mitigate them. In addition, and a highly important aspect for Security Operation Centers (SOCs) and Computer Security Incident Response Teams (CSIRTs) to be fully aware of and responsive to, data processors must implement an internal breach notification process and inform the supervisory authority of a breach within 72 hours. They must also communicate the breach to affected data subjects without undue delay or consequently face a penalty of up to EUR 20,000.00 or 4% of worldwide annual turnover for the preceding financial year, whichever is greater.
Incident Response Processes and Best Practices
As the number of breaches has risen and cyber attacks have become more sophisticated, authorities have recognized a need for increased data protection regulation. The number of simultaneous processes required in a typical forensic or incident response scenario has also grown. Processes need to cover a broad spectrum of technologies and use cases, must be standardized, and must perform clearly defined, fully documented actions based upon regulatory requirements, international standards and established best practices.
Additionally, context enrichment and threat analysis capabilities must be integrated to facilitate and automate data breach reporting and notification within the timeframe specified by GDPR. Lastly, customized playbooks must be created to permit rapid response to specific incident types, aid in prioritizing tasks and assigning them to individual stakeholders, and formalize, enforce and measure specific workflows.
Incident Response Management with DFLabs IncMan
Having a platform in place to formalize and support these requirements is crucial. DFLabs IncMan provides all the necessary capabilities to facilitate this. Not only do organizations need an Incident Response plan, they must also have a repeatable and scalable process, as this is one of the steps towards compliance with the GDPR’s accountability principle, requiring that organizations demonstrate the ways in which they comply with data protection principles when transacting business. They must also be able to ensure that they will meet the 72-hour breach notification requirement or face a stiff penalty.
Organizations must establish a framework for accountability, as well as a culture of monitoring, reviewing and assessing their data processing procedures to detect, report and investigate any personal data breach. IncMan implements granular and use-case specific incident response procedures with data segregation and critical security control requirements. To enable Incident Response and breach notification in complex organizations and working across different regions, IncMan can be deployed as a multi-tenant solution with granular role-based access.
Cutting Response Time and Accelerating Incident Containment
Automated responses can be executed to save invaluable time and resources and reduce the window from discovery to containment for an incident. Organizations can easily prepare advanced reports from automatically collected incident and forensic data, and distribute notifications based on granular rules to report a breach and notify affected customers when required, to comply with GDPR and avoid a financial penalty.
Finally, the ability to gather and share intelligence from various sources, anonymizing the data so that it can be shared safely with third parties, protects the data without inhibiting the investigation. IncMan contains a Knowledge Base module to document playbooks, threat assessments, situational awareness and best practices, which can be shared and transferred across the organization.
IncMan and Fulfilling GDPR Requirements
In summary, DFLabs IncMan Security Automation and Orchestration platform fulfills the requirements of GDPR by providing capabilities to automate and prioritize Incident Response through a range of advanced playbooks and runbooks, with related enrichment, containment, and threat analysis tasks. It distributes appropriate notifications and implements an Incident Response plan (IRP) in case of a potential data breach, with formalized, repeatable and enforceable incident response workflows.
IncMan handles different stages of the Incident Response and Breach Notification Process, providing advanced intelligence reporting with appropriate metrics, with the ability to gather or share intelligence with 3rd parties as required.
So, this Valentine’s Day, we hope that you are enjoying a romantic dinner for two, knowing that your SOC and CSIRT, as well as the wider organization, has the necessary incident response and incident management best practices implemented to sufficiently meet the upcoming GDPR requirements in 100 days’ time. If not, speak to one of our representatives to find out more.
The EU GDPR will be enforced from May 25th next year. GDPR mandates a wide variety of requirements on how data processors must manage customer and 3rd party data. Although it is not primarily focused on cybersecurity, it does contain vague requirements on security monitoring. These include that data processors must establish a breach notification procedure that includes incident identification systems, and must be able to demonstrate that they have established an incident response plan.
Further, there is a requirement to be able to notify the supervisory authority of a data breach within 72 hours of becoming aware of it, or face a stiff financial penalty. This last requirement is of special interest beyond its impact on data processors, because it means that for the first time we will begin having reliable data on European breaches.
Historically, European companies have had no external requirement to be transparent about being affected by a breach. This has had the consequence that we have not had good data or an awareness of how well or badly European organizations are doing when it comes to preventing or responding to security breaches.
I am sure that if, like myself, you have worked in forensics and incident response in Europe over the years, you are aware of far more breaches than are publicly disclosed. The only information available is when a breach is disclosed due to the press and law enforcement, or when the impact is so great that it can’t be ignored. We also have some anonymized reports from some vendors and MSSPs, but these are really no more than samples. While not without benefit, these also do not provide a reliable indicator, as the samples are not necessarily statistically representative. This provides a false sense of how European organizations are faring compared to other regions and presents a skewed image of European security in general.
The true state of European security is unknown and has been difficult to quantify. I have seen German articles, for example, that have claimed that German security is better than the rest of the world because there are fewer known breaches. The absence of evidence is of course not evidence of absence. Something that has not been quantified cannot be said to be good or bad. More importantly, if you do not measure something, it cannot be improved.
It will be interesting to see whether GDPR will force European organizations to place more focus on Incident Detection and Response, and give us insight into the true state of European security.