GDPR Reasonable Plans and Readiness · 2018. 6. 6.

Page 1

Helping you grow your business with scalable IT services & solutions for today’s challenges & tomorrow’s vision.

© 2018 Peters & Associates, Inc. All rights reserved.

GDPR Reasonable Plans and Readiness

Bruce Ward, VP of Business Strategy, Peters & Associates

Kevin Barnicle, Founder and CEO, Controle

Page 2

Partnership

• Mission: Help “Controle” data for Compliance (GDPR)

• Microsoft - Security and Compliance

• 450+ highly regulated / litigious industries

• Fast growing company

Page 3

Security

Diagram: Security vs. DATA: “Data Focused” / “Control Focused”

Page 4

GDPR Basics

Page 5

Business Intelligence


What is it?

Page 6

GDPR Explained

Simon Natalia

Page 7

GDPR Explained

The GDPR bill of rights for individuals:

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling

Page 8

GDPR Explained

Framework activities shown on the slide:

• Privacy Policy
• Identify Data/PII
• Technical Data Assessment
• Data Protection Officer (DPO)
• Classification / Labels
• Data Subject Requests (DSR)
• Technical Controls Assessment
• Privacy Training
• Encryption
• Detect / Respond
• 72 Hour Notification / IRP
• Activity Recording / Reporting

Phases and the GDPR articles each maps to:

• Uncover, Search and Make Personal Data Visible: Articles 15, 16, 17, 18, 20, 30
• Place Controls Around Personal Data: Articles 5, 17, 32
• Protect Personal Data from Loss, Damage or Breach: Articles 5, 25, 32, 33, 34, 35
• Ensure Continual Adherence to GDPR Standards: Articles 5, 15, 16, 17, 18, 20, 24, 35, 42, 44, 45

Page 9

GDPR: DISCOVER AND MANAGE

Page 10

Journey to GDPR with Controle

Timeline milestones:

• Month 1: Analysis and Preparation
• Month 2: Planning
• Month 3: Privacy & Compliance
• Month 4 & 5: Implementation & Migration
• Month 6: End User Training & Adoption

Activities laid out along the timeline:

• GDPR 101
• Detailed Assessment
• Data Discovery
• Contracting & Procurement
• Project Planning
• Internal Audit
• End User Training & Adoption
• Data Classification Strategy & AIP Implementation
• Data Governance & Classification
• Email & Data Migration
• GDPR Related Policies & Procedures
• Office 365 for GDPR by Controle Configuration
• Response Protocol for Data Subject Access: Planning and Testing
• GDPR Technology Workshops
• GDPR team finalization
• Transition Planning

Page 11

GDPR Best Practices

1. Get Legal/Compliance and IT on the same page.
2. Late to planning = focus on highest risk areas:
   1. Privacy Policies
   2. Data Subject Requests
   3. Breach prevention, detection and notification
3. Data classification: less is more initially
   – Label PII as Confidential, Sensitive, etc.
   – Automate. Minimize end user involvement.
4. Practice and mock up Data Subject Requests
5. Journey. Get started. Avoid analysis paralysis.

Page 12

GDPR Technical Risk Areas

1. Data Subject Requests (DSR, DSAR)
   • Have obligation to find, produce, and delete/change PII
   – Extremely difficult (data all over the place: O365, file shares, etc.)
   – Need to comb through a lot of data in a short period of time (30 days)
   – Need full audit trail / technology enablement
   – Need a repeatable and defensible process
2. Breach prevention/notification
   – Protect data at perimeter, source, and in transit
   – Detect and notify of breaches

Page 13

Walk-Thru

Page 14

To ask questions, either:

1) Take phone off mute, ask.

2) Type question in IM Window

Page 15

GDPR: PROTECT

Page 16

GDPR Explained

Framework activities (as on Page 8, with “Security Program” in place of “Encryption”): Privacy Policy, Identify Data/PII, Technical Data Assessment, Data Protection Officer (DPO), Classification / Labels, Data Subject Requests (DSR), Technical Controls Assessment, Privacy Training, Security Program, Detect / Respond, 72 Hour Notification / IRP, Activity Recording / Reporting.

Highlighted phase: Protect Personal Data from Loss, Damage or Breach: Articles 5, 25, 32, 33, 34, 35

Page 17

Compliance Walk-Thru

https://ServiceTrust.Microsoft.com

Page 18

Technical Controls Assessment

Page 19

PULSE Aware – Security Awareness Training

1) Security Awareness Training Library
2) Monthly Social Engineering Evaluation
   • Baseline and monthly reporting
   • Customized phishing email and landing pages
3) Reinforce good employee habits consistently
   • Scenario-based training exercises
   • Security tips and tricks email (at your pace)
   • Training assessments & reporting on results

Training course examples:

• Intro security awareness training
• Handling sensitive information securely
• Basics of credit card security
• Ransomware
• Mobile data security
• PCI & GLBA compliance
• Strong passwords
• Safe web browsing
• Financial institution physical security

Page 20

Page 21

Page 22

Page 23

Weekly O365 Security Check

• Mailbox Auditing
• Inbox Forwarding
• Mailbox Retention
• Office 365 Domains
• Office 365 Settings
• MFA Phone Numbers
• Foreign Mailbox Logons
• Old / Unused Mailboxes
• Roles assigned
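A script for two of the items on this slide, Mailbox Auditing and Inbox Forwarding, added here as an example and not part of the Peters & Associates deck or the Controle offering. It assumes the ExchangeOnlineManagement module with Connect-ExchangeOnline already run under a role that can read recipients, and a constructed placeholder list of your own domains in $InternalDomains.

```powershell
# Added example (not from the deck): weekly Exchange Online check for the
# "Mailbox Auditing" and "Inbox Forwarding" items of the slide.
# Assumptions: ExchangeOnlineManagement module installed and Connect-ExchangeOnline
# already run with a role that can read recipients; $InternalDomains is a
# constructed placeholder that must list your own accepted domains.
$InternalDomains = @('example.com')

function Test-ExternalAddress {
    # Returns $true when an address (plain SMTP, or "Name [SMTP:user@domain]"
    # as inbox rules store recipients) points outside $InternalDomains.
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    if ($Address -match 'SMTP:([^\]]+)') { $Address = $Matches[1] }
    $domain = ($Address.Trim() -split '@')[-1].ToLower()
    return ($InternalDomains -notcontains $domain)
}

function Get-WeeklyMailboxFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    $mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
    foreach ($mbx in $mailboxes) {
        $upn = $mbx.UserPrincipalName
        # Mailbox Auditing: without it there is no per-mailbox activity trail
        # to produce for a DSR or for a 72-hour breach notification.
        if (-not $mbx.AuditEnabled) {
            $findings.Add([pscustomobject][ordered]@{ Mailbox=$upn; Check='AuditDisabled'; Detail='' })
        }
        # Inbox Forwarding, mailbox level (set by an admin or through Outlook settings)
        if (Test-ExternalAddress $mbx.ForwardingSmtpAddress) {
            $findings.Add([pscustomobject][ordered]@{ Mailbox=$upn; Check='ExternalForwarding'; Detail=$mbx.ForwardingSmtpAddress })
        }
        # Inbox Forwarding, rule level: rules that forward or redirect outside the tenant
        foreach ($rule in (Get-InboxRule -Mailbox $upn)) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($t in $targets) {
                if (Test-ExternalAddress "$t") {
                    $findings.Add([pscustomobject][ordered]@{ Mailbox=$upn; Check='ExternalInboxRule'; Detail="$($rule.Name) -> $t" })
                }
            }
        }
    }
    return $findings
}

$report = Get-WeeklyMailboxFindings
$report | Export-Csv -Path '.\o365-weekly-check.csv' -NoTypeInformation
$report | Format-Table -AutoSize
```

Keep each week's CSV: the diff between two runs is the review list, and the retained files are part of the audit trail the DSR slide calls for.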

Page 24

Discuss then Demo

1. Secure Score
2. Azure Active Directory (Conditional Access, MFA)
3. Azure Identity Protection
4. Advanced Threat Analytics
5. Intune (MDM and MAM)
6. Azure Information Protection (AIP): Data Classification – Manual or Automatic
7. O365 Data Loss Prevention
8. Cloud App Security
9. eDiscovery, Advanced eDiscovery
10. Audit and Activity Reporting
11. O365 ATP
12. O365 Advanced Security
13. O365 Threat Intelligence
14. Advanced Governance
15. Windows 10 - Defender ATP, Bitlocker, Hello, Direct Access

Page 25

GDPR: REPORT

Page 26

GDPR Explained

Framework activities (as on Page 8, with “Security Program” in place of “Encryption”): Privacy Policy, Identify Data/PII, Technical Data Assessment, Data Protection Officer (DPO), Classification / Labels, Data Subject Requests (DSR), Technical Controls Assessment, Privacy Training, Security Program, Detect / Respond, 72 Hour Notification / IRP, Activity Recording / Reporting.

Highlighted phase: Ensure Continual Adherence to GDPR Standards: Articles 5, 15, 16, 17, 18, 20, 24, 35, 42, 44, 45

Page 27

Audit Walk-Thru

Page 28

Page 29

Discussion

Page 30

Events, Webinars & Blogs

http://www.peters.com/events
http://www.peters.com/blog/

Page 31

To ask questions, either:

1) Take phone off mute, ask.

2) Type question in IM Window

Page 32

1801 S. Meyers Road, Suite 120, Oakbrook Terrace, IL 60181

(630) 832-0075

Thank you!


Bruce Ward

[email protected]

Kevin Barnicle

[email protected]