An Essential Guide to EU GDPR

Page 1: An Essential Guide to EU GDPR

The EU GDPR

What Is It & Why Should I Care?

Brian Honan

Page 2: An Essential Guide to EU GDPR

Who Am I?

• CEO of BH Consulting – Independent Information Security Firm
• Founder & Head of IRISSCERT – Ireland’s first Computer Emergency Response Team
• Special Advisor on Internet Security to Europol's Cybercrime Centre (EC3)
• Adjunct Lecturer at University College Dublin
• Expert Advisor to the European Network & Information Security Agency (ENISA)
• Regularly comments on media stories – BBC, Forbes, Bloomberg, FT, Guardian, Sunday Times

Page 5: An Essential Guide to EU GDPR

Courtesy Dermot Casey

“Why do you rob banks?”

“Because that's where the money is.”

Willie Sutton

Page 6: An Essential Guide to EU GDPR

Courtesy Dermot Casey

“Why do you hack companies?”

“Because that's where the Data is.”

Cyber Willie Sutton

Page 7: An Essential Guide to EU GDPR

What is GDPR?

• The EU General Data Protection Regulation (GDPR) is the update to the EU Data Protection Directive
• Came into Force 24th May 2016
• Will Apply Across All 28 EU Member States from 25th May 2018 (Just over 15 months to be ready)

Page 8: An Essential Guide to EU GDPR

What is GDPR?

• Updates the EU Data Protection Directive with a Strong Focus on Individuals’ Privacy Rights
• Harmonises the Data Protection Regime Across All 28 EU Member States
• Will Apply Across All 28 EU Member States
• Significant Obligations (and Fines) on Organisations Holding Personal Data

Page 9: An Essential Guide to EU GDPR

What is GDPR?

Personal Data

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Page 10: An Essential Guide to EU GDPR

EU GDPR Applies to EU Member States

Page 11: An Essential Guide to EU GDPR

EU GDPR Also Applies Globally

Page 12: An Essential Guide to EU GDPR

What it Means to The Individual

• The Right to be Informed
• The Right of Access
• The Right to Rectification
• The Right to Erasure (Otherwise Known As The Right to Be Forgotten)
• The Right to Restrict Processing
• The Right to Data Portability
• The Right to Object
• Rights in Relation to Automated Decision Making and Profiling

Page 13: An Essential Guide to EU GDPR

What it Means to Organisations?

• Obtain Clear Consent
• Obtain Parental Consent if the Data Subject is Under 16
• Provide a Copy of an Individual’s Personal Data on Request
• Erase all Personally Identifiable Records if Requested
• Provide “Adequate Security”
• Privacy Impact Assessments
• One Supervisory Authority to Deal With
• You Can Select your Preferred Supervisory Authority

Page 14: An Essential Guide to EU GDPR

Mandatory Breach Notifications

• If a Personal Data Breach is “likely to result in a risk to the rights and freedoms of individuals”: Notify The Supervisory Authority Within 72 Hours of Becoming Aware of the Breach
• If a High Risk Breach is Likely To Affect the Rights and Freedoms of Individuals: “You Must Notify Those Concerned Directly”

Page 15: An Essential Guide to EU GDPR

Mandatory Breach Notifications

• The Nature of the Personal Data Breach, Including:
  • Categories and Approximate Number of Individuals Impacted;
  • Categories and Approximate Number of Personal Data Records Concerned;
• Contact Details of the Data Protection Officer or Other Contact Point;
• Description of the Likely Consequences of the Personal Data Breach;
• Description of Measures Taken, or to be Taken, to Deal with the Breach;
• Measures (if appropriate) Taken to Mitigate any Possible Adverse Effects.

Page 16: An Essential Guide to EU GDPR

Appoint A Data Protection Officer

• Mandatory For:
  • A Public Authority (with some exceptions);
  • Companies with Large Scale Systematic Monitoring of Individuals;
  • Large Scale Processing of Special Categories of Data;
  • Large Scale Processing of Data Relating to Criminal Convictions and Offences
• The Data Protection Officer Must:
  • Report to the Highest Management Level of the Organisation
  • Operate Independently
  • Not be Dismissed or Penalised for Performing their Task
  • Have Adequate Resources Provided

Page 17: An Essential Guide to EU GDPR

Significant Fines

• The Supervisory Authority Can Fine:
  • Up to €20,000,000 (or 4% of total annual global turnover, whichever is greater) for the most serious infringements
  • Failing to notify a breach when required to do so can result in a significant fine of up to 10 million Euros or 2 per cent of your global turnover, On Top of the Fine for the Breach itself
• An Individual(s) Can Complain to the Supervisory Authority
• Right To Compensation
• Potential for Group Actions

Page 18: An Essential Guide to EU GDPR

Ready for GDPR?

Trend Micro's UK Study re GDPR

• 50% of UK IT decision makers were unaware of the impending legislation
• 25% adamant that compliance is not achievable

Page 19: An Essential Guide to EU GDPR

May 25th 2018

Page 20: An Essential Guide to EU GDPR

Identify Key Data Assets

Page 21: An Essential Guide to EU GDPR
Page 22: An Essential Guide to EU GDPR

Establish Policies

Page 23: An Essential Guide to EU GDPR

Use Existing Frameworks

• ISO/IEC 27001:2013 Information Security Standard
• ISO/IEC 27002:2013 Guidance
• NIST CyberSecurity Framework
• The Center for Internet Security - Critical Security Controls

Page 24: An Essential Guide to EU GDPR

Security Awareness Training

Page 25: An Essential Guide to EU GDPR

Monitor & Respond

Page 26: An Essential Guide to EU GDPR

Start Your GDPR Project Now

Page 28: An Essential Guide to EU GDPR

TRIPWIRE OVERVIEW

Foundational Controls for GDPR

Tim Erlin, Sr. Dir. Product Management, Tripwire

Page 29: An Essential Guide to EU GDPR

A Leader in Security, Compliance and Operational Excellence

• Foundational controls for Security, Compliance and IT Operations
• Stable, growing public company in a chaotic industry
• Relied on by thousands of customers since 1997

• 1000s of successful customer deployments
• Trusted by half the Fortune 500
• 96% customer satisfaction
• 20M critical endpoints covered globally

Page 30: An Essential Guide to EU GDPR

How we enable Security

• Assess configurations against security policies: Extensive library of security configuration best-practices to establish and monitor configurations
• Detect unauthorized changes: Detection and alerts on all changes to the established baseline (what, who and business context)
• Identify risks on assets: Discover assets, vulnerabilities and malicious changes, and help automate the workflow and process of remediation
• Deal with security data overload: Automate manual processes associated with dealing with change; isolate and escalate changes and events of interest

Page 31: An Essential Guide to EU GDPR

How we support Compliance

• Reduce the time spent on compliance: Out-of-the-box audit report templates, and automated compliance reporting
• Demonstrate compliance with standards: Industry’s most comprehensive library of policy tests for all major standards
• Produce data for audits and for forensics: Logging of changes to in-scope assets with details on who and when
• Maintain compliance over time: Continuous monitoring and reporting to flag remediation needed to stay compliant

Page 32: An Essential Guide to EU GDPR

Tripwire Capabilities

• Configuration & Compliance Management: Policy Management; Configuration Management; Automated Remediation
• Log Management: Secure, Reliable Log Collection; Correlation and Log Forwarding; Flexible Log Storage and Retention
• Vulnerability Management: Asset Inventory and Profiling; Vulnerability Assessment; Risk Scoring and Prioritization
• Integrity Monitoring: File Integrity Monitoring; System Configuration Monitoring; Database Configuration Monitoring
• Network Security
• IT Service Management
• Threat Intelligence
• SIEM & Analytics


Page 34: An Essential Guide to EU GDPR


Tripwire supports numerous frameworks and standards

Page 35: An Essential Guide to EU GDPR

Tripwire Supports Security & Compliance Frameworks

Tripwire supports security and compliance frameworks including NIST, COBIT, PCI, ISO 27000, FISMA

The Center for Internet Security - Critical Security Controls

20 Critical Security Controls (Tripwire Solutions)

• CSC1 Inventory of Authorized and Unauthorized Devices
• CSC2 Inventory of Authorized and Unauthorized Software
• CSC3 Secure Configurations for Hardware and Software
• CSC4 Continuous Vulnerability Assessment and Remediation
• CSC5 Controlled Use of Administrative Privileges
• CSC6 Maintenance, Monitoring, and Analysis of Audit Logs
• CSC7 Email and Web Browser Protections
• CSC8 Malware Defenses
• CSC9 Limitation and Control of Network Ports
• CSC10 Data Recovery Capability
• CSC11 Secure Configurations for Network Devices
• CSC12 Boundary Defense
• CSC13 Data Protection
• CSC14 Controlled Access Based on the Need to Know
• CSC15 Wireless Access Control
• CSC16 Account Monitoring and Control
• CSC17 Security Skills Assessment and Appropriate Training to Fill Gaps
• CSC18 Application Software Security
• CSC19 Incident Response and Management
• CSC20 Penetration Tests and Red Team Exercises

Page 36: An Essential Guide to EU GDPR


NIST Cyber Security Framework

Page 37: An Essential Guide to EU GDPR

GDPR: Tripwire Supports Your Efforts

• Article 25 Data protection by design and by default
• Article 30 Records of processing activities
• Article 32 Security of processing
• Article 35 Data protection impact assessment
• Article 39 Tasks of the data protection officer
• Article 59 Activity reports

Page 38: An Essential Guide to EU GDPR

Thank You

Brian Honan, Owner/Founder, BH Consulting, @BrianHonan

Tim Erlin, Sr. Dir. Product Management, Tripwire, @terlin

http://www.tripwire.com | @TripwireInc