The 12-month countdown to GDPR enforcement has begun. If you haven’t yet started reviewing its impact, now is an ideal time to treat it as a positive opportunity for your organisation to re-assess its security maturity.
Whilst many vendors are focussing on the penalties and fines associated with breaches of Personally Identifiable Information (PII) regulation, there are several ways to mitigate the risk, namely people, process and technology.
A review of policies and standards, and of how they are implemented, needs to be a key foundational step towards meeting GDPR requirements. In doing so, organisations will ensure that staff understand the sensitive or confidential nature of corporate information and PII and the security processes that go with it, and will be better placed to make considered, effective investments in technology infrastructure. Making “rules before tools” your mantra should help reduce cost and mitigate risk.
The ISO27k family of standards provides a good baseline to assist organisations in demonstrating that they have policies in place to support the requirements of the GDPR. ISO standards are not written to comply with the laws of any particular jurisdiction, so there will be a need to interpret or apply them to support the data protection regulations. The controls outlined in Annex A of the ISO27001 Information Security Management System (ISMS) standard and the related ISO27002 standard provide a good starting point. Additional controls are covered in standards such as ISO27017 and ISO27018; the latter, the code of practice for protection of PII by public cloud service providers acting as PII processors, will also be relevant to apply. ISO27017 delivers some brand new security controls for personal data and extends existing ISO27002 controls to cover cloud privacy.
The privacy and protection of personal data is an area where an ISMS will need specific work so that it provides extended coverage of PII and of those who work with or manage that data, as defined in the GDPR. This will help to manage the risk and the use of mitigating controls around personal data without the need for a separate, similar set of information protection processes just for GDPR.
Some of the new controls introduced in ISO27018 to increase the level of protection of personal data stored in the cloud include:
- Secure erasure of temporary files
- Recording of PII disclosures to third parties
- Notification of data breach involving PII
- PII return, transfer and disposal policies
- Encryption of PII data that is transmitted over public networks
- The use of unique user IDs for cloud customers
- Disclosing the geographic location of stored data to the cloud customer
However, human factors will ultimately play a big part in ensuring an organisation does not fall foul of the new regulation in May 2018. This reinforces the importance of taking the pending GDPR regulation as an ideal opportunity to re-assess your IT security policies and standards, updating them to align with current standards such as ISO27002 and ISO27018 in order to demonstrate good information governance.
Having the policies documented in easy-to-understand, non-technical language and made accessible to all staff is key, along with an ongoing maintenance plan to ensure the policies are always current and relevant to your organisation.
Protocol Policy Systems provides a customisable, intranet-based IT policy management platform of around 25 key IT policies. The policies are cross-referenced to standards such as ISO27002 and PCI-DSS, and fully cross-referenced to the Public Services Network (PSN) compliance requirements.
To review how our IT policy management platform may be adopted to demonstrate good information governance as part of your preparations for GDPR, please contact firstname.lastname@example.org to schedule a demonstration or to arrange an initial discussion with one of our subject matter experts.