GDPR Compliance: 5 Security Strategies
The GDPR compliance deadline is rapidly approaching. If you are a global organization or a company that does business in the European Union, then the date May 25, 2018 should mean something to you. That is the General Data Protection Regulation (GDPR) compliance deadline. And it is only months away.
GDPR is a new EU-based regulation that protects the personal data of individuals within the EU. No matter where your organization is headquartered or established, you must comply with GDPR if you are collecting or processing personal data of EU citizens. When it comes to security expectations around protecting customer data, GDPR is very clear. What isn’t quite as clear is exactly how an organization should go about securing their data. The road to compliance might be different for every organization, but the end result should include methods for reducing the security vulnerabilities and new ways to track and report personal data access and processing.
GDPR Compliance Tips for Developing Your Plan
If you haven’t started already, now is the time to begin developing your plan for compliance. We recently released a white paper, Five Security Strategies for GDPR Compliance that discusses some of the key GDPR security requirements and how Ivanti can help meet the requirements. The white paper also provides strategies that you should consider adding to your GDPR compliance plan to help you prepare for the 2018 deadline. I have included just a highlight of the information below to help you on your way:
1. Decrease security exposures from mobile workers - The number of mobile workers regularly accessing cloud-based apps and services from multiple devices and multiple locations is growing. To mitigate risk and help ensure GDPR compliance, new context-aware security and policy controls are needed. Context-aware controls adapt a user’s workspace to the level of security risk they pose based on the location, known or unknown device, trusted or untrusted network, unrecognized or company-sanctioned USB drives or peripherals, and time of day. With context-aware access controls in place, IT departments can easily control and track user access and create audit trails that assist your organization with meeting GDPR compliance requirements.
2. Reduce and control privileged user access - Many organizations grant elevated user access or admin rights to a much larger number of users than is needed to adequately manage systems. These privileged users are prime targets of malicious actors because their elevated access rights allow attackers to more easily navigate corporate networks, systems and apps. To reduce risk, implement dynamic access controls that automatically elevate and reduce access as needed so users can efficiently conduct their work. Privileged user rights should be immediately returned to normal when admins or others move out of an app or indicate a job is complete. Reducing the number of privileged users decreases the risk of malicious actors gaining full access to personal data, thereby helping organizations comply with GDPR.
3. Limit success rates for ransomware and malware - Cybercriminals use email phishing attacks, websites, external drives and peripherals to transmit malicious code to devices and gain access to personal data. Most organizations already have some form of whitelisting in place, but adding granular hash-level controls that employ signatures to open files or execute apps can prevent users from accidentally launching an attack. Put controls in place to dynamically block users from accessing specific websites or files, prevent users from saving malicious files to local drives or disks, and lock down external devices so only protected or encrypted files can be opened or saved. These types of proactive controls help organizations ensure personal data is protected and help demonstrate compliance with GDPR security requirements.
4. Ensure complete and accurate onboarding and offboarding - Many organizations still rely on manual processes to onboard and offboard workers, which often leads to inaccuracies and delays of days or weeks. Studies have shown that many workers still have access to corporate data after they leave an organization – sometimes for an extended period of time. It is important to implement IT processes that enforce access policies and automate the provisioning and deprovisioning of worker access to apps and services. With a more holistic approach to identity lifecycle management, you can significantly improve security to help support GDPR compliance requirements.
5. Log and track access to personal data for accurate reporting - Organizations must maintain records of all processing activities and be able to easily report on personal data use and processing compliance. Having the ability to prove that you are tracking who accessed what data is a must. Implement software solutions that provide detailed audit logs on deployed workspaces, including changes, usage, devices, apps and configurations. Having the right reporting capabilities in place will allow organizations to demonstrate proof of GDPR compliance, satisfy internal and external audit requests and quickly prepare the information required for reporting breaches to supervisory authorities and individuals.
GDPR Risk Assessment
Gauge your own GDPR readiness and discover how much risk your organization may face around the key data protection requirements. After you complete the survey, we will provide some strategies that you should consider adding to your GDPR compliance plan to help you prepare for the compliance deadline.