Advisory and Risk Management
CTI Global works with an enterprise’s information security risk practitioners to identify organizational risk. The foundation of information security is not patching, or good code design, or training users to avoid phishing. The foundation is, pure and simple, risk management. You identify what information security risks your enterprise faces, and you work to mitigate them depending on the risk appetite of your executive leadership. This statement is excerpted from Richard Guida’s book, The Entropy Police: Practicing Information Security in the Enterprise.
The General Data Protection Regulation (GDPR) is one of the most important movements in the area of data protection in recent years. It was passed into European Union (EU) law on 28th April 2016 and will become enforceable on 25th May 2018. In summary, the GDPR defines controls around how organizations store and process the personal data of EU residents, irrespective of where the organization is based, owned, or operating. Note that it applies to EU residents, not citizens. Further, an EU resident traveling in the US and doing business in the US, e.g. purchasing something at a retail brick-and-mortar store there, does not subject that store to the GDPR. That same person purchasing something from the same store BUT while the person is in the EU and the purchase is done over the internet DOES subject the store to the GDPR; at least that is the position of the EU regulators, although it has not yet been tested in court.
Anyone storing or processing the personal data of an EU resident must comply with the GDPR or face significant fines in the event of an audit or data breach. Those fines can be up to 4% of the organization's global turnover or €10m, whichever is greater. With this level of impact, it is vital that all organizations understand their obligations under the GDPR and take appropriate measures to ensure they are compliant, demonstrating that the proper controls are in place to protect information.
GDPR was designed to simplify the current requirements and not introduce a massive new burden on organizations. In fact, GDPR consolidates the 28 distinct implementations of the previous Data Protection Directive (95/46/EC) into one regulation for consistency, standardized version control, and reporting.
CTI Global can be engaged to complete a GDPR Gap Analysis and Compliance Remediation Plan.
CTI Global will:
- Develop a profile of your organization’s current state of compliance to the requirements of GDPR leveraging the company’s existing standards, e.g. ISO 27001 ISMS and EU-US Privacy Shield certifications.
- Develop recommendations relating to the use of additional approved certification mechanisms to demonstrate compliance with GDPR Articles 24 and 42.
- Provide a detailed GDPR compliance remediation plan which includes identifying those issues that require advice and direction from counsel.
- Conduct Data Mapping of the collection, processing, storage, and transfer of EU personal data within your organization.
- Conduct a Risk Assessment and Data Protection Impact Assessment as required by GDPR.
The ISO 27001 standard is well suited to tailoring; it does not require undue bureaucratic overhead to implement. The standard explicitly states that an enterprise's information security management system must take into account the context of the organization and not be a notional or theoretical construct divorced from the practical realities that the organization faces. The best way to start a discussion on ISO 27001 is to describe the documents that need to be created to meet the requirements of the standard. In some cases, the documents are policies. In other cases, they are standard operating procedures, and in other cases they are declaratory statements.
The Information Security Policy needs to include:
- Definition of Security Roles and Responsibilities
- Acceptable Use of Assets
- Access Control Policy
- Secure System Engineering Principles
- Statutory, Regulatory and Contractual Requirements
Standard Operating Procedures need to include:
- Incident Management Procedure
- Business Continuity Procedure
- Operating Procedures for IT Management
Declaratory statements should address these topics:
- Information Security Management Scope and Boundaries
- Information Security Policy itself
- Risk Assessment and Risk Treatment Methodology
- Statement of Applicability
- Risk Treatment Plan
- Risk Assessment Report
- Inventory of Assets
This overall list may seem daunting, and it can be, but there are ways to deal with it that reduce the apparent impact of doing everything it implies. The ISO 27001 process concludes with an audit. Depending on the auditor you get, the depth necessary to pass the audit will vary. In preparing clients to succeed in such audits, we usually start helping the client about six months prior to the audit. Our help includes assembling the necessary documentation (often writing much of it for the first time), preparing the people who will be interviewed, and then acting as an advisor during the conduct of the audit itself.