GDPR is the most significant change to data protection in a generation and an imminent global issue that will dominate data privacy, management and regulation discussions in 2017. According to recent research, over half of businesses lack preparedness for GDPR. With a quarter of the EU’s grace period over and with fines of up to €20 million (or 4% of global turnover), there is a lot at stake for companies falling behind the May 2018 deadline. So, where do you start? Join renowned information security consultant and GDPR expert, Brian Honan, along with Tim Erlin, Senior Director, Security and IT Risk Strategist at Tripwire as they walk you through the essential steps to accelerate your GDPR preparedness. In this session you will learn: • The key facts about the GDPR regulations • The implications of the new rules and how they will impact your business • Practical steps your business can take to prepare • How your existing security frameworks (ISO/NIST/CSC) can help set the foundation • How Tripwire can help

1. The EU GDPR
What Is It & Why Should I Care?
Brian Honan

2. CEO of BH Consulting – Independent Information Security Firm
Founder & Head of IRISSCERT – Ireland’s first Computer
Emergency Response Team
Special Advisor on Internet Security Europol's CyberCrime
Centre (EC3)
Adjunct Lecturer at University College Dublin
Expert Advisor to European Network & Information Security
Agency (ENISA)
Regularly comments on media stories –
BBC, Forbes, Bloomberg, FT, Guardian, Sunday Times
Who Am I?

5. “Why do you rob
banks?”
“Because that's
where
the money is.”
Willie Sutton

6. “Why do you hack
companies?”
“Because that's
where
the Data is.”
CyberWillie Sutton

7.  The EU General Data Protection Regulation (GDPR)
is the update to the EU Data Protection Directive
 Came into Force 24th May 2016
 Will Apply Across All 28 EU Member States
25th May 2018
(Just over 15 months to be ready)
What is GDPR?

8.  Updates the EU Data Protection Directive with a
Strong Focus on Individual’s Privacy Rights
 Harmonises the Data Protection Regime Across All
28 EU Member States
 Will Apply Across All 28 EU Member States
 Significant (and Fines) Obligations on Organisations
Holding Personal Data
What is GDPR?

9.  Personal Data
‘personal data’ means any information relating to an
identified or identifiable natural person (‘data
subject’); an identifiable natural person is one who
can be identified, directly or indirectly, in particular
by reference to an identifier such as a name, an
identification number, location data, an online
identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person;’
What is GDPR?

10. EU GDPR Applies to EU Member States

11. EU GDPR Also Applies Globally

12.  The Right to be Informed
 The Right of Access
 The Right to Rectification
 The Right to Erasure
Otherwise Known As The Right to Be Forgotten
 The Right to Restrict Processing
 The Right to Data Portability
 The Right to Object
 Rights in Relation to Automated Decision Making and
Profiling
What it Means to The Individual

13.  Obtain Clear Consent
 Obtain parental consent if Data Subject Under 16
 Provide a Copy of an Individual’s Personal Data on
Request
 Erase all Personally Identifiable Records if Requested
 Provide “Adequate Security”
 Privacy Impact Assessments
 One Supervisory Authority to Deal With
 You Can Select your Preferred Supervisory Authority
What it Means to Organisations?

14.  If Personal Data Breach
“likely to result in a risk to the rights and freedoms
of individuals”
 Notify The Supervisory Authority Within 72 Hours of
Becoming Aware of Breach
 If High Risk Breach Likely To Affect Rights and
Freedoms of Individuals
“ You Must Notify Those Concerned Directly”
Mandatory Breach Notifications

15.  The Nature of the Personal Data Breach Including:
 Categories and Approximate Number of Individuals
Impacted;
 Categories and Approximate Number of Personal Data
Records Concerned;
 Contact Details of the Data Protection Officer or Other Contact
Point;
 Description of Likely consequences of the Personal Data
Breach;
 Description of Measures Taken, or Will be Taken to;
 Deal with the Breach
 Measures (if appropriate) Taken to Mitigate any Possible
Adverse Effects.
Mandatory Breach Notifications

16.  Mandatory For
 A Public Authority (with some exceptions);
 Companies with;
 Large Scale Systematic Monitoring of Individuals,
 Large Scale Processing of Special Categories of Data
 Large Scale Processing of Data Relating to Criminal
Convictions and Offence
 Data Protection Officer Must
 Report to the Highest Management Level of
Organisation
 Operates independently
 Is not Dismissed or Penalised for Performing their
Task.
 Have Adequate Resources are Provided
Appoint A Data Protection Officer

17. Significant Fines
 Supervisory Authority Can Fine;
 Up to €20,000,000 (or 4% of total annual global turnover,
whichever is greater) for the most serious infringements
 Failing to notify a breach when required to do so can result
in a significant fine up to 10 million Euros or 2 per cent of
your global turnover
 On Top of Fine for the Breach itself
 An Individual(s) Can
 Complain to Supervisory Authority
 Right To Compensation
 Potential for Group Actions

18. Trend Micro's UK Study re GDPR
 50% of UK IT decision makers were unaware of the
impending legislation
 25% percent adamant that compliance is not
achievable
Ready for GDPR?

19. May 25th 2018

20. Identify Key Data Assets

22. Establish Policies

23. Use Existing Frameworks
 ISO/IEC 27001:2013 Information Security Standard
 ISO/IEC/27002:2013 Guidance
 NIST CyberSecurity Framework
 The Center for Internet Security - Critical Security
Controls

24. Security
Awareness
Training

25. Monitor & Respond

26. Start Your GDPR Project Now

27. @BrianHonan
Brian.honan@bhconsulting.ie

29. 1000s
of successful
customer
deployments
Trusted
by half the
Fortune 500
96%
customer
satisfaction
20M
critical
endpoints
covered
globally

30. Extensive library of security
configuration best-practices to establish
and monitor configurations
Detection and alerts on all changes to
established baseline—what, who and
business context
Discover assets, vulnerabilities and
malicious changes, and help automate
the workflow and process of remediation
Automate manual processes associated
with dealing with change—isolate and
escalate changes and events of interest
Assess configurations
against security policies
Detect unauthorized changes
Identify risks on assets
Deal with security
data overload

31. Out-of-the-box audit report templates,
and automated compliance reporting
Industry’s most comprehensive library of
policy tests for all major standards
Logging of changes to in-scope assets
with details on who and when
Continuous monitoring and
reporting to flag remediation
needed to stay compliant
Reduce the time spent
on compliance
Demonstrate compliance with
standards
Produce data for audits
and for forensics
Maintain compliance
over time

32. Configuration &
Compliance
Management
Log
Management
Vulnerability
Management
Integrity
Monitoring

33. Configuration &
Compliance
Management
Log
Management
Vulnerability
Management

35. 20 Critical Security Controls
Tripwire
Solutions
CSC1
Inventory of Authorized and
Unauthorized Devices
CSC2
Inventory of Authorized and
Unauthorized Software
CSC3
Secure Configurations for Hardware
and Software
CSC4
Continuous Vulnerability Assessment
and Remediation
CSC5
Controlled Use of Administrative
Privileges
CSC6
Maintenance, Monitoring, and Analysis
of Audit Logs
CSC7 Email and Web Browser Protections
CSC8 Malware Defenses
CSC9 Limitation and Control of Network Ports
CSC10 Data Recovery Capability
CSC11
Secure Configurations for Network
Devices
CSC12 Boundary Defense
CSC13 Data Protection
CSC14
Controlled Access Based on the Need
to Know
CSC15 Wireless Access Control
CSC16 Account Monitoring and Control
CSC17
Security Skills Assessment and
Appropriate Training to Fill Gaps
CSC18 Application Software Security
CSC19 Incident Response and Management
CSC20
Penetration Tests and Red Team
Exercises

38. tripwire.com | @TripwireInc
http://www.tripwire.com