SlideShare une entreprise Scribd logo

Compliance mapping GDPR vs ISO_en

Balázs Antók
Balázs Antók

GDPRvs ISO The similarities in Privileged Access Management (PAM) requirements This mapping table aims to highlight the similarities in Privileged Access Management (PAM) requirements that exist between the General Data Protection Regulation (GDPR) and the international standard ISO/IEC 27001:2013. It should help readers understand how a ubiquitous privileged access management solution can be used to answer several compliance regulations without disrupting users’ and administrators’ daily activities. This mapping table distinguishes the direct and indirect values brought by PAM to help companies comply with both these regulations.

Direction et management
1  sur  7
Télécharger pour lire hors ligne
WALLIX I 2018 The similarities in Privileged Access Management (PAM) requirements GDPRvs ISO
2 GDPRvs ISOThe similarities in Privileged Access Management (PAM) requirements 2 ABSTRACT This mapping table aims to highlight the similarities in Privileged Access Management (PAM) requirements that exist between the General Data Protection Regulation (GDPR) and the international standard ISO/IEC 27001:2013. It should help readers understand how a ubiquitous privileged access management solution can be used to answer several compliance regulations without disrupting users’ and administrators’ daily activities. This mapping table distinguishes the direct and indirect values brought by PAM to help companies comply with both these regulations.
3 GDPR vs ISO - The similarities in PAM requirements • WALLIX 2018 GDPR ISO/IEC 27001:2013 Privileged Access Management Article Note Section Note Added Value 5 These subsections specify that personal data must be: accurate and kept up to date (1d), and processed securely to protect their integrity and confidentiality (1f). A.5 A.6 A.9 A.11 A.12 A.15 A.16 A.18 A majority of controls covered in ISO 27001 meet the requirement of that article as the standard aims to anticipate many of the norms and regulations in place. PAM plays a critical role in both those scenarios because it reinforces access to critical data and gives super admins the complete visibility over each individual privileged user and their session, including what they do, when, and how. 15 Under GDPR, individuals have a Right of access over their data. For example, they can request information about who accesses or will access their data and where they will be used (1c). A.6 A.9 A.12 Sections 6, 9 and 12 of ISO 27007 cover three key elements of GDPR’s Article 15 because they can provide individuals with information about how their personal data is processed and by whom. A PAM solution provides super- administrators with a complete visibility over privileged users from the moment the log into a target system; it can list all privileged users according to their rights, grant or revoke access, monitor and record session logs and activities, etc. This visibility can help controllers answer GDPR’s Right of access. 24 The controller and processor in charge of controlling the processing of personal data must ensure and provide proof of data security according to state-of-art policies. A.5 A.6 A.9 A.12 A.15 ISO 27001 largely covers GDPR’s Article 24, from ensuring that security policies and roles are defined and in place, to reinforcing access controls. PAM helps define accurate and thorough security policies by helping super-administrators segregate duties, defining access rights and role allocation. It also reinforces personal data security through the control of access and sessions, and can provide feasible proofs of data security. 25 To guarantee an optimal level of data protection by design and by default, GDPR requires that appropriate technical and organizational measures be undertaken (2) and justified (3). A.5 A.6 A.9 A.12 A.15 ISO 27001 identifies several controls that answer Article 25 of the GDPR, some of which particularly deal with access and activity control of internal and external parties. A PAM solution helps define and implement the security policies identified by organizations to comply with GDPR and ISO 27001 by securing all privileged access and sessions, offering controllers password encryption and management, as well as a centralized view of all accounts, users, roles, and sessions in real-time and after an event has occurred through session recording. Direct need for PAM Legend: Indirect need for PAM
4 GDPR vs ISO - The similarities in PAM requirements • WALLIX 2018 GDPR ISO/IEC 27001:2013 Privileged Access Management Article Note Section Note Added Value 28 Where data processing involves the intervention of third parties, the data controller has the responsibility to ensure and justify that all third parties follow GDPR rules to secure data protection. A.9 A.15 A.18 Controls A.15 and A.18 of ISO 27001 are dedicated to controlling supplier relationships to ensure information security, and to confirming that companies are compliant with internal requirements. Control A.9 identifies specific security measures that help organizations reach that goal. The Session Manager module of a PAM solution records all activity logs generated by external parties and enables super-administrators to have a full view of third parties’ screens in real-time as if they were in front of the computer. These features can spot and alert fraudulent activities, terminate the sessions automatically or manually, and provide post-mortem proof for audit reports of who did what, when, and how. The PAM solution also ensures that third parties’ actions and access are limited to the scope of their mission. 29 GDPR specifically requires that processors solely access and process the data they need according the controller’s instructions. A.5 A.9 A.18 Controls A.5 and A.18 of ISO 27001 help the controller define the organizations’ security policies. Control A.9, Access Controls, deals with the implementation of this process. A PAM solution allows controllers to define specific access rules according to each privileged user’s rights and gives them the possibly to create different clusters for each privilege and access. 30 All controllers must keep a detailed track record of all processing activities under their responsibility (1&2). A.6 A.9 A.15 Control A.6 helps define a number of security policies to put in place which can give controllers the visibility they need over their users, particularly through the segregation of duties. Controls A.9 and A.15, addressing Access Controls and Supplier Relationships provide a feasible way for them to implement those policies. From the moment privileged users log into the target systems, their activity is recorded by the PAM solution and can be reviewed in various forms (logs, video, screenshots, etc.). PAM can integrate completely with other cybersecurity solutions such as SIEM to enhance the monitoring of activities and provide a complete security cycle, from high traceability to event alert and reporting.
5 GDPR vs ISO - The similarities in PAM requirements • WALLIX 2018 GDPR ISO/IEC 27001:2013 Privileged Access Management Article Note Section Note Added Value 32 GDPR calls for an evaluation of security risks and for the implementation of strict policies to guarantee data availability while maintaining integrity and confidentiality, and to achieve resilience in the event of an incident. A.5 A.6 A.9 A.16 A.18 Several controls required by ISO 27001 help answer Article 32. They enable organizations to address and maintain a holistic security cycle, from the definition of accurate policies to their implementation and evaluation. A PAM solution helps achieve these controls through four main elements: a password vault securing access with encrypted passwords, session management and monitoring, password management features enhancing access controls, and access management enforcing the principles of least privileged though clusters. A PAM solution should also easily integrate with other security technologies to fit in a broader cybersecurity ecosystem. 33 Personal data breaches must be notified to the supervisory authorities within 72 hours and without delay. . A.16 Control 16 of ISO 27001 deals with the management of security incidents and give organizations tools to comply with Article 33 A PAM solution provides security managers with accurate information about privileged account sessions and offers instant reporting on any administrative sessions that takes place on targeted systems which can give security managers a working narrative of the incident, helping controllers meet Article 33 of the GDPR. 35 Before going through data processing, the controller must assess the potential security risk and impact of the data processing on information confidentiality and integrity. A.6 Control A.6 helps define a number of security policies which can give controllers complete visibility over their users. Having complete visibility over data processing provides controllers with some valuable information which can be used to assess data processing’ security risks and impacts. PAM provides administrators with the means to create, adjust, or delete fine- grained groups of users and sub-users. It helps administrators have high visibility over the number of users within their system and allocate roles in a fluid manner. At the same time, administrators can directly assign users the right level of privilege from a central point of command, thereby allowing them respond to the principle of least privilege and segregate duties appropriately. With each role and privilege clearly defined, PAM allows controllers to assess the risk linked to data processing while mitigating the risk of unauthorized or negligent activity within organizations’ core network.
6 GDPR vs ISO - The similarities in PAM requirements • WALLIX 2018 GDPR ISO/IEC 27001:2013 Privileged Access Management Article Note Section Note Added Value 40 Supervisory authorities are expected to apply security best practices and lay out codes of conduct to ensure the proper application of GDPR. A.5 A.6 A.18 Controls A.5 and A.6 help define thorough organization and policies for information security. To comply with Article 40, the codes of conduct laid out by supervisory authorities can and should also be determined by internal security requirements and current regulations (A.18). PAM help security managers define and implement cybersecurity policies and procedures. Setting up a PAM solution requires administrators to create, adjust, or delete fine-grained groups of users and sub-users, which gives them visibility over roles and access rights. It also gives them the ability to segregate duties to respond to the principle of least privilege. These elements are key to respond to Article 40. 58 Independent public authorities in charge of monitoring GDPR compliance to protect European personal data have the right to access and process any information necessary for the performance of their task (1). A.6 A.9 While independent public authorities should have the right to access and process personal data, controllers should have a visibility over which data they are accessing and processing, what they are doing, how, and when according to best practices for cybersecurity. A PAM solution can restrict the access of independent public authorities and allow them to specifically process and view the information they need, diminishing the risk of negligence and human errors. PAM’s Session Manager module can also provide a track record of the activities that have been done on the systems, offering an additional layer of security in case of incident. 59 Supervisory authorities must produce an annual report of all of their activities (infringement types, security measures taken to strengthen data protection, etc.). A.16 Complying with Article 59 of GDPR requires to ensure the management of information security incident, described in ISO 27001’s Control A.16. Answering the objectives of this control will produce the necessary information for organizations to write their activity reports. PAM provides security managers with accurate information about privileged account sessions and offers instant reporting on any administrative sessions that takes place on targeted systems, elements which can help produce the annual activities report required by Article 59. This mapping table does not constitute as legal advice for meeting the European General Data Protection Regulation (GDPR).
www.wallix.com WALLIX Group is a cybersecurity software vendor dedicated to defending and fostering organizations’ success and renown against the cyberthreats they are facing. For over a decade, WALLIX has strived to protect companies, public organizations, as well as service providers’ most critical IT and strategic assets against data breaches, making it the European expert in Privileged Access Management. As digitalization impacts companies’ IT security and data integrity worldwide, it poses an even greater challenge if the data involved is highly sensitive. The recent regulatory changes in Europe (NIS/GDPR) and in the United States (NERC CIP/Cyber Security Directorate) urge companies belonging to sensitive sectors to place cybersecurity at the heart of their activity. In response to these challenges, WALLIX created a bastion designed to secure organizations’ core assets while adapting to their daily operational duties: WALLIX Bastion. The WALLIX bastion accompanies more than 100 operators in sensitive sectors to conform with regulations and over 400 organizations in the protection of their critical assets, securing the access to more than 100,000 resources throughout Europe and the MEA region. It was also the first government-certified solution in the market. WALLIX partners with a trained and certified network of over 90 resellers and distributors that help guarantee effective deployment and user adoption. WALLIX is the first European cybersecurity software editor to be publicly traded and can be found on EuroNext under the code ALLIX. As one of the leaders of the PAM market, major players trust WALLIX to secure access to their data: Danagas, Dassault Aviation, Gulf Air, Maroc Telecom, McDonald’s, and Michelin are among them. WALLIX is the founding member of Hexatrust. The WALLIX bastion was elected “Best Buy” by SC Magazine and awarded at the 2016 Computing Security Awards, BPI Excellence, and Pôle Systematic. Twitter: @wallixcom More information on: www.wallix.com WALLIX FRANCE (HQ) http://www.wallix.com/fr Email : sales@wallix.com 250 bis, rue du Faubourg Saint-Honoré 75017 Paris - FRANCE Tél. : +33 (0)1 53 42 12 90 Fax : +33 (0)1 43 87 68 38 WALLIX DEUTSCHLAND http://www.wallix.de Email: deinfo@wallix.com Landsberger Str. 398 81241 München Phone: +49 89 716771910 WALLIX UK http://www.wallix.co.uk Email: ukinfo@wallix.com 1 Farnham Rd, Guildford, Surrey, GU2 4RG,UK Office: +44 (0)1483 549 944 WALLIX ASIA PACIFIC (Bizsecure Asia Pacific Pte Ltd) Email: contact@bizsecure-apac.com 8 Ubi Road 2, Zervex 07-10 Singapore 408538 Tel: +65-6333 9077 - Fax: +65-6339 8836 WALLIX AFRICA SYSCAS (Systems Cabling & Security) Email: sales@wallix.com Angré 7ème Tranche Cocody 06 BP 2517 Abidjan 06 CÔTE D'IVOIRE Tél. : (+225) 22 50 81 90 WALLIX USA (HQ) http://www.wallix.com Email: usinfo@wallix.com World Financial District, 60 Broad Street Suite 3502, New York, NY 10004 - USA Phone: +1 781-569-6634 OFFICES & LOCAL REPRESENTATIONS WALLIX RUSSIA & CIS http://www.wallix.com/ru Email: wallix@it-bastion.com ООО «ИТ БАСТИОН» 107023, Россия, Москва, ул. Большая Семеновская, 45 Тел.: +7 (495) 225-48-10

Recommandé

NQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation GuideNQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation Guide
NA Putra
 
GDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping ELGDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping EL
Eugene Lee
 
Encryption in Microsoft 365 - session for CollabDays UK - Bletchley Park
Encryption in Microsoft 365 - session for CollabDays UK - Bletchley ParkEncryption in Microsoft 365 - session for CollabDays UK - Bletchley Park
Encryption in Microsoft 365 - session for CollabDays UK - Bletchley Park
Albert Hoitingh
 
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB
 
Cyber Security Maturity Assessment
Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity Assessment
Doreen Loeber
 
IBM Qradar
IBM QradarIBM Qradar
IBM Qradar
Coenraad Smith
 
NQA ISO 27001 27017 27018 27701 Mapping
NQA ISO 27001 27017 27018 27701 MappingNQA ISO 27001 27017 27018 27701 Mapping
NQA ISO 27001 27017 27018 27701 Mapping
NQA
 
Extend Your Market Reach with IBM Security QRadar for MSPs
Extend Your Market Reach with IBM Security QRadar for MSPsExtend Your Market Reach with IBM Security QRadar for MSPs
Extend Your Market Reach with IBM Security QRadar for MSPs
IBM Security
 

Recommandé

NQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation GuideNQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation Guide
NA Putra
 
GDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping ELGDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping EL
Eugene Lee
 
Encryption in Microsoft 365 - session for CollabDays UK - Bletchley Park
Encryption in Microsoft 365 - session for CollabDays UK - Bletchley ParkEncryption in Microsoft 365 - session for CollabDays UK - Bletchley Park
Encryption in Microsoft 365 - session for CollabDays UK - Bletchley Park
Albert Hoitingh
 
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB
 
Cyber Security Maturity Assessment
Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity Assessment
Doreen Loeber
 
IBM Qradar
IBM QradarIBM Qradar
IBM Qradar
Coenraad Smith
 
NQA ISO 27001 27017 27018 27701 Mapping
NQA ISO 27001 27017 27018 27701 MappingNQA ISO 27001 27017 27018 27701 Mapping
NQA ISO 27001 27017 27018 27701 Mapping
NQA
 
Extend Your Market Reach with IBM Security QRadar for MSPs
Extend Your Market Reach with IBM Security QRadar for MSPsExtend Your Market Reach with IBM Security QRadar for MSPs
Extend Your Market Reach with IBM Security QRadar for MSPs
IBM Security
 
ISO 27701
ISO 27701ISO 27701
ISO 27701
UtkarshDhiman4
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMS
Akhil Garg
 
How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...
Hernan Huwyler, MBA CPA
 
NIST Zero Trust Explained
NIST Zero Trust ExplainedNIST Zero Trust Explained
NIST Zero Trust Explained
rtp2009
 
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?
PECB
 
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementationPrivacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
PECB
 
[Round table] zeroing in on zero trust architecture
[Round table] zeroing in on zero trust architecture[Round table] zeroing in on zero trust architecture
[Round table] zeroing in on zero trust architecture
Denise Bailey
 
SIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security ArsenalSIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security Arsenal
ManageEngine EventLog Analyzer
 
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information StandardQuick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
PECB
 
Guardium Data Activiy Monitor For C- Level Executives
Guardium Data Activiy Monitor For C- Level ExecutivesGuardium Data Activiy Monitor For C- Level Executives
Guardium Data Activiy Monitor For C- Level Executives
Camilo Fandiño Gómez
 
SWIFT CSP Presentations.pptx
SWIFT CSP Presentations.pptxSWIFT CSP Presentations.pptx
SWIFT CSP Presentations.pptx
MdMofijulHaque
 
ISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedure
Uppala Anand
 
My Gap analysis results between ISO27001: 2022 and 2013 version as of 2022 fall.
My Gap analysis results between ISO27001: 2022 and 2013 version as of 2022 fall.My Gap analysis results between ISO27001: 2022 and 2013 version as of 2022 fall.
My Gap analysis results between ISO27001: 2022 and 2013 version as of 2022 fall.
Jerimi Soma
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation Guide
NQA
 
ISO 27001 - Information Security Management System
ISO 27001 - Information Security Management SystemISO 27001 - Information Security Management System
ISO 27001 - Information Security Management System
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
Priyanka Aash
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
Shankar Subramaniyan
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 Introduction
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
EnterpriseGRC Solutions, Inc.
 
Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15
Jay Steidle
 
Unit 4 standards.ppt
Unit 4 standards.pptUnit 4 standards.ppt
Unit 4 standards.ppt
ClashWithGROUDON
 

Contenu connexe

Tendances

ISO 27701
ISO 27701ISO 27701
ISO 27701
UtkarshDhiman4
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?
PECB
 
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementationPrivacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
PECB
 
SIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security ArsenalSIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security Arsenal
ManageEngine EventLog Analyzer
 
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information StandardQuick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
PECB
 
ISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedure
Uppala Anand
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation Guide
NQA
 

Tendances (20)

ISO 27701
ISO 27701ISO 27701
ISO 27701
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMS
 
How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...
 
NIST Zero Trust Explained
NIST Zero Trust ExplainedNIST Zero Trust Explained
NIST Zero Trust Explained
 
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?
 
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementationPrivacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
 
[Round table] zeroing in on zero trust architecture
[Round table] zeroing in on zero trust architecture[Round table] zeroing in on zero trust architecture
[Round table] zeroing in on zero trust architecture
 
SIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security ArsenalSIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security Arsenal
 
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information StandardQuick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
 
Guardium Data Activiy Monitor For C- Level Executives
Guardium Data Activiy Monitor For C- Level ExecutivesGuardium Data Activiy Monitor For C- Level Executives
Guardium Data Activiy Monitor For C- Level Executives
 
SWIFT CSP Presentations.pptx
SWIFT CSP Presentations.pptxSWIFT CSP Presentations.pptx
SWIFT CSP Presentations.pptx
 
ISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedure
 
My Gap analysis results between ISO27001: 2022 and 2013 version as of 2022 fall.
My Gap analysis results between ISO27001: 2022 and 2013 version as of 2022 fall.My Gap analysis results between ISO27001: 2022 and 2013 version as of 2022 fall.
My Gap analysis results between ISO27001: 2022 and 2013 version as of 2022 fall.
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation Guide
 
ISO 27001 - Information Security Management System
ISO 27001 - Information Security Management SystemISO 27001 - Information Security Management System
ISO 27001 - Information Security Management System
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 Introduction
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
 

Similaire à Compliance mapping GDPR vs ISO_en

Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15
Jay Steidle
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
PECB
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
LynellBull52
 
Bluedog White Paper - overview of RMF implementation.pdf
Bluedog White Paper - overview of RMF implementation.pdfBluedog White Paper - overview of RMF implementation.pdf
Bluedog White Paper - overview of RMF implementation.pdf
tom termini
 
How much does it cost to be Secure?
How much does it cost to be Secure?How much does it cost to be Secure?
How much does it cost to be Secure?
mbmobile
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docx
dewhirstichabod
 

Similaire à Compliance mapping GDPR vs ISO_en (20)

Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15
 
Unit 4 standards.ppt
Unit 4 standards.pptUnit 4 standards.ppt
Unit 4 standards.ppt
 
800-37.pptx
800-37.pptx800-37.pptx
800-37.pptx
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview
 
Soc 2 Compliance.pdf
Soc 2 Compliance.pdfSoc 2 Compliance.pdf
Soc 2 Compliance.pdf
 
Soc 2 Compliance.pdf
Soc 2 Compliance.pdfSoc 2 Compliance.pdf
Soc 2 Compliance.pdf
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
 
WITDOM Data Protection Orchestrator
WITDOM Data Protection OrchestratorWITDOM Data Protection Orchestrator
WITDOM Data Protection Orchestrator
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
 
Bluedog White Paper - overview of RMF implementation.pdf
Bluedog White Paper - overview of RMF implementation.pdfBluedog White Paper - overview of RMF implementation.pdf
Bluedog White Paper - overview of RMF implementation.pdf
 
How much does it cost to be Secure?
How much does it cost to be Secure?How much does it cost to be Secure?
How much does it cost to be Secure?
 
ISO 22301 Business Continuity Management
ISO 22301 Business Continuity ManagementISO 22301 Business Continuity Management
ISO 22301 Business Continuity Management
 
OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to Many
 
iso22301businesscontinuitymanagement-140207090550-phpapp01.pdf
iso22301businesscontinuitymanagement-140207090550-phpapp01.pdfiso22301businesscontinuitymanagement-140207090550-phpapp01.pdf
iso22301businesscontinuitymanagement-140207090550-phpapp01.pdf
 
Leveraging Log Management to provide business value
Leveraging Log Management to provide business valueLeveraging Log Management to provide business value
Leveraging Log Management to provide business value
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docx
 
IIC IoT Security Maturity Model: Description and Intended Use
IIC IoT Security Maturity Model: Description and Intended UseIIC IoT Security Maturity Model: Description and Intended Use
IIC IoT Security Maturity Model: Description and Intended Use
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
 
SecureGRC - Cloud based SaaS
SecureGRC - Cloud based SaaSSecureGRC - Cloud based SaaS
SecureGRC - Cloud based SaaS
 

Plus de Balázs Antók

Grey Wizard - Teljes körű weboldal, API és DDoS védelmi szolgáltatás
Grey Wizard - Teljes körű weboldal, API és DDoS védelmi szolgáltatásGrey Wizard - Teljes körű weboldal, API és DDoS védelmi szolgáltatás
Grey Wizard - Teljes körű weboldal, API és DDoS védelmi szolgáltatás
Balázs Antók
 
Mailstore advisory GDPR
Mailstore advisory GDPRMailstore advisory GDPR
Mailstore advisory GDPR
Balázs Antók
 
Vectra Cognito - Mesterséges intelligencia alapú automatikus támadáskezelés é...
Vectra Cognito - Mesterséges intelligencia alapú automatikus támadáskezelés é...Vectra Cognito - Mesterséges intelligencia alapú automatikus támadáskezelés é...
Vectra Cognito - Mesterséges intelligencia alapú automatikus támadáskezelés é...
Balázs Antók
 
WannaCry zsarolóvírus információk
WannaCry zsarolóvírus információkWannaCry zsarolóvírus információk
WannaCry zsarolóvírus információk
Balázs Antók
 
Fizetési garancia jutalékszámlaval
Fizetési garancia jutalékszámlavalFizetési garancia jutalékszámlaval
Fizetési garancia jutalékszámlaval
Balázs Antók
 
Munkaero felugyelet-dtex-teramind
Munkaero felugyelet-dtex-teramindMunkaero felugyelet-dtex-teramind
Munkaero felugyelet-dtex-teramind
Balázs Antók
 
Darktrace kiberintelligencia
Darktrace kiberintelligenciaDarktrace kiberintelligencia
Darktrace kiberintelligencia
Balázs Antók
 
Stormshield - A helyes választás
Stormshield - A helyes választásStormshield - A helyes választás
Stormshield - A helyes választás
Balázs Antók
 
Mojo Certified Engineer tréning
Mojo Certified Engineer tréningMojo Certified Engineer tréning
Mojo Certified Engineer tréning
Balázs Antók
 
MailStore Server vállalati email archiváló és levélkezelő rendszer Termékbemu...
MailStore Server vállalati email archiváló és levélkezelő rendszer Termékbemu...MailStore Server vállalati email archiváló és levélkezelő rendszer Termékbemu...
MailStore Server vállalati email archiváló és levélkezelő rendszer Termékbemu...
Balázs Antók
 
SzerverWebáruház készlet integrátoroknak 131207
SzerverWebáruház készlet integrátoroknak 131207SzerverWebáruház készlet integrátoroknak 131207
SzerverWebáruház készlet integrátoroknak 131207
Balázs Antók
 
SzerverWebáruház raktár 20130924
SzerverWebáruház raktár 20130924SzerverWebáruház raktár 20130924
SzerverWebáruház raktár 20130924
Balázs Antók
 

Plus de Balázs Antók (15)

Grey Wizard - Teljes körű weboldal, API és DDoS védelmi szolgáltatás
Grey Wizard - Teljes körű weboldal, API és DDoS védelmi szolgáltatásGrey Wizard - Teljes körű weboldal, API és DDoS védelmi szolgáltatás
Grey Wizard - Teljes körű weboldal, API és DDoS védelmi szolgáltatás
 
Mailstore advisory GDPR
Mailstore advisory GDPRMailstore advisory GDPR
Mailstore advisory GDPR
 
Vectra Cognito - Mesterséges intelligencia alapú automatikus támadáskezelés é...
Vectra Cognito - Mesterséges intelligencia alapú automatikus támadáskezelés é...Vectra Cognito - Mesterséges intelligencia alapú automatikus támadáskezelés é...
Vectra Cognito - Mesterséges intelligencia alapú automatikus támadáskezelés é...
 
WannaCry zsarolóvírus információk
WannaCry zsarolóvírus információkWannaCry zsarolóvírus információk
WannaCry zsarolóvírus információk
 
Megérkeztek a stormshield új kis irodai modelljei
Megérkeztek a stormshield új kis irodai modelljeiMegérkeztek a stormshield új kis irodai modelljei
Megérkeztek a stormshield új kis irodai modelljei
 
Sns en-sn160 w-datasheet-201702
Sns en-sn160 w-datasheet-201702Sns en-sn160 w-datasheet-201702
Sns en-sn160 w-datasheet-201702
 
Yellow cube 2016
Yellow cube 2016Yellow cube 2016
Yellow cube 2016
 
Fizetési garancia jutalékszámlaval
Fizetési garancia jutalékszámlavalFizetési garancia jutalékszámlaval
Fizetési garancia jutalékszámlaval
 
Munkaero felugyelet-dtex-teramind
Munkaero felugyelet-dtex-teramindMunkaero felugyelet-dtex-teramind
Munkaero felugyelet-dtex-teramind
 
Darktrace kiberintelligencia
Darktrace kiberintelligenciaDarktrace kiberintelligencia
Darktrace kiberintelligencia
 
Stormshield - A helyes választás
Stormshield - A helyes választásStormshield - A helyes választás
Stormshield - A helyes választás
 
Mojo Certified Engineer tréning
Mojo Certified Engineer tréningMojo Certified Engineer tréning
Mojo Certified Engineer tréning
 
MailStore Server vállalati email archiváló és levélkezelő rendszer Termékbemu...
MailStore Server vállalati email archiváló és levélkezelő rendszer Termékbemu...MailStore Server vállalati email archiváló és levélkezelő rendszer Termékbemu...
MailStore Server vállalati email archiváló és levélkezelő rendszer Termékbemu...
 
SzerverWebáruház készlet integrátoroknak 131207
SzerverWebáruház készlet integrátoroknak 131207SzerverWebáruház készlet integrátoroknak 131207
SzerverWebáruház készlet integrátoroknak 131207
 
SzerverWebáruház raktár 20130924
SzerverWebáruház raktár 20130924SzerverWebáruház raktár 20130924
SzerverWebáruház raktár 20130924
 

Dernier

internship thesis pakistan aeronautical complex kamra
internship thesis pakistan aeronautical complex kamrainternship thesis pakistan aeronautical complex kamra
internship thesis pakistan aeronautical complex kamra
AllTops
 
How Software Developers Destroy Business Value.pptx
How Software Developers Destroy Business Value.pptxHow Software Developers Destroy Business Value.pptx
How Software Developers Destroy Business Value.pptx
Aaron Stannard
 
Agile Coaching Change Management Framework.pptx
Agile Coaching Change Management Framework.pptxAgile Coaching Change Management Framework.pptx
Agile Coaching Change Management Framework.pptx
alinstan901
 
Gautam Buddh Nagar Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Gautam Buddh Nagar Call Girls 🥰 8617370543 Service Offer VIP Hot ModelGautam Buddh Nagar Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Gautam Buddh Nagar Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Nitya salvi
 
Abortion pills in Jeddah |• +966572737505 ] GET CYTOTEC
Abortion pills in Jeddah |• +966572737505 ] GET CYTOTECAbortion pills in Jeddah |• +966572737505 ] GET CYTOTEC
Abortion pills in Jeddah |• +966572737505 ] GET CYTOTEC
Abortion pills in Riyadh +966572737505 get cytotec
 
Beyond the Codes_Repositioning towards sustainable development
Beyond the Codes_Repositioning towards sustainable developmentBeyond the Codes_Repositioning towards sustainable development
Beyond the Codes_Repositioning towards sustainable development
Nimot Muili
 
The Psychology Of Motivation - Richard Brown
The Psychology Of Motivation - Richard BrownThe Psychology Of Motivation - Richard Brown
The Psychology Of Motivation - Richard Brown
SandaliGurusinghe2
 
W.H.Bender Quote 62 - Always strive to be a Hospitality Service professional
W.H.Bender Quote 62 - Always strive to be a Hospitality Service professionalW.H.Bender Quote 62 - Always strive to be a Hospitality Service professional
W.H.Bender Quote 62 - Always strive to be a Hospitality Service professional
William (Bill) H. Bender, FCSI
 

Dernier (16)

internship thesis pakistan aeronautical complex kamra
internship thesis pakistan aeronautical complex kamrainternship thesis pakistan aeronautical complex kamra
internship thesis pakistan aeronautical complex kamra
 
How Software Developers Destroy Business Value.pptx
How Software Developers Destroy Business Value.pptxHow Software Developers Destroy Business Value.pptx
How Software Developers Destroy Business Value.pptx
 
Siliguri Escorts Service Girl ^ 9332606886, WhatsApp Anytime Siliguri
Siliguri Escorts Service Girl ^ 9332606886, WhatsApp Anytime SiliguriSiliguri Escorts Service Girl ^ 9332606886, WhatsApp Anytime Siliguri
Siliguri Escorts Service Girl ^ 9332606886, WhatsApp Anytime Siliguri
 
Agile Coaching Change Management Framework.pptx
Agile Coaching Change Management Framework.pptxAgile Coaching Change Management Framework.pptx
Agile Coaching Change Management Framework.pptx
 
International Ocean Transportation p.pdf
International Ocean Transportation p.pdfInternational Ocean Transportation p.pdf
International Ocean Transportation p.pdf
 
Reviewing and summarization of university ranking system to.pptx
Reviewing and summarization of university ranking system to.pptxReviewing and summarization of university ranking system to.pptx
Reviewing and summarization of university ranking system to.pptx
 
Gautam Buddh Nagar Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Gautam Buddh Nagar Call Girls 🥰 8617370543 Service Offer VIP Hot ModelGautam Buddh Nagar Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Gautam Buddh Nagar Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Leaders enhance communication by actively listening, providing constructive f...
Leaders enhance communication by actively listening, providing constructive f...Leaders enhance communication by actively listening, providing constructive f...
Leaders enhance communication by actively listening, providing constructive f...
 
Safety T fire missions army field Artillery
Safety T fire missions army field ArtillerySafety T fire missions army field Artillery
Safety T fire missions army field Artillery
 
Abortion pills in Jeddah |• +966572737505 ] GET CYTOTEC
Abortion pills in Jeddah |• +966572737505 ] GET CYTOTECAbortion pills in Jeddah |• +966572737505 ] GET CYTOTEC
Abortion pills in Jeddah |• +966572737505 ] GET CYTOTEC
 
Marketing Management 16th edition by Philip Kotler test bank.docx
Marketing Management 16th edition by Philip Kotler test bank.docxMarketing Management 16th edition by Philip Kotler test bank.docx
Marketing Management 16th edition by Philip Kotler test bank.docx
 
Beyond the Codes_Repositioning towards sustainable development
Beyond the Codes_Repositioning towards sustainable developmentBeyond the Codes_Repositioning towards sustainable development
Beyond the Codes_Repositioning towards sustainable development
 
Intro_University_Ranking_Introduction.pptx
Intro_University_Ranking_Introduction.pptxIntro_University_Ranking_Introduction.pptx
Intro_University_Ranking_Introduction.pptx
 
The Psychology Of Motivation - Richard Brown
The Psychology Of Motivation - Richard BrownThe Psychology Of Motivation - Richard Brown
The Psychology Of Motivation - Richard Brown
 
W.H.Bender Quote 62 - Always strive to be a Hospitality Service professional
W.H.Bender Quote 62 - Always strive to be a Hospitality Service professionalW.H.Bender Quote 62 - Always strive to be a Hospitality Service professional
W.H.Bender Quote 62 - Always strive to be a Hospitality Service professional
 
digital Human resource management presentation.pdf
digital Human resource management presentation.pdfdigital Human resource management presentation.pdf
digital Human resource management presentation.pdf
 

Compliance mapping GDPR vs ISO_en

  • 1. WALLIX I 2018 The similarities in Privileged Access Management (PAM) requirements GDPRvs ISO
  • 2. 2 GDPRvs ISOThe similarities in Privileged Access Management (PAM) requirements 2 ABSTRACT This mapping table aims to highlight the similarities in Privileged Access Management (PAM) requirements that exist between the General Data Protection Regulation (GDPR) and the international standard ISO/IEC 27001:2013. It should help readers understand how a ubiquitous privileged access management solution can be used to answer several compliance regulations without disrupting users’ and administrators’ daily activities. This mapping table distinguishes the direct and indirect values brought by PAM to help companies comply with both these regulations.
  • 3. 3 GDPR vs ISO - The similarities in PAM requirements • WALLIX 2018 GDPR ISO/IEC 27001:2013 Privileged Access Management Article Note Section Note Added Value 5 These subsections specify that personal data must be: accurate and kept up to date (1d), and processed securely to protect their integrity and confidentiality (1f). A.5 A.6 A.9 A.11 A.12 A.15 A.16 A.18 A majority of controls covered in ISO 27001 meet the requirement of that article as the standard aims to anticipate many of the norms and regulations in place. PAM plays a critical role in both those scenarios because it reinforces access to critical data and gives super admins the complete visibility over each individual privileged user and their session, including what they do, when, and how. 15 Under GDPR, individuals have a Right of access over their data. For example, they can request information about who accesses or will access their data and where they will be used (1c). A.6 A.9 A.12 Sections 6, 9 and 12 of ISO 27007 cover three key elements of GDPR’s Article 15 because they can provide individuals with information about how their personal data is processed and by whom. A PAM solution provides super- administrators with a complete visibility over privileged users from the moment the log into a target system; it can list all privileged users according to their rights, grant or revoke access, monitor and record session logs and activities, etc. This visibility can help controllers answer GDPR’s Right of access. 24 The controller and processor in charge of controlling the processing of personal data must ensure and provide proof of data security according to state-of-art policies. A.5 A.6 A.9 A.12 A.15 ISO 27001 largely covers GDPR’s Article 24, from ensuring that security policies and roles are defined and in place, to reinforcing access controls. PAM helps define accurate and thorough security policies by helping super-administrators segregate duties, defining access rights and role allocation. It also reinforces personal data security through the control of access and sessions, and can provide feasible proofs of data security. 25 To guarantee an optimal level of data protection by design and by default, GDPR requires that appropriate technical and organizational measures be undertaken (2) and justified (3). A.5 A.6 A.9 A.12 A.15 ISO 27001 identifies several controls that answer Article 25 of the GDPR, some of which particularly deal with access and activity control of internal and external parties. A PAM solution helps define and implement the security policies identified by organizations to comply with GDPR and ISO 27001 by securing all privileged access and sessions, offering controllers password encryption and management, as well as a centralized view of all accounts, users, roles, and sessions in real-time and after an event has occurred through session recording. Direct need for PAM Legend: Indirect need for PAM
  • 4. 4 GDPR vs ISO - The similarities in PAM requirements • WALLIX 2018 GDPR ISO/IEC 27001:2013 Privileged Access Management Article Note Section Note Added Value 28 Where data processing involves the intervention of third parties, the data controller has the responsibility to ensure and justify that all third parties follow GDPR rules to secure data protection. A.9 A.15 A.18 Controls A.15 and A.18 of ISO 27001 are dedicated to controlling supplier relationships to ensure information security, and to confirming that companies are compliant with internal requirements. Control A.9 identifies specific security measures that help organizations reach that goal. The Session Manager module of a PAM solution records all activity logs generated by external parties and enables super-administrators to have a full view of third parties’ screens in real-time as if they were in front of the computer. These features can spot and alert fraudulent activities, terminate the sessions automatically or manually, and provide post-mortem proof for audit reports of who did what, when, and how. The PAM solution also ensures that third parties’ actions and access are limited to the scope of their mission. 29 GDPR specifically requires that processors solely access and process the data they need according the controller’s instructions. A.5 A.9 A.18 Controls A.5 and A.18 of ISO 27001 help the controller define the organizations’ security policies. Control A.9, Access Controls, deals with the implementation of this process. A PAM solution allows controllers to define specific access rules according to each privileged user’s rights and gives them the possibly to create different clusters for each privilege and access. 30 All controllers must keep a detailed track record of all processing activities under their responsibility (1&2). A.6 A.9 A.15 Control A.6 helps define a number of security policies to put in place which can give controllers the visibility they need over their users, particularly through the segregation of duties. Controls A.9 and A.15, addressing Access Controls and Supplier Relationships provide a feasible way for them to implement those policies. From the moment privileged users log into the target systems, their activity is recorded by the PAM solution and can be reviewed in various forms (logs, video, screenshots, etc.). PAM can integrate completely with other cybersecurity solutions such as SIEM to enhance the monitoring of activities and provide a complete security cycle, from high traceability to event alert and reporting.
  • 5. 5 GDPR vs ISO - The similarities in PAM requirements • WALLIX 2018 GDPR ISO/IEC 27001:2013 Privileged Access Management Article Note Section Note Added Value 32 GDPR calls for an evaluation of security risks and for the implementation of strict policies to guarantee data availability while maintaining integrity and confidentiality, and to achieve resilience in the event of an incident. A.5 A.6 A.9 A.16 A.18 Several controls required by ISO 27001 help answer Article 32. They enable organizations to address and maintain a holistic security cycle, from the definition of accurate policies to their implementation and evaluation. A PAM solution helps achieve these controls through four main elements: a password vault securing access with encrypted passwords, session management and monitoring, password management features enhancing access controls, and access management enforcing the principles of least privileged though clusters. A PAM solution should also easily integrate with other security technologies to fit in a broader cybersecurity ecosystem. 33 Personal data breaches must be notified to the supervisory authorities within 72 hours and without delay. . A.16 Control 16 of ISO 27001 deals with the management of security incidents and give organizations tools to comply with Article 33 A PAM solution provides security managers with accurate information about privileged account sessions and offers instant reporting on any administrative sessions that takes place on targeted systems which can give security managers a working narrative of the incident, helping controllers meet Article 33 of the GDPR. 35 Before going through data processing, the controller must assess the potential security risk and impact of the data processing on information confidentiality and integrity. A.6 Control A.6 helps define a number of security policies which can give controllers complete visibility over their users. Having complete visibility over data processing provides controllers with some valuable information which can be used to assess data processing’ security risks and impacts. PAM provides administrators with the means to create, adjust, or delete fine- grained groups of users and sub-users. It helps administrators have high visibility over the number of users within their system and allocate roles in a fluid manner. At the same time, administrators can directly assign users the right level of privilege from a central point of command, thereby allowing them respond to the principle of least privilege and segregate duties appropriately. With each role and privilege clearly defined, PAM allows controllers to assess the risk linked to data processing while mitigating the risk of unauthorized or negligent activity within organizations’ core network.
  • 6. 6 GDPR vs ISO - The similarities in PAM requirements • WALLIX 2018 GDPR ISO/IEC 27001:2013 Privileged Access Management Article Note Section Note Added Value 40 Supervisory authorities are expected to apply security best practices and lay out codes of conduct to ensure the proper application of GDPR. A.5 A.6 A.18 Controls A.5 and A.6 help define thorough organization and policies for information security. To comply with Article 40, the codes of conduct laid out by supervisory authorities can and should also be determined by internal security requirements and current regulations (A.18). PAM help security managers define and implement cybersecurity policies and procedures. Setting up a PAM solution requires administrators to create, adjust, or delete fine-grained groups of users and sub-users, which gives them visibility over roles and access rights. It also gives them the ability to segregate duties to respond to the principle of least privilege. These elements are key to respond to Article 40. 58 Independent public authorities in charge of monitoring GDPR compliance to protect European personal data have the right to access and process any information necessary for the performance of their task (1). A.6 A.9 While independent public authorities should have the right to access and process personal data, controllers should have a visibility over which data they are accessing and processing, what they are doing, how, and when according to best practices for cybersecurity. A PAM solution can restrict the access of independent public authorities and allow them to specifically process and view the information they need, diminishing the risk of negligence and human errors. PAM’s Session Manager module can also provide a track record of the activities that have been done on the systems, offering an additional layer of security in case of incident. 59 Supervisory authorities must produce an annual report of all of their activities (infringement types, security measures taken to strengthen data protection, etc.). A.16 Complying with Article 59 of GDPR requires to ensure the management of information security incident, described in ISO 27001’s Control A.16. Answering the objectives of this control will produce the necessary information for organizations to write their activity reports. PAM provides security managers with accurate information about privileged account sessions and offers instant reporting on any administrative sessions that takes place on targeted systems, elements which can help produce the annual activities report required by Article 59. This mapping table does not constitute as legal advice for meeting the European General Data Protection Regulation (GDPR).
  • 7. www.wallix.com WALLIX Group is a cybersecurity software vendor dedicated to defending and fostering organizations’ success and renown against the cyberthreats they are facing. For over a decade, WALLIX has strived to protect companies, public organizations, as well as service providers’ most critical IT and strategic assets against data breaches, making it the European expert in Privileged Access Management. As digitalization impacts companies’ IT security and data integrity worldwide, it poses an even greater challenge if the data involved is highly sensitive. The recent regulatory changes in Europe (NIS/GDPR) and in the United States (NERC CIP/Cyber Security Directorate) urge companies belonging to sensitive sectors to place cybersecurity at the heart of their activity. In response to these challenges, WALLIX created a bastion designed to secure organizations’ core assets while adapting to their daily operational duties: WALLIX Bastion. The WALLIX bastion accompanies more than 100 operators in sensitive sectors to conform with regulations and over 400 organizations in the protection of their critical assets, securing the access to more than 100,000 resources throughout Europe and the MEA region. It was also the first government-certified solution in the market. WALLIX partners with a trained and certified network of over 90 resellers and distributors that help guarantee effective deployment and user adoption. WALLIX is the first European cybersecurity software editor to be publicly traded and can be found on EuroNext under the code ALLIX. As one of the leaders of the PAM market, major players trust WALLIX to secure access to their data: Danagas, Dassault Aviation, Gulf Air, Maroc Telecom, McDonald’s, and Michelin are among them. WALLIX is the founding member of Hexatrust. The WALLIX bastion was elected “Best Buy” by SC Magazine and awarded at the 2016 Computing Security Awards, BPI Excellence, and Pôle Systematic. Twitter: @wallixcom More information on: www.wallix.com WALLIX FRANCE (HQ) http://www.wallix.com/fr Email : sales@wallix.com 250 bis, rue du Faubourg Saint-Honoré 75017 Paris - FRANCE Tél. : +33 (0)1 53 42 12 90 Fax : +33 (0)1 43 87 68 38 WALLIX DEUTSCHLAND http://www.wallix.de Email: deinfo@wallix.com Landsberger Str. 398 81241 München Phone: +49 89 716771910 WALLIX UK http://www.wallix.co.uk Email: ukinfo@wallix.com 1 Farnham Rd, Guildford, Surrey, GU2 4RG,UK Office: +44 (0)1483 549 944 WALLIX ASIA PACIFIC (Bizsecure Asia Pacific Pte Ltd) Email: contact@bizsecure-apac.com 8 Ubi Road 2, Zervex 07-10 Singapore 408538 Tel: +65-6333 9077 - Fax: +65-6339 8836 WALLIX AFRICA SYSCAS (Systems Cabling & Security) Email: sales@wallix.com Angré 7ème Tranche Cocody 06 BP 2517 Abidjan 06 CÔTE D'IVOIRE Tél. : (+225) 22 50 81 90 WALLIX USA (HQ) http://www.wallix.com Email: usinfo@wallix.com World Financial District, 60 Broad Street Suite 3502, New York, NY 10004 - USA Phone: +1 781-569-6634 OFFICES & LOCAL REPRESENTATIONS WALLIX RUSSIA & CIS http://www.wallix.com/ru Email: wallix@it-bastion.com ООО «ИТ БАСТИОН» 107023, Россия, Москва, ул. Большая Семеновская, 45 Тел.: +7 (495) 225-48-10