Data Compliance: Get it right the first time

Below is a short overview of the #Hexnode webinar, presented 2022-04-07 about data compliance.

The webinar recording is published at the Hexnode website (and embedded below).
And the PDF version of the slide deck is published in full color and B/W print version on Slideshare, see links below.

PPT version available on request (send me a DM on LinkedIN).

Data is the new oil…

Whatever business you run…

.. it won’t run without data:

  • Business data
  • Management data
  • HR data
  • Technical data
  • Network data
  • Personal data (PII)
  • Communications
  • Mail data 
  • Financial data
  • Operational data
  • Intelligence
  • Intellectual Property (IP)
  • Ideas

Other businesses want your data as well…

There is a massive growth of digital business:

  • Direct marketing
  • Data brokers
  • Data Intelligence
  • Data analytics
  • Big data
  • Artificial intelligence
  • Machine learning
  • Health care, research & development

But also… the dark side wants your data.

And your data in the wrong hands.. is explosive.

Current state of crime

Company and user data, and personal data is an important target and leverage in cybercrime lik

  • Phishing
  • Ransomware
    • not only encryption
    • data leak extortion
  • Reconnaissance & Hacking
  • Data breaches 
  • Biometric data
  • Digital & Economical war

Now the question is… How do YOU get in control?

You can’t simply lock up your data… because data needs to flow. (You want to use it…)

Data management essentials to get grip

Ask yourself: how much €$ can you spend to protect your data? To answer that question, you’ll need to get grip of some basic data management principles, in relation to security:

  1. You can only protect what you know you have
  2. Without an owner there is no protection
  3. Nothing is stable, everything has a lifecycle
Data lifecycle

Data lifecycle

The start of the cycle is mostly

  • short,
  • easy to manage,
  • low security risk. (if the creation fails… you have no data to keep under control)

The end of the cycle is mostly

  • long, (there are various reasons why you need to keep the data for a while, eg in archive before you dispose of it..)
  • difficult to manage (if the process fails, it’s difficult to track or keep under control)
  • high security risk. (risk of losing ownership, risk of leakages, …)

What is risk?

Assets have

Vulnerabilities (weaknesses/properties) 

that can be exploited by 

Threats (activities)

with impact ($$ cost).

You need to balance the protection against the impact. You don’t want to over-spend or under-protect.

Your boss (or insurance, of CFO ) needs a budget, spreading cost over a year, or 2..3..4..5.

[Risk management is calculating impact over the rate of occurrence/frequency…]

How to get started

Know the external context

  • International regulations (GDPR, …)
  • National regulations (SOC, …)
  • Sector regulations (PCI-DSS, ..)
  • Contractual obligations
  • Enterprise vs PII/personal data requirements

Know the internal context

  • Know your business (what)
  • Know your organization (organigram)
  • Make an inventory of processes and interfaces
  • Assign business ownership
    • For each process
    • For each asset

Know the processes

  • Know the data flow 
  • Know your sources (IN)
  • Know the data processing
  • Know your receivers (OUT)

Know the data in the processes

  • Categorize your data – data types
    • Enterprise data
    • PII / Personal data (GDPR !)
    • Other ?

Categorization (define data classes)

  • Sensitivity = linked to business impact
  • Ask the owner : “What if data is …”
    • unavailable, 
    • changed,
    • destroyed,
    • leaked,
    • accessed unauthorized, illegally, unlawfully,
  • Categorize your data sensitivity
    • Enterprise data, for example
    • Unclassified, Official, Restricted, Confidential, Secret, Top Secret (NATO) 
    • Public, Company internal, Confidential, Strictly confidential  
    • TLP RED, TLP Amber, TLB Green, TLP White (public)

Classification (apply the labels)

  • Responsibility of owner
  • Label all data
  • Label containers if you can’t label the data
    • Folder or File share
    • Database
    • mailbox 
    •  …

Mind the lifecycle

  • Get started
  • Keep going
  • Start over again
  • Think about security when
    • creating new processes
    • changing processes
    • removing processes
    • recheck on a regular schedule (even when nothing changes)

Mind the business and legal requirements

  • Accountability & Responsibility 
  • Reporting & audit requirements (SOC I-II, …)
  • Incident management requirements
  • Data breach requirements (GDPR)
  • Subject rights 

Consequences of data management failure

  • Financial loss
  • Business loss
  • Reputation loss 
  • Contract SLA violation
  • Regulatory violations
  • Fines
  • Prosecution
  • Personal accountability

Think about

  • Direct and indirect impact
  • Short term and long term impact
  • How long can you survive a total breakdown?

TAKEAWAYS

  • Manage enterprise data like personal data
  • Keep the categories simple (<7)
  • 3 TLP (RedAmberGreen) + 2 categories (public + highly critical)
  • Define and maintain ownership
  • Involve everyone
  • Evangelize internal & external stakeholders (incl. customers…)
  • Lead by example

Use business best practices

  • Use standards and frameworks
  • ISO (international)
  • NIST (US)
  • ENISA (EU)
  • COBIT (ISACA)

Classification and labeling

  • Force labeling
  • Aim to classify everything
  • Start with new data first
  • Update labels when you change documents
  • Set a default label for archived data that doesn’t change
  • DO NOT set “public” as default

Think about the support processes

  • Incident management (ISO 27035 & NIST)
  • Data breach management (GDPR & other …)
  • Business continuity (ISO22301)
  • Disaster recovery

Questions

How to identify regulations you should follow?

  • know and analyse the services you’re offering,
  • where is your data stored?
  • what kind of data you have (enterprise data, personal data, financial, …)
  • identify the local, national, regional, international regulations of sector legislations that apply to your business (check partners/competition, sector representatives, …)

Is there difference in regulation for small or large business?

  • very limited impact of size of company…
  • very likely some impact on financial and tax reporting,
  • some legislation only apply in large scale operations (eg GDPR only requires a DPO for certain type of operations, …)

Best place to start for SME/SMB?

Webinar recording by Hexnode

Hexnode webinar
https://www.hexnode.com/events/webinars/data-compliance-get-it-right-the-first-time/

Presentations

Full color

Black/White print

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.