The EU General Data Protection Regulation (GDPR) is just around the corner, and non-EU organisations that do business in the EU and handle EU data subjects' personal data should prepare to comply with the Regulation as well.
Those providing products or services to EU customers or processing their data may have to face the long arm of the law if an incident is reported.
The GDPR will be enforced from 25 May 2018. Organisations only have a short time to ensure that they are compliant.
Introduced to keep pace with the modern digital landscape, the GDPR is more extensive in scope and application than the current Data Protection Act (DPA). The Regulation extends the data rights of individuals, and requires organisations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organisational measures.
Today I was looking at the minimum technical measures and wondered how we, BCC, can help organisations in some of those areas.
So what are the minimum technical measures under the GDPR?
- Firewalls which are properly configured and using the latest software
- User access control management, for example via the UAC functionality in Windows. Please note that in order to comply with the law, no one person in your organisation should have full access to all files, and even your network administrator should have restricted access. In fact, it is recommended that the network administrator's normal user account and his/her account with administrator privileges be separated, with the privileged account used only when appropriate. This makes auditing and control of administrator actions much simpler. Failure to implement this measure is what allowed the Snowden incidents to happen.
- Unique passwords of sufficient complexity and regular (but not too frequent) expiry on all devices (including mobile phones) to defend against dictionary and rainbow table attacks. The UK government's National Technical Authority for Information Assurance (CESG) has recently advised against forcing users to change their 'complex' passwords, because this may lead to the recycling of old passwords (which may already be known to attackers), to passwords being noted down on an exposed medium left near the device, and to users forgetting their passwords and being locked out, which leads to a loss in productivity.
- Regular software updates, if appropriate, by using patch management software
- Timely decommissioning and secure wiping (that renders data unrecoverable) of old software and hardware
- Real-time protection anti-virus, anti-malware and anti-spyware software
- Encryption of all portable devices ensuring appropriate protection of the key
- Encryption of personal data in transit by using suitable encryption solutions. This may include SSL and IPsec VPN connections, which are appropriate for machine-to-machine connections, or PGP, which is generally used for messaging such as e-mail. PGP, or "Pretty Good Privacy" (around since 1991), has long been part of state-of-the-art security.
- Implement secure configuration on all devices (including mobile phones)
- Put in place intrusion detection and prevention
- Data backup
Some of these requirements are fairly easy to implement but others are far more complex.
BCC can help in some of the tricky areas within the IBM Notes/Domino Environment.
BCC DominoProtect for example allows you to track and prevent changes to sensitive data on your Domino server in real-time and provides you with a reliable audit trail. It also facilitates setting up request and approval based change management processes with automated compliance level documentation for all actions taken with easy one-click rollback.
DominoProtect helps to eliminate security vulnerabilities such as unencrypted server.id files and makes it easy to secure the file with one or multiple passwords and yet allow unattended server restarts.
By default, DominoProtect creates a 60-character complex password for the server.id and secures this with AES 256-bit encryption.
The Snowden scenario mentioned in point 2 can be alleviated with DominoProtect's ability to restrict "Full Access Administration" privileges, so that your administrators do not have god-like access to your Domino data.
With regard to secure messaging, MailProtect provides several secure messaging options such as conventional encryption via PGP, S/MIME including certificate handling or password based instant encryption. Instant Encryption is designed to satisfy data protection needs without implementing a Public Key Infrastructure.
MailProtect also offers a spam and antivirus shield for email users. In addition to the included ClamAV engine, BCC provides an integrated OEM antivirus solution from AVIRA. It can also work with other scan engines available on the market. MailProtect uses leading antispam technology and word lists to provide effective antispam services.
Need more information?