GDPR: Get Your Priorities Straight

GDPR: Forget the Damned Fines, Worry About Staying in Business!

How many ‘news’ articles / blogs / ads have you seen with titles like; “You could be fined up to 4% of your global revenue under GDPR!”  a.k.a “Be afraid and give us lots of money you clueless sap.

I’m seeing it from every online cybersecurity publication, lawyers, cybersecurity vendors / consultants, and increasingly from cyber insurance vendors. I’m even getting spammed from people I KNOW!

It’s more than a little irritating …frankly, it borders on unprofessional.

I can understand lawyers jumping on the bandwagon. The GDPR was written by lawyers, and if you don’t get a lawyer’s input to how GDPR will affect your business, you deserve a 4% fine. Yes, privacy lawyers are expensive, and yes, it’s bloody annoying to spend this money on something that adds absolutely nothing to the bottom line, but do it anyway. At the very least, piggy-back of a business partner that has spoken to a lawyer!

And no, asking your contacts on LinkedIn is not the same thing.

For cyber insurance vendors, I can fully appreciated how tough it’s been to find something to pin a marketing budgets on. Ambivalence towards cybersecurity is legendary. But what I cannot condone is using GDPR’s fine structure to scare organisations into buying a policy that will likely be completely inappropriate. Even choosing the right cyber insurance requires significant due diligence.

As for cybersecurity vendors, I’ve already addressed/redressed them in GDPR and Cybersecurity, a Very Limited Partnership. They simply have no right to bring up a 4% fine in a sales pitch when the maximum fine for data breach is 2%, not 4.

There is a lot more than fines in the GDPR of which you should be aware, but first…

About the Fines…

…borrowing heavily from my previous blog;

It can be assumed that if the maximum fine for ANY infringement, no matter how egregious, is 4% of the annual revenue from the previous year (in the case of an undertaking). That 4% is what the EU considers the maximum for a fine to qualify as “effective, proportionate and dissuasive” (per Article 83(1)). Therefore, a fine of €20,000,000 (for example) would be reserved for any organisation with revenue over €1,000,000,000 annually. Yes, that’s 1 BILLION.

It must follow that if 4% is the maximum, then fines will go down the less egregious the offence. Everything you need to determine the level of ‘egregiousness’ is contained in the 11 lines of Article 83(2)(a) – (k). Words like ‘intentional’, ‘negligent’, ‘degree’, and ‘manner’ are bandied around, all of which can be answered by you.

In this spreadsheet, I have taken a stab at adding specific questions to each of the (a) – (k) line items. Answer them all truthfully and you’ll get an indication of what I consider to be an appropriate fine based on your annual revenue: GDPR Fine Worksheet. Note: This is based on data breaches only (2% fine structure), and is not based on anything resembling known fact or precedent.

Frankly, it’s not the fines you should be worrying about, as I get the feeling you have to REALLY screw up before they’ll even be considered in the first place.

Worry about the ‘Corrective Powers’

What no-one seems to be writing about are the other so-called ‘corrective powers’ as detailed in Article 58(2) that each member state’s supervisory body will wield. Some of these are far worse than fines, and from what I know of GDPR, far more likely to be put into effect first.

Article 58(2) starts out very reasonably; 58(2)(a), (b) and (c) are:

(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation; [i.e. be careful]

(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation; [i.e. smack on the wrist]

(c) to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation; [i.e. now do it properly, we’re watching]

..then it gets a little more punitive in (d) and (e):

(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; [i.e. now do it properly, or else]

(e) to order the controller to communicate a personal data breach to the data subject; [i.e. tell everyone with whom you do business that you f*&%ed up]

…then there’s the stuff that could put you out of business (assuming personal data is central to it) from (f)  through (h):

(f) to impose a temporary or definitive limitation including a ban on processing[i.e. stop everything you’re doing with personal data, now]

(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19; [i.e. you can’t do what you do with personal data the way you were doing it]

(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met; [i.e. good luck getting anyone in the EU to do business with you]

…and NOW the fines:

(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case; [i.e. not only can we stop you doing business, but we can also fine you]

…and finally, back to the potentially out of business:

(j) to order the suspension of data flows to a recipient in a third country or to an international organisation. [i.e. specific to cross-border, but you’re screwed if this is relevant]

Now ask yourself; can a cybersecurity vendor help you in a scenario where the data is safe but you’re just not allowed to use it? Could cyber insurance replace your ENTIRE business and customer base?

Clearly not, so the only people you SHOULD be talking to right now are privacy experts. Not ones who passed a 75 question multiple choice exam to achieve a Certified Information Privacy Professional (CIPP) acronym, and/or the Certified GDPR Practitioner course, a lawyer. And not just any lawyer, a lawyer who specialises in privacy.

I’m not disparaging the CIPP/E or EU GDPR P certifications, they are actually very good foundations for anyone wanting to ask a true expert the right questions. And if, as per Recital 13; “…this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping.”, you are small enough not to have to worry about validation of your practices, maybe someone with these certs is good enough.

It’s up to you, you’re the ones betting your businesses on it.

[If you liked this article, please share! Want more like it, subscribe!]

Cybersecurity Collage

Without 3rd Party Security ‘Vendor Brokers’, AWS and Azure May Not Be For You

…at least for PCI anyway. It’s just too damned difficult to get all the security wrappers PCI requires without Vendor Brokers.

Cybersecurity has now be made too complex – by security vendors – to be able to mix-and-match with individual vendors from the AWS/Azure marketplaces. I don’t know of any single vendor who can cover even a majority of the PCI requirements related to platforms.

i.e.

  1. Firewall Management;
  2. Configuration Standard(s);
  3. Anti-Virus;
  4. Vulnerability Management;
  5. Patching;
  6. Access Control;
  7. Authentication Mechanism(s);
  8. Logging & Monitoring;
  9. Web Application Firewall; and
  10. File Integrity Monitoring

There are many reasons for this, one of which is that ever since security became a multi-billion £/$/€ a year industry, hundreds of companies have started up to try bring us the ‘silver bullet’ appliances.  Not only do silver bullets not exist in cybersecurity – and you should be shot for using the phrase in any way that’s non-derogatory – but where are the overwhelming majority of those companies now?

They either failed, or have been ‘collected’ by larger companies who have tried to duct-tape the disparate products into silver-bullet solutions.

Which have also failed.

It’s not that the original products didn’t work, some of them actually did, it’s that;

  1. Organisations threw technology at business problems without knowing why they were doing it;
  2. The big companies that collected the smaller ones tried to integrate the individual products together under one GUI, instead of unifying the functionality under a single code base; and
  3. There has never been, and there never will be, a one-size-fits-all solution to security.

But the market is still ripe for innovation, and there will continue to be companies starting up with the goal of bringing a single product to market that will catch the latest security hype/wave/buzz and make them their fortunes (UEBA for example).  They may even succeed, but only if they make their impact in the first year or two, otherwise the market will have moved on.

And if they’re VERY lucky, the larger companies will be naive / ignorant enough to buy them and save them the trouble.

Don’t get me wrong, I am not against combining single products into a larger solutions. In fact it’s the only way to go, but only if it’s done correctly.  Single product companies have 100% focus, which gives them drive, short-term goals, and a dedication to making their one product the best. The second you absorb that company however, every one of those attributes that put them on (or near) the top, are lost in the larger mix.  The functionality is diluted, innovation ceases, and the the whole thing quickly becomes obsolete.

True integration of functionality can only be accomplished with a single code base, and a single platform, which means that any organisation that absorbed the smaller companies better have a plan in mind to migrate not only the applications over to their growing solution, but they will need to consider all of the clients who bought the product prior to the M&A.  These guys often suffer from a total lack of customer service and support, and there’s no way they’ll buy into the larger program.

In my experience, the due diligence necessary to combine product companies is not overly abundant, and until it is, we should all be VERY careful when we look to resolve our security issues with multi-function solutions.

I call these Vendor Brokers ‘collage companies’, as the picture might be pretty, but it’s in no way whole.

Here are a few questions you might want to ask your potential providers;

  1. Can your solution replace some / most of my current functionality?
  2. Do you provide a consultancy ‘wrapper’ around these solutions to help us manage them against our business goals?
  3. Will the output from your solution feed into my current collection mechanism, or can my current output feed into yours?
  4. Are the various aspects / functions of your solution ‘home grown’, or obtained through acquisition?  If acquisition, how have you unified the back end code and platforms?
  5. How do you ensure that the different functions of the solution receive a similar attention to what the single product vendors provide?
  6. Do you have a single customer support process to handle all functionality questions?

Regardless of the shenanigans going on in the security product market, your choice of Vendor Broker should only be driven by what your risk assessment and gap analysis said you need, and your due diligence should cover any requirements you may have regarding integration and ongoing maintenance.

If is doesn’t, don’t expect Vendor Brokers to help, they have enough problems keeping their own houses in order. 

[If you liked this article, please share! Want more like it, subscribe!]

GDPR Certified

There is No Such Thing as GDPR Certification …Yet!

If you’re looking for more information on GDPR, and surprisingly few of you are, you will likely have seen vendors selling things like; Certified EU General Data Protection Regulation (GDPR) Practitioner, some of whom also promise delegates that they will be “awarded the ISO 17024-accredited EU GDPR Practitioner (EU GDPR P) qualification by IBITGQ”.

Sounds really impressive, right? Unfortunately, it doesn’t mean a damned thing.

ISO 17024 – Conformity Assessment – General Requirements for Bodies Operating Certification of Persons only covers the “principles and requirements for a body certifying persons against specific requirements, and includes the development and maintenance of a certification scheme for persons.” and the IBITGQ (International Body for IT Governance Qualifications) are only “dedicated to the provision of training, qualifications and the continued professional development of information security, business resilience and IT governance professionals.”

While there is absolutely nothing wrong with either ISO 17024 standard or the IBITGQ, when applied appropriately, they have absolutely nothing to do with GDPR certification. The ‘practitioner’ course itself may cover aspects GDPR, but there are no certifications yet available for GDPR, let alone accredited certification bodies who can provide it.

For example, in the UK, the Information Commissioner’s Office (ICO) will be the ‘supervisory authority’ responsible for the:

  1. “...establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.” – GDPR Final Text, Article 42, Para. 1, and;
    o
  2. “…accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article [which] shall take place on the basis of criteria approved by the supervisory authority...” – GDPR Final Text, Article 43, Para. 3

In other words, without the ICO there is no GDPR certifications available from anyone for anything. To date the ICO have release nothing on certification / accreditation, not even guidance. Nor have the Article 29 Working Party (Art. 29 WP) to whom the ICO refer.

One of the  challenges is that the term ‘certification’ means several things even within the GDPR itself. From the certification of ‘appropriate measures’ between processors and controllers (GDPR Final Text, Recital 76), to the “The adherence of the processor to an approved code of conduct or an approved certification mechanism…” (GDPR Final Text, Recital 81), the nature and extent of these certifications will vary considerably.

What IS out there however are organisations offering GDPR foundation classes. These courses are designed to instruct and inform, not offer useless acronyms. It’s these courses you should be looking into, but like everything else, you must ask the right questions.

For example, if you’re:

  1. a Data Protection Officer (DPO), you will need to know how the GDPR affects your responsibilities and management reporting;
  2. a contract lawyer, you’ll need to know how all of your vendor AND client contracts will be affected;
  3. an IT manager you’ll want to know how the GDPR will be implemented from an infrastructure perspective; and
  4.  responsible for cybersecurity, how do you demonstrate ‘appropriate measures’?

But worse than vendors trying to provide training certificates are the ones providing GDPR compliance consultancy, or worst yet, software. I can understand privacy lawyers offering these services, but cybersecurity vendors!? Data security is less than 5% of the work organisations will have to perform to bring themselves into compliance with GDPR. Not only that, in the ICO’s Guide to Data Protection they already mention ISO 27001 under Principle 7 – Information Security, so it’s fairly clear against which benchmark security programs will be measured.

GDPR is not an IT problem, it’s certainly not just a data security problem, it is a business problem, and one that will affect every individual in your organisation to a greater or lesser degree. The first step is not to buy the first training course that comes your way, it’s to raise the awareness of GDPR to the people whose very arses are on the line. Whether you call them the Senior / Executive Management, the C-Suite, or the Leadership Team makes no difference, the implementation of GDPR starts with those at the top. They are the ones who will be held accountable, so they are the ones who should ensure that everyone has the training and awareness they need.

Every new data protection regulation is seen by vendors as a way into your wallets. The GDPR is no different. Do your homework, and ignore any organisation offering services predicated on fear, uncertainty and doubt. Or worse, utter nonsense.

[If you liked this article, please share! Want more like it, subscribe!]

PCI L1 Service Provider

From FinTech Concept to PCI Compliant in 6 Months?

Anyone wanting to start a new business in FinTech/payments – digital wallets for example – has to address PCI. Like it not, payment cards are still the dominant form of non-cash payment on the planet. By far.

So what if you have a great idea in this amazing world of opportunity, but your skill-set is in payments and innovation, and not IT or cybersecurity. How do you get your service to market, AND play by the rules? Can you do this in time to be ahead of game given the incredibly short timeframe of today’s competitive advantage?

Well, you could just self assess, but you are restricting yourself to a maximum of 300,000 transaction annually.  But more importantly, would you trust your money to a service provider who self assesses? No, neither would I.

However, I’m talking about full Level 1 Service Provider compliance through a reputable QSA (yes, there are some out there). How can you set up the infrastructure, get all the documentation in place, AND get all the way through a PCI DSS Level 1 assessment in 6 months? And if you do, have you really done it properly?

The answer is yes, you can, but there are MANY caveats, and if you deviate from these steps you will not get there. I am only interested in helping organisations get compliant properly, I have no interest in adding more crap service providers to the ecosystem.

First, you have to completely ignore the PCI DSS. Any plans you make to design both your physical infrastructure and your security program from scratch must be with real security in mind. Never compliance alone. For that, many organisations turn to the ISO 27001 standard. There are others, but try finding affordable consultants who can help you implement them. As long as you realise they are all just frameworks, not step-by-step instructions, then you’re ready to start asking questions.

So What Are the Steps to Compliance?

o

  1. Get Help – This should be no surprise. I don’t perform emergency appendectomies, I’m not remotely qualified, why would you try to achieve compliance when that’s not your experience or skill-set. Yes, is can be expensive, but nowhere near as expensive as any of the alternatives. There are some very good consultants out there, do your homework and find the best one for you.
    o
  2. Outsource the Infrastructure – Unless you’re an expert in everything from hardened operating systems, to logging and monitoring, to firewall management, you will want to outsource as much of the platform as you possibly can. Unfortunately, finding a single provider who can take on anything more than physical hosting and some networking stuff is still ridiculously difficult. Amazon Web Services (AWS) for example is about as bad as you can get. Unless of course you want a dozen or so independent service providers to manage along with Amazon.
    You MUST ask the right questions, and this is where your  consultant comes into play. S/he will write your RFP, interview providers, and eventually produce a responsibility mapping of services against the PCI DSS. This will match their Attestation of Compliance, as YOU should only do business with L1 PCI compliant service providers.
    o
    You are welcome to use my mapping if you don’t have one: PCI DSS v3.2 SP Responsibility Mapping
    o
  3. Policies, Standards & Procedures – You have to start somewhere, so you will likely want to buy a Policy Set. Once again, you have to be very careful as there are dozens of options but few will be fit for purpose. In this case, ‘fit for purpose’ means the service must 1) get you through compliance, 2) provide a platform for your unique culture, and 3) be self-sustainable for the long-term.
    If you buy a Policy Set with ‘PCI’ in the title, you have already failed. Buy one that your consultant can customise on your behalf, and then teach you to manage yourself. Get one that; 1) Is already mapped to both the PCI DSS and your chosen framework (usually ISO 27001), 2) has document management built in (numbering, content standards, assigned coordination etc.), and 3) is easily distributed to the subject matter experts best placed to maintain them.
    o
    I have written a quasi-white paper on how to choose the right the right service, you use the questions as an RFP: ‘Selecting the Right Policy Set
    o
  4. Hire a Completely Independent QSA – While it may be very tempting to have your consultant take care of all the ‘PCI stuff’, bite the bullet and keep these separate. No, you don’t have to be an expert in this stuff, but if you are relying completely on your consultant you are building in a single source of failure. By all means have your consultant run with the assessment, but be involved. If you don’t, you’ll have no idea what you paid for in the first place. In fact, you may even want to build in some SLAs regarding how much remediation is required from by QSA. There will always be some, but if it involves significant scope creep or capital cost, your consultant has failed you. Remember, you have outsourced almost the entire function of PCI to your platform provider, validation of compliance should be a formality.

Of course this is oversimplified, but I’m already way over my self-imposed word limit. However, while I haven’t included any of the inevitable challenges, the process is a simple as security itself, it’s up to you to find someone who can make it simple.

[If you liked this article, please share! Want more like it, subscribe!]

All About the Data

Forget Cyber, Forget Cloud, It’s ALL About the Data!

Ever wonder why data breaches are now called cyber attacks, or an application on the Internet is now called The Cloud? It’s for the same reason that Coca Cola is constantly changing it’s ‘look’, adding ‘new’ flavours of what is basically the same sugary mess. And why they’ve changed their slogan FORTY SEVEN times in their 125 year history;

To keep things fresh, to keep you thinking about them, and of course, to help you spend money.

So is this necessarily a bad thing for the field of information security? The answer is clearly no if these marketing ‘tricks’ actually help keep you secure though valid awareness programs and good services. But a resounding YES if it’s just a new buzz-phrase used to sell the same services with less due diligence.

Too many vendors and self-interested lobby groups are frighteningly good at demand generation. From new buzz-phrases, the invention of perceived needs, and playing on an organisation’s fear of losing a competitive edge, these have all been the cause of many bad purchasing decisions. This is especially frustrating when the tools for making good decisions have been around for decades. Literally.

For example; ISO 27001 – probably the best known and de facto security framework – has it’s roots in BS 7799 first published in 1995, ISACA’s COBIT was released in 1996, and even PCI (which is just a controls based standard for the protection of cardholder data) has some merit in its 10th year in existence. If these aren’t enough, the ages-old – but still VERY much alive – concept of Confidentiality, Integrity and Availability has been around for so long that no-one seems to know when it started.

And these are just the overarching frameworks for the security of data, beneath them you have equally well known, mature, and readily available tools for the protection of your data assets:

1. Governance – The Business side and the IT side having meaningful conversations;

2. Risk Assessment – An examination of the business needs applied to the current ability to achieve those goals;

3. Vendor Due Diligence – a THOROUGH review of the external help you’ll likely need;

4. Asset Management – You can’t manage what you don’t even know you have; and

5. Vulnerability Management and Change Control – If you have absolute control over the changes you make internally, the only things that can increase risk are from the outside. These two tools work hand-in-hand.

All of these tools are covered to a varying degree in the above frameworks, and represent standard good security practices established for longer than most of us have been alive. Without these processes in place, you don’t have data security. Full stop.

So if they are that established, why are they not as well known and pervasive as they should be? Simple, and for the same reason no-one likes paying for insurance; there is no obvious positive impact on the bottom line. Where’s the ROI for spending money on security? But this assumes that an ROI involves making MORE money, but is not LOSING money just as impactful? Fines, damages / reparations, and the inevitable loss of reputation all have significant negative impact.

Instituting an appropriate level of data security for your business is actually quite simple, keeping it in place requires much more effort but is equally simple; follow the decades-old advice of the existing frameworks.

[Ed. Written in collaboration with Voodoo Technology, Ltd.]

[If you liked this article, please share! Want more like it, subscribe!]