GDPR asks us (quite vaguely, some say) to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32, Security of processing). We assume you’re one of the lucky ones who was recently appointed as DPO (Data Protection Officer), without prior experience in a similar role, and are still struggling to get started on the technical side. This article summarizes some of the internationally recognized standards you can use as a starting point to establish appropriate security measures in your company. If you’ve been dealing with data protection and managing security programs for your entire career, you probably know many of the concepts below, and if you spend the time reading the article, we would surely benefit from your feedback.
Before anything else: Why Security?
The reason we lock the door when we leave the house is the same reason we use cybersecurity: we want to protect what’s inside. When someone breaks into our home, even if they don’t steal anything, the feeling that our privacy has been invaded is uncomfortable and disturbing enough to make us protect ourselves better in the future. So we buy an alarm or a new locking system. We apply the same concept to digital data, which resides in our phones, computers, tablets, company servers, and all the other devices that hold information.
If you’re not yet familiar with it, this is a crucial concept to understand: the famous CIA triad of Confidentiality, Integrity and Availability, the core principles of information security.
- Confidentiality – access to information should be granted only to the systems or users that have been authorized to know it
- Integrity – the data should not be altered and should stay accurate and complete during its entire life cycle
- Availability – the services and resources are available when needed
In short, if you’re doing a good job, the information your company holds is accessible only to those who are entitled to it, it is available when requested, and it has not been altered in any way. We also call this business as usual, but sometimes we get lost in technical details and forget that this is why we needed security in the first place.
How do I know what security best practice is for my company?
While planning a data protection or security program, a good starting plan is:
- Don’t reinvent the wheel. Study the existing guidelines and get a high-level understanding of what’s already available.
- Choose 1-3 frameworks, based on your industry and your organization’s requirements and activities (Are you accepting credit card payments? Follow the PCI Security Standards. Are you in healthcare? Follow HIPAA.)
- Summarize the combined set of requirements from the selected frameworks and adapt them to your business (this can be documented in your Information Security Policy).
- Start implementing each requirement, following the selected guidelines.
- Assess, review and adjust as needed.
Design the security measures and the data protection program with your employees in mind, because they’re the ones who will apply a great part of it. If you’re not a technical person, you’re probably the same as most of your colleagues (unless you’re the lawyer of a SOC team). Security best practices are for the entire organization, not only for your network engineers!
You don’t have to start from zero!
Securing the new, dynamic systems we use requires a wide variety of approaches, including cryptography, network security protocols, and database and application security, all adapted to the mobility and speed of today’s business user and the fast-changing legislative landscape. Luckily, several well-known organizations have invested effort, research and implementation experience in developing overall guidance, best practices and standards for implementing and evaluating cybersecurity in organizations around the world. Here are some of the important best-practice documents and guidelines you should know about:
- Information Security Forum – The Standard of Good Practice for Information Security
- National Institute of Standards and Technology (NIST) – Framework for Improving Critical Infrastructure Cybersecurity
- International Standards Organization – ISO 27002 – Code of Practice for Information Security Controls
The Standard of Good Practice for Information Security (SGP)
The Information Security Forum (ISF) is an independent, not-for-profit organization dedicated to investigating, clarifying and resolving key issues in information security by developing best-practice methodologies that meet the business needs of organizations around the world. This standard also covers topics set out in ISO/IEC, COBIT, NIST, SANS and the Payment Card Industry Data Security Standard.
Considering its wide coverage, the SGP is a good candidate for your main security guideline. The SGP addresses everyone in the organization, from C-level to business users and system developers, describing how information security should be applied across the company.
The SGP is structured into 17 categories, covering the life cycle of employees, information, hardware and system development.
National Institute of Standards and Technology (NIST) Framework
The NIST framework is a guideline designed to help organizations assess and reduce security risks to critical infrastructure. It has three main components:
- CORE – a set of activities, desired outcomes and applicable references, split into 5 key functions: Identify, Protect, Detect, Respond, Recover. The Framework Core can be used when planning the security goals of the organization.
- PROFILE – a list of outcomes that the organization has chosen, based on its needs. The Framework Profile reflects the organization’s security posture.
- TIERS – provide context on how the organization views cybersecurity risks and on the degree of sophistication of its management approach. The tiers define the organization’s security priorities.
The ISO 27000 Suite of Information Security Standards
The ISO suite is one of the most important sets of standards in cybersecurity, dealing with all aspects of an Information Security Management System. It contains generic recommendations, useful for a business of any size in any industry, on how to organize information security. ISO 27001 is a brief normative standard used for company certification and audits. ISO 27002 is a longer document, used as the framework for selecting the security controls required by an Information Security Management System. You can use ISO 27002 as a checklist for your security control selection, but going back to The Standard of Good Practice for Information Security may be useful for more detailed information.
If you have more time to look into it, you can also check The CIS Critical Security Controls for Effective Cyber Defense, developed by, or the COBIT 5 framework, developed by ISACA. If you develop any in-house application, it’s important that your dev team follows the OWASP Top 10, a list of the most critical application security risks that you should take into consideration.
Now that you have some research material, you can start defining the Information Security Policy, which should describe the technical and organizational measures you take to ensure information security in your company, for GDPR and beyond. Make sure you don’t end up with a generic set of rules that doesn’t cover your business use cases, and make sure it is not just a formal document sitting on your desk to prove your compliance.
What’s more important than choosing the right security measures for your company is having your employees understand and apply them. Compliance won’t be achieved by your documents, but by the actions and commitment of each member of your organization.