GDPR Compliance in the Cloud

With the GDPR approaching, many companies are seeking to leverage their cloud services for GDPR compliance.  The Microsoft Office Modern Workplace episode, ‘GDPR: What You Need to Know’, outlines how to make this process painless.  Companies want to ensure that the cloud services they use are compliant.  The GDPR places a higher burden on companies storing data on Europeans, and for many businesses this data resides in the cloud.  Important GDPR compliance considerations include building support for the consent requirement, the rights to erasure and data portability, and 72-hour breach notification, among other GDPR requirements.

The good news is that cloud providers have not been standing still and they can be a valuable partner for a company’s compliance effort.  The decision to utilize the services of cloud providers was likely made not only for the features they provide but because cloud providers can often implement security controls and procedures that would be cost prohibitive for a company to do on its own.  Many cloud providers are actively considering how to comply with GDPR, and some have already adopted GDPR compliant practices.

Today, cloud services are not only present in organizations, they are often ubiquitous.  One study found that European companies are using over 600 cloud services on average and it is likely that U.S. companies use a similar number of cloud services.  So how do companies with such a large cloud presence comply with GDPR?

Assign compliance responsibility

The first step in the GDPR compliance effort is to identify which person or group will be responsible for ensuring compliance with GDPR.  This may be different groups depending on the organizational culture or the business use of personal information.

According to Karen Lawrence Öqvist, CEO at Privasee, the group responsible may include legal, compliance, or even IT.  IT is often the driver in companies where collecting data is not core to the business while legal often has responsibility when there is an emphasis on the collection of personal information.   No matter which person or group is chosen, someone must be accountable for bringing the company into compliance.

Identify cloud providers

The individual or group responsible for compliance must then determine which cloud providers are in use and what data is stored or processed on these cloud services.  It can be tempting to reduce the scope of the process only to those that house data on Europeans, but this might be a short-term perspective.  Companies must be careful not to limit their scalability and agility by staying on non-compliant systems because those systems may need to house such data in the future as the company evolves.

GDPR compliance can also be an opportunity to build a better relationship with customers.  According to Brendon Lynch, Chief Privacy Officer at Microsoft, the increased control and transparency mandated by the GDPR can be a way to build and maintain more trust with customers.  This is a benefit not only for European customers, but also those around the globe.

Once cloud providers have been identified, consider ways to consolidate services to ease management and compliance with GDPR.  Take the time to identify redundancies and standardize those services across the enterprise with a single provider.  Tiered pricing models and bundling of services can reduce cost, but the primary driver for these changes is reduced complexity of data flows to and from cloud providers.  Do not limit this analysis to cloud providers only.  Consider also which activities are performed in-house and whether moving those operations to a GDPR compliant cloud provider would increase efficiencies or lower costs.

Gap analysis

Next, conduct a gap analysis of each cloud vendor.  Vendor management or compliance groups may send out questionnaires to assess whether cloud providers have the capability to meet GDPR requirements and, if not, whether they have a reasonable plan on how to implement these capabilities before the May 25, 2018, deadline.

Mainstream cloud vendors have been some of the most proactive in implementing methods to secure data in their cloud service offerings and to do so in a way that is compliant with the GDPR.  For example, in the recent Microsoft Office Modern Workplace episode, GDPR: What You Need to Know, the Office 365 prebuilt filters were demonstrated.  These filters are already in place for personal data types such as those used by European countries.  Administrators can use filters to define a policy that will automatically identify data in email, SharePoint, and other Office cloud services, and then take specific compliance actions.

Conduct privacy impact assessments

Privacy impact assessments should be performed on high-risk assets such as HR or financial data to ensure that this information is adequately protected with whichever cloud providers are storing or processing the data.  Privacy impact assessments analyze what personal information the company is collecting, why it is collected, and how it is stored, used, and protected.

Document and train on procedures

It is not enough for the cloud provider to have the capability to comply.  The company must be able to use these capabilities in their compliance strategy.  For example, the option to remove or transfer personal data may be possible on a cloud system, but the company must document how to utilize these features if needed.

Persons or departments in the company must then be trained on how to perform these actions so that they will be ready and able when customers make data requests.  Training alone is not sufficient to ensure that staff will meet the GDPR’s stringent 72-hour notification period.  Here, simulation can provide more reliable assurance that incident response activities can be performed in compliance with the GDPR.  Simulations should have incident response teams and cloud service providers work together to effectively investigate a data breach and gather the information needed for notification.

Wrapping it up

Companies that wish to comply with the GDPR by the May 25, 2018 deadline are trying to understand where their data is, particularly that of Europeans, and how that data is handled.  Cloud providers can be a great partner in this effort, and companies should embrace their cloud providers in the effort to become compliant.  Consider your cloud provider a core partner in your compliance rather than a liability, and utilize what they have to offer in order to meet the GDPR requirements.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

Important considerations for your business and GDPR

The General Data Protection Regulation (GDPR) is the latest in a host of rules designed to protect privacy.  It is significant because it affects companies that do business in Europe or collect data on Europeans.  GDPR’s wide-ranging scope ranks it right at the top of significant regulations, sitting beside well-known requirements such as HIPAA and PCI.

Your business may be doing quite a few things required by GDPR already because GDPR has similar goals to other regulations.  While HIPAA is designed to protect patient information in covered entities and business associates and PCI to protect credit card information from card processing environments, GDPR aims to protect the personal information of Europeans.  This overlap of objectives results in a considerable similarity in GDPR specifications to those of other regulations.  However, GDPR does introduce some new requirements that companies need to understand.

The upcoming Microsoft Office Modern Workplace episode “GDPR: What You Need to Know” incorporates the expertise of Brendon Lynch, Chief Privacy Officer at Microsoft, and Karen Lawrence Öqvist, CEO at Privasee on how to prepare for GDPR.  Some fundamental aspects of GDPR that are distinct from other regulations include the consent requirement, rights to erasure and data portability, accelerated breach notification, and the requirement for a data protection officer.

Consent requirement

GDPR mandates that companies obtain consent from individuals before storing their information.  Consent must be specifically for how the data will be used.  Organizations must first spell out how they will use an individual’s data and then obtain the approval for that use.  Data use is then limited to only what the person allowed, and the organization must keep records on how information is used and processed.  This information must be produced upon request by supervisory authorities, a local governing body that the business has associated with for purposes of compliance and reporting.

Rights to erasure and data portability

Under GDPR, individuals have the right to erasure and the right to data portability.  Companies must remove the data they have on a person if requested to by the individual, and they must facilitate the transfer of a person’s information from their systems to another system using an open standard electronic format that is in common use.

Accelerated breach notification

Breach notification timelines are greatly accelerated in GDPR.  The supervisory authority must be notified within 72 hours of the breach.  This notification must include the relevant details of the breach, including the number of victims impacted and personal records disclosed, the likely consequences to victims due to the breach, how the company is handling the breach, and what the company will do to mitigate possible adverse effects of the breach.  This accelerated schedule will require businesses to have much more robust incident response and investigative procedures, as well as effective coordination of incident response, legal, investigative, and executive teams.

Data protection officer

Much like HIPAA’s privacy officer requirement, GDPR requires public authorities and organizations to have a data protection officer when their core business involves large scale processing or monitoring of individuals.  The data protection officer must be a senior person in the organization who reports to executive management.  They must have the freedom to operate independently from the rest of the company and be provided with adequate resources to perform their role.

Next steps

We live in an incredibly globalized world, one where businesses of all sizes work with customers spread around the world.  GDPR has a wide-ranging impact on these companies, so it is important to understand its requirements.  In addition to what has been presented here, the Microsoft Office Modern Workplace episode on GDPR provides some excellent guidance.  Begin the process now to position your company to operate and thrive under GDPR. The deadline for companies to comply with this regulation is May 25, 2018.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

Stop Hoarding! Improve Security, Efficiency and the Bottom Line through an Effective Data Retention Policy

Organizations are accumulating data at a pace that would cause a hoarder to blush.  Just like that old bicycle seat stored in the attic, data is often kept “just in case it may be needed someday.”  This practice, however, comes at a cost.

Some organizations think that it is inexpensive to store data, in particular with the steady decline in hard drive prices.  The fact is, however, data is expensive to keep.  Organizations spend a significant portion of time managing, archiving and securing data.  Data is housed on servers, each of which must be maintained.  Data is also archived regularly according to the organization’s backup schedule, and it is audited and secured against loss.  Each of these activities consumes the time (i.e. increases the cost) for those in information management.

Excessive data retention can also pose a risk to an organization regarding compliance and electronic discovery requirements.  Personally Identifiable Information (PII) that is lost could result in significant fines.  Also, old document drafts that may not provide organizational value could still damage the organization if disclosed.  Data related to litigation is costly to obtain, organize, and produce.  Searching through an organization’s legacy data adds additional complexity and cost.

For the above-stated reasons, it is important to remove unnecessary data.  A structured approach is necessary to avoid the loss of important data and to provide consistency throughout an organization.  The structure can be accomplished through a data retention policy.   A data retention policy should specify how long certain types of data such as emails, documents, drafts, instant message conversations, or even voice mails should be kept and how the data will be properly disposed of.

Contents

At a minimum, a data retention policy should contain a scope section that outlines the types of data covered.  Examples would be tax records, personal information, business records and legal documents. Also, the policy will need to spell out how long and in what form each type of document will be retained.  Some policies may include guidelines on removal of data – or this may be left to a data destruction policy.

Retention Term

One of the most difficult parts of defining a data retention policy is specifying the length of time to retain certain types of documents.  Compliance requirements may determine the minimum or maximum length of time while business requirements may stipulate other terms.  Both the compliance and business requirements will need to be considered in defining the duration.  The following are some best practices and can be used as a starting point in the formation of a data retention policy:

  • Audit documentation and associated financial documents will need to be kept for at least seven years if there is a SOX requirement. The IRS requires that tax documents be retained for at least four years after they were due.
  • The list of hazardous chemicals provided by OSHA contains many substances common in the workplace and data retention policies should define how long documentation of hazardous chemical exposure data will be kept.  OSHA requires that such documents be retained for 30 years.
  • The Health Insurance Portability and Accountability Act (HIPAA) requires that information disclosure authorizations, patient requests, business associate contracts and other such covered documents be retained for at least six years from the last transaction or 2 years following the patient’s death.
  • Exceptions may be made to these recommendations when pending litigation or audits require an information freeze or legal hold for specific data.  In these instances, organizations will need to show that they have made reasonable efforts to prevent the destruction of discoverable information.

Businesses have a definite need for data retention policies.  The regulatory requirements mentioned here should be included in business retention requirements for those that fall under such regulations.   An effective data retention policy can go a long way in reducing data clutter, improving organizational efficiency and reducing risk.  However, defining the policy will not be enough.  Employees will need to be aware of the policy and motivated to follow it.

Information Security Compliance: ISO 27000

ISO 27000 is a set of security standards that organizations can implement to provide an industry-recognized minimum level of security.  ISO 27000 came out of the BS (British Standard) 7799, originally published in 1995 in three parts.  The first part of BS 7799, dealing with the best practices of information security, was incorporated in ISO 17799 and made part of the ISO 27000 series in 2000.  Part two, titled “Information Security Management Systems – Specification with Guidance for Use” became ISO 27001 and dealt with the implementation of an information security management system.  The third part was not incorporated into the ISO 27000 series.  Similar to ISO’s 9000 series, which focuses on quality, ISO 27000 is an optional accreditation that can be used to show that an organization meets a specified level of information security maturity.

Overview of the ISO 27000 sections

The six parts to the 27000 series each deal with a different area of an Information Security Management System (ISMS).  This document will briefly outline each section and then concentrate on ISO 27001, the section that details the requirements for ISMS.  An overview of what the series deals with can be found in the table below.

ISO 27000 Series

  ISO 27001  ISMS requirements
  ISO 27002  ISMS controls
  ISO 27003  ISMS implementation guidelines
  ISO 27004  ISMS measurements
  ISO 27005  Risk management
  ISO 27006  Guidelines for ISO 27000 accreditation bodies

As can be seen in the table above, ISO 27001 details the actual requirements for businesses to comply with the ISO 27000 standard.  ISO 27002 builds on ISO 27001 by providing a description of the various controls that can be utilized to meet the requirements of ISO 27001.  ISO 27003 provides details on the implementation of the standard including project approval, scope, analysis, risk assessment, and ISMS design.  ISO 27004 outlines how an organization can monitor and measure security about the ISO 27000 standards with metrics.  ISO 27005 defines the high-level risk management approach recommended by ISO and ISO 27006 outlines the requirements for organizations that will measure ISO 27000 compliance for certification.

Series contents

The ISO 27000 series provides recommendations for “establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System” (http://www.27000.org).  The standard can be broken down into the following sections:

  • Risk assessment – a quantitative or qualitative approach to determining the risks to organizational assets. The degree of risk is based on the impact to the asset and the likelihood of occurrence.
  • Security policy – formal statements that define the organization’s security expectations.
  • Asset management – inventory and classification of information assets.
  • Human resources security – security aspects for employees joining, moving within or for those leaving an organization.
  • Physical and environmental security – physical/tangible systems used to protect systems and data such as alarm systems, guards, office layout, locked doors, keypads, cameras, etc.
  • Communications and operations management – management of technical security controls in systems and networks.
  • Access control – restriction of access rights to networks, systems, applications, functions and data; maintaining the confidentiality of access credentials and the integrity of access control systems.
  • Information systems acquisition, development, and maintenance – building security into applications when they are designed or purchased.
  • Information security incident management – planning and responding appropriately to information security breaches.
  • Business continuity management – protecting, maintaining and recovering business-critical processes and systems when they become unavailable.

Certification process

Within the ISO 27001 document, there are specifications to which a company’s ISMS can be submitted for potential certification.  The certification process begins after an accredited organization finds that the corporation has met the requirements as outlined in ISO 27001.  Once this body determines that the company has complied with the requirements of ISO 27001, the certification is granted.  Certification must be renewed every three years and is subject to audits.

Benefit to business

Compliance with the ISO standards provides companies with a credential which demonstrates that the business is in conformity with the requirements of this well-recognized standard.  It also gives employees and clients more assurance that their data is safe with the enterprise.  In some cases, companies may require ISO certification to do business.  The ISO 27000 standard contains many useful recommendations, and businesses are encouraged to familiarize themselves with the recommendations even if they do not plan on becoming certified.  The standard itself must be purchased; however, qualified compliance practitioners can assist with the preparation for the compliance effort.

Summary

ISO 27000 is comprised of six parts outlining the requirements for certification, guidelines for achieving the requirements, and guidelines for accrediting organizations. The standard provides many useful recommendations for companies seeking certification as well as those merely interested in improving their security.  Similar to the ISO 9000 quality standard, ISO 27000 is optional, but it may soon be a business requirement.

Protecting against data breaches and security incidents with cyber insurance

Data breaches and security incidents are a significant risk for organizations, and some are using cyber insurance to transfer the risk, similar to how many other business risks are transferred.  If you are considering cyber insurance, the first step is to identify the cyber risks you are facing to determine if they fall within your risk tolerance level or if they need to be addressed.  Security controls may need to be implemented to bring risks to an acceptable level.  There may be other risks where it is better to transfer the risk through cyber insurance.

Cyber insurance is still a relatively new concept so the offerings differ greatly between vendors.  Check with your vendor to see what they will cover.  Some of the costs of a data breach or security incident include:

  • Notification expenses such as those required under HIPAA
  • Investigation costs
  • Computer forensic services
  • Data restoration services
  • Public relations costs
  • Loss of business during the interruption
  • Loss of business following the interruption
  • Regulatory fines
  • Credit monitoring for impacted individuals

Insurance providers will want to know how risky a policy is, so they will most likely have some questions on your security procedures before issuing a policy.  Cyber insurance is not a solution on its own.  It needs to be pursued as part of the overall security governance of the organization, along with security controls and other risk mitigation activities.

Information Security Compliance: PCI-DSS

PCI-DSS applies to a wide range of corporations and companies that deal with credit card transactions, and it can be a useful tool for other organizations as well.  The PCI-DSS specification was created by credit card companies such as Discover, American Express, Visa, and MasterCard to protect the individual from credit card fraud and identity theft through standardization of security controls surrounding the protection of credit card information.  Similar to ISO standards, PCI-DSS is not a government regulation full of fines for non-compliance.  Rather, the rule thrives under positive reinforcement by allowing companies to demonstrate that they have achieved a level of information assurance suitable to protect customer credit card information.  However, it should be mentioned that there can be fines if an organization has a loss of credit card information and they are not PCI-DSS compliant.

Compliance is recommended for all companies that process, store or transmit credit card data.  Some ask why they should expend the time and resources to become compliant if the process is voluntary.  First, PCI-DSS compliance can give customers more confidence in your ability to protect their data.  Second, a company that is compliant with PCI-DSS will be better equipped to comply with other regulations and standards such as HIPAA, COBIT, or ITIL since many of the requirements overlap.  Third, the recommendations in PCI-DSS are reasonable and practical for many companies who take information security seriously, and they can bring significant benefit to the organization’s ability to safeguard systems and data.

What’s required?

The PCI-DSS requirements are comprised of six categories called control objectives.

Control Objectives and PCI-DSS Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

Excerpt from the PCI-DSS 1.2 standard

How does one become certified?

For many companies, the compliance process is somewhat ambiguous, and what little is known of the process is often representative of the outliers rather than the norm.  Compliance seminars and information security speakers often talk of the penalties for non-compliance or the immense costs of compliance initiatives, and this can make the activity seem quite frightening.  However, the PCI-DSS process is relatively straightforward.

After implementing controls to satisfy the objectives above, a company then must complete periodical reports outlining their compliance with PCI-DSS.  Small businesses can complete a self-assessment and then pass a vulnerability scan performed by an approved scanning vendor.  Larger companies go through an audit by qualified security assessors.  An annual review is required to maintain your PCI-DSS standing.

Where to next?

This entry regarding PCI-DSS covered who needs to comply with it, what is required, and how the process works.  As you can see, the process is not as complicated as some believe.  Organizations can improve the security of handling credit card information and provide an increased level of assurance to customers that their credit card information is being protected.

Information Security Compliance: HIPAA

HIPAA is a regulation intended to help covered entities and their business associates protect Electronic Protected Health Information (ePHI).  The U.S. Department of Health and Human Services (HHS) outlines who HIPAA applies to in their definition of a covered entity.

Health and Human Services (HHS) lists a covered entity as follows:

A Health Care Provider

This includes providers such as:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

…but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

A Health Plan

This includes:

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs that pay for healthcare, such as Medicare, Medicaid, and the military and veterans health care programs

A Health Care Clearinghouse

This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

In addition to the covered entities shown above, HIPAA applies to companies that provide services that would use ePHI, such as suppliers or outsourced IT providers.

Now that we know who this applies to, we can discuss the basics of HIPAA compliance.  The primary goal of HIPAA is to protect ePHI, which includes name, dates such as birth, admission, discharge and death, telephone number, SSN, photographs, address, etc.  Companies under this regulation will need to implement technical and procedural controls to protect this information and perform risk analysis of the risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.  Technical controls include such things as encryption, authentication, password complexity, access auditing, segmentation, etc., and procedural controls include such elements as password policies, incident response plans, contingency plans, and audit procedures.

HIPAA also requires companies to provide patients with information on their privacy practices and they must record acknowledgement that the patient received the information.  You have most likely experienced this at the doctor’s office.

The covered entity or business associate must provide a plan outlining how the company will follow the act and designate someone who is responsible for creating and implementing policies to support the plan.  If a company outsources certain business processes, then the company must make sure that the third party is also in compliance with HIPAA standards.

This article is too short to go into detail on the controls necessary for an organization, but each system that houses or transmits ePHI will need to have adequate controls, and each person who works with ePHI will have to follow procedures intended to protect this private information.  The scope of HIPAA compliance can be quite broad.  Included under this broad umbrella are doctor’s offices and other medical fields for the protection of patients.  Certain businesses are also included.  Any company that gives its employees a degree of healthcare is bound to follow the confidentiality rules as well as the uniformity rules.  HIPAA defines a covered healthcare provider as a person or business that deals with healthcare in the normal course of the business day and does so electronically.

This first installment in a series of blogs about information security compliance dealt with the medically related HIPAA, or Health Insurance Portability and Accountability Act of 1996.  We defined it and included a summary of the applications of HIPAA.  Finally, we included an overview of which companies should be concerned with the application, and therefore the implementation, of HIPAA.