The election to the European Parliament, one year after the General Data Protection Regulation (GDPR) came into force, reminds us why we need regulation to safeguard our foundational human rights to personal data protection and freedom. The purpose of GDPR makes a lot of sense once you step back from the details and look at the broad perspective. Our personal rights and freedoms are foundational and vital to the well-being of our European way of democracy.
2019 is not only the year of the European Parliament election, the one-year anniversary of GDPR and Brexit, but also the year in which the World Economic Forum released the 14th edition of its Global Risks Report. The report names cyber-attacks and data fraud or theft among the top 5 risks and critical information infrastructure breakdown among the top 10 global risks. We have already witnessed companies suffering significant loss of business as victims of cyber-crime (e.g. Maersk $300 million, Hydro $50 million). The world has changed rapidly along with globalization and technology, enabling new digital business opportunities and new terms for the game of business.
The new high-ranking business risks have been around for years, but along with the changing perception of the value of data – “data is the new oil” – the creativity and motivation, with bad intent, to gain access to business-critical data increase. The tools, knowledge and support for exercising cybercrime are freely and easily available, and with the increasing concentration of wealth and the availability of technology in poor regions of the world, cybercrime is inevitably part of the new terms for successful business.
(Picture Source: https://www.visualcapitalist.com/top-global-risks-2019/)
GDPR asks companies to demonstrate accountability for the data subjects’ rights – to be informed, to give consent, to access, to rectification, to deletion of their data and not to be subject to automated decision-making – but also to ensure secure processing of personal data (Art. 32). Appropriate technical and organizational measures shall be established based on a risk assessment. The requirements to establish and maintain compliance with GDPR fall within the nature of the work required to ensure the cyber resilience needed to protect a continuously successful business.
Ten years ago we talked about “Business – IT alignment”, where the business side of the organization was struggling to make IT help realize its business goals. Today’s high availability of IT services has moved the challenge to “Business – IT Security alignment”. The existing, aging IT infrastructure did not change, but the risk of its vulnerabilities being exploited did! Along with the introduction of new hybrid and cloud technologies, the demands on IT security have risen, leaving IT security professionals with a huge challenge in aligning their needs for investment and effort with the goal of protecting the business and enabling continued business success. Further, and even more critically, it leaves the business with a strategically important blind spot in the risks to its success.
A good place to start dealing with the “Business – IT Security alignment” challenge is through establishment of a management system focusing on the business’ information security risk.
Experience shows that a structured approach to the orchestration of security (confidentiality, integrity and availability) is a great way to build the needed bridge between business and technology, including the vital security aspect. C-level needs simple, risk-based storytelling, not a complicated technical security story. The ISO 27001 Information Security Management System (ISMS) standard is a good example of how to implement an effective “three lines of defense” model ensuring a risk-based approach to information security. This standard has repeatedly been referred to as good practice for demonstrating compliance with GDPR Art. 32 – Security of processing. The standard provides a high level of security transparency due to its mature international acceptance.
GDPR is entering a second wave along with the availability of maturing technologies that enable data-driven, fact-based compliance monitoring of the processing of personal data. Digitalization of the compliance process is a vital element of the digital transformation process. Within the SAP space we now see great and affordable tools to support the process of “get clean and stay clean” when it comes to Segregation of Duties (SoD) and authorizations.
Real-time security monitoring across your SAP landscape, with a feed into the general company SIEM solution, is also readily available. The job of deleting data remains a cumbersome process, but it is possible, as are UI masking, logging, etc. In the space of unstructured data, compliance solutions are also emerging and gradually becoming available, enabling smart GDPR compliance for the almost impossible manual task of both “getting clean” and “staying clean” and achieving sustainable GDPR compliance.
Figure 1: ERP Maestro’s Access Analyzer is a good example of a data-driven Software-as-a-Service which, out of the box and with a simple agent installed in the SAP landscape, provides a ruleset and within hours presents the SoD risk dashboard, including risk mitigation actions. Continuous monitoring of access risk is an example of appropriate technical measures to meet e.g. GDPR compliance requirements. Source: ERP Maestro
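To make the rule-set based SoD check described above concrete, here is an added illustration in Python; it is not code from the page, from ERP Maestro or from itelligence. The rule set, the roles, the users and the transaction codes they grant are constructed for the example (the transaction codes are used only as labels, not as a statement about any real system’s authorizations). The check derives each user’s effective transaction codes from their roles, maps those to business functions, and reports every conflicting function pair together with the roles that cause each side of the conflict, which is the information needed to choose a mitigation.

```python
"""Segregation-of-duties (SoD) check over role assignments.

Constructed example: the rule set, roles, users and transaction codes below
are illustrative, not a vendor ruleset or real SAP authorisation data.
"""
from collections import Counter

# Business functions and the (constructed) transaction codes that grant them.
FUNCTIONS = {
    "create_vendor": {"FK01", "XK01"},
    "run_payment": {"F110"},
    "create_purchase_order": {"ME21N"},
    "post_goods_receipt": {"MIGO"},
    "maintain_user": {"SU01"},
    "assign_role": {"PFCG"},
}

# SoD rules: two functions one person must not hold together, a risk level
# and the fraud scenario the rule guards against.
SOD_RULES = [
    ("create_vendor", "run_payment", "high", "fictitious vendor created and paid"),
    ("create_purchase_order", "post_goods_receipt", "medium", "goods receipt for a fake order"),
    ("maintain_user", "assign_role", "high", "self-granted privileged access"),
]

# Constructed roles (name -> transaction codes) and user-to-role assignments.
ROLES = {
    "Z_AP_CLERK": {"FK01", "F110"},   # badly designed: vendor master + payment run
    "Z_PURCHASER": {"ME21N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_USER_ADMIN": {"SU01"},
    "Z_ROLE_ADMIN": {"PFCG"},
    "Z_DISPLAY": {"FK03"},            # display only, no SoD-relevant function
}
USERS = {
    "alice": ["Z_AP_CLERK", "Z_DISPLAY"],
    "bob": ["Z_PURCHASER", "Z_WAREHOUSE"],
    "carol": ["Z_USER_ADMIN"],
    "dave": ["Z_USER_ADMIN", "Z_ROLE_ADMIN"],
    "erin": ["Z_PURCHASER", "Z_DISPLAY"],
}


def functions_granted(tcodes, functions=FUNCTIONS):
    """Map a set of transaction codes to the business functions they grant."""
    return {name for name, codes in functions.items() if tcodes & codes}


def roles_granting(function, user_roles, roles, functions=FUNCTIONS):
    """Which of the user's roles contribute a function (needed for mitigation)."""
    return sorted(r for r in user_roles if roles[r] & functions[function])


def find_sod_conflicts(users, roles, rules=SOD_RULES, functions=FUNCTIONS):
    """Return one record per (user, violated rule), in user order."""
    conflicts = []
    for user, user_roles in sorted(users.items()):
        # Effective access is the union of everything the assigned roles grant.
        tcodes = set().union(*(roles[r] for r in user_roles))
        granted = functions_granted(tcodes, functions)
        for f_a, f_b, risk, impact in rules:
            if f_a in granted and f_b in granted:
                conflicts.append({
                    "user": user,
                    "rule": (f_a, f_b),
                    "risk": risk,
                    "impact": impact,
                    "roles_a": roles_granting(f_a, user_roles, roles, functions),
                    "roles_b": roles_granting(f_b, user_roles, roles, functions),
                })
    return conflicts


def risk_summary(conflicts):
    """Count of conflicts per risk level, the headline number for a dashboard."""
    return dict(Counter(c["risk"] for c in conflicts))


def intra_role_conflicts(conflicts):
    """Conflicts where a single role grants both sides.

    Removing one of several assignments cannot fix these; the role design
    itself has to be split, which is a different mitigation action.
    """
    return [c for c in conflicts if set(c["roles_a"]) & set(c["roles_b"])]


if __name__ == "__main__":
    found = find_sod_conflicts(USERS, ROLES)
    for c in found:
        print(f"{c['user']}: {c['rule'][0]} + {c['rule'][1]} [{c['risk']}] "
              f"via {c['roles_a']} and {c['roles_b']} ({c['impact']})")
    print("summary:", risk_summary(found))
    print("role redesign needed for:", [c["user"] for c in intra_role_conflicts(found)])
```

Run as a script it lists three conflicts: alice (both sides from the single role Z_AP_CLERK, so the role itself must be split), bob (one role per side, fixable by removing either assignment or documenting a compensating control) and dave. “Staying clean” then means re-running the same check on every role or assignment change and treating any new high-risk record as an event to act on, rather than as a quarterly audit finding.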
Figure 2: SecurityBridge by ABEX is yet another good example of easy and affordable new technology for effective data-driven monitoring of security events across the entire SAP landscape, including ABAP code security scanning. Both cyber threats and insider threats are addressed, and the solution adds to the collection of appropriate technical measures to ensure secure processing of data. (Source: ABEX)
At itelligence we envision Sustainable Data Accountability Solutions, supporting any compliance framework, which truly enable digital intelligent enterprises and successful digital business transformations.
itelligence Nordic – GRC LoB offers GDPR and Information Security Management consultancy and Security Assessments, along with both SAP and non-SAP security technologies and services.