Posted on 21-May-2020
Complying with New Data Security and Privacy
Requirements for Cloud Computing
October 2018
© Capgemini 2018. All rights reserved | Complying with New Data Security and Privacy Requirements for Cloud Computing | October 2018
Speaker Bio
Malu Septien Milan
GRC Lead Architect, Go-to-Market
Capgemini North America
Malu recently joined Capgemini, a global leader in consulting, technology services and digital transformation. She brings 25 years of digital transformation and risk management leadership experience across Fortune 100 companies.
Malu is a forever learner, always staying current on the latest innovations in technology and their business applications.
Presentation Overview
Through this presentation you will gain knowledge on how to:
• Implement a practical approach to global regulatory compliance readiness
• Achieve a unified operational execution plan to avoid fines
• Deliver cybersecurity training for your employees to proactively reduce risk
• Stay ahead of regulatory requirements
The cloud’s threat landscape has brought about new regulations
What is GDPR? The basics
The General Data Protection Regulation (GDPR) is a new law which establishes a single set of rules for every EU Member State to protect personal data. It builds upon and updates the current EU data protection framework.
Effective date: 25 May 2018. Maximum fines: up to 4% of annual worldwide turnover or EUR 20 million, whichever is higher.
Companies processing personal data must continue to ensure they have proper controls over the processing and security of personal data, according to the data protection principles in the GDPR.
They must continue to control how personal data is stored, kept up to date, accessed, transferred and deleted.
Personal data is widely defined to mean any information relating to an identified or identifiable individual (known as a “data subject” under the GDPR). Personal data may include name, physical address, email address, identification number, location data, online identifier, credit card number, or health information.
What does GDPR change for your company?
1. Establishing more comprehensive data protection standards (e.g. companies must build privacy into projects, products and systems that will process personal data);
2. Requiring companies to keep detailed internal records of their processing activities;
3. Strengthening the enforcement powers of supervisory authorities and giving them the right to impose substantial fines;
4. Requiring companies to notify the relevant supervisory authority about serious personal data breaches within 72 hours and to notify affected individuals if there is a high risk of harm to them as a result of the breach.
Plus, related requirements now in force: the EU NIS Directive and NIST SP 800-171, as foundational cybersecurity requirements supporting successful GDPR mitigation.
Compliance, Privacy, and GRC Primer... the clock is ticking
Stay ahead of regulatory requirements
1. Implement a routine self-assessment process against current regulation.
2. Partner with a trusted company to help you through the journey.
3. Enroll in regulatory compliance bodies around the world to stay ahead of regulation and of the fines enforced against corporations.
4. Drive learning into the organization.
5. Embrace the rapid change in GRC regulation that results from rapid cloud and digital transformation.
6. Reach out to our experts to help you with next steps.
7. Win our raffle!
Implement a practical approach to global regulatory compliance readiness
Create your roadmap to Cloud GRC to beat the odds by following our practical advice
Cloud GRC challenges (source: 2018 Cloud Security Report, Crowd Research Partners):
• Difficulty complying with regulation
• Which security policies apply
• Security and privacy not being able to keep up with the pace of change in applications
Visibility into infrastructure security vulnerabilities is step 1.
Start with a GRC self-assessment across GDPR controls
[Figure: Sample Customer GDPR Self-Assessment, 10/11/2018]
Establish building blocks of GDPR and privacy compliance
1. GDPR Assessment: program scoping, detailed process diagnosis and action plan, Data Protection Impact Assessment
2. GDPR Program: Data Protection Register management, awareness & change management, program coordination and follow-up (incl. KPIs, risk and reporting), DPO organization & tooling, processor and third-party management, GDPR organization, methodology and procedures
3. Data Discovery: data discovery services
4. Consent & Individual's Rights Management: consent management, individual's rights management
5. Pseudonymizing: pseudonymizing services
6. Data Lifecycle: data retention and data disposal
7. Data Protection: Identity Access Management & Identity as a Service, data & database security
8. GDPR Assurance: data breach simulation, GDPR compliance tracking, application security & privacy testing
9. Breach Management & Reporting: Security Operations Center as a Service, Data Leak Prevention as a Service
Simplify to what you can measure & respond to first, given your risk exposure assessment results
Concurrent Audit Services (CAS):
• Duplicate Payment Review (historical & ongoing)
• Vendor Overpayment Audits
• Continuous Transaction Monitoring
• Revenue Assurance
• DPO Appointment
Continuous Control Monitoring:
• Financial Controls
• IT Controls
IT Risk & Compliance services:
• Integrated IT Risk Management
• Third Party Risk Management
• IT General Controls assessment
• VAPT and Application code review
• SOC for Cybersecurity
• SAP Security
• IT Service Continuity
• ISO 27001:2013 implementation
Regulatory compliance services:
• SOX/SOC 1 Assessments
• SOC 2/3 Assessments
• Data Privacy Assessments (GDPR, CAPR etc.)
• Data Privacy Continuous Monitoring
• PCI Compliance Management
• EU NIS Directive, CIS V7, ISO 27001 etc.
Application access controls & SoD analysis:
• User Account Management
• Access Rights Management
• Privileged Account Management
• Segregation of Duties (SoD) Analysis
Deliver effective and efficient cybersecurity training for your employees to proactively reduce risk
Drive employee awareness through tailored training
https://info.wombatsecurity.com/capgemini-register-training
Focus on changing employee behavior, not simply on training:
1. Assessing: where there are weaknesses
2. Educating: addressing areas of weakness
3. Reinforcing: practicing and reminding of what was just learned
4. Measuring and repeating
Apply learning science principles
• Present concepts and procedures together
• Bite-sized lessons
• Story-based environment
• Provide immediate feedback
• Learn by doing
• Use conversational tone
• Collect valuable data
• Create teachable moments
Continuous training methodology supporting continuous GRC readiness
[Figure: training cycle]
• Simulated attacks and knowledge assessments
• Interactive training modules and games
• Attack reporting, posters, and videos
• Detailed reports show progress
• Analyze and repeat
Achieve a unified operational execution plan to avoid fines
Security and privacy by design require a DMAIC approach
Controls in scope:
• Integrated 72-hour breach notification and completeness
• Infrastructure & applications cybersecurity
• Vendor privacy regulation controls
• Real-time consent management
Stakeholders and systems in scope: Partners, Consumers, Customers, Employees, Contractors, Things, Applications
Address your weakest areas first with the DMAIC approach:
1. Define the problem areas against specific controls in specific regulation
2. Measure gaps
3. Analyze remediation options
4. Implement remediation
5. Control plan: ongoing monitoring of effectiveness
Simple GRC readiness plan (360º)
• Secure-Cyber Foundations
• Privacy & GRC Program
• Employee Readiness
GDPR Compliance Approach: End-to-End View
[Figure: end-to-end GDPR compliance approach, organized into four phases]
Roadmap: GDPR Assessment; Baseline Compliance; Document Compliance Maturity; Strategic Roadmap; Private Data Protection Discovery; Privacy Maturity; DPIA
Protect: Data Protection; Consent Management; Data Lifecycle
Monitor: Breach Management & Reporting; Policy
Manage (GDPR Program): Privacy Architecture; Privacy by Design; Data Classification; PbD Risk; Privacy Policy; Education & Awareness; Risk Assessment; GDPR Assurance
Further program elements shown in the figure: Risk Management Program; Compliance Tracking; Data Request Response Program; Breach & Incident Response Program; DPIA Program; Security RM and Privacy Maturity; Data Privacy Controls; 99 Articles & Integrated Controls; Organizational Awareness & Readiness; Business Processes & Consent Management; RM Index; Data RM Index; Remediate CIS Basics; Privacy PM Tools; Consent Workflows; Policy Management; Data Subjects Rights
Security and privacy in the cloud require even closer collaboration between Infrastructure, Applications, Business and Legal
GRC automation as competitive advantage
[Figure: cloud risk management platform for a sample "Company X"]
• Data
• Cloud Risk Management Platform
• Governance & Training
• Security Scorecards
• GDPR Execution Platform
• DevOps Security Risk Scoring
• ITIL Integration (CMDB)
In Summary
Problem: GRC security and privacy complexity has increased.
Solution: must be tailored to your needs, with measured GRC readiness, to avoid boiling the ocean.
Questions?
mmilan@Capgemini.com
Thank You
About Capgemini
A global leader in consulting, technology services and digital transformation, Capgemini is at the forefront of innovation to address the entire breadth of clients’ opportunities in the evolving world of cloud, digital and platforms. Building on its strong 50-year heritage and deep industry-specific expertise, Capgemini enables organizations to realize their business ambitions through an array of services from strategy to operations. Capgemini is driven by the conviction that the business value of technology comes from and through people. It is a multicultural company of 200,000 team members in over 40 countries. The Group reported 2017 global revenues of EUR 12.8 billion.
Learn more about us at www.capgemini.com
This message contains information that may be privileged or confidential and is the property of the Capgemini Group.
Copyright © 2018 Capgemini. All rights reserved.
People matter, results count.