How can organizations that are impacted by these regulations implement the necessary changes for compliance?
Three Keys to Success
Whether it’s the NY Cybersecurity Requirements, the GDPR or other data protection and privacy regulations, efforts should be focused on discovering and identifying regulated data, and then managing and protecting it. While there is no “one-size-fits-all” approach, the majority of requirements in these regulations can be met through the development and/or maturation of programs many large enterprises have already begun to implement: data-centric security, incident response, and third-party risk management. This week we’re looking at the first step.
1. Data-Centric Security
It is no longer enough to focus IT security efforts on networks and endpoints. As IT environments continue to change, organizations need to keep pace and advance their security by focusing on the data itself through a data-centric security program. A robust data-centric security program is invaluable not only for the GDPR and the NY Cybersecurity Requirements, but for all data protection and data privacy efforts.
A comprehensive data-centric security strategy includes the following components:
• Data discovery
• Data classification
• Data tagging & watermarking
• Data governance
• Data loss prevention
• Data visibility
• Encryption strategies
• Enhanced gateway controls
• Identity and access management (IAM)
• Cloud access
• Continuous education
Several aspects of data-centric security are particularly important to compliance readiness for regulations such as the GDPR and NY requirements, including data discovery, data classification, IAM, data governance and encryption.
Many organizations don’t even know where their sensitive information is, which makes it extremely difficult to comply with requirements such as the GDPR “right to be forgotten”. You need to identify the regulated data you store and process, its location, its path from point A to point B, which systems it is being processed by, etc. Data discovery tools provide visibility into the location, volume, context and risk associated with sensitive, unstructured data across the enterprise — both on-premises and in the cloud.
Data classification policies and tools facilitate the separation of valuable information that may be targeted from less valuable information. Information is divided into predefined groups that share a common risk, and the corresponding security controls required to secure each group type are detailed. Data classification tools can be used to improve the treatment and handling of sensitive, regulated data, and promote a culture of security that helps to enforce data governance policies and prevent inadvertent disclosure. Classification metadata can be ingested by data loss prevention (DLP), encryption and other security solutions to determine which information is sensitive, and how it should be protected.
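The discovery-then-classification flow described in the two paragraphs above, reduced to a small script, is added here as an illustration; it is not code from the original post or from Forsythe. The patterns, tier names and control sets are assumptions chosen for the example, and the "files" are constructed in-line. It shows the part commercial tools do at scale: find regulated data types in unstructured text, assign each record to a predefined risk group, and emit the control set (encryption, DLP action, MFA) that downstream products would consume. It also applies a Luhn check so that a 16-digit order number is not mislabelled as a card number, the kind of false positive that erodes trust in classification.

```python
import re

# Constructed sample "unstructured" records, keyed by a hypothetical file path.
SAMPLE_RECORDS = {
    "hr/payroll.csv": "name,ssn\nAlice Example,123-45-6789\n",
    "sales/leads.txt": "Contact bob@example.com for a quote.",
    "finance/cards.log": "card 4111 1111 1111 1111 charged 12.00",
    "notes/order.txt": "order 1234 5678 9012 3456 shipped",
    "wiki/lunch-menu.md": "Tuesday: tacos",
}

# Discovery patterns (assumed for the example; real tools ship far larger catalogues).
PATTERNS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),  # 13-16 digits, spaces/dashes allowed
}

# Which discovered data type places a record in which tier; the highest tier wins.
TIER_OF_TAG = {"us_ssn": "restricted", "credit_card": "restricted", "email": "confidential"}
TIER_RANK = {"internal": 0, "confidential": 1, "restricted": 2}

# Control set each tier requires; a DLP or encryption product would ingest this metadata.
CONTROLS = {
    "restricted": {"encrypt_at_rest": True, "dlp_action": "block", "mfa_required": True},
    "confidential": {"encrypt_at_rest": True, "dlp_action": "alert", "mfa_required": True},
    "internal": {"encrypt_at_rest": False, "dlp_action": "allow", "mfa_required": False},
}


def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def discover(text):
    """Return the set of regulated data-type tags found in a piece of text."""
    tags = set()
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if name == "credit_card" and not luhn_ok(re.sub(r"\D", "", match.group())):
                continue  # digit run fails Luhn: treat as a false positive
            tags.add(name)
    return tags


def classify(tags):
    """Map discovered tags to a single predefined risk group (the highest one present)."""
    tier = "internal"
    for tag in tags:
        candidate = TIER_OF_TAG.get(tag, "internal")
        if TIER_RANK[candidate] > TIER_RANK[tier]:
            tier = candidate
    return tier


def controls_for(tier):
    """The security controls required for a given classification tier."""
    return CONTROLS[tier]


def scan_records(records):
    """Discover, classify and attach controls for every record; returns a report by path."""
    report = {}
    for path, text in records.items():
        tags = discover(text)
        tier = classify(tags)
        report[path] = {"tags": sorted(tags), "tier": tier, "controls": controls_for(tier)}
    return report


if __name__ == "__main__":
    for path, entry in scan_records(SAMPLE_RECORDS).items():
        print(f"{path:20} {entry['tier']:12} {entry['tags']} {entry['controls']}")
```

The report this produces is the classification metadata the paragraph refers to: each path carries a tier and the controls that tier demands, so an encryption or DLP policy can be keyed on the tier rather than on ad-hoc pattern matching at every enforcement point.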
Identity and Access Management (IAM)
The NY requirements specify the use of multi-factor, risk-based authentication “for any individual accessing the Covered Entity’s internal networks from an external network” (Section 500.12) and as a means of protecting sensitive data. Multi-factor solutions and services, including mobile device-based authentication products and single sign-on federated access controls, can help.
The NY requirements obligate organizations to make the confidentiality, integrity, and availability of information and information systems the predominant focus of their cybersecurity program. This requirement drives organizations towards defining and implementing policies, processes, and standards for the effective use and management of data (structured and unstructured) and information systems. Governance, risk and compliance (GRC) tools can help to automate governance processes and optimize the business value of data. Effective data governance enables organizations to address data privacy and data protection requirements no matter where the data is collected, resides or is consumed.
The NY requirements call for greater use of encryption for data at rest and data in motion. End-to-end encryption maximizes data protection regardless of whether the data is in a public or private cloud, on a device, or in transit. It can be invaluable in the effort to combat advanced threats, protect against IoT-enabled breaches, and maintain regulatory compliance. Enterprise key management solutions are an important accompaniment to encryption tools, helping to securely generate, store and monitor keys, and to streamline ongoing administration. In the case of the EU GDPR, organizations that have encrypted the data and then experience a personal data breach will be able to demonstrate that the breach is unlikely to affect the rights and freedoms of the data subjects; breaches of encrypted data therefore may not require data subject notification.
This blog was originally published by our Partner Forsythe. Join us next week as we look at the second step, incident response.