The GDPR is forcing CISOs and CIOs to ask themselves and their organisation questions they should really already know the answers to. That is: where is my data? As a seasoned security practitioner (not an expert yet) and even older IT practitioner, I know from experience that invariably organisations know what information they have and what they do with that information. It is highly challenging managing something that is expanding all the time.
Add to that the undocumented shadow IT: the unmanaged systems under desks and in broom cupboards that the CIO does not even know exist, running critical information systems and supporting critical business processes.
Spring cleaning data
A few years back I was hired to implement ISO 27001 after an international headline-making data breach. The breach kicked off the usual high-profile enquiry and audits. The audit found over 600 shadow IT systems (yes, over 600!) that were supporting some of the most critical processes the organisation relied on. Some were running on unsupported, unpatched and unmanaged systems running spreadsheets!
Shadow IT aside, if you are a CIO or CISO I suspect the core of your job is to know:
- where is the critical asset?
- who uses it?
- how is it used?
- when is it used?
- why is it needed?
- where is it used/accessed?
If you do not know the answers to the above questions, then what are you protecting, and how? You can't protect what you don't know or understand. These are basic questions for any credible risk assessment.
As the saying goes, "If you can't measure it, you can't manage it." The same is true for security: if you don't know where your data is, you can't protect it.
Building a data asset register
GDPR actually requires organisations to build and retain an inventory of their personal data.
In my many years in security I have seen all sorts of things included as assets, even company pool cars listed in an ISMS asset register! Unless the car was to process or store data it is not an asset! I would not advise you to do either in a car. The reason for this was that the people tasked with doing the risk assessment were physical security people. Consequently everything physical, such as buildings, cars, trolleys, plants, rubbish bins etc., counted as an asset. We IT people are not interested in these; our business is data and, to some extent, the systems that protect it. Even this has changed: with public cloud computing the systems no longer belong to us. It's purely about the data. This is therefore a good opportunity to really understand what data you have, what data you need and how you use it. A register of data is a building block for information management and cyber security, so this is good news for information management and security people.
GDPR – the knight in shining armour?
The GDPR rightly wants organisations to know where their data is, especially personal data. However, rather than taking a piecemeal compliance approach, CxOs should take a wider data protection approach and use this opportunity (and budget) to map all their data. When you are looking for personal data in your CRM, you are not going to ignore the other vital data about your customers, are you? What about systems containing other regulated data, such as PCI-DSS, SOX, HIPAA or Basel X data?
You will want to take this opportunity to map all the data and then filter out the personal data for GDPR. You could classify each type of data in the CRM system, e.g. personal, IPR, marketing, etc. This is a great data discovery and data creation opportunity that CIOs and CISOs should take advantage of: not only classifying the data, but impact and risk assessing it and extending or removing controls as required.
Sharing the fruits of GDPR
Not only will this exercise help to build your information asset register for the DPIA; why not extend the DPIA to BCP and use it as a BIA exercise to work out your RPO and RTO for business continuity too? If not right away, this asset register from GDPR could be used later for the BIA and for mapping to critical business processes to build cyber and business resilience for CISOs and CIOs respectively.
It is also a great opportunity for data governance people. You may discover data that you never knew existed, and also redundant or obsolete data that you have been retaining for years and can finally delete. For security, it will be an excellent opportunity to look at all those security logs, monitoring data and audit logs that capture personal information. Cloud and other service providers that routinely monitor and capture information, and aggregate it for security purposes, could be capturing personal data.
For the first time, GDPR will have an impact across your whole data estate and across the whole organisation. You will really need to know where personal data exists, how it's used, who is using it, for what, and whether legitimately. It will force organisations to take a deep look at their data. It will be akin to an organisation renewing its marriage vows with data, and not just personal data.
New paradigm and rationale
I have previously written on how the new 72-hour breach notification will have an impact on incident management, but GDPR is much wider than that. It will question why you are collecting the data, whether you really need to collect it or are collecting it for collection's sake, and what business value the data is providing. This is where "Privacy by Design" comes into play. As a security architect, I have been a great proponent of PbD because I have seen organisations spending a lot of money protecting information, or designing security controls for information or processes, that they do not need. PbD does not only mean designing controls to protect the privacy of the data you hold; it also means minimising the collection and retention of data. Unless you are the National Archives or the Library of Congress, you do not have to retain personal data for 100 years. Why retain the CVs of failed candidates for more than 3 months after the recruitment process has ended?
I will be writing more extensively on PbD in another article.
As you can see, GDPR is a great opportunity and it should be seen as such. In my co-authored book for AXELOS, "RESILIA: Cyber Resilience Best Practices from AXELOS", we write about the need for organisations to be resilient to failure, to expect incidents and attacks, and we show how companies can design resilience into systems and business processes. This is a great opportunity to have a spring clean and start somewhat afresh, if not in all areas then in most areas of the business, starting with HR, Marketing, Sales, Legal, Contracts etc.
This is also a great opportunity for IT to get to know the business, and vice versa.
Once you have built your asset register with what really matters, you will have a database of your classified assets by impact rating, with risks, owners, retention, and answers to all the above questions. This will become your single version of the truth to support your compliance and other information management and protection initiatives.
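As an added illustration (not code from the original article), here is one way to structure such a register in Python: each row answers the six questions above and carries classification, impact rating and retention, so the personal data can be filtered out for GDPR, assets held past their retention period can be flagged for deletion, and rows with unanswered questions can be spotted. The systems, owners and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class DataAsset:
    # One row of the register: the six questions plus classification, impact and retention
    name: str
    system: str            # where is it held?
    owner: str             # who owns it?
    users: tuple           # who uses it?
    how_used: str          # how is it used?
    when_used: str         # when is it used?
    why_needed: str        # why is it needed?
    accessed_from: tuple   # where is it used/accessed?
    classes: frozenset     # e.g. {"personal", "IPR", "marketing"}
    impact: int            # 1 (low) .. 5 (high)
    retention_days: int
    created: date

def personal_data(register):
    """Filter the full data register down to the personal data GDPR cares about."""
    return [a for a in register if "personal" in a.classes]

def past_retention(register, today):
    """Assets held longer than their retention period: candidates for deletion."""
    return [a for a in register
            if today - a.created > timedelta(days=a.retention_days)]

def unanswered(asset):
    """Register questions still blank for this asset (gaps a risk assessment cannot ignore)."""
    return [f for f in ("system", "owner", "users", "how_used", "when_used",
                        "why_needed", "accessed_from") if not getattr(asset, f)]

# Constructed sample register (hypothetical systems, owners and dates)
REGISTER = [
    DataAsset("Customer records", "CRM", "Head of Sales", ("sales", "marketing"),
              "account management", "business hours", "contracts and support",
              ("office", "vpn"), frozenset({"personal", "marketing"}), 4, 365 * 7,
              date(2016, 1, 1)),
    DataAsset("Failed-candidate CVs", "HR share", "", ("hr",), "recruitment",
              "per vacancy", "shortlisting", ("office",), frozenset({"personal"}), 3,
              90, date(2017, 1, 1)),
    DataAsset("Product designs", "engineering wiki", "CTO", ("engineering",),
              "development", "continuous", "product build", ("office",),
              frozenset({"IPR"}), 5, 365 * 10, date(2017, 1, 1)),
]
```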