TRANSCRIPT
GDPR: The Day After…
Pierre-Luc REFALO
Copyright © 2017 Capgemini and Sogeti. All Rights Reserved
GDPR: The day after | March 21, 2017
The speaker: Pierre-Luc REFALO, Global Head of Strategic Cybersecurity Consulting
- 25+ years in Information & Cyber Security consultancy
- CISO for SFR & Vivendi Universal (1997 – 2002)
- Author, teacher, speaker
- Timeline shown on the slide: 2002, 2012, 2013 Award
« Success consists of going from failure to failure
without loss of enthusiasm! »
Sir Winston Churchill
Breach Level Index: http://breachlevelindex.com/
- 201 days: average time to detect a cyber incident. (1)
- 70 days: average time to recover after a targeted attack. (1)
- 89% of breaches had a financial or espionage motive. (3)
- 90% of cyberespionage breaches capture trade secrets or proprietary information. (3)
- $445bn: estimated annual cost to the global economy from cyber crime. (2)
Sources: (1) Ponemon Institute - Research Report - 2016; (2) Hiscox - Cyber Readiness Report - 2017; (3) Verizon - DBIR - 2016
“The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”
GDPR – Recital #4 – 27 April 2016
You’ve been breached: just a question of time …
What?
You’ve been breached: impacts are real and maybe huge
- Economic impact: loss of revenue, fines, additional costs, etc.
- Reputation impact: the nightly news, market brand, etc.
- Operational impact: disrupted processes, stress, etc.
- Legal impact: contractual clauses, lawsuits, class actions, etc.
You’ve been breached: you have to understand …
When? How?
You’ve been breached: real life…
Target Corporation suffered one of the largest cyber breaches to date.
Source: Columbia University, Benjamin Dean
- $252 million: loss of revenue (Q4 2013)
- $57 million: reduced taxes
- $90 million: insurance reimbursement
- Net loss = $105 million (0.1% of 2014 sales)
- 40 million financial records stolen; 70 million personal records stolen
John Mulligan (Target CFO) had to face a Senate Judiciary Committee for almost 3 hours.
https://www.youtube.com/watch?v=ZgTtycPracY
Extracts from GDPR: Section 2 – Security of Personal Data
Article 32
Did you monitor your Systems and Crown Jewels?
Did you protect your data and assets (enough)?
Did you perform a Privacy Impact Assessment?
Did you perform a Privacy Impact Assessment?
Three different PIA approaches
1. PIA on organization – scope: privacy governance & policies
The organizational privacy impact assessment basically reviews all GDPR articles and gives insight to define the organization's privacy governance and policy framework.
2. PIA on operations – scope: business processes, systems & people
The operational privacy impact assessment is very much related to the responsibility of the controller (art.24, GDPR). It reviews the technical & organizational measures of the existing operations for compliance with the GDPR.
3. PIA on new business initiatives – scope: new product & service development, marketing programs, campaigns, etc.
Data protection impact assessments (as described in art.35, GDPR) are required where the usage of new technologies is likely to result in a high risk to the rights and freedoms of natural persons. Risk mitigating measures have to be designed into products by default (art.25, GDPR).
It is not a one-off exercise; privacy is here to stay!
Did you implement Data Discovery and Classification?
Did you implement Data Discovery and Classification? The new Digital Landscape – IT & IoT
[Diagram: connected objects (IoT products) and sensors feed hubs of sensors and object gateways; data acquisition and data aggregation flow through app gateways over the Internet into the private cloud, the public cloud and the data center, where big data and data analysis apps run.]
Did you implement Data Discovery and Classification?
Collect
- Connect to all relevant DB and systems
- Profile data to get a structure and format overview
Identify
- Identify Personal Data, in DB, tables and fields
- Start looking at deduplication
- Catalogue findings on fields, table and DB level
Classify
According to risks:
- the nature
- the scope
- the volume
- the users
- the access
- the location
- the process itself
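The Collect / Identify / Classify loop above, as an added example that is not part of the original slides: it walks every table and field of a constructed in-memory SQLite database, flags personal-data fields (using assumed column-name hints and value patterns), records duplicates and catalogues findings per DB, table and field, then classifies each finding by nature and volume. The `high_volume` threshold, the heuristics and the sample rows are all assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample database (not real data): one table with personal data, one without.
SCHEMA = """
CREATE TABLE customers(id INTEGER, full_name TEXT, email TEXT, phone TEXT, country TEXT);
CREATE TABLE orders(id INTEGER, customer_id INTEGER, amount REAL);
INSERT INTO customers VALUES (1,'Ada Lovelace','ada@example.org','+44 20 7946 0000','UK');
INSERT INTO customers VALUES (2,'Alan Turing','alan@example.org','+44 20 7946 0001','UK');
INSERT INTO customers VALUES (3,'Ada Lovelace','ada@example.org','+44 20 7946 0000','UK');
INSERT INTO orders VALUES (1,1,10.0);
INSERT INTO orders VALUES (2,2,25.5);
"""
# Assumed heuristics: column-name hints first, then value patterns checked on every row.
NAME_HINTS = {"name": "name", "email": "email", "phone": "phone"}
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "phone": re.compile(r"^\+?[\d\s\-]{7,}$"),
}

def profile(conn, db_name="sample"):
    """Collect + Identify: walk every table/field, flag personal data, note duplicates."""
    findings = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({table})")]
        rows = conn.execute(f"SELECT * FROM {table}").fetchall()
        for i, col in enumerate(cols):
            values = [r[i] for r in rows if r[i] is not None]
            kind = next((k for hint, k in NAME_HINTS.items() if hint in col.lower()), None)
            if kind is None:  # no name hint: fall back to matching the values themselves
                kind = next((k for k, rx in PATTERNS.items()
                             if values and all(rx.match(str(v)) for v in values)), None)
            if kind:
                findings.append({"db": db_name, "table": table, "field": col, "kind": kind,
                                 "rows": len(values), "duplicates": len(values) - len(set(values))})
    return findings

def classify(finding, high_volume=1000):
    """Classify by nature and volume: direct identifiers and large row counts raise the risk."""
    score = 2 if finding["kind"] in ("email", "phone") else 1
    if finding["rows"] >= high_volume:
        score += 1
    return {1: "low", 2: "medium"}.get(score, "high")

def run_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return profile(conn)
```

Against a real estate the same catalogue would be keyed by connection string rather than the constant `db_name`, and the name hints and patterns extended to the identifiers the organisation actually holds.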
Do you plan a Journey to the Cloud?
Cloud services provide better security than many on-premise infrastructures.
3 topics remain under data owner / controller accountability:
- Governance, Risk & Compliance
- Identity and Access Management
- Information & Data Protection
Two key challenges:
- Internet of Things and connected objects
- Geo-strategy & Sovereignty
[Diagram: the shared responsibility model. The same stack (Applications, Data, Virtualization, Runtime, Middleware, O/S, Servers, Storage, Networking) is shown for On-Premises, Infrastructure (as a Service), Platform (as a Service) and Software (as a Service); each column is split between "Customer manages" and "Cloud supplier manages", and Information and Data Protection, Identity & Access Management and Governance, Risk & Compliance appear on the customer side in every column.]
The type of cloud service drives how shared responsibility is assigned between the Cloud Service Provider and the organisation, while Governance, Risk and Compliance, Identity & Access Management and Information & Data Protection will always be the responsibility of the customer.
Data Protection is a long-term challenge that Capgemini has handled globally since 2014
2014: 2 key Group Initiatives, including Binding Corporate Rules
We release a new survey on “Cybersecurity & Privacy for Financial Institutions”: The Currency of Trust: Why Banks and Insurers Must Make Customer Data Safer and More Secure
Source: Capgemini’s Digital Transformation Institute Cybersecurity and Privacy Survey
[Chart: Strength of data privacy policies vs. strength of security framework, Banking and Insurance. Horizontal axis: Strength of Data Privacy Policies (Low to High); vertical axis: Strength of Security Framework (Low to High). Quadrants: Laggards, Privacy-passives, Security-sloths, Pace-setters. Shares shown: 31%, 20%, 29%, 20%.]
We provide 12 « end to end services » to help our clients to comply with GDPR
Capgemini is a trusted partner from a strategic / tactical / operational perspective
[Diagram: the 12 services are laid out on a Strategic-to-Operational axis under three headings: Organize, Protect and Monitor.]
The 12 services:
- Data Protection Maturity Assessment & Roadmap
- Privacy Impact Assessment
- Organization Transformation & Professionalization
- Awareness & Change Management
- Compliance Tracking
- Data Discovery
- Data Automatic Classification
- Data & Data Base Security * (+ Anonymization)
- IAM Fast Track
- IDaaS
- Data Leak Prevention
- SOC & SOCaaS
* Incl. Key Management System
Data Privacy & Protection is at the heart of our internal CySIP program
Be Secure
- Protect digital assets within Capgemini
- Protect the personal data of Capgemini employees and customers
- Secure our delivery to clients
Be Trusted
- Comply with the law
- Provide solid cyber security and data privacy solutions to our clients
Win More
- Become a leader in Cyber Security and Data Privacy by being exemplary within our organization
- Provide best-in-class cybersecurity, alongside technology solutions
The CySIP Program aims at leveraging the Capgemini Cybersecurity Unit to protect Capgemini’s digital assets and reputation; to secure delivery management; and to develop business.
[Diagram labels: BUSINESS, RISK, COMPLIANCE]
Takeaways: 2017-2018 Challenges
The last stretch: Data Privacy / Protection Transformation Program
- Make sure a proper Data Protection Governance is in place, including a Data Protection Officer when required, working with the CISO and the DRO (1)
- Establish accountability (Controller and Processor) for Personal Data Processing
- Implement encryption and enhance IAM within databases
- Translate GDPR to make it understandable to:
  IT staff: developers, architects, project managers, etc.
  Business lines (Marketing, Sales, Supply chain, etc.) and central functions (HR, Purchasing, etc.)
  Cloud services stakeholders
- On a case by case basis, prepare or develop a « DLP (2) » initiative:
  Shadow IT controls
  Threat hunting
  Deep / Dark Web monitoring
- Implement a « security AND privacy by design » process:
  Set up or revise privacy impact assessment procedures and privacy-by-design methods
  Handle increased requirements for security of processing, taking into account the risk profile of the data processed (pseudonymisation in particular)
  Think about a specific « Design Authority » (decision making body) for critical processes
(1) Digital Risk Officer – (2) Data Leak Prevention
Takeaways: Data and People are structuring Digital Risk Management
Takeaways: Privacy vs Security is still a challenge…
« Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety. »
Benjamin Franklin – 1705 - 1790