CWIN17 telford gdpr or how to eat the elephant a bit at a time - andy powell
- 1. GDPR or ‘How to Eat the Elephant a bit at a time’!
Andy Powell
VP UK Cybersecurity
Sep 17
- 2. Copyright © Capgemini 2014. All Rights Reserved
Owned by Capgemini/Andy Powell (28 Mar 17) – This DOES NOT constitute any form of legal or legally binding advice
This is NOT an Elephant?! It is in fact a vaguely purple Octopus!
- 3.
Worried about GDPR, but not sure why? How to eat the GDPR Elephant a bit at a time!
Andy Powell will …
• Simplify what GDPR really means and outline an Enterprise approach – so that even the CFO gets it!
• Explain the Threat – without hype – and why the Threat is not just from ‘Hackers’ but also in other forms!
• Explain how the Enterprise-wide principles of ‘Build, Watch, Proact and React’, as practised in Medieval Warfare, and viewed through the lens of data management and Cybersecurity, will help you be ready!
There is NO silver bullet to dispatch the GDPR Elephant, just good old-fashioned common sense, prioritisation of effort and a balanced programme of measures across people, process and tools!!
- 4.
The GDPR Octopus
Tentacles: Transparency, Accountability, Governance, Consent, Rights, Safeguards, Data Management, Legal/Contracts, Breach Reporting, Security
‘ACCOUNTABILITY’
• Appoint DPO
• Controllers/Processors
• 3rd Parties
• External to EU
• Understand Exclusions
• Etc......
Rights of:
• Being Informed
• Access
• Rectification
• Erasure
• Restrict Processing
• Data Portability
• Objection
• Automated Processing
Audit ‘HOW’
• Legacy
• GDPR by Design
• ‘Show Workings’
• PIA
The ‘WHO’ owns -
• Board OWN
• Plus Enterprise-wide Responsibility NOT Security/CIO
Definition of Private Data
In-built e.g. Encryption, Access etc.
And Security Controls e.g. Review SANS/CSC 20 v GDPR and adjust
Data: Discovery, Analytics, Store/Access/Dispose etc.
- 5.
Some Quotes….!
‘… to correct the scaremongering and misunderstanding, we will not be looking to make early examples to make a point on GDPR Compliance….’
Elizabeth Denham, ICO
“The Government’s recent Cyber Risk Survey found that whilst 69 per cent of businesses say their senior management consider cyber security is a very or fairly high priority for their organisation only half of businesses have actually taken recommended actions to identify cyber risks.” ICO
“I want organisations to think to themselves: ‘we base our online user experience around what consumers want. We shape our products and services around what consumers want. We need to shape our data protection approach around what consumers expect’.” ICO
“To meet the challenges I’ve described, we need to move from a mindset of compliance to a mindset of commitment: commitment to managing data sensitively and ethically.” ICO
‘…the Vendor/Supplier base is over hyping the Cyber Risk and GDPR impact to panic Business into investing in products and solutions they do not need….’
NCSC Leadership
- 6.
The GDPR ‘Threat(s)’!
GDPR ‘Threats’
• ‘Hackers’
• Internal Readiness/Complacency
• External/Legal Rights - Clients/Customers
Why?
• Personal Data has value
• Identity is the ‘new boundary’
• Rights awareness.
Who?
• Criminals – organised to various degrees?!
• Employees and Clients/Customers
• Lawyers - ‘There is money to be made by helping’!
Likely Impact on Business
• Positive – ‘FINALLY! EXPLOIT YOUR DATA FOR BUSINESS ADVANTAGE’!
• Negative – ‘FAIL TO PROTECT YOUR DATA – LOSE BRAND, SHAREHOLDER CONFIDENCE, CLIENTS and YOUR JOB’!
- 7.
Countering the Threat – ‘a truly Medieval Approach’
BUILD
Create a Keep (for precious things) and build security into your Castle (NOT just walls, but small rooms and staircases to contain the threat once inside (it will get in!))
• Locate and Track Precious Data
• Segment Architecture
• Target Security Controls
• Think Resilience
WATCH
Constant Reconnaissance, outside and inside the walls
• Sentries Looking Out and In
• Understand the Threat
• Impact of Change!
• Adjust your Defence posture constantly
PROACT
Be proactive and unpredictable
• Deny the enemy cover (Access Management)
• Slow their advance (Cyber Hygiene)
• Change where and when you patrol (Audits, Patching etc.)
REACT
Be prepared to act!
• Be Prepared to Deal with a Breach
• Tried and Tested Consent and Access Process
• Test and Adjust
Think laterally and like a human! CxO!
- 8.
Build (1)
Think Data Life Cycle Management from the start and Design to support Secure but Ready Access
• Understand Where Your Data is and How it Flows
• Compartment your Network and Data via Hard and Soft Means
• Build Resilience into your Components and Links
• Build to Change
• Instrument
“Think laterally and indirectly: how could someone navigate through this and get at something vital, for good or bad!”
- 9.
Watch (2)
The key to Data Management and Security is constantly watching and adapting your data processes and security
• Strategic and Specific Intelligence
• Internal Threat Management
  • People
  • Data Flow
  • Patterns
• External Threat Management
• Recruit, Train and Retain
  • Users
  • Data managers
  • Security
  • Network
“Intelligence-led, human in the loop, all process harnessed to manage the data for effect, securely”
- 10.
Proact (3)
The 7 Ps! There is NO silver bullet. A combination of Training, Awareness, Governance and Process, underpinned by Tools!
• People
  • Select, Train and Test
  • Awareness
• Process
  • Governance
  • Consent
  • Access
  • Audit
  • Change Management
• Tools
  • Patch
  • Run VM
  • Data
“Mitigate the Threat by Preparation – Good Data Management and Cyber Hygiene is cheap!”
- 11.
React (4)
Be Decisive, Meet Obligations, Be Ready for Changes, and Practise!
• To Access Requests and Consent Changes
• To Events and Breaches
  • Stop it and Immediate Forensics!
  • External – Client, Media, Peers, Authority
  • Internal – Lessons, Implement and Sustain
  • Share – Intelligence with Peers and Authority
  • Compliance/Mandate – Legal obligations
- 12.
Synopsis, Bio & Picture
Andy Powell - VP Cyber Security - Capgemini
About Andy
Andy is Vice-President (VP) for UK Cybersecurity at Capgemini with over 30 years’ experience in Defence and Security roles and recent senior leadership roles as CIO and CISO for the Royal Air Force, Joint Operations and as head of the Ministry of Defence’s Cyber Defence Operations and Network Operations. As VP for UK Cybersecurity at Capgemini, Andy leads a business that covers all Sectors from Public to Energy and Utilities, and including Consumer, Private Sector and Finance – delivering a broad range of Consulting, Project and Managed Cyber Services. A Systems and Electronic Warfare engineer by training, he describes Cyber as ‘the constant battle of wits between attacker and defender where people, process and technology must converge to enable the business!’
Andy.powell@capgemini.com
07891151835