What measures your organisation needs to have in before GDPR

CT’s Technical Director, Chris Barr, shares his GDPR Checklist – what measures your organisation needs to have in place.

The new EU General Data Protection Regulation (GDPR) is coming into effect in a month’s time. GDPR affects absolutely every company, which is dealing with the processing of personal data in its everyday business – be it the clients’ data or even the data of its own employees. In a nutshell, personal data needs to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Chris takes a closer look at the questions your organisation needs to be asking itself to ensure you are getting your GDPR compliance measures in place.

Are you required to use complex passwords and change them on a regular basis?

Why: Simple passwords don’t provide sufficient protection against a brute force dictionary-based attack. Changing passwords on a regular basis reduces the time of exposure to compromised passwords. An account lockout threshold should also be configured to lockout accounts after multiple failed login attempts. Users should be advised on the organisation’s password policy to avoid bad habits such as writing down or sharing passwords that would put the organisation at risk of a security breach.

How do you ensure remote access to your IT infrastructure is limited to authorised employees?

Why:  Opening up a private network for external access creates an inherent risk. Reducing the “surface area” by limiting remote access to only the user accounts that require it (and also by time where possible) works to provide an effective way of reducing the number of user accounts that could potentially be used to breach security measures.

Do you have a disaster recovery plan? Has it been tested?

Why: The GDPR requires, “The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”. This is of particular importance to organisations where a delay in the restoration of service would cause an immediate impact to individuals (such as healthcare environments). All organisations should consider the impact of a disaster event in general, even if personal data would not be affected, as a disruption to other business processes could have a significant impact.

Are mobile devices encrypted?

Mobile devices can be used to access company information such as email accounts which usually involves storing a copy of the user’s mailbox on the mobile device. Should the user send or receive personal data this would then end up being stored on the device and require encryption to prevent it from being accessed by unauthorised users. The loss of an un-encrypted mobile device containing personal data would need to be reported to the ICO. It is easy to encrypt most mobile devices, for example on an Apple device check in the passcode menu if “Data protection is enabled”.

Is role based access defined and implemented (e.g. HR, sales)?

Why: The ISO advises “Each user should use an account that has permissions appropriate to the job they are carrying out at the time.” Allowing users more permissions than required presents a risk from an internal security breach, or an external security breach should their account become compromised.

Do you have a guest wireless network? Is this separate from your corporate network?

Devices not issued by the organisation are unknown in terms of AV protection and patch levels. They could also have malware infections.  Allowing such devices to join the organisation’s private network could present a significant risk as firewalls are bypassed. Most business grade wireless access points have the ability to broadcast additional networks that are separated from the organisation’s private network, such as a guest wireless network.

Is internet access filtered to prevent users from accessing inappropriate and illegal websites?

Why: The ICO advises “An internet gateway can prevent users within your organisation from accessing websites or other online services that present a threat, or that you do not trust”. Users can be tricked into volunteering information to, or downloading malware from websites. Users should be prevented from inadvertently accessing such websites.

Do you send personal data electronically outside your organisation? Consider email.

Why: The ICO advises “Many data breaches arise from the theft or loss of a device, (eg laptop, mobile phone or USB drive) but you should also consider the security surrounding any data you send by email or post.” If personal data needs to be sent outside of the network it should be encrypted to prevent a 3rd party from being able to intercept and view the data. Many solutions are now available to facilitate encrypting data.

Do you know where all your data is located? Consider hosted services.

Why: The ICO advises “The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.” There are conditions for transferring data outside of the EU. Most major cloud services offer EU based data centre locations to facilitate compliance with this particular restriction. The data stored on cloud services still remains the responsibility of the organisation consuming the cloud service, for example, Microsoft advises, “With Office 365, it’s your data. You own it. You control it. And it is yours to take with you if you decide to leave the service.” – Moving the data to their infrastructure doesn’t remove the traditional requirements for protecting it with a backup. There are now many solutions to facilitate keeping a separate copy of the data stored on cloud services.

What is your backup retention policy?

Why: The ICO advises “You need to have a robust data backup strategy in place to protect against disasters but also malware, such as ransomware” and that an organisation should protect against “accidental loss, destruction or damage” of data.  A retention policy needs to take into account situations such as holiday periods.  For example, should a ransomware attack take place over Christmas, a short retention period for an online backup service may not be sufficient to prevent all the backup data from also being encrypted.  Long-term retention needs to be considered to provide protection for when the damage of data may not be detected for an extended period of time.  CT recommend a 14-day retention for daily backups and a 6-month retention for monthly backups.

Are your backups isolated from your production infrastructure?

Why: The ICO advises “Back-ups should not be stored in a way that makes them permanently visible to the rest of the network. If they are, then they can be encrypted by malware or the files accidentally deleted. At least one of your back-ups should be off-site.” The industry standard 3-2-1 rule of best practice advises; 3 copies of the data, on 2 different types of media with 1 off-site (and off-network).  This method has provided the most consistent level of protection against traditional risks such as hardware failure and newer security threats such as ransomware.

If there was a data breach how would you gather evidence?

Why: Should a breach occur, it’s essential to understand how and when the breach happened, information such as the user account(s) used and from where the breach originated.