GDPR is forcing companies around the world to revisit and revise how they manage and protect data in today’s interconnected cyber landscape. A recent PwC survey found over half of U.S. multinationals say GDPR is their top data-protection priority.
DATA PRIVACY IS A BUSINESS RISK
“We used to live in a world where executives ran the business, IT ran the infrastructure, security set the perimeter, and compliance made the rules, but regulations like GDPR are breaking down those old walls,” said Rohit Ghai, President, RSA. “GDPR translates cyber risk to a bottom-line business issue, which completely changes how businesses view their customers’ data.”
RSA offers a combination of products and services across these domains, including two new use cases in the market leading RSA® Archer® Suite:
· The RSA Archer Data Governance use case is designed to assist organizations in better documenting data governance requirements to improve support for data-centric regulations, such as HIPAA, GLBA and GDPR. - The RSA Archer Privacy Program Management use case is designed to enable organizations to holistically manage privacy programs and align processes with regulations, including privacy assessments and regulatory case tracking.
Ultimately, GDPR is not just a Governance, Risk and Compliance (GRC) issue. GDPR spans the full enterprise and forces companies to adopt a healthier privacy and security risk posture in four critical areas: Risk Assessment, Breach Readiness, Data Governance, and Compliance Management.
RISK ASSESMENT: UNDERSTANDING YOUR CYBER AND BUSINESS RISK
GDPR Article 32 outlines elements of a security risk assessment process to ensure the appropriate design and implementation of controls. An effective risk assessment process helps accelerate the identification of the linkage between risks and internal controls, potentially reduce the GDPR compliance gaps and improve risk mitigation strategies, while also giving companies a game plan for improving their cyber posture.
The RSA Archer Suite is designed to empower organizations to manage multiple dimensions of risk with solutions built on industry standards and best practices on one configurable, integrated software platform. Other use cases that can help support critical GDPR related processes include: - RSA Archer Security Incident Management helps enable processes to address the flood of security alerts and implement a managed process to escalate, investigate and resolve security incidents.
- RSA Archer Security Operations and Breach Management helps extend the security incident process by adding workflow for data breaches and management of the overall security operations team.
- RSA Archer Issues Management helps organizations manage issues generated from risk and control assessments and audits.
- RSA Archer IT Risk Management helps accelerate the identification of IT risks related to GDPR compliance and improves an organization’s risk mitigation strategies.
- RSA Archer IT & Security Policy Program Management provides the framework to help organizations establish a scalable and flexible environment to document and manage an organization’s policies and procedures to help comply with the GRPR.
- RSA Archer IT Controls Assurance provides a framework and taxonomy to assist organizations by systematically documenting the GDPR control universe, enabling organizations to assess and report on the performance of controls at business hierarchy and business process levels.
- RSA Archer Third Party Catalog assists in documenting third party relationships, engagements and associated contracts to identify help track external parties related to GDPR.
BREACH RESPONSE: RESPONDING REQUIRES VISIBILITY
Article 33 of the GDPR regulation outlines specific requirements for notification of a personal data breach to the supervisory authority, which makes having a full understanding of the details of a data breach paramount. The goal of any security team is to prevent these kinds of breaches, but breaches can still occur. As a result, many data protection requirements focus on breach response and reporting.
Additionally, GDPR requires notification to regulators, generally within 72 hours of becoming aware of an actual breach. Released earlier this summer, the newest edition of RSA NetWitness® Suite is designed to scan your entire infrastructure for indications of an attack, and uses behavioral analysis and machine learning to help better understand the scope and nature of a breach with improved visibility into the attack sequence, enabling faster notification.
DATA GOVERNANCE MEANS IDENTITY MANAGEMENT
Another critical element of GDPR compliance is controlling who has access to personal data. Organizations must protect personal data in a number of different ways, and must be able to demonstrate accountability in keeping accurate records of processing activities, including the categories of personal data processed, the purposes of processing, transfers to third countries outside of the European Economic Area, and the relevant technical and organizational security measures.
The RSA SecurID® Suite, including RSA SecurID® Access and RSA® Identity Governance and Lifecycle, is designed to enable organizations of all size and maturity to minimize identity risk and deliver convenient and secure access to their modern workforce. By leveraging risk analytics and context-based awareness, RSA SecurID Suite helps ensure the right individuals have the right access, from anywhere and any device. These products can play a critical role in addressing the fundamental need for identity and access assurance.
PROGRAM MANAGEMENT: COMPLIANCE IS NOT A DESTINATION
Compliance program management establishes a scalable and flexible environment to document and manage an organization’s relevant privacy policy and/or GDPR related procedures, standards and controls. However, being GDPR compliant, just like having a “secure” enterprise can change from moment to moment and is a moving target for businesses.
The RSA Risk and Cyber Security Practice offers a range of strategic services designed to help customers develop a business-driven security posture, build an advanced security operations center and revitalize their GRC program. To complement a robust product offering, RSA also provides implementation and post-implementation support so customers can maximize their existing investment in RSA products. - The RSA Risk Management Practice delivers strategic consulting services to help optimize an organization’s GRC program. It also offers staff augmentation and support services to help plan, implement, deploy and upgrade RSA products and services, including the RSA Archer Suite.
- The RSA Advanced Cyber Defense Practice helps security organizations develop the processes, procedures, workflows and automation that enable prompt, decisive response to data breaches and other cyber incidents.
- The RSA Incident Response Practice helps organizations respond to security breaches as they prepare to meet new 72-hour notification requirements of GDPR.
- The RSA Identity Assurance Practice helps organizations plan and implement comprehensive programs for managing access to GDPR-relevant data. With knowledge of who has access to what, organizations can make more informed access decisions, better identify risky activity, and meet compliance mandates.
With an organized, managed process to escalate issues identified during control testing, organizations get visibility into risks and can address the risks in a timely manner. Organizations will see quicker reaction to emerging issues, create a more proactive and resilient environment, and reduce the churn in driving accountability towards GDPR compliance.