AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt
Search in comments
Filter by Custom Post Type
Posts

Aligning Network Security with GDPR

by

In May this year, the EU began enforcing the General Data Protection Regulation (GDPR) with the aim of protecting the personally identifiable information of EU citizens. It applies to any organization that is based within or operates in the EU – any organization with operations, customers, suppliers or partners within the EU is liable.

As you’ll no doubt be aware, an organization found to be in breach of the regulation (for example, by failing to adequately safeguard customer data against a breach, or to report it to their supervisory authority within 48 hours) can face heavy fines: up to 20 million euros or 4% of annual turnover, whichever is the greater. With the stakes so high, it is critical that businesses ensure that their processes across the entire organization comply with the regulation – including network security.

Where GDPR meets network security

Three of the articles contained within GDPR are directly related to network security:

  • Article 32 mandates that data controllers and processors implement appropriate technical and organizational measures to ensure a level of security that is appropriate to the level of risk
  • Article 35 requires organizations to conduct data protection impact assessments (DPIA)
  • Article 83 requires data controllers and processors to evaluate the inherent risks in the processing of data and then implement risk mitigation measures.

However, while GDPR sets out these standards that relate to network security, as of yet, the EU has not provided an approved implementation framework or reporting structure. As a result, there are no official or industry guidelines for how GDPR compliance audits should be conducted, nor is there any indication of specific steps that organizations need to follow to prepare for an audit following a breach.

Against this backdrop, it is incredibly challenging for organizations to know what constitutes ‘best practice’ when it comes to ensuring that their network security processes are compliant with GDPR. Typically, new regulations rely on implementation frameworks that are already utilized by other verticals and we can use such guidance here.

Standards cross-over

In the case of GDPR, the most relevant standard that is already widely adopted is ISO 20071. ISO 27001 covers many security best practices without specifying the type of information that needs to be protected. Furthermore, it requires organizations to implement measures that would equally apply to GDPR. As such, as an initial baseline for demonstrating GDPR compliance, AlgoSec recommends following the ISO 20071 network security standards and reporting frameworks.

Aligning network security with GDPR

Beyond looking to the ISO 20071 framework as a guide, companies can also find an easier path to compliance by using network security policy automation. For example, we have added out-of-the-box GDPR support in the latest version of our network security policy management, 2018.1.

At the click of a button, AlgoSec users can generate GDPR compliance reports for all applicable network security, obtaining an up-to-date, accurate snapshot of the organization’s compliance status. Security teams can immediately pinpoint gaps in compliance and get actionable recommendations for remediation, and proactively assess GDPR risk and compliance for every firewall rule change. Going well beyond continuous compliance, this feature also delivers a full GDPR-ready audit trail for every change.

Given the high cost of failing to meet the standards laid out in GDPR, it’s critical that organizations take the necessary steps to comply. By utilizing AlgoSec, organizations can automatically align network security with key articles in GDPR, while automatically generating the audit trail they need to demonstrate compliance – reducing the risk of incurring penalties in the event of a breach.

For more details on how AlgoSec can help address your GDPR compliance requirements click here.

Subscribe to Blog

Receive notifications of new posts by email.