Practical Suggestions for EU CISOs From the Authorities
If you worry about a data breach (and who doesn’t?), you might be wondering how a CISO can prepare to face the authorities.
Privacy and data breaches go hand in hand. We have all been bombarded with information around GDPR and similar regulations. As with all requirements, the key issue is how to prepare, and what the regulators will find acceptable.
This is becoming increasingly significant in the EU as privacy becomes more of a consumer concern, and lawyers become more aware of the opportunity a breach provides. As an observation, listening to the UK Information Commissioner giving evidence on online harm and disinformation to a Parliamentary committee this week, one interesting fact that came to light was that the regulator had recently increased their team by 85%. They are taking this seriously.
As if lawyers and regulators weren’t enough, we are also dealing with the constant emphasis on digital transformation, the disappearance of the perimeter and decreasing visibility across our assets. Businesses will want to move even faster and with greater flexibility. A perfect storm.
How To Prepare for Compliance
It is therefore very useful to have a viewpoint based on multiple use cases of how an organisation should prepare or at least prioritise in their planning.
The European Data Protection Board (“EDPB”) has just released draft guidelines on “Examples Regarding a Breach Notification.”
What is helpful is that they are based on use cases and provide a set of basic comments on standards and response capability.
There are 18 cases discussed. The EDPB use cases cover a range of scenarios such as ransomware, data exfiltration, human error, social engineering and lost devices. At a high level, each case follows the same structure: case, description, prior measures, mitigation and obligations, followed by a simple table of the actions required. So not detailed — but a useful view as to future expectations.
The guidelines are out for comment so others are encouraged to submit their views and observations.
This is certainly worth a look to help CISOs prepare, and may well be useful when communicating the security story internally to other stakeholders, or simply as a check on what security capabilities are already in place.