From 6a4350287f08dcb21a2aa0532dda14375b7f0c9f Mon Sep 17 00:00:00 2001 From: Ann-Marie Grace Date: Sat, 17 Jun 2017 16:59:42 +0100 Subject: [PATCH 1/2] Update GDPR-letter.md --- Outcomes/CISO/GDPR-letter.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/Outcomes/CISO/GDPR-letter.md b/Outcomes/CISO/GDPR-letter.md index 5b8a87465..0e16b5390 100644 --- a/Outcomes/CISO/GDPR-letter.md +++ b/Outcomes/CISO/GDPR-letter.md @@ -6,9 +6,6 @@ title : GDPR and DPO AppSec implications ### Synopsis and takeaways - -## Questions - **PII** - In the event of a data breach when the IP address is an Indicator of Compromise (IOC), and that IP address is not specifically tied to a user, is it still considered PII? @@ -38,7 +35,7 @@ Example Scenario: an organisation uses a free tier (or educational/charitable) v - Should security be mandatory on Wi-Fi networks? - What type of evidence is required in the event of a data breach to prove due diligence (process vs. pentest reports)? - Subjects rights - The right to be forgotten. + - The right to be forgotten. - Are data backups in scope? - What if the data backup is the source of the breach? @@ -68,7 +65,7 @@ You must notify the ICO of a breach only where it is likely to result in a risk - Do you need consent to record an IP Address? - What is “legitimate business context”? -As an IP address is not necessary unique to a person, at what point does it become PII? See the following scenarios: +As an IP address is not necessarily unique to a person, at what point does it become PII? See the following scenarios: - IP address - IP address from known Proxy / TOR / UPA, etc. From d1d0311818496bdedcf93476f32f75a30af103aa Mon Sep 17 00:00:00 2001 From: Ann-Marie Grace Date: Thu, 22 Jun 2017 09:49:42 +0100 Subject: [PATCH 2/2] Update GDPR-letter.md --- Outcomes/CISO/GDPR-letter.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) 
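Review bot: in the first hunk of PATCH 1/2 (`@@ -6,9 +6,6 @@`), deleting the `## Questions` heading leaves `### Synopsis and takeaways` sitting directly above a list that contains only open questions and no synopsis or takeaways; either rename that heading to reflect what follows or keep a heading that signals these are questions.

Review bot: in the second hunk of PATCH 1/2 (`@@ -38,7 +35,7 @@`), the indentation fix for `- The right to be forgotten.` is correct, but the parent line `- Subjects rights` that it now nests under needs an apostrophe (`Subjects' rights`) and is the only list item written as a label rather than a question; a trailing colon would make the nesting read naturally.

Review bot: in the third hunk of PATCH 1/2 (`@@ -68,7 +65,7 @@`), the change of "necessary" to "necessarily" is right; while touching this list, the context line `- IP address from known Proxy / TOR / UPA, etc.` should spell the network as "Tor" (it is a name, not an acronym), and "UPA" is not expanded anywhere in the visible text, so define it on first use.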
diff --git a/Outcomes/CISO/GDPR-letter.md b/Outcomes/CISO/GDPR-letter.md index 0e16b5390..42c6f6cb7 100644 --- a/Outcomes/CISO/GDPR-letter.md +++ b/Outcomes/CISO/GDPR-letter.md @@ -6,12 +6,12 @@ title : GDPR and DPO AppSec implications ### Synopsis and takeaways -**PII** +#### PII - In the event of a data breach when the IP address is an Indicator of Compromise (IOC), and that IP address is not specifically tied to a user, is it still considered PII? - If a third party provides a component of your product, do you need to anonymize/encrypt PII data? If so, how, and What are the approved methods? -**Supplier responsibility** +#### Supplier responsibility Example Scenario: an organisation uses a free tier (or educational/charitable) version of Google Docs (or any other SaaS) for storing lists of customers/benefactors. In this scenario: - Is Google considered a processor? @@ -24,12 +24,12 @@ Example Scenario: an organisation uses a free tier (or educational/charitable) v - Browser fingerprinting, URLs visited, etc., clearly fall under the definition of “personal data” (Article 4 - 1) and “profiling” (Article 4 - 4) - If you are using a cloud provider and they state that the server side is encrypted, is that enough? End-to-end (client side also) vs. server side encryption? -**Definitions** +#### Definitions - What types of company are required to have a DPO? - How do we quantify what a breach actually is? -**Operational Questions** +#### Operational Questions - Transfer of data (e.g., when accessing a free Wi-Fi, should a default routed VPN be used when accessing customer data)? - Should security be mandatory on Wi-Fi networks? 
@@ -39,7 +39,7 @@ Example Scenario: an organisation uses a free tier (or educational/charitable) v - Are data backups in scope? - What if the data backup is the source of the breach? -**Data Breach Notification** +#### Data Breach Notification You must notify the ICO of a breach only where it is likely to result in a risk to the rights and freedoms of individuals – for example, if it could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage. @@ -51,7 +51,7 @@ You must notify the ICO of a breach only where it is likely to result in a risk - Is this another PCI DSS scenario where the offending party must pay for expensive consultants to come in and tell the offender how to put things right? - Can this be the penalty rather than a fine? -**ICO** +#### ICO - Are external parties required to report (responsible disclosure) ICO notification following the discovery of a vulnerability that resulted in the extraction of personal data that potentially is being exploited by malicious parties? - In the event of vulnerability discovery, how is the magnitude and sensitivity of personal data disclosure determined; what dictates disclosure to the ICO or regulator? @@ -59,7 +59,7 @@ You must notify the ICO of a breach only where it is likely to result in a risk - Must the compliance documentation (risk assessment) be available to the ICO prior to any breach or only after an incident? - How is commercially sensitive information made available? Can it be published to all? (ED, clarify) -**IP Address** +#### IP Address - Is an IP Address on its own PII? - Do you need consent to record an IP Address? 
@@ -75,32 +75,32 @@ As an IP address is not necessarily unique to a person, at what point does it be - IP address and browser type (footprint) - IP address and MAC address -**Impact assessments** +#### Impact assessments - Is an impact assessment a part of your actual cyber hygiene regime and overall cyber risk assessment? - Once legislation is enacted, is an impact assessment (or any changes made to systems/infrastructure since the enactment) retrospective? Does it cover existing infrastructure, systems, and applications? -**Personal data** +#### Personal data - What happens to personal data deletion requests, does this apply to backups and archiving? - What about off-site archived data? - What happens when archived personal data is restored following a denial of service attack? - Is the data holder responsible for deleting from all locations? -**Consent** +#### Consent - How long is consent valid? - Do we need consent management in our application design or data models? -**Education** +#### Education - Who should be responsible for GDPR education initiatives? - Technical Leads - Legal Leads - Data Owners -**Pseudonymisation** +#### Pseudonymisation Consider a situation where an organisation hashes personal data (e.g., email address). - Is this still considered personal data even though it is not theoretically reversible?
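Review bot: across PATCH 2/2 the move from `**bold**` to `####` headings nests correctly under the existing `### Synopsis and takeaways`, but the new headings mix capitalisation styles: `#### Data Breach Notification` and `#### Operational Questions` are Title Case while `#### Supplier responsibility`, `#### Impact assessments` and `#### Personal data` are sentence case; pick one (sentence case matches the existing `###` heading) and apply it to all of them in this patch.

Review bot: in the hunk `@@ -59,7 +59,7 @@` the unchanged context line `- How is commercially sensitive information made available? Can it be published to all? (ED, clarify)` still carries an editorial marker that will ship in the rendered page; resolve the wording or move the marker into an issue before merging.

Review bot: in the last hunk (`@@ -75,32 +75,32 @@`) the retitled Pseudonymisation section asks whether a hashed email address is still personal data "even though it is not theoretically reversible"; that premise is misleading, because an email address has a small, guessable input space and an unsalted hash of it can be matched back to the address by hashing candidate addresses, so the question should be reworded to say the hash cannot be inverted directly, and the answer should note that hashing used this way is pseudonymisation, which the regulation treats as still personal data.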