Tuesday, September 17, 2019

SIEM and General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) was approved by the EU Parliament on April 14, 2016 and became enforceable on May 25, 2018. Any organization not compliant with GDPR faces heavy fines.

GDPR Overview
  • Objective
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It was designed to protect data privacy across Europe: the aim of GDPR is to protect all EU citizens from privacy and data breaches. It applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company's location.
  • Penalties
Breach of GDPR can be fined up to 4% of annual global turnover or EUR 20 million (whichever is greater). Note that this is the maximum fine, reserved for the most serious infringements.


What counts as a serious infringement?
Examples include not having sufficient customer consent to process data or violating the core of the Privacy by Design concepts.

However, fines are tiered. For example, a company can be fined 2% for not having its records in order (article 28), for not notifying the supervising authority and the data subject about a breach, or for not conducting an impact assessment.

It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.
  • Data Subject Rights
Breach Notification
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”.
Notification: within 72 hours of first having become aware of the breach.

Right to Access
Right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.

Right to be Forgotten
The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

Data Portability
GDPR introduces data portability: the right for a data subject to receive the personal data concerning them, which they have previously provided, in a 'commonly used and machine-readable format', and the right to transmit that data to another controller.

Privacy by Design
Privacy by design calls for data protection to be built in from the start of system design, rather than added afterwards.

Data Protection Officers
  • Must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices
  • May be a staff member or an external service provider
  • Contact details must be provided to the relevant DPA
  • Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
  • Must report directly to the highest level of management
  • Must not carry out any other tasks that could result in a conflict of interest

How to monitor GDPR compliance using a SIEM?
You may already be using a SIEM solution to monitor all events. The question to ponder is how to ensure timely notification of any event that might indicate a breach or another matter of concern. The things to monitor can be summarized as follows.

Overview of your system in general
  1. All active user objects
  2. All deactivated user objects
  3. All Organizational Units
  4. All groups and Group Policies
  5. The types of devices in use, e.g. directory devices, active devices, Microsoft devices, non-Microsoft devices, domain controllers, deactivated devices, active servers
  6. Active Directory group types, e.g. global group, universal group
Details of User Activities in Active Directory
  1. Members added to and removed from groups
  2. The user responsible for any change that occurs in your infrastructure
  3. Affected classes and attributes
  4. All successful and failed authentication attempts across different devices
  5. Successful and failed network access
  6. Locked and unlocked user statistics
  7. Users who failed authentication and the reasons for the failures
  8. Any update (change, add, delete, etc.) to your infrastructure: audit, authentication and authorization policy changes
Details of File System Activities
  1. Who accessed which files and folders (successful and failed file access)?
  2. Who accessed critical files and folders?
  3. Who copied which files to cloud applications such as Dropbox, Google Drive or OneDrive?
  4. Who copied which files to removable storage (USB devices)?
Details of Mobile Devices and Activities
  1. What kinds of mobile devices are being used, and by whom?
  2. Is a user trying to ActiveSync any files or data? What is the status of ActiveSync?
  3. What are the statistics of successful and failed authentication?
Details of the Location of your data
  • Where is your data located, nationally and internationally?
Details of Database Activities
  • Types of databases in your organization
  • What types of actions are performed in the databases?
  • Users involved in database activities
  • Were the access and the action authorized?
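The Active Directory items above (failed authentications and their reasons, lockout statistics, members added to groups) are exactly the kind of correlation a SIEM rule performs. The following is an added example, not code from the original post or from any SIEM product: it runs toy detection logic over a handful of constructed, already-normalized audit events. The event schema (fields ts, kind, user, host, outcome, reason, action, group, actor), the set of groups treated as privileged, and the failure threshold and window are all assumptions standing in for whatever a real SIEM would normalize Windows Security logs into. The last function turns a detection time into the 72-hour notification deadline the post mentions.

```python
"""Toy SIEM-style correlation over constructed, normalized AD audit events."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real logs). Field names are an assumed
# normalized schema; a real SIEM would populate them from Windows Security logs.
EVENTS = [
    {"ts": "2019-09-17T08:00:05Z", "kind": "auth", "user": "alice", "host": "WS01", "outcome": "success", "reason": ""},
    {"ts": "2019-09-17T08:01:10Z", "kind": "auth", "user": "bob", "host": "WS02", "outcome": "failure", "reason": "bad_password"},
    {"ts": "2019-09-17T08:02:40Z", "kind": "auth", "user": "bob", "host": "WS02", "outcome": "failure", "reason": "bad_password"},
    {"ts": "2019-09-17T08:03:15Z", "kind": "auth", "user": "carol", "host": "WS03", "outcome": "failure", "reason": "account_expired"},
    {"ts": "2019-09-17T08:04:02Z", "kind": "auth", "user": "bob", "host": "WS02", "outcome": "failure", "reason": "bad_password"},
    {"ts": "2019-09-17T08:04:30Z", "kind": "lockout", "user": "bob", "host": "DC01"},
    {"ts": "2019-09-17T08:20:00Z", "kind": "auth", "user": "bob", "host": "WS02", "outcome": "failure", "reason": "account_locked"},
    {"ts": "2019-09-17T08:30:00Z", "kind": "group_change", "action": "member_added", "group": "Domain Admins", "user": "eve", "actor": "mallory"},
    {"ts": "2019-09-17T08:31:00Z", "kind": "group_change", "action": "member_added", "group": "Sales", "user": "dave", "actor": "hr-admin"},
    {"ts": "2019-09-17T08:32:00Z", "kind": "group_change", "action": "member_removed", "group": "Domain Admins", "user": "eve", "actor": "mallory"},
]

# Assumptions: which groups the organization treats as privileged, and how many
# failures within what window should raise an alert.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
FAILURE_THRESHOLD = 3
WINDOW = timedelta(minutes=10)


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def failed_auth_by_reason(events):
    """Failed authentications per user, broken down by failure reason."""
    out = defaultdict(Counter)
    for e in events:
        if e["kind"] == "auth" and e["outcome"] == "failure":
            out[e["user"]][e["reason"]] += 1
    return {user: dict(reasons) for user, reasons in out.items()}


def lockout_stats(events):
    """Number of lockout events per user."""
    return dict(Counter(e["user"] for e in events if e["kind"] == "lockout"))


def brute_force_alerts(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Alert once per user when `threshold` failures land inside a sliding `window`."""
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["kind"] != "auth" or e["outcome"] != "failure":
            continue
        t = parse_ts(e["ts"])
        q = recent[e["user"]]
        q.append(t)
        while q and t - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({"user": e["user"], "count": len(q), "first_seen": q[0], "detected": t})
    return alerts


def privileged_group_alerts(events, privileged=PRIVILEGED_GROUPS):
    """Members added to groups, filtered down to the privileged ones."""
    return [e for e in events
            if e["kind"] == "group_change" and e["action"] == "member_added" and e["group"] in privileged]


def notification_deadline(detected):
    """Latest time to notify the supervisory authority: 72 hours after becoming aware."""
    return detected + timedelta(hours=72)


if __name__ == "__main__":
    print("failed auth by reason:", failed_auth_by_reason(EVENTS))
    print("lockouts:", lockout_stats(EVENTS))
    for a in brute_force_alerts(EVENTS):
        print(f"brute-force alert: {a['user']} ({a['count']} failures), "
              f"detected {a['detected'].isoformat()}, notify by {notification_deadline(a['detected']).isoformat()}")
    for e in privileged_group_alerts(EVENTS):
        print(f"privileged group change: {e['actor']} added {e['user']} to {e['group']} at {e['ts']}")
```

The sliding window is what separates a useful rule from a noisy one: bob's fourth failure at 08:20 arrives after his earlier failures have expired from the ten-minute window, so it does not re-fire the alert, while the single lockout and the reason breakdown (three bad passwords, then one attempt against a locked account) remain visible in the statistics. The membership removal at 08:32 is deliberately not flagged by the privileged-group rule, which only reports additions; a real deployment would usually report both.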
