Assessing the impact of security services
Andrew Cormack
chief regulatory adviser, Jisc technologies, Jisc.
Why assess DP impact?
Legal requirement?
•GDPR Art.35 Data Protection Impact Assessment (DPIA)
•“if likely to result in a high risk to the rights and freedoms of natural persons”
Regulator recommendation?
•ICO Legitimate Interests Assessment (LIA)
•“if relying on legitimate interests”
But mostly…
To reassure us, members, customers and
users that we’re creating privacy/security
benefits, not risks!
Factors likely to require DPIA (Art29WP/EDPB)
Match 2 or more => Usually need DPIA
•Evaluation or scoring
•Automated decision-making
•Systematic monitoring
•Sensitive (or highly-personal) data
•Data processed on large scale
•Matching/combining datasets
•Vulnerable data subjects
•Innovative use or new technological/organisational solutions
•Processing prevents data subject exercising right/using service/contract
Jisc security services…
Security operations centre (SOC)
•Large scale
•Applies to all Janet traffic
•Passive monitoring
•Mostly by machine
•Some automation (e.g. DDoS)
=> DPIA
Penetration testing service
•Small scale
•Commissioned by organisation
• Limited scope: systems and people
•Active attacks/social engineering
=> LIA
SOC DPIA
DPIA process
NOT based on ICO guide – it hadn’t been published
•So derive from GDPR text and CNIL (very) detailed approach
•Structured interviews: service managers/operators/DPO + follow-up Q&A
•User consultation
•Annual consultation recently completed, don’t really want another
•ICO (now) suggests cyclic DPIA process
• Consultation apparently before own risk/mitigation assessment?
• Surely more efficient to ask users for issues you didn’t spot?
•So use 1st round DPIA report for 2nd round consultation (~18 months)
ICO DPIA cycle
[Diagram: Identify need → Describe process → Consult? → Necessity and proportionality → Identify risks → Identify controls → Record and sign off → Integrate actions into plan → Review → (back to Identify need)]
DPIA data gathering/reporting
Based on GDPR structure
•Description of operations and purpose
•Controllers, processors, recipients, purpose/legal basis…
•What data, how, where, how long…
•Assessment of necessity and proportionality
•Individual rights/principles fit here too
•Assessment of risks to rights and freedoms (see later)
•Measures to address risks, and demonstrate compliance (see later)
•Conclusions
•Are risks mitigated? Recommendations
DPIA risk management
Assess impact
•Think processing and data
•Effect of breach/misuse
•On confidentiality/integrity/availability
•Ignoring (for now) cause
•What harm results?
•Personal, financial, …
•Rights and freedoms
•Impact: high/medium/low
Manage likelihood
•Think causes
• Internal (accident/malicious)
• External (accident/malicious)
• Environment (accident)
•Think mitigations
• Most of which reduce likelihood
• Some reduce impact too
•How to monitor/maintain compliance?
DPIA conclusions
•All risks mitigated to (well) below high
•Automated processing itself a significant mitigation
•Some new opportunities for controls/monitoring
• See https://ji.sc/SOC-DPIA
Penetration testing LIA
LIA process
Based on ICO light-touch risk assessment…
•Structured interviews with service managers/operators + follow-up Q&A
•What is legitimate interest? [Site improving security of key DP processes]
•Who benefits? How? How much? Ethical/Legal Issues?
•Necessity: any less intrusive way to do it? [No]
•Balance benefits vs harms
•What is relationship with individuals? What is possible impact?
•Will you explain it? Will they object/feel intrusion?
•What safeguards can you provide? Can they opt-out?
LIA conclusions
•Technical pentests have strong safeguards/minimisation
•Social engineering can cause harm to a few individuals
•Targets are in positions of authority/responsibility; significant risks to others
•Organisations must support/explain what was done and why
•And provide guidance, training, etc. so they don’t fall for a real attack
•Organisations must fix vulnerabilities, otherwise no benefit to justify risk!
• See https://ji.sc/PENTEST-LIA
References
• DPIA
• Art.29 https://ji.sc/DPIA-art29
• CNIL https://ji.sc/CNIL-PIA-guides
• [ICO https://ji.sc/ICO-DPIA]
• https://ji.sc/SOC-DPIA
• LIA
• ICO https://ji.sc/ICO-legitimate-interests
• https://ji.sc/PENTEST-LIA
Get in touch…
Except where otherwise noted,
this work is licensed under CC-BY
Andrew Cormack
chief regulatory adviser
Andrew.Cormack@jisc.ac.uk

Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 

Último (20)

Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 

Assessing Impact of Security Services

  • 1. Assessing the impact of security services
    Andrew Cormack, chief regulatory adviser, Jisc technologies, Jisc.
  • 2–4. Why assess DP impact?
    Legal requirement?
      • GDPR Art.35 Data Protection Impact Assessment (DPIA)
      • “if likely to result in a high risk to the rights and freedoms of natural persons”
    Regulator recommendation?
      • ICO Legitimate Interests Assessment (LIA)
      • “if relying on legitimate interests”
  • 5. But mostly… to reassure us, members, customers and users that we’re creating privacy/security benefits, not risks!
  • 6. Factors likely to require DPIA (Art29WP/EDPB). Match 2 or more => usually need DPIA
      • Evaluation or scoring
      • Automated decision-making
      • Systematic monitoring
      • Sensitive (or highly personal) data
      • Data processed on large scale
      • Matching/combining datasets
      • Vulnerable data subjects
      • Innovative use or new technological/organisational solutions
      • Processing prevents data subject exercising right/using service/contract
  • 8–9. Jisc security services…
    Security operations centre (SOC)
      • Large scale
      • Applies to all Janet traffic
      • Passive monitoring
      • Mostly by machine
      • Some automation (e.g. DDoS)
    => DPIA
    Penetration testing service
      • Small scale
      • Commissioned by organisation
      • Limited scope: systems and people
      • Active attacks/social engineering
    => LIA
  • 11–15. DPIA process
    NOT based on ICO guide – it hadn’t been published
      • So derive from GDPR text and CNIL (very) detailed approach
      • Structured interviews: service managers/operators/DPO + follow-up Q&A
      • User consultation
        • Annual consultation recently completed, don’t really want another
        • ICO (now) suggests cyclic DPIA process
          • Consultation apparently before own risk/mitigation assessment?
          • Surely more efficient to ask users for issues you didn’t spot?
        • So use 1st round DPIA report for 2nd round consultation (~18 months)
  • 16. ICO DPIA cycle: identify need → describe process → consult? → necessity and proportionality → identify risks → identify controls → record and sign off → integrate actions into plan → review
  • 17–21. DPIA data gathering/reporting. Based on GDPR structure
      • Description of operations and purpose
        • Controllers, processors, recipients, purpose/legal basis…
        • What data, how, where, how long…
      • Assessment of necessity and proportionality
        • Individual rights/principles fit here too
      • Assessment of risks to rights and freedoms (see later)
      • Measures to address risks, and demonstrate compliance (see later)
      • Conclusions
        • Are risks mitigated? Recommendations
  • 23–27. DPIA risk management
    Assess impact
      • Think data and processing
      • Effect of breach/misuse
        • On confidentiality/integrity/availability
        • Ignoring (for now) cause
      • What harm results?
        • Personal, financial, …
        • Rights and freedoms
      • Impact: high/medium/low
    Manage likelihood
      • Think causes
        • Internal (accident/malicious)
        • External (accident/malicious)
        • Environment (accident)
      • Think mitigations
        • Most of which reduce likelihood
        • Some reduce impact too
      • How to monitor/maintain compliance?
  • 28. DPIA conclusions
      • All risks mitigated to (well) below high
      • Automated processing itself a significant mitigation
      • Some new opportunities for controls/monitoring
      • See https://ji.sc/SOC-DPIA
  • 30–34. LIA process. Based on ICO light-touch risk assessment…
      • Structured interviews with service managers/operators + follow-up Q&A
      • What is the legitimate interest? [Site improving security of key DP processes]
        • Who benefits? How? How much? Ethical/legal issues?
      • Necessity: any less intrusive way to do it? [No]
      • Balance benefits vs harms
        • What is the relationship with individuals? What is the possible impact?
        • Will you explain it? Will they object/feel intrusion?
        • What safeguards can you provide? Can they opt out?
  • 36–39. LIA conclusions
      • Technical pentests have strong safeguards/minimisation
      • Social engineering can cause harm to a few individuals
        • Targets are in positions of authority/responsibility; significant risks to others
        • Organisations must support/explain what was done and why
        • And provide guidance, training, etc. so they don’t fall for a real attack
      • Organisations must fix vulnerabilities, otherwise no benefit to justify risk!
      • See https://ji.sc/PENTEST-LIA
  • 40. References
      • DPIA
        • Art.29 https://ji.sc/DPIA-art29
        • CNIL https://ji.sc/CNIL-PIA-guides
        • [ICO https://ji.sc/ICO-DPIA]
        • https://ji.sc/SOC-DPIA
      • LIA
        • ICO https://ji.sc/ICO-legitimate-interests
        • https://ji.sc/PENTEST-LIA
  • 41. Get in touch… Andrew Cormack, chief regulatory adviser, Andrew.Cormack@jisc.ac.uk. Except where otherwise noted, this work is licensed under CC-BY.

Editor's notes

  1. UK ICO adds Risk of Physical Harm, Tracking, Invisible Processing; deletes large scale, automated decision-making, arguably systematic monitoring (which may be a superset of “tracking”); interestingly the EDPB pushes back against such modifications… Maybe it *is* harmonising?