The most hyped law on data protection finally came into effect on May 25, 2018. Passed by the European Parliament on April 14, 2016, it is already being touted as the most stringent data protection law in the world. Prior to GDPR, the Data Protection Directive of 1995 applied; it now stands repealed. Apart from businesses incorporated in the European Union, GDPR also applies to businesses incorporated outside the European Union that deal with the data of EU residents.
Just like any other law, GDPR brings with it a long list of legal and compliance requirements. If these requirements are not fulfilled and a data breach occurs, hefty fines have to be paid to the supervisory authority. When it comes to organizational security and meeting the GDPR requirements, SIEM systems play an important role.
For example, GDPR requires an entity to implement appropriate technical and process controls for protecting the personally identifiable information (PII) of data subjects. This requirement can be supported by a robust SIEM system that offers a central interface for validating the various data security controls (normalization, verification, collection, storage, etc.) across the entire network. Along with providing 24×7 visibility into organizational data and its security through graphics and visualization, the SIEM system can also map data processing activities and events to GDPR requirements with the help of predefined rules.
SIEM & GDPR Compliance
Privacy and data protection are two areas that designers often treat as afterthoughts or ignore altogether. To curb this, GDPR prescribes data protection by design and by default under Article 25, which talks about techniques such as tokenization, encryption, data minimization, and pseudonymisation. Moreover, Article 15 gives data subjects the right to access their data held by a controller or a processor.
As a general practice, SIEM systems offer services such as investigation capabilities, threat detection, compliance reporting, log management, etc. To meet the requirements of GDPR, automated compliance reporting can be set up so that PII is handled as the GDPR prescribes. Flexibility and speed of data collection and processing are basic components of GDPR compliance, as a business administrator must know what is happening to whose data, how, when, where, and why.
1. Know your Log Data
The right to erasure is explicitly given under Article 17, while Article 20 covers the transfer of data from one company to another (data portability). In addition, while collecting, processing, and storing the data of data subjects, businesses are required to –
- Obtain consent for all types of personal data,
- Maintain and provide information about the data stored whenever requested,
- Disclose the purpose of processing,
- Disclose the duration for which the data will be stored, and
- Disclose the details of any third party with whom the data will be shared, whether directly or indirectly.
If there is a central data collection point in your SIEM system, sending PII to the SIEM can create a massive repository of personal data. GDPR addresses the risks associated with such processing specifically under Articles 7, 9, and 17. In essence, GDPR protects data elements which, individually or jointly, can be used to identify an individual. Such data elements include names, phone numbers, credit or debit card data, IP addresses, MAC addresses, etc. If a business fails to meet these requirements, it may face penalties of up to 4% of its annual worldwide revenue, or €20 million (approximately $25 million).
However, it is also speculated that processing PII through a SIEM will fall under the legitimate interest basis given under Article 6 and will not amount to non-compliance. As per our interpretation and understanding of GDPR, an organization will not be required to take specific consent for collecting log data for its security. However, the procedure must be transparent and properly documented.
2. Conduct a Risk Assessment
Businesses often fail to understand the risks associated with the data stored on their servers. For example, log data will never be given as much importance as internal trade secrets. The centralized system being discussed must also feature strong authentication with proper role-based access control mechanisms. In addition, the need-to-know principle should be implemented, and auditing who accessed what and when should be considered an industry standard.
GDPR considerations such as pseudonymization and anonymization must be reviewed as part of the risk assessment in order to –
- Understand how they reduce the security risks associated with the data,
- Perceive their effectiveness in specific scenarios,
- Establish a chain of evidence during a breach,
- Minimize the cost of maintenance, and
- Realize the interplay between flexibility and data transfer.
3. Designing a data-destruction policy
A comprehensive data destruction policy ensures that you do not keep protecting data after it has become useless. With unnecessary data stored in your systems, the effort put into securing it eventually goes to waste, as this data is of no value to the business processes.
A number of existing SIEM technologies include data masking. This can be a viable option for protecting PII; however, it significantly impacts your ability to respond to a security incident. An ideal data destruction policy must include –
- A thoroughly explained set of processes and controls to be followed, and details about what constitutes an ideal data destruction environment,
- Training the employees about these policies and related activities, and
- Documenting each and every step involved and undertaken.
Processes & Controls
The processes and controls to be included in your organization’s data destruction policy will depend heavily on the equipment used and the sensitivity of the data. The policy should deal with organizational data stored on the company’s hardware, the company’s servers, storage devices, and portable media such as phones, USB drives, etc. In addition, before deleting data from a particular storage device, the following questions must be asked –
- Is it possible to sell the device and reuse it in the secondary market?
- Is it possible to erase the data by a non-destructive method?
- Is the device leased, or does your company own it outright?
A well-documented data destruction policy is of no use if it is not implemented at all or is poorly implemented. The first step towards effective implementation of a policy is to make the staff aware of the policy and how to follow it. Along with this, employees must be trained on the different types of data breaches, as there are many threats they would not have considered.
Various devices such as USB drives, portable hard drives, laptops, mobile phones, etc. contain sensitive data and are transported out of the organization’s premises on a daily basis. Apart from basic internet etiquette, these devices must also be protected to prevent data breaches.
When it comes to documentation, there are two sides – many companies understand the importance of erasing data from their systems after its utilisation, while many companies still believe in keeping it stored in their systems. In order to be compliant with GDPR, details pertaining to the erasure of data must be maintained, including information such as –
- Date of erasure,
- The device on which the data was stored,
- Serial number of the said device,
- The method used for erasure, and
- Reusability of the device.
4. Implementing Role-based Access Controls
An employee sitting at the front desk of your company does not need to know a customer’s address details. By implementing role-based access controls, you can ensure that only a limited number of authorized personnel can access the personal data stored in log files. Periodic audits of this access can be carried out to pin down unauthorized access attempts. With anonymization and pseudonymisation as essentials, your SIEM system must support these techniques. Simultaneously, your business should consider following a least-privilege policy, limiting employees’ data access to the extent required to do their jobs.
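As an added example (not code from the original article or any particular SIEM product), the Python sketch below shows one way a pre-ingestion pseudonymization step can treat the PII classes named in section 1 (IP and MAC addresses, plus e-mail as a name-like identifier) with keyed hashing: the SIEM keeps the ability to correlate events, re-identification is confined to a separately access-controlled lookup table for incident responders, and discarding the key supports the Article 17 erasure discussed earlier. The log lines, key and class names are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample log lines for illustration (not from the article).
SAMPLE_LOGS = [
    "2018-05-25T10:01:02Z sshd login user=alice@example.org src=203.0.113.7 mac=00:1a:2b:3c:4d:5e",
    "2018-05-25T10:01:09Z sshd login user=bob@example.org src=203.0.113.7 mac=00:1a:2b:3c:4d:5f",
]

# PII classes the article names (IP and MAC addresses), plus e-mail as a name-like identifier.
PII_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mac": re.compile(r"\b(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

class Pseudonymizer:
    """Replaces PII in log events with keyed-hash tokens before SIEM ingestion.

    While the key exists, equal inputs map to equal tokens, so the SIEM can still
    correlate events (same source IP across logins). The lookup table is the only
    way back to the original value and belongs in a separately access-controlled
    store. Deleting key and table (crypto-shredding) leaves stored tokens
    unlinkable, one way to honour erasure without rewriting the log archive.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.lookup = {}  # token -> original value, for authorised re-identification

    def token(self, kind: str, value: str) -> str:
        # HMAC rather than a plain hash: without the key, the small IP/MAC space cannot be brute-forced.
        digest = hmac.new(self._key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
        return f"{kind}_{digest[:16]}"

    def pseudonymize(self, line: str) -> str:
        for kind, pattern in PII_PATTERNS.items():
            def replace(match, kind=kind):
                tok = self.token(kind, match.group(0))
                self.lookup[tok] = match.group(0)
                return tok
            line = pattern.sub(replace, line)
        return line

    def shred(self) -> None:
        """Erasure: discard the key and the re-identification table."""
        self._key = None
        self.lookup.clear()
```

In a real deployment the key would live in a secrets manager and the lookup table in a store whose access is itself logged and audited, as the role-based access discussion above requires.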
5. Additional Tools for Compliance
An SIEM system can definitely prove to be a useful tool for monitoring and identifying malicious behaviour in a corporate environment. Apart from helping to prevent data breaches, it can also provide useful information for carrying out incident response activities within 72 hours, to comply with the statutory requirement of reporting to the supervisory authority.
However, no single technology can be considered a silver bullet for complying with the GDPR. Depending on your business requirements and operations, additional tools may or may not be required.
GDPR need not be a burden on companies, as implementing additional security solutions will only enhance an organization’s existing security posture. Moreover, with an array of rights given to data subjects, processing activities have to be transparent so that data subjects, as well as the supervisory authority, can obtain the required information about the processing activities carried out by a company. With the capabilities of an SIEM system, one can expect that implementing GDPR will decrease the financial burden on companies by simplifying and centralizing the various processes and controls related to an organization’s security. Hence, an SIEM system can effectively reduce the associated risks rather than add to them.