Although the General Data Protection Regulation (GDPR) is mandatory only
in Europe, it will change the way of working of every company in the world that
handles, stores or uses personal data. In other words, Latin American
companies that have subsidiaries and/or store and process personal
information about EU citizens will also have to prepare for compliance.
Personal data is defined as any information that, by itself or
combined with other data the holder can access, can be used to identify
an individual. For a cybercriminal, gaining access to the collection, processing
and transfer of this personal data is valuable, especially in industries
such as finance. Much of the stolen data ends up on a black market where prices
vary with the type of data and how long ago it was stolen.
If your organization collects or processes the personal data of
residents of the European Union, regardless of whether or not it has a physical
presence in the EU, it is subject to the GDPR. Under this regulation, data
loss due to the lack of proper policies and protection measures can lead to
fines of up to 4% of the company's annual global turnover.
The Enemy At Home
A recent Ipswitch survey of 255 IT professionals found that only
27% of data loss is the result of malicious behavior; another 27% is
due to accidental behavior or human error; and 46% of
losses are caused by process or network failures. In other words,
most data is lost because someone within the organization is doing something
they shouldn't, such as transmitting data through insecure channels.
In this sense, the General Data Protection Regulation requires
fair, lawful and transparent processing: additional care must be taken
when designing and implementing personal-data processing activities. In
turn, personal data must be protected against internal and external threats
and against accidental loss, destruction and damage; all reasonable steps must be
taken to ensure that personal data is accurate; compliance with the Data Loss Protection
Principles must be documented; and personal data must not be stored
longer than necessary for the stated purpose.
7 steps to comply with the GDPR
· Automation: Commonly used file transfer workflows should be automated to
reduce the human error that can lead to data loss. An
organization's file transfer tools should support features such as
automatic resubmission, error correction, and acknowledgment of every data
transfer.
· Control and visibility: Control and visibility of data flows and
events are the most important requirements for effective security management
and are essential for validating compliance. The tools used should provide
central visibility, control, and pre-authorization of all file transfers.
· Information security: The technology, tools or processes must
guarantee the integrity of the files and the deletion of data after receipt. An
important aspect of compliance is an inviolable audit trail
that tracks the integrity, delivery, authentication, non-repudiation, and
subsequent deletion of externally transmitted data files.
· Authentication: Authentication of users and administrators is
an essential aspect of security and compliance.
· Cryptography: Encryption algorithms have a limited lifespan, and compliance
standards often do not allow the use of compromised systems. It is therefore
essential that data exchange systems employ state-of-the-art, robust
cryptographic mechanisms and allow for secure selection, distribution, and
protection of encryption keys. To withstand the future strengthening
of data protection standards, systems must ensure the continued protection and
integrity of data both in transit and at rest.
· Secure architecture: The architecture of a system must integrate
with existing security infrastructures and applications.
· Failover: A key requirement of many data protection regulations is secure business
continuity. This requirement is intended to safeguard the confidentiality,
integrity, and availability of file transfers at every stage, throughout any
failure, disaster, or interruption.
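The audit trail called for under Information security (and the central visibility under Control and visibility) can be made tamper-evident by chaining each transfer event to the previous one with a keyed hash, so that editing, removing or reordering a record is detectable on verification. The following is an added illustration, not the article's own code nor an Ipswitch product; the key, actor names, event names and the sample file contents are all constructed for the example.

```python
import hashlib
import hmac
import json
# Constructed key for this example; a real deployment would keep it in an HSM or secrets manager.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64
def _mac(body: dict) -> str:
    return hmac.new(AUDIT_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()  # canonical JSON

def append_event(trail: list, event: str, actor: str, filename: str, file_bytes=None) -> dict:
    """Record one transfer event (sent / received / deleted), chained to the previous entry."""
    entry = {
        "seq": len(trail),
        "event": event,
        "actor": actor,  # the authenticated user or service account performing the action
        "file": filename,
        "sha256": hashlib.sha256(file_bytes).hexdigest() if file_bytes is not None else None,
        "prev": trail[-1]["mac"] if trail else GENESIS,
    }
    entry["mac"] = _mac(entry)  # covers every field above, including the link to the previous entry
    trail.append(entry)
    return entry

def verify_trail(trail: list) -> bool:
    """True only if every entry is unmodified and the chain has no gaps, removals or reordering."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body["seq"] != i or body["prev"] != prev:
            return False
        if not hmac.compare_digest(_mac(body), entry["mac"]):
            return False
        prev = entry["mac"]
    return True

def delivered_intact(trail: list, filename: str) -> bool:
    # Delivery evidence: the digest recorded by the receiver equals the one recorded by the sender.
    digests = {e["event"]: e["sha256"] for e in trail if e["file"] == filename and e["sha256"]}
    return "sent" in digests and "received" in digests and digests["sent"] == digests["received"]

def demo() -> tuple:
    payload = b"constructed sample export: customer records"  # stands in for a transferred file
    trail = []
    append_event(trail, "sent", "svc-export", "export.csv", payload)
    append_event(trail, "received", "partner-gw", "export.csv", payload)
    append_event(trail, "deleted", "partner-gw", "export.csv")
    ok_before = verify_trail(trail)
    trail[2]["event"] = "retained"  # an after-the-fact edit to the deletion record
    return ok_before, delivered_intact(trail, "export.csv"), verify_trail(trail)
```

`demo()` returns `(True, True, False)`: the untouched trail verifies, the sender's and receiver's digests agree, and the edited deletion record is caught.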
Ipswitch
manufactures business software to manage networks, securely transfer files, and
communicate via email, with practical solutions for the real needs of
businesses, network administrators and users in organizations of all sizes,
helping them increase their productivity.