Knowledge is Power: Guidance from ICO and NCSC on GDPR Security Outcomes

The GDPR is now in effect, but for many technical folks, especially in security, it is still a challenging ride to translate high-level legislation into clear, actionable items. The legislation is not as detailed as many in Info Security would like, especially when compared to PCI Compliance, which specifically details what your password policy should be, or how long log data should be stored. However, the GDPR isn’t as descriptive because it needs to stand for a long time without major modifications and stay relevant as new technology and threats emerge. For organizations, this means that the lessons to be learned around GDPR will be ongoing.

We at Splunk sat with legal experts and, following the outcome-focused approach to the GDPR, outlined how to protect personal information through the use of machine data. We continue to closely monitor new advice being shared by leading authorities, and fresh findings from audits being released. From pre-GDPR national decisions to post-GDPR, EU-wide impacts: knowledge is power.

For example, a lesson learned and documented by the ICO on Community Pharmacies is to never use shared user accounts to access personal information:

[Image: ICO pharmacies shared account warning]

The National Cyber Security Centre (NCSC), together with the UK’s Information Commissioner’s Office (ICO), recently published a guidance document on GDPR Security Outcomes. It summarises several articles and converts the information into the people, processes and technologies that are needed by security managers and practitioners in today’s organizations. Businesses with a higher security maturity should already have most of these things in place, but this is often not the case.

Quoting from the ICO and NCSC guidance, I want to point out the importance of security monitoring, and how data collection from your business applications falls under the GDPR:

We understand the challenge in collecting a full audit trail from systems that process personal data. Organizations may have multiple business applications where information is widely distributed. Each business application provides different APIs to collect the data and structures its audit trail information in a different format; together with the volume of data generated, this is too vast to handle with traditional tools. However, it still needs to be collected, and made accessible and usable, in order to detect potential anomalies early or scope the impact of potential incidents, e.g. knowing if any EU personal data was put at risk by a compromised user account. In preparation for an audit by the authorities, you may also want to prove that your security controls are enforced and that employees follow your IT policies, such as not sharing user accounts to access personal data.

Today, we at Splunk enable thousands of organizations to mature their security capabilities. Just one example is how we help UCAS to protect over 800k student records every year. If you want to learn more, reach out to our team for a GDPR Workshop to review what’s required of your organisation under the GDPR, what situations you may face, and identify any gaps in your current efforts.

Happy Splunking,

Matthias
