
CSIAC

Cyber Security and Information Systems Information Analysis Center


Cybersecurity


Enhance cybersecurity awareness and survivability for DoD, industry partners, and academia in the face of the ever-increasing threat of cyber attacks. Cybersecurity (CS) includes managing risks related to the use, processing, storage, and transmission of information and the systems and processes used for those purposes, including analog and physical form. CS includes information availability, identification and authentication, confidentiality, integrity, and non-repudiation as well as the economic considerations with respect to selection of CS techniques, CS processes, and industry trends.


Will GDPR of EU make company information more secure?

  • This topic has 25 replies, 20 voices, and was last updated 3 years, 3 months ago by risonhaug.
  • 2017-12-23 at 02:08 #12940
    ericho
    Participant

    The GDPR law will be effective in May 2018 and China has passed their Cybersecurity Law recently. With all these cyber security regulations in place, will the companies complying with these laws be more secure in the future? Thoughts?

    • 2017-12-23 at 08:42 #12943
      ednode
      Participant

      Not in the near term. At the moment firms are struggling to classify data properly. That essentially is the first step to understanding what security needs to be put in place but when GDPR goes live the focus will be on mapping and classification of data.

      In time, yes it will help. If we know what the data is we can understand the data most susceptible to attack as well as the type of actors and methods most likely to be used.

    • 2017-12-24 at 01:29 #12949
      ericho
      Participant

      Agree. In the first 1-2 years, the IT and Security teams will be overloaded with the compliance activities. As a result, some of the essential security investment would be delayed or deferred due to budget or resource issues. This makes the organization more vulnerable to different types of cyberattacks. There should be a longer grace period such that the industry has enough time to nurture enough experts in this field.

    • 2017-12-24 at 11:32 #12955
      vasolrac
      Participant

      I agree with the fact that either IT and/or the organization’s risk mitigation team will be busy classifying data in order to take full advantage of new governance tools meant to comply with GDPR.

      I do think the GDPR is a positive step in security. For instance, I am happy to see Microsoft rolling out the HYOK (hold your own key) encryption ability for their Office 365 users (end-to-end encryption for email). Big orgs like Microsoft, Google and Box have European citizens as clients and will need to comply with GDPR. The nice thing is that US customers will be able to take advantage of the new security features being rolled out sooner rather than later.

      But the first step is data governance, clean up and classification – with leadership buy in.

    • 2017-12-25 at 00:23 #12961
      llem
      Participant

      Over time the GDPR could achieve the objectives by establishing compliancy, protecting personal data, and establishing assessment measures to maintain compliancy. These are three major elements and I agree with the posts so far that there is a lot of work behind the scenes to bring these ideas online. This is a step in the right direction, while I think global diplomacy amongst the major participants will still be a challenge. What do you think?

    • 2017-12-25 at 14:17 #12969
      cyberpichu
      Participant

      Privacy and security are not mutually exclusive capabilities – from what I’ve observed, an organization cannot demonstrate privacy hygiene by discounting security and data protection controls.
      GDPR provides the rigor for organizations to identify the personal information relevant to their environment (such as physical identifiers, social identifiers, genetic identifiers etc.) and the associated business processes, systems and applications that process that information (Article 30 in GDPR). This insight is a starting point for many organizations to catalog their critical systems and applications and evaluate their privacy and data protection controls. Of course, beyond the compliance aspect, organizations should focus on leveraging the data mapping results and managing defensible data protection and information security hygiene overall.

    • 2017-12-26 at 07:21 #12982
      disabatom
      Participant

      Companies will reply to GDPR based upon the cost of compliance and the cost of non-compliance. With the fine for non-compliance being up to 4% of an enterprise’s prior year’s revenues, the potential cost is huge. But only in so far as it is demanded. There are many penalties for not having ‘good’ security and privacy practices, but there have not been many firms told they need to pay any sort of penalty for non-compliance. In the instances where there have been, they are most likely viewed as the cost of doing business.

    • 2017-12-26 at 18:12 #13020
      rballeste
      Participant

      According to experts in international privacy law, GDPR standards will benefit internet users, and this perhaps should be exported from Europe. How long will organizations need to fully implement it? Is there a significant financial impact? Thank you for your feedback.

    • 2017-12-26 at 18:33 #13022
      marislan
      Participant

      I agree that GDPR by itself will not in the short term make data more secure, especially in large companies that have not been disciplined with basic tenets of data governance, because these companies are currently working to just classify the data. Classification, in my experience, is just the first step. We can use GDPR as leverage to drive privacy and security initiatives which must be integrated into larger governance programs.

      • 2017-12-26 at 20:26 #13026
        packerman007
        Participant

        Thanks for sharing these insights. I question whether many US companies will be in compliance with the EU’s GDPR by mid-May (25th) 2018. Much of this is due to over-committed resources and prioritization by the organization, which may not fully understand this new EU regulation and its impact on the business.

    • 2017-12-26 at 22:47 #13025
      packerman007
      Participant

      Thanks everyone for your insights regarding the impact the EU’s new GDPR regulation will likely have.
      GDPR in the Healthcare/Life Sciences industries within the US may still have a great deal of work left to accomplish to comply with the mid-May 2018 timeline and meet the requirement(s).

      There are some videos and framework documents here: http://www.itgovernance.co.uk, http://www.itgovernance.co.uk/shop/p-1830-eu-gdpr-a-pocket-guide.aspx
      https://www.itgovernance.co.uk/shop/product/eu-general-data-protection-regulation-gdpr-documentation-toolkit

    • 2017-12-26 at 22:50 #13023
      packerman007
      Participant

      Some of the questions pertaining to the GDPR regulation, among others:

      Does the company understand its data footprint in the European Union (e.g., data about employees, consumers and clients)?
      The company’s preparation providing evidence of GDPR compliance to EU or US privacy regulators, during an assessment/audit?
      The company’s overall framework for GDPR compliance? How aligned and integrated with other regulatory systems, e.g. Quality Management Systems (QMS)?
      The company’s Data Protection Officer (DPO). Does the company have this role defined? Is this resource the Data Integrity Office as well?

    • 2017-12-27 at 11:13 #13044
      marislan
      Participant

      @packerman007, are you defining the Data Integrity Office as the group accountable for data quality? If so, at our organization, that is separate from our Data Privacy Group. We actually have Security and Privacy in separate groups and I oversee data governance which includes security and privacy as well as data quality. I actually believe we would make more progress if we brought all three groups together under a Chief Data Officer.

    • 2017-12-28 at 12:59 #13059
      ks75020n
      Participant

      The impacts & insights on how CS would revolve around nations in Europe post-BREXIT & the GDPR law coming into force May 2018 have some really interesting facts to reveal.

      https://www.checkmarx.com/2017/04/27/brexit-effect-cybersecurity/

    • 2017-12-29 at 12:13 #13086
      jreade
      Moderator

      Here is a recent article on GDPR and data localization and the impact it will have on Cloud. I thought this discussion might find it interesting.

      https://www.scmagazine.com/gdpr-and-data-localization-the-significant-and-often-unforeseen-impact-on-the-cloud/article/718552/

    • 2017-12-31 at 01:29 #13098
      frederik
      Participant

      For the China part of your question, I’ve been in touch with the Chinese culture a little bit over the last years.

      Having laws in place will not necessarily make Chinese companies more secure…

      One of my (Mainland Chinese) CEOs (in a multi-billion USD turnover and multi-million USD profit company) literally said when I requested a tiny budget (20K USD) for cyber security: “We have never been hacked, we don’t need that, why would anyone want our information!”

      A few months later we turned out to have been hacked already… we only got the go-ahead to invest close to half a million in cyber security 6 months after that hack…

      Chinese habits of using pirated software, high levels of pride, and negative thoughts or emotions not being spoken out loud will make it tougher to secure.

      Of course there will be numerous examples of very well organized and structured companies in China as well!

    • 2017-12-31 at 11:35 #13108
      leeh
      Participant

      If the question is “will the companies complying with these laws be more secure in the future?” I think that the answer is arguably yes! I agree with most of the comments that businesses have a lot of work ahead of them to classify data that needs to be protected, to put in place systems to protect the data, and to put a DPO in place (among other necessary activities). However, even starting down this road and starting to look at these issues will put many businesses in a more secure position in the near future. Will they be compliant and more secure by May 2018? Probably not, but the GDPR has opened up many needed discussions in the past six months. Additionally, the potential for large fines if you are found in violation of the GDPR gives many businesses a financial incentive, that they might not previously have recognized, to invest more time and resources into data security and protection.

    • 2018-01-01 at 15:21 #13119
      nquinn
      Participant

      I do believe it will make company information more secure, although it may take a while to see the value of it. Implementing the standards will be challenging. One of the interesting aspects is data localization in light of cloud platform popularity: keeping data within a country’s borders, and yet many vendors use data centres in different countries.
      Another aspect of the challenge coming will be for non-EU vendors. US companies such as our own will need to implement the same standards when working with EU data and localized.

      See jreade’s post above with a link to a great article on Data Localization.

    • 2018-01-01 at 17:02 #13126
      agb83
      Participant

      No doubt it will make information more secure. However, this will take time as unfortunately many organisations, especially those outside the EU but handling data of EU subjects, are still far from implementing and getting up to date with the new regulation.

    • 2018-01-02 at 03:55 #13152
      msiro
      Participant

      @packerman007, with regard to the question “The company’s preparation providing evidence of GDPR compliance to EU or US privacy regulators, during an assessment/audit?” the first evidence is surely the “Record of processing activities” ex art. 30 GDPR, which is also the first document to be drafted when assessing compliance with the GDPR.
      A second evidence is the performance of a Data Protection Impact Assessment “if the processing is likely to result in a high risk to the rights and freedoms of natural persons” (Art. 35).
      The French privacy authority CNIL has just released free software for carrying out the DPIA activities, available here:

      https://www.cnil.fr/en/cnil-releases-free-software-pia-tool-help-data-controllers-carry-out-data-protection-impact

    • 2018-01-02 at 10:43 #13170
      aksver
      Participant

      Most best practices that are recommended by the GDPR are already recommended as the echelon of best practices that companies are to follow. The suggestions for pseudo-anonymization and maintenance of data protection personnel are good practices that are being imposed, and the impact, as widely discussed in the forum above, is extra-territorial. Since I am from India I thought it would be pertinent to mention that the data processors in India are also scrambling to comply with the provisions, and the way in which the regulation has been structured to include best practices not only from a prevention but also from a risk mitigation perspective can have a major impact on the way cyber security is dealt with. GDPR has also brought attention to the boards, which is a welcome impact; therefore, from a policy perspective that would augment an organization’s stance and practice, the GDPR has a far-reaching impact.

    • 2018-01-02 at 16:25 #13206
      barlas
      Participant

      As in other compliance programs, the beginning years are more testing than bite. There will be some early adopters. There will be companies that test their limits. We will see how seriously the EU takes this after May.

    • 2018-01-02 at 19:35 #13213
      edlimxs
      Participant

      I think it will, and it is a great step in the right direction. GDPR focuses more on the process of handling data, which many think is correct. As people are often the weakest link in any security scenario, governing the way data is being handled is the best way.

    • 2018-01-03 at 05:31 #13233
      msiro
      Participant

      I don’t think there’s space for “early adopters”, nor for what the EU will do. This is a regulation (not a directive), therefore it is self-executing in every EU country without the need to be made national law.
      In Italy, for example, the controls regarding the privacy laws are carried out by the “Guardia di Finanza”, which is a sort of Tax Police: the Italian Supervisory Authority (“Garante Privacy”) and the Guardia di Finanza keep saying that from May 26th they will start to control and that fees will be important for those not compliant. The same goes in France and the UK.

    • 2018-01-04 at 09:24 #13245
      jreade
      Moderator

      Here is another recent article from Forbes on GDPR Compliance and the importance of Information Governance. https://www.forbes.com/sites/forbestechcouncil/2017/12/06/if-gdpr-compliance-doesnt-start-with-information-governance-youll-probably-fail/#348d36042e1e

      The Compliance, Governance and Oversight Council (CGOC) has developed the “Information Governance Process Maturity Model” to help organizations understand the strategies, processes and technologies required for an efficient governance program. Other important resources include the Electronic Discovery Reference Model (EDRM) and the Information Governance Reference Model (IGRM).

    • 2018-01-04 at 16:34 #13247
      risonhaug
      Participant

      The GDPR regulation that kicks in has made all the US software and consultant firms target the European market in a massive way. I see little smartness in how they try to “help”, but more in increasing earnings.

      The only way that GDPR will make information more secure is that now IT and LOB will get “new” money and resources to do some real lift in information security. Historically infosec in Europe has been updating endpoint security and replacing firewalls – but never reading the logs.

      While the US market has been heavily investing in e.g. DLP, most European leaders don’t have a clue what it’s about; now they have to wake up.

