Integrating GDPR Into the Threat Intelligence Program

Author: Larry Marks, CISA, CRISC, CGEIT, C|CISO, CCSK, CFE, CISSP, CSTE, ITIL, PMP
Date Published: 21 August 2020

When the EU General Data Protection Regulation (GDPR) went into effect in May 2018, the financial penalties it introduced made management attention to controls around data breaches (mitigation controls and incident management) one of the most important issues an organization can face. Therefore, a practical understanding of the nuances of its implementation is critical to mitigating any penalties. The data management concerns for senior management, auditors, data governance and other key stakeholders are centered on these areas:

  1. Where personal information (PI)/personal health information is stored
  2. Who has access to PI
  3. How access to the data at the field, table and database level is tracked, monitored and reported for compliance, both to establish access rules and to detect anomalous access
  4. If there are additional threat intelligence relevant feeds that should be reviewed
  5. Increased focus and frequency of risk assessments (e.g., reviewing the internal threat landscape and identifying the mitigating factors)
  6. Increased focus on the MITRE ATT&CK Enterprise Matrix and MITRE ATT&CK Cloud Matrix as they relate to the vectors that impact privacy data
  7. The impact of violating GDPR in the event of a data security incident

There are additional items that must be in the security operations center (SOC) analyst checklist to ensure that intelligence efforts are comprehensive. The challenge is for security professionals to step up their proactive efforts to mitigate risk while facing some interesting challenges in terms of integrating GDPR into their organization's threat intelligence programs.

Editor’s note: For further insights on this topic, read Larry Marks’ recent Journal article, “Impact of GDPR on Threat Intelligence Programs,” ISACA Journal, volume 4, 2020, and for additional privacy resources from ISACA, see the CCPA Audit Program and learn more about ISACA’s new Certified Data Privacy Solutions Engineer (CDPSE) certification.
