Countdown to GDPR: Protecting the Pathways to Personal Information
October 24, 2017 | Regulations, Audit & Compliance | Corey O'Connor
The General Data Protection Regulation (GDPR) goes into force on May 25, 2018, yet despite the rapidly approaching deadline, many organizations are still either confused about or unprepared for this sizable piece of legislation.
To help organizations better prepare for the upcoming changes, while underscoring the strategic business value of securing access to personal data, we’ve developed a GDPR Advisory series, which is now available. The series outlines practical steps for meeting GDPR requirements for protecting personal data, including protecting access, responding rapidly, assessing risk and demonstrating compliance.
Protecting the Pathways to Personal Information
As we’ve covered in previous posts, a cyber attacker typically follows the privileged pathway leading to an organization’s most sensitive assets and information. To protect your organization, you must tightly control your pathways to privileged access, so unauthorized users are blocked on the spot—whether they are malicious or mistaken.
Privileged “users” including employees and third parties—even certain applications or processes—all have access to this pathway, and therefore, personal data. You are now responsible for all of these under GDPR.
Our first GDPR Advisory delves into the specific articles within the GDPR legislation that outline who, or what, can (and cannot) have privileged access to personal data. For example:
- GDPR Article 25 requires protection of personal data by design and by default: We’ll explore how implementing the “least privilege principle” can limit user access to the minimum level of data needed for normal business functions and significantly strengthen operational control over access to personal data.
- GDPR Article 32(2) says organizations must protect against the accidental or unlawful destruction, loss, alteration or access to personal data: We’ll outline proactive steps you can take to comply with this article, including placing privileged credentials in a secure digital vault and enforcing individual accountability for each action taken using those credentials—at any point in time.
Strong privileged account security requires more than the management of individual users’ passwords. You also need to comprehensively isolate, control and monitor privileged access across systems, databases and VMs. We’ll explore an actionable “checklist” of steps to secure system access and stop attackers and malicious insiders from leveraging compromised credentials to bypass monitoring solutions and security controls.
Read the full GDPR Advisory here. To learn more about protecting your pathways to personal information, contact your sales representative or visit here to learn how CyberArk can help your organization with GDPR readiness.