[Diagram: framework selection and operationalization process]

Process steps:
- Kick off / START
- Pick the best framework for your needs
- Operationalize frameworks through Standardized Operating Procedures (SOP) & documented SDLC processes
- As necessary, adjust to changes to cybersecurity & privacy frameworks

Privacy framework options:
- Generally Accepted Privacy Principles (GAPP)
- Service Organization Control (SOC 2)
- Asia-Pacific Economic Cooperation (APEC)
- Organization for Economic Co-Operation & Development (OECD)
- Other

Data Lifecycles

Key EU GDPR articles:
- Article 17 – Right to erasure (right to be forgotten)
- Article 20 – Right to data portability
- Article 25 – Data protection by design and by default
- Article 30 – Processing activities
- Article 35 – Data Protection Impact Assessment (DPIA)

Operational Expectations:
- Publish & manage policies, standards & procedures that cover applicable cybersecurity & privacy requirements.
- Implement ongoing risk management practices (e.g., Data Protection Impact Assessment (DPIA) or other risk assessments).
- Formalize a Secure Development Lifecycle (SDLC) program that helps ensure both cybersecurity & privacy principles are designed and implemented by design and default.
- Perform Control Validation Testing (CVT) to validate the existence and effectiveness of cybersecurity & privacy controls. CVT should be done prior to “go live” or after significant changes.
- Maintain a mature Incident Response (IR) capability.
EU GDPR Compliance Criteria (EGCC) 4/24/2018
GOV-06 Contacts With Authorities
- Domain: Security & Privacy Governance
- Applies to: Management
- Control: Mechanisms exist to identify and document appropriate contacts within relevant law enforcement and regulatory bodies.
- Suggested solutions: Threat intelligence personnel; Integrated Security Incident Response Team (ISIRT)
- Mapped references: 6.1.3; IR-6
- GDPR articles: Art 31, 36.1, 36.2, 36.3, 37.7, 40.1, 41.1, 42.2, 50
GOV-07 Contacts With Groups & Associations
- Domain: Security & Privacy Governance
- Applies to: Management
- Control: Mechanisms exist to establish contact with selected groups and associations within the cybersecurity & privacy communities to:
  ▪ Facilitate ongoing cybersecurity and privacy education and training for organizational personnel;
  ▪ Maintain currency with recommended cybersecurity and privacy practices, techniques and technologies; and
  ▪ Share current security-related information including threats, vulnerabilities and incidents.
- Suggested solutions: SANS; CISO Executive Network; ISACA chapters; IAPP chapters; ISAA chapters
- Mapped references: 6.1.4; AT-5; PM-15
- GDPR articles: Art 40.2, 41.1, 42.2, 42.3, 43.2
AST-01 Asset Governance
- Domain: Asset Management
- Applies to: Management
- Control: Mechanisms exist to facilitate the implementation of asset management controls.
- Suggested solutions: Generally Accepted Accounting Principles (GAAP); ITIL - Configuration Management Database (CMDB)
- Mapped references: PM-5
- GDPR articles: Art 32.1, 32.2
www.securecontrolsframework.com 1 of 10
CPL-01 Statutory, Regulatory & Contractual Compliance
- Domain: Compliance
- Applies to: All Users
- Control: Mechanisms exist to facilitate the implementation of relevant legislative statutory, regulatory and contractual controls.
- Suggested solutions: Governance, Risk and Compliance Solution (GRC) tool (ZenGRC, Archer, RSAM, Metric stream, etc.); Steering committee
- Mapped references: 18.1.1; 5.1; PM-8; ID.GV-3; PR.IP-5; 3.3; 3.3.3; 3.3.4; 3.4; 3.4.1; 3.4.2; 3.4.3
- GDPR articles: Art 1.2, 2.1, 2.2, 3.1, 3.2, 3.3, 6.1, 17.3, 20.3, 23.1, 23.2, 24.1, 24.2, 24.3, 25.1, 25.2, 25.3, 27.1, 27.2, 27.3, 27.4, 27.5, 32.1, 32.2, 32.3, 32.4, 40.1, 40.2, 42.2, 43, 50
CPL-02 Security Controls Oversight
- Domain: Compliance
- Applies to: Management
- Control: Mechanisms exist to provide a security controls oversight function.
- Suggested solutions: Governance, Risk and Compliance Solution (GRC) tool (ZenGRC, Archer, RSAM, Metric stream, etc.); Steering committee; Formalized SDLC program; Formalized DevOps program; Control Validation Testing (CVT); Security Test & Evaluation (STE)
- Mapped references: 8.2.7; 5.10; 5.11; 5.12; CA-7; CA-7(1); PM-14; DE.DP-5; PR.IP-7; 3.3.8; 3.12.1; 3.12.2; 3.12.3; 3.12.4; NFO
- GDPR articles: Art 5.2
CPL-03 Security Assessments
- Domain: Compliance
- Applies to: Technical
- Control: Mechanisms exist to ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate security policies, standards and other applicable requirements.
- Suggested solutions: Control Validation Testing (CVT); Security Test & Evaluation (STE); Governance, Risk and Compliance Solution (GRC) tool (ZenGRC, Archer, RSAM, Metric stream, etc.)
- Mapped references: P8.1; 10.2.4; 18.2.2; 5.12; CA-2; 3.4.9
- GDPR articles: Art 5.2, 32.3
CPL-03.1 Independent Assessors
- Domain: Compliance
- Applies to: Technical
- Control: Mechanisms exist to utilize independent assessors at planned intervals or when the system, service or project undergoes significant changes.
- Suggested solutions: Control Validation Testing (CVT); Security Test & Evaluation (STE)
- Mapped references: 18.2.1; 3.4.9
- GDPR articles: Art 40.2, 42.1, 42.2, 42.3, 42.4, 42.6, 42.7, 43.2
CFG-01 Configuration Management Program
- Domain: Configuration Management
- Applies to: Management
- Control: Mechanisms exist to facilitate the implementation of configuration management controls.
- Suggested solutions: NNT Change Tracker; Change Management Database (CMDB); Baseline hardening standards; Formalized DevOps program; Control Validation Testing (CVT); Security Test & Evaluation (STE)
- Mapped references: CM-1; CM-9; 3.3.5; 3.4.7; 3.4.8; NFO
- GDPR articles: Art 32.1, 32.2
MON-01 Continuous Monitoring
- Domain: Monitoring
- Applies to: Technical
- Control: Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.
- Suggested solutions: Splunk
- Mapped references: 12.4.1; AU-1; SI-4; DE.CM-1; DE.DP-1; DE.DP-2; PR.PT-1; NFO
- GDPR articles: Art 32.1, 32.2
CRY-01 Use of Cryptographic Controls
- Domain: Cryptographic Protections
- Applies to: All Users
- Control: Mechanisms exist to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies.
- Suggested solutions: Key and certificate management solutions; BitLocker and EFS; dm-crypt, LUKS
- Mapped references: 10.1.1; SC-8(2); SC-13; SC-13(1); SI-7(6); 3.13.11
- GDPR articles: Art 5.1, 32.1, 32.2
CRY-03 Transmission Confidentiality
- Domain: Cryptographic Protections
- Applies to: Technical
- Control: Cryptographic mechanisms are utilized to protect the confidentiality of data being transmitted.
- Suggested solutions: SSL / TLS protocols; IPSEC Tunnels; Native MPLS encrypted tunnel configurations; Custom encrypted payloads
- Mapped references: C1.3; 8.2.5; 13.2.3; SC-8; SC-9; PR.DS-2
- GDPR articles: Art 5.1
CRY-04 Transmission Integrity
- Domain: Cryptographic Protections
- Applies to: Technical
- Control: Cryptographic mechanisms are utilized to protect the integrity of data being transmitted.
- Mapped references: 14.1.3; SC-8; SC-16(1); SC-28(1); 3.8.6; 3.13.8; 3.13.16; PR.DS-8
- GDPR articles: Art 5.1
CRY-05 Encrypting Data At Rest
- Domain: Cryptographic Protections
- Applies to: All Users
- Control: Cryptographic mechanisms are utilized on systems to prevent unauthorized disclosure of information at rest.
- Mapped references: 10.1.1; SC-13; SC-28(2); PR.DS-1
- GDPR articles: Art 5.1
DCH-18 Media & Data Retention
- Domain: Data Classification & Handling
- Applies to: All Users
- Control: Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.
- Suggested solutions: Data Protection Impact Assessment (DPIA)
- Mapped references: PI1.4; PI1.5; PI1.6; 8.3; 18.1.3; MP-7; SI-12
- GDPR articles: Art 5.1
DCH-18.1 Limit Personally Identifiable Information (PII) Elements In Testing, Training & Research
- Domain: Data Classification & Handling
- Applies to: Management
- Control: Mechanisms exist to limit Personal Information (PI) being processed in the information lifecycle to elements identified in the Data Protection Impact Assessment (DPIA).
- Suggested solutions: Data Protection Impact Assessment (DPIA)
- GDPR articles: Art 35.1, 35.2, 35.3, 35.6, 35.8, 35.9, 35.11
DCH-18.2 Minimize Personally Identifiable Information (PII)
- Domain: Data Classification & Handling
- Applies to: Management
- Control: Mechanisms exist to minimize the use of Personal Information (PI) for research, testing, or training, in accordance with the Data Protection Impact Assessment (DPIA).
- Suggested solutions: Data Protection Impact Assessment (DPIA)
- Mapped references: 5.5
- GDPR articles: Art 5.1, 35.1, 35.2, 35.3, 35.6, 35.8, 35.9, 35.11
DCH-24 Information Location
- Domain: Data Classification & Handling
- Applies to: Technical
- Control: Mechanisms exist to identify and document the location of information and the specific system components on which the information resides.
- Suggested solutions: Data Flow Diagram (DFD)
- GDPR articles: Art 6.1, 26.1, 26.2, 27.3, 28.1, 28.2, 28.3, 28.4, 28.5, 28.6, 28.9, 28.10, 29, 44, 45.1, 45.2, 46.1, 46.2, 46.3, 47.1, 47.2, 48, 49.1, 49.2, 49.6
DCH-25 Transfer of Personal Information
- Domain: Data Classification & Handling
- Applies to: Management
- Control: Mechanisms exist to restrict and govern the transfer of data to third countries or international organizations.
- Suggested solutions: Model contracts; Privacy Shield; Binding Corporate Rules (BCR)
- GDPR articles: Art 44, 45.1, 45.2, 46.1, 46.2, 46.3, 47.1, 47.2, 48, 49.1, 49.2, 49.6
EMB-01 Embedded Technology Security Program
- Domain: Embedded Technology
- Applies to: All Users
- Control: Mechanisms exist to facilitate the implementation of embedded technology controls.
- GDPR articles: Art 32.1, 32.2
RSK-08 Business Impact Analysis (BIAs)
- Domain: Risk Management
- Applies to: All Users
- Control: Mechanisms exist to conduct a Business Impact Analysis (BIAs).
- Suggested solutions: Risk Management Program (RMP); Data Protection Impact Assessment (DPIA); Business Impact Analysis (BIA)
- Mapped references: 5.12; ID.RA-4
- GDPR articles: Art 35.1, 35.2, 35.3, 35.6, 35.8, 35.9, 35.11, 36.3
RSK-09.1 Supply Chain Risk Assessment
- Domain: Risk Management
- Applies to: Management
- Control: Mechanisms exist to assess supply chain risks associated with systems, system components and services.
- Suggested solutions: Risk Management Program (RMP); Data Protection Impact Assessment (DPIA)
- Mapped references: 5.12
- GDPR articles: Art 35.1, 35.2, 35.3, 35.6, 35.8, 35.9, 35.11, 36.3
RSK-10 Data Protection Impact Assessment (DPIA)
- Domain: Risk Management
- Applies to: All Users
- Control: Mechanisms exist to conduct a Data Protection Impact Assessment (DPIA) on systems, applications and services to evaluate privacy implications.
- Suggested solutions: Risk Management Program (RMP); Data Protection Impact Assessment (DPIA); Privacy Impact Assessment (PIA)
- Mapped references: 1.2.4; 4.2.3; AR-2; PL-5; 5.12
- GDPR articles: Art 35.1, 35.2, 35.3, 35.6, 35.8, 35.9, 35.11, 36.1, 36.2, 36.3
SEA-01 Secure Engineering Principles
- Domain: Secure Engineering & Architecture
- Applies to: All Users
- Control: Mechanisms exist to facilitate the implementation of industry-recognized security and privacy practices in the specification, design, development, implementation and modification of systems and services.
- Mapped references: CC3.2; 4.2.3; 6.2.2; 7.2.2; 7.2.3; 14.2.5; 5.10; 5.11; AR-7; SA-8; SA-13; SC-7(18); SI-1; 2.1; 2.2; 2.3; 2.4; 3.13.1; 3.13.2; NFO; Principle 4
- GDPR articles: Art 5.2, 24.1, 24.2, 24.3, 25.1, 25.2, 25.3, 32.1, 32.2, 40.2
SEA-01.1 Centralized Management of Cybersecurity & Privacy Controls
- Domain: Secure Engineering & Architecture
- Applies to: Management
- Control: Mechanisms exist to centrally manage the organization-wide management and implementation of cybersecurity and privacy controls and related processes.
- Mapped references: 5.10; 5.11; PL-9; 3.4; 3.4.3; 3.4.4; 3.4.5; 3.4.6; 3.4.7; 3.4.8; 3.4.9; 3.4.10; 3.4.11; 3.4.12; 3.4.13; 3.4.14
- GDPR articles: Art 5.2, 24.1, 24.2, 24.3, 25.1, 25.2, 25.3, 32.1, 32.2, 40.2
SEA-02.1 Standardized Terminology
- Domain: Secure Engineering & Architecture
- Applies to: Technical
- Control: Mechanisms exist to standardize technology and process terminology to reduce confusion amongst groups and departments.
- GDPR articles: Art 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10, 4.11, 4.12, 4.13, 4.14, 4.15, 4.16, 4.17, 4.18, 4.19, 4.20, 4.21, 4.22, 4.23, 4.24, 4.25, 4.26
TPM-05 Third-Party Contract Requirements
- Domain: Third-Party Management
- Applies to: All Users
- Control: Mechanisms exist to identify, regularly review and document third-party confidentiality, Non-Disclosure Agreements (NDAs) and other contracts that reflect the organization’s needs to protect systems and data.
- Suggested solutions: Non-Disclosure Agreements (NDAs)
- Mapped references: C1.4; 13.2.4; 15.1.2; SA-9(3); ID.SC-3
- GDPR articles: Art 28.1, 28.2, 28.3, 28.4, 28.5, 28.6, 28.9, 28.10, 29
THR-01 Threat Awareness Program
- Domain: Threat Management
- Applies to: Management
- Control: Mechanisms exist to implement a threat awareness program that includes a cross-organization information-sharing capability.
- Mapped references: CC3.1; PM-16; ID.BE-2
- GDPR articles: Art 32.1, 32.2
VPM-01 Vulnerability & Patch Management Program (VPMP)
- Domain: Vulnerability & Patch Management
- Applies to: All Users
- Control: Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls.
- Suggested solutions: Vulnerability & Patch Management Program (ComplianceForge)
- Mapped references: CC6.1; 12.6.1; SI-2; SI-3(2); ID.RA-1; PR.IP-12
- GDPR articles: Art 32.1, 32.2
VPM-04.2 Flaw Remediation with Personally Identifiable Information (PII)
- Domain: Vulnerability & Patch Management
- Applies to: Management
- Control: Mechanisms exist to identify and correct flaws related to the collection, usage, processing or dissemination of Personal Information (PI).
- Mapped references: SI-2(7)
- GDPR articles: Art 5.1
WEB-01 Web Security
- Domain: Web Security
- Applies to: Technical
- Control: Mechanisms exist to facilitate the implementation of an enterprise-wide web management policy, as well as associated standards, controls and procedures.
- Mapped references: 13.1.3
- GDPR articles: Art 32.1, 32.2