A Security Operations Center (SOC) is where the Information Security team is responsible for monitoring and analyzing the organization's security posture on a continuous basis. As an organisation we will have to apply the best practices in SOC to ensure that it is compliant with GDPR.
- Data breaches in SOC for achieving GDPR compliance.
The General Data Protection Regulation (GDPR) mandates that a company reports any security incidents, such as vulnerabilities and personal data breaches, within 72 hours, and must be able to detect potential security breaches. The SOC will be required to report such security incidents to the Supervisory Authority within 24 hours.
- Record the IT activities to comply with GDPR
A Security Information and Event Management (SIEM) solution should be monitored by the SOC. The SIEM collects the logs, and the SOC searches those logs to locate potential breaches in the systems. The Security Incident Response Team (SIRT) deals with forensics after a breach to find out how much data has been stolen by an attacker.
- GDPR awareness session for the employees.
In SOC, the organisation needs to establish a Data Governance Committee and set data management standards. A Data Protection Officer (DPO) must be appointed. The organization needs to educate all employees about best data practices as per SOC.
- Define roles and restrict data access to specific employees as per SOC
In SOC best practices, sensitive data is restricted to only the specific people or group that need to use the data.
Example: the Finance team should have access only to finance data and not to HR data, and the HR team should have access only to HR data and not to finance data.
Identity Management software can help us restrict employees' access to databases, or to specific data sets within a database.
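As an added example that is not part of the original post, the following shows the role-based restriction described above as a default-deny check, with each decision written to an audit record that the SOC can later search for repeated denials. The roles, users and dataset names are constructed assumptions, not an organisation's real policy.

```python
from datetime import datetime, timezone

# Constructed role-to-dataset policy: each role sees only the datasets it needs.
# Any (role, dataset) pair not listed here is denied by default (least privilege).
ROLE_DATASETS = {
    "finance": {"finance_ledger", "invoices"},
    "hr": {"employee_records", "payroll"},
}

# Constructed user directory, standing in for an identity management system.
USER_ROLES = {
    "alice": {"finance"},
    "bob": {"hr"},
    "carol": {"finance", "hr"},
}


def is_allowed(user: str, dataset: str) -> bool:
    """Default-deny check: allowed only if one of the user's roles lists the dataset."""
    roles = USER_ROLES.get(user, set())
    return any(dataset in ROLE_DATASETS.get(role, set()) for role in roles)


def request_access(user: str, dataset: str, audit_log: list) -> bool:
    """Evaluate the request and record the decision so the activity is auditable."""
    allowed = is_allowed(user, dataset)
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "dataset": dataset,
        "decision": "allow" if allowed else "deny",
    })
    return allowed


def denied_counts(audit_log: list) -> dict:
    """Summarise denials per user: repeated denials are a signal for the SOC to review."""
    counts: dict = {}
    for entry in audit_log:
        if entry["decision"] == "deny":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


if __name__ == "__main__":
    log = []
    request_access("alice", "finance_ledger", log)  # finance user, finance data: allow
    request_access("alice", "payroll", log)         # finance user, HR data: deny
    request_access("bob", "invoices", log)          # HR user, finance data: deny
    request_access("dave", "invoices", log)         # unknown user: deny
    print(denied_counts(log))                       # {'alice': 1, 'bob': 1, 'dave': 1}
```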
- What data do you hold in the SOC?
According to a recent survey, over fifty percent of the data that any organization holds is "dark" data. This means they have no idea what it contains, and they are not even aware they are holding it.
- Back up your organisation data in SOC
GDPR ensures that EU citizens have the right to request access to their data, as well as to request that a company transfer ownership of, or delete, their data. Back up your data to ensure that it is on file if or when your EU customers request it.
The organisation should invest in Business Continuity Planning (BCP) and Disaster Recovery (DR) planning to ensure that its data is always backed up and available.
- What falls under GDPR compliance
GDPR applies to all businesses and organizations established in the EU, regardless of whether the data processing takes place in the EU or not. Organizations established outside the EU are also subject to GDPR: if your business offers goods and/or services to citizens in the EU, then it is subject to GDPR.
- Customer engagement and the GDPR impact
The conditions for obtaining consent are stricter under GDPR requirements: data subjects must have the right to withdraw consent at any time, and there is a presumption that consent will not be valid unless separate consents are obtained for different processing activities. This means you should be able to show that the Data Subject agreed to a certain action, to receive a newsletter for instance.
GDPR has changed a lot of things for companies, such as the way your sales teams prospect or the way that marketing activities are managed. Companies have had to review business processes, applications and forms to be compliant with double opt-in rules and email marketing best practices. For instance, to sign up for communication, prospects will have to fill out a form or tick a check box and then confirm it was their action in a follow-up email.
There are tough penalties for companies and organizations who don't comply with GDPR: fines of up to 4% of annual global revenue or 20 million Euros, whichever is greater.
Most people think that GDPR is just an issue for the IT department, which it is not.
Hence, it is recommended that security operations centers have mandatory processes and procedures in place which are compliant with GDPR.
Vivek is the Senior Technical Lead for IMSS at Happiest Minds. He has 12+ years of experience in IT, with expertise in compliance and in handling projects in GDPR, ISO 27001, Business Continuity Planning,
Disaster Recovery, internal audits, ITSM processes and continual improvement of information security. In his free time he likes to play table tennis, travel and listen to music.