The General Data Protection Regulation (GDPR) is an EU regulation which sets out the minimum requirements for Data Protection in the EU. It is a bit more stringent than the Data Protection Act, which is the current legislation in the UK. The UK has been heavily involved in its development, and it will come into force on 28th May 2018.
As an EU Regulation it immediately becomes law in every member country the day it comes out, and every member state will have to comply from that date.
For further advice and guidance, go to the ICO website and check out these 12 Steps to GDPR which you should be following right now.
It’s all well and good having lots of security controls in place, lots of shiny hardware and the latest software, but how do you know that what you have is effective and is being used by everyone?
That’s what Governance is for. It’s about the oversight of all security related activities to make sure that they are fit for purpose and delivering benefit. It’s normally done through regular reporting, reviews of metrics (ie data which demonstrates how effective controls are) and key performance indicators.
What does this mean in practice? Let me give you an example. Let’s assume that an organisation is security policy states that all relevant critical patches from software vendors must be applied within 1 month of their release. A metric that might be used is to identify the number of machines which don’t have critical patches applied within 2 months, and for those machines to be inspected to find out why.
Grey Hat hacker
In an earlier post we talked about Black Hat hackers, who are effectively the bad guys, and we’ll talk about White Hats later this year (you’ve guessed it, they’re the good guys). Grey Hats fall somewhere in between. They see themselves as doing good, trying to help organisations, but technically they’re breaking the law.
It works something like this. A white hacker has written permission in advance before trying to test a system for vulnerabilities. A grey hat doesn’t have that permission, but tests systems for them anyway. When they find a vulnerability, they either notify the organisation or the company that makes the software they’ve found the vulnerability in, often in the hope they’ll get some kind of reward. It has been known for them to be arrested because they’ve not had that ore-authorisation to carry out their tests.