Good Enough IT Risk Management

The EU GDPR: Three tips that will save you time, money, and worrying.

Thursday, 08 June 2017 / by Jakob Holm Hansen under compliance, eu general data protection regulation, GDPR

In less than a year, the EU Data Protection Regulation comes into force. That’s ample time – if you manage it wisely, that is. Here are three useful tips that will help you prioritise your tasks and make sure your organisation is prepared come 25 May 2018.

The EU data protection regulation is about getting those who process personal data accustomed to the right processes. When it comes to compliance, however, the GDPR is very much about doing what is necessary. No more, no less.

At Neupart we have identified three areas in which you can save time, money, and worrying:


Continuous Compliance with the GDPR

Tuesday, 25 April 2017 / by Jakob Holm Hansen under compliance, eu general data protection regulation, eu gdpr

Climbing that mountain of compliance, over and over again.

The GDPR has been with us for a year, and everyone is (still) panicking. Becoming compliant and staying compliant are two very different things. In this blog post, I will highlight the difference between the two and how to tackle the challenges that may arise along the way.

For the better part of a year, we have all been told that the EU GDPR is here, and that we will need to live up to a host of new requirements. The fear mongers have also told us about the huge fines we will be subject to, and just how far away from being compliant we all are.

So there has been a lot of talk about which requirements we will be hit with, but much less about how to actually run an implementation project. A lot of that talk is based on interpretations of the regulation and, in many cases, on an unfounded over-implementation of it.


Data Protection Officers - Who Needs Them?

Monday, 13 March 2017 / by Jakob Holm Hansen under compliance, eu general data protection regulation, eu gdpr, DPO

Data Protection Officers. It’s a topic that seems to be on everyone’s mind now that we are actively starting to prepare for the implementation of the GDPR, but who really needs them?

Anyone working with information security management is by this stage well aware of the upcoming EU General Data Protection Regulation. Come to think of it, even those not working with information security management have probably heard of it too, considering the amount of coverage it has gotten. It’s no wonder, really, given that the new regulation will be the biggest data protection regulation to date. Even though it is being set by the European Union, it will affect companies worldwide. This is because together, the 28 EU member states not only represent the world’s largest economy, but are the top trading partner for 80 countries. Effectively, this means that any country dealing with personal data from citizens of the European Union will need to comply with the GDPR.

Soon after the news about the GDPR broke, another abbreviation started popping up everywhere: DPO. Of course, a Data Protection Officer is not a new role per se, but with the sudden focus on the legality of data protection, it only makes sense that we start focusing more on their role. In fact, the International Association of Privacy Professionals originally estimated that the new data protection regulation would require 28,000 DPOs in Europe and the United States. They have since increased that number to 75,000 new DPO positions worldwide. 75,000 is a lot of positions to fill, which leads to the question: who needs a Data Protection Officer?


Personal Data Protection - How Hard Can It Be?

Monday, 05 December 2016 / by Lars Neupart under Compliance and task management, ISO Standards, eu general data protection regulation, eu gdpr

Haven’t we had enough? It feels like there’s been an endless stream of GDPR offers lately: courses and certificates, as well as attorneys and consultancies offering an array of services. These services are then presented as absolute necessities if you want to avoid enormous fines as soon as May 2018 hits us.

Of course proper protection of our personal data is vital, and it’s important for companies to comply with the law, so perhaps this barrage of offers is justifiable. But then again, just how difficult can it be to comply with the EU’s new general data protection regulation?


How to comply with the EU GDPR

Wednesday, 28 September 2016 / by Lars Neupart under eu general data protection regulation, eu gdpr

The new EU GDPR is one of the most substantial security initiatives in many years. On the one hand, this is because the regulatory work in the EU has been comprehensive and a long time coming. On the other hand, it is because the consequences of the EU GDPR have important implications for both the private and public sectors in Europe. The EU GDPR identifies many things. One common denominator, and the overall conceptual framework behind the EU GDPR, is that it is considered an exercise in confidence. An exercise in confidence entails the data subject ”lending” their sensitive data to the data controller, and the data controller acknowledging that confidence by taking care of the data, and by always being able to explain - in a meaningful and understandable manner - the purpose for which the information is to be used. This last part has not always been standard practice in the past.


Risk Assessments - What are they for?

Monday, 27 June 2016 / by Jakob Holm Hansen under Risk assessments, risk treatment, Risk management

It is now considered good practice to perform risk assessments - or at the very least to acknowledge that they should be done.

Unfortunately, far too often we see that businesses only conduct risk assessments in order to satisfy some sort of compliance requirement or other type of requirement (audit, contract, statute etc.). If you are lucky, you might have the resources to conduct them once a year.

Typically, you will conduct your risk assessment, speak with your organisation and then finally you submit a fancy report. And then your "project" is done. However, it would be wrong to consider the risk assessment as a project. Risk assessments should be a process. It is a process that involves feedback and continual adjustments.


EU Data Protection Regulation - How Hard Can It Be?

Tuesday, 12 April 2016 / by Lars Neupart under Best practice, Information Security Management, ISMS

Granted, the wording of the new Data Protection Regulation we have just received is complex. The new act entails many requirements as to how companies must process and protect personal data, and not least which processes must function within the companies. The Neupart team at KMD is experienced in finding practical solutions that simplify compliance with information security requirements. We would like to present the approach Neupart has employed in the development of this application.

The EU regulation's requirements are incorporated into the SecureAware ISMS application. Using our latest addition, you can conduct your first gap analysis against the EU regulation.

In the SecureAware window below, the regulation's requirements are shown on the left-hand side, while on the right-hand side you will see a series of links to your information security manual.

If your information security manual is in SecureAware ISMS, a large part of your manual is already mapped to the new personal data requirements.

The reason you can do the gap analysis so easily is that we have placed the EU regulation in the requirements library in SecureAware, alongside the other requirements already there.

The EU Data Protection Regulation is located in the SecureAware ISMS requirement library. 

However, there is even more good news. Once you know where the "holes" are in relation to the new regulation, you can connect efficient task management to your gap analysis. Task management allows you to monitor your compliance status automatically and to report on it easily.

Efficient task management: Tasks are connected to the particular requirements. A task can be anything from a simple "execute" task to a recurring process.

You can also use task management to control ongoing, recurring tasks related to your continued compliance with the new regulation.

Large companies supervise compliance by conducting periodic internal audits; this is also an area supported by the task management function within the application.

It is easy to verify, inspect and conduct an internal audit. There is a who-what-when history of the red-yellow-green progress.

In this way, the processes that every company handling personal data will need to run can be supported.

PS! We have an added benefit for those companies having their IT manuals in SecureAware: We have mapped a large part of your manual onto the new personal data requirements in advance.

At present, the most recent revision of the regulation is included in SecureAware ISMS. Now that the final text is complete, SecureAware will soon be updated to match it.

Hacking online meetings

Monday, 09 November 2015 / by Lars Neupart under Information risk management, Risk assessments, Risk management

By Gaffri Johnson, Neupart

Why risks related to information sharing via calendars and online meeting tools should be included in your annual IT risk assessment.


Risk assessment is a process - 3 reasons to do it again (and again)

Friday, 10 July 2015 / by Lars Neupart under Information risk management, Risk assessments, Risk management

Information security risk assessments are an integral part of managing information security. Unfortunately, it is not uncommon for businesses to consider a risk assessment as something they need to get over with in order to meet certain requirements.


Can you make IT security sexy? - a Guide to Awareness Campaigns

Tuesday, 09 June 2015 / by Lars Neupart under Best practice, Information Security Management, ISMS

Once you have read this article, you will have a good idea of how to approach your IT security awareness campaign. You will get concrete advice on choosing topics, forming alliances and measuring how well your campaign worked.

IT security is hardly known for being the world's sexiest topic. In the eyes of many, it is time-consuming, limiting and boring.

A boring housewife on a TV programme can get the help of a hairdresser, a stylist and fashion experts in highlighting her interesting sides. Similarly, you can give IT security a makeover in order to make the topic more accessible, relevant and exciting.

This is what you do:

  • get the support of the management
  • choose the right topics
  • meet people where they are 

The support of management

You must first and foremost ensure the involvement of the management. There are two reasons for this: 

For one thing, the employees should hear from the management why IT security is important. The message then carries more weight.

For another thing, awareness campaigns are not free. They cost the organisation time. You will only get the resources you need if you make it clear to management why you need an awareness campaign. If an IT audit has resulted in findings and recommendations, or if you need to follow ISO 27001, you will have a compelling argument. Awareness is a requirement set out in ISO 27001 and ISO 27002, so there is no way around it. A focus on IT security can furthermore save you time and money: both your finances and your image take a hit when a user error causes a data leak or system breakdown.

Moreover, awareness is about communication. If this is not your strong suit, you should become good friends with your communications or marketing department, if your company has one. They will be able to help you reach the employees in a language they understand.

Choose the right topics

With the backing of your new allies, you should now figure out the areas on which your awareness campaign should focus. There are many topics to choose from, some heavier than others, so cut anything that is not necessary.

Consider the problems you have experienced based on the ignorance of users. A few examples may be:

  • Guests to the company are not registered when they arrive and they walk around without access cards.
  • Documents with confidential information are lying around in an unlocked room.
  • Sensitive personal information is not sent through secure email (encrypted).

If you are unsure of anything, get hold of the HelpDesk or IT support, if you have those functions. They can tell you what employees most often ask about and what they are unsure of. You can also consider whether you have recently started using new systems or carrying out tasks in a new way. Have the employees become familiar with this, or are there many mistakes?

You will probably find more problems than you can address in a single awareness campaign. Focus on the most important ones and save the less important ones for your next campaign. Make sure to use simple and powerful messages. Prepare short campaigns with simple themes, and run campaigns more often.

Meet people where they are

Now you need to go out and meet people where they are. The employees sit in front of their computers, they eat in the cafeteria and they go to Friday morning meetings. This is where you should meet them. Some ways to do this:

  • Happenings - Little funny things that get people talking. This can involve small figures or other such things placed on the employees’ desks, or handing out chocolate bars in exchange for a promise never to share their passwords with anybody. The possibilities are limited only by your imagination, and it does not even have to be especially expensive.
  • Messages with good advice - E-mails that briefly describe a problem area and how the employee should act.
  • Postings on the intranet - Again: make them short and useful. Once the posting is read, the employee should know precisely what he should (or should not) do and why it is important.
  • Posters in the cafeteria - The posters make employees aware of the campaign and (hopefully) get them talking about why IT security is important.
  • Morning meetings - If everyone is assembled for a weekly morning or Friday meeting, you can try to squeeze in a little speech of your own.
  • Quizzes - A quiz has the benefit of involving the participants. Put up some wine or chocolate as a prize for the employee or department that does best.

An employee awareness quiz can also show management that your awareness campaign has had an effect on people. Set a realistic goal for yourself. If half of all the employees take the quiz, you have done a great job! A quiz also shows you the areas in which you need to do more to train the employees.

So, can you make IT security sexy? You can at least come a long way when you make it accessible, relevant and interesting.

There are many programs that can help you make quizzes. The new SecureAware Quiz module from Neupart not only makes it possible for you to write your own questions and answers, but also follows up on how many have been answered correctly. You also get an entire library of questions and answers concerning IT security from which you can pick. This way you efficiently ensure that the employees are made familiar with the relevant policies and rules, as well as with compliance with standards such as ISO 27001.

About the Author: Lone Forland is a product specialist at Neupart and offers instruction in awareness campaigns, among other topics. Lone Forland furthermore helps Neupart's customers get started with Neupart's ISMS tool, SecureAware, and serves as a liaison between customers and development.

The Neupart blog offers advice and knowledge of effective information security management, security strategies, risk management, compliance with information security standards and other requirements, business continuity planning, ISO2700x, EU Data Protection Regulation, PCI DSS, etc.