A change of culture

By Giancarlo Butti | Monday July 4th, 2016

One of the likely consequences of the entry into force of the GDPR will be the disappearance of the "minimum measures", a well-defined list of security measures that undoubtedly had the merit of spreading knowledge of basic security concepts.

The concept of minimum measures was introduced precisely to avoid a situation in which data controllers, left with a simple self-assessment under Article 31, would not be sufficiently motivated to put proper security measures in place.

Hence also the criminal sanction for failing to comply with these 29 rules, among them the much-discussed DPS (which had the great merit of forcing controllers, in some way, to map their processing operations and to carry out a risk analysis), and which was subsequently "decriminalized" by being removed from the list.

Over these years the obligations envisaged have been subject to many interpretations, or some have been omitted entirely, such as minimum measure 25:

Measures of protection and guarantee

25. The controller who adopts the minimum security measures by making use of parties external to its own organization receives from the installer a written description of the intervention carried out, attesting its compliance with the provisions of this technical specification.

A requirement I have seen respected in only a very limited number of cases in recent years.

A few days ago I was asked, once again, whether an application that does not require a password for access is or is not compliant with the regulatory requirements.

I answered as I always do in these cases: 95% of applications, in particular personal-productivity ones, have no password, yet nobody has ever thought of not using Word or OpenOffice for this reason, nor does anyone consider them non-compliant.

The current rules provide for the assignment of one or more authentication credentials to each person in charge of processing, for access to A SINGLE PROCESSING OPERATION OR A SET OF PROCESSING OPERATIONS.

So it is reasonable to assume that credentials granting access to a specific set of processing operations, such as the workstation login, are enough to allow the use of all the data and applications on that workstation without any additional application-level authentication. This clearly shows how much remains to be done to bridge the gap between theory and practice, and how often, when applying the rules, we rely on what has been learned second-hand from some book or conference instead of on the actual regulatory text.

Adopting the GDPR will require greater accountability on the part of Controllers and Processors, who will have to account for the measures they have implemented.

Category: Legal framework

About Giancarlo Butti

Has dealt with ICT, organization and legislation since the early 80s, covering different roles: security manager, project manager, auditor at banking groups, and consultant in security and privacy to companies of different sectors and sizes. Carries out regular dissemination activity through articles (over 700), books (21 between books and white papers, also used as university texts, and 11 collective works within ABI LAB, the Oracle Community for Security and CLUSIT), technical manuals, courses, seminars and conferences. Participates in working groups at ABI LAB on Business Continuity, Risk and GDPR, at ISACA-AIEA on GDPR and Circular 263, and in the Oracle Community for Security, UNINFO, ASSOGESTIONI and the Committee of experts for the innovation of OMAT360. He is a member of the faculty of ABI Training. He is a partner and proboviro of ISACA-AIEA and a member of CLUSIT and BCI. He holds the following certifications: LA BS7799, LA ISO/IEC 27001:2013, CRISC, ISM, DPO, CBCI, AMBCI.
