Wednesday, December 9, 2015

ATTENTION: SIEM Engineers, Project Managers, and Compliance Auditors (CISA)
I am writing this only because I have not seen anything since this judgment was handed down, and it affects SO MANY processes, procedures, and policies. Please note, this is only applicable to companies with an international (cross border) presence in their transaction, monitoring and/or reporting data footprints. I decided to write a quick summary, as it will have the most impact on shops that have implemented the ITILv3 framework. Your service catalogue won’t need to change; however, your methods of delivering services will.
Can you say ‘Call Centers’, Jimmy?
A couple of months ago, in October 2015, the International Safe Harbor act was deemed invalid. In short, this agreement held the legal principles for the handling of personally identifiable data, or PII as it’s more commonly known, and either gave access to it or limited the methods of parsing, using, storing it, etc.
This affects me and a couple of peers in a Security group, because we have international offices, transactions, processes and/or custom APIs that interact with this data from “Cross Border Source Origination”.
“Who cares?”, you may say. Here are a few examples from a SIEM guy’s perspective:
As you read, please keep in mind that, in any scenario, knowing precisely where data is at any given time is key to a company being compliant and adhering to the previous EU data privacy regulations. Companies’ vested personnel, infrastructure, budgets and compliance enforcement procedures will need to be either:
· Revisited
· Re-validated and verified via third party resources
· Purchase more equipment
· Get more personnel
· Change, recreate or append correlation methodologies
· Change business & billing models and workflows
· Separate logging, zoning, notification and baseline logic components
· COMPLETELY redesign zones
· Purchase resources to store logs abroad
· Double the granularity of auditing
· Monitor, and log ALL flows
· Develop APIs that may interact with the dataset
Now SLAs, deployment projects, security monitoring and logging will need to change their current implementations, or amend any plans that may already be out of the door.

Here are some references:

Just a quick FYI, in case you need to scream, point fingers or just blame someone: blame Facebook. The catalyst behind this was a lawsuit over how Facebook handled someone’s personal data, and the judge ruled in his favor, which puts many engineers, SLAs and projects in peril unless they are changed. Please take a moment to read some of the references, definitions, and FAQs on what you should do, using the URLs I have included above.

Joe Piggeé Sr.
GCIH, VCP5DVC, MCSE, ITILv3
Systems Security Engineer
