Compliance to Enablement: Enterprise Security Architecture & GDPR. Maurice Smit, SABSA Instructor & Principal Consultant


Page 1: Compliance to Enablement - SABSA & GDPR

Compliance to Enablement

Enterprise Security Architecture & GDPR

Maurice Smit

SABSA Instructor &

Principal Consultant

Page 2: Compliance to Enablement - SABSA & GDPR

SABSA Framework & Methodology

Methodology for developing business-driven, risk and opportunity focused enterprise security & information assurance architectures, and for delivering security infrastructure solutions that traceably support critical business initiatives

Comprised of a number of integrated frameworks, models, methods and processes

© 2017 David Lynas Consulting Ltd 2

Page 3: Compliance to Enablement - SABSA & GDPR

The World’s Leading Security Architecture

Free use methodology and framework

6000+ certified Architects in 50+ countries

Formal regulated professional Institute

Official and de facto standard in Government, Finance & Industry


Change the Landscape of Security & Risk Management, Enable Business and Bring Demonstrable Value to Your Security Program

www.SABSA.org

Page 4: Compliance to Enablement - SABSA & GDPR

Top 10 SABSA Applications

Security Architecture

Enterprise Architecture

Traceability & Alignment of Solutions to Business Requirements

Enterprise Risk & Opportunity Management

Assurance, Compliance & Audit

Governance & Policy Architecture

Technical Solution Design

Integration & Alignment of approaches, frameworks & standards

Security Service Management / Security Programme Management

Critical National Infrastructure Strategy


Page 5: Compliance to Enablement - SABSA & GDPR

Concepts, Models & Frameworks

Business Attributes Profiling

Threat & Opportunity Model

Multi-Tiered Control Strategy

Two-way Traceability

Extended RACI Matrix

Policy Framework

Domain Modelling


Page 6: Compliance to Enablement - SABSA & GDPR

Approaches to Traceability

A flawed approach:

Stakeholder: “I need to sell more product”

Security: “Then you need a firewall”

A credible approach: collect business drivers, goals and objectives first

Stakeholder: “I need to sell more product”

Security: “We can sell more product if security enhances the core product through higher levels of trust and ease of use”

Page 7: Compliance to Enablement - SABSA & GDPR

SABSA Business Attributes Profiling

Provides an engineering technique for modelling business requirements in a normalised, measurable, demonstrable, re-usable and reportable form

The “Things that matter most”

Instinctive to stakeholders at all levels

Measurable to define performance targets and risk appetite

Provides the missing link between Business and Security


Page 8: Compliance to Enablement - SABSA & GDPR

SABSA Attributes Profiles

Each attribute needs a:

Name

Definition

Classification/Category

Measurement Approach

Metrics type

Performance Target


Page 9: Compliance to Enablement - SABSA & GDPR

Attributes for Two-way Traceability


Page 10: Compliance to Enablement - SABSA & GDPR

Attributes for Threat & Opportunity Management


Page 11: Compliance to Enablement - SABSA & GDPR

Attributes for Strategic Planning / Roadmap


Page 12: Compliance to Enablement - SABSA & GDPR

Attributes for Executive Reporting


Page 13: Compliance to Enablement - SABSA & GDPR

SABSA Applied


Page 14: Compliance to Enablement - SABSA & GDPR

Business Targets – Enterprise Strategy

Empower people to stay a step ahead in life and in business

Banking should be possible anytime and anywhere

Customers need to understand their choices, and the implications, both today and for the future

Our strengths include our well-known, strong brand with positive recognition from customers in many countries, strong financial position, omni-channel distribution strategy and international network

We are Honest – We give honest, clear and frank advice to our customers. We respect the law and the rules we set for ourselves. We tell the truth


Page 15: Compliance to Enablement - SABSA & GDPR

Business Targets – Enterprise Strategy

Empower people to stay a step ahead in life and in business [Empowered]

Banking should be possible anytime and anywhere [Accessible, Continuous]

Customers need to understand their choices, and the implications, both today and for the future [Informed, Intelligible]

Our strengths include our well-known, strong brand with positive recognition from customers in many countries, strong financial position, omni-channel distribution strategy and international network [Branded, Reputable, Sustainable]

We are Honest – We give honest, clear and frank advice to our customers. We respect the law and the rules we set for ourselves. We tell the truth [Honest, Trustworthy, Compliant]


Page 16: Compliance to Enablement - SABSA & GDPR

Business Attributes

Empowered

Branded

Sustainable

Informed

Intelligible

Trustworthy

Honest

Compliant

Reputable

Accessible

Page 17: Compliance to Enablement - SABSA & GDPR

Cascading the Strategy


Page 18: Compliance to Enablement - SABSA & GDPR

Cascading the Strategy


Page 19: Compliance to Enablement - SABSA & GDPR

Cascading the Strategy


Page 20: Compliance to Enablement - SABSA & GDPR

Integrated Compliance Framework


[Figure: frameworks integrated through the attributes profile; only the labels are recoverable]

Balanced Scorecards

Capability Maturity Models

Financial Models (ROI/NPV/IRR)

ISO 27005

ISO 31000

Business Legislation

Business Sector Regulation

COSO

Total Quality Framework

Page 21: Compliance to Enablement - SABSA & GDPR

Labelling


Page 22: Compliance to Enablement - SABSA & GDPR

Big Data


Page 23: Compliance to Enablement - SABSA & GDPR

Processing Customer Information

The EU’s General Data Protection Regulation (GDPR) is among the most stringent privacy mandates in the world. The penalty for the most serious violations can be up to 20 million euros or 4% of the company’s total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83).

The Regulation applies from 25 May 2018. By then, governance of unstructured personal data must be centralised across on-premises and cloud (3rd party) environments.


Page 24: Compliance to Enablement - SABSA & GDPR

GDPR – Example Articles

Beyond appointing a Data Protection Officer (Article 37) and establishing a legal basis for processing (Article 6), the Regulation gives data subjects enforceable rights, for example:

Right of Access by the Data Subject (15)

Right to Rectification (16)

Right to Erasure/to be Forgotten (17)

Right to Restriction of Processing (18)

Right to Object (21)

Standard of Consent (7, read with Recital 42)

(numbers are articles of Regulation (EU) 2016/679, the GDPR, which repeals Directive 95/46/EC)


Page 25: Compliance to Enablement - SABSA & GDPR

Standard of Consent

Recital 42 of the Regulation (page 8 of the Official Journal text):

“(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular, in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”


Page 27: Compliance to Enablement - SABSA & GDPR

GDPR Attributes

Demonstrable

Intelligible

Accessible

Identified


Page 28: Compliance to Enablement - SABSA & GDPR

Threat & Opportunity Model

[Figure: the SABSA Threat & Opportunity Model, placed in a Risk Context and linked to the Attributes; only the labels survive extraction]

Negative side: Threats lead to a Loss Event with Negative Outcomes

Overall likelihood of loss, from the likelihood of the threat materialising and the likelihood of the weakness being exploited

Overall loss value, from the asset value and the negative impact value

Positive side: Opportunities lead to a Beneficial Event with Positive Outcomes

Overall likelihood of benefit, from the likelihood of the opportunity materialising and the likelihood of the strength being exploited

Overall benefit value, from the asset value and the positive impact value

Page 29: Compliance to Enablement - SABSA & GDPR

Threats and Opportunities to GDPR Attributes

Threat to Demonstrable and Intelligible: Consent is incomplete regarding data actually stored/processed.

Threat to Accessible: Consent is not easily accessible, unclear process for viewing consent.

Opportunity of Demonstrable and Intelligible: Data Subject is informed about what we do in clear and readable words.

Opportunity of Accessible: Data Subject and Controller both have quick access to the boundaries of data stored/processed.


Page 30: Compliance to Enablement - SABSA & GDPR

Multi-Tiered Attributes for Compliant


Page 31: Compliance to Enablement - SABSA & GDPR

Threats and Opportunities to Traceable and Labelled


Attribute: Traceable

Threats:
- Gathered data is not linked to a Data Subject profile
- Gathered data contains other Data Subjects' information, disclosing unwanted information

Opportunities:
- Provide real-time/efficient processing of Data Subject consent, rejection and deletion
- Exchange data with 3rd Parties and the Data Subject easily

Attribute: Labelled

Threats:
- Storing unstructured data (without a real purpose)

Opportunities:
- Structured and labelled data provides a relevant picture of the customer using the product(s), increasing productivity and product development
- Increase of Trustworthiness due to smooth data processing
- Efficient data exchange with 3rd Parties
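The consent-related threats listed on pages 29 and 31 (consent incomplete relative to what is actually stored or processed, consent not easily accessible, stored data not linked to a subject, one subject's export disclosing another subject's data) can be made checkable in code. What follows is an added example, not code from this deck or from David Lynas Consulting: a hypothetical consent ledger whose event shape, purposes, data categories, subjects and dates are all constructed for illustration. It models the Recital 42 duty to demonstrate consent as a hash-chained, append-only event log, the Accessible attribute as a per-subject evidence export, and the Traceable and Labelled attributes as per-item labels that drive a consent-gap check and a subject access export that cannot leak other subjects' data.

```python
"""Added example (not from the SABSA deck): a consent ledger that makes the GDPR attributes
Demonstrable, Accessible, Traceable and Labelled checkable. All shapes and sample data are hypothetical."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor for the first hash in the chain

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    controller: str        # Recital 42: the subject must know the controller's identity
    purposes: frozenset    # purposes named in the declaration
    categories: frozenset  # data categories named in the declaration
    given: bool            # True = consent given, False = consent withdrawn
    at: datetime           # tz-aware time of the declaration

@dataclass(frozen=True)
class DataItem:
    subject_id: str  # Traceable: every stored item is linked to exactly one subject
    category: str    # Labelled: what kind of data it is
    purpose: str     # Labelled: the purpose it was collected for
    value: str

class ConsentLedger:
    """Append-only, hash-chained consent events: the Demonstrable attribute."""
    def __init__(self):
        self._events, self._hashes = [], []

    @staticmethod
    def _digest(prev, ev):
        body = json.dumps({"subject": ev.subject_id, "controller": ev.controller,
                           "purposes": sorted(ev.purposes), "categories": sorted(ev.categories),
                           "given": ev.given, "at": ev.at.isoformat()}, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def record(self, ev):
        self._hashes.append(self._digest(self._hashes[-1] if self._hashes else GENESIS, ev))
        self._events.append(ev)

    def verify_chain(self):
        """Recompute every hash; an edited, inserted or removed event breaks the chain."""
        prev = GENESIS
        for ev, h in zip(self._events, self._hashes):
            if self._digest(prev, ev) != h:
                return False
            prev = h
        return True

    def consent_at(self, subject_id, when):
        """Purposes and categories the subject had consented to at `when`: events are
        replayed in order, and a withdrawal removes exactly what it names."""
        purposes, categories = set(), set()
        for ev in self._events:
            if ev.subject_id != subject_id or ev.at > when:
                continue
            for held, named in ((purposes, ev.purposes), (categories, ev.categories)):
                (held.update if ev.given else held.difference_update)(named)
        return purposes, categories

    def evidence(self, subject_id):
        """Accessible: the subject's own consent history, each entry with its chain hash."""
        return [{"hash": h, "given": ev.given, "controller": ev.controller, "at": ev.at.isoformat(),
                 "purposes": sorted(ev.purposes), "categories": sorted(ev.categories)}
                for ev, h in zip(self._events, self._hashes) if ev.subject_id == subject_id]

def consent_gaps(ledger, items, when):
    """Items held without consent covering both their category and purpose at `when`:
    the 'consent is incomplete regarding data actually stored/processed' threat."""
    gaps = []
    for it in items:
        purposes, categories = ledger.consent_at(it.subject_id, when)
        if it.purpose not in purposes or it.category not in categories:
            gaps.append(it)
    return gaps

def subject_access_export(items, subject_id):
    """Right of access built on labels: only this subject's items are returned, so
    another subject's data is never disclosed (the Traceable threat)."""
    return [it for it in items if it.subject_id == subject_id]

def build_sample():
    """Constructed sample: two consenting subjects, one withdrawal, one unconsented subject."""
    led = ConsentLedger()
    led.record(ConsentEvent("alice", "ExampleBank", frozenset({"service", "marketing"}),
                            frozenset({"contact", "usage"}), True, utc(2018, 5, 25)))
    led.record(ConsentEvent("bob", "ExampleBank", frozenset({"service"}),
                            frozenset({"contact"}), True, utc(2018, 5, 25)))
    led.record(ConsentEvent("alice", "ExampleBank", frozenset({"marketing"}),
                            frozenset(), False, utc(2018, 6, 1)))  # Alice withdraws marketing
    items = [DataItem("alice", "contact", "service", "alice@example.org"),
             DataItem("alice", "usage", "marketing", "clicked offer"),  # gap after the withdrawal
             DataItem("bob", "contact", "service", "bob@example.org"),
             DataItem("bob", "usage", "service", "12 logins"),  # gap: category never consented
             DataItem("carol", "contact", "service", "carol@example.org")]  # gap: no consent
    return led, items
```

Run consent_gaps over the data inventory before each processing run; a non-empty result is the page 29 threat made visible, and the time argument lets the same check answer "was this lawful when it happened" during an investigation. The hash chain detects edits to the history but does not stop an insider with write access from rewriting the whole ledger; anchoring the latest hash somewhere the controller cannot quietly alter (a signed timestamp, a write-once store) is what turns the log into evidence a supervisory authority will accept.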

Page 32: Compliance to Enablement - SABSA & GDPR

Multi-Tiered Attributes and Systemic relations


Page 33: Compliance to Enablement - SABSA & GDPR

More GDPR

Another GDPR example, from Recital 71 (on profiling and automated decision-making): “[..] secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation [..]”

Read as a security requirement, this means at the very least preventing unauthorised access to personal data, so that the special categories it lists can neither leak nor be used to discriminate.


Page 34: Compliance to Enablement - SABSA & GDPR

Attribute Secure in GDPR


Page 35: Compliance to Enablement - SABSA & GDPR

Conclusion

SABSA techniques, models and concepts let us demonstrably enable the business while tracing the effect of regulations onto the organisation's elements, goals and targets.

We have shown that, with an architected approach, compliance can enable the business and help it achieve its goals.


Page 36: Compliance to Enablement - SABSA & GDPR

David Lynas Consulting Ltd, 17 Ensign House, Admirals Way, London E14 9XQ, UK

@SABSAcourses

davidlynas.com

[email protected]

+44 (0) 207 863 7834

SABSAcourses