Two weeks ago we wrote about GDPR and the requirement to address USB Data Loss. This week we will be diving deeper into the specifics of GDPR, our interpretation and how secRMM can help.
As a recap, GDPR is the new regulation to protect EU citizens’ personal data, replacing the current directive from 1995 and establishing a single set of rules across the European Union.
GDPR outlines a set of obligations organizations have with respect to data encryption and storage, handling personal data, record keeping and breach notification. Failure to meet those obligations can be costly, with fines of up to €20 million or 4% of a company’s total worldwide annual turnover, whichever is greater. Non-European companies don’t escape the reach of GDPR either: a company based outside the EU that offers goods or services to people in the EU, or monitors their behaviour, is required to meet the GDPR requirements.
Below we will highlight the specific GDPR articles that relate to USB Data Loss, our interpretations of the requirements and how we can help.
Article 30 – Records of Processing Activities
GDPR specifies: “1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: (g) a general description of the technical and organisational security measures referred to in Article 32(1).”
“2. Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing: (d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).”
Our interpretation: The Article 30 record is a register of processing activities, and items 1(g) and 2(d) require it to describe the security measures that are in place. For personal data copied to or from USB devices, the evidence that those measures actually operate is the audit trail, so it is critical that very detailed audit records are created and retained for every copy operation.
How secRMM can help: secRMM has unrivaled audit capability. Every write of data to a USB device is audited and the record is stored in the Windows event log. From the source perspective this includes the full path of the file, including the network (UNC) path where the file came from a share, as well as the machine and user identifiers. From the USB destination perspective it captures the device identifier (vendor ID and device ID) and the manufacturer.
Article 32 – “Security of processing” – Part 1 a,b
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
Our interpretation: As it applies to USB devices, this part of Article 32 fundamentally means encryption. Item (a) names encryption explicitly, and the confidentiality required by item (b) is about protecting information from disclosure to unauthorized parties. When it comes to USB, the two mechanisms that achieve this are to block copying of data to removable devices altogether, or to ensure that any data copied to those devices is encrypted so that a lost or stolen device does not disclose it.
How secRMM can help: secRMM has robust controls to manage access to USB and attached removable devices. secRMM can deny write access to non-encrypted storage, and you can block or allow devices by vendor ID and device ID. With smartphones replacing thumb drives as an easily accessible removable medium, you can even require on-device authentication using the secRMM app, so that only authorized users are able to copy files, and only to authorized removable devices. Because the controls are selective rather than all-or-nothing, you can continue to support USB instead of blocking it completely, and so avoid hampering employee productivity with unnecessary roadblocks.
Article 32 – “Security of processing” – Part 2
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
Our interpretation: This paragraph is about assessing the risks of loss, alteration and unauthorized disclosure, which for removable media means preventing data leakage. From a USB perspective it is a requirement to stop the “USB device found in the parking lot with customer data on it” scenario from happening.
How secRMM can help: secRMM is a Data Loss Prevention solution for USB and removable media. As with the confidentiality requirement above, the goal is preventing unauthorized disclosure. Using secRMM’s capabilities to require encryption, to restrict writes to specific supported secure devices, and to require on-device authentication via our smartphone app will allow you to meet this requirement for USB and removable media. Additionally, secRMM can prevent the writing of data to USB devices by file type or file name, providing a further level of control against unauthorized copying of personal data to removable devices.
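The controls described in the Article 32 sections above (allow or block by vendor ID and device ID, deny writes to unencrypted storage, block by file type or name) and the audit fields listed under Article 30 (source path including UNC path, machine, user, device identifier, manufacturer) can be illustrated with a small policy evaluator. The following is an added example written for this page; it is not secRMM code and does not reflect secRMM’s internal record format. The field names, the policy structure, the approved vendor/device ID pair and the sample events are all assumptions constructed for illustration.

```python
"""Toy write-policy evaluation and audit record generation for removable media.

Added example for illustration only; not secRMM code. The record layout,
policy shape, device IDs and sample events below are all assumptions.
"""
from dataclasses import asdict, dataclass
from fnmatch import fnmatchcase
from typing import Iterable


@dataclass(frozen=True)
class UsbWriteEvent:
    """One attempted copy of a file from a host to a removable device."""
    user: str                    # e.g. "CORP\\alice"
    machine: str                 # host the copy was attempted from
    source_path: str             # full path; UNC path if the source is a share
    vendor_id: str               # USB vendor ID, 4 hex digits
    product_id: str              # USB product/device ID, 4 hex digits
    manufacturer: str            # manufacturer string reported by the device
    destination_encrypted: bool  # whether the target volume is encrypted

    @property
    def file_name(self) -> str:
        # Handles both local (C:\...) and UNC (\\server\share\...) paths.
        return self.source_path.replace("/", "\\").rsplit("\\", 1)[-1]


@dataclass(frozen=True)
class UsbPolicy:
    allowed_devices: frozenset           # {(vendor_id, product_id)} in lower-case hex
    require_encrypted_destination: bool  # deny writes to unencrypted volumes
    blocked_name_patterns: tuple         # fnmatch patterns, matched case-insensitively


def evaluate(event: UsbWriteEvent, policy: UsbPolicy) -> tuple[str, str]:
    """Return ("allow" | "deny", reason). Checks run in order of severity:
    unknown device, then unencrypted destination, then blocked file name."""
    device = (event.vendor_id.lower(), event.product_id.lower())
    if device not in policy.allowed_devices:
        return "deny", f"device {device[0]}:{device[1]} not on allow list"
    if policy.require_encrypted_destination and not event.destination_encrypted:
        return "deny", "destination volume is not encrypted"
    name = event.file_name.lower()
    for pattern in policy.blocked_name_patterns:
        if fnmatchcase(name, pattern.lower()):
            return "deny", f"file name matches blocked pattern {pattern!r}"
    return "allow", "all checks passed"


def audit_record(event: UsbWriteEvent, policy: UsbPolicy) -> dict:
    """Build the audit record: every event field plus the decision and reason,
    so that allowed and denied copies alike leave a trail."""
    decision, reason = evaluate(event, policy)
    record = asdict(event)
    record.update(decision=decision, reason=reason)
    return record


def audit_all(events: Iterable[UsbWriteEvent], policy: UsbPolicy) -> list:
    return [audit_record(e, policy) for e in events]


# Hypothetical policy: one approved device model, encryption mandatory,
# spreadsheets/CSV exports and anything named "customer" blocked.
POLICY = UsbPolicy(
    allowed_devices=frozenset({("1234", "5678")}),   # assumed approved VID:PID
    require_encrypted_destination=True,
    blocked_name_patterns=("*.xlsx", "*.csv", "*customer*"),
)

# Constructed sample events, not captured from any real system.
SAMPLE_EVENTS = (
    UsbWriteEvent("CORP\\alice", "WS-01", "\\\\fileserver\\hr\\policy.pdf",
                  "1234", "5678", "ExampleCorp", True),
    UsbWriteEvent("CORP\\bob", "WS-02", "C:\\Users\\bob\\Documents\\notes.txt",
                  "1234", "5678", "ExampleCorp", False),
    UsbWriteEvent("CORP\\carol", "WS-03", "\\\\fileserver\\crm\\customer_export.xlsx",
                  "1234", "5678", "ExampleCorp", True),
    UsbWriteEvent("CORP\\dave", "WS-04", "C:\\temp\\readme.txt",
                  "9999", "0001", "UnknownVendor", True),
)

if __name__ == "__main__":
    for rec in audit_all(SAMPLE_EVENTS, POLICY):
        print(rec["decision"].upper(), rec["user"], rec["machine"],
              rec["source_path"], "->", f"{rec['vendor_id']}:{rec['product_id']}",
              "|", rec["reason"])
```

Run as written, the script allows only the first sample copy and denies the other three, each with a distinct reason (unencrypted destination, blocked file name, device not on the allow list). Note that the record is emitted for allowed copies too; a log that only captured denials would not satisfy the Article 30 description of what is actually being processed.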
Article 32 – “Security of processing” – Part 4
4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
Our interpretation: From a USB and policy point of view, this requires that any move of personal data to USB removable storage is done on the instruction of the controller. From a technology implementation perspective this is addressed by deploying policy that governs how information may be accessed and copied to USB, and by logging every modification of that policy to the audit log.
How secRMM can help: secRMM not only audits and controls the ability to access and write to USB removable media, it also audits modifications to the policies themselves. Because the administrator making those changes acts as the controller, or under the controller’s authority, every policy change is logged and recorded, which supports your adherence to this requirement.
GDPR is coming quickly and will be enforced from 25 May 2018. Take the time now to ensure that USB and removable media are part of your data protection plan.
What to do next?
Contact us to see a demonstration of our solution.
Or watch an overview of the secRMM integration with Microsoft System Center.
Or if you’re really impatient, jump right to downloading the trial.