GDPR score card report
The EU General Data Protection Regulation (GDPR) is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy. Various articles about the EU GDPR, as well as information on its business impact, can be found throughout the web.
BMC Defender SIEM Correlation Server and BMC AMI Command Center for Security, as Security Information and Event Management (SIEM) systems, assist with satisfying the intent of GDPR. They can further furnish evidence of an organization's compliance (or of deficiencies in compliance) needed to support this EU Regulation, as discussed in this section.
Description
The BMC Defender Server contains multiple elements necessary to support GDPR security and other requirements with no modification or adaptation of the software. In particular, the server system includes elements needed to furnish and verify data security, as well as furnish compliance with ISO-27001 standards.
In addition to these standard functions, a pre-configured GDPR package is available that can be added to the server system to create a GDPR Score Card and furnish additional elements to assist with demonstrating and monitoring GDPR compliance. This package includes correlation threads and Score Card templates. This feature, while not strictly required to establish compliance with GDPR, is useful as a means of organizing the SIEM data around the detailed precepts of GDPR as defined by the EU regulations.
Caveat
The data in this section furnishes essential functionality to assist the implementing organization to achieve GDPR compliance.
The other steps associated with GDPR compliance, such as the ability to purge user data (for example, to support the right to be forgotten), as well as other elements (such as specific controls related to protecting children and minors), might require additional attention as part of the compliance strategy.
GDPR and ISO-27001
An important aspect of GDPR is its close association with compliance requirements set forth in ISO-27001 and other codified security standards, related to general security and risk assessment associated with the managed enterprise.
The ISO 27001 standard is a framework for information protection and security, stating policies and procedures that include the legal, physical, and technical controls involved in an organization's information security and risk management processes. For ISO 27001 implementations that identify personal data as a controlled item, the GDPR requirements are largely (but not wholly) covered. In particular, GDPR specifically requires the user and controller to implement a security framework, as stated in Recital 81. Also, Article 32 states: The adherence of the processor to an approved code of conduct or an approved certification mechanism might be used as an element to demonstrate compliance with the obligations of the controller.
The preceding statement, drawn from Recital 81 and Article 32 of the GDPR legislation, requires the organization to use an accepted, standards-based security standard. The principal standard used in the EU is the ISO 27001 specification, which is cited throughout the score card. Other compliance standards (such as PCI-DSS) might also be acceptable; the score card could be modified accordingly if needed.
GDPR Score Card description
The central component of the GDPR support software is the GDPR Score Card, which maps the various correlation and message collection items of the BMC Defender Server system to GDPR compliance requirements.
In general, BMC Defender Server score cards furnish an explicit mapping to compliance requirements, so that an auditor or manager can easily verify each category of required compliance. The reports permit easy identification of the security standard requirements and show that the data is collected for each requirement.
A detailed description of the general score card function, including a discussion of PCI-DSS, HIPAA, and other compliance standards, is in the BMC Defender Audit Report Generation Manual, which can be found in the More > User Manuals screen. The Score Card facility itself is accessed through the Reports > Audit > Score Cards tab of the system.
The BMC Defender GDPR Score Card furnishes twelve broad categories of required compliance, which appear on the score card and are listed below:
- GDPR #01 - Identification of Data Stores—Devices containing or processing private information shall be identified, monitored, and controlled. (Ref: GDPR Recitals 1, 26, 30; and GDPR Article 5)
- GDPR #02 - Network Controls—(ISO 27001.A.10.6.1) Networks shall be adequately managed and controlled, including information in transit. (Ref: GDPR Recitals 49, 81; and GDPR Articles 44, 48)
- GDPR #03 - Security of Network Services—(ISO 27001.A.10.6.2) Security features, service levels, and management requirements of all network services shall be identified and included. (Ref: GDPR Recitals 39, 49, 81; and GDPR Article 32)
- GDPR #04 - Audit Logging—(ISO 27001.A.10.10.1) Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period. (Ref: GDPR Recital 81; and GDPR Articles 28, 30, 32)
- GDPR #05 - Monitoring of System Usage—(ISO 27001.A.10.10.2) Monitoring of information processing facilities shall be established and reviewed. (Ref: GDPR Recital 81; and GDPR Articles 30, 32, 39)
- GDPR #06 - Protection of Log Information—(ISO 27001.A.10.10.3) Logging facilities and log information shall be protected against tampering and unauthorized access. (Ref: GDPR Recitals 19, 81; and GDPR Article 23)
- GDPR #07 - Administrator and Operator Controls—(ISO 27001.A.10.10.4) System administrator and system operator activities shall be logged. (Ref: GDPR Recital 39; and GDPR Articles 28, 32, 40)
- GDPR #08 - Fault Logging—(ISO 27001.A.10.10.5) Faults shall be logged, analyzed, and appropriate action taken. (Ref: GDPR Recital 39; and GDPR Articles 32, 40)
- GDPR #09 - Data Store Integrity—The integrity of all data stores containing personal data shall be continuously monitored. (Ref: GDPR Recital 81; and GDPR Articles 32, 83)
- GDPR #10 - Data Transfer Monitoring—All data transfers of private personal data, outside of the managed organization, by any means, shall be logged and monitored. (Ref: GDPR Recitals 1, 39; GDPR Articles 30, 32, 48)
- GDPR #11 - Security Notifications—The chief data protection officer shall be notified of any breaches or events related to the integrity or security of personal data. (Ref: Recitals 85, 87; GDPR Articles 37, 39, 57)
- GDPR #12 - Security Reviews—Security officers and IT personnel shall receive and review daily reports pertinent to the GDPR process, and shall verify that the intents of GDPR are satisfied. (Ref: Recitals 11, 74; GDPR Articles 24, 41)
Each GDPR requirement cites a particular MAJOR requirement of the GDPR regulation (a Recital, an Article, or both). Additionally, for those items that relate to the GDPR security requirements, an ISO 27001 specification is included that furnishes further guidance.
GDPR detailed discussion
The twelve categories listed are intended to help organize the GDPR requirements and are not explicitly part of the GDPR specification. The categories are derived from the GDPR specification and represent a well-organized approach to GDPR compliance, but they are not the only way the requirements could be organized.