It is now widely recognised that security is not a product but a continuous process: experience shows that security and confidentiality are two fundamental properties of corporate systems, that adequate resources are needed to guarantee them, and above all that they require periodic review, re-evaluation and consequent re-implementation, which makes the process anything but trivial. With this awareness, the legal framework has evolved considerably following the approval of “REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL” of 27 April 2016, better known as the “GDPR” (General Data Protection Regulation), applicable from 25 May 2018. Paragraph 2 of Art. 5 GDPR sets out the principle of “accountability” for the Data Controller: the Controller is responsible for, and must be able to demonstrate compliance with, paragraph 1 of the same article, which includes, among others, the principle of “integrity and confidentiality”, namely that personal data are processed “in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. Paragraph 1 of Art. 32 GDPR then details further security measures, such as (subparagraph a) “the pseudonymisation and encryption of personal data” and (subparagraph d) “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”.
It is therefore necessary to establish what is meant by “appropriate” security or an “effective” measure: the GDPR provides for significant sanctions in case of non-compliance, so it is essential to start the path of technical alignment with the regulation.
In order to conduct the Cybersecurity Gap Analysis from the GDPR perspective, our methodology starts from the definition of the corporate perimeter. It then rests on three fundamental steps: the assessment of security controls, the security risk assessment, and the census of corporate applications together with their security measures.
The first step is articulated in three actions. The first is the check of the management of system administrator functions (the Italian Data Protection Authority Decision of 27 November 2008 and its subsequent amendments, available on the Data Protection Authority’s website: www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1577499). The second is a checklist of minimum security measures, re-elaborated from the now repealed Annex B of the Privacy Code. The third is the verification of the broader security measures required from the GDPR perspective, defined as a synthesis of the ISO/IEC 27001:2013 standard and of ENISA’s “Technical Guidelines for the implementation of minimum security measures for Digital Service Providers” (www.enisa.europa.eu/publications/minimum-security-measures-for-digital-service-providers). Wherever possible, we collect evidence and document compliance with each control. Please note that we will assist you in gathering all the material and information requested.
The second step of the methodology is the security risk analysis. Conducted in line with the ISO/IEC 27005:2018 standard, it highlights the main risks, which are then treated together with an outline of possible mitigations.
The third step of the methodology is the census of all privacy-relevant applications used within the Company, namely all the software through which personal data can be processed, and the verification of the security measures applied to each of them.
All the information and documents received during the three steps of the methodology are analysed by us in order to describe the current state of the Company’s security measures, any gaps found, and the emerging risks that endanger data and assets within the company perimeter. This is fully described in a detailed Activity Report, which documents the methodology followed so that the assessment can be periodically repeated, lists each gap encountered together with the related recommendations for raising the company’s security level, and includes simple and intuitive graphs that identify critical and secure areas.
Such a report does not serve only the “mere” alignment of the company perimeter with Art. 32 GDPR: it remains a reference document in the event of inspections and future audits, and a solid starting point for undertaking certification processes for the company’s IT security, thanks also to the recorded evidence and the information it contains.