2018 has already proven to be a BIG year for cybersecurity. It’s no surprise that with the influx and advancements of major technologies requiring cloud storage (a model of digital data) comes the simultaneous influx of cybersecurity vulnerabilities. This includes chip security susceptibilities, which inevitably prompts initiatives such as the upcoming release of the European Union’s General Data Protection Regulation (GDPR). How can you be sure your data is protected with Gensuite by your side?
Recent Chip Security Vulnerabilities
In response to the recently discovered hardware vulnerabilities with several tech providers (Intel/ARM chips; Meltdown and Spectre), Gensuite has planned actions to minimize such cybersecurity risks.
Gensuite has been actively working with vendors and service providers to obtain and properly test patches to these vulnerabilities as quickly as possible. We have completed our assessment and verified that Gensuite hardware/devices directly accessible from the Internet are not affected by Spectre and Meltdown. We’ve also currently halted installation of any software on all infrastructure and enhanced the oversight and monitoring of our highly privileged user accounts. Gensuite does not run in a shared multi-tenant environment and all Gensuite hardware is strictly dedicated for Gensuite use. The hardware which is susceptible to Spectre sits behind our protected firewalls and is not directly accessible from the Internet.
Gensuite will also be rolling out hypervisor patches to a private cloud. All Windows patches are currently scheduled to be applied during our January 20th maintenance window. Since there are currently no active exploitations, we don’t feel the need to do immediate patching and cause downtime for our users. However, if an active exploit is released, we will expedite the patching window.
EU General Data Protection Regulation
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from when the original 1995 directive was established. Here are the key principles of the updated directive:
- Increased Territorial Scope: Applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.
- Penalties: Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater).
- Consent: The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions.
- Breach Notification: Breach notifications will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”.
- Right to Access: Part of the expanded rights is the right for data subjects to obtain from the data controller confirmation whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
- Right to be Forgotten: Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Data Portability: The right for a data subject to receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine-readable format’ and to transmit that data to another controller.
- Privacy by Design: Calls for the inclusion of data protection from the onset of the designing of systems, rather than as an addition.
- Data Protection Officers: It will not be necessary to submit notifications/registrations to each local DPA of data processing activities, nor will it be a requirement to notify/obtain approval for transfers based on the Model Contract Clauses (MCCs). Instead, there will be internal recordkeeping requirements.
The EU GDPR is set to take effect on May 25th, 2018 and the Gensuite system will ensure compliance with GDPR by the May 2018 deadline. Gensuite is continuously committed to maintaining a comprehensive data protection scheme that is compliant with the laws of all applicable jurisdictions, including the EU’s GDPR. We are currently in the process of identifying and implementing appropriate changes to our system.
Gensuite will continue to be actively engaged throughout 2018 to ensure that we are a top provider in the security compliance and management systems functional space. For all your security management needs, visit https://www.gensuite.com/security/ and contact us today!