[MUSIC PLAYING] Hi, I'm Colin Truran from Quest Software, principal technology strategist. And today, we're going to talk about GDPR. This is the second of three videos. We're going to talk about what we need to be looking at, as far as an organization is concerned. So the first thing we need to do-- GDPR is a process. It's not a software solution. You can't solve this with software. You can help with software.
So organizations need to establish a GDPR or framework. They need to be going through a discovery and assessment phase. They need to be designing and informing all of the people that are involved. They need to be transforming their business. They need to be operating that business, then understanding that transformation's effect, evaluating it. And then, they need to make sure that they're conforming. So they need to feed that back in. It's a never-ending cycle.
GDPR is not a one stop process. So a data protection officer-- or whoever is responsible in your organization-- needs to be keeping in mind some of those key principles. And they're going to be looking at things as well at the top of their mind-- things like audit failures. You need to prove that you are secure to the data protection authority. So you need to not fail audits. You need to produce the right documentation.
You need to make sure you have the facilities to service the data subjects, to make sure you can have data created. Make sure you can respond to data subject access requests. You need to make sure that they've got the right to opt in and opt out of things. And then, also, top of their mind-- and certainly, right from the beginning-- is security breach. So really do not want a security breach, because it's a very public thing, and it's going to have a very, very detrimental effect on your entire business.
So let's dive into security breach as well. What does security breach mean? What is the definition of a security breach? Well, we've got the obvious one. It's the unauthorized access of data. That's when either someone internally or externally gains access to information they shouldn't have gained access to.
So the other one that's a little more unusual is the unauthorized or accidental destruction of data. So a data breach is also the loss of the data. And then, finally, it's the integrity of the data as well. The unauthorized tampering of data is a security breach. If you can imagine the impact of someone changing someone's marital status, or religious beliefs, or anything, that could then be used for a detrimental effect for that individual.
So let's have a look. We talked about security breach. And we often hear the term 72 hours. You have 72 hours to respond to a breach. Well, that's not strictly true. It's only if that breach poses a significant risk. If it poses significant risks, you need to be able to respond quickly to the data protection authority to let them know.
If it poses a significant risk to the data subject, you need to notify the data subjects as well within a timely fashion. So in the light of this, data protection authorities are saying that you need to have in process the ability to detect and report on the scope and understanding of a breach when it happens. And you need to be able to do that quickly.
So let's have a quick recap of what a breach may look like. So quite often, we're looking at people coming in, gaining access very quickly to a system. They're going to propagate their access throughout their environment very, very quickly. They're going to add rights to groups. They're going to gain access. They're going to use stepping stones. They're going to be trying to get to the goal-- this data that they need-- very, very quickly. And then, they're going to exfiltrate that data in whatever means they can.
And quite often, security systems are focused on that final step-- the actual attack. But you need to understand how that attack was set up. Because you need to stop that attack from happening in the future.
So you need to be able to look a long way back in time as well, because it could have been that a privileged account was created and then not administered properly. People know the credentials for it or it's set up on an unsecure service as a server. There could be a system that's unpatched, it's dropped out of group policy, or it's just not receiving updates or not secured properly. So it has vulnerabilities-- an administrative error that accidentally opens things up or does something by accident to allow other people access that shouldn't have.
And then also, credential failure. So this is where credentials of an individual have been compromised-- either captured, or shared accidentally in some way. So those are the reasons why systems can be compromised in the beginning that lead to the attack. And that can happen months in advance. So we need to be aware of what that is.
So when considering solutions for GDPR, the most important thing is to make sure that you have an understanding of what is happening in your environment, how it's happened, to be able to respond very, very quickly. Thank you very much.