cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Inside (ISC)² with Charles Gaughf

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Inside (ISC)² with Charles Gaughf

Re: Web Logs

Kaity
Community Manager

This is your chance to get Inside (ISC)² as managers from our organization will be swinging by the Community to answer your questions. Joining us today is Charles (Chuck) Gaughf, senior manager of security at (ISC)².

 

Chuck heads up our security group, and is currently knee-deep in the privacy sphere as he leads our GDPR preparations. He holds several of our certifications (CISSP, SSCP and CCSP), so he’s a member as well as an employee!

 

Reply to this post with your questions and Chuck aka @geekwise will be answering them from 1-1:30pm EST. 

 

And join us again next month (March 28) when Adrian Davis, CISSP – our Cybersecurity Advocate in EMEA – will be joining us!

29 Comments
Ymusaji
Viewer II

Do you have a webinar going?

 

Early_Adopter
Community Champion

Hi Charles,

 

What are your thoughts on the IAPPs CIPP/E/US and CIPM in relation to the GDPR and other regulation? In addition, will you be attending the Summit in Washington at the end of this month?

 

Nice Avatar BTW ^^

 

TVM

Ymusaji
Viewer II

How does my firm register to perform an audit of GDPR?

 

geekwise
ISC2 Former Staff

@robert-sisson this is a tough one. Most websites need IP information for transactional purposes. Many sites have their cookie consent pop-ups implemented and ready for GDPR. Similar to IP can we prevent people from using or accessing our site if they do not consent to cookies. As far as logging is concerned this is a transaction with a user of a service for the fulfillment of that service. As long as there are processes to be able to respond to a SAR and that the data is adequately protected there should be no cause for alarm. 

geekwise
ISC2 Former Staff

@Sheffeld You need certain data for processing a transaction. This may include a number of data elements to include their home address. However the bigger question is when a salesperson manually inputs a user into your CRM, does it flag them for future communications. Will these individuals be directly marketed to in the future? Did we adequately capture their consent for that purpose?

 

 

Kaity
Community Manager

I received some questions from a Community member who couldn't participate live. Could you answer these, Chuck? 

 

1) Given that we are in the throes of Digital Transformations and its disruptive demands to organisations, there are many different interpretations of what GDPR actually means. Can you be absolutely explicit and explain exactly what you understand GDPR actually is and why you have to undergo the privacy by security and security by design processes internally to ensure you are protecting the data subjects?

 

2) There are many vendors, who state their tools are "GDPR ready"? But what does this mean? How can the mere mortal human being actually prove this?

 

3) I come from a very large international organisation, myself, and I fully appreciate the processes, and controls inherent within each contract and a complete change in culture required within an organisation to deal with GDPR. Do you think the experience has changed (ISC)²'s perspective too?

 

geekwise
ISC2 Former Staff

@Ymusaji We have a webinar coming up in the next few weeks. I will say to everyone on the board that I'm tackling this from a security perspective, but it has taken the work of our entire organization to get us GDPR compliant. Legal and I have been attached at the hip since last August. This can't be purely a security problem, it is an organizational challenge that will take unprecedented amounts of cross-functional coordination. 

geekwise
ISC2 Former Staff

ouch, if people are only now getting started than they have a tough road ahead of them. The place I started was with DFDs. Organization need a comprehensive view of the PII data flows in and out of their systems and with their third parties. ALso where organizations will spend a lot of time, or at least for us, was with direct marketing and sales. 

geekwise
ISC2 Former Staff

@Canopy_Privacy Okay this just goes to show how complex systems can be. There is some organizations who may have to keep records for an indefinite amount of time. Example: A member sends us a SAR for the erasure of their data. If they are certified and we remove their data we have no way of managing their certification. On the flip side if someone loses their certification due to an ethics violation and they send us a removal request how are we going to keep the information about the ethicscomplaintt in a compliant manner so that they could not simply recertify. This is just one example and other organizations out there are going to have similar problems and will need to work through these cases individually.  

geekwise
ISC2 Former Staff

@jtny internally we built an audit for Compliance. There are the backend artifacts such as evidence of encryption, breach notification processes. Then the most important piece is what is exposed to your customers. This includes cookie notification, consent opt-ins, very clear and understandable privacy policies, and being transparent about what you do with the users' data. I have seen a number of sites who have developed a user journey for their customers that breaks down how their data is processed. This is huge in being absolutely transparent with users. Lastly, a formal process for excepting SARs and communicating how your org will handle these reqs. Keep in mind... you have to respond to a SAR no matter how it is submitted. This means staff training on understanding when they receive this type of req. 

geekwise
ISC2 Former Staff

Great Certifications. A number of people here, myself included, are working towards these certifications. GDPR is just the start. It isn't really a matter of compliance it is about giving back control to your customers regarding their data. 

geekwise
ISC2 Former Staff

As far as I am aware there is no certification process as with other standards. We went external and had a 3rd party audit of our processes, and then developed an internal control audit. I would imagine that very soon we may see a standardization around GDPR "Certification". For now, privacy shield is likely the closest thing. 

Kaity
Community Manager

Thanks everyone! And thank you @geekwise

 

ure to join us next month when Adrian Davis aka @adriandavis will be stopping by to talk about his new role as Director of Cybersecurity Advocacy in EMEA! 

Canopy_Privacy
Newcomer I

@geekwise Can you share the links for a couple of those sites that are providing the user/data processing journey for customers? I would love to see examples and model something for my GDPR clients. Thanks!