Most likely, by now you have signed data processing agreements with your suppliers of managed IT services. But, are you prepared if your suppliers’ subcontractors move outside Europe and you are in breach with the GDPR?
May 25, 2018 was the deadline for GDPR compliance in most parts of Europa. A few countries including Norway and Luxembourg will catch up soon.
Hard GDPR work has been performed, which most of us have witnessed in our email inboxes. Almost everyone has explained how they process personal data and asked for permission to keep sending you information about products and services.
Maybe you are among those who have been working late hours to get everything ready in time within your own organization? And you feel pretty happy about taking care of other concerns for a while?
If so, pardon us for addressing GDPR issues again and spoiling the fun of being through. But we have some questions to ask. They might not lead to short term pleasure but rather to long time joy.
The questions concern subcontractor responsibilities.
Most companies controlling and owning data have signed data processing agreements with their managed IT service suppliers which have turned to public cloud service providers like Google Cloud, AWS and Microsoft Azure for back-to-back agreements.
Basefarm compliance advisor Patrick Tahiri has guided several organizations into the GDPR regime. He explains:
“When managed IT service providers such as Basefarm applies public cloud subcontractors as part of their hybrid cloud services, they need back-to-back agreements to secure your responsibilities as data controller through the entire value chain.”
What is paid less attention to is that public cloud subcontractors provide services from their own subcontractor. If so, Tahiri advises subcontractor agreements to be secured also on this level.
“Be aware that such subcontractors of subcontractors might move their service production out of Europe. Then, you might be in breach with the GDPR. Through recent work, we in Basefarm have witnessed many customers overlooking this potential security problem,” says Tahiri.
A likely scenario? Not what you would expect regularly, but still something to prepare for through contracts and access to skills for moving your services from one cloud to another.
1. Expect most subcontractors to handle GDPR professionally. Still, in the end you are responsible as data controller. Assess risks proactively when evaluating subcontractors. Check if they understand their responsibilities and have GDPR compliance capabilities.
2. See to it that agreements include early warning regulations if a subcontractor moves its services out of the European GDPR zone.
3. Routinely control if the subcontractors actually follow up your agreements. You might perform such controls yourself through questionnaires or team up with others to share GDPR audit work and costs. Basefarm will perform audits on behalf of several customers.
4. Be prepared to move your entire cloud installation to another cloud services provider. Connect appropriate skills. And, as with any backup/restore routine, test that you are able to perform a movement procedure.
In this post there is specific focus on an infamous threat that resurfaced during the summer. Following several news articles in Nordic media of phishing attacks towards public services in late august and, in addition, sources that indicate that the Emotet trojan resurfaced in mid-july, several sources online are now indicating a massive campaigning not […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT) Currently the biggest exposure to threats in the cyber domain is presented via mail. Phishing attacks tricks out the credentials for legitimate users and then gain access to the mail account, and some actors […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT) A new CyberCrime group nicknamed RedCurl has been discovered after over two years of operation, attacking at least 14 organizations in over 26 attacks. They are known to attack companies in at least six […]
Published: 2020-07-29MITRE CVE-2020-10713 GRUB 2 is a “boot loader”, it precedes the actual operating system and allows for multiple options in what operating system to load and with what parameters given. An attacker with administrative privileges on a system, or physical access, can use this vulnerability to bypass the check of cryptographic signatures and run […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT) This week we get a unique insight into a threat actors inner working as IBM’s X-Force IRIS security team uncover a 40GB cache of data belonging to a threat actor called “ITG18” (overlaps with […]
Published: 2020-07-01MITRE CVE-2020-5902 “The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.” “This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create […]
Published: 2020-06-25MITRE CVE-2020-11996 “A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.” CVSS Base score: 7.5 (or 5.9 if Attack Complexity turns out to be High)CVSS Temporal Score: 6.5 as of […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT) ESET researchers are warning about targeted phishing attacks agains high-profile aerospace and military companies in Europe. The attacker will approach individual personnel about possible job vacancies, some file-sharing then commences with the pretense of […]
BF-SIRT Newsletter 2018-26 
Photo by John-Mark Smith from Pexels
Water Droplets on Spider Web - CC0 by Pixabay
Image by Martin Pecar from Pixabay
Photo by Noelle Otto from Pexels
Photo by Tim Mossholder on Unsplash
Image by David Mark from Pixabay
"Soldier Holding Rifle" at Pixabay