Most likely, by now you have signed data processing agreements with your suppliers of managed IT services. But, are you prepared if your suppliers’ subcontractors move outside Europe and you are in breach with the GDPR?
May 25, 2018 was the deadline for GDPR compliance in most parts of Europa. A few countries including Norway and Luxembourg will catch up soon.
Hard GDPR work has been performed, which most of us have witnessed in our email inboxes. Almost everyone has explained how they process personal data and asked for permission to keep sending you information about products and services.
Maybe you are among those who have been working late hours to get everything ready in time within your own organization? And you feel pretty happy about taking care of other concerns for a while?
If so, pardon us for addressing GDPR issues again and spoiling the fun of being through. But we have some questions to ask. They might not lead to short term pleasure but rather to long time joy.
The questions concern subcontractor responsibilities.
Most companies controlling and owning data have signed data processing agreements with their managed IT service suppliers which have turned to public cloud service providers like Google Cloud, AWS and Microsoft Azure for back-to-back agreements.
Basefarm compliance advisor Patrick Tahiri has guided several organizations into the GDPR regime. He explains:
“When managed IT service providers such as Basefarm applies public cloud subcontractors as part of their hybrid cloud services, they need back-to-back agreements to secure your responsibilities as data controller through the entire value chain.”
What is paid less attention to is that public cloud subcontractors provide services from their own subcontractor. If so, Tahiri advises subcontractor agreements to be secured also on this level.
“Be aware that such subcontractors of subcontractors might move their service production out of Europe. Then, you might be in breach with the GDPR. Through recent work, we in Basefarm have witnessed many customers overlooking this potential security problem,” says Tahiri.
A likely scenario? Not what you would expect regularly, but still something to prepare for through contracts and access to skills for moving your services from one cloud to another.
1. Expect most subcontractors to handle GDPR professionally. Still, in the end you are responsible as data controller. Assess risks proactively when evaluating subcontractors. Check if they understand their responsibilities and have GDPR compliance capabilities.
2. See to it that agreements include early warning regulations if a subcontractor moves its services out of the European GDPR zone.
3. Routinely control if the subcontractors actually follow up your agreements. You might perform such controls yourself through questionnaires or team up with others to share GDPR audit work and costs. Basefarm will perform audits on behalf of several customers.
4. Be prepared to move your entire cloud installation to another cloud services provider. Connect appropriate skills. And, as with any backup/restore routine, test that you are able to perform a movement procedure.
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT). Twice a year, an international contest called Pwn2Own – the Olympic Games of competitive hacking, if you like – gives the world’s top bug-hunters a chance to show off their skills. The word pwn, […]
Cyber-crime is everywhere in a world where businesses are relying on IT to provide value for the business and customers. Data has become as key to business survival as the classic economic theory factors for production; land, labor and capital, and protecting it is vital. Most businesses already do a lot, but the truth is […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT). Police in the Netherlands announced on Tuesday that they’ve broken the encryption used on an cryptophone app called IronChat. The Dutch police made the coup a while ago. They didn’t say when, exactly, but […]
In this monthly post, we try to make you aware of five different security related products. This is a repost from my personal website Ulyaoth. This month we have choosen for the following: * Naxsi * OSSEC * Forseti Security * Security Monkey * OWASP Zed Attack Proxy Naxi Naxsi is a module that you […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT). Advanced attackers, most likely from Russia, seem to be in the reconnaissance phase of a cyber war, according to a research report from threat hunting firm Vectra. The attackers are using stealthy tactics seemingly […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT) According to Tara Seals in an article for threatpost.com: “Half of Execs Feel Unprepared to Respond to a Cyber-Incident.” “Nearly half (46 percent) of executives in a Deloitte poll say their organizations have experienced […]
Wondering how to fix web security vulnerabilities? Scan regularly with tools like Detectify, do in-depth fixing and establish a security directed culture. This is easier with DevOps tools.
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT) According to Mike Kun in an article for threatpost.com: “Cloud computing is creating new challenges among security professionals as attackers embrace the “as-a-service model”, giving unsophisticated cybercriminals a leg up in carrying out attacks.” […]
This blog post is a summary of this weeks Information Security News put together by our Security Incident Response Team (SIRT). “Most dynamic content attacks are launched against content delivery networks. The attacker uses networks of infected hosts or botnets to request non-cached content from the target. If enough of these requests are made, the […]
In this monthly post, we try to make you aware of five different security related products. This is a repost from my personal website Ulyaoth. This month we have chosen the following: * Hiawatha * Shodan * GRR * Cloudfail * AbuseIO Hiawatha Hiawatha is a cool lightweight webserver that has a very easy syntax […]
BF-SIRT Newsletter 2018-26 
https://unsplash.com/license