1/22/2020
02:00 PM
Rajesh Ganesan
Commentary

Why DPOs and CISOs Must Work Closely Together

Recent data protection laws mean that the data protection officer and CISO must work in tandem to make sure users' data is protected.

With strict data protection laws in place around the world (including GDPR and CCPA), it's vital that the data protection officer (DPO) and CISO work closely together. Although part of the DPO's job is to audit the CISO's security policies, it is essential that the DPO and CISO have a good rapport. Essentially, CISOs are concerned with security and confidential data, and DPOs are focused on privacy and personal data.

The CISO examines security issues from a business and operations standpoint. While bolstering an organization's cybersecurity posture, the CISO strives to ensure that all company information is securely processed. The DPO is primarily concerned with how the organization handles personal data. This can include data minimization, communication with data subjects, rights management, storage minimization, data collection, and data processing.

Data Minimization
One of the DPO's main goals is to ensure that no unnecessary customer data is processed. If any personal data is processed, it should not be kept beyond a certain date (as per the commitment mentioned in the privacy policy), and customers must be informed about the nature of the data processing.

Data minimization involves storing less personal data, which shrinks the overall attack surface. This is important when it comes to the collaboration between the DPO and CISO. With the DPO helping to minimize the amount of collected data, the CISO is able to maintain a higher level of security.

For example, perhaps your organization issues a sign-up form that asks for an email address, phone number, and Social Security number. The CISO will mostly be concerned with how the data is protected. Conversely, the DPO will likely ask questions such as, "Why are we even collecting this information?" and "Do we need to process (store, use, or transfer) this data?" By asking questions like these, the DPO helps the CISO's security team effectively — and proactively — protect data.

Create an Activity Register
In modern digital organizations, there are many data flows coming from a variety of different sources. By creating a register, the DPO can help the CISO monitor the various data flows. An effective activity register will answer questions such as "Where exactly is this information being used?", "Who is using it?", and "To whom is this data being transferred?" Again, the CISO is interested in this information from a security standpoint, and the DPO has privacy concerns.

During the creation of an activity register, assess whether the data is personal in nature. Sometimes, whether the data is personal depends on the context. For example, perhaps a customer only provides a company with her home address. If this home address can be traced back to the individual, then it's personal data. Due to nuances like these, it's helpful to have a DPO with a legal background.

Data Protection by Design
Another way that the DPO and CISO can effectively work together is during product inception. By working closely with an organization's developers, the DPO and CISO can proactively build data protection into the company's products.

For example, during the creation of essential and nonessential cookies, the CISO will have concerns related to security vulnerabilities, and the DPO will have privacy concerns. From a security perspective, the CISO wants to ensure that the essential cookies — those used for tracking logged-in sessions and providing user-related functionality — are protected. This way, no impersonation can occur.

And from a privacy perspective, the DPO will be concerned about nonessential cookies, such as advertising cookies used to display ads. The DPO must ensure that the list of cookies is displayed to the website users, and that users can opt out of some cookies without significantly degrading website performance.

Thus, close collaboration between the CISO and the DPO during the cookie creation process can be effective from both a privacy and a security standpoint.

Handling Breaches and Privacy Violations
Another instance in which DPOs and CISOs should work closely together is in the event of a data breach or privacy violation. Incidentally, these are often disparate events. For example, perhaps a customer is given a contact form, and the phone number is used later to sell him or her a product. If there was not a link to the privacy policy on the contact form, this would be a privacy violation, but not a breach. Alternatively, perhaps there was a data breach; however, only source code was stolen. This would be a data breach but not a privacy violation.

Nevertheless, to assess the situation, the DPO and the CISO should closely collaborate. This is especially important during a breach, as fines can be incurred if the company doesn't alert authorities about an incident in time.

Impact Assessments
After a breach, organizations should conduct a risk assessment during which the DPO functions in an advisory role. In addition to auditing the CISO's existing security infrastructure, the DPO should offer advice for the future. With the help of the CISO, the DPO can answer questions such as "Can an incident like this happen elsewhere?", "How can we protect against this moving forward?", and most importantly, "Should we be collecting this personal data at all?"

Conclusion
By working closely with the CISO, the DPO can help the CISO secure data more efficiently by ensuring that only the most necessary data is collected and that customers are kept well informed about the transfer and usage of data. With the DPO and CISO working together, data can be transferred from one place to another securely and legally, greatly reducing the chance of a security breach occurring and ultimately helping the organization save time and money.

Rajesh Ganesan is Vice President at ManageEngine, the IT management division of Zoho Corporation. Rajesh has been with Zoho Corp. for over 20 years developing software products in various verticals including telecommunications, network management, and IT security. He has ...