GDPR (2): But, what security measures are appropriate?

The Regulation demands their application, but does not define any of them

In this second post on our blog about LEET Security's contribution to efficient compliance with the GDPR, we discuss an aspect that will interest those who must provide security by design (but how?) for the data they process.

The Regulation establishes that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate” (Art. 32.1). This is a consequence of the accountability principle, which pervades the whole Regulation. But, unlike the well-known LOPD, it leaves the determination of which measures are appropriate in your hands, without any reference model.

LEET Security's flexible control framework offers controllers and processors an unbeatable tool both for applying the appropriate organisational measures and procedures and, at the same time, for evaluating the technical measures the Regulation requires. Its set of controls, based on best practices and international standards (ISO 27001, ISO 27002, TIA-942, LOPD, PCI DSS, ENS, NIST SP 800-53, etc.), provides a comprehensive basis for applying security by design and helps in determining the appropriate security measures (Art. 24.1 and Art. 32.1).

The more than 1,000 controls included in the methodology are classified according to several criteria: the level (D, C, B, A and A+); the security dimension they cover (confidentiality, integrity or availability, Art. 32.1.b); and the security domain they address (security management, systems operation, personnel security, facilities security, process outsourcing, resilience, compliance, malicious code protection, monitoring, network controls, access control, secure development, incident management, and cryptography).

Both the Rating Guide and the full set of controls are available for download, so that controllers and processors can take as a reference model a set of security measures appropriate to the processing they carry out. For example, if your risk analysis concludes that a medium security level is needed, you can select the measures corresponding to level B; levels D and C are suitable for a low level, and level A when a high security level is required.

For illustrative purposes, the following are some of the controls in which the different degree of demand at each level can be observed.

For these reasons, LEET Security's control framework makes it simple to identify the security measures of the appropriate level in each case, contributing to improving both efficiency and information security in the field of privacy and personal data protection. Consequently, it is an excellent tool for controllers and processors in complying with this Regulation.