From Jamie Pease CISA, CISM, CISSP, CITP, MBCS - Principal Security Consultant at RSM Partners
The General Data Protection Regulation (GDPR) has been in the making for a few years. It was put together by the European Union to enhance data protection rights for EU citizens and to harmonize data protection laws across all 28 EU member states. GDPR has been EU law since May 25, 2018, and there are potentially very large fines for organizations that suffer a data breach. GDPR applies to all organizations that process personal data of EU citizens, regardless of which country the organization operates in. Yes, that means American businesses, too.
Organizations were given plenty of notice to prepare for GDPR. In fact, they had two years, as the EU committed to GDPR back in 2016. Yet recent audits and discussions with mainframe customers show that many organizations are still falling short of GDPR requirements.
At a recent conference we asked several clients two questions:
- Does your mainframe “process” personal data: that is, data which may be used to identify an individual (EU citizen), either directly or indirectly, or as part of data spread across multiple systems? (Examples include name, email address, bank account details, IP address.)
- As a security team, have you been engaged by stakeholders in your company to understand the current security posture of the mainframe, with a view to raising concerns if your systems do not provide appropriate levels of protection for personal data?
For the first question, everyone said yes, and for the second question, everyone said no. This is alarming, given that some employees know they have vulnerabilities on their mainframe that could be used to compromise personal data. It is clear that the mainframe is not exempt from GDPR.
When you consider that mainframes all around the world are processing personal data 24/7/365, the mainframe is very much under the microscope of GDPR.
Ask yourself this question: Is your organization taking appropriate steps to protect personal data? This includes measures to prevent unlawful use, loss, theft and damage. For example, if you currently have an insecure z/OS UNIX System Services (USS) or TCP/IP environment; poor controls around major subsystems such as CICS, DB2 or IMS; or inadequate security monitoring, then you are not taking appropriate steps to protect personal data.
GDPR Article 32 defines “Security of Processing” as: the principles for processing personal data securely by means of “appropriate technical and organizational measures.” If you have an insecure TCP/IP environment through which personal data might flow, or an insecure Db2 subsystem where personal data might reside, you do not have appropriate technical measures in place.
We’ve referenced the word “appropriate” a few times in this article. If you suffer a data breach, the investigating team is going to look for the steps your organization is taking to protect personal data. For example, if you know you have significant control issues but are fixing them through a fully funded security improvement program, you are at least demonstrating reasonable steps toward improving controls, and this may help.
For mainframers, protecting personal data is not something new; it’s something we’ve been doing for decades. However, massive amounts of personally identifiable information (PII) reside on the mainframe. The point to note is that GDPR makes organizations accountable – you are required to implement “appropriate technical and organizational measures” to be able to “demonstrate” compliance with the regulation. The question is, are you able to?
Getting on the right side of GDPR is not a one-time project. It should be embedded as part of everyday operations, so think “continuous improvement.” We must do better at protecting client data—and that includes your personal data, too!