What “State of the Art” in IT Security will satisfy European Regulators?

Mar 21, 2019

WireWheel is adding to our stable of experts on privacy! We’re excited to have Gabriela join us as a regular contributor on deeper technical topics.

 

The European Agency for Network and Information Security (ENISA) and the German IT Security Association (TeleTrusT) recently published comprehensive guidelines describing what is the “State of the art in IT security” (Guidelines), an important factor to take into account for compliance with data security obligations under the General Data Protection Regulation (GDPR). These Guidelines provide much-needed clarity around this otherwise vague concept by defining it and listing actual technical and organizational measures considered to be “state of the art”.

One of the biggest changes brought by the GDPR in May 2018 was recognizing the importance of accountability for data protection compliance. Organizations are expected to act as trusted “data keepers” and proactively take steps to account for every personal data item that enters their care. The GDPR enshrines several obligations that contribute to accountability, including an obligation in Article 32 for organizations to implement “technical and organizational measures to ensure a level of security appropriate to the risk”, taking into account “the state of the art” in IT security. Non-compliance with Article 32 can lead to administrative fines up to € 10 million or up to 2% of the global annual turnover of the organization for the preceding year.

But what does “state of the art” mean in this context? 

As a piece of legislation that intends to be technically neutral, the GDPR does not itself establish what is the state of the art of IT security. This is good news, since both technology and security threats constantly evolve. However, organizations whose activity falls under the GDPR still need to figure out what it means, since it represents a presumably objective indicator of the robustness of their security program, and, hence, their compliance with Article 32. Data Protection Supervisory Authorities, like the UK ICO and the French CNIL, also refer in their data security guidelines to this concept, but without defining it.

This is where the ENISA – TeleTrusT Guidelines step in and fill the gap, even if they are meant to support compliance with both the GDPR and the 2015 German IT Security Act (therefore, they also refer to some specific obligations of the German law).

First of all, the Guidelines explain that, in general, “state of the art” of technology is a concept “situated between the more innovative existing scientific knowledge and research technology level and the more established generally accepted rules of technology level”, and it must be “independently measurable”. The Guidelines define “state of the art” as “the procedures, equipment or operating methods available in the trade in goods and services for which the application thereof is most effective in achieving the respective legal protection objectives”. But most of the Guidelines’ value actually rests in identifying specific technical and organizational measures which can be considered “state of the art” for 2019.

Under technical measures, the authors of the Guidelines catalog state of the art security measures for many operations, including but not limited to server hardening, password strength assessment, multi-factor authentication, encryption of files and folders, securing electronic data communications with a Public Key Infrastructure (PKI), cloud-based data exchange, network monitoring using Intrusion Detection System, web traffic protection and remote network access and maintenance. For each of the cataloged operation they also look at known security threats and they explain the protection objective covered by the measure, like availability, integrity, confidentiality or authenticity.

For example, with regard to cloud-based data exchange, the most common threats identified are unauthorized access and inspection by the operator of the service; hacking by third parties while the data is transported through the internet; and theft or unauthorized use of the identity that was agreed on with the cloud service. To prevent such risks from happening, the appropriate measures identified are:

  • encrypted transmission of files to and from the data exchange service;
  • client-side, end-to-end encryption of data for the recipient prior to transfer to the cloud, either through encryption integrated into the data exchange service in the client software that is part of the cloud, or through separate client end-to-end encryption software.

As for organizational measures, the Guidelines make clear that having security measures in place, even if they are “state of the art”, will not actually achieve data security without staffing measures and a system of methods, procedures and rules for managing corporate information security. These rules should be adopted and systemized within an Information Security Management System, which should also include “methods for regular inspection and documentation of organizational and technical changes”. The Guidelines identify what are considered state of the art internal processes to achieve data security, such as security organization (establishing a management framework), requirements management (legal, contractual or other types of requirements), or knowledge and competency management.

The authors even draw a map of security specific roles that can be attributed within an organization and list their main responsibilities, from upper management (who has strategic responsibility), to the Chief Information Security Officer, Information Security Officers, the Information Security Management team/Security steering committee, to the Audit Manager. As for the Data Protection Officer, the authors highlight that this role “should not necessarily be seen as part of IS management team, but instead as an important contact in matters regarding compliance, ideally regularly involved in the IS management process”.

Will following these Guidelines satisfy European regulators enforcing the GDPR that an organization is using “state of the art” IT security?

This could be the case, considering that they are backed by an authoritative voice of European network security, ENISA. The Guidelines certainly provide for a solid baseline, especially in the absence of advice from DPAs. However, organizations always need to pay attention to the specific guidance issued by their Lead DPA, if they have one, or by the DPAs whose jurisdictions cover the organizations’ activity. It is notable, though, that the European Data Protection Board did not include any guidance on data security or Article 32 GDPR in its recently published busy work program for 2019-2020. In the absence of harmonized advice on state of the art security from the DPAs, reports issued or endorsed by ENISA will be the closest available resource to follow at European level.

Here is a list of further resources that can be helpful for identifying the “state of the art” in IT security for GDPR compliance purposes:

EDPS (EU institutions) – Guidelines on the protection of personal data in IT governance and IT management of EU institutions
CNIL (France) – Security of Personal Data, 2018 edition
ICO (UK) – Data Security Checklists and Guidance on Encryption
DPC (Ireland) – Data Security Guidance



Sign up to hear from WireWheel