
Attacks/Breaches

1/22/2020
02:00 PM
Rajesh Ganesan
Commentary

Why DPOs and CISOs Must Work Closely Together

Recent data protection laws mean that the data protection officer and CISO must work in tandem to make sure users' data is protected.

With strict data protection laws in place around the world (including GDPR and CCPA), it's vital that the data protection officer (DPO) and CISO work closely together. Although part of the DPO's job is to audit the CISO's security policies, it is essential that the DPO and CISO have a good rapport. Essentially, CISOs are concerned with security and confidential data, and DPOs are focused on privacy and personal data.

The CISO examines security issues from a business and operations standpoint. While bolstering an organization's cybersecurity posture, the CISO strives to ensure that all company information is securely processed. The DPO is primarily concerned with how the organization handles personal data. This can include data minimization, communication with data subjects, rights management, storage minimization, data collection, and data processing.

Data Minimization
One of the DPO's main goals is to ensure that no unnecessary customer data is processed. If any personal data is processed, it should not be kept beyond a certain date (as per the commitment mentioned in the privacy policy), and customers must be informed about the nature of the data processing.

Data minimization involves storing less personal data, which shrinks the overall attack surface. This is important when it comes to the collaboration between the DPO and CISO. With the DPO helping to minimize the amount of collected data, the CISO is able to maintain a higher level of security.

For example, perhaps your organization issues a sign-up form that asks for an email address, phone number, and Social Security number. The CISO will mostly be concerned with how the data is protected. Conversely, the DPO will likely ask questions such as, "Why are we even collecting this information?" and "Do we need to process (store, use, or transfer) this data?" By asking questions like these, the DPO helps the CISO's security team effectively — and proactively — protect data.

Create an Activity Register
In modern digital organizations, there are many data flows coming from a variety of different sources. By creating a register, the DPO can help the CISO monitor the various data flows. An effective activity register will answer questions such as "Where exactly is this information being used?" "Who is using it?" and "To whom is this data being transferred?" Again, the CISO is interested in this information from a security standpoint, and the DPO has privacy concerns.

During the creation of an activity register, assess whether the data is personal in nature. Sometimes, whether the data is personal depends on the context. For example, perhaps a customer only provides a company with her home address. If this home address can be traced back to the individual, then it's personal data. Due to nuances like these, it's helpful to have a DPO with a legal background.

Data Protection by Design
Another way that the DPO and CISO can effectively work together is during product inception. By working closely with an organization's developers, the DPO and CISO can proactively build data protection into the company's products.

For example, during the creation of essential and nonessential cookies, the CISO will have concerns related to security vulnerabilities, and the DPO will have privacy concerns. From a security perspective, the CISO wants to ensure that the essential cookies — those used for tracking logged-in sessions and providing user-related functionality — are protected. This way, no impersonation can occur.

And from a privacy perspective, the DPO will be concerned about nonessential cookies, such as advertising cookies used to display ads. The DPO must ensure that the list of cookies is displayed to the website users, and that users can opt out of some cookies without significantly degrading website performance.

Thus, close collaboration between the CISO and the DPO during the cookie creation process can be effective from both a privacy and a security standpoint.
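As an added illustration of the split described above (not code from the original article), the following Python sketch keeps one cookie inventory that serves both roles: essential cookies are always emitted with hardening attributes so a stolen or injected script cannot read the session, while nonessential cookies are emitted only when the user has opted in, and the same inventory produces the list shown to users. Cookie names and purposes are constructed for the example.

```python
from http.cookies import SimpleCookie

# Constructed cookie inventory shared by the DPO (purpose, opt-out) and the
# CISO (which cookies carry session state and must be hardened).
COOKIE_REGISTRY = {
    "sessionid": {"essential": True,  "purpose": "keeps you logged in"},
    "csrftoken": {"essential": True,  "purpose": "protects forms against forgery"},
    "ad_id":     {"essential": False, "purpose": "advertising personalisation"},
    "analytics": {"essential": False, "purpose": "usage statistics"},
}


def build_set_cookie_headers(values, consented):
    """Return Set-Cookie header lines for the cookies in `values`.

    Essential cookies are always sent, with HttpOnly so page scripts cannot
    read them (limits impersonation after a script injection). Nonessential
    cookies are sent only if their name is in `consented`. Every cookie gets
    Secure and SameSite=Lax so it is never sent in plaintext or on most
    cross-site requests.
    """
    headers = []
    for name, value in values.items():
        meta = COOKIE_REGISTRY.get(name)
        if meta is None:
            # Unregistered cookies are a governance gap: refuse rather than leak.
            raise ValueError(f"cookie {name!r} is not in the cookie registry")
        if not meta["essential"] and name not in consented:
            continue
        cookie = SimpleCookie()
        cookie[name] = value
        cookie[name]["secure"] = True
        cookie[name]["samesite"] = "Lax"
        cookie[name]["path"] = "/"
        if meta["essential"]:
            cookie[name]["httponly"] = True
        headers.append(cookie.output(header="").strip())
    return headers


def cookie_notice():
    """Rows for the cookie list shown to users: (name, purpose, can opt out)."""
    return [(name, meta["purpose"], not meta["essential"])
            for name, meta in COOKIE_REGISTRY.items()]
```
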

Handling Breaches and Privacy Violations
Another instance in which DPOs and CISOs should work closely together is in the event of a data breach or privacy violation. Notably, these are often distinct events. For example, perhaps a customer is given a contact form, and the phone number is used later to sell him or her a product. If there was no link to the privacy policy on the contact form, this would be a privacy violation, but not a breach. Alternatively, perhaps there was a data breach, but only source code was stolen. This would be a data breach but not a privacy violation.

Nevertheless, to assess the situation, the DPO and the CISO should closely collaborate. This is especially important during a breach, as fines can be incurred if the company doesn't alert authorities about an incident in time.

Impact Assessments
After a breach, organizations should conduct a risk assessment during which the DPO functions in an advisory role. In addition to auditing the CISO's existing security infrastructure, the DPO should offer advice for the future. With the help of the CISO, the DPO can answer questions such as "Can an incident like this happen elsewhere?" "How can we protect against this moving forward?" and, most importantly, "Should we be collecting this personal data at all?"

Conclusion
By working closely, the DPO can help the CISO secure data more efficiently by collecting only the most necessary data and keeping customers well-informed about the transfer and usage of data. With the DPO and CISO working together, data can be transferred from one place to another securely and legally, greatly reducing the chance of a security breach occurring and ultimately helping the organization save time and money.

Rajesh Ganesan is Vice President at ManageEngine, the IT management division of Zoho Corporation. Rajesh has been with Zoho Corp. for over 20 years developing software products in various verticals including telecommunications, network management, and IT security. He has ...