Protecting Your Integrity and Getting Value from GDPR 2 June 2017 - - PowerPoint PPT Presentation



SLIDE 1

2 June 2017

Protecting Your Integrity and Getting Value from GDPR

SLIDE 2

AGENDA

9.30am Arrival
10.00am Karen Patterson, BBC Journalist, Host: Introduction
10.05am Shauna Dunlop, Regional Manager Northern Ireland, Information Commissioner’s Office: GDPR Accountability – Privacy and Innovation
10.25am David Kemp, GDPR Business Consultant, HPE: Exposing the technology challenges of GDPR for defence as well as business advancement
11.00am Coffee Break
11.20am Bill McCluggage, Digital Leader and CIO/CTO: Using GDPR as a platform for change
11.45am Judith Millar, Business Development Manager, CSIT: The evolving cyber threat landscape
12.10pm Panel Session
12.45pm Q & As
13.00pm Karen Patterson, BBC Journalist: Close
13.05pm Lunch

SLIDE 3

Karen Patterson Journalist, BBC

Introduction

SLIDE 4

Shauna Dunlop, Regional Manager Northern Ireland, Information Commissioner’s Office

GDPR Accountability – Privacy and Innovation

SLIDE 5

GDPR Accountability: Privacy and Innovation

Shauna Dunlop Information Commissioner’s Office

SLIDE 6

Privacy and Innovation

SLIDE 7

The protection of natural persons in relation to the processing of personal data is a fundamental right

SLIDE 8

SLIDE 9

Accountability

SLIDE 10

SLIDE 11

Fair, Lawful and Transparent Processing . . .

SLIDE 12

Individuals' rights:
  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights related to automated decision-making and profiling

SLIDE 13

SLIDE 14

GDPR Consent at a glance

  • Higher standard
  • Genuine choice & control
  • Positive opt-in
  • Clear and specific
  • Easy to withdraw
  • Evidence of consent

SLIDE 15

SLIDE 16

Right to be forgotten . . .
SLIDE 17

SLIDE 18

SLIDE 19

SLIDE 20

Breach notification in a digital world

SLIDE 21

Children’s Privacy

SLIDE 22

Accountability

SLIDE 23

SLIDE 24

Privacy and Innovation

SLIDE 25

ico.org.uk

https://ico.org.uk/for-organisations/data-protection-reform/

SLIDE 26

David Kemp, GDPR Business Consultant, HPE

Exposing the technology challenges of GDPR for defence as well as business advancement

SLIDE 27

Exposing the real technology challenges of GDPR for defence as well as business advancement

David Kemp EMEA Specialist Business Consultant

June 2017

SLIDE 28

Why does GDPR matter to Business?


SLIDE 29

What is GDPR?

“General Data Protection Regulation”

  • GDPR replaces the previous Data Protection Directive
  • The Data Protection Directive was created to regulate control of Personally Identifiable Information (PII)
  • GDPR will harmonize data protection laws across 27 EU member states
  • Clearer rules for data transfer across borders
  • Better control over individuals’ data
SLIDE 30

GDPR enacted to help protect EU citizen data from risk


  • New pan-European Regulation designed to protect the privacy of EU citizens
  • Reduces complexity for organizations dealing with Personally Identifiable Information (PII)
  • Applies also to companies outside the EU that deal with EU citizens’ data
  • Introduces requirements of privacy by design and the ‘right to be forgotten’
  • Enterprises must start preparing for the enforcement date of May 2018
  • The risk of non-compliance:
    − Fines of up to 4% of parent company annual revenue (max. 20 million Euros)
    − Mandatory breach notification within 72 hours unless the PII was encrypted
  • Some exceptions for enterprises with less than 250 employees

SLIDE 31

EU General Data Protection Regulation (GDPR)

Key Changes

  • Data Protection Officer (DPO)
  • Increased responsibility around security breach notification
  • Heavy non-compliance sanctions – 2- 4% of Global Sales
  • Privacy by design and privacy by default
  • Right to erasure and data portability
  • A single set of rules and a single data protection authority
  • EU Regulation will apply across borders
  • Greater compliance requirements
SLIDE 32

What technical delivery does GDPR compliance require for effectiveness?

  • Corporate Governance monitoring and enforcement
  • Social media monitoring - internal & external where permitted
  • Ability to freeze data across a complex IT legacy architecture
  • Cross-media visibility and comprehension
  • De-duplication, clustering and synthesis of mass data
  • Necessity to respect national and international data privacy standards
  • Fast and effective response to the Business

SLIDE 33

How does one get the Senior Management “on board” for GDPR compliance – and in which verticals?


SLIDE 34

How ready is the World for GDPR?

Globally – Gartner, January:
  • 61% of corporates have no strategy
  • 51% think Security is Compliance

Italy – Osservatorio Politecnico di Milano, from 136 CISOs and DPOs, February:
  • 23% Don’t know of GDPR
  • 22% Know but no action
  • 55% Understand the requirements
  • 9% Have started a project

UK – Financial Times, February:
  • 55% of corporates will wait till May 2018

Norway – Top Management Survey, March:
  • 33% Don’t know of GDPR
  • 50% Know but unaware how to start an effectiveness programme
  • 17% Addressing the issue with planning

SLIDE 35

Compelling Business Logic for GDPR Compliance


GDPR

Revenue Generation

  • Fine
  • Reputation hit
  • Government contract pre-requisite
  • Enforcement action
  • Client Audit
  • Strategic records management
  • Cloud accelerator
  • M & A accelerator
  • Due diligence

Brand Loyalty & Data Mining & Data Exploitation

SLIDE 36

Which “Entities” should be most engaged in GDPR preparation?

B2C corporates: Those acquiring personally identifiable information from private citizens in the normal course of business, e.g.
  a. Retailers - supermarkets
  b. Gaming, Tourism & hotels
  c. FSI: Personal insurance & retail banks
  d. Mass Transport & logistics – rail / air / ferry
  e. Healthcare / Pharma / Hospitals
  f. Telcos

B2B corporates
  a. Those with a large workforce where the PII is employee data
  b. Those which have agents who are B2C

Government agencies: Those who acquire PII due to their engagement with the public, e.g.
  a. National Hospitals
  b. Municipal Authorities

AND OUTSOURCEES!

SLIDE 37

Engaging Personas


Persona / Key Challenges

CISO

  • Internal surveillance and monitoring to avoid employee negative impact on PII
  • Automate application of policy to security

VP/Director of Security Operations

  • Comprehensive view of all existing data and applications
  • Monitoring and insight into enterprise-wide threat landscape

CIO/IT

  • Determine what information is subject to GDPR requirements
  • Ensure backup and recovery is aligned to GDPR requirements

CDO/CIGO

  • Defensibly delete information that has no value to the organization – aligns to “right to be forgotten”
  • Manage information based on policy throughout its lifecycle

Legal & Compliance

  • Determine what information is subject to GDPR requirements
  • Proactively prepare for litigation and investigations by consolidating information in a centralized repository

Risk Management

  • Comply with policy-based management requirements of in-scope information throughout the information lifecycle
  • Supervise employee communication

Data Protection Officer

  • Alerting facility to enable early breach identification
  • Synchronization with legal / compliance / risk / business / security to enable compliance

+ HR, Communications, Audit, Finance?

SLIDE 38

HPE GDPR Programme


SLIDE 39

What challenges / business outcomes does GDPR create?

RECORDS MANAGEMENT

  • What PII do I have, what format and where in my IT real estate?
  • How do I isolate and classify it?
  • How do I manage it in a form which enables me to execute PII tasks?

SECURITY

  • Externally: How effective is my outer cyber defence shield?
  • Internally: How can I prevent accidental or deliberate misuse of PII?
SLIDE 40

1. Identification of Key GDPR Programme steps

  • AWARENESS: Brief the board so they are aware of the risks to the business and what needs to happen over the next 16 months to get GDPR effective.
  • STAFFING: Appoint / train a Data Protection Officer – 28,000 still to be appointed in EU.
  • LEGAL OPINION: Translating the GDPR into deliverables & functionalities + local law
  • DATA DISCOVERY: Conduct a PII location / format / security assessment vs. Opinion
  • PROGRAMME PREPAREDNESS: Assessment of exposure & potential mitigants
  • POLICY GAP ANALYSIS: Review and update existing data protection policies, training, privacy notices etc.
  • TECHNICAL GAP ANALYSIS: Where can IT solutions accelerate GDPR “effectiveness”?
  • IMPLEMENTATION: Acquiring & installing IT solutions and services
  • PRIORITISED SEQUENTIAL SOLUTIONING: Or “Farming”
SLIDE 41

1. Functionality-Legal Map

We have reviewed the core functionality of a range of the selected products, to understand how they operate and what they do. Having gained this knowledge, we have “mapped” the functionality to the GDPR’s articles and recitals, to identify the extent to which it can be argued as a matter of law that they provide compliance solutions (the “functionality-legal map”). The GDPR can be broken down into two key building blocks: Privacy Architecture and Privacy Principles:
  1. Privacy architecture – the structures that are in place across the organisation to facilitate compliance, including Governance, Roles and Responsibilities, Registers, Policies, or Procedures.
  2. Privacy principles – the fundamental principles that serve as the foundation for an organisation’s proper system of behaviour with regards to personal data.
The Functionality-Legal Map has been structured by reference to Privacy Architecture and Privacy Principles.

Extract from the map (columns on the slide: Business issue / Legal / GDPR Article / GDPR Recital / Business Solution / Products / Product redesign or remediation):

Governance – The need for data protection programme workflow management, including management information and reporting.
  Legal: Article 5.2 requires an entity to be able to proactively demonstrate compliance with the principles set out in Article 5.1. This will require entities to be able to demonstrate all programme components and related progress and outcomes.
  GDPR Article: 5
  Business Solution: Implement a programme management tool.
  Products: This review has not included a system that supports programme workflow management.

The ability to comply with conflicting global legislation
  Legal: Article 5.2 requires an entity to be able to proactively demonstrate compliance with the principles set out in Article 5.1. This will require entities to be able to demonstrate that they have taken steps to implement relative provisions and minimise reliance on manual processes and the impact of human error.
  GDPR Article: 5
  Business Solution: Define data actions according to policy and automate implementation
  Products: Policy Centre
  Product redesign / remediation: Data feeds from Iron Mountain Policy Centre do not currently support modelling policies and rules against GDPR compliance.

2. Obtain Essential Authority for the HPE Programme: The Functionality Legal Map

  • Consisting of a mapping of the GDPR articles & recitals to deliverables
  • Then identification of the functionalities required
  • Then matching HPE Security and Information Management & Governance solution delivery for GDPR execution

SLIDE 42

Product mapping: solutions vs GDPR use cases (IM&G)

Use Case Pain Points HPE Solutions

Personal Data Assessment
  Pain Points:
  • What and where is the information that will fall under these regulations?
  HPE Solutions:
  • HPE ControlPoint
  • HPE Structured Data Manager

Defensible Disposition
  Pain Points:
  • How do I identify information for disposition, in accordance with “the right to be forgotten”?
  HPE Solutions:
  • HPE ControlPoint
  • HPE Structured Data Manager
  • HPE / IM Policy Centre

Secure Content Management
  Pain Points:
  • How do I best apply and enforce policies to manage information through its lifecycle?
  HPE Solutions:
  • HPE ControlPoint
  • HPE Structured Data Manager
  • HPE Content Manager
  • HPE Policy Center
  • HPE Archiving

Litigation Readiness and Response
  Pain Points:
  • How can I quickly and cost-effectively respond to legal matters requiring information under my management?
  HPE Solutions:
  • HPE ECA
  • HPE eDiscovery
  • HPE Legal Hold

Backup and Recovery
  Pain Points:
  • How do I best ensure sensitive data is protected, stored and backed up securely?
  HPE Solutions:
  • HPE Data Protector
  • HPE Storage Optimizer
  • Backup Navigator
  • HPE Connected Backup/CMX
SLIDE 43

Product mapping: solutions vs GDPR use cases (ESP)

Use Case / Pain Points / HPE Solutions

Encryption & Pseudonymisation
  Pain Points:
  • How can I grow my business while ensuring sensitive data is protected?
  • How can I protect my brand and business reputation by neutralizing damaging data breaches?
  • How do I manage the volumes of sensitive data-at-rest?
  HPE Solutions:
  • ESKM (Enterprise)
  • SecureData (Voltage)
  • SecureMail

Breach Response & Reporting
  Pain Points:
  • How do I know if I have already been breached?
  • How to quickly know that a breach has taken place and enable the security team to take steps to contain it, recover and find the root cause.
  HPE Solutions:
  • ArcSight, UBA & DMA
  • SecureData
  • SecureMail
  • ESKM

Breach Prevention & Neutralization
  Pain Points:
  • How can I neutralize the impact of a data breach?
  • How is it possible to protect my data and neutralize the impact of a data breach, including the need for breach notification?
  HPE Solutions:
  • ArcSight
  • Fortify on Demand
  • Fortify Application Defender
  • SecureData
  • SecureMail
  • ESKM
SLIDE 44

SLIDE 45

3. GDPR Programme Assessment = HPE Journey to Value

Opportunity Discovery / Creation: Mapping GDPR Compliance Requirements to Technology by:
  – Understand as-is capabilities
  – GAP Analysis vs. HPE GDPR Framework
  – Discuss & Guide to get there “to-be”

Assessments: Tools, Processes & Organization; Roadmap & Recommendations

SLIDE 46


GDPR maturity matrix. Column header as shown on the slide: Domain / Function / Capability / Applicable / no coverage / partial coverage / full coverage. For each capability the five cells are listed in order from lowest to highest maturity.

Assurance (Personal Data Records Mgmt. and Security)
  1. No defined process for assurance control and reviews for Personal Data Records Mgmt. and Security.
  2. Ad-hoc and manual reviews for assurance of Personal Data Records Mgmt. and Security of Personal Data.
  3. A process is defined for regular reviews for assurance of Personal Data Records Mgmt. and Security of Personal Data, but execution issues due to limited capacity / technology support.
  4. A dedicated Team and regular reviews for assurance of both Personal Data Records Mgmt. and Security of Personal Data.
  5. Organization is able to proactively demonstrate compliance with GDPR principles for both Personal Data Records Management and Security.

Respond to Data Subjects
  1. No mechanism or process defined to handle Data Subject inquiries about Personal Data processing / usage.
  2. Data Subjects' requests handled in an ad-hoc way.
  3. Process defined but execution is not stable. Organization is able to respond to Data Subject requests partially.
  4. A clear process is defined to handle data subject requests.
  5. Handling Data Subject Requests is defined, integrated as a standard process of Help Desk and Customer Care.

Respond & Report to Litigation / Regulatory Investigation
  1. Lack of building a legal base for personal data processing activities. Lack of capability for mapping the Personal Data and processing activities to Legal Hold processes. (High risk for responding to litigation, regulatory investigation).
  2. Personal Data processing policies and processes are defined / limitedly enforced by the organization, with manual records mgmt., data security and data protection capabilities. Limited capability to build a legal basis for data processing activities.
  3. Organization is capable of responding & reporting to Litigation / Regulatory Investigation for major applications and systems that are processing personal data, with manual efforts.
  4. Legal base constructed for the applications and systems processing Personal Data. Solutions implemented identify and protect personal data subject to legal hold, either in place, or migrate data to a secure repository for storage for the lifetime of the hold.
  5. Centralized & Automated records management processes and systems construct the legal base for applications and systems processing Personal Data across the Enterprise, enabling the organization's Compliance with GDPR Requirements.

Data Processing Models
  1. Organization is not aware what type of Personal Data is being collected, stored & processed. Data & processing types include High Risk for compliance: Large-scale processing of Sensitive Personal Data; Automated Profiling; Systematic Monitoring; CCTV monitoring of public spaces. (Ref: Definitions of Data Types)
  2. Organization is partially aware of and controlling the Personal Data being collected, stored & processed. Data & processing types include Medium to High Risk for compliance: Processing Sensitive Personal Data; Processing Personal Data of Vulnerable Individuals; Automated Profiling; Systematic Monitoring.
  3. Organization is governing and controlling the Personal Data and processing activities at departmental level. Data & processing types include Medium Risk for compliance: Processing Sensitive Personal Data; Processing Personal Data of Vulnerable Individuals; Large Scale Processing of Personal Data.
  4. Organization is governing and controlling the Personal Data and processing activities for all major applications in a semi-automated way with support of relevant technology. Data & processing types include Medium to Low Risk for compliance: Large Scale Processing of Personal Data; Anonymized Data; Pseudonymised data.
  5. Personal Data and processing activities are governed and protected across the enterprise. Organization adopts the following processing models to lower the risk of non-compliance for Personal Data Protection: Anonymized Data; Pseudonymised data; Secure small-scale processing.

Personal Data Inventory
  1. No inventory / visibility of Personal Data; which applications & systems are processing PII is not known.
  2. Limited knowledge of Personal Data stored and/or processed by applications and systems. (Mainly major apps and systems)
  3. App / System based inventory of Personal Data stored and/or processed by applications and systems. (Manual governance & control processes exist)
  4. BU level visibility of Personal Data stored and/or processed by applications and systems. (Governance & control by processes & policies)
  5. Visibility of personal data & its lifecycle across enterprise systems and applications. Governance & automated control by processes & policies.

Applications, Systems & Storage Inventory
  1. No inventory of Applications, Systems & Storage processing Personal Data.
  2. Limited knowledge about inventory of Applications, Systems processing, and Storage maintaining Personal Data. (Mainly major apps and systems)
  3. Inventory of Applications, Systems & Storage exists for most and major applications and Systems processing Personal Data. (ad-hoc governance & control processes via Privacy by Design)
  4. BU level visibility of Applications, Systems & Storage processing and storing Personal Data. (Governance and control by Privacy by Design policies)
  5. Enterprise level visibility of Applications, Systems & Storage processing and storing Personal Data. (Governance and control by Privacy by Design policies)

Access Control Management
  1. No clear strategy and/or plan in place for Access Control Management for Personal Data and its processing activities (securing and managing access to Personal Data and associated processing activities).
  2. Access Control Management policy for Personal Data processing has been defined but not reviewed / enforced by the organization.
  3. Access Control Management policy for Personal Data processing has been defined and reviewed / enforced at departmental level.
  4. Access Control Management policy for Personal Data processing has been defined and reviewed / enforced by the organization - manual / semi-automated implementation (via data security, access control, Identity & Access Mgmt. tools).
  5. Access Control Management policy for Personal Data processing has been defined and reviewed / enforced across the organization - with fully automated implementation (via data security, access control, Identity & Access Mgmt. tools).

Data Protection
  1. No clear or limited policy definition for Data protection for Personal Data (backup, archival and retention policies).
  2. Data Protection policies are defined but not reviewed or enforced by the organization.
  3. Data protection policy for Personal Data processing has been defined, reviewed / enforced at departmental level.
  4. Data protection policy for Personal Data processing has been defined, reviewed / enforced at enterprise level with Disaster Recovery implementations.
  5. Enterprise Level Data Protection policies defined and enforced including Disaster Recovery and backups of personal devices (desktops, laptops, mobile devices, etc.).

Records Management
  1. No clear or limited policy definition for Records Management for Personal Data protection.
  2. Limited policy definition for Records Management for Personal Data protection for selected applications; ad-hoc / non-stable implementation and enforcement.
  3. Records Management policies defined with manual or ad-hoc level implementation for selected applications and systems processing Personal Data.
  4. Records Management policies in place and implemented at BU and/or Applications and Systems level processing Personal Data.
  5. Enterprise level Records Management policies implemented for protecting Personal Data, as well as regular gap assessments against GDPR; continuous remediation program in place.

Privacy by Design / Privacy by Default
  1. Personal Data Protection principles are not considered during the design and development stage of applications and services processing personal data.
  2. Personal Data Protection principles are implemented / integrated during the design and development stage of apps, only for selected ones in an ad-hoc manner.
  3. Personal Data Protection principles are defined as part of Application Design and Development policies, but enforced and implemented, or selectively implemented, for some apps / systems.
  4. Personal Data Protection principles are defined and enforced for new applications and systems processing personal data. Limited capability to migrate / adapt existing applications.
  5. Personal Data protection compliance is "baked in" to the data processing activities across the enterprise. Apps / systems are required, by default, to process only the minimum amount of personal data.

Accountability
  1. No or limited accountability principles defined; no or limited involvement of senior mgmt. for the Data Protection principles.
  2. Data Protection principles designed and implemented at Application / System level in an ad-hoc way. Limited involvement of senior management.
  3. Data Protection principles and procedures are designed and implemented at BU level. Senior management informed but limited accountability.
  4. Data Protection Principles are approved and endorsed by senior management, and senior management is informed of implementation and enforcement of policies.
  5. Organization's approved procedures are compliant with the Data Protection principles and appropriate review and audit processes are in place, enforced & implemented across the enterprise. Organization assigned a DPO (Data Protection Officer) as the requirements met with GDPR directives. (Ref: Appointment of a DPO)

Data Protection Impact Assessments
  1. Organization does not have a defined policy or plan to assess the potential risks arising out of any new processing activity, as GDPR requires organizations to conduct regular Impact Assessments.
  2. Organization is conducting limited / ad-hoc Impact Assessments to assess the potential risks arising out of any new processing activity for Personal Data.
  3. Organization has a strategy and relevant policies for conducting Impact Assessments for selected applications to assess the potential risks arising out of any new processing activity for Personal Data.
  4. Organization has a strategy and relevant policies for conducting Impact Assessments for all major applications processing personal data to assess the potential risks arising out of any new processing activity.
  5. Organization has assigned a dedicated Team, DPO and relevant roles to conduct regular Impact Assessments for all data processing applications and systems to assess the potential risks arising out of any new processing activity.

Program GAP Analysis & Remediation
  1. No regular Impact Assessments and no GAP Analysis Strategy defined and implemented by the organization. Reactive remediation strategy after incidents.
  2. As a follow-up of Impact Assessments, GAP Analysis is being performed; improvement areas for Data Protection are identified with limited follow-up due to limited commitment by higher management or other reasons like budget, resources, etc.
  3. As a follow-up of conducted Impact Assessments, GAP Analysis is made and identified improvement areas for Data Protection are added as projects in annual planning. Limited follow-up / prioritization (only for selected / major applications).
  4. Organization has a clear strategy and policies implemented for conducting regular Impact Assessments and GAP Analysis to identify improvement areas for Data Protection, which are added as projects in annual planning. Close follow-up / prioritization in accordance with risk evaluations.
  5. Organization has clearly defined GAP Analysis and has assigned a dedicated Team, DPO and relevant roles to conduct regular Impact Assessments for all data processing applications and systems to assess the potential risks arising out of any new processing activity. Implementation and progress is closely followed up by highest mgmt.

Domains as labelled on the slide: Assess / Remediation; Governance; Assurance / Respond / Report; Inventory; Policies; Design / Accountability

GDPR PREPAREDNESS ANALYSIS

SLIDE 47

Data Processing & Lifecycle Mgmt. Programme status


[Bar chart: risk score (scale 0.5 to 5) per Data Processing / Lifecycle Mgmt. sub-capability; the values plotted are those in the table below.]

Data Processing / Lifecycle Mgmt.

Sub-Capability – Risk Score
Consent Structure and Management – 5
Obtaining Methodology and Coverage – 5
Legal base for Data Processing – 5
Data Flow Mapping – 5
Records Mgmt. for Personal Data processing – 5
Registry and Mapping – 4
Purpose Limitation – 4
Data Minimisation – 4
Storage Limitation – 4
Right to be Forgotten – 4
Pseudonymisation / Anonymisation – 3
Transfer Controls – 3
Data Retention Management – 3
Records Mgmt. for Personal Data – 3
Accuracy – 2
Lawful & Transparent Processing – 2
Contractual Necessity – 2
Archival Management – 2

SLIDE 48

Data Processing & Lifecycle Mgmt. Risk Map


[Risk map chart: the same eighteen Data Processing / Lifecycle Mgmt. sub-capabilities plotted by risk score, scale 0.5 to 5; the scores are identical to the Sub-Capability Risk Score table on slide 47.]

SLIDE 49

How to Use Output?


Use Cases – As Best Practices High Risk Areas Roadmap Follow-on Projects GAP Analysis

Follow-on Projects

  • Domain based JTVs
  • IM&G
  • Security
  • Demo
  • Pilot & PoC

GAP Analysis

  • Use Cases as Best Practices
  • Dependencies between High Risk Areas

  • Impact & Prioritization
SLIDE 50

[Roadmap chart: 2017–2019 by quarter (Q1–Q4); bands Quick Wins / Short Term / Long Term / Extended Value. Outcomes and plan based on Detailed Privacy Focused Assessment (privacy > security controls).]

High Level Roadmap for Recommendations


Roadmap items:
  • Personal Data Inventory – structured, unstructured information / PII
  • Continuous Privacy by Design
  • Data Minimization (Data Collection Limitation – legal check for minimum required data for customers)
  • Data Consolidation
  • E-mail Security, BYOD
  • Security Incident & Event Management
  • Extended encryption and data masking

Value labels: Unlock value of current investment / Sustained returns / Strategic Outcomes / High Impact ROI, Rapid Time to Value

  • Securing the most important information – structured, unstructured PII
  • Start of Privacy by Design – short review of security parameters of new / existing services

Strategic / Tactical

  • Naming DPO (if not yet announced)
  • Preparation for possible data breach – be able to detect and report
  • Detailed Privacy Focused Assessment (to figure out a detailed long-term plan even after May 2018)
  • Justify client-facing areas (consent, front-end service, portals, etc.)
  • Identity management deployment
  • Application Security (portals, web security)
  • Policies justifications, policy management
  • Other extended-value controls
  • Information Governance strategy

SLIDE 51

[Roadmap chart: 2017–2019 by quarter (Q1–Q4); bands Quick Wins / Short Term / Long Term / Extended Value. Outcomes and plan based on Detailed Privacy Focused Assessment (privacy > security controls).]

High Level Roadmap for Recommendations


Personal Data Inventory – structured, unstructured information / PII Continous Privacy by Design Data Minimization (Data Collection Limitation – legal check for minimum required data for customers) Data Consolidation E-mail Security, BYOD Security Incident & Event Management Extended encryption and data masking

Unlock value of current investment Sustained returns Strategic Outcomes High Impact ROI, Rapid TTV

Securing the most important information – structured, unstructured PII Start of Privacy by Design – short review of security parameters of new/old services

Strategic Tactical

Naming DPO (just in case it is not named yet) Preparation for possible data breach – be able to detect and report Detailed Privacy Focused Assessment (to fugre out detailed long-term plan even after May 2018) Justify client‘s facing areas (consent, front-end service, portals, etc.) Identity management deployment Application Security (portals, web security) Policies justifications, policy management Other extended-value controls Information Governance strategy

  • Executing what is urgent and should be a priority: mapping the inventories, minimizing the data stored, securing main PII, starting the Privacy by Design strategy.
  • Short-term activities which need to be done first: activities to be executed by May 2018 to be ready and, as far as possible, safe from major breaches, fines, etc.
  • Execution of a sensibly planned implementation programme: further privacy and other security steps on a long-term journey towards a safe and trusted IT environment.
  • Enhancing the environment: other controls such as securing email, BYOD and continuous Privacy by Design are also very important.

slide-52
SLIDE 52
4. HPE Security & IM&G Product mapping

Product mapping diagram (labels only): Find, Classify, Govern; Manage Data In Scope (Personal Data); Secure Personal Data; Report Compliance; Get Consent.

Layers: Data Repositories; Records Repository; Information Management & Governance; Security, covering
  • Data Security
  • Application Security
  • Security Intelligence (Breach Detection)

slide-53
SLIDE 53

Complete HPE GDPR Platform

Platform diagram (labels only):
  • Data Repositories: Messaging, Email, Files, SharePoint, Applications, Data Warehouses, Document Management, Social Media, Web Content, Third Party Database
  • Actions: Read, Analyse, Classify, Apply, Store Eligible Records, Declare, Find, Govern, Apply Retention rules, Compliance, Legal Hold & Audit
  • Components: Record Repository, Data Archive, Data Encryption, SecureData, ESKM, Content Manager, SDM, Control Point, Policy Center, UD

Legend: UD: (HPE ITOM) Universal Discovery; SDM: (HPE IM&G) Structured Data Manager; ESKM: (HPE Data Security - Atalla) Enterprise Secure Key Manager

slide-54
SLIDE 54

Example of a Defensible Treatment Solution


Diagram (labels only): App1, App2, App3, App4 … App n, each with an SDM instance; “Proxy” Records; Metadata Feed; RM; Get eligible deletion list; Approve Deletion; Redact / Delete; JDBC, API, Script; Retention Policy.

slide-55
SLIDE 55

Security Intelligence

Breach Detection

Application Security

Breach Prevention

Data Security

Encryption / Pseudonymization

Application, Data and Information Security

SAST: (HPE Security - Fortify) Static Application Security Testing DAST: (HPE Security - Fortify) Dynamic Application Security Testing RASP: (HPE Security - Fortify) Runtime Application Self-Protection

Data Repositories Records Repository Find Classify Govern

SecureData ESKM ArcSight ADP/ESM Fortify SAST / DAST / RASP SecureMail

slide-56
SLIDE 56

Assessment of the Business Case

  • SIZE: In terms of volume of retail customers and / or employees, do they pose a significant GDPR exposure?
  • TIMING: Is there already Main Board buy-in and Steering Committee appointment?
  • EXISTING MITIGANTS: Is the corporate business one which is already used to data privacy / protection standard maintenance, e.g. Pharma clinical trials?
  • PARALLEL PROJECTS: Are there other Information Life Cycle Management projects either planned or in execution which could be accelerated by GDPR effectiveness?
  • IMPACT UNDERSTANDING: Does the Business see the value of the 3 drivers of Compliance, Operational Efficiency and Revenue?
  • RISK EXPOSURE: To what extent are there both financial and medical records involved, e.g. Insurance / Hospitals / Employee HR data / Pharma / Municipalities?
  • DECISION-MAKING: In country or overseas?
  • BUDGET & TIMING: To what extent are CIOs / CISOs already funded / authorised to achieve “policy enforcement” and by when?

slide-57
SLIDE 57

In summary, HPE is strongly positioned to address GDPR

– Broad technology set covering all phases of protection
– Robust, cross-silo data classification
– Deep information insight for automated policy setting
– Advanced analytics for value creation
– Partnership strategy to deliver maximum value
– Solutions mapped to GDPR-specific use cases for simplicity


slide-58
SLIDE 58

GDPR collateral


slide-59
SLIDE 59

Solutions mentioned

Links

  • A. SECURITY

– Check Point Capsule Docs: https://www.checkpoint.com/downloads/product-related/datasheets/ds-capsule-docs.pdf
– HPE SecureData Enterprise: https://www.voltage.com/resource/hpe-securedata-enterprise/
– HPE ArcSight: https://saas.hpe.com/en-us/software/siem-security-information-event-management
– Securing SaaS (incl. Salesforce) – Symantec CASB and Cloud Data Protection Gateway: https://www.symantec.com/products/web-and-cloud-security/cloud-application-security-cloudsoc and https://www.symantec.com/content/dam/symantec/docs/solution-briefs/cloud-data-protection-security-tokenization-en.pdf

  • B. INFORMATION MANAGEMENT & GOVERNANCE
  • HPE Control Point: https://saas.hpe.com/en-us/software/file-analysis-dark-data-cleanup
  • HPE Structured Data Manager: https://saas.hpe.com/en-us/software/application-database-archiving
  • HPE Content Manager: https://saas.hpe.com/en-us/software/enterprise-content-management
  • C. GENERAL HEWLETT PACKARD ENTERPRISE GDPR PROGRAMME
  • Main internet site: https://www.hpe.com/us/en/campaigns/gdpr-compliance.html


slide-60
SLIDE 60

Thank you

David Kemp kemp@hpe.com Tel: +44 (0) 7867 558680


slide-61
SLIDE 61

Coffee Break

slide-62
SLIDE 62

Bill McCluggage, Digital Leader and CIO/CTO

Using GDPR as a platform for change

slide-63
SLIDE 63
slide-64
SLIDE 64
slide-65
SLIDE 65

The government has promised sweeping changes to the way data is secured across Whitehall in the wake of the missing discs review.

slide-66
SLIDE 66
slide-67
SLIDE 67
slide-68
SLIDE 68
slide-69
SLIDE 69
slide-70
SLIDE 70
slide-71
SLIDE 71
slide-72
SLIDE 72
slide-73
SLIDE 73
slide-74
SLIDE 74
slide-75
SLIDE 75

Judith Millar, Business Development Manager, CSIT

The Evolving Cyber Threat Landscape

slide-76
SLIDE 76

Judith Millar

Business Development Manager

2nd June 2017

A Global Innovation Hub for Cyber Security

‘The Evolving Cyber Threat Landscape’

slide-77
SLIDE 77

CSIT – Nationally recognised

UK’s National Innovation and Knowledge Centre (IKC) for cyber security

  • GCHQ certified “Academic Centre of Excellence in Cyber Security Research”
  • Queen’s Anniversary Prize for “strengthening global cyber security”
  • UK Cyber Growth Partnership - sole academic partner
  • NI Organised Crime Task Force (OCTF)

Securing our Digital Tomorrow

slide-78
SLIDE 78

CSIT’s Industry Membership Programme

Securing our Digital Tomorrow

slide-79
SLIDE 79

Securing our Digital Tomorrow

‘Innovation is key’

UK Government Strategy

slide-80
SLIDE 80

A Global Innovation Hub for Cyber Security

Increasing threats

slide-81
SLIDE 81

  • Protection rackets = DDoS
  • Blackmail = Ransomware
  • Con artist = Spear Phishing
  • Bank job = APT malware

Old crimes, new technologies

slide-82
SLIDE 82

UK company management perception of cybersecurity threats

Threat actor categories surveyed: Nation state actors; Inside attackers - suppliers; Terrorist organisations; Competitors; Activists; Inside attackers - employees; Hobbyist hackers; Professionals - organised crime or fraud groups. (ITDM – IT Decision Makers)

Source: The Intelligence Disconnect, The 2017 Cyber Defence Monitor: A Global Perspective, BAE Systems

Securing our Digital Tomorrow

slide-83
SLIDE 83

Cost of cyber crime

Up to £35 million in one-off costs

£240 million wiped off shareholder value

slide-84
SLIDE 84
Why are cyber threats increasing?

  • Financial: highly profitable; reduced barriers and costs of attacks – ‘malware for sale’
  • Political: information warfare; state sponsored attacks; hacktivism
  • Social: insider threat; Bring Your Own Device (BYOD); kudos of hackers; social media – ‘leaking data’
  • Technical: increasing connectivity - IoT; robust authentication required

Securing our Digital Tomorrow

slide-85
SLIDE 85

“In 10-20 years we will look back and say that THIS was the real revolution. The first was merely a prelude!” – Philip Moynagh, Director IoT, Intel

The internet of screens

Securing our Digital Tomorrow

slide-86
SLIDE 86

Securing our Digital Tomorrow

Technologies for a Future Digital Society

slide-87
SLIDE 87

And…

Securing our Digital Tomorrow

slide-88
SLIDE 88

Quantum computing

Securing our Digital Tomorrow

slide-89
SLIDE 89

The world’s first quantum computer?

  • Bought by Lockheed Martin & Google/NASA
  • Difficult to verify if performing quantum operations or not!
  • Has helped to advance research in Quantum Computing
  • Exponential leap in processing power will crack some cryptography

Securing our Digital Tomorrow

slide-90
SLIDE 90

August 2015

Update: Jan 2017 - NIST issued a Call for Quantum-Resistant Cryptographic Algorithms for new public-key cryptography standards. Draft standards expected in 5 years.

Quantum-Safe Cryptography

slide-91
SLIDE 91

CSIT is leading SAFEcrypto, a Horizon 2020 project developing practical, robust and secure post-quantum cryptographic solutions. CSIT is at the forefront of standardisation work:

  • ISO/IEC SC27 WG2 – Quantum-resistant Cryptography
  • ETSI TC CYBER QSC – Quantum Safe Cryptography

CSIT leading development of quantum-safe cryptography

Securing our Digital Tomorrow

slide-92
SLIDE 92

Consider:

  • Data could be captured today for later decryption
  • Systems with long operational lifetimes are already vulnerable
  • What algorithms and third party libraries are in place today?
  • Open-source stack
  • Key material
  • Key sizes
  • Migration plan – implementation, testing
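The bullets above amount to a crypto-agility triage, and they generalise to a simple rule: if the time data must stay secret plus the time needed to migrate exceeds the years until a cryptographically relevant quantum computer, ciphertext captured today is already exposed. The following Python is an added example, not part of the CSIT presentation: it applies that rule to a constructed inventory, flagging public-key algorithms as broken and short symmetric keys as weakened. The inventory entries, the 15-year horizon and the 256-bit symmetric cut-off are assumptions for illustration.

```python
from dataclasses import dataclass

# Public-key families broken outright by Shor's algorithm; symmetric
# primitives only lose roughly half their strength to Grover's search.
SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}
GROVER_WEAKENED = {"AES", "ChaCha20"}

@dataclass
class Asset:
    name: str
    algorithm: str
    key_bits: int
    data_lifetime_years: int  # how long captured ciphertext must stay secret
    migration_years: int      # estimated time to replace the algorithm

def triage(asset: Asset, years_until_crqc: int) -> dict:
    """Classify one inventory entry (assumed thresholds, see lead-in).

    'Harvest now, decrypt later' risk: if the secrecy lifetime of the
    data plus the migration time exceeds the assumed years until a
    cryptographically relevant quantum computer (CRQC), ciphertext
    captured today is already exposed.
    """
    if asset.algorithm in SHOR_BROKEN:
        exposure = "broken"
    elif asset.algorithm in GROVER_WEAKENED:
        exposure = "weakened" if asset.key_bits < 256 else "adequate"
    else:
        exposure = "unknown"  # unreviewed third-party library: needs review
    at_risk = (exposure != "adequate" and
               asset.data_lifetime_years + asset.migration_years > years_until_crqc)
    return {"asset": asset.name, "exposure": exposure, "harvest_now_risk": at_risk}

# Constructed sample inventory (hypothetical systems and figures).
INVENTORY = [
    Asset("patient-archive", "RSA", 2048, 25, 5),
    Asset("web-tls-sessions", "ECDH", 256, 1, 3),
    Asset("backup-encryption", "AES", 128, 10, 2),
    Asset("hsm-wrapped-keys", "AES", 256, 10, 2),
]

def report(years_until_crqc: int = 15) -> list:
    """Triage every inventory entry against one CRQC horizon."""
    return [triage(a, years_until_crqc) for a in INVENTORY]

if __name__ == "__main__":
    for row in report():
        print(row)
```

Running it shows that long-lived records protected by RSA are the first migration priority even though short-lived TLS sessions use an equally quantum-broken algorithm.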

Securing our Digital Tomorrow

slide-93
SLIDE 93

Intelligence led investment in security

  • What data is critical to your business - and who has access to it?
  • Factor cyber security into all planning, procurement and projects
  • Investments in Smart [Anything] should factor in 15% for security and resilience
  • Understanding the specific risks
  • Understanding the specific vulnerabilities

The way ahead for your business

Securing our Digital Tomorrow

slide-94
SLIDE 94

Panel Session

Shauna Dunlop, Bill McCluggage, David Kemp, Judith Millar and Jeff Peel

slide-95
SLIDE 95

Karen Patterson Journalist, BBC

Close

slide-96
SLIDE 96

Lunch