Oct 062017
 October 6, 2017  Posted by at 11:45 am Not So Stupid Questions  Add comments


This question is tricky, because the answer isn’t as clear as with the previous question. The answer is: it depends. A company should take ‘appropriate measures’- but what is appropriate, who decides this? And how?

To answer the GDPR question we need to define what appropriate measures is. And a first place to look for answers is ENISA. The European Union Agency for Network and Information Security (ENISA) is a centre of expertise for cyber security in Europe. They provide guidelines and recommendations, such as GDPR compliant guidelines for SMEs (Small and medium-sized enterprises).

SMEs represent 99% of all businesses in the EU, and is defined as a company that has less than 250 employees or under 250 million euro in annual revenue.

Who decides what appropriate is? That would be you, the company, responsibility. However, ENISA has, based on expertise and experience, provided several documents for various types of assessment, to help you decide what appropriate measures are.

We need to think about the scope, nature, context, spread, volume and type of data when we do a risk assessment. In the risk assessment, you would identify the security threats and the data in question, and then score each item in terms of impact it would have, and a score for probability. The two scores combined yield what is referred to as a risk level- the calculated risk. And that calculated risk will be the basis for deciding appropriate security measures that should be implemented and maintained.

For access control and authentication, the recommended security measures are color coded to represent the risk level score. Green symbolizes basic measures such as

Avoiding common user accounts

Username and password should be required

Password should be complex

At the next level, yellow, the recommendation is that a password policy should be defined and documented. Also, passwords should be stored hashed.

When the risk level is high, color coded as red, two-factor authentication is recommended, and to take it even further, device authentication is recommended.

So….? Is two-fac required? Yes and no. I believe that for many companies the risk assessment will show that two-fac would be a recommended security measure.

What are your thoughts?

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>



What is 12 + 4 ?
Please leave these two fields as-is:
IMPORTANT! To be able to proceed, you need to solve the following simple math (so we know that you are a human) :-)