Have you asked yourself what the GDPR information security requirements mean?
We now have an answer for it.
ENISA – the European Network and Information Security Agency has released comprehensive guidelines about the meaning of “State of the Art” Technical and Organizational Measures (TOMs).
The guidelines refer specifically to the requirements under the GDPR, as well as under the German IT Security Law.
The GDPR requires that controllers and processors will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature of the processing and the risks involved.
ENISA’s guidelines form an extensive effort to fill the GDPR’s general requirements with substance.
ENISA defines “State of the Art” measures as: “procedures, equipment or operating methods available in the trade in goods and services for which the application thereof is most effective in achieving the respective legal protection objectives.”
The guidelines provide a robust description of measures acceptable as “State of the Art” while addressing known cybersecurity-related risks. These measures include server hardening, password management, authentication, encryption, data transmission, cloud storage, portable devices, web traffic, application protection, and remote access.
Drill-down recommendations include, for example, email encryption best practices.
Email transmission recommendations include the use of the current TLS version for email transmission encryption, inspection of the applicable certificates’ validity of the other side using DANE (RFC 7671), review of TLS-related recommendations by the BSI’s Technical Guidelines TR-02102-02 and the use of the AES-256 encryption standard, while avoiding the use of insecure encryption methods such as the RC4. Email content (end-to-end encryption) recommendations include using the S/MIME or OpenPGP standards.
Enisa provides further guidance on the internal corporate governance required to be established to maintain sound information security practices. These include a management framework, legal support, definition of the roles of the management, information security team, and auditors and the deployment of on-going inspection and documentation processes.
While the guidelines are not mandatory, they are likely to serve as a basis to assess the readiness of companies to confront cyber security risks and the related GDPR requirements.
Therefore, companies should pay close attention to these guidelines, while addressing additional relevant guidelines issued by EU data protection regulators, such as the UK ICO’s security guidance and the Irish DPC’s guidelines.