Français (French)Deutsch (German)
English
Google+
LinkedIn
YouTube
Contact
CIL-BY-TNP2

Security Obligations

Data Controller’s Security Obligations (Art. 34 of French Data Protection Act)

The Data Controller must adopt all and any necessary precautionary measures with regard to the nature of the data collected and the risks presented by the data processing in order to preserve the security of the data. These measures must prevent the data from being deformed, damaged or accessed by non-authorized third parties.

The Data Processor must provide the adequate safeguards to ensure the implementation of security and confidentiality measures provided for by Article 34.

Security Obligations within the European Data Protection Regulation (Article 32 of the GDPR)

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of data processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:

  • the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data;
  • a process for regularly testing, assessing and evaluating the effectiveness of these measures.

Examples of measures taken: encryption and pseudonymisation

The adherence to an approved code of conduct or an approved certification mechanism provides evidentiary proof of a company’s compliance with the data security requirements.

Notification of Personal Data Security Breaches (Art. 33 and 34 of the GDPR)

Notification of personal data breaches to competent supervisory authorities:

  • Who? The Data Controller
  • Why? The breach presents risks for the rights and liberties of individuals
  • When? Without undue delay and, where feasible, not later than 72 hours after having become aware of the breach.
  • Exceptions? If the breach is unlikely to result in a risk to the rights and freedoms of individuals.

The Data Processor notifies the Data Controller no later than 72 hours after having become aware of the breach.

Notifying Data Subjects:

  • Who? The Data Controller
  • Why? The breach is likely to result in a high risk to the rights and freedoms of individuals.
  • When? Without undue delay.
  • Exception? The Data Controller has implemented protective measures that either render the personal data unintelligible, such as encryption or ensure that the high risk is no longer likely to materialize.

Security Obligations for Payment Service Providers and Notification of Breaches (PSD2)

Payment service providers are responsible for the adoption and execution of security measures. In order to receive an authorization as a payment institution, an application must be submitted to competent authorities of its home Member State along with the following information: (…)

  • A description of the procedure in place to monitor, handle and follow up on a security incident and security related customer complaints, including an incidents reporting mechanism,
  • A description of the process in place to file, monitor, track and restrict access to sensitive payment data as well as the tracking of the access logs.
  • A description of the business continuity provisions,
  • A security policy document, including a detailed risk assessment.
Technical Security Tests
Security Tools
Information Security Counsel
Organisational and functional audit On-Site

Technical Security Tests

Objectives : factual and technical state of play of the active security level of a system, of an application or a computer infrastructure

Mandate :

  • Highlighting of the vulnerabilities of an application or of an infrastructure with the level of associated risks
  • Recommendations allowing to reduce the risks

Performances :

CIL CONSULTIING offers you 4 test modules à la carte:

  • Mapping the vulnerabilities
  • Intrusion tests
  • Applications tests (automated and manual tests)
  • Denial of service (DDos)

Security Tools

In collaboration with other French partners, CIL CONSULTING proposes divers data security tools.

Logs and Incidents Management Tool in a SaaS mode

A software solution capable of automatizing and rationalizing the process of collecting, archiving and analyzing log books from divers sources of information systems:  applications, operating systems, network equipment and security measures.

The tool is equipped with:

  • A graphical interface allowing for the detection of abnormalities:
  • A real-time, alert system, and
  • A full text search engine facilitating the retrieving of logs by simple keywords that is capable of handling large volumes of events

SIEM

Security information and Event Management (SIEM)

A security and incident monitoring tool for the information system which enables the user to find the abnormalities and suspicious behaviors by improving the detection and prevention of cyber threats and cyber attacks.

  • Real-time behavioral analysis of the threat (online real-time)
  • Detection of Advanced Persistent Threats (APT), Advanced Evasion Techniques (AET) and stealth threats;
  • Personalizable reporting and interactive dashboards.

Information Security Counsel

Objectives :

  • Help define and steer the security strategy.
  • Implement a security governance.
  • Continuously support the project groups, taking into account of security issues at the earliest possible.
  • Introduce the security requirements in an anticipated manner while conducting the project.
  • Maintain the security conditions.

Mandate :

  • Contribution to the implementation of a security governance.
  • Advices on the methods to implement.
  • Contribution to the definition of the setting of the security viewpoint.
  • Contribution to the security deliverables (security requirements; reviewing calls for tenders; security aspects of the settings file …)

Search for security solutions adapted to the project.

Performances :

  • Tailored consulting: Support of project groups in the event of a key stage.
  • Comprehensive consulting: Support of projetct groups with an end-to-end service.

Organisational and functional audit On-Site

Conduct of audit modelled on the state-of-the art (ISO 27002 & 27001, ISO 27018) or on internal (ISSP) or external (PCI DSS, HIPPA, Healthcare Data Host…) policies or standards.

The security audit on-site allows assessing compliance of an external performance with the contractual security requirements taken by the provider.

The recommendations will be given on the basis of the results of the audit.

Performances :

  • Procedure of the security audit and organisation:
  • Allows assessing compliance of an external performance with contractual security requirements taken by the provider.

Technical security audit :

  • Allows verifying whether the technical elements retrieved by the providers (configuration files: Firewall, servers, applications and logo files) comply with the state-of-the-art.
  • Internal scan of the network.

X