Host Intrusion Detection System Really Necessary?

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by Paul Rowling, Jan 18, 2018.

  1. Paul Rowling

    Paul Rowling UKBF Newcomer Free Member

    Hi,

    Under the GDPR it states that any data breach must be reported within 72 hours, which is fine; however, how do you identify that a breach has actually occurred? It seems to me that a Host Intrusion Detection System (HIPS) will need to be deployed on client networks. This is a big expense for small firms, so I'm wondering if this kind of system is required or would it be considered overkill?

    Many Thanks

    Paul
     
    Posted: Jan 18, 2018 By: Paul Rowling Member since: Jan 18, 2018
    #1
  2. tony84

    tony84 UKBF Big Shot Free Member

    I think it only needs to be reported if the data is not encrypted.
     
    Posted: Jan 18, 2018 By: tony84 Member since: Apr 14, 2008
    #2
  3. Andrew Smith Corpdata

    Andrew Smith Corpdata UKBF Newcomer Free Member

    If you are a smaller firm, and the data is not especially confidential / sensitive, you could probably satisfy the requirement by having a few "seeds" within the data so you detect the breach retrospectively by seeing the data being used. This is a question of risk assessment and risk management, and it is very reasonable to achieve a "good" system to cope with the risks involved rather than feeling forced to fund a sledgehammer to crack a nut.
    Whatever you do though, document it and your thinking behind it - you might one day need to explain it to the ICO / a judge.
     
    Posted: Jan 19, 2018 By: Andrew Smith Corpdata Member since: Jan 12, 2018
    #3
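    The "seeds" approach described above, as an added example that is not part of the original post: each copy of a dataset gets a few fake contacts whose addresses are unique to that copy, and a later check of addresses seen in use (spam-trap mail, lists offered for sale) tells you not only that a leak happened but which copy leaked. The seed format, the domain and the "observed addresses" input are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the same customer list is handed to two recipients.
COPIES = ["mailing-house", "internal-crm"]
SEED_DOMAIN = "example.com"  # assumption: a domain you control, so mail to seeds reaches you

def make_seed_record(secret: bytes, copy_id: str, n: int) -> dict:
    """One fake contact whose address is unique to copy_id. The local-part is an
    HMAC, so it cannot be linked to the copy without the secret, yet can be
    recomputed later for attribution."""
    tag = hmac.new(secret, f"{copy_id}:{n}".encode(), hashlib.sha256).hexdigest()[:12]
    return {"name": f"Seed Contact {n}", "email": f"{tag}@{SEED_DOMAIN}", "copy": copy_id}

def seed_dataset(secret: bytes, copy_id: str, records: list, n_seeds: int = 3) -> tuple:
    """Return (seeded copy of records, registry of seed email -> copy_id).
    The registry is kept separately from the data that is handed out."""
    seeds = [make_seed_record(secret, copy_id, i) for i in range(n_seeds)]
    registry = {s["email"]: copy_id for s in seeds}
    merged = list(records)
    for i, s in enumerate(seeds):
        # interleave rather than append, so seeds are not obvious at the end of the file
        pos = (i + 1) * len(records) // (n_seeds + 1) + i
        merged.insert(pos, {"name": s["name"], "email": s["email"]})
    return merged, registry

def detect_leaks(registry: dict, observed_addresses: list) -> dict:
    """Match addresses seen in use against the registry; return copy_id -> hit count.
    A non-empty result is the trigger for the incident / reporting procedure."""
    hits = {}
    for addr in observed_addresses:
        copy_id = registry.get(addr.strip().lower())
        if copy_id:
            hits[copy_id] = hits.get(copy_id, 0) + 1
    return hits

def demo() -> dict:
    secret = secrets.token_bytes(32)  # store this outside the dataset itself
    customers = [{"name": f"Customer {i}", "email": f"c{i}@customer.invalid"} for i in range(10)]
    registry = {}
    for copy_id in COPIES:
        _, reg = seed_dataset(secret, copy_id, customers)
        registry.update(reg)
    # Constructed "observed" input: one mailing-house seed turns up in inbound spam.
    leaked = next(e for e, c in registry.items() if c == "mailing-house")
    observed = ["offers@unknown-sender.invalid", leaked.upper(), "c3@customer.invalid"]
    return detect_leaks(registry, observed)

if __name__ == "__main__":
    print(demo())  # {'mailing-house': 1}
```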
  4. Simon Plummer

    Simon Plummer UKBF Contributor Free Member

    It is within 72 hours of becoming aware of it rather than of it occurring. Obviously if you are not aware, you can't report it. In most cases, malicious breaches will have occurred months, if not years, prior to discovery. Obviously an inadvertent 'oops, sent that spreadsheet to the wrong recipient' scenario will require good reporting and incident management procedures.

    The key guidance from the ICO is here:

    "The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible."

    and

    "You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals."

    All the controls you implement (including 'breach detection') should be relevant to the risk of the data. If you process millions of data subjects' information then a robust technical control (such as host intrusion detection) should probably be implemented. On the other hand, having a good, well-documented reporting solution for smaller companies may be sufficient.

    Focus on the risk rather than translating requirements to technical solutions (that's my advice).
     
    Posted: Jan 19, 2018 By: Simon Plummer Member since: Dec 6, 2017
    #4