GDPR Compliance I.T. Support
Hello, I have just recently taken over IT support for a couple of small education schools. GDPR is kicking in very soon and I just wonder how this affects the I.T. in terms of encryption, i.e. Office 365 emails or emails in general, USB sticks, logging into PCs, iPads, antivirus, backups etc, etc.
Does the GDPR state that EVERYTHING has to be encrypted, i.e. PC\laptop hard drives, or just confidential data onsite and data that is going offsite? Do all USB sticks need to be encrypted? Data on the server, does this need to be encrypted, i.e. Word and Excel files? What is the rule regarding these areas please? It's a minefield.
Any help would be most gratefully received,
Thanks guys.
Think about it: Public Key Encryption requires two keys, a private one and a public one. The private one should be in your head (or wallet).
The public key can be spread far & wide. Oh, btw, you will also need parents/pupils to start mailing with PGP.
But the private key cannot be in a public place like a web-based mail system. Giving the private key to a mail server defeats the precise thing a private key provides: confidentiality.
So no GMAIL, Office365, Roundcube, Facebook .... all web-based providers can never provide this without you giving up your (and your mail parties') confidentiality.
PGP is a tool with which you have an infrastructure for exchanging public keys, and keeping private keys on your own system.
It will encrypt files and those files can be sent as attachments (or content in an e-mail). Mind that you don't divulge data in the subject etc.
Look up GNUPG, it is the best release atm. It is an application on the end-user system.
USB sticks are basically "data at rest". The only effective way for that is encryption, like it is for laptops (whole-disk encryption, not only certain files).
For servers this might be moot, unless they are stolen or turned off; then the data on disks is also data at rest.
When an OS is running, the OS should protect the data. Generic Windows makes every user ADMIN so there is no real security.
You will need a domain setup, with proper access management. (You will need to identify users of your systems anyway, as you need to log who accesses information.)
For encryption you need keys, same for decryption...; for proper use you need procedures and ways to have some secure storage of those.
And maybe you need keys for "teacher-form1-2017", "teacher-form1-2018" and renew those yearly... and keep a secure record of those in an off-line safe.
More info here: https://www.gdpr.associates
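The PGP workflow the answer above describes (keypair generated on the end-user system, public half handed out, file encrypted and sent as an attachment, decrypted only with the private key), driven with GnuPG as an added example that is not part of the original thread. The key name, e-mail address and the sample "pupil record" file are constructed for the demo; a throw-away GNUPGHOME keeps it off any real keyring.

```shell
#!/bin/sh
# Added example (not from the thread): the PGP/GnuPG workflow from the answer.
set -eu

# Throw-away keyring so the demo never touches a real user's keys.
export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"

# Constructed identity, mirroring the answer's "one key per form per year" idea.
UID_EMAIL="teacher-form1-2018@example.invalid"

# 1. Generate the keypair on the end-user system; the private key never leaves it.
#    %no-protection only so the demo runs unattended; real keys get a passphrase.
gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Teacher Form1 2018
Name-Email: $UID_EMAIL
Expire-Date: 0
%commit
EOF

# 2. The public half is what parents/pupils receive so they can encrypt to you.
export_public_key() { gpg --batch --armor --export "$UID_EMAIL"; }

# 3. Encrypt a file for a recipient; the output is what goes out as an attachment.
#    --trust-model always skips web-of-trust checks a fresh keyring cannot satisfy.
encrypt_for() { # $1 recipient, $2 plaintext file, $3 output file
    gpg --batch --yes --quiet --trust-model always -r "$1" -o "$3" --encrypt "$2"
}

# 4. Only the holder of the matching private key can read it back.
decrypt_file() { gpg --batch --quiet --decrypt "$1" 2>/dev/null; }

# Constructed sample file standing in for pupil data.
PLAINTEXT="Pupil record: Jane Doe, Form 1, allergy: nuts"
printf '%s\n' "$PLAINTEXT" > "$GNUPGHOME/report.txt"
encrypt_for "$UID_EMAIL" "$GNUPGHOME/report.txt" "$GNUPGHOME/report.txt.gpg"

# Checks a practitioner would run: plaintext is absent from the ciphertext and
# the exported public key carries no secret material.
ciphertext_hides_plaintext() { ! grep -q "Jane Doe" "$GNUPGHOME/report.txt.gpg"; }
public_export_has_no_secret() { ! export_public_key | grep -q "PRIVATE KEY BLOCK"; }

decrypt_file "$GNUPGHOME/report.txt.gpg"
```

Note that the subject line and other headers are never covered by this; only the attachment (or body) you encrypt is, which is the point the answer makes about not divulging data in the subject.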
This is the regulation as seen through Australian eyes.
https://www.sibenco.com/gdpr-change-to-european-privacy-laws-and-its-impact-on-australian-businesses/?utm_source=Mondaq&utm_medium=syndication&utm_campaign=View-Original
Official website:
https://www.eugdpr.org/
ASKER
All great advice
ASKER
Thank you, a very informative and well-written article.
So Microsoft doesn't include a way of encrypting Office 365 emails, for example? I was sure I read that they were putting this in place, but maybe not. So PGP allows emails going out to be encrypted? Is this an application that is installed on a user's PC, for example, or on an email server? Sorry to ask, just need to know.
Also, I assume with USB sticks that you mean, more than using good encryption, being sensible about data and how it is stored and transmitted?
Thank you