{"id":633,"date":"2018-02-23T17:06:41","date_gmt":"2018-02-23T17:06:41","guid":{"rendered":"https:\/\/live-infoblox-blog.pantheonsite.io\/?p=633"},"modified":"2020-05-06T10:27:08","modified_gmt":"2020-05-06T17:27:08","slug":"part-1-4-practical-advice-to-network-and-security-operations","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/community\/part-1-4-practical-advice-to-network-and-security-operations\/","title":{"rendered":"[Part 1\/4] Practical Advice to Network and Security Operations Pros Regarding GDPR Compliance"},"content":{"rendered":"

Part 1 – Introduction<\/h1>\n

The\u00a0General Data Protection Regulation\u00a0or GDPR\u00a0<\/a>is due to take effect on May 25, 2018. Although the regulation was designed by the\u00a0European Parliament<\/a>, the\u00a0Council of the European Union<\/a>\u00a0and\u00a0for the individuals within the European Union, the impact of the regulation will be global. What follows is a four-part series containing some practical advice to support the efforts in achieving GDPR compliance in the core of your network operations and security.<\/p>\n

First, let\u2019s\u00a0be clear, Infoblox does not have a magic wand or solution that makes your organization GDPR compliant. This is because no one has a \u201csolution\u201d for GDPR because it involves a combination of people, process, and technology. There are of course tools to help with GDPR compliance to a greater or lesser extent and certainly, Infoblox technology can help in a network security context. But the suggestions presented here are applicable whether you are an Infoblox customer or not and are intended for network and security teams as you focus on supporting compliance.<\/p>\n

It is important to view compliance as an opportunity rather than an overhead. It is a chance to improve things you have been putting off and acts as a driver to check you are adhering to standard or \u201cbest\u201d practice.<\/p>\n

You may remember implementing ISO 9000 accreditation (BS 5750 in the UK). One of the key principles was to document what you were actually doing and ensure there was documentation showing you did what you said you did.<\/p>\n

The requirements of the GDPR are reminiscent of ISO 9000 accreditation, particularly the need to disclose any breach within 72 hours, along with the need for the details outlined in Article 33 of the GDPR. Working backward from the disclosure requirement, the assessment of any malicious activity becomes paramount. Processes around assessment will be critical in the context of GDPR, as will the evidence that they are being carried out.<\/p>\n

There is a compliance element to network security, including services such as DNS, DHCP and IP Address Management (DDI). In some cases, these services, and the processes and security they facilitate involve data relating to an identified data subject (\u201cpersonal data\u201d as defined by the GDPR). Data gathered from these services is critical to security (and hence GDPR) and the positive news is that DDI data is not \u201csensitive data\u201d as defined by GDPR, which is subject to additional protections and restrictions.<\/p>\n

There are 3 topics that reside at the intersection of GDPR and DDI:<\/p>\n