Expired

GDPR, PCI/DSS and DrayTek

Expired

GDPR Banner

GDPR

GDPR is the set of new European regulations which are due to take effect from May 2018 relating to data and information security. The regulations cover how you handle and protect data (electronic or otherwise) and include storage, sharing, usage, permission, disclosure and erasing.

There is much publicity and media interest in the topic, warning companies to ensure that 'they are ready'. A whole industry has sprung up in advising on GDPR and offering compliance audits on business operations. You cannot be hack-proof but GDPR is all about lowering your risk and changing corporate culture to be more aware and take greater responsibility. As such, compared to PCI/DSS (see later) which mandates some very specific technical requirements, GDPR is less specific - requiring appropriate controls and systems for your particular business. The 'Cyber Essentials' scheme, which is a government scheme adopted by many of the testing/audit companies includes 5 main areas (remember these are not specific GDPR madates):

  • Secure your Internet connection (router/firewall)
  • Secure your devices and software (your PCs, tablets, phones)
  • Control access to your data and services (control who has access to your devices, network and server)
  • Protect from viruses and other malware (Hardware or software products)
  • Keep your devices and software up to date (patch your software/update your firmware)

You can get certified under the cyber essentials scheme which may give your own customers confidence that you're aware of your responsibilities and have taken action however, being certified does not negate your ongoing responsibilities under GDPR, nor guarantee that you are or will remain compliant. Also, if you process data in the cloud, you need to ensure that your cloud providers are maintaining appropriate compliance.

GDPR is very wide ranging and we cannot give you specific guidance on compliance without your own company however part of its provisions do apply to your IT equipment and routers/firewalls. Apart form the 5 areas above, you should have processes in place to ensure that they all happen regularly. You should make use of all security features that your IT equipment provides, in particular with access control and using the strongest security methods that your hardware provides. Consider content filtering to block compromised or likely problematic sites.

There is some more information on this site, though it's not a highly technical guide. The ICO guide on GDPR preparation is here. The ICO is planning to update its guides specificallt on security for GDPR but offers its previous ones for the Data Protection Act (DPA) which is superceded and is included in the new GDPR. Here are the guides on A practical guide to IT security: ideal for the small business, A practical guide to IT security for the small business and Guidance on data security breach management.

DrayTek's Own GDPR Commitment

DrayTek too process and store customer information as part of providing service and products to you. DrayTek Corp. (including head office and our regional UK offices) are committed to the requirements of GDPR, including security and the handling of personal data, breach reporting requirements, error correction, erasure rights, quality requirements and your right to request data held on you as a data subject. Any formal requests should be made to our current Data Protection Officer.

Cyber Essentials Requirements

The previously mentioned scheme does have some specific recommendations in relation to firewalls/router and all of these are already our recommended methods in our Router Security Guide which we strongly recommend reading, sharing and following the advice within. the Cyber Essential list includes:

  • Every device that is in scope must be protected by a correctly configured firewall
  • Change any default administrative passwords to strong passwords

  • Prevent access to the administrative interface from the Internet, unless there is a clear and documented business need and the interface is protected by either an IP address whitelist or 2FA (Two factor authentication)
  • Block unauthenticated inbound connections by default (stateful firewall)
  • Ensure inbound firewall rules are approved and documented by an authorised individual; the business need must be included in the documentation
  • Remove or disable permissive firewall rules quickly, when they are no longer needed.
  • Use a host-based firewall on devices (eg. a software based firewall running on the device itself) which are used on untrusted networks, such as public Wi-Fi hotspots.
  • Remove and disable unnecessary user or admin accounts or VPN profiles/users when no longer needed
  • Install 'critical' or 'high priority' firmware updates within 14 days

Our previously mentioned Router Security Guide is really a lot more comprehensive than the above list.

PCI/DSS

PCI/DSS are the existing, but constantly evolving regulations mandated by the credit card industry to help protect credit/debit card data and processing. Requirements within that cover how you handle customer's card infiormation but also how your IT systems connect to the outside world. That part is directly relevant to your broadband routers/firewalls and most auditing/testing bodies will check your router 'from the outside' (WAN) regularly for any access which they consider to be unacceptable. DrayTek routers can be set to be fully PCI compliant (as per the 2017 spec), but they can also be set up in ways which are not (for example if you set a VPN with a weak cypher, which we obviously wouldn't recommend) so it's not possible to say that a specific product (from any vendor) "is compliant". Generally, if your audit identifies a service or response from your router which they object to, if you need help in turning that off, please contact our support dept. for advice.

How do you rate this article?

1 1 1 1 1 1 1 1 1 1