Published on September 1, 2022. Author: Privacy Research Team
Qatar's upcoming 2022 FIFA World Cup represents an incredible economic, social, and PR opportunity for the Middle Eastern country. Hence, it is no surprise that the country has spent billions in ensuring every aspect of the event meets and, in some cases, exceeds modern global standards. Data privacy and security is one such area.
Naturally, with millions of football fans flocking to the country for the showpiece event, their data will be a vital asset they’ll be bringing along with them. While Qatar has its own data protection law (Personal Data Privacy Protection or “PDPPL”), the country has released a dedicated framework, aptly titled FIFA 2022 World Cup Cybersecurity Framework (Cybersecurity Framework), explicitly aimed at addressing the data-related issues posed by the World Cup.
This Cybersecurity Framework was released by the Supreme Committee for Delivery & Legacy (SCDL) in 2018, and it highlights the standard that all FIFA World Cup participants should adhere to. SCDL will oversee the Cybersecurity Framework implementation. Its additional responsibilities include delivering and maintaining the required digital infrastructure in support of the 2022 World Cup.
The Cybersecurity Framework focuses on developing and integrating "must have" capabilities and competencies that are necessary across all organizations that are a part of the World Cup ecosystem. The 2022 FIFA World Cup Qatar ecosystem has been defined as:
The Cybersecurity Framework presents a unified system of cybersecurity safeguards for the involved stakeholders. The entities providing services in the World Cup ecosystem should implement these cybersecurity safeguards to mitigate any risk. The fundamental pillars of this framework are prevention, detection, and response to data breaches and any other form of unauthorized access or use of data.
Also, the two most important capabilities from a data privacy compliance perspective (discussed in detail later) are Data Protection and Data Privacy. The former refers to processes that ensure that the data is accurate, reliable, and accessible for those with authorized access (and cannot be accessed by unauthorized individuals). The latter refers to the appropriate use of personally identifiable information for the agreed purposes. Hence, to ensure data privacy, data protection is necessary.
Entities are expected to view the entire Cybersecurity Framework in context, taking into account the lessons learned from previous national events, the Qatari National Cybersecurity strategy and standards, and the risks prevalent in geographical regions. Subsequently, entities also need to follow industry-leading cybersecurity best practices whilst integrating and utilizing cutting-edge technologies.
After this, the entities should proceed with implementing cybersecurity governance programs. To implement the Cybersecurity Framework, entities need to undergo the following two steps:
The most important aspect for any entity providing World Cup services is to remain in compliance with the laws and regulations applicable to them. Implementing this Cybersecurity Framework, though not mandatory, would help entities ensure compliance with applicable laws.
Cybersecurity Governance addresses the enterprise's reliance on cyberspace from a strategic perspective. It is a canopy for all capabilities defined within the Cybersecurity Framework. Following the structure and practices within the Cybersecurity Framework allows entities to smoothly implement and operationalize their cybersecurity capabilities. Three cybersecurity governance functions help achieve this:
Brief Understanding of Capabilities
The Cybersecurity Framework lays down cybersecurity capabilities based on operational layers. Each capability has certain prerequisites that must be fulfilled before it can be fully implemented. Moreover, to implement these capabilities, entities are advised to have qualified personnel with the relevant skills and certifications.
This capability is used to identify and stop the unauthorized use of confidential information before it leaves the entity's boundaries. This capability aims to build sustainable data protection programs by implementing technologies and processes aligned with the businesses and the most pertinent data protection matters with respect to the services provided by entities.
The Data Protection capability model breaks down basic cybersecurity operational activities into distinct layers. These layers include:
Data protection service pertains to various activities to be conducted for the effective implementation of the Data Protection Capability. This service will apply to all data/information flow at every level (entity/sector/national). Before these activities are carried out, some prerequisites need to be completed as follows.
Following this, data protection service activities can be carried out. These include
This capability ensures adherence to binding international and Qatari privacy standards for the protection of personally identifiable information, including the EU General Data Privacy and Regulations (GDPR). It will help with implementing the processes and technologies required for a sustainable data privacy model that is aligned with business objectives as well as in compliance with General Data Privacy and Regulations.
Once this is done, the same activities as for the Data Protection capability can be carried out. Like the Data Protection capability, the model for Data Privacy is divided into three distinct layers (Business, Application, and Technology).
Endpoints refer to the servers, desktops, laptops, wireless devices, mobile devices, and other OT/IoT devices connected to the Internet that may be subject to cyber threats. The Cybersecurity Framework obligates the entities to develop the capability to implement processes, controls, and technologies required to build a sustainable endpoint protection program.
Application security is another essential element of the Cybersecurity Framework, as it involves the entities' ability to prevent, detect, and correct security weaknesses during the development and acquisition of applications and in the use of existing applications deployed during the World Cup.
Network security is a critical aspect of the Cybersecurity Framework, as it covers the mechanisms and practices in place to protect the infrastructure, the hardware used across the network, and the devices connected to the network, both internally and externally. A reliable and robust network security program that implements the relevant processes, controls, and technologies while being aligned with the business needs of the system is pivotal to the smooth functioning of online services during the World Cup.
Expectedly, the Cybersecurity Framework places requirements on entities regarding having protocols that ensure adequate recovery and continuity in case any digital assets and services are the subject of an attack. It identifies all credible threats and the necessary recovery strategies the entities must have.
Identity & access management (IAM) ensures that only the relevant and appropriate individuals access critical resources at the right time. IAM fulfills the need to ensure that access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices with respect to the services provided. Entities should have mechanisms to implement IAM.
With cloud computing becoming an increasingly important aspect of the modern Internet, entities need to have the relevant capabilities in place to ensure the cloud fabric is robust enough to deal with any potential threats as well as flexible enough to accommodate the model security architectures that need to be implemented as a result of the endpoint and other security related requirements.
Most entities involved in the World Cup will be using the Infrastructure-as-a-Service (IaaS) model to leverage cloud capabilities as well as virtual computing resources such as memory and storage allocation. Under the infrastructure cloud service model, entities must complete a data classification exercise; contract a cloud service provider and sign NDAs and an SLA; agree on roles, responsibilities, and processes; and finally test a DRP to cover situations where cloud-based services are not available.
Users are now more educated and aware of their digital rights. Owing to a plethora of regulations passed globally, organizations now have an obligation to provide adequate protection to their users online via a secure infrastructure and data privacy practices that ensure their data is adequately protected at all times.
However, that is easier said than done, owing to the sheer volume of data involved. This problem is further exacerbated when it comes to mega events such as the FIFA World Cup about to be held in Qatar in 2022. Users from across the world will be in Qatar for more than a month, requiring organizations to radically overhaul and transform their cybersecurity and data privacy infrastructure and capabilities.
Attempts to approach this challenge via the traditional methods will not only fail but leave organizations ruinously unprepared to meet their obligations towards their users. Naturally, organizations must consider radical solutions that promise more effective and efficient results.
This is where Securiti can help.
Securiti is a pioneer and market leader in providing enterprise solutions in data governance and compliance. Its slew of privacy-centric products ranges from third-party vendor risk assessment and data mapping to DSR automation and universal consent. Securiti can aid your compliance efforts regarding the Cybersecurity Framework.
Most importantly, Securiti can offer your organization access to its state-of-the-art Sensitive Data Intelligence (SDI) resource to help you secure and regulate all your collected data on both cloud and on-premises systems.
From discovering and cataloging all your sensitive and dark data across your storage to creating People Data Graphs that help you gain real-time insights into your obligations towards users at the individual level, SDI can significantly alleviate your data protection and privacy concerns.
Request a demo today to see how else Securiti can help you address your data obligations per the Cybersecurity Framework.