Organizations must manage risk from third parties such as contractors and suppliers, and from internal staffers and teams, as part of their compliance program for the EU’s General Data Protection Regulation (GDPR).

The need to manage vendor risk in particular is stressed repeatedly throughout the text of the GDPR, a strict and broad regulation which went into effect last week. GDPR applies to any organization worldwide that controls and processes personal data of EU residents, whose security and privacy the regulation is designed to defend.

In GDPR lingo, “data controllers” must vet the “data processors” they share EU customer information with, and assume joint responsibility for what happens to it. So your organization is liable if one of your third parties gets breached for failing to adhere to GDPR requirements and your EU customers’ personal data gets compromised.

GDPR states that controllers “shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures” and stresses that controllers must detail in contracts how their processors will handle customer data.

In this third installment of our GDPR compliance blog series, we’ll explain the importance of  carefully and continuously assessing the GDPR compliance levels of your third parties and internal staff. We’ll also explain how Qualys can help you beef up these foundational security practices so you can shrink your risk of data breaches that could put your organization on the wrong side of GDPR.

Continue reading …

The EU’s General Data Protection Regulation (GDPR) goes into effect  today, imposing strict security requirements on any company worldwide that handles the personal data of EU residents. Qualys Security Assessment Questionnaire (SAQ) – a Qualys app that helps you with this type of procedural risk assessment — has been enhanced with new GDPR-specific templates.

Assessing  procedural controls can be challenging. However, a huge amount of time and money can be saved if you have out-of-the-box questionnaire templates that you can distribute as is or slightly modify as necessary, instead of having to craft questionnaires from scratch.  

This is one of the ways that Qualys SAQ can help you carry out holistic assessments of GDPR procedural compliance and generate reports based on responses.

Continue reading …

To comply with GDPR, organizations typically must overhaul and update a number of internal processes and systems, but they can’t ignore a critical area: risk from vendors and other third parties such as contractors, partners, suppliers and service providers.

It’s a point that’s stressed repeatedly throughout the 88-page text of the EU’s General Data Protection Regulation (GDPR), which goes into effect in May 2018 and requires that organizations worldwide properly identify, track and protect their EU customers’ personal data.

In GDPR lingo, “data controllers” must vet the “data processors” they share this customer information with, and assume joint responsibility for what happens to it. In other words, you’re liable if one of your third parties gets breached for failing to adhere to GDPR requirements and as a result your customers’ personal data gets compromised.

Continue reading …

As you roll out Security Assessment Questionnaire to your vendors and internal stakeholders, it is necessary to avoid lengthy questionnaires containing many sections with questions that are not relevant to their area of work. It is important that respondents don’t get overwhelmed and spend a lot of time and effort in sifting through all the questions deciding for themselves whether a section or a question is relevant or applicable to them. Invariably, this results in delays in getting their responses back to you.

The latest version of Security Assessment Questionnaire enables you to use a gating mechanism for controlling the flow of your questionnaire. You can now decide which questions or sections a respondent can see, based on his response to a question or a combination of questions. This makes it easier for respondents to see and respond to only relevant sections and questions thereby making the entire exercise more time-efficient for them. It is also easier for you to analyze all the consolidated responses.

Continue reading …