The looming deadline for complying with the EU’s General Data Protection Regulation (GDPR) is shining a spotlight on a foundational InfoSec best practice: a comprehensive IT asset inventory.
The reason: GDPR places strict requirements on how a business handles the personal data of EU residents. (The regulation’s term “personal data” is broader than the U.S. notion of personally identifiable information, or PII: any information that identifies a person directly or indirectly is in scope.) For example, companies must know what personal data they hold on these individuals, where it is kept, with whom they share it, how they protect it, and for what purposes it is used.
An organization can’t expect to comply with GDPR if it lacks full visibility into the IT assets — hardware and software — that it’s using to process, transmit, analyze and store this data.
“If you don’t know what IT assets you’ve got, how can you effectively find the data on your network that you need to meet GDPR requirements?” said Darron Gibbard, Qualys’ Chief Technical Security Officer for the EMEA region, during a recent webcast.
Complete visibility of your IT environment and a detailed inventory of all your assets are key to a strong security and compliance posture, because the assets that pose the highest risk are the ones you don’t know are there: they are never patched, never scanned and never included in a data-protection review.
No wonder the Center for Internet Security (CIS) puts two asset inventories at the top of its 20 Critical Security Controls: Control 1, Inventory of Authorized and Unauthorized Devices, and Control 2, Inventory of Authorized and Unauthorized Software, said Qualys Director of Product Management Jimmy Graham during the webcast, titled “Gain Visibility & Control of IT Assets in a Perimeterless World.”
CIS states that organizations which implement the first five controls can mitigate roughly 85 percent of cyber attacks. And controls 3, 4 and 5 (secure configurations, continuous vulnerability assessment and remediation, and controlled use of administrative privileges) themselves depend on the first two, Graham noted. You cannot harden, scan or lock down an asset you do not know exists.
“Asset inventory is key to this,” he said.
The GDPR Regulatory Burden
Once GDPR takes effect on May 25, 2018, companies worldwide that process the data of EU residents, not just companies located in the EU, must be ready at any moment to respond promptly and comprehensively to requests about the personal data they hold.
These requests can come from the individuals themselves and from supervisory authorities. For example, an individual can invoke the “right to be forgotten” (the right to erasure, Article 17) and demand that a company delete their personal data from its IT systems; to honor that request, the company must first know every system on which the data lives.
“It’s a far ranging and far reaching regulation,” Gibbard said.
While there is no shortage of GDPR-preparedness documentation, Gibbard recommends the 12-step guide published by the U.K. Information Commissioner’s Office, “Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now,” which covers, among other things:
- Updating your procedures and planning for handling people’s data-access requests
- Identifying the legal basis for your data processing methods
- Reviewing how you seek, obtain and record people’s consent to process their PII
- Ensuring you have the right procedures to detect, report and investigate PII data breaches
- Learning how to practice “privacy by design” and how to conduct privacy impact assessments (called data protection impact assessments in the regulation)
It’s essential for the IT department not to focus solely on its own realm, Gibbard said. Instead, IT should proactively create awareness of GDPR across all business units: human resources, marketing, sales, finance, customer service, and so on.
For example, has the marketing department — without consulting the IT department — put up a website where it’s collecting customer information? If so, how is that data being processed and stored? It’s this type of stealthy Shadow IT initiative off the IT department’s radar that may land an organization in deep GDPR trouble, Gibbard said.
Keep in mind that penalties for GDPR violations can be crushing to a business: fines of up to €20 million or 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher.
IT Asset Visibility
It’s not just Shadow IT that puts you at risk of GDPR failure. Digital transformation technologies and trends — such as cloud computing, mobility, BYOD and IoT — have blurred traditional network perimeters, making IT environments hybrid, distributed and decentralized.
While they have made businesses more agile and innovative, digital transformation efforts have reduced visibility into many organizations’ IT assets, making it difficult to account for, monitor and properly protect customers’ PII, as mandated by the GDPR.
So what do you need in order to regain this visibility? A cloud-based IT asset inventory system that automates the collection and categorization of asset data, according to Graham. Specifically, he said, the system should provide the following capabilities:
- Complete visibility of your IT environment
- Deep visibility into assets
- Continuous and automatic updates
- Asset criticality rankings
- Interactive, customizable dashboarding and reporting
- Integration with your CMDB
Qualys AssetView, one of the products whose development Graham manages, contains all these capabilities.
AssetView gives you a comprehensive, detailed and continually updated inventory of all your IT assets — hardware and software — wherever they reside: on-premises, in the cloud, or on mobile endpoints.
To continuously collect and update this data, Qualys uses a variety of sensors, including:
- Physical and virtual appliances that scan IT assets located on-premises, in private clouds, or in virtualized environments
- Cloud appliances that remotely scan your infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) instances in commercial cloud computing platforms
- Lightweight, all-purpose cloud agents installed on IT assets that continuously monitor them
In this way, AssetView gives you both a complete “horizontal” list of IT assets and deep “vertical” details on each asset, including hardware specs, installed software, network connections, approved users, applied patches, and open vulnerabilities.
AssetView also lets you perform ad-hoc searches against its inventory database, as well as generate customized reports and create personalized dashboards.
With this expansive and complete view, you can see the internal IT asset landscape where all your customers’ data is stored, processed, accessed and transmitted, and build your GDPR readiness efforts upon this clarity.
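As an added illustration (this is not Qualys code and does not describe how AssetView works internally), here is the reconciliation step any multi-sensor inventory has to perform before it is useful for GDPR work: records from an endpoint agent and a network scanner are merged into one normalized asset list with per-asset details, then compared against the CMDB so that hosts seen on the network that IT never registered (the marketing signup server from the Shadow IT example above) and CMDB entries that no sensor can find any more are both surfaced. The sensor records, their field names and the CMDB entries are constructed for this example and are not a vendor schema.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample records: what two different sensors might report about
# the same network. Field names are an assumption for this illustration.
AGENT_RECORDS = [
    {"hostname": "WEB-PROD-01", "ip": "10.1.2.10", "source": "agent",
     "software": ["nginx 1.12", "openssl 1.0.2k"], "last_seen": "2017-05-10T08:00:00"},
    {"hostname": "hr-db-01", "ip": "10.1.3.5", "source": "agent",
     "software": ["postgresql 9.6"], "last_seen": "2017-05-10T07:55:00"},
]
SCANNER_RECORDS = [
    # Same host as the agent's first record, reported with different casing.
    {"hostname": "web-prod-01", "ip": "10.1.2.10", "source": "scanner",
     "software": ["nginx 1.12"], "last_seen": "2017-05-09T22:00:00"},
    # A web form the marketing team stood up without telling IT (Shadow IT).
    {"hostname": "mktg-signup", "ip": "10.1.9.44", "source": "scanner",
     "software": ["apache 2.4", "php 5.6"], "last_seen": "2017-05-09T22:05:00"},
]
# Constructed CMDB: the hosts the IT department believes it owns.
CMDB_HOSTS = {"web-prod-01", "hr-db-01", "legacy-fs-02"}


@dataclass
class Asset:
    """One merged asset: the 'vertical' detail behind a 'horizontal' list entry."""
    hostname: str
    ips: Set[str] = field(default_factory=set)
    sources: Set[str] = field(default_factory=set)
    software: Set[str] = field(default_factory=set)
    last_seen: Optional[datetime] = None


def normalize_hostname(name: str) -> str:
    """Sensors disagree on casing and whitespace; key assets on a canonical form."""
    return name.strip().lower()


def merge_inventory(*record_sets: Iterable[dict]) -> Dict[str, Asset]:
    """Fold records from any number of sensors into one asset per hostname."""
    assets: Dict[str, Asset] = {}
    for records in record_sets:
        for rec in records:
            key = normalize_hostname(rec["hostname"])
            asset = assets.setdefault(key, Asset(hostname=key))
            asset.ips.add(rec["ip"])
            asset.sources.add(rec["source"])
            asset.software.update(rec["software"])
            seen = datetime.fromisoformat(rec["last_seen"])
            # Keep the most recent sighting across all sensors.
            if asset.last_seen is None or seen > asset.last_seen:
                asset.last_seen = seen
    return assets


def reconcile(assets: Dict[str, Asset], cmdb_hosts: Iterable[str]) -> Dict[str, List[str]]:
    """Compare what the sensors saw with what the CMDB says should exist."""
    observed = set(assets)
    cmdb = {normalize_hostname(h) for h in cmdb_hosts}
    return {
        "unmanaged": sorted(observed - cmdb),  # on the network, unknown to IT
        "stale": sorted(cmdb - observed),      # in the CMDB, but no sensor finds it
        "managed": sorted(observed & cmdb),
    }


if __name__ == "__main__":
    inventory = merge_inventory(AGENT_RECORDS, SCANNER_RECORDS)
    result = reconcile(inventory, CMDB_HOSTS)
    for bucket, hosts in result.items():
        print(f"{bucket}: {hosts}")
    for host in result["unmanaged"]:
        a = inventory[host]
        print(f"  review {host}: ips={sorted(a.ips)} software={sorted(a.software)}")
```

The "unmanaged" bucket is the list to chase first for GDPR: each entry is a system that may be processing personal data without ever having been patched, scanned or included in a data-protection review. The "stale" bucket matters too, since a CMDB record with no live sensor behind it is either a decommissioned host whose data should have been disposed of, or a live host that the sensors cannot reach.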
The Time to Prepare is Now
Although GDPR takes effect a year from now, organizations need to realize that getting ready for it is a complex, lengthy process.
“Get your GDPR programs started now,” Gibbard said. “Don’t wait for January to decide what to do.”
To learn more about the essential elements of cloud-based asset inventory, read the whitepaper, “Cloud-Based IT Asset Inventory: A Solid Foundation for InfoSec Infrastructure,” and watch the recorded webcast.
For answers to your GDPR compliance questions, sign up for our May 24 webcast, “Countdown to GDPR: Reduce Your Risk” with Jonathan Armstrong, Compliance and Technology Lawyer/Partner at Cordery.