Qualys Blog

www.qualys.com
Tim White

Countdown to GDPR: IT Policy Compliance

From the first page, the EU’s General Data Protection Regulation stresses the importance it places on the security and privacy of EU residents’ private information. The 88-page document opens by referring to the protection of this personal data as a “fundamental right” essential for “freedom, security and justice” and for creating the “trust” needed for the “digital economy” to flourish.

The stakes are sky-high for EU regulators tasked with enforcing GDPR, and for organisations that must comply with it. The requirements outlined in the document amount to what some have called “zero-tolerance” on mishandling EU residents’ personally identifiable information (PII) and apply to any organisation doing business in the EU, regardless of where they are based.

Both data “controllers” — those who collect the data — and data “processors” — those with whom it’s shared — must implement “appropriate technical and organisational measures” and their IT networks and systems must “resist, at a given level of confidence, accidental events or unlawful or malicious actions.”

Bottom line: Organisations are expected to have technology and processes in place to prevent accidental or malicious incidents that compromise the “availability, authenticity, integrity and confidentiality of stored or transmitted personal data.”

As we’ve discussed in this GDPR preparedness blog series, while the regulation’s document is light on specific prescriptive information security controls and technologies, organisations must have solid InfoSec foundations in place to comply with this regulation, which goes into effect in May 2018.

In prior installments, we’ve discussed the importance for GDPR compliance of IT asset inventory, vulnerability management, prioritization of remediation based on current threats, and vendor risk assessment. Today, we’ll focus on another core component for preparing for GDPR: policy compliance.

IT Policy Compliance and GDPR

When an organisation deploys and manages its IT environment according to applicable government regulations, industry standards and internal requirements, it is engaging in IT policy compliance.

For organisations, it’s critical to establish a lifecycle for managing assets and controls to protect the data they contain. One must continuously: identify IT assets and scope, define control objectives, automate control assessment, prioritize fixes, and ultimately remediate the security configuration problems. To be effective, this entire process must be trackable by auditors and must maintain the proper reports and dashboards necessary to drive continuous improvement.

In the specific case of GDPR, organisations must know what EU resident personal data they hold, where it’s stored, why it was collected, how it’s being used and with whom it’s being shared. That’s a tall order.

Organisations must have this knowledge not only to properly protect this data — the regulation’s core goal — but also to comply with other GDPR requirements, such as:

  • verifying consent was properly obtained from the EU residents whose personal data was collected
  • quickly detecting and reporting data breaches
  • proving data is being processed legally  
  • abiding by the principles of data protection by design and by default  
  • generating comprehensive reports for auditors and regulators
  • fulfilling demands from individual EU residents to, for example, access, control, receive, delete and/or correct their personal data

After gaining complete visibility into their IT assets, organisations can create data maps and decide which technical controls they need to secure EU residents’ personal data in a way that meets GDPR’s considerable expectations and strict requirements.

Qualys Policy Compliance Can Help with GDPR

With Qualys Policy Compliance (PC), organisations can validate and track access to the files and databases on the systems involved in the storage and processing of this data, wherever it resides — on premises, in clouds or on endpoints.

Qualys PC also helps organisations eliminate security configuration exposures, thus reducing the risk of unauthorized access, and enforce proper security controls with out-of-the-box mandate-based reporting for GDPR requirements.

Among its many features and capabilities, Qualys PC provides organisations:

  • complete visibility of their IT assets’ compliance status on premises, in cloud instances, and on endpoints
  • native templates and custom controls tailored for particular regulations including GDPR and other EU regional standards, as well as industry standards such as CIS Benchmark and DISA STIG, simplifying your compliance process
  • the ability to automate the evaluation of requirements against multiple standards, so organisations can identify issues quickly and prevent configuration drift
  • a repeatable and auditable process for compliance management with prioritized remediation reports and exception management workflow
  • compliance data available in dashboards and reports for different constituents: CxOs, auditors, risk managers, IT

Considering the stiff penalties for GDPR violations — including fines of up to €20 million or 4% of annual revenue, whichever is higher — organisations should cut their risk for “compliance drift” by avoiding manual assessments on months-long cycles.

In addition to GDPR, Qualys PC can help you comply with many other regulatory, industry and internal IT policy requirements. It covers more than 100 CIS certified policies, more than 40 vendor and mandate policies and over 100 versions of 60-plus technologies.

This breadth of coverage and versatility makes Qualys PC uniquely qualified to help your organisation overcome the challenges of IT policy compliance today, caused by trends such as:

  • IT compliance requirements are increasing in number and complexity, as governments issue more regulations, industry groups release more mandates and organisations’ own internal departments generate more policies.
  • IT environments that were previously homogeneous, residing mostly on premises, are increasingly hybrid and distributed, as organisations pursue digital transformation benefits via the adoption of technologies such as cloud computing, mobility, IoT and others.
  • The threat landscape is constantly changing, as hackers get more aggressive and their attacks more sophisticated, while the consequences of suffering security breaches are increasingly dire for affected organisations.

As part of the highly scalable Qualys Cloud Platform, PC doesn’t require any software to install or maintain — it’s accessed from the cloud via a web browser — and supports both remote scanning and agent-based assessment.

Along with PC, Qualys offers a growing suite of cloud-based, self-managed security and compliance apps for the needs of all your InfoSec and compliance teams, including those in charge of protecting on premises systems, public cloud infrastructure, web apps, DevSecOps environments and endpoint devices.

Let Qualys Assist You with GDPR Preparedness

With Qualys PC, you will end up with the right controls and a repeatable assessment process for GDPR, so you can define compliance objectives, prioritize fixes, remediate security configuration problems, and document compliance in reports.


To learn more about how Qualys solutions can help you become GDPR compliant, visit qualys.com/gdpr where you can download our free guide and watch our webcast.

(Tim White is a Director of Product Management at Qualys)
