Organizations must manage risk from third parties such as contractors and suppliers, and from internal staffers and teams, as part of their compliance program for the EU’s General Data Protection Regulation (GDPR).
The need to manage vendor risk in particular is stressed repeatedly throughout the text of the GDPR, a strict and broad regulation which went into effect last week. GDPR applies to any organization worldwide that controls and processes personal data of EU residents, whose security and privacy the regulation is designed to defend.
In GDPR lingo, “data controllers” must vet the “data processors” they share EU customer information with, and assume joint responsibility for what happens to it. So your organization is liable if one of your third parties gets breached for failing to adhere to GDPR requirements and your EU customers’ personal data gets compromised.
GDPR states that controllers “shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures” and stresses that controllers must detail in contracts how their processors will handle customer data.
In this third installment of our GDPR compliance blog series, we’ll explain the importance of carefully and continuously assessing the GDPR compliance levels of your third parties and internal staff. We’ll also explain how Qualys can help you beef up these foundational security practices so you can shrink your risk of data breaches that could put your organization on the wrong side of GDPR.
Third party risk assessments: manual vs. automated
These business-process control assessments are conducted via surveys to poll third parties on things like their business continuity plans, regulatory compliance and data security safeguards. After collecting and analyzing the survey responses, an organization can determine the level of risk involved in giving particular third parties access to its systems and data.
Historically, these polls have been conducted manually, usually by emailing survey questionnaires and tracking responses on spreadsheets. But manual processes are arduous, erratic and costly. To conduct your third-party risk assessments efficiently, accurately and frequently, you need a solution that centralizes management of these campaigns and automates the entire process.
Qualys’ Security Assessment Questionnaire (SAQ) has been designed to do just that.
With SAQ, you can scale and accelerate the third-party risk assessment lifecycle, including survey design, response monitoring, data aggregation and report generation.
SAQ lets you poll your cloud providers, partners, contractors, vendors, suppliers, consultants and other third parties to make sure they’re handling the EU personal information you share with them according to GDPR requirements.
SAQ automates tedious manual tasks, yields unparalleled accuracy and speeds up campaigns. It lets organizations quickly and precisely identify security and compliance gaps among third parties, as well as internally among its employees.
Internal risk assessments
SAQ also helps you make internal assessments through the review of process controls, policies and procedures for Infosec, and data classification and gathering. With SAQ, you can automate and streamline the entire process of collecting information about EU residents’ data from your internal teams, and understand the location, user access and security controls for any personal data in your network, a key GDPR requirement.
Internally, organizations also may need to do data privacy impact assessments for individual apps, ensure they have the appropriate records regarding data processing, and document where the data will be stored, where it will be transferred to, and how it will be protected.
Many organizations have hundreds of apps both behind the firewall and exposed via the Internet, so obtaining pertinent information to show GDPR compliance can be a major undertaking. This is a fairly complex task that will involve choreographing data collection from dozens or hundreds of individuals inside and outside of your organization.
With SAQ, organizations can automate assessment and data gathering, perform internal risk and readiness assessments, collect information to classify and validate data, ensure data privacy considerations are applied, and verify procedural controls regularly.
They can do this by building custom questionnaires, or by tapping Qualys SAQ’s extensive content library, as well as hundreds of templates for assessing vendor risk and for checking compliance with many other audit frameworks such as NIST 800.53.
SAQ features — a closer look
Here’s a snapshot of SAQ features and capabilities that can assist organizations with GDPR compliance efforts:
- GDPR templates
SAQ has GDPR questionnaire templates that break down requirements into granular detail and helps you assess your business readiness for compliance, including:
GDPR Business Readiness Self-Assessment: Designed to identify key areas where operational changes will be required and to assist the organization in prioritizing efforts for the GDPR compliance.
GDPR Data Inventory and Mapping: Helps in assessing the process to identify, locate, classify and map the flow of GDPR-protected data.
GDPR Accountability and Responsibility Assessment: Helps in assessing the process of accountability and responsibility in terms of data governance as per GDPR requirements.
GDPR Data Privacy Assessment in Operations: Focuses on assessing the appropriate technical and organizational measures to protect EU residents’ personal data from loss or unauthorized access or disclosure.
GDPR Third-Party Vendor Assessment: Helps to identify and assess the requirements of the third-party vendors you share personal data of EU residents with.
GDPR Data Incident and Breach Notification Assessment: Helps in the assessment of GDPR’s data breach notification and communication requirements.
GDPR Data Protection and Privacy Impact Assessment: Helps organizations in the assessment of the privacy risks and data protection safeguards of new projects.
With these templates, all you have to do is identify your area of concern and leverage the appropriate template with built-in content for procedural assessments. You can also customize the questionnaires to suit your organization’s specific organizational requirements or workflows. With the questionnaire responses that you receive, you can generate proof of GDPR compliance with detailed reports.
- Intuitive and flexible design of questionnaires and campaigns
SAQ’s wizard walks organizations through the creation of campaigns. Questions can have different formats. Survey designers can require that evidence files be attached to certain answers. By simplifying the design of campaigns, and making it possible to tailor questionnaire elements, organizations will increase the likelihood of receiving clear and well documented answers that accurately reflect an internal team’s or a third party’s capacity to comply with GDPR requirements.
- Simplified questionnaire distribution
SAQ eliminates the need to set up user accounts, because it auto-provisions the surveys. Respondents complete surveys on browser-based forms, and can delegate questions they can’t answer. Administrators can trigger reminder emails to respondents, and set up recurring campaigns. These features will make the experience of filling out a questionnaire convenient for respondents, and give survey administrators the tools to make sure questionnaires are distributed and answered on a timely basis, all important elements for a complex regulation like GDPR.
- Automated campaign tracking
SAQ captures responses in real time and aggregates them in one central management console. It displays charts that are updated in real time, and lets administrators drill down to individual survey responses, and slice and dice results, giving them more control and visibility into the process of assessing third parties’ and internal teams’ level of GDPR preparedness. SAQ also generates proof of compliance with detailed reports, and caters to a variety of users, including upper management via executive-level dashboards, and auditors with more detailed views of the data, all key constituencies for such a high profile regulation as GDPR. Administrators can create custom dashboards and from the central console track and manage simultaneously multiple concurrent campaigns, staying in control of their progress.
- Question gating
Simply create rules while configuring the template to dynamically show or hide questions. When a questionnaire using this template is sent to the responder, questions, sections or subsections will be dynamically hidden or shown, depending on the answers given.
SAQ lets you assign criticality levels to questions, and affix scores for answer options in the questionnaire templates. The question criticality scale is customizable with labels and answer weights. When generating reports, organizations can filter by question criticality and answer scores to derive an overall risk score or identify high- risk areas. This helps your team zero in on potential problems with your third parties’ or internal teams’ abilities to protect your customers’ data, which could in turn land you in trouble with GDPR regulators.
- Assessments for all types and stages of vendor relationships
SAQ lets you quickly and easily design and deploy risk assessment campaigns for all types of vendor relationships, and for every stage in your contractual engagement. As previously stated, this is key for complying with GDPR, which demands that “data collectors” know exactly who is processing their customers’ data, for what purpose, in what manner and with which protections and precautions. That includes any third party with access to that data, ranging from a large, multinational cloud computing provider you’ve been doing business with for many years, to a small contractor you’ve just hired.
Leverage SAQ for your GDPR compliance
With SAQ, you can adopt a uniform, automated process — including design of questionnaires, distribution of surveys and tracking of campaigns — that every department in your organization can follow to do frequent and in-depth assessments of GDPR compliance.
In summary, Qualys gives you single-pane visibility of your risk both internally, and across third-party data processors, helping your organization maintain continuous visibility of their GDPR compliance state.
In our next post in this blog series, we’ll look into the importance for GDPR compliance of assessing the security configurations of IT systems throughout your network.
(Pushpak Pradhan is a Qualys Product Manager)
To learn more about how Qualys solutions can help you become GDPR compliant, visit qualys.com/gdpr where you can download our free interactive guide.
Read the other blog posts in this GDPR series: