Qualys Blog

www.qualys.com
2 posts

Countdown to GDPR: IT Policy Compliance

From the first page, the EU’s General Data Protection Regulation stresses the importance it places on the security and privacy of EU residents’ private information. The 88-page document opens by referring to the protection of this personal data as a “fundamental right” essential for “freedom, security and justice” and for creating the “trust” needed for the “digital economy” to flourish.

The stakes are sky-high for EU regulators tasked with enforcing GDPR, and for organisations that must comply with it. The requirements outlined in the document amount to what some have called “zero-tolerance” on mishandling EU residents’ personally identifiable information (PII) and apply to any organisation doing business in the EU, regardless of where they are based.

Both data “controllers” — those who collect the data — and data “processors” — those with whom it’s shared — must implement “appropriate technical and organisational measures” and their IT networks and systems must “resist, at a given level of confidence, accidental events or unlawful or malicious actions.”

Bottom line: Organisations are expected to have technology and processes in place to prevent accidental or malicious incidents that compromise the “availability, authenticity, integrity and confidentiality of stored or transmitted personal data.”

As we’ve discussed in this GDPR preparedness blog series, while the regulation’s document is light on specific prescriptive information security controls and technologies, organisations must have solid InfoSec foundations in place to comply with this regulation, which goes into effect in May 2018.

In prior installments, we’ve discussed the importance for GDPR compliance of IT asset inventory, vulnerability management, prioritization of remediation based on current threats, and vendor risk assessment. Today, we’ll focus on another core component for preparing for GDPR: policy compliance.

Continue reading …

Examining the Current State of Database Security

Considering that database systems hold extremely valuable and sensitive information, one would assume that most organizations would fiercely protect these “crown jewels” with great care. Unfortunately, that is not the case.

Throngs of databases in organizations worldwide are unsafe, at high risk of being breached by malicious hackers, rogue employees and crooked partners. This sorry state of database security puts financial data, customer information, health records, intellectual property treasures and more in grave danger.

Below we’ll discuss the two main causes for database security breakdowns — unpatched vulnerabilities and configuration errors — along with helpful tips for reducing the risk of database breaches.

Continue reading …