Most discussions about the EU’s General Data Protection Regulation (GDPR) have naturally focused on best practices for achieving compliance and avoiding penalties.
With GDPR now a reality for all companies that store and process personal data of EU residents, an often overlooked aspect has been the overall business advantage of GDPR preparedness.
In this GDPR blog series’ last installment, Hariom Singh, Director of Policy Compliance at Qualys, delves into this topic. Later, we round up major areas covered in previous posts, and summarize how Qualys can help with GDPR compliance.
With organizations aggressively moving workloads to public cloud platforms, such as Amazon’s AWS, protecting these environments is critical for complying with the EU’s General Data Protection Regulation (GDPR).
GDPR, which went into effect in May, imposes strict requirements on millions of businesses worldwide that control and process the personal data of EU residents.
Public cloud platforms are being used to power digital transformation initiatives across many business functions where EU residents’ personal data is likely to be stored, processed and shared.
Thus, organizations need complete visibility into their public clouds, and they must have a solid security and compliance posture in these environments that includes vulnerability management, asset inventory, web app scanning, DevSecOps pipeline protection, and IT configuration controls.
With web and mobile apps becoming a preferred vector for data breaches, organizations must include application security in their plans for complying with the EU’s General Data Protection Regulation (GDPR.) GDPR went into effect in May, imposing strict requirements on millions of businesses worldwide that control and process the personal data of EU residents.
While GDPR makes only a few, vague references to technology, it’s clear that, for compliance, infosec teams must demonstrate that their organizations are doing their best to prevent accidental or malicious misuse of EU residents’ personal data.
Thus, organizations must have a rock-solid security foundation for superior data breach prevention and detection, and web application security has to be a core component of it.
In this blog series, we’re discussing solid security practices that are key for General Data Protection Regulation (GDPR) compliance, and today we’ll address another crucial one: Indication of compromise (IOC).
In a nutshell, IOC can help customers who are dealing with unauthorized access to customer personal data by an external threat actor or adversary.
This makes IOC particularly relevant to GDPR’s stringent requirements for providing integrity, control, accountability and protection of EU residents’ personal data.
Read on to learn why IOC is critical for complying with GDPR, which went into effect in May, and how Qualys can help you.
In this latest post of our series on the EU’s General Data Protection Regulation, we’ll explain how file integrity monitoring (FIM) can be crucial in helping organizations comply with this severe regulation.
GDPR, which went into effect in May and applies to organizations worldwide that handle EU residents’ personal data, provides few details of specific security technologies and processes organizations should adopt.
However, it’s clear from the GDPR text that the regulators expect organizations to demonstrate that they’re doing all they can to protect their EU customers’ personal data from malicious and accidental misuse. For InfoSec teams this means providing a rock-solid security foundation that gives their organizations superior data breach prevention and detection.
File integrity monitoring (FIM) specifically provides security controls in three key areas for GDPR:
Ensuring integrity of data stored in filesystems
Protecting confidentiality of data by detecting changes to filesystem access controls
In prior installments of this GDPR compliance blog series, we’ve discussed the importance of key security practices such as IT asset inventory and vulnerability management. Today, we’ll focus on another core component for GDPR: policy compliance.
As we’ve stated before, to comply with the EU’s General Data Protection Regulation (GDPR), organizations must show they’re doing all they can to protect their EU customers’ personal data. Thus, InfoSec teams must provide a rock-solid security foundation that gives organizations superior data breach prevention and detection.
With a strong IT policy compliance program, organizations can deploy and manage their IT environment according to applicable government regulations, industry standards and internal requirements.
For organizations, it’s critical to establish a lifecycle for managing assets and controls to protect the data they contain. One must continuously: identify IT assets and scope, define control objectives, automate control assessment, prioritize fixes, and ultimately remediate the security configuration problems.
To be effective, this entire process must be trackable by auditors and must maintain the proper reports and dashboards necessary to drive continuous improvement. Organizations must have this knowledge not only to properly protect their EU customers’ personal data — the regulation’s core goal — but also to comply with other GDPR requirements.
After gaining complete visibility into their IT assets, organizations can create data maps and decide which technical controls it needs to secure EU residents’ personal data in a way that meets GDPR’s considerable expectations and strict requirements.
Organizations must manage risk from third parties such as contractors and suppliers, and from internal staffers and teams, as part of their compliance program for the EU’s General Data Protection Regulation (GDPR).
The need to manage vendor risk in particular is stressed repeatedly throughout the text of the GDPR, a strict and broad regulation which went into effect last week. GDPR applies to any organization worldwide that controls and processes personal data of EU residents, whose security and privacy the regulation is designed to defend.
In GDPR lingo, “data controllers” must vet the “data processors” they share EU customer information with, and assume joint responsibility for what happens to it. So your organization is liable if one of your third parties gets breached for failing to adhere to GDPR requirements and your EU customers’ personal data gets compromised.
GDPR states that controllers “shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures” and stresses that controllers must detail in contracts how their processors will handle customer data.
In this third installment of our GDPR compliance blog series, we’ll explain the importance of carefully and continuously assessing the GDPR compliance levels of your third parties and internal staff. We’ll also explain how Qualys can help you beef up these foundational security practices so you can shrink your risk of data breaches that could put your organization on the wrong side of GDPR.
The EU’s General Data Protection Regulation (GDPR) goes into effect today, imposing strict security requirements on any company worldwide that handles the personal data of EU residents. Qualys Security Assessment Questionnaire (SAQ) – a Qualys app that helps you with this type of procedural risk assessment — has been enhanced with new GDPR-specific templates.
Assessing procedural controls can be challenging. However, a huge amount of time and money can be saved if you have out-of-the-box questionnaire templates that you can distribute as is or slightly modify as necessary, instead of having to craft questionnaires from scratch.
This is one of the ways that Qualys SAQ can help you carry out holistic assessments of GDPR procedural compliance and generate reports based on responses.
To provide the level of data protection required by the EU’s General Data Protection Regulation (GDPR), your organization must continuously detect vulnerabilities, and prioritize their remediation.
Why? An InfoSec team that’s chronically overwhelmed by its IT environment’s vulnerabilities and unable to pinpoint the critical ones that must be remediated immediately is at a high risk for data breaches, and, consequently, for GDPR non-compliance.
The Center for Internet Security (CIS) ranks “Continuous Vulnerability Assessment and Remediation” as the fourth most important practice in its 20 Critical Security Controls. “Organizations that do not scan for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their computer systems compromised,” CIS states.
In fact, hackers constantly exploit common vulnerabilities and exposures (CVEs) for which patches have been available for weeks, months and even years. The reason: Many organizations fail to detect and remediate critical bugs on a timely basis, leaving them like low-hanging fruit for cyber data thieves to feast on.
In this second installment of our GDPR compliance blog series, we’ll explain the importance of vulnerability management and threat prioritization, and how Qualys can help you solidify these practices so you can slash your risk of data breaches.
Turned into law in 2016, the EU’s General Data Protection Regulation (GDPR) finally goes into effect this week, slapping strict requirements on millions of businesses and subjecting violators to severe penalties. The complex regulation applies to any organization worldwide — not just in Europe — that controls and processes personal data of EU residents, whose security and privacy GDPR fiercely protects.
GDPR calls this data’s protection a “fundamental right” essential for “freedom, security and justice” and for creating the “trust” needed for the “digital economy” to flourish. Its requirements amount to what some have called zero-tolerance on mishandling EU residents’ personal data.
A PwC survey found that more than half of U.S. multinationals say GDPR is their main data-protection priority, with 77% planning to spend $1 million or more on GDPR readiness. “Data protection has been a thing organizations know about, but GDPR has brought it all to the forefront,” Richard Sisson, Senior Policy Officer at the U.K.’s Information Commissioner’s Office (ICO) said during a recent GDPR roundtable.
Most discussions about the EU’s General Data Protection Regulation (GDPR) have naturally focused on best practices for achieving compliance and avoiding penalties.