Qualys Blog

First discussed in the 1990s and turned into law last year, the EU’s General Data Protection Regulation (GDPR) finally goes into effect in May 2018, imposing strict requirements on millions of businesses and subjecting violators to severe penalties.

The complex regulation is of concern not just to European businesses. It applies to any organization worldwide that controls and processes the data of EU citizens, whose privacy the GDPR is meant to protect.

A recent PwC survey found that more than half of U.S. multinationals say GDPR is their main data-protection priority, with 77% of them planning to spend $1 million or more on GDPR readiness and compliance.

“The GDPR is putting data protection practices at the forefront of business agendas worldwide,” Steve Durbin, Information Security Forum’s managing director, wrote recently.

In other words, it’s crunch time for companies that fall within the GDPR’s broad scope and that haven’t completed their preparations to comply with this regulation. Gartner estimates that about half of organizations subject to the GDPR will be non-compliant by the end of 2018. You don’t want to be in this group of laggards.

Continue reading …

With 2017 still in its infancy, plenty of time remains for InfoSec practitioners to make concrete strides toward better security and compliance in their organizations. That’s why to help you start off the year on the right foot, we’ve shared best practices, ideas and recommendations in our Qualys Top 10 Tips for a Secure & Compliant 2017 blog series.

Continue reading …

As we continue our Qualys Top 10 Tips for a Secure & Compliant 2017 blog series, we zoom in on the all important area of compliance and risk monitoring, a key element of any comprehensive security program.

IT compliance and risk managers don’t have it easy. You face an increasingly complex regulatory landscape, constantly evolving industry standards and a technology environment that’s changing at a dizzying pace. It falls on your shoulders to make sure your organizations follow rules, regulations, laws, standards and practices in areas of IT across all business functions.

In this post, we’ll offer tips 5 – 7 on our list, to help you:

• Ensure internal and external IT compliance

• Assess procedural and technical controls among vendors to reduce the risk of doing business with them

• Comply with the Payment Card Industry Data Security Standard (PCI DSS)

Continue reading …

Vulnerabilities can be serious threats. Once found, system administrators try everything to restore security, such as patching and mitigating. Patching is always the first choice since it’s normally the definitive way to resolve the vulnerability. However, system administrators will sometimes need to mitigate, especially in two cases:

Case 1. A patch has not been released by the vendor.
Case 2. Patching the vulnerability isn’t a high priority in the customer’s environment but still needs to be addressed.

Many vulnerabilities can be mitigated by changing a specific configuration setting in the OS or application. In this blog post, I use HTTPoxy as an example of how Qualys Policy Compliance can play an important role in this type of mitigation by identifying and reporting on all your systems that don’t have the desired configuration.

Continue reading …