Qualys Blog

From the first page, the EU’s General Data Protection Regulation stresses the importance it places on the security and privacy of EU residents’ private information. The 88-page document opens by referring to the protection of this personal data as a “fundamental right” essential for “freedom, security and justice” and for creating the “trust” needed for the “digital economy” to flourish.

The stakes are sky-high for EU regulators tasked with enforcing GDPR, and for organisations that must comply with it. The requirements outlined in the document amount to what some have called “zero-tolerance” on mishandling EU residents’ personally identifiable information (PII) and apply to any organisation doing business in the EU, regardless of where they are based.

Both data “controllers” — those who collect the data — and data “processors” — those with whom it’s shared — must implement “appropriate technical and organisational measures” and their IT networks and systems must “resist, at a given level of confidence, accidental events or unlawful or malicious actions.”

Bottom line: Organisations are expected to have technology and processes in place to prevent accidental or malicious incidents that compromise the “availability, authenticity, integrity and confidentiality of stored or transmitted personal data.”

As we’ve discussed in this GDPR preparedness blog series, while the regulation’s document is light on specific prescriptive information security controls and technologies, organisations must have solid InfoSec foundations in place to comply with this regulation, which goes into effect in May 2018.

In prior installments, we’ve discussed the importance for GDPR compliance of IT asset inventory, vulnerability management, prioritization of remediation based on current threats, and vendor risk assessment. Today, we’ll focus on another core component for preparing for GDPR: policy compliance.

Continue reading …

If your organization needs a compelling reason for establishing or enhancing its vulnerability management program, circle this date in bold, red ink on your corporate calendar: May 25, 2018.

On that day, the EU’s General Data Protection Regulation (GDPR) goes into effect, intensifying the need for organizations to painstakingly protect EU residents’ data from accidental mishandling and foul play.

While complying with GDPR involves adopting and modifying a variety of IT systems and business processes, having comprehensive and effective vulnerability management should be key in your efforts.

Why? Too many preventable data breaches occur because hackers exploit well-known vulnerabilities for which patches are available but haven’t been installed.

Continue reading …

To comply with GDPR, organizations typically must overhaul and update a number of internal processes and systems, but they can’t ignore a critical area: risk from vendors and other third parties such as contractors, partners, suppliers and service providers.

It’s a point that’s stressed repeatedly throughout the 88-page text of the EU’s General Data Protection Regulation (GDPR), which goes into effect in May 2018 and requires that organizations worldwide properly identify, track and protect their EU customers’ personally identifiable information (PII).

In GDPR lingo, “data controllers” must vet the “data processors” they share this customer information with, and assume joint responsibility for what happens to it. In other words, you’re liable if one of your third parties gets breached for failing to adhere to GDPR requirements and as a result your customers’ personal data gets compromised.

Continue reading …

The EU’s GDPR (General Data Protection Regulation) demands that organizations stringently protect EU residents’ data they hold, share and process, which requires having solid InfoSec practices, including threat prioritization.

No, there is no specific mention of prioritization of vulnerability remediation in the regulation’s text. In fact, only a few InfoSec technologies and practices are mentioned by name.

What is stressed throughout the 88-page document is the call for both data “controllers” and data “processors” to protect this customer information by implementing “appropriate technical and organisational measures”, a phrase repeated multiple times.

Continue reading …

Anyone questioning the importance of IT asset visibility in an organization’s security and compliance postures ought to review the EU’s General Data Protection Regulation (GDPR), which goes into effect next year.

With the severe requirements the GDPR places on how a business handles the personal data of EU residents, it’s clear a comprehensive IT asset inventory is a must for compliance.

Specifically, companies must know what personally identifiable information (PII) they hold on these individuals, where it’s stored, with whom they’re sharing it, how they’re protecting it, and for what purposes it’s being used.

In this second installment of our blog series on GDPR readiness, we’ll explain how organizations need full visibility into all hardware and software involved in the processing, transmission, analysis and storage of this PII data, so they’re able to protect it and account for it as required by the regulation.

Continue reading …

First discussed in the 1990s and turned into law last year, the EU’s General Data Protection Regulation (GDPR) finally goes into effect in May 2018, imposing strict requirements on millions of businesses and subjecting violators to severe penalties.

The complex regulation is of concern not just to European businesses. It applies to any organization worldwide that controls and processes the data of EU citizens, whose privacy the GDPR is meant to protect.

A recent PwC survey found that more than half of U.S. multinationals say GDPR is their main data-protection priority, with 77% of them planning to spend $1 million or more on GDPR readiness and compliance.

“The GDPR is putting data protection practices at the forefront of business agendas worldwide,” Steve Durbin, Information Security Forum’s managing director, wrote recently.

In other words, it’s crunch time for companies that fall within the GDPR’s broad scope and that haven’t completed their preparations to comply with this regulation. Gartner estimates that about half of organizations subject to the GDPR will be non-compliant by the end of 2018. You don’t want to be in this group of laggards.

Continue reading …

The looming deadline for complying with the EU’s General Data Protection Regulation (GDPR) is shining the spotlight on a foundational InfoSec best practice: A comprehensive IT asset inventory.

The reason: GDPR places strict requirements on the way a business handles the personally identifiable information (PII) of EU residents. For example, companies must know what PII they hold on these individuals, where it’s kept, with whom they’re sharing it, how they’re protecting it, and for what purposes it’s being used.

An organization can’t expect to comply with GDPR if it lacks full visibility into the IT assets — hardware and software — that it’s using to process, transmit, analyze and store this data.

“If you don’t know what IT assets you’ve got, how can you effectively find the data on your network that you need to meet GDPR requirements?” said Darron Gibbard, Qualys’ Chief Technical Security Officer for the EMEA region, during a recent webcast.

Continue reading …

As we continue our Qualys Top 10 Tips for a Secure & Compliant 2017 blog series, we zoom in on the all important area of compliance and risk monitoring, a key element of any comprehensive security program.

IT compliance and risk managers don’t have it easy. You face an increasingly complex regulatory landscape, constantly evolving industry standards and a technology environment that’s changing at a dizzying pace. It falls on your shoulders to make sure your organizations follow rules, regulations, laws, standards and practices in areas of IT across all business functions.

In this post, we’ll offer tips 5 – 7 on our list, to help you:

• Ensure internal and external IT compliance

• Assess procedural and technical controls among vendors to reduce the risk of doing business with them

• Comply with the Payment Card Industry Data Security Standard (PCI DSS)

Continue reading …

On May 26th 2011, a new EU directive was adopted that requires web sites to gain consent from visitors before they can store cookies or other information used to track a user’s actions. While the EU Cookie legislation went into effect last year, the UK’s Information Commissioner’s Office (ICO) set May 26th of 2012 as the enforcement date.  The ICO is the body responsible for enforcing the UK regulation, with authority to levy fines on web site owners up to £500,000.

A Better Way to Identify Cookies

In order to comply with the EU regulations and avoid the UK ICO fines, organizations need to understand what cookies their web sites are issuing and the conditions in which they are issued.  Most web application scanning solutions will report the cookies that a web site is issuing. This includes cookies that may be issued by 3rd party sites that have embedded content commonly used to track users for marketing purposes.  QualysGuard WAS has provided this information for some time via the Information Gathered (IG) QID 150028 (Cookies Collected).  However, the way that the cookies are collected for QID 150028 as well as the way other web application scanners gather cookies may lead to the inclusion of cookies that were issued after the scanner automatically triggered the explicit user consent action.   This is because web application scanners typically follow all links, including those that are most commonly used to obtain user consent.  What organizations that wish to to gain a user’s explicit consent really need is a way to identify only the cookies that are issued without automatically issuing any user consent actions.  In order to address this use case, QualysGuard WAS has implemented a new test (QID 150099), which avoids the most common user consent techniques while gathering cookies from the web site.  In doing so, QualysGuard WAS provides organizations with information about the cookies they are issuing without the user’s consent.

Steps to Identify Cookies Issued Without User Consent

The best thing about the new test is that WAS includes it as a standard check during all scans run on or after 26 May, 2012.  So organizations using WAS do not need to alter their scan configuration to take advantage of the new test.

To view the cookies issued without user consent in QualysGuard WAS, follow these steps:

1. Log into QualysGuard WAS v2 and navigate to the “Scans” tab.

2. Use the filter panel date selection on the lower left to filter scans to those run on or after 5/26/2012

3. Select the scan and using the quick action menu, choose “View Report”

4. Once the report is open, select the “Results” tab

5. In the filter panel on the left,check the box next to the ‘1’ in the “Information Gathered Levels” section

6. You should see a number of results that are level 1 Information Gathered (IG) items – click on the one with QID 150099.  This will show you the cookies that were identified as being issued without any user consent.

Compliance with the Regulation

If you identify any cookies that are subject to the regulation that require user consent – the next step is to set up specific user consent prompts within the web site such that the user can make an informed decision whether to accept or reject the cookies that are being set.  The implementation of this will usually take the form of a pop up dialog or prompt, but the actual implementation details will vary based on the organization.

See more information on the new EU Cookie Law and the UK ISO enforcement.