Organizations must manage risk from third parties such as contractors and suppliers, and from internal staffers and teams, as part of their compliance program for the EU’s General Data Protection Regulation (GDPR).

The need to manage vendor risk in particular is stressed repeatedly throughout the text of the GDPR, a strict and broad regulation which went into effect last week. GDPR applies to any organization worldwide that controls and processes personal data of EU residents, whose security and privacy the regulation is designed to defend.

In GDPR lingo, “data controllers” must vet the “data processors” they share EU customer information with, and assume joint responsibility for what happens to it. So your organization is liable if one of your third parties gets breached for failing to adhere to GDPR requirements and your EU customers’ personal data gets compromised.

GDPR states that controllers “shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures” and stresses that controllers must detail in contracts how their processors will handle customer data.

In this third installment of our GDPR compliance blog series, we’ll explain the importance of  carefully and continuously assessing the GDPR compliance levels of your third parties and internal staff. We’ll also explain how Qualys can help you beef up these foundational security practices so you can shrink your risk of data breaches that could put your organization on the wrong side of GDPR.

Continue reading …

To comply with GDPR, organizations typically must overhaul and update a number of internal processes and systems, but they can’t ignore a critical area: risk from vendors and other third parties such as contractors, partners, suppliers and service providers.

It’s a point that’s stressed repeatedly throughout the 88-page text of the EU’s General Data Protection Regulation (GDPR), which goes into effect in May 2018 and requires that organizations worldwide properly identify, track and protect their EU customers’ personal data.

In GDPR lingo, “data controllers” must vet the “data processors” they share this customer information with, and assume joint responsibility for what happens to it. In other words, you’re liable if one of your third parties gets breached for failing to adhere to GDPR requirements and as a result your customers’ personal data gets compromised.

Continue reading …

Third-party security assessments drastically reduce your organization’s risk of suffering a data breach. When carried out properly, these assessments identify poor InfoSec and privacy practices among your vendors, partners, contractors, and other third parties with access to your IT systems and data. Unfortunately, many businesses conduct these assessments manually, using email and spreadsheets, which makes them labor-intensive, slow and imprecise. This manual approach strains InfoSec teams and creates a backlog of security evaluations.

In a recent webcast, “Streamlining Third Party Risk Assessments in the Cloud,” a Qualys customer discussed how his organization tackled this challenge in a way that improved productivity, efficiency, visibility, and risk analysis. Below are the answers to the questions asked by participants during the Q&A portion of the presentation, provided by speakers Jonathan Osmolski, Manager of Enterprise Records and Information Governance at Pekin Insurance, and Hariom Singh, Director of Product Management for Qualys Security Assessment Questionnaire (SAQ).

Continue reading …

As your organization enthusiastically adopts cloud and mobile services from multiple new vendors, are your already-busy security and compliance teams scrambling to assess the risks of using these new providers’ products?

Are you still using a manual process for conducting these vendor evaluations, even though you’re being asked to do more of them, and to complete them more quickly?

This is an increasingly common scenario in enterprises globally, and it creates a challenge for InfoSec teams: How to do more vendor risk assessments, and faster, so that business units can deploy these new cloud and mobile services quickly and gain the desired competitive edge?

Pekin Insurance, a provider of life, business, auto, home and health coverage, found itself in this position last year: Using a manual process that taxed its InfoSec team members and didn’t scale.

Continue reading …

The SANS Institute recently released its 2017 report on cybersecurity trends. We examined the report’s six threat trends in a recent blog post, as well as in a webcast with the report’s author, security analyst John Pescatore, and with Qualys Product Management Vice President Chris Carlson. Now, we’re providing you with a useful checklist to help put you in a better position to respond these trends, which are expected to continue to dominate this year.

Continue reading …

We conclude our series on assessing third-party risk, where we’ve described scenarios in which an automated, cloud-based system can help you identify security and compliance gaps among vendors, partners and employees.

As we have outlined in this blog series, CISOs and their infosec teams need clarity and visibility not only into their IT environments, but also across their roster of trusted vendors. Organizations that don’t properly assess and manage the risk of doing business with their vendors, partners, suppliers, contractors and other third parties make their IT network and data vulnerable to hackers.

Continue reading …

We continue our series on assessing third-party risk, where we’re describing scenarios in which an automated, cloud-based system can help you identify security and compliance gaps among vendors, partners and employees.

In addition to protecting their organization’s IT environment, CISOs must also closely monitor the security and compliance policies and procedures of trusted third parties.

Continue reading …

We continue our series on assessing third-party risk, where we’re describing scenarios in which an automated, cloud-based system can help you identify security and compliance gaps among vendors, partners and employees.

As discussed in this series’ first installment, it’s short-sighted to put great effort into protecting your IT environment while ignoring the security and compliance policies and procedures of your trusted third parties.

We illustrated this principle with the hypothetical example of two CISOs — Jane and Emily — who almost simultaneously hire the same outsourcer, and grant it privileged access to their respective companies’ sensitive data and IT systems.

Continue reading …

Jane and Emily are CISOs at two large companies which about five years ago almost simultaneously hired a well-known outsourcer that provides back office business services. Both companies entrusted the outsourcer with sensitive corporate data and granted it special access to their IT systems.

Both Jane and Emily had spent a lot of time, effort and money boosting their respective companies’ physical and IT security, and tightening their compliance with external regulations and internal rules.

However, these two successful CISOs differed in a key area: third party risk management. Jane had given short shrift to this important but overlooked area. Meanwhile, Emily had made it a priority to create a formal, comprehensive, centralized and automated program for assessing third-party risk.

Continue reading …