Why PT is so important for your business

Why penetration testing is so important for your business

The vast majority of businesses with any sort of online presence or electronic network are waking up to the urgency of maintaining security in cyberspace. Abilities developed by hackers in recent years have put even small and medium-sized businesses in their sights, even if the cyber stories you hear about in the media focus on high-profile companies and government institutions being targeted.

While some sophisticated hackers focus their efforts on larger companies and institutions to make a social statement or just to cause disruption on the largest scale possible, others go for easier prey: smaller entities with less protection. For these smaller businesses, the disruption caused by a cyberattack can be just as damaging, if not more so, than for large entities.

That means everyone needs to keep their systems safe. Profits and customers are at stake and just one successful attack could set you back months while you scramble in damage-control mode. And the best tool businesses have to defend themselves is to preempt attackers with penetration testing.

Penetration tests safely simulate a gauntlet of different attacks on your networks and online connections with the goal of finding security flaws before any hackers have the opportunity to take advantage of them and cause you harm.

Reviewing your code just doesn’t cut it

But why penetration testing? What makes this method so effective at keeping you protected? Penetration tests bring several advantages and benefits to the table. The bottom line is that reviewing your code visually to try and spot vulnerabilities just doesn’t cut it. Reviewing code this way is notoriously difficult and long lines of code interacting with one another can behave in unpredicted ways, leaving hidden back doors unlocked to attackers.

Penetration testing gives you the ability to get in the mind of the hackers and think like they do. When the military draws up war plans and formulates strategies, they simulate the whole thing with massive exercises. Some of the troops play the part of the enemy and a full-blown simulation is enacted while every possible scenario is considered and acted out so the generals know best how to prepare themselves. The same is true of penetration testing.

Without careful penetration testing, you leave your business open to any attackers with the ability to locate and take advantage of vulnerabilities in your systems. That could mean losing customer data and therefore public trust; you could have technology or even money stolen right from under your nose; and the network your computers rely on could be brought to a complete standstill along with your business operations.

In any of these scenarios, you face major setbacks that could be very difficult to recover from. Penetration testing is all about putting you ahead of the threats you face and making sure you can continue to prosper free of worry.

Different kinds of PT

All the kinds of pen testing you should know about

If you’re here, you’re probably turning your attention to your company’s cybersecurity. Welcome, and good job – you’re doing the right thing. Cybersecurity is a major issue for every business to confront these days and it’s an increasingly complex topic, requiring input from industry professionals who understand the kinds of threats posed to companies with any kind of electronic network.

But what do such experts do to keep you safe? The first step is diagnosing the problem – in other words, finding the vulnerabilities in your systems, and that means penetration testing, or pen testing. By safely simulating an attack on your systems, pen testers are able to infiltrate your operations and show you how they did it so the vulnerability they took advantage of can be fixed. Here are the different kinds of pen testing you should be aware of:

Network services

This type of pen test can be both internal and external, looking for vulnerabilities in your networks, systems, hosts and network devices like routers that hackers could infiltrate to extract data or even take control of for their own purposes. Think your clients’ data is safe in your network? Network services pen tests will tell you for sure, by examining things like:

  • Firewall configuration
  • Stateful analysis
  • Firewall bypass
  • IPS evasion
  • DNS attacks

A big part of keeping your network safe is examining your wireless connections. A password on your Wi-Fi often isn’t enough to keep out a sophisticated hacker. That’s why experts look into the use of wireless devices at your office to see how they could be used to hack into your cyber infrastructure and cause damage. Wireless protocols, wireless access points and administrative credentials are all checked in this process.

Web application

Web application pen tests go deeper than the network services tests, looking for security flaws in web-based applications. Expect this test to take longer due to its complexity. But the time spent is well worth it as web application tests dive into important components like ActiveX, Silverlight and Java Applets.

This type of testing can also look at issues within your workspace. What if your laptop fell into the wrong hands or your personal computer was successfully hacked from outside? Suddenly, a lack of security at your own workstation turns into a security liability for the entire company. Web browsers on your computer and installed software are scanned to make sure there are no backdoors from your device to infiltrate the company’s infrastructure.

Native mobile app testing

There are also all kinds of clever ways to test those high-performance mobile apps that store lots of sensitive information. If you don’t do your due diligence, a vulnerable financial app could leave credit card information or bank account details exposed to hackers. For an app like that, a serious breach could be the end of the line.

A word about black, white and gray box testing

As you educate yourself about your company’s cybersecurity, you’re also likely to come across the terms black box penetration testing, white box penetration testing and gray box penetration testing. These are more general terms that refer to how much knowledge a hacker has of your systems and therefore what conditions a tester needs to simulate.

In black box testing, it’s assumed that the hacker knows next to nothing of your cyber infrastructure. A full-on attack is launched at your entire system to try and locate a weakness. It’s good old-fashioned trial and error. In white box testing, testers simulate a situation in which a hacker has full knowledge and access to key elements like the source code and software architecture of a web application. Gray box testing sits somewhere in the middle, assuming that a hacker has obtained partial knowledge of your systems and how they work. Considering which angle to approach pen testing is important to locate any threats that a hacker could find and exploit.

It’s often best to periodically do a full sweep, making sure that all of these systems are as safe as can be and keeping you protected from whatever new tools and methods hackers may have come up with. Whatever the case may be, security is always a top priority.

What is penetration testing?

Who knows more about security than those who are able to breach it? The thief who gets the jewel from the museum must have utilized some flaw in the security system that no one recognized before and the hacker that steals data or plants a virus does so thanks to a cyber vulnerability that slipped through the cracks.

While thievery and hacking are harmful to any business that falls victim to a security vulnerability, the one upside they produce is bringing that same vulnerability out into the open. It’s an odd cycle: Without thieves and hackers, you wouldn’t need cybersecurity, but falling prey to them makes you aware of the threats you face. Once your system has been hacked one way, it’s up to you to do your due diligence and analyze the vulnerabilities they took advantage of. After fixing them, any other hacker that comes along will need to find a new approach to slow you down.

That’s why, in a roundabout way, hackers and thieves are performing penetration tests. By breaking into your system, they reveal the flaws that you might have missed, and the result is stronger security for the future. But not everyone capable of breaking into your system means to do you harm. Why allow dangerous individuals to break into your system when you could authorize experts and professionals to penetrate your operations with the purpose of locating vulnerabilities and helping you resolve them?

Now we’ve arrived at the essence of penetration testing, otherwise called pen testing. True pen testing isn’t just an action, it’s an intention. While thieves and hackers want to harm you, pen testers want to help you stay ahead of threats technologically. To meet this goal, they use all the tools in their cyber arsenal to see if and how they can break into your system – not to steal or cause harm, but to come up with ways to make your system safer.

That’s why pen testers like those at GRSee don’t just hack into your system and prove that you have a vulnerability, they show you what they did and how they got in before recommending ways to fix the issues that were found.

What better way to beat the hackers than to think like them and use their weapons against them? As long as cyber assets continue to grow in importance, ill-intentioned individuals will try to find vulnerabilities to benefit from. The best way to get ahead of them is to simulate an attack on your system before a real one can take place.

From creeping worms to costly viruses: The evolution of cybersecurity

As with every other major technology developed by mankind, it didn’t take us long to demonstrate how the digital world could be used for nefarious means. Cyberspace was conceived of as a sort of utopian, open, free space for instant global communication – and that ideal is still alive in the minds of many users and entrepreneurs. But the last 30+ years have shown us that even the greatest of utopias need a defense force to protect it.

You reap what you creep

Did you own a computer in the 70s? Probably not. Did you know what the internet was? Definitely not, because it was called ARPANET back then: the earliest evolutionary ancestor of our interconnected lives. But while you remained in a state of blissful ignorance, it wasn’t only the internet that was being put together; a foundation for the digital virus was being laid.

Today, we fear internet-borne viruses like the plague and the threat of hackers disabling important infrastructure like electrical grids is very real. But it didn’t start out with such harmful intent. In fact, it was downright innocent behavior that created history’s first worm, called “Creeper”. It was nothing more than simple code written by BBN Technologies engineer Bob Thomas that reached computers connected to ARPANET (of which there were only a few) and playfully displayed the words “I’m the creeper: catch me if you can!” on the screen.

But the world’s first worm gave rise to the world’s first cybersecurity mechanism, a slightly more sophisticated code from Bob’s colleague Ray Tomlinson that moved between computers on ARPANET, copied itself in the process and did nothing more than delete Creeper. This countermeasure would forevermore be known as “Reaper”.

Early internet vulnerabilities

Creeper and Reaper had set a theoretical precedent for cyber threats and cybersecurity, but the digital space still wasn’t outright dangerous, as highlighted by the “Morris Worm” in 1989 – the first major case of a denial-of-service (DoS) attack. Robert Morris, the author of the new-generation worm, argued in court that his code was only designed as a way to measure the size of the internet at the time. Whatever his intentions, the worm slowed infected computers and reinfected them multiple times until they became inoperable.

The Morris worm may have infected a whole 10% of computers connected to the internet and clean up was estimated to have cost anywhere from $100,000 to $10,000,000. Cybersecurity was caught unprepared and removing the worm required the entire internet to be shut down for several days on a regional basis. Industry experts, with both positive and negative intentions, were waking up to the power of cyber threats.

Cybersecurity on the backfoot

It would take a while for cybersecurity measures to catch up to the threats of viruses. In the same way firefighters are on duty to put out fires where they pop up, the Morris worm taught everyone that the internet needed its own emergency response team. CERTs (Computer Emergency Response Teams) were established to fill this role, but the early 90s saw them reacting to threats rather than trying to prevent them.

Antivirus software finally hit the market in the middle of the decade, offering a simple preventative solution to most basic viruses that could be installed on any computer. At that point, the internet had become saturated with viruses created by less-than-savory players in the industry who knew they could get away with simple harmful activity. While antivirus programs helped put an end to this proliferation, they also triggered an arms race.

As the capabilities of hackers and viruses became more and more sophisticated, awareness of potential threats and investment in protection increased. Things went well for over a decade until a series of complex attacks in recent years seemed to show that at least a few of those with malicious intent had gotten a step ahead of antivirus and security experts.

Target was hit, along with the British healthcare system and a number of other large institutions that employed the largest security companies using the most sophisticated defense techniques. But the good guys have learned from these incidents and stepped up their game even further. Will any network ever be 100% secure? Possibly not, but the consequences of ignoring cybersecurity are too big to ignore and large, complex attacks only highlight the need for businesses in the digital space to work closely with cyber experts who continuously keep themselves up to date with developments in the industry and keep the hackers on their toes.

Simply put: How we at GRSee increase your security

Running a business means focusing on growth. You want to bring your products and services to as many people as possible because you believe in what you do; you want to increase profits to hire more workers and expand operations, so you invest your efforts in PR and customer care. These activities make sense and, performed correctly, directly contribute to your prosperity.
Ideally, you should be free to focus on these kinds of initiatives that directly support growth. But without a solid behind-the-scenes backbone of security, compliance and risk management, even great momentary success can be painfully reversed in the blink of an eye. GRSee addresses these concerns for you, so you can pursue other tasks safe in the knowledge that none of these three critical areas are being ignored.

Your freedom, our focus

While you dive into all the other business activities you need to pursue to thrive, GRSee handles three elements that are even built into our name. GRSee stands for GRC, or Governance, Risk management and Compliance. Without solid footing in these three areas, your business could face future losses to legal problems encountered when trying to adhere to new and complex regulations or cyber-attacks and other related threats. It’s best to put these concerns to rest before encountering any real mishaps.
Let’s take a closer look at what we do every day to ensure that businesses like yours are safe, compliant and built to weather any storm:

  1. Compliance – GRSee aims to bring your business into full compliance with security standards and related information and data regulations. ISO 27001 directly addresses the overall security of your systems and governance while PCI DSS is a standard that must be met by any business accepting card payments. Meanwhile, Europe’s GDPR helps protect user data and the CCPA aims to do the same in California.
  2. Cyber security – In our connected world, even the best business concepts can be brought down by ignorance of potential cyber threats. Depending on who you are and what you do, these threats could come from individual hackers looking to steal or cause trouble just for fun, politically motivated groups that aim to disrupt or corrupt your efforts, or even advanced and well-coordinated governments around the world. Maintaining cyber security has never been more important for a business or its customers.

GRSee offers a wide range of cyber services and a team of experts with over 20 years’ experience in the field. With penetration testing and Advanced Persistent Threat Simulation, we simulate attacks on your computer system, application infrastructure or otherwise to ensure that defenses are up to snuff and to reveal any vulnerabilities that need paying attention to. We also review the entire architecture of your digital infrastructure to identify potential weaknesses that could be exploited.

  3. Risk management – This is closely related to our cyber security work. Our experts provide ongoing analyses and assessments of the risks your business faces and aim to help you keep operations in line with global information security standards. Meeting them tells everyone else that your business is safe.

To this end, we also give businesses the opportunity to adopt one of our experts as their CISO (Chief Information Security Officer), who takes charge of security operations and acts as an ongoing advisor and consultant for all cyber security issues as well as formulating and overseeing tailor-made long-term security strategies.
We can tackle all of these issues with you, making sure your business is following the best practices that boost confidence and reduce the number of unforeseen but completely avoidable roadblocks you might encounter on the road to success. Based in California, New York and Israel, we already provide service to global brands like 888, Fiverr and Amdocs. In this way, our work doesn’t only make you free to focus on other areas of business, our involvement also contributes in more direct ways to your growth and prosperity.

How to Avoid These Five PCI-DSS Pitfalls

Kudos to you for taking credit card data security seriously! You’re likely feeling good about taking that big step to properly secure your customers’ credit card data by becoming PCI DSS accredited. And you should! However, did you know that compliance alone does not necessarily guarantee data security? Here are five things to look out for to ensure the credit card data is truly secure and that you don’t find yourself caught in one of these common pitfalls.

1. Failing to review firewall rules and perform penetration segmentation tests every half year

According to the PCI DSS standard, service providers must review firewall rules and perform segmentation penetration tests every half year. Though most companies remember to do the penetration tests leading up to the audit at the end of the year, they often fail to do the proper checks mid-way through the year. Mark it in your calendar so you don’t forget these important steps in your PCI compliance!

2. Failing to Manage Vulnerabilities

As part of the PCI DSS standard, vulnerability checks need to be performed on a quarterly basis. Additionally, any vulnerabilities that are found need to be remediated during the same quarter. Failure to do so leaves credit card data vulnerable and increases the chances of a security breach. Unlike the initial certification, which requires a vulnerability check during the last quarter only, recertification requires checks on a quarterly basis.

3. Improper Scoping

When it comes to PCI the ‘scope’ is the cardholder data environment (CDE) and includes all of the systems, people, processes, and technologies that handle cardholder data. It is important to note that systems that support & secure the Cardholder Data Environment must also be included in the scope of PCI DSS. Examples include antivirus, patch management, vulnerability scanners and the like.

4. Storing SAD (Sensitive Authentication Data) After Authorization

During the payment process, service providers collect Sensitive Authentication Data (SAD) to authorize the payment. However, according to PCI regulations, you are only allowed to use SAD strictly to process the payment and may not store the data after completing the authorization.
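As an added illustration of this rule (example code, not GRSee’s own), the snippet below shows a payment flow that uses SAD for the authorization call and then builds a storable copy of the transaction with every SAD field cleared and the PAN truncated, plus a check that can be run over stored records to confirm no SAD slipped through. PCI DSS defines SAD as full track data, the card verification code (CAV2/CVC2/CVV2/CID) and PINs or PIN blocks; the record layout, field names, the `authorize` stand-in and the sample card number are constructed for this example.

```python
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Fields holding Sensitive Authentication Data. The names are an assumption
# of this example; the categories (track data, card verification code, PIN
# block) are the ones PCI DSS forbids storing after authorization.
SAD_FIELDS = ("track_data", "cvv", "pin_block")


@dataclass
class PaymentRecord:
    pan: str                  # primary account number, as captured
    expiry: str
    amount_cents: int
    track_data: Optional[str] = None
    cvv: Optional[str] = None
    pin_block: Optional[str] = None
    auth_code: Optional[str] = None


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS truncation)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def authorize(record: PaymentRecord) -> PaymentRecord:
    """Stand-in for the call to the acquirer. SAD is needed here and only here."""
    if record.cvv is None and record.track_data is None:
        raise ValueError("authorization needs a card verification code or track data")
    record.auth_code = "AUTH-EXAMPLE"  # constructed value, not a real response
    return record


def to_storable(record: PaymentRecord) -> dict:
    """Build the only form of the transaction that may be persisted."""
    stored = asdict(record)
    for name in SAD_FIELDS:
        stored[name] = None
    stored["pan"] = truncate_pan(record.pan)
    return stored


def contains_sad(stored: dict) -> bool:
    """Detection check: True if a stored record still carries any SAD field."""
    return any(stored.get(name) not in (None, "") for name in SAD_FIELDS)


def process_payment(record: PaymentRecord) -> dict:
    """Authorize, then drop SAD from both the stored copy and the live object."""
    authorize(record)
    stored = to_storable(record)
    if contains_sad(stored):
        raise RuntimeError("refusing to persist a record that still holds SAD")
    # Clear SAD on the in-memory object too, so a later log line or crash
    # dump cannot leak it.
    for name in SAD_FIELDS:
        setattr(record, name, None)
    return stored


if __name__ == "__main__":
    # Constructed sample: a well-known test card number, not a real account.
    sample = PaymentRecord(pan="4111 1111 1111 1111", expiry="12/29",
                           amount_cents=1999, cvv="123")
    print(process_payment(sample))
    # {'pan': '411111******1111', 'expiry': '12/29', 'amount_cents': 1999,
    #  'track_data': None, 'cvv': None, 'pin_block': None, 'auth_code': 'AUTH-EXAMPLE'}
```

The `contains_sad` check is the part worth reusing: run it over database rows, log archives and backups during the quarterly review, since the most common way SAD ends up retained is not the payment table but a debug log or a crash dump that captured the full request.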

5. Addressing PCI DSS Compliance During Audit Period Only

PCI should be part of your annual work plan and not reserved for a once-a-year security check. In order to be compliant and truly keep sensitive credit card data secure, the requirements delineated within the PCI DSS Standards should be followed and managed throughout the year.

Why Do I need to be ISO 27001 Certified?

Have you been thinking about having your organization ISO 27001 certified but not sure if it’s really “worth the hassle?” For those less familiar with ISO 27001:2013, it is the global information security standard that delineates the best practices to manage information security risk.

Below are 4 items to consider before making your final decision.

1. It’s good business!

Being accredited by ISO 27001 gives you a competitive edge and is proof to existing and future customers that you are taking a proactive approach to protecting their data from information security threats. Winning or losing a tender can weigh heavily on whether or not you have this certification. Being ISO 27001 certified expedites the sales cycle, rather than stalling it due to compliance requirements that have not been met. Lastly, access to global markets may also be dependent on whether you are certified, due to ISO 27001 requirements in some countries.

2. Manage risks to safeguard data & intellectual property

Maintaining data privacy and other assets is a top priority for most organizations, especially for those that are holding private client information. ISO 27001 has set up the most systematic approach to identify, store, access and manage this data safely. By utilizing the ISO 27001 method of safeguarding data, the organization greatly reduces the severity of threats on its information.

3. Avoid financial losses and penalties associated with a data breach

Are you worried about how much ISO 27001 accreditation is going to cost you? Well, opting not to get accredited can cost you a lot more in the long run! You need to weigh the cost of compliance against the cost of potential fees associated with fixing a data breach as well as possible interruption of business.

4. Improve your processes

Companies are growing and changing fast, and before you know it roles and responsibilities relating to data and other assets get blurred. As part of the ISO 27001 process, roles and responsibilities are clearly defined, thereby strengthening the structure of your organization and allowing for clear and concise steps going forward.

Being ISO 27001 certified forces your organization to take a hard look at what’s working and what’s not when it comes to information security and create a clear and concise roadmap to improve processes going forward. The benefits of this process extend not only to the information security of the organization, but also open up doors for increased revenue going forward.

A Worthwhile Resolution for 2019

New Year’s Resolutions. We all have them. They often sound something like this:

“This year I’m going to eat less, exercise more, and be a better spouse/parent/employee/person…” and the list goes on. Sometimes we follow through for a week, or even a month. But usually we don’t stick to it for very long.

Well here is a resolution that you can and should be making and sticking to in 2019 for both your personal and professional safety and benefit. It is time to take cybersecurity seriously. With the Identity Theft Resource Center (ITRC) reporting 1,027 breaches which includes 57,667,911 records compromised as of November 2, 2018, the statistics are pretty baffling.

Personal Security

Enable 2FA (Two Factor Authentication) whenever possible – This requires a name and password plus an additional type of verification in order to access private info. This usually simple step, for example verification via your cell phone, can greatly decrease the chance of a personal breach.

Manage passwords safely – Guess what?! Using your sweetheart’s name and birthdate for all your passwords while perhaps cute is not the smartest (or safest) way to keep your personal data safe. To really keep your information safe, you need to create unique passwords for each of your applications, e-mail, accounts etc. There are many password tools out there that can help keep all of your passwords safely in a single location.

Organizational Security

Risk Assessment – Are you able to make heads or tails of where your organization is standing from a security standpoint? How well are your data and assets protected? Do you have the right policies and procedures in place to prevent a breach? Performing a risk assessment will provide your organization with an overview of your current security posture so you can then create a security roadmap and prioritize accordingly.

Penetration Testing – There are two major reasons that your organization will benefit from doing penetration testing:

1) Having a penetration test performed on your environment (aka ethical hacking), allows you to see how a potential attacker sees your organization and its vulnerabilities. With security breaches making headlines throughout 2018, now would be a good time for you to check!

2) You are looking to offer your product/services to companies A, B, & C. In most cases, the companies you’ll want to do business with require mandatory penetration testing. Be prepared today so you can sign new customers tomorrow!

Here’s to a safe and productive 2019!

Your company is going international. What about your cybersecurity?

If your company is approaching new markets overseas, cybersecurity should be a primary concern. Regulatory environments, compliance, and privacy laws differ significantly from country to country, and protecting your data, as well as that of your customers, is of great importance.

Being prepared in advance will help you enter your new market quickly so you can hit the ground running.

Risk management: it’s a game-changer

Risk management is crucial, whether you are in a compliance-heavy industry or not. Having a good understanding of the regulatory environment in the countries you are doing business in is a good place to start.

Penetration testing (PT)

Assessing your risk is an important first step towards compliance. Penetration testing, sometimes known as a pen test, is a way to determine your risk through authorized hacking. Pen tests are conducted to find exploitable weaknesses in your system so that you can be better prepared for any potential threats.

The results of your PT will help you to address any security issues before you pursue the appropriate certifications.

Here are some of the essential credentials and standards you should be aware of when taking your company international:

ISO 27001 certification

ISO is an organization that deals with international standards. ISO 27001 is specifically geared to information security management and is recognized as a worldwide protocol to help companies manage risk to their data assets. ISO 27001 certification is a best-practices approach that shows your company is managing its data security in line with the highest international protocols.

PCI DSS compliance

PCI is a standard for securing the data surrounding online payments. It applies to all companies that process and store payment data for their customers and vendors and also covers third-party vendors who might also have access to this data. If you accept payments online with any type of payment card, PCI DSS standards apply to you.

GDPR compliance

The General Data Protection Regulation (GDPR) becomes law in May of 2018. This regulation protects the personal data of all EU citizens and businesses and any company that does business with EU people or entities must comply.

HIPAA compliance

The Healthcare Insurance Portability and Accountability Act (HIPAA) applies specifically to personal healthcare and medical data. If you store protected health information for your employees, you must be HIPAA compliant. This includes healthcare providers, healthcare insurance providers, and companies that handle third-party billing or data processing for any of the above.

Don’t let non-compliance be a show-stopper

Compliance with international standards is essential to your business continuity. In most cases, until you comply and show a certification, all contracts, deals or any other relations with partners or customers will be on hold.

Here are some of the methods you can use to ensure compliance and data safety:

Penetration testing (PT)

GRSee uses proven methods to discover vulnerabilities in your system through our own Application Penetration Test model.

IT Security Questionnaires

OWASP CISO Survey

The Open Web Application Security Project (OWASP) questionnaire asks a range of questions to help you determine your level of risk. Most of those questionnaires are based on the ISO 27001 standard, so if you are already in compliance with ISO, it will save you a lot of work. Keep in mind, however, that your answers are simply a snapshot in time, so revisiting the questions periodically is always a good idea.

To help you manage the survey, GRSee offers CISO (chief information security officer) as a service. The CISO we assign will be in charge of answering the questionnaires and will provide solutions to any issues that are identified, functioning in a capacity that best suits your needs.

Bottom line, if your company is going international, you need to be prepared to answer to international compliance standards. GRSee Consulting is dedicated to supporting your compliance from every possible angle with specialized expertise and SaaS solutions you can depend on. Call today to schedule your cybersecurity audit.

Preparing for the GDPR: What You Need to Know

The GDPR becomes law in May of 2018. If your company does business with any EU citizen or entity, you need to be prepared for this new law, which is designed to protect and strengthen the privacy for all individuals residing in the European community.

The law applies to any business or public-sector entity that retains the personal or payment data of EU citizens. Under the law, companies will be required to be able to directly access this information for correction or deletion purposes and customers whose data is being held will have the option to “be forgotten” – meaning, if one of your customers asks for their data to be deleted, you must comply.

This is only one aspect of this very complex law, but it is a significant one. As a company looking to become compliant, it will be necessary to develop a workflow that makes it easy to accomplish these requests.

For many, this means a digital transformation will be necessary if indeed you have not yet initiated such a process. Modernization of data storage and security is absolutely crucial, especially for SMBs and enterprises, as the sheer volume of stored data will necessitate a capable data classification system in order to allow admins to isolate, manipulate, and delete data when needed.

KEY ELEMENTS OF THE GDPR

While this is by no means a complete guide to GDPR compliance, we have put together an overview that covers the key points:

1. Data flow mapping & analysis

In order to understand what kind of data your organization processes, it will be necessary to create a data flow map to show the flow of your data from one interaction point to the next – for instance, from the supplier to the shipper, to the customer, and so on. This is meant to identify any potential unintended use for the data and therefore requires that you consider what parties may be using the information and for what purpose.

2. Data type analysis

Your data flow maps should include the type of information being collected and how it was obtained – for instance, through a web form, direct data entry, or over the phone. Data needs to be analyzed as to the risk it may pose so that adequate measures are put in place. Being able to classify the type of data you are storing is key to assessing risk.

3. Analysis of currently implemented controls

This phase examines the controls you have currently implemented from a legal, organizational, physical, and technical point of view. The aim is to bring any identified risks under control before any new data is processed.

4. Identify scope – processor or controller

The extent to which your company is liable under the GDPR largely depends on whether you are a “controller” or a “processor” of data. A data processor handles data on behalf of the data controller and so is not subject to as many obligations where the data is concerned. Though the data controller is largely responsible for the disposition of this data, the data processor may still be liable to a degree if they are storing data on their servers, for instance, or are providing any other third-party service (such as shipping) that uses the data.

5. Review of privacy policies

Data controllers will need to be more specific in crafting their privacy policies. According to the GDPR, you must provide clear information on how you are using your customers’ data. This information must be:

  • Concise, easy to understand and easily accessible
  • Written in plain language that would allow even a child to understand it
  • Provided free of charge

6. Review of third parties’ policies

The privacy policies of any third party your company does business with should be thoroughly reviewed to ensure that their policies comply with GDPR regulations. This is meant to prevent unauthorized use of customer data. Article 28 of the regulation outlines in great detail how processor-controller contractual relationships should be worded.

7. Privacy review in SDLC

In addition to all the customer-facing data issues covered by the GDPR, the law also affects the software development lifecycle and processes of any IT company that seeks to do business with or provide information systems for the EU. The GDPR has technical and functional implications that require a high degree of planning in the initial phases of the SDLC. The earlier in the process these items are addressed, the less complicated and costly they will be in the long run.

8. Reviewing core GDPR issues

  1. The Right to be forgotten: Article 17 of the GDPR states that customers whose data is being held have the right to ask for it to be removed.
  2. Data roaming: This issue affects the transfer of data on the open internet, as may happen in a mobile computing environment.
  3. User’s consent: users must consent to their data being used. This may take several forms, depending on how your organization uses this data.
  4. Data destruction: data destruction poses a significant risk, especially when dealing with a hard copy (paper documents). If you use an asset disposal service (classified as a data processor under the GDPR) you must ensure they are compliant with GDPR regulations to reduce your risk.
  5. Review of special categories: this involves data that relates to a wide range of variables, including human resources and employee data, data relating to children, and health records for example. This area is quite complex, but it seeks to safeguard the privacy of the individuals whose data is being collected.
  6. Dispute resolution: Article 65 of the GDPR sets forth the process for dispute resolution by the Board if the supervisory body finds any infringement.
  7. Cookie consent: the GDPR calls into question the current EU cookie consent laws. The GDPR sees cookies as a unique identifier, and so consent rules do apply. If cookie data is used for more than one purpose, there may be a need to establish separate consent for each use.

CREATION OF GDPR ALIGNMENT WORK PLAN

If you have not yet begun to map out your plan for GDPR alignment, GRSee can help. Though the law is multi-faceted and complex, as experienced auditors who have performed hundreds of compliance projects, including GDPR alignment projects, we have created an efficient and proven methodology that will get you up to speed quickly.

WHAT’S THE SMOKING GUN? FINES OF UP TO 20 MIL EUROS!

With so much at stake, it is imperative that your security practices be in place as soon as possible. Some of the mechanisms you can implement right away include privacy by design at the SDLC (development lifecycle) level, pseudonymization, opt-out mechanisms, redacting data, and destroying old or redundant data.
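To make the erasure workflow described earlier and the pseudonymization mentioned here concrete, the following is an added example (not GRSee code): direct identifiers are replaced with a keyed pseudonym so that classified tables never hold the e-mail itself, and a right-to-be-forgotten request removes the identity record and every row tied to it, returning counts for the audit trail. The store layout, table names and pepper value are constructed for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed sample secret. Assumption: in practice it lives in a key vault,
# separate from the records, so the tables alone cannot be linked to a person.
PEPPER = b"example-pepper-not-for-production"


def pseudonym(email: str, pepper: bytes = PEPPER) -> str:
    """Keyed hash of a direct identifier: the same e-mail always yields the same
    token, but the token cannot be reversed to the e-mail without the pepper."""
    normalized = email.strip().lower().encode()
    return hmac.new(pepper, normalized, hashlib.sha256).hexdigest()[:16]


@dataclass
class Store:
    # pseudonym -> direct identifiers (the only place the e-mail is stored)
    identities: dict = field(default_factory=dict)
    # classified tables: each row carries the pseudonym, never the e-mail
    tables: dict = field(default_factory=lambda: {"orders": [], "support_tickets": []})

    def register(self, email: str, name: str) -> str:
        token = pseudonym(email)
        self.identities[token] = {"email": email, "name": name}
        return token

    def add_row(self, table: str, email: str, **fields) -> None:
        self.tables[table].append({"subject": pseudonym(email), **fields})

    def erase(self, email: str) -> dict:
        """Article 17 request: drop the identity record and every row tied to it.
        Returns what was removed per table so the request can be evidenced."""
        token = pseudonym(email)
        report = {"identity_removed": self.identities.pop(token, None) is not None}
        for name, rows in self.tables.items():
            before = len(rows)
            rows[:] = [r for r in rows if r["subject"] != token]
            report[name] = before - len(rows)
        return report


if __name__ == "__main__":
    store = Store()
    store.register("Alice@Example.com", "Alice")
    store.add_row("orders", "alice@example.com", amount=10)
    store.add_row("orders", "bob@example.com", amount=5)
    print(store.erase("alice@example.com"))  # {'identity_removed': True, 'orders': 1, 'support_tickets': 0}
```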

Boosting internal security is always a good idea as well, especially if you retain hard copies of any personal, payment, or other sensitive information that needs to be protected. Locked cabinets and file rooms are a good start, but establishing a secure digital storage solution is also important. Furthermore, if you are already ISO 27001 compliant, you have fulfilled some of the requirements necessary for GDPR. For those not yet ISO compliant, it’s a great opportunity to kill two birds with one stone.

There’s never been a better time to start your digital transformation. Call GRSee today to set up a free consultation.