The GDPR is now in full effect. While enterprises have put in a lot of effort to be compliant as of 25 May 2018 when the regulation took effect, compliance with the GDPR isn’t a tick-box activity and so organisations need a comprehensive and ongoing approach to privacy management. They must also document how they collect, process and store personal data. In addition to the GDPR, security fundamentals are essential for other regulations too such as the Payment Card Industry (PCI) Data Security Standard, Health Insurance Portability and Accountability Act (HIPAA) and ISO 27001. Non-compliance has the potential to make the cost of failure far greater than it’s ever been.
Many of the risks are in the data itself and the processes used to manage it. So, these are essential parts of a corporate initiative towards Data Security. Here are 10 ways to improve security compliance with data privacy regulations:
1. Create and maintain accurate inventory of software assets
A complete view of installed software can drive consolidation of the software portfolio to reduce security risks by reducing the attack surface for software vulnerabilities. Identify and remove freeware and unauthorised software which could pose a security risk. To this end, undertake a full audit to collect comprehensive hardware and software inventory data as well as identify which applications are using personal data and the people that are using those applications. This will enable the organisation to ensure that data that doesn’t comply with the Data Protection standards in use is reviewed.
2. Know what Open Source Software (OSS) is used in internally developed apps
Typically, organisations know less than 10 percent of the software that’s actually used. Software engineers use open source components to expedite their work – but they often don’t understand the software vulnerability risks they may contain. Take control of, and manage use of, OSS and third-party components.
3. Track and respond to alerts on software assets
Keep abreast of known software vulnerabilities and their criticality. Ensure that there’s a list of software installed that needs to be monitored for vulnerabilities; and then understand the OSS components that have been used in the internally developed apps, so that alerts to vulnerabilities can be acted on.
4. Administer vulnerability assessment against all systems frequently
Identify vulnerable, unpatched software on desktops, laptops and servers. Cut through the noise to focus the research and alerts on the software assets identified in the organisation’s inventory. Thereafter, detect and assess the security state of applications to react faster.
5. Prioritise and remediate the most critical vulnerabilities first
Implement vulnerability management policies and workflows. Drive and report on remediation processes from end-to-end to ensure Service Level Agreements are met. By applying the right patches, organisations close the main external intrusion method for cyberattacks. Reducing the attack surface for cyber-criminals reduces the risk and costly consequences of personal data breaches.
6. Remove local administrator rights from employee devices
Removing local administrator rights will further limit the organisation’s exposure to risk. Use of administrative rights is a primary means for hackers to spread malware inside the enterprise. If an employee has local administrator rights on their device, they can be tricked into opening malicious email attachments or downloading apps from malicious Websites. If the victim user’s account has administrative rights, the attacker can take over the device completely, install software and look for sensitive personal data.
7. Impose corporate policies using an enterprise app store
Foremost, prevent users from downloading apps from unknown sources. Deploy only authorised software and enforce corporate policies using an enterprise app store. An enterprise app store can ensure that governance is in place to install only authorised applications. An app store can also check software licence availability and obtain proper approvals. In addition to installing new applications, an app store can be used to remove unlicenced and black-listed applications from employee devices.
8. Only deploy new software that’s free from known vulnerabilities
As the number, frequency and complexity of applications in an enterprise portfolio grows, so do the risks of releasing new apps into the environment. Desktop engineering, software procurement and IT security each have a role to play in reviewing these risks and determining whether apps are approved for release or require further mitigation. As part of the change control process, evaluate risks when deploying new and updated apps into an enterprise environment and ensure they contain no known vulnerabilities.
9. Uninstall software that is End of Life, before the vendor stops support
When software reaches its End of Life (EOL), vendors stop patching security holes. Detect software that is EOL and upgrade to a supported version or remove it entirely from the device. Because EOL programmes are no longer maintained and supported by the vendor, there are no security updates, and hence are insecure.
10. Share data between systems, collaborate
Ensure IT Security and IT Operations have consistent data, yet custom views, to effectively collaborate on the latest research, assessed vulnerabilities and remediation activities. Automatically create service desk tickets to track and confirm remediation.
Gartner says that “through 2020, 99 percent of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.” Proactive management of vulnerabilities is therefore vital to data security and compliance. The GDPR deadline may have passed, but organisations need to keep their eye on the ball to ensure continuous compliance.
By Vincent Smyth, Senior Vice President EMEA , Flexera
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.