Posts in

Data Integrity

How to Prepare Your Organization for GDPR and Data Privacy?
Apr 8, 2021
4
Minutes

When the internet and technology are the lifeblood of modern business operations, it is no wonder that data privacy has taken the  center stage. According to a Pew Research Center report, 79% of consumers have raised concerns about personal data that organizations collect. These concerns have as much to do with discrimination and law as they do with ethics and policy. Across the EU, UK, USA, China, Singapore, and virtually every other location on the planet, the regulatory landscape for data privacy has changed and continues to evolve. In the EU, the General Data Protection Regulation (GDPR enforceable in 2018) and its policies have effected change worldwide.

EU regulators and legislators indicated that businesses' almost laissez-faire approach toward data protection compliance had gone on for far too long and that the GDPR would rectify this. And it did. Today, the cost of data privacy infractions can amount to a hefty penalty of up to €20 million or 4% of the company's annual global turnover. Moreover, on account of the GDPR's broad territorial scope, it is regarded as a standard globally, and businesses invest heavily to keep up with the compliance regulations.

However, despite efforts, a report published by DLA Piper states that data breach fines and notifications between January 2020 and 2021 increased by 40% and 19%, respectively. Naturally, this double-digit growth isn't conducive to healthy business operation and implores the question, 'What can or should companies do to mitigate losses due to data privacy non-compliance?' For insight on the matter, read on to know how companies can prepare for the inevitable progression of GDPR or any other such data privacy laws and regulatory guidelines.

Define the role and responsibilities of a data protection officer

The first approach companies could take is to hire a data protection officer or DPO. This is a relatively new role for most institutions and should exist, especially considering how quickly regulatory reforms can occur. A data protection officer is a professional tasked with doing all the heavy lifting in ensuring that the organization remains compliant with the GDPR. As a matter of fact, it is a mandatory requirement by the GDPR that a company must hire a DPO if it handles personal data of EU residents. 

Ideally, companies should look inwards at personnel working within the IT or legal departments for the role of DPO. A DPO's responsibilities often overlap with those of a Chief Data Officer and these professionals serve as viable candidates for the job. However, to be effective, it is important that the DPO receives formal training on GDPR. Organizations such as the Association of Data Protection Officers and the International Association of Privacy Professionals (IAPP) offer courses on data privacy and security. There is a talk that the GDPR will likely create entities that offer certification for such courses in the near future.

Ditch all age-old, legacy systems that make data management tedious

In a bid to save on costs, it is quite common for companies to take legacy systems forward with every passing year. While this may have worked a decade ago, it definitely won't in today's environment. Legacy systems used to track, enter, and monitor data make staying compliant difficult, especially when dealing with a breach. The solution here is to evaluate the efficacy of existing data management tools with today's standards. 

A good starting point would be to get rid of systems that don't easily integrate with workflow automation. Manual inputs and processes increase the risk of noncompliance, and new-age tools can help address this problem. One smart and effective solution is the VComply GRC software suite. VComply allows you to establish a centralized data model, where a single repository of all critical documents may be maintained. This enables easy management, tracking and can aid quick breach redressal when dealing with risk data.  

Ensure that the privacy impact assessment isn't lacking

An effective way to stay ahead of GDPR changes is ensure that the current documentation is maintained with maximum accuracy and as per requirements. Under the GDPR, all data-intensive projects must have privacy impact assessment (PIA) documentation, which must be accessible to everyone involved in a project. This is non-optional as it is a process that accounts for all the privacy risk present with any data a company collects from consumers. 

 Ideally, a comprehensive PIA should be able to document all key data-related information. Here is a table that highlights the main verticals and the type of data that should be documented.

Prioritize security above all

It comes as no surprise that data security is a key part of the GDPR compliance journey. To stay ahead of the ever-changing environment, companies should design all security measures with privacy as a priority. Common measures include creating workflows that govern data access, both on-site and remotely. As per the GDPR, an external data breach can even be a situation where an unvetted temporary employee is granted full access to data through a generic log in. 

 

Such cases of unsecured data access can be solved by implementing clearly defined user access controls. Besides these, security measures extend to monitoring and logging. This is another branch of data collection, albeit internal, and should be handled in keeping with the GDPR.

Review existing risk assessment controls and revamp as needed

Before the GDPR took hold, data privacy may have not been a key part of the risk assessment and management strategy. This needs to change in order to adapt to the modern-day requirements and data privacy should be given its fair share of importance within these protocols. This includes designing specific risk assessment models, having controls to mitigate risks, and understand the impact of these risks and the extent of their exposure. 

 

Considering that the GDPR guidelines will continue to evolve with every passing year, it is safe to assume that companies will soon have to learn to adapt on the fly. These 5 measures should help prepare for many reforms, especially if the company has the right tools at its disposal. The VComply GRC software suite offers such a solution to organizations to map their data and efficiently implement controls to track and manage compliance with GDPR regulation. To address any queries or know more about the provision, contact us online.

VComply Editorial Team
Read More
How Does Your Organization Comply with PCI DSS? All You Need to Know
Apr 1, 2021
5
Minutes

According to an analysis by Atlas VPN, credit card fraud cases surged by 104.7% when you compare Q1 of 2019 and 2020. Likewise, Julie Conroy,  a research director at Aite Group, reported that by the end-2020, credit card fraud losses in the US amounted to a staggering $11 billion! These facts make it clear that the digital payment ecosystem is rife with vulnerabilities. After all, security gaps can emerge at various points of handling, storage, and transmission, such as at POS devices, e-commerce apps, Wi-Fi hotspots and personal computers. 


To create a safer payment ecosystem, major players, namely, American Express, JCB, MasterCard, Visa, and Discover formed the Payment Card Industry Security Standards Council (PCI SSC) and subsequently, a standard for data security, the PCI Data Security Standards (PCI DSS). The latest version of PCI DSS is v.3.2.1 and though PCI DSS is not a law, it is expected that the industry needs to be compliant with its requirements as non-compliance entails hefty fines and lost business opportunities and customers.


Do you need to be PCI DSS compliant? 

If you handle, store, process, or transmit credit card data you ought to be PCI DSS compliant. Moreover, your card processing agreement normally requires you to be so. Depending on how much sensitive information visits and resides in your systems, your compliance requirements could be more or less, complex or basic. 


Achieving PCI DSS compliance entails adhering to 12 high-level requirements, and depending on your compliance needs, 300+ controls. Here is more on how to comply with PCI DSS. 


What is needed for PCI DSS compliance?

PCI DSS compliance is validated against a list of PCI DSS requirements. Read on to know more. 


Goal: Build and Maintain a Secure Network and Systems

  1. Use and maintain a firewall configuration: The goal is to protect cardholder data using a network security device (firewall) by controlling incoming and outgoing network traffic. Here, it pertains to traffic within internal trusted networks as well as between internal and external (untrusted) networks. A firewall is your first line of defense, preventing unauthorized access and securing the cardholder data environment.
  2. Ensure proper password protection: Operating systems, routers, POS terminals, etc., often come with vendor-default passwords and accounts. These can help with installation; however, such initial settings are often freely available on the internet or are widely known. Hackers can easily exploit this loophole and hence, change all vendor-supplied passwords and security parameters, and delete default accounts.


Goal: Protect Cardholder Data

  1. Protect stored data: As a rule, it is good to avoid storing cardholder data when it is not necessary. However, some business transactions need you to store sensitive information. In such cases PCI DSS mandates that you employ protection methods like hashing, encryption, masking, and truncation to ensure that in case of unauthorized access, the cybercriminal will not be able to read the data or use it meaningfully.
  2. Encrypt transmitted data: Open, public networks can be accessed by cybercriminals and hence, you should ensure that the data you send over networks like the internet, Bluetooth, GSM, and Wi-Fi, is secure. PCI DSS asks that data be encrypted, and that encryption strength be appropriate, that you use trusted keys/ certificates only, and that you employ a secure protocol for data transmission.


Goal: Maintain a Vulnerability Management Program 

  1. Use and update antivirus software: Today, there is an increased amount of business activity that is susceptible to malicious software attacks. Hence, it is essential to have an antivirus software (which may be supplemented by an anti-malware solution) that can detect, protect against, and remove all known types of viruses, worms, trojans, adware, rootkits, spyware, etc. Since, software threats evolve with each day, regular updates are also a PCI DSS requirement.
  2. Have secure applications and systems: All code is buggy and hence, applications are never “perfect”. Loopholes exist and are discovered, and for this reason, developers frequently release security patches. PCI DSS requires you to install critical patches supplied by vendors within 1 month of release. Also, you need to set in place a process for identifying security vulnerabilities and map them to a risk ranking – “high”, “medium” or “low”.

Goal: Implement Strong Access Control Measures

  1. Restrict access to cardholder data: Risk increases as data exposure increases, and to limit this, PCI DSS proposes that critical data be accessed only by authorized staff, on a need-to-know basis. What is the minimum amount of access that is required to perform a specific job responsibility? That is what you must consider when assigning and approving privileges. A system admin will enjoy more privileges than a call center staff, yet none may require access in a particular scenario.
  2. Assign unique IDs for access: Having unique IDs for users is important to ensuring accountability for actions taken and tracing the cause of issues. Point 8 of PCI DSS also requires that you use sufficiently strong passwords. Inactive IDs are to be removed or disabled in 90 days and passwords are also to be changed within this period.
  3. Limit physical access to data: Restricting and monitoring physical access to cardholder data is important to the integrity and security of the sensitive information you hold. Ensuring a secure cardholder environment could involve everything from installing video security cameras to having password-protected login screens and procedures to authorize visitors.

Goal: Regularly Monitor and Test Networks

  1. Create and monitor access logs: Having audit logs in place allows you to trace suspicious activity and attribute it to a specific user in case of any data compromise. However, PCI DSS also requires that you monitor these logs. Else, you will find yourself backtracking only after a data breach occurs. The goal is to stop it in its tracks.
  2. Test security systems and processes often:  To root out fresh vulnerabilities PCI DSS asks that you conduct tests on your custom software, processes, and system components regularly. In particular, check for the presence of wireless access points, through which an intruder can gain unauthorized access “invisibly”.

Goal: Maintain an Information Security Policy

Document a security policy: Protecting sensitive data is the responsibility of all employees and to set the right tone, PCI DSS requires that you establish, publish, maintain, and disseminate a security policy that educates personnel on what is needed from them.


What are the essential steps of PCI DSS compliance?

Know your compliance level There are 4 PCI DSS compliance levels.
  • Level 1: Merchant processing <20,000 online transactions annually, or up to 1 million total transactions annually
  • Level 2: Merchant processing 20,000 – 1 million online transactions and less than 1 million total transactions 
  • Level 3: Merchant processing 1 – 6 million transactions annually
  • Level 4: Merchant processing over 6 million transactions annually

Depending on your compliance level, you will determine which networks and components are in PCI DSS scope.

Assess system components within scope: Each PCI requirement has corresponding testing procedures, and at this stage you must check for compliance and identify gaps. Level 1 businesses need to conduct an onsite assessment and draft an Annual Report on Compliance (ROC). A Qualified Security Assessor or an internal auditor will be involved in the process. A QSA is a PCI-SSC-approved independent security organization that validates your business’ adherence to PCI DSS.


If you belong to Level 2-4, assess your compliance by filling out an annual Self-Assessment Questionnaire (SAQ). There are 9 SAQs and these comprise Yes-or-No questions for each PCI DSS requirement. You need to use the SAQ relevant to you only. Every quarter or less, businesses at all levels engage the services of an Approved Scanning Vector (ASV) to check for external scanning requirements of PCI DSS.  Depending on the gaps present, you will need to adopt certain security controls and protocols. The 12 PCI DSS security requirements outlined above indicate how you should go about protecting sensitive information.


Report, attest, and submit: After assessing and taking remedial measures, documentation of the SAQ/ ROC and compensating controls occurs. You can then fill out a formal Attestation of Compliance (AOC) and have it verified by a QSA to show that you are in full compliance with PCI DSS. You can submit your SAQ, ROC, AOC, etc., to any organization requesting them with everything in order.


Remember, PCI DSS compliance is not a one-time task. It involves an ongoing process of assessing, repairing, and reporting. It requires you to bring together your legal, technology, finance, and security teams for a common purpose, and a software solution like VComply can help you manage and monitor the 300 odd security controls you may need to set in place. With it, you can easily delegate responsibilities, conduct gap analysis, generate reports, get prompt alerts, and more. With PCI DSS 4.0 slated to arrive in mid-2021, getting compliant today is the best thing you can do to prepare for the future. So, take steps towards securing your cardholder data environment and use VComply to accelerate your compliance efforts manifold!  

Devi Narayanan
Read More