There are few things organisations fear more than data breaches. They cause immediate disruption, cost money to put right and can lead to long-term reputational damage.
The stakes were raised with the introduction of the EU GDPR (General Data Protection Regulation) in May 2018. It sets out the obligations organisations must meet to protect personal data and has been widely publicised – as has the power of supervisory authorities to levy large fines (up to €20 million or 4% of annual global turnover, whichever is higher) against non-compliant organisations.
Knowing that you need to comply with the Regulation doesn’t tell you which actions to take. For example, you might know that you need to improve your staff awareness programme, but not how to go about it.
Fortunately, IT Governance is here to help. This blog summarises six tools that are essential for helping you comply with the GDPR, focusing specifically on the prevention of and response to security incidents.
An effective cyber incident response programme helps organisations prepare for and respond to data breaches. Our CIRM (cyber incident response management) service gives you all the advice you need to create an effective programme. You’ll:
- Benefit from the expert guidance and support of an experienced cyber security team;
- Receive an accurate estimate of the work required to build a CIRM programme, allowing you to focus on securing the necessary budget;
- Implement the necessary measures to help you make quick decisions about critical cyber security issues; and
- Develop response capabilities that will keep your organisation operational during a disaster.
You can work out how extensive your defences need to be by assessing how information flows through your organisation. Your aim should be to collect and keep as little personal data as possible, and to transmit and store it in as few locations as possible: every copy is another place you have to secure and another place a breach can occur.
To do this, you will need to map your data flows and keep the maps up to date as processes change. That might sound time-consuming, but you can speed up the process by using Vigilant Software’s Data Flow Mapping Tool. It simplifies the mapping process and makes it easy for you to review, revise and update maps when needed.
With this tool, you can create consistent visual representations of the flow of data through all your business processes without having to resort to more time-consuming methods, such as pen and paper or vector graphics.
Assessing the likelihood and impact of a data breach is best done through a comprehensive information security risk assessment.
Vigilant Software’s vsRisk is a leading information security risk assessment tool that delivers fast, accurate, auditable and hassle-free risk assessments year after year. Fully aligned with ISO 27001, it cuts the consultancy costs typically associated with information security risk assessment.
When you report a personal data breach to the ICO (Information Commissioner’s Office), the UK’s supervisory authority, and the breach involved human error, you will be asked whether the staff involved had received data protection training. A breach with no training programme behind it is much harder to defend.
If you don’t have a programme, or want to improve your existing measures, you should take a look at our Information Security Staff Awareness E-Learning Course. It teaches employees about the most important elements of information security, and aims to reduce the likelihood of human error by familiarising non-technical staff with security awareness policies and procedures.
Penetration testing is a controlled form of hacking in which a professional tester, working with the organisation’s authorisation, looks for vulnerabilities in the same way a criminal hacker would. It is essential for finding and fixing problems before a network or application goes into use, and it should be repeated after significant changes, because new vulnerabilities are introduced and discovered continually.
Our penetration testing packages provide a complete security testing solution for your websites and IT systems. The fixed-cost packages are ideal for small and medium-sized organisations, or those with no prior experience of security testing.
All organisations should consider appointing a DPO (data protection officer) to oversee their data protection practices. Some are required to do so by Article 37 of the GDPR. This applies if they:
- Are a public authority or body (except courts acting in their judicial capacity);
- Have core activities that require regular and systematic monitoring of data subjects on a large scale; or
- Have core activities that consist of large-scale processing of special categories of data, or of data relating to criminal convictions and offences.
Finding a qualified professional to fill the role can be difficult. As such, you might consider outsourcing the role with our DPO as a service (GDPR). One of our data protection experts will act as a remote DPO, working with you to understand your organisation and its compliance requirements. They’ll complete the necessary tasks and provide you with guidance whenever you need it.
You can learn more about these products and discover other ways to prepare for a data breach by visiting our #BreachReady page. We break the process down into six easily navigable steps and offer recommendations on the tools and services you can use to complete each task.