Posted on Mar 19, 2018
By Fouad Khalil
With the General Data Protection Regulation (GDPR) effective date around the corner (May 25, 2018), organizations are scrambling to make sure they’re ready. Research shows organizations are planning to spend anywhere from $1 to $10 million on GDPR preparedness. Shockingly, research also shows about 23% of organizations have not started their GDPR compliance efforts. Although the regulation has broad-reaching requirements that will take time to address fully, affected organizations should be prioritizing high-impact cybersecurity controls that align with the regulation’s foundational objectives of protecting sensitive personal information. This article discusses three cybersecurity vendor risk management considerations that organizations should weigh as part of a broader GDPR compliance program.
Consideration #1: Understand GDPR Vendor Risk Management Requirements
Security and privacy by design is a clear requirement stated by GDPR. The regulation is pushing organizations to make security and privacy control implementations part of daily business operating procedures, including vendor risk management. As organizations integrate the necessary GDPR-mandated controls that help ensure proper protection of personal data, the business will become more compliant out of the box.
GDPR has a significant focus on ensuring that an affected organization (a “controller” in GDPR language) has proper cybersecurity oversight of its vendors (a “processor” in GDPR language). Working with suppliers and partners involves the exchange of data that may be deemed personal and hence in the scope of GDPR. Suppliers or partners that fail to set controls or compliance requirements may force organizations to suspend the relationship or even sever the partnership agreements. GDPR will impact how companies do business today, and ensuring strong cybersecurity across a vendor ecosystem is on the GDPR table. Companies must act now in preparing for the GDPR effective date and must initiate the projects to bring teams together and start addressing the requirements, including vast improvement to the oversight of how third parties align their security controls with GDPR requirements.
Consideration #2: Consider Commercial Solutions to Kick-start a Vendor Risk Management Program
Unfortunately, there has not been any formal technical control guidance issued that organizations can leverage in addressing GDPR requirements, including guidance around managing third-party risk. Fortunately, many reputable industry organizations (ISACA, IIA) and commercial entities have been proactive in preparing for and issuing their versions of control procedures that enable the march towards compliance. It is expected that a uniform audit program guide will be owned and made available across the globe. Organizations must keep an eye on the GDPR governing body for updates and announcements.
In the meantime, affected organizations should start the path to achieving well-accepted practices in assessing and addressing third-party cybersecurity risk. This effort includes ensuring that any third-party vendor or organization that processes personal data has a strong cybersecurity posture. One option companies can consider is commercial solutions like SecurityScorecard, a cybersecurity vendor rating solution that helps organizations assess and address the cyberhealth of any organization in a partner ecosystem.
Consideration #3: Do What’s Right to Ensure a Successful Audit
Addressing compliance requirements is a daunting exercise for any organization. The challenge is even more daunting for organizations that do not have a mature information security program. As with meeting any business-related challenge, enlisting outside assistance should always be a consideration. Auditors understand many of the challenges organizations face when addressing compliance requirements and are typically forgiving to organizations that are making a concerted effort to address regulatory mandates. In the area of vendor risk management, organizations should focus on programs that can demonstrate to auditors: (1) which vendors manage GDPR-affected personal data, (2) an ability to assess each vendor’s ability to protect the data, and (3) a collaborative process with vendors to address security gaps. It’s beyond the scope of this article to discuss the laundry list of operational and technical security controls that an auditor will want to see; however, at a high level they should address cybersecurity concerns at multiple levels, including network security, application security, and endpoint security, among other areas.
An important consideration when developing programs in this area is the frequency at which vendor cybersecurity posture is managed. Auditors recognize that automated programs that deliver continuous management are far more effective than less frequent manual processes. Organizations should consider fully automated commercial solutions as part of their efforts to achieve GDPR compliance.
If you are already on the way to GDPR compliance, kudos to you and your team. If you just started or have not yet, you will need all the help you can get to be ready in time. Leveraging external expert resources may be necessary to ensure a successful compliance campaign. Even if you’re not 100% there by May 25, 2018, showing progress and effort toward compliance is a huge win when auditors come knocking. Using SecurityScorecard, organizations can gain operational command of the security posture of their third parties through continuous, non-intrusive monitoring. SecurityScorecard’s vendor rating SaaS platform offers unmatched breadth and depth in the assessment across a broad range of risk categories such as application security, malware, patching cadence, network security, hacker chatter, social engineering, and leaked information.