Compliance & GDPR - RiskIQ

Compliance: GDPR, PII...


Compliance is a security problem

Increasing scrutiny in the face of data breaches and new, technology-centric regulation have led to security teams being more responsible for compliance tasks. As with all security processes, automation and visibility are key needs to ensure that control validation and remediation of non-compliance are efficient, documented, and easily managed.

Organizations that implement frameworks or are governed by regulations such as GDPR, NIST, NERC, FISMA, or PCI-DSS are all required to maintain asset inventories that detail the location, accessibility, patch level, and ownership of the assets. These requirements cover all digital assets, including those that exist outside the firewall and outside traditional vulnerability scanning technologies. However, you can’t mitigate what you don’t see.

RiskIQ Digital Footprint provides automated discovery and intelligence on internet-facing assets connected to a business, allowing security teams to pinpoint exposures and reduce an organization’s digital attack surface. After discovery, Digital Footprint provides faster prioritization of remediation activities through the correlation of exposed digital assets, vulnerabilities, and security gaps. Automated analysis classifies and validates security controls, including our new PII/GDPR analytics that tag assets that collect personally identifiable information (PII) or track visitors using cookies.

The comprehensive inventory, advanced analytics, and up-to-date details about external assets give organizations the confidence that they will have visibility into external assets and be audit-ready.

Are You Collecting Personal Data Securely?

GDPR: The European regulation that affects global businesses

Effective May 25, 2018, any organization that collects or stores information about European Union (EU) citizens is required to abide by the General Data Protection Regulation, or GDPR. A way to consolidate European privacy laws governing data, the GDPR applies to most global businesses, including those that don’t necessarily have a physical presence in an EU country.

GDPR introduces strict requirements for how businesses solicit, handle, and secure personal data. The challenge for larger organizations is the sheer volume and complexity of websites and web applications that collect personally identifiable information (PII) and need to be identified and inspected. PII, according to the GDPR, includes information that can be used to tie data and activities back to an individual, such as name, address, phone number, email address, social media presence, photos, lifestyle choices and preferences, IP addresses, location data, and more.

Questions that need to be asked when evaluating your security hygiene through a GDPR lens are:

  • What website and webpages are collecting PII data? Are they doing it securely?
  • Do unmanaged and rogue corporate websites exist yielding GDPR and data privacy breach gaps?
  • Are appropriate opt-out messages being issued for PII collection, and do they adhere to policy?
  • Do we have accurate PII website and form discovery and insights to help satisfy audit processes?
  • Are any of our websites susceptible to attack, personal data exfiltration, or data breach?

Digital Footprint helps with GDPR compliance by identifying websites within an organization’s footprint that collect and process PII. Digital Footprint provides organizations with the capability to:

  • Discover, inventory, and assess websites, apps and infrastructure where PII is captured and processed
  • Identify and assess PII-collecting website exposures: notices, forms, SSL certificates, frameworks
  • Verify security of the PII-collecting websites with SSL certificates and encryption
  • Comply with persistent cookie requirements on websites (expiration of less than one year)
  • Identify where PII is captured by third-parties using your company/brand as a lure (such as Fake Ads)
  • Highlight security and policy violation exposures, enabling security and governance, risk, and compliance (GRC) teams to better understand, and in some cases reduce, their attack surface and achieve compliance.

RiskIQ provides the control and visibility needed for modern compliance tasks and risk mitigation

RiskIQ Digital Footprint provides an automated inventory and details about the external assets that belong to an organization that exist outside the safety of the firewall. The details about your external assets can be matched against corporate or industry/government policy to audit compliance and support remediation.

RiskIQ’s proprietary discovery technology automatically identifies and indexes company-owned digital assets—including third-party code and component relationships and dependencies between assets.

With RiskIQ, compliance tasks that used to be time consuming and tedious are now automated and simple:

Verify compliance with industry standards or government regulations, or create your own corporate security policies in real time. Prepare for audits and perform reporting on the external asset inventory and the details about those assets, such as software, frameworks, and vulnerabilities.

Reduce the burden of compliance audits. With additional visibility for page-level policies, organizations can instantly search and pivot within asset inventory to locate or remediate pages or full sites with vulnerable frameworks, CVEs, insecure data collection, or unauthorized third-party web components.

Enrich existing GRC tools. Continuous monitoring from the perspective of end-users interacting with each web page complements compliance tools and provides added visibility into their current external behaviors.

Automate the task of tracking all owned assets such as domain names, pages collecting PII, SSL certificates, associated sites, and their expiration status. Digital Footprint sends real-time alerts about gaps in security and compliance.

Filter external assets based on ownership, brand, policy requirements, criticality, vulnerability (CVE or CVSS score), or custom tags and classifications (like PCI-DSS or GDPR).

Support the initial audit process for mergers and acquisitions with RiskIQ, identifying all websites belonging to an organization, including pages that collect data. RiskIQ also flags situations where data and PII collection is not encrypted, or SSL is configured incorrectly.
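Two of the page-level checks described above (a PII-collecting form that submits over an unencrypted connection, and a persistent cookie whose expiration exceeds one year) can be expressed as simple audit logic. The following is an added example written for this page, not RiskIQ's own code or classifier; the PII field-name list, the `example.test` URLs and the cookie headers are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urljoin
PII_FIELDS = {"email", "name", "phone", "address", "dob", "ssn", "password"}  # assumed PII input names
class FormCollector(HTMLParser):
    # Records each <form> with its action and the names of the <input> fields inside it.
    def __init__(self, html):
        super().__init__()
        self.forms, self._current = [], None
        self.feed(html)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

def find_insecure_pii_forms(page_url, html):
    """Forms that collect PII but submit to a target that is not HTTPS."""
    findings = []
    for form in FormCollector(html).forms:
        pii = sorted(n for n in form["fields"] if n in PII_FIELDS)
        target = urljoin(page_url, form["action"])  # resolve relative actions against the page URL
        if pii and not target.startswith("https://"):
            findings.append({"action": target, "pii_fields": pii})
    return findings

def find_long_lived_cookies(set_cookie_headers, now, max_days=365):
    """Names of cookies whose Max-Age or Expires lies more than max_days ahead of now."""
    limit, flagged = now + timedelta(days=max_days), []
    for header in set_cookie_headers:
        age = re.search(r";\s*max-age=(\d+)", header, re.I)
        exp = re.search(r";\s*expires=([^;]+)", header, re.I)
        if age:  # Max-Age takes precedence over Expires (RFC 6265)
            expiry = now + timedelta(seconds=int(age.group(1)))
        elif exp:
            expiry = parsedate_to_datetime(exp.group(1).strip())  # GMT date per RFC 6265, so tz-aware
        else:
            continue  # no expiry attribute: session cookie, not persistent
        if expiry > limit:
            flagged.append(header.split("=", 1)[0].strip())
    return flagged
# Constructed sample inputs (not real sites): one PII form posts over plain HTTP; one cookie outlives a year.
SAMPLE_URL = "https://www.example.test/account"
SAMPLE_HTML = '<form action="http://example.test/signup"><input name="email"><input name="name"></form><form action="/login"><input name="password"></form>'
SAMPLE_COOKIES = ["_track=abc; Expires=Wed, 01 Jan 2030 00:00:00 GMT; Path=/", "session=xyz; Path=/; HttpOnly", "pref=1; Max-Age=2592000"]
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
```

Running `find_insecure_pii_forms(SAMPLE_URL, SAMPLE_HTML)` reports only the signup form (the login form resolves to an HTTPS target), and `find_long_lived_cookies(SAMPLE_COOKIES, SAMPLE_NOW)` reports only `_track`, since the session cookie has no expiry and the 30-day `pref` cookie is within the one-year limit.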