Rapid technology advances have brought new challenges for the protection of personal data, and so every organisation needs a comprehensive approach to privacy management. They must also document how they collect, process and store personal data. But too many companies still fall down on the security fundamentals and new regulations such as the General Data Protection Regulation (GDPR), Payment Card Industry (PCI) Data Security Standard, Health Insurance Portability and Accountability Act (HIPAA) and ISO 27001 are making the cost of failure far greater than it’s ever been.
Regulations and directives are unavoidable, and with non-compliance, fines and audits will undoubtedly follow. However, while these regulations feel like a burden, by employing basic security measures, they can be turned into an opportunity.
Many of the risks are in the data itself and the processes used to manage it. So, these are essential parts of a corporate initiative towards Data Security. Here are 10 ways to improve security compliance with data privacy regulations:
- Maintain an accurate inventory of software assets
A complete view of installed software can drive consolidation of the software portfolio to reduce security risks by reducing the attack surface for software vulnerabilities. Identify and remove freeware and unauthorised software which could pose a security risk. To this end, undertake a full audit to collect comprehensive hardware and software inventory data as well as identify which applications are using personal data and the people that are using those applications. This will enable the organisation to ensure that data that doesn’t comply with the Data Protection standards in use is reviewed.
- Know what Open Source Software (OSS) is used in the organisation’s internally developed apps
Typically, organisations know less than 10 percent of the software that’s actually used. Software engineers use open source components to expedite their work – but they often don’t understand the software vulnerability risks they may contain. Take control of and manage use of OSS and third-party components. Use automation to create a formal OSS inventory and policy that balances business benefits and risk management.
- Be vigilant about tracking and responding to alerts on software assets
Keep abreast of known software vulnerabilities and their criticality. To this end, ensure that there’s a list of software installed that needs to be monitored for vulnerabilities; and then understand the OSS components that have been used in the internally developed apps, so that alerts to vulnerabilities can be acted on.
- Run vulnerability assessment against all systems frequently
Identify vulnerable, unpatched software on desktops, laptops and servers. Cut through the noise to focus the research and alerts on the software assets identified in the organisation’s inventory. Thereafter, detect and assess the security state of applications to react faster.
- Prioritise and remediate the most critical vulnerabilities first
Implement vulnerability management policies and workflows. Drive and report on remediation processes from end-to-end to ensure Service Level Agreements are met. By applying the right patches, organisations close the main external intrusion method for cyberattacks. Reducing the attack surface for cyber-criminals reduces the risk, and costly consequences of personal data breaches.
- Remove local administrator rights from employee devices
Removing local administrator rights will further limit the organisation’s exposure to risk. Use of administrative rights is a primary means for hackers to spread malware inside the enterprise. If an employee has local administrator rights on their device, they can be tricked into opening malicious email attachments or downloading apps from malicious Websites. If the victim user’s account has administrative rights, the attacker can take over the device completely, install software and look for sensitive personal data.
- Enforce corporate policies using an enterprise app store
Foremost, prevent users from downloading apps from unknown sources. Deploy authorised software and enforce corporate policies using an enterprise app store. An enterprise app store can ensure that governance is in place to install only authorised applications. An app store can also check software license availability and obtain proper approvals. In addition to installing new applications, an app store can be used to remove unlicensed and black-listed applications from employee devices.
- Only deploy new software that is free from known vulnerabilities
As the number, frequency and complexity of applications in an enterprise portfolio grow, so do the risks of releasing new apps into the environment. Desktop engineering, software procurement and IT security each have a role to play in reviewing these risks and determining whether apps are approved for release or require further mitigation. As part of the change control process, evaluate risks when deploying new and updated apps into an enterprise environment and ensure they contain no known vulnerabilities.
- Uninstall software that is end of life (EOL), before the vendor stops support
When software reaches its End of Life (EOL), vendors stop patching security holes. Detect software that is EOL and upgrade to a supported version or remove it entirely from the device. Because EOL programmes are no longer maintained and supported by the vendor, there are no security updates, and hence are insecure.
- Share data between systems and collaborate
Ensure IT Security and IT Operations have consistent data, yet custom views, to effectively collaborate on the latest research, assessed vulnerabilities and remediation activities. Automatically create service desk tickets to track and confirm remediation.
All the above are fundamental best practices that organisations must follow in the current environment to ensure data security and compliance with data privacy regulations. According to Forrester Research, the top external intrusion method hackers use to gain access to data is through vulnerabilities in software. Similarly, Gartner says that “through 2020, 99 percent of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.” Proactive management of vulnerabilities is therefore vital to data security and compliance.
[su_box title=”About Vincent Smyth” style=”noise” box_color=”#336588″][short_info id=’60585′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.