Investigating and Identifying assets, services and access to produce a risk profile for GDPR Compliance
Much like a financial audit, where an auditor investigates the accounts, inventory and processes of an organisation to ensure compliance and correctness, a Texaport audit looks into the technical capacity of the organisation in relation to GDPR.
Texaport follows a deliberately loose process, which allows the investigation to be adapted to each client, working from the “outside” of the organisation “in”.
Texaport’s initial testing and analysis of the client estate is performed at the periphery: the technical controls deployed to secure the estate and its communications.
Texaport’s penetration testing tools are deployed to identify the external visibility and vulnerabilities of the client network and connected devices.
This assists in providing a detailed examination of the client’s security standing, particularly with respect to data.
To minimise business risk, clients should be taking a multi-layered approach to security, including:
- Gateway Protection
- End Point Protection
- Disabling vulnerable ports
- User Education
- Regular off-site backup of data
Normally following the “External Analysis”, Texaport’s internal analysis identifies any vulnerabilities or pathways behind the outer layer, in order to identify and visualise the impact of a compromised network.
Texaport deploys vulnerability scanning agents to identify:
- Group Policies
- Network Architecture
Other details, assets and processes will be outlined in this analysis. Non-conformances with the initial scoping documents will be noted and raised with the client to verify the rationale for, and awareness or knowledge of, the discrepancy.
Texaport provides a “Preparation Booklet” to the client, which is completed by the Client “Stakeholders” with knowledge and awareness of the assets, systems, processes and procedures involved. This booklet is instrumental in shaping, identifying and building security and policies for Clients. Contained within this booklet are space and guidance for completing the following information and audit steps.
Texaport will require access to the file storage systems used by the client to evaluate the integrity and security of the structure. This will include assessing permission-based restrictions, data classifications and security measures currently in place.
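As an added illustration of the kind of permission check the file storage assessment above involves (example code, not Texaport’s own tooling): the script below walks a constructed sample share and flags entries writable by everyone, and files readable by everyone whose names hint at personal data. The name heuristic, the finding labels and the sample tree are assumptions made for this example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Finding labels used by this illustration (assumed names, not a standard).
WORLD_WRITABLE = "world-writable"
WORLD_READABLE_SENSITIVE = "world-readable sensitive file"

# Constructed heuristic: filename fragments that suggest personal or confidential data.
SENSITIVE_HINTS = ("payroll", "hr_", "customer", "personal", "passport")


def audit_permissions(root):
    """Walk `root` and return a sorted list of (relative path, finding) tuples.

    Flags any file or directory writable by 'other', and any file whose name
    matches SENSITIVE_HINTS that is readable by 'other'. Only the entry's own
    mode bits are inspected; a restrictive parent directory would reduce the
    effective exposure, and a full audit should factor that in.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        mode = path.lstat().st_mode
        rel = str(path.relative_to(root))
        if mode & stat.S_IWOTH:
            findings.append((rel, WORLD_WRITABLE))
        if path.is_file() and (mode & stat.S_IROTH):
            name = path.name.lower()
            if any(hint in name for hint in SENSITIVE_HINTS):
                findings.append((rel, WORLD_READABLE_SENSITIVE))
    return findings


def build_sample_share():
    """Create a throwaway directory tree with deliberately mixed permissions (constructed data)."""
    base = Path(tempfile.mkdtemp(prefix="share_audit_"))
    (base / "public").mkdir()
    (base / "public" / "notice.txt").write_text("office closed Friday\n")
    os.chmod(base / "public" / "notice.txt", 0o644)  # public notice, readable by all: acceptable
    (base / "hr").mkdir()
    (base / "hr" / "payroll.csv").write_text("name,salary\n")
    os.chmod(base / "hr" / "payroll.csv", 0o644)  # personal data readable by all: finding
    (base / "hr" / "policy.txt").write_text("leave policy\n")
    os.chmod(base / "hr" / "policy.txt", 0o640)  # restricted: no finding
    (base / "scratch").mkdir()
    os.chmod(base / "scratch", 0o777)  # world-writable directory: finding
    os.chmod(base / "hr", 0o750)
    os.chmod(base / "public", 0o755)
    return base


if __name__ == "__main__":
    share = build_sample_share()
    for rel, finding in audit_permissions(share):
        print(f"{finding:32} {rel}")
```

Run on a real share, the same walk can be pointed at a mounted path; on Windows file servers the equivalent check reads the ACLs rather than POSIX mode bits, so the heuristic would need to be adapted.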
Business Continuity measures will also be verified at this point along with the policy and processes used.
Texaport will work with a sample of users throughout various business areas to identify awareness and processes used.
Texaport recommends regular user training and awareness of risks to data, hardware and business functions.
Texaport will use the information gathered during the infrastructure analysis and user audit to identify applications present and used on individual machines and in key business areas.
IT Management policies will be identified and verified including application management and lifecycles.
Third Party Audit
Where services are provided by third parties in respect of connectivity, applications, data management or hardware support, Texaport will require direct lines of communication to identify any potential vulnerabilities and improvements.
A key component of compliance is the security and management of the entire supply chain, which ensures the ongoing integrity of data, processes and systems.
Legal, Regulatory and Policy Audit
Texaport will work with the Stakeholders to locate key operational policies related to the management and protection of data, both personal and confidential. Employees and customers should be aware of these policies; this will be verified with employees during the “User Audit” to ensure compliance, and any non-conformances will be recorded and reported on.
Texaport will advise Clients on the standard locations and uses of data protection statements and disclaimers. Areas to consider include:
- Employee Contracts
- Supplier Contracts
- Customer Contracts
- Website Statements
- Data Categorisation
- Information Asset Register
- Consideration of Processor/Controller relationship in ALL contracts.
- Subject Access Requests
- Right to be forgotten
Texaport will work with the Stakeholders to identify key operational processes which involve data, both personal and confidential. These processes will be verified with employees during the “User Audit” to ensure compliance, and any non-conformances will be recorded and reported on.
Processes which WILL need to be implemented include:
- Subject Access Requests
- Secure Configurations
- Change Management
- Patching Process
- Supplier Vetting
- Privacy Impact Assessments
- Incident Management
- ICO Reporting
- Business Continuity
Texaport will compile the results of the preceding audits into a Risk Assessment document for Clients, which will be incorporated into the final report.
The risk assessment is an important component of ISO, IASME and GDPR conformance and provides a “baseline” to work from and update on a regular basis.