19 August, 2020
Penetration testing and vulnerability scanning for GDPR
The General Data Protection Regulation – aka the GDPR – was enacted in May 2018 to give consumers in the EU control over the private data that organizations store and process about them.
In contrast to the NYDFS Cybersecurity Requirements for Financial Services Companies, which explicitly outlines its requirements for penetration testing and vulnerability assessments, the GDPR does not explicitly cover either of these. This leads to a lack of clarity for businesses and organizations conducting business with the EU.
Does the GDPR have a pen testing requirement?
Not explicitly. However, Article 32 describes the outcomes needed to comply with the GDPR. In order to achieve those outcomes, an organization will need to manage internally or outsource GDPR penetration testing and GDPR vulnerability scanning in order to ensure they are continuously meeting their GDPR compliance requirements and prepared for a potential GDPR audit in the future.
Learn more about the GDPR’s security requirements for pen testing in this infographic here: GDPR Requirements for Pen Testing
What exactly does the GDPR Article 32 say?
If you skim the GDPR articles, you might miss the implied requirements for vulnerability scanning and penetration testing.
Delving into the specific language in GDPR Article 32, it reads as follows:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”
The GDPR mandates that data controllers and processors implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Furthermore, the language of Article 32 names certain minimum measures: “pseudonymization,” “encryption,” the ongoing confidentiality, integrity, and availability of processing systems (the CIA triad), “resilience,” and “a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”
These cybersecurity requirements will need to be tested routinely for GDPR audit-readiness.
Where do vulnerability scanning and penetration testing fit?
If your organization is processing the personal information of EU residents, GDPR requires you to maintain a resilient IT infrastructure wherein your organizational and security measures are working effectively.
In order to successfully validate GDPR compliance, security and technology leaders can check the effectiveness of their organization’s governance, systems, and technical controls by conducting a vulnerability assessment followed by a comprehensive penetration test.
- A vulnerability assessment will establish the baseline for compliance readiness and reveal outstanding weaknesses in the environment that hinder an organization’s ability to achieve GDPR compliance and avoid fines associated with non-compliance.
- A penetration test confirms which of the vulnerabilities identified in the assessment phase are actually exploitable, so they can be mitigated before attackers exploit them.
- These measures also help ensure the organization is prepared with audit-ready reports for attestation.
By testing systems for compliance specifications, like the ones included in GDPR Article 32, organizations can establish GDPR compliance-readiness by rapidly remediating any issues that are not meeting GDPR standards and improving overall cyber resiliency.
Establishing GDPR Compliance Readiness
In the current threat landscape, proactive organizational security is not only required for compliance, it’s also a logical investment for companies with understaffed teams and cash-strapped budgets. Why? Compliance requirements exist to manage critical risks that threat actors have exploited for profit in the past. Over time, lawmakers and regulators have recognized that those historical vulnerabilities and security gaps are readily exploited by criminals and nation-state actors who destroy businesses, harm local communities, and disrupt modern society. By meeting compliance requirements, organizations reduce the risks associated with impactful, expensive security breaches and infringement fines.
Organizations cannot afford to sit and wait for an attack to happen, nor can they afford the fines associated with non-compliance. Security and technology leaders need proactive, offensive security strategies to identify gaps, vulnerabilities, and flaws in their IT infrastructure. Once identified, these can be patched proactively to reduce the likelihood of a vulnerability being exploited and turning into an impactful, expensive breach. Regular vulnerability scans and periodic penetration tests ensure critical vulnerabilities are discovered and patched in a timely fashion.
With BreachLock’s penetration testing service in place, compliance readiness is easy. You can quickly share findings with both auditors and internal GRC (governance, risk, and compliance) stakeholders. Furthermore, with GDPR compliance readiness established, your busy security and DevOps teams can focus on critical remediation activities instead of chasing down digital artifacts and attestable evidence. BreachLock’s human-led penetration testing removes false positives proactively, ensuring your final report contains only the true-positive findings you need for remediation and audit readiness.
GDPR Penetration Testing with BreachLock
If GDPR compliance feels like a burden to you – it doesn’t have to be anymore.
From startups to SMBs to global enterprise clients, BreachLock’s customers enjoy comprehensive, affordable pen testing that validates systems, fulfills legal obligations, and provides easy-to-export GDPR compliance reports. With our full-stack suite of pentesting services and cloud-native platform, security and technology leaders can quickly order GDPR penetration tests with just a few clicks in their customer portal, set the frequency of their automated vulnerability scans, and use the 1-click export button for sharing reports.
Pentesting for GDPR compliance is fast, easy, and affordable with BreachLock. Schedule a discovery call with our team today!