In this podcast, Darron Gibbard, Chief Technical Security Officer EMEA at Qualys, discusses third-party risk and how it affects the GDPR compliance of your organization.
Here’s a transcript of the podcast for your convenience.
Hello. My name is Darron Gibbard, and I am the Chief Technical Security Officer at Qualys. In this Help Net Security session today, I am going to be covering third-party risk – how does this affect your GDPR compliance? One of the key tenets of the GDPR is understanding where all of your data is going, who has access to it, and what organizations have access to that data.
The problem for a lot of organizations is that they are dealing with a large number of suppliers: vendors, outsource partners, and various other organizations – even heating, ventilation and air conditioning organizations that may have access to personal data. So, how, as a security or compliance team, are you able to look at and understand the risks in your supply chain? From my personal experience of having run teams in this area, I’ve worked with organizations where I’ve had 750 suppliers in a year to evaluate, and then go back to my governing bodies to help them understand the risks from that supply chain.
The only way organizations can cover this is to automate, and to automate the process away from the traditional spreadsheets, the traditional emails, the constant chasing of suppliers to get them to respond. There are products out there that will help, and from Qualys we have our Security Assessment Questionnaire product that would allow you to automate all of that process. It’s vitally important that, with the vast numbers of suppliers within your respective organizations, you understand which are the critical suppliers.
So, my best advice to any organization would be to tier or to classify your suppliers on the access they have: the level of access and the volume of data that they have access to. You may have HR providers who have access to a lot of critical and sensitive personal information. They would be automatically classified as a Tier 1 or Level 1 supplier. People who just have limited access (using the example from earlier, heating, ventilation and air conditioning) may only have access to job sheets, and you may want to classify those as Tier 2. But the important thing is knowing what questions to ask these suppliers.
So, you’ve rated your suppliers, you’ve tiered them so you know which ones are critical to you, and then you have the daunting task of having to ask all of those to complete questionnaires. As you can imagine, those suppliers are being sent questionnaires from all of their customers as well; everyone they provide services to will also be sending them questionnaires.
It’s a very messy solution for any organization if they are relying on spreadsheets and emails. What needs to happen, and the key thing from a Qualys perspective, is having that visibility and understanding the criticality of the supplier, the rating of the data that is being provided to them, and the processing that they are doing with that data.
Once we have all three of those, then the tailoring of the questionnaire is very easy. By using an automated system that will do all of the sending of the questionnaire, the tiering of the questionnaire, and the ability to provide attachments to that questionnaire, you are taking a lot of legwork away from the individuals that need it, so that they can focus on receiving the questionnaires and risk scoring those questionnaires.
A lot of time is wasted chasing the supplier to get an answer. So, removing that bottleneck and removing that time will speed up your due diligence, your supplier due diligence process.
Once you receive the questionnaires back, it’s vitally important that the risk team gets involved with understanding the data, the types of data that are being used, and whether there is a need for a commercial contract update, which will then give you legal recourse with the organization in the event of a breach. It also feeds into your incident response processes, because you then have an understanding of where your data is, what the organizations that you’re working with are doing with that data, and you understand what their SLAs are for responding to a breach. Because obviously, as we all know, when dealing with breaches or an incident, your head is buried in fixing the problem, rather than understanding and following the flow of the data, and understanding which organizations are impacted.
With a complete program, where you understand your suppliers, you have the right commercially agreed arrangements in place, you know where your data is going and you understand where that is, you will be able to minimize the risk to your organization from a breach. Thank you for your time.