Last updated at Wed, 13 Dec 2017 18:25:00 GMT
The General Data Protection Regulation’s (GDPR) deadline in 2018 is rapidly approaching, and as companies prepare for GDPR compliance, they’re facing a struggle that’s plagued every security program for years: how to quantify that nebulous, scary thing called “risk.” GDPR compliance specifically talks about “risk” several times in its guidelines, particularly in Article 32 where it states that “Controllers and processors must implement a level of security appropriate to the risk.”
Fortunately, our vulnerability management solution has been built from the ground up to focus on risk and how to measure it, instead of just CVSS scores and other rating systems that don’t take business context into account. Here’s how InsightVM can help you meet your GDPR compliance needs in an automated and efficient way, freeing up your time for more intricate security concerns.
Automatically prioritize systems that process personal data for remediation
With InsightVM’s criticality tags, you can tag specific systems that process personal data as more important than other systems, amplifying the risk score of the asset and ensuring that the vulnerabilities found on these assets are prioritized for remediation. You can also tag assets by owner or by type (e.g., GDPR - App Server) to make reporting a breeze.
Track remediation progress to ensure GDPR systems are fixed in a timely manner
Remediation projects in InsightVM let the security team assign the right projects to the right people and track live to ensure that SLAs are met and GDPR systems are patched in a timely manner. You can also integrate with ticketing solutions like JIRA and ServiceNow to seamlessly fold remediation into your IT team’s existing workflow.
Live dashboards for tracking GDPR compliance progress
InsightVM’s Liveboard gives you live dashboards that you can customize for any user in your organization—making it easy to obtain a report card on your GDPR systems. These can be further filtered down to create holistic corporate-wide views for a CIO or CISO, or office-specific views for a security director.
Tutorial: Creating a GDPR compliance dashboard in InsightVM
Now that you’ve tagged your GDPR assets as “Critical,” let’s walk through how to create a dashboard for these assets so you can track risk and remediation progress live.
First, we’ll create a general dashboard using one of InsightVM’s pre-built templates. The “Assets Dashboard” is a good place to start as this comes pre-built with most of the cards we would find useful. To do so, click on the dropdown on the dashboards page and click on “Assets Dashboard” under the Rapid7 Recommended section.
Give this new dashboard a relevant name and a description, and click OK to save.
This will give us a default view that looks like this:
Remember, these cards can be freely moved around, added, or removed, so let’s pull one that's particularly interesting for GDPR to the top: “Assets by Vulnerability Severity Over Time” shows how the number of critical, severe, and moderate vulnerabilities has changed over time.
Every card in InsightVM can be filtered using a list of granular filters for anything from specific software detected on a system to open ports and tags. Since we have already tagged all of our GDPR systems with the “Very High” criticality tag, we can filter this card down to just those assets by expanding the card and using the filter:
asset.tags STARTS WITH "very high".
The best part? Now that we’ve done this once, we can click on “Save Filter” to save and easily apply this filter to the rest of the cards in our dashboard, giving us a true GDPR compliance dashboard with just a few minutes of work.
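To make the card's numbers reproducible outside the console, here is an added example (not InsightVM code) that rebuilds the “Assets by Vulnerability Severity Over Time” card over a constructed scan history, applying the same asset.tags STARTS WITH filter shown above. The filter grammar, case-insensitive prefix matching, and the sample data are all assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample: one record per (scan date, asset) with the asset's tags
# and the worst vulnerability severity seen in that scan. Not real InsightVM data.
SCANS = [
    {"date": "2017-11-01", "asset": "db-01",  "tags": ["Very High", "GDPR - DB"],         "severity": "critical"},
    {"date": "2017-11-01", "asset": "app-01", "tags": ["Very High", "GDPR - App Server"], "severity": "severe"},
    {"date": "2017-11-01", "asset": "kiosk",  "tags": ["Low"],                            "severity": "critical"},
    {"date": "2017-12-01", "asset": "db-01",  "tags": ["Very High", "GDPR - DB"],         "severity": "moderate"},
    {"date": "2017-12-01", "asset": "app-01", "tags": ["Very High", "GDPR - App Server"], "severity": "severe"},
    {"date": "2017-12-01", "asset": "kiosk",  "tags": ["Low"],                            "severity": "critical"},
]

def parse_filter(expr):
    """Parse the one filter form used in the post: <field> STARTS WITH "<prefix>".
    Assumed, simplified grammar; the real console supports many more operators."""
    field, sep, rest = expr.strip().partition(" STARTS WITH ")
    if not sep or len(rest) < 2 or not (rest.startswith('"') and rest.endswith('"')):
        raise ValueError(f"unsupported filter: {expr!r}")
    return field.strip(), rest[1:-1]

def matches(record, field, prefix):
    """Case-insensitive prefix match; for asset.tags, any one tag may match (assumed)."""
    if field != "asset.tags":
        raise ValueError(f"unsupported field: {field}")
    return any(tag.lower().startswith(prefix.lower()) for tag in record["tags"])

def severity_over_time(records, filter_expr):
    """Return {date: {severity: asset count}} for assets that pass the filter,
    i.e. the data behind the 'Assets by Vulnerability Severity Over Time' card."""
    field, prefix = parse_filter(filter_expr)
    card = defaultdict(lambda: {"critical": 0, "severe": 0, "moderate": 0})
    for r in records:
        if matches(r, field, prefix):
            card[r["date"]][r["severity"]] += 1
    return {d: counts for d, counts in sorted(card.items())}

if __name__ == "__main__":
    for day, counts in severity_over_time(SCANS, 'asset.tags STARTS WITH "very high"').items():
        print(day, counts)
```

The untagged kiosk never appears in the output, which is exactly the point of filtering the card to GDPR assets before reading trends from it.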
Want additional GDPR compliance tips and tricks? Check out our GDPR toolkit for help on getting ready for May 25th, and of course feel free to reach out to your friendly neighborhood sales rep or Customer Success Manager!
Not an InsightVM customer? You can download a free 30-day trial today to try any of the features that I covered above.
Want more? Get all our GDPR blog content here or add it to your RSS feed.