GDPR Case Study

Home / case-studies / GDPR Case Study

Case Study - GDPR

One of the World’s Largest Pharmaceutical Companies Meets the Challenges of GDPR through an Integrated Approach

Overview
The client is a multinational pharmaceutical company that has operations in Europe and America. In light of the recent Global Data Protection Regulation (GDPR), they had to identify which systems had GDPR data and determine how to do a Privacy Impact Assessment (PIA) on these systems. Instead of manually gathering system and vulnerability data from various sources, InnoSec’s STORM Cyber Risk Management product offered them an automated solution to scope the GDPR PIA and demonstrate the level of confidentiality and integrity of the system using dashboards, reports and workflows, while integrating system and vulnerability data from various sources, and consolidating all of it in a centralized database. This has helped the client get a better, quicker, and more real-time view of GDPR compliance across the global organization.
INTRODUCTION

The GDPR is a relatively new regulation. Companies are unprepared to meet the challenges. Many of the steps that are required are currently largely manual and siloed. Systems must be inventoried and EU personal data identified between various stakeholders. Security assessments are painful and are done manually. DPR, PCI, ISO and HIPAA. The far-reaching consequences include fines of $500K for PCI and 20M+ Euros for GDPR.

Making matters more challenging, the integrity and confidentially of the system must be demonstrated. Additionally, data had to be aggregated from various Security Information and Event Management (SIEM) applications such as IBM QRadar and Vulnerability scanners like Qualys and Rapid7.

Keeping track of all this information at a global level is increasingly challenging for the cybersecurity team. At any given point, it was difficult for them to get a complete, real-time view of GDPR compliance across the enterprise. The team spent considerable time and effort manually gathering system data from various sources, and doing manual assessments.

It quickly became evident that this approach was neither cost-efficient nor scalable. The client needed a new system that would automate GRPR assessments, while also integrating vulnerabilities from across global operations and applications into a central database for complete visibility.

SOLUTION

Among all the cyber security solutions providers evaluated by the client, InnoSec was chosen based on the advanced capabilities and configurability of its offering.

InnoSec’s STORM Cyber Risk Management Application has inventoried approximately 5000 systems in the client organization to measure the onfidentiality and integrity of the systems to ensure they meet article 5 and 32 of the regulation across the global enterprise. The application streamlines and automates the assessment process and cyber security management lifecycle – right from system identification and classification, privacy impact assessment, vulnerability impact, notification, remediation plan management, and resolution.

All cybersecurity team members, including compliance manager, business owners, remediators, and the cyber security team are mapped to their specific roles and processes in STORM, thereby enhancing accountability and transparency. Each user has a dashboard, reports and workflows that allows them to seamlessly work together.

STORM also integrates with SIEM tools such as IBM QRadar, Qualys, Rapid7 and BMC Remedy Software, capturing critical information, including vulnerabilities, potential breaches and SIEM artifacts (affected system logs, incident reports, vulnerability information of affected assets, threat advisories/ zero day alerts). STORM then consolidates this data along with other cyber security risk and assessment information in a centralized database. This has made it easier for the client to track and manage compliance. In addition, a range of advanced reports provide complete, real-time visibility into the status of each system.

Image
GDPR ASSESSMENT INITIATION

Whenever a new assessment is started, STORM identifies all the systems in scope for the assessment by taking data from change management data bases like ServiceNow or BMC and categorizing the data in the systems. STORM allows the location and classification to be logged in the system, and assigns a business and system owner who monitors the system through the assessment.

STORM captures detailed information about the organization, business unit, processes, systems and devices including the purpose of use and demonstrates the relationships in a system tree. This demonstrates multiple levels of information in a parent/child manner. Controls are inherited from lowest to highest allowing a complete assessment down to the device level.

As the assessment is completed, components escalate severity rating, and impact. The confidentiality and the integrity of the system is measured using STORM’s powerful risk engine. It also helps categorize the information into various types based on pre-defined criteria, and can do multiple assessments simultaneously. Users can also add business context to the data (i.e. remediation plan, budget, and business impact). STORM also helps in qualitative and quantitative impact analysis, and supports correlation of the assessment with past data to enable quick analysis, and to support decision-making on the need for remedial action.

FINDINGS

Each finding impacts the residual risk of the system. STORM routes each incident/event for review and analysis to authorized users based on pre- configured rules for review, approval, and disposition. The application’s decision-tree functionality helps identify reportable events, as well as the type of report that needs to be filed. Remediation data is captured from external sources via STORM’s interfaces to third-party products.

Through STORM, remediation project and task owners can add more details about the work, edit its description, and attach further evidence/ files. STORM allows for thresholds that map the findings to the severity level of the findings -- Critical, High, Medium, or Low, supported by a color-coded chart (e.g. Red = Critical, Amber = Medium, Green = Low).

These severity levels indicate how soon the findings needs to be resolved. For instance, a critical finding would need to be resolved in 3 days, while a low severity case can take up to 30 days.

STORM captures the remediation plan for investigating or resolving the finding. For instance, if a virus has infected a system, the remediation plan might be to test the system controls, and was impacted, and whether or not additional controls are required. All these steps are outlined in STORM, and assigned to a task owner along with predefined timelines. Once the action items have been performed, the task owner enters the results in STORM, and routes it to a task approver for final review, approval, and closure.

PRIVACY IMPACT ASSESSMENT AND REPORTING

At each stage of the PIA assessment, STORM tracks the progress/ status of the assessment against pre-defined timelines (i.e. 5 days for analysis, 2 days for validation, 14 days for remediation).

STORM automatically populates the privacy impact assessment report with data. Therefore, at the click of a button, auditors get access to key reports such as a list of all findings across the organization, as well as a remediation work plan and an audit trail report. Powerful dashboards provide in-depth visibility into findings data and statistics such as % compliant, confidentiality scores, integrity scores, risk ratings, severity of findings, outstanding open findings, types of findings, and sources of findings. Users can slice and dice this data from various perspectives to identify trends and areas of concern, and to make informed decisions.

INTEGRATION WITH CHANGE MANAGEMENT DATABASES, SECURITY INFORMATION AND EVENT MANAGEMENT SYSTEMS AND VULNERABILITY MANAGEMENT SYSTEMS

STORM has API connectors that link to Change managements systems like ServiceNow and BMC,SIEM tools such as IBM QRadar and vulnerability scanners like Qualys and Rapid7 that capture and import system information, security incidents and vulnerabilities.



Testimonial

Get ready for the STORM

Our experts will be delighted to analyze your current cyber protection strategy management, answer your questions and schedule a Demo.

Get In Touch!