Audit Guru for GDPR
COMPLIANCE PROCESS AUTOMATION (CPA)
The General Data Protection Regulation (GDPR) presents a huge opportunity for IT service providers, MSPs, MSSPs, and VARs to offer a new set of IT services using Audit Guru for GDPR. With this powerful software appliance connected to your client's network you can provide:
GDPR isn't just a "Europe thing," even though the biggest impact will be on organizations based in the European Union. Literally every business in the world that collects data about any individual living in the European Union is impacted. Organizations that are found to be non-compliant with these sweeping new privacy regulations are subject to significant fines and crippling sanctions. And that's your leverage to sell in your GDPR Compliance services using Audit Guru as your enabler for this lucrative opportunity.
There are many check-list products on the market that provide you with a laundry list of tasks you must perform, and information you need to gather, process, analyze, and validate to be GDPR compliant. But Audit Guru takes the process to the next level by automating the collection of much of the data you need, analyzing it for you, and providing you with dynamic worksheets that are customized based on the results of the collected data.
Audit Guru for GDPR is only sold through Authorized Partners. The Partner Program enables IT service providers, including MSPs, VARs and MSSP organizations to meet the growing demands for GDPR compliance services while also generating new revenue streams without the risk of substantial additional overhead costs.
Audit Guru solves the complex requirements of mandatory reporting, ongoing issues discovery, and breach detection under GDPR. It does this in a highly automated process using a software appliance connected to a client network that acts like a virtual Security Officer. The software coordinates and manages a variety of network tasks that need to be performed on a continual basis, ensuring that your client has complied with the standard.
By partnering with us and deploying Audit Guru, you reduce the risk of a data breach, streamline your compliance efforts, and mitigate the financial exposure for your customer and your business.
The Audit Guru partner program provides IT service providers with the foundational tools they need to economically roll out a robust GDPR compliance service that meets the needs of most businesses.
FOLLOW THIS EASY PROCESS TO GET UP AND RUNNING QUICKLY
As an Audit Guru for GDPR™ authorized partner you are also immediately eligible for the following program benefits:
Here are the unique features that make Audit Guru for GDPR so valuable:
Features and Benefits

| Feature | What it does | Benefit |
|---|---|---|
| Standardized Internal Assessment Methodology | Our approach walks you through the process. | Repeatable and non-arbitrary approach to performing a GDPR assessment. |
| Automated Scans | Technical scans are performed by the Audit Guru appliance. | Removes human error by having the appliance perform the technical data collection. When humans perform technical assessments, they tend to spot-check and not be as thorough. |
| Role-based Assignments | Divides the workload into three primary roles: Internal Auditor, Technician, and Site Admin. | Allows flexibility in how you work with your clients on performing GDPR assessments. The MSP can perform all three roles or divide the roles logically with the staff at the client's site responsible for compliance. |
| On-line Forms and Worksheets | Complete worksheets and forms to provide information that cannot be collected automatically. | An intuitive, easy-to-complete model guides you through the assessment process by just completing forms. |
| Augment Data Found from Automated Scans | Forms are created using data from the actual network and not just a generic checklist. | Answer questions about the client's actual environment, users, and computers to provide details that cannot be gathered automatically. |
| Task Notification | As tasks are assigned, stakeholders are notified via email. | Makes performing the assessment process a no-brainer. Interact with Audit Guru through links in emails telling you when there are tasks that require your attention. |
| Auditor Checklists | Summary documents of compliance with cross-references to other documents. | Easily assess your compliance position and get a document to show auditors as a starting point, helping them see how you are going about compliance. The easy-to-use format and cross-references make the auditor's life easier. Happy auditor, happy auditee. |
| Evidence of Compliance | Detailed document showing information from automated scans, augmented data, and questionnaires. | Gathers evidence into one document to back up the Auditor Checklists with real data. |
| Information Policies and Procedures | A standardized P&P designed as a starting place for organizations that might not have one. | One of the first requirements is to have a P&P. Some organizations don't have one, or at least not one that conforms to GDPR and ISO 27001. We provide an out-of-the-box version for those organizations. |
| Scheduled Scans | Audit Guru performs re-scans on a periodic basis. | Identifies when you might need to update your GDPR documentation to stay current. |
| Risk Treatment Plans | Shows what issues were found and tracks which issues were addressed, based on a risk scoring methodology. | Track remediation efforts and provide a paper trail in the event of an audit or request for documentation. |
| Personal Data Scans | Scan systems looking for personal data. | Identify where personal data is, which is the first step in protecting it. More importantly, find out if there is personal data where you don't expect it. Personal Data Scans are EU specific and look for National ID numbers using formats from the UK, France, Spain, Italy, Germany, Denmark, and Norway. More to come. The scan also looks for GDPR-specific personal data, such as external IP addresses in web logs, which most other types of scans will not even look for. |
| External Vulnerability Scans | Scan external IP addresses of the organization. | Identify weaknesses that an external attacker can exploit within your network. |
| Internal Vulnerability Scans | Scan internal IP addresses from the Audit Guru appliance. | Identify internal weaknesses that an attacker or malware could exploit. |
| Brandable Reports | Customize logo, colors, templates, and images. | Allows MSPs and consultants to brand GDPR reports. |
| Report Archiving | Audit Guru appliance stores past assessments and reports. | Comply with retention requirements and demonstrate not just current compliance but ongoing compliance. |
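The Personal Data Scans row above describes a pattern-driven search for national ID numbers and for external IP addresses in web logs. The following Python scanner is an added example of that kind of check, written for this page; it is not RapidFire Tools' code and does not reproduce the appliance's scan logic. It assumes constructed sample lines (two web-server log lines and two lines from a support export), covers only the UK National Insurance number and the Spanish DNI out of the formats the page lists, validates them at format and check-letter level only (a well-formed number is not proof it was issued), and treats an IPv4 address as "external" when it falls outside a hypothetical internal-range list (RFC 1918, loopback and link-local).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# UK National Insurance number: two prefix letters, six digits, suffix A-D.
# The letter classes exclude the characters the published format disallows
# (first letter not D, F, I, Q, U, V; second letter additionally not O).
NINO_RE = re.compile(r"\b([A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z])(\d{6})([A-D])\b")
NINO_UNALLOCATED_PREFIXES = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}

# Spanish DNI: eight digits plus a check letter derived from the number mod 23.
DNI_RE = re.compile(r"\b(\d{8})([A-Z])\b")
DNI_CHECK_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"

# Dotted-quad candidates; validity and "external" status are decided below.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed internal ranges for this example: RFC 1918, loopback, link-local.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


def is_valid_nino(candidate: str) -> bool:
    """Format-level check only; also rejects prefixes that are never allocated."""
    m = NINO_RE.fullmatch(candidate)
    return m is not None and m.group(1) not in NINO_UNALLOCATED_PREFIXES


def dni_check_letter(digits: str) -> str:
    """Check letter for an eight-digit DNI number."""
    return DNI_CHECK_LETTERS[int(digits) % 23]


def is_valid_dni(candidate: str) -> bool:
    m = DNI_RE.fullmatch(candidate)
    return m is not None and dni_check_letter(m.group(1)) == m.group(2)


def is_external_ipv4(text: str) -> bool:
    """True for a syntactically valid IPv4 address outside INTERNAL_NETS."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def scan_line(line_no: int, line: str) -> List[Finding]:
    findings: List[Finding] = []
    for m in IPV4_RE.finditer(line):
        if is_external_ipv4(m.group(0)):
            findings.append(Finding(line_no, "external_ipv4", m.group(0)))
    for m in NINO_RE.finditer(line):
        if is_valid_nino(m.group(0)):
            findings.append(Finding(line_no, "uk_nino", m.group(0)))
    for m in DNI_RE.finditer(line):
        if is_valid_dni(m.group(0)):
            findings.append(Finding(line_no, "es_dni", m.group(0)))
    return findings


def scan_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(line_no, line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, the figure an assessment report would show."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample input: internal and external web-log hits, a support
# export line with one valid DNI, one valid NINO and one malformed id, and an
# eight-digit order reference whose trailing letter fails the DNI check.
SAMPLE = "\n".join([
    '10.0.0.7 - - [12/Mar/2018:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Mar/2018:10:01:23 +0000] "GET /login HTTP/1.1" 200 210',
    "customer: DNI 12345678Z, NI number AB123456C, rejected id QQ123456C",
    "order ref 12345678A status 200",
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {f.value}")
    print(summarize(scan_text(SAMPLE)))
```

The check-letter and prefix rules are what keep the hit list usable: without them every eight-digit order number and every two-letters-six-digits token would be reported, and the reviewer would stop reading the report. Adding the other national formats from the page means adding one regex plus, where the format has one, its check-digit routine.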
We call it Audit Guru because we've captured the knowledge and know-how of the best GDPR compliance experts in our software. Whether you manage your internal network or provide outsourced IT services for your clients, when you combine your IT knowledge with the subject matter expertise built into Audit Guru, you have everything you need to begin offering GDPR compliance services.
We've created a "turn-key" virtual software appliance that automates the production of mandatory compliance reports, provides ongoing issues and breach detection, and manages the manual collection of required information from key stakeholders.
Because much of the network and system data you need is collected automatically with our tool, Audit Guru for GDPR is, hands-down, the fastest and easiest way to perform a GDPR Risk Assessment and stay IT GDPR compliant.
Audit Guru automates the production of mandatory reporting under GDPR, including the results from weekly and daily scans designed to uncover GDPR related network issues and potential breaches.
| Report or worksheet | Description |
|---|---|
| Audit Guru for GDPR Checklist | The GDPR Auditor Checklist gives you a high-level overview of how well the organization complies with the GDPR provisions. The checklist details specific compliance items, their status, and helpful references. Use the checklist to quickly identify potential issues to be remediated in order to achieve compliance. |
| ISO 27001:2013 Auditor Checklist | The ISO 27001 Auditor Checklist gives you a high-level overview of how well the organization complies with ISO 27001:2013. The checklist details specific compliance items, their status, and helpful references. Use the checklist to quickly identify potential issues to be remediated in order to achieve compliance. |
| EU GDPR Policies and Procedures | One of the first requirements is to have a set of policies and procedures used to implement Personal Data security and compliance with GDPR. Some organisations don't have a set of data protection policies, or at least not one that conforms to GDPR provisions. The tool provides an "out of the box" version of policies and procedures for GDPR for use by those organisations. |
| ISO 27001 Policies and Procedures | Guidance suggests that compliance with ISO 27001 can be used as a means to demonstrate technical compliance with the information security aspects of GDPR. The tool provides an "out of the box" version of policies and procedures for ISO 27001 for use by your organisation. These work in tandem with our GDPR P&P. |
| Risk Treatment Plan | Based on the findings in the GDPR Compliance Assessment, the organization must create a Risk Treatment Plan with the tasks required to minimize, avoid, or respond to risks. Beyond gathering information, Audit Guru for GDPR provides a risk scoring matrix that an organization can use to prioritize risks, allocate money and resources appropriately, and ensure that issues identified are issues solved. The Risk Treatment Plan defines the strategies and tactics the organization will use to address its risks. |
| Data Protection Impact Assessment | The Data Protection Impact Assessment (DPIA) is the foundation for the entire GDPR compliance and IT security program. The DPIA identifies what protections are in place and where there is a need for more. The Risk Analysis results in a list of items that must be remediated to ensure the security and confidentiality of Personal Data at rest and/or during its transmission. |
| GDPR Evidence of Compliance | Compiles compliance information from automated scans, augmented data, and questionnaires. Gathers evidence into one document to back up the Auditor Checklists with real data. |
| External Port Use Worksheet | This worksheet allows you to document business justifications for all of the allowed external ports, the protocol configured to use a specific port, and any insecure configurations implemented and in use for a given protocol. |
| User Access Review Worksheet | The User Access Worksheet is used to augment the user data that was collected during the internal network scan. Complete the worksheet to provide the additional information requested. |
| Asset Inventory Worksheet | The Asset Inventory Worksheet is used to augment the asset data that was collected during the internal network scan. Details include the asset owner, acceptable use, environment, backup agent status, as well as device and sensitive information classification. The Sensitive Information Classification is used to determine the risk to the organization in the event of a security incident where the asset's information is compromised. |
| GDPR Compliance Questionnaire | The GDPR Compliance Questionnaire collects information about the network and environment that cannot be discovered through automated scans. This includes information about the Data Protection Officer, principles relating to processing of personal data, privacy policies, and third-party information processors. |
| ISO 27001 Compliance Questionnaire | Guidance suggests that compliance with ISO 27001 can be used as a means to demonstrate technical compliance with the information security aspects of GDPR. This questionnaire collects information required to demonstrate ISO 27001 compliance that cannot be discovered through automated scans. |
| Site Walkthrough Checklist | Assess the physical security and the workplace environment as it relates to information security. The worksheet guides you through your assessment of the physical security. It is best done on-site, as it requires identifying risks that may currently exist in the client's environment outside the computer network itself. |
| Personal Data Scan System Selection Worksheet | Understanding where you have Personal Data (PD) is an important component of GDPR compliance. The Personal Data Scan System Selection Worksheet allows you to specify which systems are scanned for PD during the assessment process. A comprehensive scan should be performed annually to help identify and document all potential locations for personal data as defined by GDPR. |
| External Vulnerability Scan Detail by Issue | Detailed report showing security holes, warnings, and informational items, including CVSS scores, as scanned from outside the target network. External vulnerabilities could allow a malicious attacker access to the internal network. |
| Internal Vulnerability Scan Detail by Issue | Detailed report showing security holes, warnings, and informational items, including CVSS scores, as scanned from inside the target network. Closing internal vulnerabilities helps prevent external attackers, once inside a network, and internal users from exploiting weaknesses typically protected by external firewalls. |
Audit Guru partners have access to the RapidFire Tools portal, allowing them to remotely control and manage all their Audit Guru client sites. More than simply a provisioning tool, the Audit Guru admins and techs can access GDPR compliance-specific tasks, forms, reports, audit logs and dashboards for each individual site.
Due to be enforced from May 2018, the General Data Protection Regulation (GDPR) achieves two key goals. First, to protect the rights, privacy, and freedoms of citizens and residents of the European Union. Second, to reduce barriers to business by facilitating the free movement of data throughout the EU.
GDPR requires all data controllers and processors that handle the personal information of EU residents to "implement appropriate technical and organizational measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services."
The result of this legislation is the unification of regulations within the European Union, and the replacement of the disparate directives issued by individual nations. GDPR is stricter and more sweeping than most previous laws. It includes fines of up to 20 million EUR or 4% of worldwide revenue, whichever is greater.
Here are some of the frequently asked questions that organizations, and their IT management resources, have about GDPR:
GDPR stands for the General Data Protection Regulation (officially referred to as Regulation (EU) 2016/679). It was adopted on April 27, 2016 by the European Parliament, the Council of the European Union and the European Commission with the intent of strengthening and unifying data protection for all individuals within the European Union (EU).
Yes! GDPR extends the scope of the European Union (EU) data protection law to all foreign companies processing data of EU residents. The regulation applies if the data controller (an organization that collects data from EU residents) or processor (an organization that processes data on behalf of the data controller, e.g. cloud service providers) or the data subject (person) is based in the EU. Furthermore, the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents.
According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address."
There are six specific lawful bases for processing personal data:
Most organizations will use the subject's consent as the lawful basis for collecting and processing personal data. Anyone collecting data must be able to prove "consent" (by verified opt-in methods) and provide a means by which the subject can withdraw consent. When consent is given, it must be explicitly for the data that is being collected, and for the purposes that the data will be used for. Consent for children younger than 13 must be given by the child's parent or guardian.
Under GDPR, all data breaches, regardless of magnitude, must be reported to the Supervisory Authority within 72 hours. But sanctions can also be imposed as the result of audits triggered by random selection or "whistle-blowers." Fines can be as high as 20 million EUR or up to 4% of the violator's worldwide revenue (whichever is greater). There is a wide range of infringements that could trigger fines, including but not limited to:
Under GDPR, any individual has the right to get access to their personal data, as well as information about how their data is being processed and used. Any organization that has collected personal information must provide, upon request, an overview of the categories of data that are being processed, as well as a copy of the actual data. In addition, the organization has to inform the data subject on:
The data subject may also request that their data be erased and/or they may request that their data be transferred to them in a structured and commonly-used open standard electronic format. This includes not only the data that has been "provided" by the subject, but also any other data that has been "collected" or "observed" - such as their behavior.
Although the GDPR encourages the use of encryption (it alternately uses the term "pseudonymizing") to "reduce risks to the data subjects," encryption is not required. Encrypted data is still considered personal data, and therefore remains covered by the GDPR.
Without data encryption, data can still be considered "protected" IF that data protection is designed into the development of business processes for products and services. This requires that privacy settings must be set at a high level by default and that technical and procedural measures should be taken by the organization that collects the data to make sure that the processing, throughout the whole processing lifecycle, complies with the regulation. They should also implement mechanisms to ensure that personal data is only processed when necessary for each specific purpose.
However, if encryption is properly used, then the data could be deemed "protected by default." According to the European Union Agency for Network and Information Security, encryption and decryption operations must be carried out locally, not by a remote service, because both keys and data must remain in the power of the data owner if any privacy is to be achieved. However, outsourced data storage on remote clouds is practical and relatively safe, as long as only the data owner, not the cloud service, holds the decryption keys.
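The two preceding paragraphs make one design point: whatever transform protects personal data before it leaves the organization, the key and the ability to reverse the transform must stay with the data owner. The following Python example, added for this page and not part of Audit Guru or any cited guidance, illustrates that point with keyed pseudonymisation (HMAC-SHA256 with a locally held key) rather than reversible encryption: the record handed to remote storage carries only pseudonyms, the owner keeps the key and the re-identification table, and a party with a different key can neither reproduce nor reverse the pseudonyms. The record, field names and keys are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional


class LocalKeyHolder:
    """Keeps the pseudonymisation key and the re-identification table on the
    data owner's side. Neither is ever included in what goes to remote storage."""

    def __init__(self, key: Optional[bytes] = None):
        # Fresh random 256-bit key unless one is supplied (tests pass a fixed key).
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}

    def pseudonymize(self, value: str) -> str:
        # HMAC-SHA256 under the local key. The same input always yields the
        # same pseudonym, so records can still be joined on it remotely, but
        # without the key the pseudonym cannot be recomputed from guesses.
        tag = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        self._reverse[tag] = value
        return tag

    def reidentify(self, tag: str) -> Optional[str]:
        """Only the holder of the key (and its local table) can map back."""
        return self._reverse.get(tag)


def pseudonymize_record(holder: LocalKeyHolder, record: Dict[str, object],
                        fields: Iterable[str]) -> Dict[str, object]:
    """Copy of `record` suitable for the remote store: the named personal-data
    fields are replaced by pseudonyms; everything else is kept as-is."""
    out = dict(record)
    for name in fields:
        if name in out and isinstance(out[name], str):
            out[name] = holder.pseudonymize(out[name])
    return out


def reidentify_record(holder: LocalKeyHolder, stored: Dict[str, object],
                      fields: Iterable[str]) -> Dict[str, object]:
    """Reverse the pseudonyms the holder knows; unknown tags are left untouched,
    which is what a party without the key sees."""
    out = dict(stored)
    for name in fields:
        if name in out:
            original = holder.reidentify(str(out[name]))
            if original is not None:
                out[name] = original
    return out


# Constructed sample record; the two string fields are the personal data.
SAMPLE_RECORD = {"customer_id": "C-1001", "email": "ana@example.com", "order_total": 42.5}
PERSONAL_FIELDS = ("customer_id", "email")

if __name__ == "__main__":
    owner = LocalKeyHolder()
    remote_copy = pseudonymize_record(owner, SAMPLE_RECORD, PERSONAL_FIELDS)
    print("stored remotely:", remote_copy)
    print("re-identified locally:", reidentify_record(owner, remote_copy, PERSONAL_FIELDS))
```

Because the pseudonym is keyed, this is stronger than storing a plain hash of the value, which anyone could recompute from a list of likely e-mail addresses. The pseudonymised record is still personal data under the page's own reading of the GDPR, since the owner can re-identify it; the gain is that the remote store and anyone who obtains a copy of it cannot.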
Audit Guru for GDPR, created by RapidFire Tools, Inc., is a purpose-built software solution designed to simplify the process of becoming GDPR compliant. It includes a non-intrusive Audit Guru software appliance that is attached to the network, and a web-based portal to manage it. With Audit Guru on site, any IT professional can remotely schedule a network scan and start the GDPR assessment process. The results are used to make necessary changes to the network environment that could impact your compliance status, and to generate the compliance documents that are mandated by GDPR.