UKGDPR can help you evaluate your security through rigorous Penetration Testing and Vulnerability Assessments. Actually, the team has been doing this since 2001 and have conducted hundreds of assessments, both large and small. Talk to us about your objectives and we can help you navigate through the options to get the most out of your budget. Some services we provide;
Web Application Testing
Web applications are uniquely vulnerable as by definition they must be a service directly available to the public. When conducting a security test, each application is unique and must be scoped for an accurate quotation. UKGDPR will use a temporary set of credentials to review the site, including number of pages and scripts, complexity of those scripts and business logic. We then provide you with a quote that is comprehensive and capable of meeting the objectives you have set us.
External Network Testing
An external network penetration test is a standard part of the compliance programme. It ensures the company is maintaining and correctly configuring their public-facing infrastructure. It is now expected for a company to provide evidence to partners and Data Controllers that they are conducting this, and are active in remediating any higher risk issues identified in the test.
The network test happens over several phases, including a reconnaissance process, identifying the digitial footprint, and crafting specific attacks to demonstrate actual compromise is possible.
Internal Network Security Testing
A badly maintained internal network is not only a security risk, but will almost certainly be performing badly. Internal assessments look beyond security patching, to the layout of the network, including segregation, authentication and ability to identify and report malicious behaviour.
The regulators have made it clear that companies must have an ability to detect anomalous behaviour on their systems, yet to be able to do this effectively requires many moving parts to work together. UKGDRP internal assessments can help identify where your gaps are in implementing a practical approach which can use a defense-in-depth strategy to keep hackers out, while also having a robust auditing and monitoring function that alerts them when something doesn't look right on the network.
Each assessment that is run has a report as part of the deliverable. Our reports are in both PDF format as well as an Excel spreadsheet of the issues so remediating them is easy to split between teams.
The PDF report contains both an Executive Summary which clear 'Pass/Fail' parameters, dashboards, and graphs that are sensible and help communicate the current status to a non-technical person.
A following technical section lists each vulnerability, the risk, example of how the risk is exploited, and often screenshots or other evidence of how the vulnerability can be triggered. We provide lists to further reading sources so your team can read more about the issue, as well as full remediation advice, often showing step by step what needs to be done to remove the vulnerability
Security has always been a priority, but since GDPR came into law on May 25th, 2018 the importance has taken a new meaning. Data security risk was previously measured by the potential direct cost to the business of a breach, now the risk is that loss of personal information additionally carries severe penalties, for example;
- Administrative fines from the ICO (up to 4% of global turnover)
- Framework for direct personal compensation even if no material loss is suffered
- Greater impact to brand as customers choose brands that protect their data
Data Protection by Design and by Default (DpBD) is a concept that has finally come of age through the regulation. In brief it requires companies to be accountable and responsible and to ensure security is built into your company’s DNA.
UKGDPR can help you build a security programme for your organisation that makes sense for your business and the context of data that you’re processing. We have a flexible approach, depending on your current position. If you need help starting a building a security programme from the ground up, or whether you have a structure in place, and just need help in some areas such as;
Although Article 32 of the GDPR is a relatively small section of the overall regulation, it still accounts for over 40% of the fines issued by the Information Commissioner.
- Penetration Testing
- Secure Architecture Review
- DPbD (Data Privacy by Design)