ProCheckUp is an approved provider of PCI QSA services.
Today’s data protection regulations (GDPR) and standards (PCI-DSS) place organisations under increased pressure to demonstrate how they safeguard personally identifiable information and sensitive data.
For example, Article 30 of the GDPR places a legal requirement on organisations to maintain a record of processing activities under their responsibility and to make it available to the relevant supervisory authority on request.
The following information needs to be documented within the record:
- The purposes of the processing;
- A description of the categories of data subjects (customers, patients, etc.)
- A description of the categories of personal data being processed (financial information, health data, etc.)
- The categories of recipients to whom the personal data have been or will be disclosed (suppliers, credit reference agencies, etc.)
- Details of recipients in third countries or international organisations
- Where possible, the envisaged time limits for erasure of the different categories of data (how long the data will be kept for)
- Where possible, a general description of the technical and organisational security measures in place (encryption, access controls, etc.)
ProCheckUp’s risk management experts will take you through a data mapping exercise to identify, classify and discover the data in your organisation, whilst assessing your data risk.
ProCheckUp utilises a standard engagement model for all data discovery engagements, using a robust, holistic approach consisting of four phases as defined below:
This phase helps us define and understand the data types you hold within your organisation. Through a series of interviews and questionnaires with key staff, we will identify where sensitive data is located, which business processes handle or store it, and the data types in use.
- What are your data subjects: customers, patients, etc.?
- What are your data categories: financial, health, business operational or intellectual property?
- What are your data sub-categories (or elements)? Name, address, DOB, financial records?
- What format is it in? Emails, forms, letters, spreadsheets, application data or database records?
- What is it used for and how is it processed?
This phase determines how sensitive the data is, based upon the damage that would be caused by a breach of its Confidentiality, Integrity or Availability (CIA). The deliverable will be a sensitivity rating for each data set, enabling the organisation to classify its data and define the protection requirements for it.
- How sensitive is the data based on its Confidentiality, Integrity and Availability?
- If lost, does it cause damage to individuals, business operations, or company reputation?
- Rate the data for its sensitivity and determine classification.
We will work together to discover where your data is stored and confirm who receives and processes it.
- Where is the data stored? Is it on a local device, in a database, in an application, hosted in the cloud, or with a partner?
- Where is the data transmitted and to whom?
- Additionally, by scanning files and data stores, our team can identify stored PCI card data, with the option to expand the data discovery to cover GDPR and PECR requirements.
On completion, we will provide you with a data inventory matrix showing your locations, data categories, and sensitivity.
- Generate a comprehensive sensitive data inventory matrix from the information gathered.
- An accompanying report summarising the findings and a way forward, creating a platform for a phase two risk assessment.
Please contact us for more information on how ProCheckUp Data Discovery Services can help you.