GDPR Penetration Testing
A GDPR penetration test helps your company demonstrate compliance with Article 32(1)(d) of the General Data Protection Regulation, which requires a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures that secure the processing of personal data. The purpose of the test is to confirm that the personal data held within an application or system is adequately protected and not exposed to a data breach.
What do we test for?
In a GDPR penetration test, the personal data held within the application is given special attention. We test whether personal information is accessible to users or the public who should not have it, and whether an attacker could extract or misuse it.
Depending on the type of system being tested, established penetration testing methodologies such as the OWASP Testing Guide, NIST SP 800-115 and PTES will be used, identifying not only weaknesses in how personal data is stored and handled, but also vulnerabilities in the system itself.
What are the risks?
The risk to the environment and to personal data without a penetration test can be severe: in our experience around 1 in 4 applications has a critical flaw that is discovered during a pen test. An exploited flaw could lead to a data breach as well as a fine from the Information Commissioner's Office (ICO) for failing to take appropriate protective measures. Under the GDPR these fines can reach the higher of €20 million (£17.5 million under the UK GDPR) or 4% of total worldwide annual turnover.
Ensuring your customers' data is secure within your applications and infrastructure, and while it is being processed, protects both you and your customers from future breaches.
How we can help
Sencode offers GDPR pen tests to assess the security of the personal data within your application. We also provide expert remediation recommendations so that any data found to be exposed is properly secured in future. On top of remediation help, we offer a free retest to confirm that the remediation has been successful and effective at protecting your data. Our reports are written in the most understandable and concise language possible to ensure the best outcome for our clients.
The Sencode Way
Contact a member of our consulting team by phone, email or pigeon post. We will then discuss whether we can help you and arrange a scoping meeting to discuss your requirements.
Scoping & Proposal
In the scoping meeting our expert consultants will discuss and finalise which digital assets you need testing. We will then put together a project proposal and quote based on the requirements and agree on a schedule for conducting the security assessment.
The testing starts. A member of our penetration testing team will liaise with a member of your company throughout the entire testing process. If we have any questions or concerns, you will be the first to know.
Report & Remediate
A penetration test is useless without a well-written report. Our reports are written in plain English, concise and thoroughly documented. Each report contains an executive summary, risk ratings, a business risk summary and every issue we found throughout the engagement.
Frequently Asked Questions
Article 32 of the GDPR requires businesses to implement appropriate technical and organisational measures to protect personal data. Although the article gives examples of security measures, it does not provide a complete list. Given the continually evolving information security threat landscape, businesses must evaluate, implement and maintain measures that remain appropriate to the risk.
Article 32(1) lists the following measures as examples to be applied as appropriate:
- The pseudonymisation and encryption of personal data.
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
As the ICO explains in its guidance on Article 32(1): "The UK GDPR specifically requires you to have a process for regularly testing, assessing and evaluating the effectiveness of any measures you put in place. What these tests look like, and how regularly you do them, will depend on your own circumstances."
Organisations must meet a number of requirements under the GDPR in order to protect personal information and avoid considerable financial and reputational harm. One such requirement is to test your information security measures on a regular basis to confirm that they remain effective and up to date. One way to show you have taken appropriate measures is to conduct penetration testing.
All types of penetration testing differ in methodology and price. A number of factors go into pricing a penetration test, including the time and skills required of the tester and the types of assets being tested. A small application takes considerably less time than a large, complex commercial application. We aim to make our pricing as flexible as possible: Sencode accurately scopes your digital assets and estimates the effort based on our experience testing assets of a similar scale. Once your project has been scoped, we provide a project proposal and an appropriately costed quote.
Example 1: A medium-sized finance web application comprising 35 unique pages with user and case management. 5 days of penetration testing. £3000-£4000
Example 2: An external infrastructure penetration test covering 10 unique IP addresses. 2 days of penetration testing. £1000-£2000
Example 3: An internal penetration test on 80 IP addresses. 7 days of penetration testing. £5500-£6500
These prices vary based on the number of IP addresses being tested, retesting requirements, after-hours testing and the skills required to conduct the engagement.
For a medium-sized business, a complete GDPR testing programme might include the following:
- Regular internal and external vulnerability scans.
- Annual penetration testing of all infrastructure and applications that process personal data, plus ad hoc penetration testing after large-scale changes to your digital assets.
- Regular simulated phishing attacks to identify training gaps that can be addressed by Cyber Awareness Training.
Get a free, no obligation quote from one of our expert staff.