GDPR Penetration Testing
A GDPR penetration test helps your company comply with Article 32(1)(d) of the General Data Protection Regulation, which requires that any process handling personal data has its security evaluated and that a process for regular testing is in place. The purpose is to confirm that the data held within the application or system is secure and not exposed to a data breach.
What do we test for?
In a GDPR penetration test, the data held within the application is given special attention. We run tests to see if personal information is public when it shouldn’t be, and if an attacker can benefit from it.
Depending on the type of system being tested, penetration testing methodologies such as OWASP, NIST, and PTES will be utilised, identifying not only flaws with personal data storage, but also vulnerabilities in the system itself.
What are the risks?
Without a penetration test, the risk to the environment and to personal data can be severe: roughly 1 in 4 applications has a critical flaw that is discovered during a pen test. Such a flaw could lead to a data breach as well as a fine from the Information Commissioner’s Office (ICO) for failing to take protective measures and secure data correctly. These fines can be up to €20 million or 4% of your gross annual revenue (whichever is higher).
Ensuring your customers’ data is secure within your applications and infrastructure, and while it is being processed, protects both you and your customers from future breaches.
How we can help
Sencode offers GDPR pen tests to ensure the security of all data within the application. We also provide expert remediation recommendations so you can ensure that any data which was exposed is safe and secure in future. On top of remediation help, we offer a free retest, which allows us to confirm that the remediation has been successful and effective at protecting your data. Our reports are written in the most understandable and concise language possible, to ensure the best possible outcome for our clients.
Contact a consulting team member by phone, email, or pigeon post. We will then discuss whether we can help you and arrange a scoping meeting to discuss your requirements.
In the scoping meeting, our team will discuss your requirements in further detail. Our team will ask questions in regards to the following:
In the scoping meeting, our expert consultants will discuss and finalise which digital assets need testing. Based on your requirements, we will then assemble a project proposal and quote and agree on a schedule for conducting the security assessment. Our proposal document will include the following information:
The penetration testing starts. A member of our penetration testing team will liaise with a member of your company throughout the entire testing process, so you will be the first to know if we have any questions or concerns, and our testing team will be on hand throughout the penetration test lifecycle to answer yours. Our tester will:
A Penetration Test is useless without a well-written report. Our reports are written in plain English, concise, and thoroughly documented. The Penetration Test Report is typically furnished within 5 days after the testing phase is complete. If you are interested in seeing an example report, please contact our team.
Each report details the following:
At Sencode, we offer free retesting for every Penetration Test we conduct. You fix the issues; then we will verify they can no longer be exploited by an attacker. Our team will arrange a mutually suitable time to conduct the retest, after the remediation efforts have taken place. Our tester will follow these steps:
Our clients receive a testing certificate that can be shared with partners and customers, showing that their company takes security seriously. The certificate and accompanying document are designed to be easily digested by third-party suppliers: the document omits the technical details and can be safely distributed.
The Security Testing Certificate is available on request after the retest has been completed. The security certificate shows:
Get in touch for a consultation.
Frequently Asked Questions
Article 32 of the GDPR mandates that businesses take technical steps to safeguard personal data. Although the article gives examples of security measures, it does not provide a complete list. In light of the continually evolving information security threat landscape, businesses must evaluate, implement, and maintain appropriate security measures.
Article 32 (1) states the following measures must be applied:
– The pseudonymisation and encryption of personal data.
– The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
– The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
– A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Source – Article 32 (1) – General Data Protection Regulation
As explained by the ICO “The UK GDPR specifically requires you to have a process for regularly testing, assessing and evaluating the effectiveness of any measures you put in place. What these tests look like, and how regularly you do them, will depend on your own circumstances.” – Article 32 (1) – ICO
Organisations must comply with a number of requirements under the GDPR in order to protect personal information and avoid considerable financial and reputational harm. One such requirement is to test your information security procedures on a regular basis to guarantee that they remain effective and up to date. One way to demonstrate that you have taken appropriate measures is to conduct penetration testing.
All types of penetration testing differ in methodology and price. A number of factors go into setting a price for a penetration test, including the tester’s expenses and the types of assets being tested. A smaller application will take considerably less time than a large, complex commercial application. We aim to make our pricing as flexible as possible: Sencode will provide its best judgement by accurately scoping your digital assets and drawing on our experience testing assets of a similar scale. Once we have accurately scoped your project, we can provide a project proposal and an appropriately costed quote.
– Example 1: A medium-sized finance web application comprising 35 unique pages with user and case management. 5 days of penetration testing. £3000-£4000
– Example 2: An external infrastructure penetration test comprising 10 unique IP addresses. 2 days of penetration testing. £1000-£2000
– Example 3: An internal penetration test on 80 IP addresses. 7 days of penetration testing. £5500-£6500
These prices vary based on the number of IP addresses being tested, retesting requirements, after-hours testing, and the skills required to conduct the engagement.
For a medium-sized business, a complete GDPR testing programme might include the following:
– Regular internal and external vulnerability scans.
– Annual penetration testing of all GDPR relevant infrastructure, or ad hoc penetration testing after large scale amendments to your digital assets.
– Simulated phishing attacks conducted on a regular basis to identify any training gaps, which can then be covered by Cyber Awareness Training.
Contact us
Get a free, no obligation quote from one of our expert staff.