WHAT ARE YOU LOOKING FOR?

Data Risk Foresight provides audit and consultancy services in the domains of GDPR implementation within an organization and also the external auditing of a data privacy program that is intended to meet the GDPR requirements.

This is necessary for both a new GDPR but also post-implementation due to the ongoing needs for compliance. Examples here are where systems, processes or methodologies change, or where suppliers are either changed or they change their operating practices for their own purposes.

We also provide ISO/IEC 27001 external auditing services. In the case of an ISO certification, there will be ongoing audit and oversight visits, both leading up to certification and also observation visits during each 3-year term of the certification period. However, in the case of GDPR, the use of ISO 27001 as a form of proving compliance with the requirements of GDPR may require an external view of the ISO 27001 implementation to ensure that this is the case.

In some instances, ISO 27001 Appendix A stipulations can actually trigger GDPR breaches in an anomaly of what the intention is in using ISO 27001 for compliance purposes. An example is where logging of individuals to ensure data security within Appendix A actually creates personally identifiable data, which then comes under the remit of GDPR

We take pride in the fact that we have maintained very long relationships with our clients, regardless of geographic location (we have retained clients in different countries for over 8 years in some instances). Our view is that with rapidly changing environments (technical, regulatory, financial primarily), there will be an ongoing requirement for companies and maintaining a strong working relationship is easier than starting from scratch for all parties.

Our commitment to ongoing customer support gives confidence in our ability to support your organization through changing demands and requirements on an ongoing basis. We also have extensive third party contacts globally who may also be able to assist in areas that are not covered by our services where a client has such needs.

We work in two phases for cyber threat valuation services. The first is to implement our back-end technology that requires in-house I.T. personnel to collaborate with our team in the installation and configuration. This is not a major task generally, since our systems sit outside of your organization’s security perimeter.

The front-end technology is implemented in a rapid fashion, with the actual configuration of it taking the most time. This is because each client has a different business, with proprietary business processes, modes of operation, technical infrastructure and business needs. As such, we work hand-in-hand with your organization’s personnel in reaching the point of hand-over for our systems. At that point, the path is clear and the output is simple to understand.

Where additional users are required, this may entail additional training, which we are able to provide on a day rate basis, with no hidden costs. Our systems have been designed for ease of use and simplicity in order to be usable with a minimum of working knowledge of the underlying technology.

In organizations that have a limited resource or data availability, we are able to provide ongoing support in developing the configuration as required, such as increasing the detail and volume of data inputs in order to increase the accuracy of the predicted cyber threat valuation and trend line for enhancing risk management operations.

There are varying lead times according to the services required, the size of the organization, the scope of the audit and the end objectives desired by each client. Normally, we would evaluate the aforementioned and then be in a position to give a lead time for our services.

As one can imagine, with the GDPR having been in force for nearly 2 years and the large fines that have been issued, most interest is currently in the implementation of data privacy frameworks that can be sure to comply the current and possible forthcoming regulations or changes to the GDPR, in order to avoid the heavy penalties that can be imposed.

We would view a mapping of ISO 27001 to GDPR to be advisable, but it is understandable that the primary focus will be on simply putting into place the processes and requisite documentation as the focus phase of an implementation and updating of the existing program you have, with the add-on activities of ISO mapping and risk transfer (requiring cyber valuation) coming at a later stage once the main thrust of the program has been launched.

For cyber threat valuation, this may be dependent upon the availability of both our client and us in terms of the technicians available for the implementation of some aspects of our networked technology. However, the bulk of implementation falls to the configuration of the systems, which require time at the client location, in conjunction with personnel who are able to provide the necessary information for the systems concerned.

In all cases, we would initially respond to any inquiry regarding our services with an estimation as to costs and time-frame.

We work with your organization to implement the necessary hardware and software systems that facilitate the cyber threat valuation. Since each client will have different systems, processes and infrastructure, there is no one-size-fits-all system that can derive individual cyber risk valuations.

For the above reason, once we have the technology installed at a client’s location, we then work with them to configure the systems to suit the requirements of that particular organization. This will be dependent upon such parameters as the risk appetite of the organization (for risk, the options are to accept; reject; manage – the latter including transferring risk via insurance); the available resources and information; the intention of the exercise in terms of what will a client do with that risk valuation data.

Our technology enables clients to undertake “what-if” scenario changes to enable them to model changes to systems, processes and categories to see the financial impact of such changes. For example, changing the routing of a business process to a system may result in the expected loss from cyber threats to an acceptable level. In other cases, it facilitates a prioritization of capital to the most valuable process the organizations operates.

The proprietary and patented technology that Quantar has developed enables insurers and reinsurers and risk managers to be in a position to offer the correct levels of coverage against breaches, at the correct price. Larger organizations can utilize the data for self-insurance (via captive and sidecar transfers). We are also able to assist organizations in determining which options are best suited to their needs.

It would depend upon the actual service being provided. In terms of auditing, this can take several forms, dependent upon the size and scale of the organization being audited – is it multi-location for example.

Following standard auditing methods, for ISO 27001 external auditing, this would take place both at the client’s premises, with access to all areas and personnel, and also quite possibly, offsite where documentation review is required in detail and where the volume of information requires a structured, in-house team review.

For GDPR implementation and compliance, this is undertaken in much the same manner, except that due to the need to ensure regulatory compliance in order to avoid penalties, this may be executed in a more detailed form and would not necessarily be based upon sampling in the way that ISO auditing is undertaken.

For cyber threat valuation services, this requires both technical/I.T. personnel to be available to work with us, but also key personnel who are able to deliver the relevant information for configuration of the systems. This might include, for example, risk managers, process owners and business continuity managers.

Where suitable data is not available, our technology enables an organization to commence with as much information as they have available and add to the granularity of the cyber threat valuation as that information becomes available. This can occur where there are multiple locations with differences in data availability, which is managed through importing the system data from any number of locations into a central one for a consolidated cyber threat valuation calculation (if individual location values are required, this can also be achieved).

The GDPR is comprised of the Articles and the Recitals and every one of each needs to be taken into account when developing a GDPR compliance program. Whilst in many cases the Article may be fairly specific as to what needs to be done by an organization, sometimes the Recital may give a different twist on the overall interpretation of the relevant Article. It is these circumstances that the greatest danger lies in complying with both.

With the above in mind, Data Risk Foresight does not undertake a tick-box exercise in the manner that some certification audits can reasonably be executed. Because of the punitive levels of fines that can be imposed for breaches of the GDPR, we seek to work to meet both the scope and intent of the regulation when undertaking an implementation, as well as in the case of an external audit service.

Although the GDP may seem extremely onerous, by having the regulation drafted in clearly defined sections, it is possible to undertake a review of each, in a check-box manner as a starting point for a GDPR program – a simple gap analysis in other words. There are a number of tools available on the market that may assist companies in undertaking this, including the U.K. Information Commissioner’s website (see in Resources for links).

In answering the question, since there is scope for interpretation by an external party, the truth is that there then exist spaces for misinterpretation of an element of an organization’s GDPR program. There are many ways to reduce this risk, such as using a proven/certified personal data information scheme; using the model contracts provided by the E.U. itself, using ISO 27001 as proof of compliance; aligning with ISO 31000 Risk Management standards.

Our role is to work with our clients in determining the best means by way the GDPR can be both compliant and demonstrably so.

Our stock answer to this question is that we have been in the business of data risk management since 1999! The fact remains that until the major Sony hack on the 24^th November 2014 and subsequent high-visibility hacks in the U.S. such as Yahoo, Target and Home Depot, resulting in a major financial impact upon listed companies, the subject of hacking and of financial impact was low on a Board agenda.

Prior to Sony, the belief was that hacking was for the I.T. security department to deal with. Post Sony, the mindset changed to one of “when we are successfully hacked, how do we risk manage it?” With this change, there has been an evolution of companies seeking to achieve what we already have.

Our background in security, I.T. strategy, compliance and risk management, coupled to our proprietary systems means that, even today, there is no other company that has the same service offer that we are able to deliver.

Quantar’s technology currently has 10 patents in the fields of the quantification of risk and financial valuation of electronic threats, ranging from the first filing in 2003 to the latest issuing of patent in February 2020. Our depth of knowledge is deep and we have extensive experience in drawing upon the skills of renowned experts in our development of our systems. Many have claimed that they can value the cyber threats of every client on an individual basis; the reality is that we are the ones who can!

This is always a difficult question to answer simply, because it really does depend upon what your organization wants us to do, how long for, with which tools and at how many locations.

However, to give some sort of insight, if there is a single location with non-complex processes and we are asked to view the company to give a current status as to compliance with the GDPR, for example, we would be on-site for a minimum of one day. Analyzing the data and compiling the reports typically takes 2-4 days and are submitted then for review.

We utilize a daily fee basis, so that our clients know that if there is a delay or run-on due to unforeseen circumstances (an example is where key personnel are not available to us for interview or to provide input), then that additional period is carried over within the day rate.

After review of our reports, subsequent activities required of us will determine how we would work with you. There are options at this stage, whether this is purely a regulatory compliance program, or a wider risk management one requiring out systems to be deployed. In turn, these have decisions to be taken on whether these would be permanently deployed or not, and the degree of complexity in implementing any changes to processes, policies, procedures or records.

We price our services on a per-client basis, since each has different needs and timelines, but we always aim to offer a number of options to best suit our clients.