Getting a product to market is not easy for fledgling companies, especially those within regulated industries. One of those challenges involves the documentation of compliance efforts, and it is an area the team at Aptible has been looking to solve, especially now with the EU General Data Protection Regulation in effect.
While Aptible started out helping health care organizations with their HIPAA-compliance efforts, the company moved into other regulatory environments, Aptible Account Executive Shah Kader explained in a phone interview with Privacy Tech.
Aptible's Gridiron toolkit uses automation for the administrative side of compliance. “What we mean by administrative side is risk analysis, risk assessment, policy and procedures, building around specific protocols such as HIPAA, ISO 27001 and GDPR, and then a toolkit and toolset to generate reports that a customer should present in order to pass audits,” Kader explained.
Gridiron helps draft all of the risk documents and policy and procedure manuals for an organization, but before starting, users receive a GDPR charter. The charter is a 35-day timeline organizations follow to help comply with the GDPR. While the charter is mapped to 35 days, Kader said enterprises can move faster if they feel comfortable. The timeframe is meant for larger companies that need the extra time to tackle more information.
The first section of the charter is the initial training for security officers, which gives an overview of the charter, as well as videos on what they will be doing within the Gridiron tool. “That’s when we come on board, talk to you about the charter itself, as well as Gridiron as a tool itself. It tells a customer what they need to know in terms of the Gridiron product, as well as what they need to understand when it comes to something like GDPR, HIPAA or HITRUST,” said Kader.
Each section of the charter explains what the company will be doing next, offering resources to help companies perform the tasks. For example, days one through seven are dedicated to building an asset inventory within Gridiron, with a tutorial on the best way to manage assets.
Other training includes assessing the current risk environment, an incident-response workshop, drafting a security plan, finalizing the necessary documents, and conducting a GDPR gap analysis.
In order to get the documentation they need, a data protection officer or chief privacy officer will need to fill out several sections within the Gridiron tool. First is what Kader calls a security program consideration, which is a set of questions about the company, including what the company does and who the privacy and security officers are.
Then a company will list out all of its assets, such as apps, database networks and login services. Organizations will enter each app and database, fill in where they are hosted, and what they are using for storage. For the risk assessment, users will enter any potential risks, and what they have in place for security controls.
“The whole idea of the first version of the risk assessment is you have a lot of that is still not implemented and configured, and that’s totally fine because the first version of all the documentation we create for is a gap analysis,” said Kader. “This is where we are telling you where you are and where you need to be.”
Once the risk assessment is completed, users can see risks they could face, a description of those risks, and the likelihood they will suffer from one of those incidents based on the answers they have provided. The tool will also detail whether the client needs to mitigate the risks in order to move the scale from a potential “very high” to a “low.”
For a policy and procedure manual, users enter information to get a comprehensive document covering information and data security governance plans, breach notification, encryption and key management, and a list of access controls. Both the risk assessments and the manuals are living PDFs, meaning any time changes are made, new versions of the documents are drafted.
Gathering all the information needed to build the tools did not happen overnight.
“We are doing continuous education. We built this up and mapped it to the systems that we know such as the Consensus Information Security Questionnaire, the Privacy Shield addendums, the GDPR, HIPAA, HITRUST, and the protocols out there, and we went through our own certification processes as well,” noted Kader.
Kader believes Gridiron separates itself from its competitors by building up documentation, conducting training, and offering tools for incident response and vendor management.
Now that the GDPR is in effect, Aptible is doing what many other vendors said they would do after May 25: watching and waiting to see what happens before taking next steps. “We tailor Gridiron for the GDPR regardless,” said Kader. “We are continuing to innovate as we see how enforcement actually happens, who gets charged, what they are looking for, and we are going to update our product accordingly.”