DATA PRIVACY & PROTECTION
Auditor's Perspective
ICAI, Mumbai Webcast, January 24, 2015
Presented by: Dinesh O Bareja, CISA, CISM, ITIL, Microsoft MVP
(Slide footer on every slide: DATA PRIVACY & PROTECTION, AUDITOR'S PERSPECTIVE, JAN 24, 2015 @ ICAI, MUMBAI)

Introduction & Agenda

A note about today's presentation
• We will consider the concepts of "Data" and "Privacy" and take a look at the IT Act with respect to privacy
• Then we will review our obligations and skill development as auditors: certifications, client advisories, privacy audit; looking at a few case studies
• First the facts, and then we will see how they are to be accounted for!

About the speaker
Dinesh O. Bareja, Microsoft MVP, CISA, CISM, ITIL, BS7799, Cert IPR, Cert ERM
Works in the information security domain across all functional areas: audit, awareness, optimization, strategy, solution development, consulting and advisory services. Earlier, over two decades in manufacturing, exports, trading and internet technology. A recognized authority and thought leader in cyber security in the country; has worked in India and abroad with enterprise and government clients. Strongly advocates a common-sense-based approach to security.

Agenda
• Introduction
• Data: do we really understand what it is?
• Privacy: concepts of PII and legislation
• The India scenario
• Privacy regulations and regulators
• Data: protection, collection / transparency, disclosure of fair use, sharing
• DSCI Privacy Framework
• Privacy audit: policy audit, fair use, readiness

Definitions and Facts
Data, Privacy, PII, Personal Information

Data
An unprocessed collection of numbers, characters, images; raw data, research data, field data (may be collected by observation and recording).
The hierarchy: Data, Information, Knowledge, Intelligence, Wisdom.

Data as defined in law
As per the IT Act (Amended) 2008, Section 2(1)(o): "Data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.

Privacy
Defining the concept, and knowing what one is protecting, and from what / whom.

What data constitutes privacy information
• India: SPDI = Sensitive Personal Data or Information
• Global: PII = Personally Identifiable Information / Patient Identifiable Information

Anonymity
Anonymizing protection will help, but how long can you sustain such a work habit, as it will be a drag on your productivity?

Personal Information as per the SPDI Rules, 2011 (made under ITAA 2008), Rule 2(1)(i)
"Personal information" means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
Sensitive personal data or information as per ITAA 2008
Information Technology Act (Amended) 2008, Section 43A, Explanation (iii): "Sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

PII as per NIST
• Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

International
• Canada: the federal Personal Information Protection and Electronic Documents Act (PIPEDA)
• New Zealand: the Privacy Act 1993
• Taiwan (R.O.C.): the Computer-Processed Personal Data Protection Act, enacted in 1995
• Russian Federation: Federal Law No. 152-FZ "On Personal Data" of 27 July 2006
• UK: European law; the Data Protection Act 1998
• USA: privacy is not explicitly stated anywhere in the Bill of Rights. A few laws address privacy:
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Financial Services Modernization Act (GLBA), 15 U.S. Code §§ 6801-6810
  • Final Rule on Privacy of Consumer Financial Information, 16 Code of Federal Regulations, Part 313
  • Fair Credit Reporting Act (FCRA), 15 U.S. Code §§ 1681-1681u
  • Fair Debt Collection Practices Act (FDCPA), 15 U.S. Code §§ 1692-1692p

International
• Article 8 of the European Convention on Human Rights (1950) covers the whole European continent (except Belarus and Kosovo) and protects the right to respect for private life: "Everyone has the right to respect for his private and family life, his home and his correspondence." Privacy has been defined, and its protection has been established as a positive right of everyone.
• Article 17 of the International Covenant on Civil and Political Rights of the United Nations (1966) also protects privacy: "No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

Today's age…
Thinking Privacy?
In today's age…
• NSA PRISM
• Cookies
• CCTV
• Personal pictures
• Internet monitoring
• Online search patterns
• Social media contributions
• Online shopping preferences
• ISP monitoring of data downloaded or uploaded
• License on your computer
• Lost / stolen phone with pictures
• PAN number on the railway reservation chart
• Email addresses, phone numbers

The India Scenario
• Privacy protection is included in the extended IT Act
• The Constitution of India (Article 21) guarantees Fundamental Rights; its scope has been widened to include the "Right to Privacy" (Unni Krishnan v. State of AP)
• The ITA and Rules address privacy, especially ITA Sec. 43A, 66, 72
• The Department of Personnel and Training (DoPT) is working on creating privacy legislation
• An unofficial draft has been created and is generally the only document available at present

Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf

Rule 3: Sensitive personal data or information
Sensitive personal data or information of a person means such personal information which consists of information relating to:
i. Password
ii. Financial information such as bank account or credit card or debit card or other payment instrument details
iii. Physical, physiological and mental health condition
iv. Sexual orientation
v. Medical records and history
vi. Biometric information
vii. Any detail relating to the above clauses as provided to a body corporate for providing service
viii. Any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise
Provided that any information that is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005 or any other law for the time being in force, shall not be regarded as sensitive personal data or information for the purposes of these rules.

Regulators
• Adjudicating Officer (ITAA Section 46)
• Cyber Appellate Tribunal (ITAA Sec 58(2))
• Grievance Officer (as per Rule 5(9) of the SPDI Rules, 2011)
• Courts
• Government Privacy Commissioner (Canada)
• CPIO / PIO: Privacy Information Officer

What are we protecting, and from whom?

Let's delete the previous slide from memory… this is our business and profession, and we have to advise our clients about risks in all forms and in all places, to the best of our knowledge.

ITAA Sections That Matter for Privacy
43: Penalty and compensation for damage to computer, computer system, etc.
43A: Compensation for failure to protect data.
66A: Punishment for sending offensive messages through communication service, etc.
66C: Punishment for identity theft.
66E: Punishment for violation of privacy.
72: Penalty for breach of confidentiality and privacy.
72A: Punishment for disclosure of information in breach of lawful contract.

Sec 43… briefly
• 43: Establishes the framework of liability for penalty and compensation, identifying acts and actions; defines the data collector and establishes the responsibility and liability of the collector
• 43A: Compensation for failure or negligence to protect data, causing wrongful loss or gain

Sec 66… briefly
• 66A: Establishes liability for using a computer to send offensive, menacing or false information or emails
• 66C: Sets liability for identity theft through fraudulent use of electronic signatures, passwords, etc.
• 66E: Capturing / sharing of personal / private pictures without consent, and the liability for punishment

Sec 72… briefly
• 72: Sets penalty guidelines for breach of confidentiality and privacy due to disclosure by the trusted entity who collected the data
• 72A: Framework for disclosure of information in breach of a contract, without consent

Summing up…
• There is stringent punishment awaiting anyone in contravention of these three sections
• "Reasonable Security" cannot be pinned down and is anyone's guess; a strong prosecution can easily establish that the security effectiveness was "unreasonable". (Rule 8 of the 2011 Rules points to IS/ISO/IEC 27001 or a government-approved code of best practices as the benchmark, but whether a given control set was reasonable in a given breach is still argued case by case.)
• PRIVACY must be included in the compliance horizon!
(Note: Section 66A was subsequently struck down as unconstitutional by the Supreme Court of India in Shreya Singhal v. Union of India, March 2015, after this presentation was delivered.)
Sec 66A in action

Another very important privacy area: patient information
This is especially important as many CAs will have BPO clients who are in the business of medical transcription, insurance claims or any activity where they are handling patient / medical information.

PHI definition and data elements
• Protected Health Information: the HIPAA Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information" (PHI).
• "Individually identifiable health information" is information, including demographic data, that relates to:
  • the individual's past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,
  and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.
• Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
New Age Privacy Intrusion
Body scanners

ITAA: Reasonable Security Practices and Procedures and Sensitive Personal Data Rules, 2011
http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, notified on 11th April 2011 under Section 43A of the Information Technology Act
• Defines sensitive personal data and reasonable security practices and procedures.
• The Rules require a body corporate to provide a policy for privacy and disclosure of information (Rule 4), obtain the consent of the user for collection of information (Rule 5), and obtain prior permission from the provider of information before disclosure of sensitive personal information (Rule 6).

Compliance Requirements
Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf
Rule 1: Short title and commencement
Rule 2: Definitions
Rule 3: Sensitive personal data or information
Rule 4: Body corporate to provide policy for privacy and disclosure of information
Rule 5: Collection of information
Rule 6: Disclosure of information
Rule 7: Transfer of information
Rule 8: Reasonable security practices and procedures

The Professional Practice: Privacy

Privacy: Professional Practice
• Readiness
• Policy development
• Audit
• Breach response
• Governance

As a Practitioner
The crux of privacy is in the following:
• The data subject CONSENTS to the objective of collection and provides information
• The data collector must be transparent: why is the data being collected, what are you going to do with it, how will you store it, how is security effectiveness audited… etc.
• The collector must provide a means for review, updating and deletion

Readiness
• Gap analysis / current state assessment
• Privacy policy document aligned to the ITAA Rules and any applicable laws
• Review the privacy policy on the website
• Establish a privacy audit plan, schedule, and guidelines
• Empower an organization officer as CPIO, with training

Use Defense in Depth for Privacy
• It is a well-known concept practiced by InfoSec teams and can be easily extended to include privacy controls
• BY DEFAULT, controls will include:
  • PII data is identified at the point of entry
  • At the development stage, PII handling is treated differently
  • Sensitive data storage is encrypted or segregated, and periodically audited
  • Along with secure storage, secure archiving and deletion routines are also established
  • Use technologies like SIEM, DLP, 2FA
  • Ensure compliance at the point of data capture with transparent and standardized alerts, information pop-ups and notice of use
  • Create end-to-end transparency, informing the data subject of use, storage, disposal, movement, sharing, and other changes
  • Do not ask for or obtain any more information than needed
  • Provide an anonymity mode for persons who are unwilling to share information
  • Create a data system that is sensitive to collection, change and deletion
  • Open communication with the person who has provided the data
  • No hidden archives

Audit
• Carry out privacy audits for compliance with the adopted standard / framework
• Compliance with client requirements
• DSCI Privacy Framework assessment
• Privacy good practices

Breach Response
• Crisis management
• Communication management
• Breach containment
• Negotiations with affected parties
• Financial impact and recovery plans
• Controls improvement
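The "Defense in Depth for Privacy" controls above (identify PII at the point of entry, collect no more than needed, encrypt or segregate sensitive storage) and the later client advice to mask / encrypt PII can be made concrete at the point of capture. The Python below is an added example written for this page; it is not code from the presentation, from DSCI or from any product. The purpose allow-list, the field-name keywords, the masking format and the sample submission are all assumptions made for illustration; the SPDI categories follow Rule 3 of the 2011 Rules, and payment card numbers are recognised by the Luhn checksum, which also catches a card number typed into a free-text field.

```python
"""Added example: privacy-in-depth controls at the point of data capture.

ingest() drops every field the declared purpose does not need, classifies
what remains as SPDI (Rule 3 of the IT (Reasonable security practices ...)
Rules, 2011) or other PII, and returns a masked view for logs and screens
plus the lists of fields that must go to encrypted or segregated storage.
Field names, the allow-list and the sample record are constructed for this
example and are not taken from the presentation.
"""
import json
import re

# Assumed allow-list: the only fields a hypothetical claims-processing
# purpose is permitted to collect. Everything else is dropped, never stored.
PURPOSE_FIELDS = {
    "claims_processing": {"name", "email", "pan", "card_number", "diagnosis", "notes"},
}

# Rule 3 categories, keyed by the field-name keywords that indicate them (assumed).
SPDI_KEYWORDS = {
    "password": ("password", "passwd"),
    "financial": ("card", "account", "payment"),
    "health": ("diagnosis", "medical", "health"),
    "biometric": ("biometric", "fingerprint", "iris"),
}
PII_KEYWORDS = ("name", "email", "phone", "pan", "dob", "address")
PAN_RE = re.compile(r"^[A-Z]{5}[0-9]{4}[A-Z]$")   # Indian income-tax PAN format
CARD_RE = re.compile(r"(?:\d[ -]?){12,18}\d")     # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, as used by payment card numbers."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_card_number(value: str) -> bool:
    """Value-based detection: a Luhn-valid digit run anywhere in the text."""
    return any(luhn_ok(re.sub(r"[ -]", "", run)) for run in CARD_RE.findall(value))


def classify(field: str, value: str) -> str:
    """Return 'spdi:<category>', 'pii' or 'other' for one submitted field."""
    name = field.lower()
    for category, words in SPDI_KEYWORDS.items():
        if any(w in name for w in words):
            return f"spdi:{category}"
    if contains_card_number(value):
        return "spdi:financial"             # card number typed into a generic field
    if any(w in name for w in PII_KEYWORDS) or PAN_RE.match(value.strip()):
        return "pii"
    return "other"


def _last4(run: str) -> str:
    digits = re.sub(r"[ -]", "", run)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask(value: str, category: str) -> str:
    """Masked rendering for logs, tickets and screens; never the storage form."""
    if category == "spdi:financial":
        masked = CARD_RE.sub(lambda m: _last4(m.group(0)), value)
        return masked if masked != value else "<redacted>"   # e.g. a short account number
    if category.startswith("spdi:"):
        return "<redacted>"                 # passwords, health, biometrics: show nothing
    if category == "pii":
        stripped = value.strip()
        if "@" in stripped:
            local, _, domain = stripped.partition("@")
            return local[:1] + "***@" + domain
        if PAN_RE.match(stripped):
            return "******" + stripped[-4:]
        return stripped[:1] + "***"
    return value


def ingest(raw: dict, purpose: str) -> dict:
    """Apply the point-of-entry controls to one submission."""
    allowed = PURPOSE_FIELDS[purpose]
    record, log_view, spdi_fields, pii_fields = {}, {}, [], []
    for field, value in raw.items():
        if field not in allowed:
            continue                        # data minimisation: not needed, not kept
        category = classify(field, str(value))
        record[field] = value               # plaintext, destined only for the encrypted store
        log_view[field] = mask(str(value), category)
        if category.startswith("spdi:"):
            spdi_fields.append(field)       # Rule 8 controls: encrypt/segregate, audit access
        elif category == "pii":
            pii_fields.append(field)
    return {"record": record, "log_view": log_view, "spdi_fields": spdi_fields,
            "pii_fields": pii_fields, "dropped": sorted(k for k in raw if k not in allowed)}


# Constructed sample submission (published test card numbers, fictitious person).
SAMPLE_SUBMISSION = {
    "name": "Ravi Kumar",
    "email": "ravi@example.com",
    "pan": "ABCDE1234F",
    "card_number": "4111 1111 1111 1111",
    "diagnosis": "Type 2 diabetes",
    "notes": "call back re claim; card 4012888888881881",
    "marital_status": "single",             # not needed for the purpose: dropped
    "password": "hunter2",                  # never belongs in a claims form: dropped
}

if __name__ == "__main__":
    print(json.dumps(ingest(SAMPLE_SUBMISSION, "claims_processing")["log_view"], indent=2))
```

The classifier is deliberately conservative: a field whose name does not say "card" but whose value passes the Luhn check is still treated as SPDI, and anything the purpose did not ask for is discarded before it reaches storage, so it can never leak from a log or a backup. Whatever remains in the record is the set that Rule 8 style controls (encryption, access control, audit) then have to protect; the masked view is what support staff and log pipelines should see.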
Governance
• Steering committee
• Ombudsman
• Policies and procedures
• Oversight process
• Assurance for regulators, clients, stakeholders

Privacy Risks: Management, Response and Remediation

Risks
• Cookies collect your information
• Browsers provide an auto-complete feature
• Being tagged on social media by friends
• Stalking
• System breach
• Cloud computing risks
• Theft of data, identity
• Malware / APT
• Espionage
• Phishing
• Scams and frauds

Do you have a choice (?) when you accept the license terms without reading them?

That was software… now we take a look at something you hold closer to your heart 24*7 than anything else (your life partner or love interest included).

Your Cell Phone & Apps
Do you have a choice (?)
…when you are saying okay for anyone to intrude on your private life without knowing them?

What Does One Advise Clients
• This is a paradox: do you tell a client to go back to "chopdis" (paper ledgers)?
• How do you handhold the client into a secure business and personal environment?
• Do we tell them to cut off from the world?

Legal Remediation
• Policy and procedures aligned with / compliant with the ITAA
• Effective Information Security Management System
• Complaint / request to the corporate Grievance Officer set up in Indian companies
• Legal recourse under the ITA: Adjudicating Officer, Cyber Appellate Tribunal, High Court

Remediation Advice for Clients
• Please keep your digital signatures, DIN and TIN numbers yourself
• When we say "yourself" we mean in your OWN custody
• If your client cannot do this, then you should ask them to hand over cash and bank accounts to you too

It is very convenient for clients to keep their digital identities with you, the CA. You are the trusted entity, but if something goes wrong… then what?

Section 11 of the IT Act may help to cover your liability, BUT it is better to be safe than sorry.
ITAA 2008: Section 11, Attribution of Electronic Records
• An electronic record shall be attributed to the originator: (a) if it was sent by the originator himself; (b) by a person who had the authority to act on behalf of the originator in respect of that electronic record; or (c) by an information system programmed by or on behalf of the originator to operate automatically.

Remediation Advice for Clients
• Do not store customer personal data on your mobile device
• Mask / encrypt PII
• Carry out periodic audits
• Keep your certifications valid
• Ensure InfoSec in the "spirit" and not just in the "letter"

Remediation Advice for Clients
• Use encryption in emails and documents (voice communication too)
• When traveling overseas, carry a sanitized laptop / device
• Use a smartphone (if you have to) but don't be too smart: stay away from games and "smart" apps
• Remember, NOTHING is free in this world

More Client Advice
• Advise clients about their legal (criminal) liability in the event of non-compliance or breach
• Ensure that your client enables best practices, through standards or common sense
• Audit reports must be read in full by senior management, and not just the Executive Summary, which is usually sugar-coated to ensure that next year's assignment is also given to us!
Stay secure; protect yourself with good practices and processes based on effective standards and frameworks. Audit periodically, and then ensure that findings are addressed.

Very valuable collation of actions in this infographic from DSCI

Privacy Enablement Solution for the Indian Corporate
…until an international guideline / standard is asked for by a client

DSCI Privacy Framework© (DPF©)
DSCI has taken the lead in defining privacy practices with consideration of the Indian business and regulatory scenario and requirements. The DPF© framework consists of 9 best-practice areas which will help data processors / collectors in protecting the information entrusted to them and in providing the necessary assurance of the same to clients and authorities in India and overseas.
The DPF will help the client organization meet the stringent demands of international standards / guidelines, as it provides in-depth guidance on Privacy Impact Analysis, Incident Management, Contracts, and Implementation. The program includes training and certification. (© DSCI)

DSCI Privacy Principles
DSCI principles in the context of the Indian industry. The principles are derived from globally accepted principles of privacy, and reflect the level of assurance that an organization should create in its transactions with end customers.
• NOTICE: What is the privacy policy of an organization? These elements fall under the principle of 'notice'. Notify the data subject if there is a change in the privacy policy.
• CHOICE & CONSENT: The data subject is given a choice about, and consents to, the collection and use of personal information for the stated purpose.
• COLLECTION LIMITATION: The principle of 'collection limitation' means collection of only the required set of data elements, by fair and lawful means, with the knowledge of the end user.
• USE LIMITATION: Personal data should not be made available or used for any purpose other than what was agreed with the data subject at the time of data collection.
• ACCESS & CORRECTION: This principle assures the data subject that his/her information is accurate, that he/she is given access to the information, and that he/she is provided with the opportunity to correct his/her data.
• SECURITY: This stipulates technical and organizational measures for securing the data, and should focus on the security of personal data.
• DISCLOSURE TO THIRD PARTY: To ensure privacy in all transactions when using third parties, the principles of data protection should be upheld in these relationships.
• OPENNESS: An organization should have a general policy of openness about developments, practices and policies with respect to the personal data it has collected, to increase the confidence of data subjects.
• ACCOUNTABILITY: The data collector is accountable for complying with the measures that give effect to the above principles.
(© DSCI) Note: the descriptions are not verbatim reproductions of the DSCI DPF. Please refer to the original document.

DSCI Assessment Framework (DPF©)
The framework provides for two approaches to providing assurance against:
• Privacy Competence
• Implementation of Global Privacy Principles
(© DSCI)

We are nearing the end of this presentation, so the next question or thought in your mind may be…

Anticipated Questions
• I do not have the (privacy) skills or certification to prove my capability! What do I do?
• How do I assure my client that I make good sense for their business?

SKILL DEVELOPMENT and Professional Certification

Skill Development
• Do you read?
• When you read, do you correlate the reading with business issues?
• When you correlate with business, do you think about a particular client?
• When you think about a particular client, do you think about the industry too, with your "risk" glasses on?
Skill Development (continued)
• When you wear your "risk" glasses, do you scare your client too?
• Finally, do you then read together?

Certifications
• Certified Information Privacy Professional (CIPP)
• Certified Information Privacy Manager (CIPM)
• DSCI Certified Privacy Lead Assessor (DSCI-CPLA)

CIPP, CIPM
http://www.privacyassociation.org/
Textbooks
  Certification Foundation Textbook: $65
  CIPP Concentration or CIPM Textbook: $65
Practice Tests
  Certification Foundation Practice Test: $25
  CIPP Concentration Practice Test: $25
Exams
  First-time Certification Foundation Exam: $275
  First-time Certification Concentration Exam (CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPP/IT, CIPM): $275
  Retake Certification Foundation Exam: $162
  Retake Certification Concentration Exam (CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPP/IT, CIPM): $162

DSCI Certified Lead Privacy Assessor
http://www.dsci.in/
Training: Members Rs. 20,000; Non-Members Rs. 22,500
3-day program; includes all materials, lunch and refreshments

My Personal Mantras
• Use Common Sense Uncommonly
• Be Practical
• Keep It Simple
• Stay Away From Jargon
• Talk Business, Not GeekSpeak

Dinesh O. Bareja, Microsoft MVP, CISA, CISM, ITIL, BS7799, Cert IPR, Cert ERM

Professional Positions
• Pyramid Cyber Security & Forensics (Principal Advisor)
• Open Security Alliance (Principal and CEO)
• Jharkhand Police (Cyber Security Advisor)
• Indian Honeynet Project (Co-Founder)
• Bombay Stock Exchange (Member, IGRC)
• Indian Infosec Consortium (Member, Advisor)

Professional skills and special interest areas
• Security consulting and advisory services for IS architecture, analysis, optimization; government and enterprise policy development
• Cyberwar, cyber-espionage and cybercrime deterrence / investigation
• Technologies: SOC, DLP, IRM, SIEM…
• Practices: incident response, SAM, forensics, regulatory guidance…
• Community: mentoring, training, citizen outreach, India research…
• Business continuity, disaster recovery
• Critical infrastructure protection
• Writer, blogger, columnist, photographer

Contact Information
dinesh@opensecurityalliance.org
@bizsprite
http://in.linkedin.com/in/dineshbareja
+91.9769890505 / +971.52.797-1356
dineshobareja
http://www.slideshare.net/bizsprite/

Acknowledgements & Disclaimer
The laws, standards and frameworks quoted in this presentation may not be verbatim from the sources. Users should ensure the correctness of the same before quoting from this document. We may have edited the legal statements to make the definitions more concise and usable by the non-legal community. Various resources on the internet have been referred to in contributing to the information presented, and a few sources have been mentioned in the next slide. Apologies are due to any sources which are not acknowledged; this is not intentional. Similarly, images too have been acknowledged (above) where possible. Any company names, brand names or trade marks are mentioned only to facilitate understanding of the message being communicated; no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s) by virtue of the mention. Relationships, if any, are acknowledged by the author(s). We apologise for any infraction, as this would be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s).