Presentation - ICAI | Online Web TV

Report
DATA PRIVACY &
PROTECTION
Auditor's Perspective
ICAI, Mumbai Webcast
January 24, 2015
Presented by: Dinesh O Bareja, CISA, CISM, ITIL, Microsoft MVP
Introduction
&
Agenda
A note about
today’s
presentation
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
• We will consider the concepts of “Data” and “Privacy”
and take a look at the IT Act w.r.t. Privacy
• Then we will review our obligation and skill
development as auditors – certifications, client
advisories, privacy audit; looking at a few case studies
• First the facts and then see how it is to be accounted!
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Dinesh O. Bareja,
Microsoft MVP, CISA, CISM, ITIL, BS7799, Cert IPR, Cert ERM
Works in the information security domain across all functional
areas of audit, awareness, optimization, strategy, solution
development, consulting and advisory services.
Earlier, over two decades in manufacturing, exports, trading
and internet technology
A recognized authority and thought leader in cyber security in
the country has worked in India and abroad with enterprise
and government clients
Strongly advocates the use of a common sense based
approach to security
• Introduction
• Data – do we really understand what it is
• Privacy – concepts of PII and legislation
• The India Scenario
• Privacy Regulations and Regulators
• Data – Protection, Collection / Transparency
Disclosure of Fair Use, Sharing
• DSCI Privacy Framework
• Privacy Audit – policy audit, fair use, readiness
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Definitions and
Facts
Data, Privacy, PII,
Personal
Information
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Unprocessed,
collection of numbers,
characters,
images,
raw data, research
data, field data (may
be
collected
by
observation
and
recording)
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Information
Knowledge
Intelligence,
Wisdom
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
DATA
As Defined in Law.
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
As per the ITAct
(Amended) 2008
"Data" means a representation of information,
knowledge, facts, concepts or instructions which are
being prepared or have been prepared in a
formalized manner, and is intended to be
processed, is being processed or has been
processed in a computer system or computer
network, and may be in any form (including
computer printouts magnetic or optical storage
media, punched cards, punched tapes) or stored
internally in the memory of the computer
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Defining the concept
and knowing what
one is protecting and
from what / whom
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
India:
What Data
Constitutes
Privacy
Information
SPDI = Sensitive Personal
Data or Information
Global:
PII = Personal Identifiable
Information / Patient
Identifiable Information
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Anonymity
Anonymizing
Protection
This Will Help
But how long can you sustain such a
work habit as it will be a drag on
your productivity
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Personal Information
as per ITAA 2008
"Personal information" means any
information that relates to a natural
person, which, either directly or
indirectly, in combination with
other information available or likely
to be available with a body
corporate, is capable of identifying
such person.
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Information Technology
Act (Amended) 2008
Section 43A (iii)
"Sensitive personal data or information"
means such personal information as
may be prescribed by the Central
Government in consultation with such
professional bodies or associations as it
may deem fit.
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
PII as per NIST
• Any information about an individual maintained by an agency,
including
1) any information that can be used to distinguish or trace an
individual‘s identity, such as name, social security number,
date and place of birth, mother‘s maiden name, or biometric
records;
2) any other information that is linked or linkable to an
individual, such as medical, educational, financial, and
employment information
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
International
• Canada, the Federal Personal
Information Protection and Electronic
Documents Act (PIPEDA)
• New Zealand, the Privacy Act 1993
• P.R. China - Computer Processed Personal
Information Protection Act was enacted
in 1995
• Law of the Russian Federation “On
Personal Data” as of 27.07.2006 No. 152FZ
• UK – European Law, Data Protection Act
• USA - not explicitly stated anywhere in the Bill of Rights.
Few laws which address privacy
• Health Insurance Portability and Accountability Act
(HIPAA);
• Financial Services Modernization Act (GLBA),
• 15 U.S. Code §§ 6801-6810;
• Final Rule on Privacy of Consumer Financial Information,
• 16 Code of Federal Regulations, Part 313; Fair Credit
Reporting Act (FCRA),
• 15 U.S. Code §§ 1681-1681u;
• Fair Debt Collections Practices Act (FDCPA),
• U.S.C. §§ 1692-1692
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
International
• Article 8 of the European Convention on Human Rights (1950)
covers the whole European continent
(except Belarus and Kosovo)
• Protects the right to respect for private life:
• "Everyone has the right to respect for his private
and family life, his home and his correspondence."
• Privacy has been defined and its protection has
been established as a positive right of everyone.
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
International
• Article 17 of the International Covenant on Civil and Political
Rights of the United Nations of 1966 also protects privacy:
• "No one shall be subjected to arbitrary or unlawful
interference with his privacy, family, home or
correspondence, nor to unlawful attacks on his honour
and reputation. Everyone has the right to the protection
of the law against such interference or attacks."
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Today’s age…
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Thinking
Privacy?
In today’s
age…
• NSA Prism
• Cookies
• CCTV
• Personal Pictures
• Internet monitoring
• Online Search patterns
• Social media
contributions
• Online shopping
preferences
DATA PRIVACY & PROTECTION
• ISP monitoring data d/l
or u/l
• License on your
computer
• Lost / stolen phone with
pics
• PAN number on railway
chart
• Email addresses, phone
numbers
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
The India
Scenario
• Privacy protection is included in the extended
IT Act
• Constitution of India (Article 21) guarantees
Fundamental Rights - Scope widened to
include “Right to Privacy” (UnniKrishnan v/s
State of AP)
• ITA and Rules address privacy, especially ITA
Sec.43A, 66, 72
• Department of Personnel and Training
(DoPT) is working on creating privacy
legislation
• An unofficial draft is has been created and is
generally the only document available at
present
D
P
&P
ATA
DATA PRIVACY & PROTECTION
RIVACY
ROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Information Technology
(Reasonable security practices
and procedures and sensitive
personal data or information)
Rules, 2011.
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Rule 3
Sensitive
i.
Personal Data ii.
or
iii.
Information
Information Technology
(Reasonable
security
practices and procedures
and sensitive personal
data or information)
Rules, 2011.
http://deity.gov.in/sites/upload_files/dit/files
/GSR313E_10511%281%29.pdf
Password
Financial information such as Bank
account or credit card or debit card or
other payment instrument details
Physical, physiological and mental health
condition
iv. Sexual orientation
v.
Medical records and history
vi. Biometric information
vii. Any detail relating to the above clauses
as provided to body corporate for
providing service
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Sensitive
Personal Data
or
Information
Information Technology
(Reasonable
security
practices and procedures
and sensitive personal
data or information)
Rules, 2011.
viii. Any of the information received under
above clauses by body corporate for
processing, stored or processed under
lawful contract or otherwise
Provided that, any information that is freely
available or accessible in public domain or
furnished under the Right to Information Act,
2005 or any other law for the time being in force
shall not be regarded as sensitive personal data
or information for the purposes of these rules.
http://deity.gov.in/sites/upload_files/dit/files
/GSR313E_10511%281%29.pdf
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Regulators
• Adjudicating Officer (ITAA Section 46)
• Cyber Appellate Tribunal (ITAA Sec 58 (2))
• Grievance Officer (as per ITAA Rule 5(9)
• Courts
• Government Privacy Commissioner
(Canada)
• CPIO / PIO – Privacy Information Officer
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
What are we
protecting
and from
whom
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Let’s delete the previous slide
from memory … this is our
business and profession and
we have advise our clients
about risks in all forms and in
all places, to the best of our
knowledge
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
ITAA Sections That Matter for Privacy
43
Penalty and Compensation for damage to computer, computer system, etc.
43-A
Compensation for failure to protect data.
66-A
Punishment for sending offensive messages through communication service, etc.
66-C
Punishment for identity theft.
66-E
Punishment for violation of privacy.
72
72-A
Penalty for breach of confidentiality and privacy.
Punishment for Disclosure of information in breach of lawful contract.
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Sec 43 … Briefly…
• 43 - Establishes framework for liability for penalty and
compensation identifying acts and actions; defines data
collector, establishes responsibility and liability of the collector
• 43A – Compensation for failure or negligence to protect data
causing wrongful loss or gain
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Sec 66 … Briefly…
• 66A - Establishes liability of using a computer to send
offensive, menacing, false information or emails
• 66C - Sets liability for identity theft through fraudulent
use of electronic signatures, passwords etc
• 66E – Capturing / sharing of personal / private pictures
without consent and liability of punishment
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Sec 72 …. Briefly…
• 72 - Sets penalty guidelines for breach of confidentiality
and privacy due to disclosure by trusted entity who
collected data
• 72A - Framework for disclosure of information in breach
of a contract without consent
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Summing up….
• There is stringent punishment awaiting anyone in
contravention of these three sections
• “Reasonable Security” cannot be defined and is
anyone’s guess – a strong prosecution can easily
establish that the security effectiveness is
“unreasonable”
• PRIVACY must be included in the compliance horizon!
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Sec 66a in action
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Another Very
Important
Privacy Area
Patient
Information
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
This is especially important
as many CA’s will have client
BPO’s who are in the
business of Medical
Transcription, Insurance
Claims or any activity where
they are handling patient /
medical information
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
PHI Definition and Data Elements
• Protected Health Information:
• The Privacy Rule protects all "individually identifiable health information"
held or transmitted by a covered entity or its business associate, in any
form or media, whether electronic, paper, or oral. The Privacy Rule calls this
information "protected health information (PHI).
• “Individually identifiable health information” is information, including
demographic data, that relates to:
•
•
•
•
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual,
the individual's identity or for which there is a reasonable basis to believe it can be used to
identify the individual.
• Individually identifiable health information includes many common
identifiers (e.g., name, address, birth date, Social Security Number).
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
New Age Privacy Intrusion
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
New Age
privacy
intrusion
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Body Scanners
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
ITAA
Reasonable
Security Practices
and Procedures
and Sensitive
Personal Data
Rules 2011
http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
• Defines sensitive personal data
Information Technology
and reasonable security
(Reasonable Security
practices and procedures.
Practices and Procedures
and Sensitive Personal
• The Rules require body
Data or Information) Rules, corporate to provide policy for
2011
privacy and disclosure of
information (Rule 4), obtain
consent of user for collection
notified on 11th April,
of information (Rule 5), prior
2013 under section 43A of permission required from
the Information
provider of information before
Technology Act
disclosure of sensitive personal
information (Rule D6) P & P
ATA
DATA PRIVACY & PROTECTION
RIVACY
ROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Compliance
Requirements
Information Technology
(Reasonable security
practices and procedures
and sensitive personal data
or information) Rules, 2011.
http://deity.gov.in/sites/upload_files/dit/files/
GSR313E_10511%281%29.pdf
1
Short Title and
Commencement
2
Definitions
3
Sensitive personal data or
information
Rule 4:
Body corporate to provide
policy for privacy and
disclosure of information
Rule 5:
Collection of information
Rule 6:
Disclosure of information
Rule 7:
Transfer of information
Rule 8:
Reasonable Security
Practices and Procedures
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
The Professional
Practice
PRIVACY
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Privacy – Professional Practice
• Readiness
• Policy Development
• Audit
• Breach Response
• Governance
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
As a Practitioner
The crux of Privacy is in the following:
- Data subject CONSENTS to the objective for collection and
provides information
- Data Collector must be transparent
-
Why is the data being collected
What are you going to do with it
How will you store it
Audit security effectiveness… etc
- Collector must provide a means for review, updating and deletion
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Readiness
• Gap Analysis / Current State Assessment
• Privacy Policy Document aligned to ITAA Rules and any
applicable laws
• Review Privacy Policy on website
• Establish privacy audit plan, schedule, and guidelines
• Empower organization officer as CPIO with training
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Use Defense Privacy in Depth
• It is a well known concept practiced by InfoSec teams and can
be easily extended to include privacy controls
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Use Defense Privacy in Depth
• BY DEFAULT, Controls will include:
• PII data is identified at the point of entry
• At the development stage PII handling is treated
differently
• Sensitive data storage is encrypted or segregated and
periodically audited
• Alongwith secure storage, secure archiving and deletion
routines are also established
• Use technologies like SIEM, DLP, 2FA
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Use Defense Privacy in Depth
• BY DEFAULT, Controls will include:
• Ensure compliance at point of data capture with
transparent and standardized alerts, information pop-ups,
notice of use
• Create end-to-end transparency informing use, storage,
disposal, movement, sharing, and other changes
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Use Defense Privacy in Depth
• BY DEFAULT, Controls will include:
• Do not ask or obtain any more information than needed
• Provide anonymity mode for persons who are unwilling
to share information
• Create a data system that is sensitive to collection,
change and deletion
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Use Defense Privacy in Depth
• BY DEFAULT, Controls will include:
• Open communication with person who has provided
the data
• No hidden archives
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Audit
• Carry out privacy audits for compliance with
the adopted standard / framework;
• Compliance with client requirements
• DSCI Privacy framework assessment
• Privacy good practices
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Breach Response
• Crisis Management
• Communication Management
• Breach Containment
• Negotiations with affected parties
• Financial impact and recovery plans
• Controls improvement
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Governance
• Steering committee
• Ombudsman
• Policies and procedures
• Oversight Process
• Assurance for regulators, clients, stakeholders
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Privacy Risks
Management,
Response and
Remediation
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Risks
• Cookies collect your
information
• Browsers provide
auto-complete feature
• Tagged on Social
Media by friends
• Stalking
• System Breach
• Cloud computing risks
• Theft of Data, Identity
• Malware / APT
• Espionage
• Phishing
• Scams and Frauds
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Do you have a
choice (?)
when you accept the
license terms
without reading them
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
That was software … now
we take a look at
something you hold closer
to your heart 24*7 than
anything else
(your life partner or love
interest included)
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Your Cell Phone & Apps
Do you have a choice
(?)
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
when you are saying okay
for anyone to intrude on
your private life
without knowing them
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
What Does One Advise Clients
• This is a paradox – do you tell a client to go back
to “chopdis”
• How do you handhold the client into a secure
business and personal environment
• Do we tell them to cut off from the world
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Legal Remediation
• Policy and Procedures aligned / compliant to ITAA
• Effective Information Security Management System
• Complaint / Request to the Corporate Grievance Officer
set up in Indian companies
• Legal recourse - Under ITA –Adjudicating Officer, Cyber
Appellate Tribunal, High Court
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Remediation Advise for Clients
• Please keep your Digital Signatures, DIN, TIN
numbers yourself
• When we say “Yourself” we mean in your OWN
custody
• If your client cannot do this then you should ask
them to hand over cash and bank accounts to
you too
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
It is very convenient for
clients to keep their digital
identities with you, the CA
You are the trusted entity
but if something goes
wrong… then what ?
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Section11 of the IT Act
may help to cover your
liability
BUT
It is better to be safe than
to be sorry.
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
ITAA 2008: §§11 Attribution of
Electronic Records
• An electronic record shall be attributed to the originator, (a) if it was sent by the originator himself;
(b) by a person who had the authority to act on behalf of the
originator in respect of that electronic record; or
(c) by an information system programmed by or on behalf of
the originator to operate automatically.
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Remediation Advise for Clients
• Do not store customer personal data on your mobile
device
• Mask / encrypt PII
• Carry out periodic audits
• Keep your certifications valid
• Ensure InfoSec in the “spirit” and not in the “letter”
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Remediation Advise for Clients
• Use encryption in emails, documents (voice
communication too)
• When traveling overseas carry a sanitized laptop /
device
• Use a smartphone (if you have to) but don’t be too
smart – stay away from games and smart apps
• Remember NOTHING is free in this world
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
More Client Advice
• Advise clients about their legal (criminal) liability
in event of non-compliance or breach
• Ensure that your client enables best practices
through standards or common sense
• Audit reports must be read by the senior
management and not just the Executive
Summary which is usually sugar-coated to ensure
that the next year assignment is also given to us!
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Stay secure, protect yourself
with good practices and
processes based on effective
standards and frameworks
Audit periodically and then
ensure that findings are
addressed
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Very valuable
collation of actions
in this infographic
from DSCI
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Very valuable
collation of actions in
this infographic from
DSCI
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Privacy Enablement
Solution for the Indian
Corporate ….
until an international
guideline / standard is
asked for by a client
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
DSCI Privacy Framework
©
(DPF )
DSCI has taken the lead in defining Privacy practices
with consideration of the India business and
regulatory scenario, and requirements.
The DPF© framework consists of 9 best practice areas
which will help data processors / collectors in
protecting the information entrusted to them and to
provide the necessary assurance of the same to
clients and authorities in India and overseas.
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Will help the client organization
meet stringent demands of
international standards / guidelines
as it provides in depth guidance on
Privacy Impact Analysis, Incident
Management, Contracts, and
Implementation
The program includes Training and
Certification
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
© DSCI
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
DSCI Privacy Principles
DSCI principles in the context of the Indian industry. The principles are derived from globally accepted principles of privacy. These principles reflect
the need for an assurance level that an organization should create in its transactions with the end customers.
NOTICE
What is the privacy policy of an organization? These elements fall under the principle of ‘notice’. Notify the data subject if
there is a change in the privacy policy.
CHOICE & CONSENT
Principle of ‘collection limitation’ means collection of only the required set of data elements by fair and lawful means, with
the knowledge of the end user.
USE LIMITATION
The principle specifies that personal data should not be made available or used for any purpose other than what was
agreed with the data subject at the time of data collection.
ACCESS & CORRECTION
This principle assures that his/her information is accurate, is given access to the information, and is provided with the
opportunity to correct his/her data.
SECURITY
This stipulates technical and organizational measures for securing the data and should focus on security of personal data.
DISCLOSURE TO THIRD
PARTY
To ensure privacy in all transactions when using third parties the principles of data protection should be upheld in these
relationships.
OPENNESS
An organization should have a general policy of openness about developments, practices and policies with respect to
personal data that it collected to increase the confidence of subjects.
ACCOUNTABILITY
The data collector is accountable for complying with the measures to comply with the above principles.
© DSCI
Note – the descriptions are not verbatim reproductions of the DSCI DPF. Please refer to the original document
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
DSCI Assessment
Framework
(DPF ©)
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
The framework provides for
two approaches to provide
assurances against:
Privacy Competence
Implementation of Global
Privacy Principles
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
© DSCI
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
We are nearing the
end of this
presentation
So the next question
or thought in your
mind may be..
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Anticipated Questions
I do not have the (privacy) skills or
certification to prove my capability!
What do I do?
How do I assure my client that I
make good sense for their business!
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
SKILL DEVELOPMENT
and
Professional Certification
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Skill Development
• Do you read?
• When you read – do you correlate the reading with
business issues?
• When you correlate with business – do you think
about a particular client?
• When you think about a particular client – do you
think about the industry too with your “risk” glasses?
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Skill Development
• When you wear your “risk” glasses – do you scare
your client too?
• Finally do you then – read together
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Certifications
• Certified Information Privacy Professional - CIPP
• Certified Information Privacy Manager – CIPM
• DSCI Certified Privacy Lead Assessor DSCI-CPLA
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
CIIP, CIPM
http://www.privacyassociation.org/
Textbooks
Certification Foundation Textbook
CIPP Concentration or CIPM Textbook
Practice Tests
Certification Foundation Practice Test
CIPP Concentration Practice Test
Exams
First-time Certification Foundation Exam
First-time Certification Concentration Exam (CIPP/US, CIPP/C, CIPP/E,
CIPP/G, CIPP/IT, CIPM)
Retake Certification Foundation Exam
Retake Certification Concentration Exam (CIPP/US, CIPP/C, CIPP/E,
CIPP/G, CIPP/IT, CIPM)
DATA PRIVACY & PROTECTION
$65
$65
$25
$25
$275
$275
$162
$162
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
DSCI Certified Lead
Privacy
Assessor
http://www.dsci.in/
Training
Members
Rs. 20,0000
Non-Members
Rs. 22,500
3 days program includes all materials lunch and
refreshments
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
My Personal Mantras
Use Common Sense Uncommonly
Be Practical
Keep It Simple
Stay Away From Jargon
Talk Business Not GeekSpeak
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
Dinesh O. Bareja,
Microsoft MVP, CISA, CISM, ITIL, BS7799, Cert IPR, Cert ERM
Professional Positions






Pyramid Cyber Security & Forensics (Principal Advisor)
Open Security Alliance (Principal and CEO)
Jharkhand Police (Cyber Security Advisor)
Indian Honeynet Project (Co Founder)
Bombay Stock Exchange (Member IGRC)
Indian Infosec Consortium (Member Advisor)
Professional skills and special interest areas







Security Consulting and Advisory services for IS Architecture, Analysis, Optimization;
Government and Enterprise Policy development
Cyberwar, Cyber-espionage and cybercrime deterrence / investigation
Technologies: SOC, DLP, IRM, SIEM…
Practices: Incident Response, SAM, Forensics, Regulatory guidance..
Community: mentoring, training, citizen outreach, India research..
Business Continuity, Disaster Recovery
Critical Infrastructure Protection
Writer, Blogger, Columnist, Photographer
Contact Information
[email protected]
@bizsprite
http://in.linkedin.com/in/dineshbareja
+91.9769890505 / +971.52.797-1356
dineshobareja
dineshobareja
http://www.slideshare.net/bizsprite/
Acknowledgements & Disclaimer
The laws, standards, frameworks quoted in this presentation may not be verbatim from
the sources . Users should ensure the correctness of the same before quoting from this
document. We may have edited the legal statements to make the definitions more
concise and usable by the non-legal community.
Various resources on the internet have been referred to contribute to the information
presented and a few sources have been mentioned in the next slide. Apologies are due
to any sources which are not acknowledged and this is not intentional. Similarly, images
too have been acknowledged (above) where possible. Any company names, brand
names, trade marks are mentioned only to facilitate understanding of the message
being communicated - no claim is made to establish any sort of relation (exclusive or
otherwise) by the author(s) by virtue of the mention. Relationships if any, are
acknowledged by author(s). We apologise for any infraction, as this would be wholly
unintentional, and objections may please be communicated to us for remediation of the
erroneous action(s).
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI
DATA PRIVACY & PROTECTION
DATA PRIVACY & PROTECTION
AUDITOR’S PERSPECTIVE
JAN 24, 2015 @ ICAI, MUMBAI

similar documents