IS17428_ISACA_Chennai_20220910.pptx

  1. Data Privacy Assurance - IS 17428. Nanda Mohan Shenoy, Director & CEO. 10th Sep 2022. Confidential. For internal use only.
  2. Disclaimer. The views expressed in this presentation are purely the personal views of the speaker. They do not represent the views of the ISACA Chennai Chapter or of the employer, Bestfit Business Solutions Pvt Limited. Participants are requested to exercise necessary due diligence on the subject matter before forming any opinion. The copyrighted content used in this presentation belongs to the respective owners and is used here purely for educational purposes.
  3. Agenda
      1. Opening thoughts & Global Landscape of Privacy
      2. Indian Landscape of Privacy
      3. Overview of IS 17428
      4. Deep Dive: Specific Clauses of IS 17428
      5. Annex-B: Security and privacy considerations for cloud infrastructure
      6. Q&A
  4. Global Landscape
  5. Opening Thoughts: Confidentiality Vs Privacy
      Artificial Person vs Natural Person
      Confidentiality vs Privacy
      Personally Identifiable Information vs Personal Data
      Privacy Vs National Security conundrum
      "Privacy is the _______ best friend" (Richard Posner)
  6. Standards, Frameworks, Laws & Regulations: Information security, cybersecurity and privacy protection — Information security controls
  7. ISO 27701
  8. NIST Framework
  9. Privacy Compliance Laws Are Evolving Worldwide (Source: https://www.dlapiperdataprotection.com/)
      USA: Territory specific, e.g., SHIELD, CCPA
      Canada: 28 federal, provincial & territorial privacy statutes like PIPEDA
      Argentina: Personal Data Protection Law
      Brazil: LGPD
      Turkey: Turkish Data Protection Authority (KVKK)
      India: Information Technology Act / PDPB
      China: The PRC Cybersecurity Law & other laws/regulations
      Taiwan: Personal Data Protection Law
      Hong Kong: Personal Data (Privacy) Ordinance
      Japan: The Act on the Protection of Personal Information (APPI)
      South Korea: Personal Information Protection Act
      Philippines: Data Privacy Act
      Malaysia / Singapore: Personal Data Protection Act
      Australia: Privacy Act; mix of federal & state/territory legislation
      New Zealand: Privacy Act
  10. Indian Landscape
  11. Indian Privacy Journey - 1 of 3
      2005: CICRA; Ch-6 Information Privacy Principles and Furnishing of Credit Information
      2008: IT Act 2000 amended; Sec 43A added
      2010: DSCI Data Privacy Framework (DPF) launched
      2011: Rule 4, Information Technology (Reasonable Security Practices & Procedures and Sensitive Personal Data or Information) Rules, 2011
      2016: Aadhaar Act
  12. Indian Privacy Journey - 2 of 3
      Supreme Court verdict: Privacy is a Fundamental Right (Art 21)
      TRAI: own sectoral privacy guidelines
      BN Sri Krishna Committee report
      Supreme Court verdict: Aadhaar does not infringe the right to Privacy
      (timeline markers shown on the slide: Mar 2018, Jul, Jul, Sep)
  13. Indian Privacy Journey - 3 of 3
      2019: PDP Bill introduced; referred to select committee
      2020: IS 17428 released in 2 parts
      2020: DEPA (Data Empowerment And Protection Architecture); draft seen, final not yet published
      2022: PDP Bill withdrawn
  14. Privacy Activism
  15. Overview of IS 17428
  16. Background
      • Published in 2020
      • Has two parts
        • Part 1: Engineering and Management Requirements
        • Part 2: Engineering and Management Guidelines
      • Inputs: ISO 29100:2011, ISO 27001:2013
      • Applicability: Personal Data in electronic form (Clause 1.4)
  17. Comparison: Requirements Vs Guidelines
      # | Description         | Clauses | Requirements                | Guidelines
      1 | Scope               | -       |                             |
      2 | References          | -       | IS-17428-2 & ISO 27001:2013 | IS-17428-1 & ISO 27001:2013
      3 | Definitions         | -       |                             | Same as Part-1
      4 | Privacy engineering | 3       |                             |
      5 | Privacy management  | 15      |                             |
      6 | Compliance          | -       |                             |
  18. Table of Contents
      1. SCOPE
      2. REFERENCES
      3. DEFINITIONS
      4. PRIVACY ENGINEERING
         4.1 Development of Privacy Requirements
         4.2 Privacy Principles Based Design Considerations
         4.3 Verification and Testing
      5. PRIVACY MANAGEMENT
      6. COMPLIANCE
  19. Privacy Management
      5.1 Privacy Objectives
      5.2 Data Privacy Function (4)
      5.3 Data Privacy Management System (5)
      5.4 Policies and Processes (2)
      5.5 Records and Document Management
      5.6 Privacy Impact Assessments (2)
      5.7 Data Processor Management (3)
      5.8 Privacy Risk Management (3)
      5.9 Privacy Incident Management (3)
      5.10 Data Subject's Request Management (6)
      5.11 Grievance Redress (2)
      5.12 Staff Competency and Accountability (4)
      5.13 Ongoing Regulatory Compliance
      5.14 Periodic Audits (3)
      5.15 Measurement and Continuous Improvement
  20. Additional Annexures in Guidelines
      • Annex-A (Clause 4.1.1): Legal Provisions in India on Data Privacy
      • Annex-B (Clauses 4.2.6, 4.2.7.2): Security and Privacy Considerations for Cloud Infrastructure
      The more you read, the more you get confused.
  21. Deep Dive: Select Clauses
  22. DPF of DSCI: DSCI Privacy Framework (DPF), 9 Principles
  23. Principles Comparison
      IS17428 (9) | DSCI (9) | ISACA (14) | ISO 29100 (11) | GDPR (6) Art 5
      4.2.1 Personal Data Collection and Limitation (3) | 3. Collection Limitation | 2. Legitimate Purpose Specification and Use Limitation | 4-Data minimization | 5.1.c Minimisation
      4.2.2 Privacy Notice (6) | 1. Notice | 5. Openness, Transparency and Notice | 7-Openness, transparency and notice | Art-13 Information to be provided where personal data are collected from the data subject
      4.2.3 Choice & Consent (4) | 2 | 1 | 1-Consent and choice | Art-7 Conditions for consent
      4.2.4 Use Limitation (2) | 4 | 2 | 3-Collection limitation | 5.1.b Purpose Limitation
      4.2.5 Data Accuracy | 5. Access & Correction | 4. Accuracy and Quality | 6-Accuracy and quality | 5.1.d Accuracy
  24. Principles Comparison (continued)
      IS17428 (9) | DSCI (9) | ISACA (14) | ISO 29100 (11) | GDPR (6) Art 5
      4.2.6 Security (3) | 6 | 8. Security Safeguards | 10-Information security | 5.1.f Integrity and confidentiality
      4.2.7 Disclosure and Transfer (2) | 7. Disclosure to Third Party | 11. Third-party/Vendor Management |  | 5.1.a Lawfulness, fairness and transparency
      4.2.8 Personal Data Storage Limitation |  |  | 5-Use, retention and disclosure limitation | 5.1.e Storage limitation
      4.2.9 Design Considerations to Fulfil Other Rights of Data Subjects |  |  |  |
  25. 4.2.2 Privacy Notice. The organization shall provide privacy notice to the individual prior to collection of personal data. When data collection is indirect or does not involve participation from the individual, the organization shall identify appropriate mechanisms to notify the individual about such collection.
      4.2.2.1 Contents
      4.2.2.2 Mode of communication
      4.2.2.3 Timing of providing notice
      4.2.2.4 Accessibility and comprehensibility
      4.2.2.5 Ease of readability
  26. 4.2.6 Security. Personal information should be secured by use of appropriate controls to ensure its confidentiality, integrity and availability and to prevent unauthorized access or disclosure. Organizations should deploy appropriate security measures commensurate to the likely harm caused to individuals' rights and freedom from a potential breach.
      4.2.6.1 Security of data at source
        • 4.2.6.1.1 Data at rest
        • 4.2.6.1.2 Data in motion
      4.2.6.2 Security of environment
      4.2.6.3 Retention of access logs
  27. 5.3 Data Privacy Management System (DPMS). The organization shall establish a data privacy management system (DPMS) that acts as a baseline and reference point for determining the data privacy requirements for the organization.
      5.3.1 Data Classification
      5.3.2 Inventory of Personal Information
      5.3.3 Process Depicting Flow of Personal Information
      5.3.4 Change in Processing or Data Inventory
      5.3.5 Triggers for Updating DPMS
  28. 5.8 Risk Management Vs 5.6 Privacy Impact Assessment. Risk assessment is quite similar to privacy impact assessment, except that the former is a periodic exercise, whereas the latter is triggered by certain events.
      ISO 29100, Definition 2.20, privacy risk assessment: overall process of risk identification, risk analysis and risk evaluation with regard to the processing of personally identifiable information (PII). NOTE: This process is also known as a privacy impact assessment.
  29. 5.8 Risk Management Vs ISO 31000 Risk Management Process
      5.8.1 Triggers and Periodicity for Privacy Risk Assessments
      5.8.2 Criteria for Risk Evaluation
      5.8.3 Privacy Risk Response Strategy
  30. 5.10 Data Subject's Request Management. The organization shall establish and document mechanisms to respond to and serve requests from an individual. Such mechanisms shall include:
      a) Means to verify identity of an individual;
      b) Providing access to data subject's information;
      c) Means to update data subject's data, including deletion;
      d) Service level agreement including aspects on time and cost as applicable.
      5.10.1 Access to View Data
      5.10.2 Ability to Update Data
      5.10.3 Access to Privacy Notices
      5.10.4 Requesting Mechanism
      5.10.5 Service Level Agreements
      5.10.6 Considerations for Fee
  31. 5.12 Staff Competency and Accountability
      * The organization shall ensure that the staff and contractors handling personal information are competent, kept aware, and that their accountability is established for any actions related to processing of personal information.
      * 5.10 Accountability of ISO 29100: providing suitable training for the personnel of the PII controller who will have access to PII.
      5.12.1 Traceability to Employee's Actions
      5.12.2 Training and Awareness
      5.12.3 Employee Declaration
      5.12.4 Disciplinary Actions
  32. Annex-B: Security and privacy considerations for cloud infrastructure
  33. B-2.1 Compliance to Applicable Regulations (Guidelines). Organizations should be aware that, despite outsourcing processing activities to a cloud provider, they continue to be the data controller. The data controller should comply with data protection laws, which vary from country to country. The data processor / cloud provider is also required to adhere to laws and regulations to the extent applicable and stated as part of the contract.
  34. B-2.2 Data Transfer Restrictions. In a public cloud, organizations may not have control over which employee's data is located in which jurisdiction at different points of time. There are restrictions imposed by privacy laws on data transfer between countries; for example, GDPR and other member nation laws put certain restrictions on data transfers outside Europe. Organizations should determine if such restrictions apply to them and, if applicable, implement appropriate controls to ensure data transfer is as per the applicable regulations.
      A.12.1 Geographical location of PII: The public cloud PII processor should specify and document the countries in which PII can possibly be stored. The identities of the countries where PII can possibly be stored should be made available to cloud service customers.
  35. B-2.3 Data Deletion. Data deletion may not be effective for the following reasons:
      a) Data is not strictly wiped.
      b) Timely data deletion may not always be possible, either because extra copies of data are stored elsewhere, or because the storage media also stores data from other clients.
      c) In scenarios where organizations use less space than estimated, the part of the storage media which usually stores their data could be used for another organization by the cloud provider.
      d) Organizations should ensure that relevant clauses on deletion are added to the contract and that the cloud provider effectively deletes the data as per the requirements agreed.
      A.11.13 Access to data on pre-used data storage space: The public cloud PII processor should ensure that whenever data storage space is assigned to a cloud service customer, any data previously residing on that storage space is not visible to that cloud service customer.
  36. B-2.4 Neighbour Subpoena Risk (Guidelines). In the event of a subpoena on another customer of the cloud provider, if physical hardware of the cloud provider is confiscated by law-enforcement agencies as part of e-discovery, then, due to the centralized storage as well as shared tenancy of physical hardware, there is a risk of disclosure of the organization's data to unwanted parties. The organization may be required under various regulations to inform their customers about the circumstances of the transfer of personal information to the cloud provider and the purposes of the transfer. The cloud provider should promptly inform the co-tenants of the cloud in case of a subpoena, and organizations should ensure the same is also added as part of the contract.
  37. B-2.5 Data Breach Reporting. In the event of a data breach, regulations in certain countries require disclosure to the individuals and regulators. Cloud providers are expected to promptly inform the organizations about the breach, and the same should also be added in the contract. The cloud provider needs to deploy mechanisms to proactively monitor and carry out timely reporting in the event of a data breach.
      A.10.1 Notification to the customer in case of a data breach: Should promptly notify the relevant cloud service customer in the event of any unauthorized access to PII or unauthorized access to processing equipment or facilities resulting in loss, disclosure or alteration of PII.
  38. B-2.6 Logs and Audit Trails. Logs and audit trails should be maintained by the cloud provider and made available to the organization for processing of data in the cloud.
      A.11.3 Control and logging of data restoration: There should be a procedure for, and a log of, data restoration efforts.
  39. B-2.7, B-2.8 & B-2.9
      B-2.7 Data Custody. The organization should clearly determine the following and take appropriate steps to have this documented in the contract as well:
      a) Who actually owns the data on the cloud?
      b) What happens to the data if the contract gets terminated by either party?
      B-2.8 Data Privacy Clauses. Appropriate data privacy clauses should be agreed and added to the contract between the organization and the cloud provider.
      B-2.9 Data Subject Access. Data privacy regulations may require organizations to provide timely access to personal information when requested by an employee. The cloud provider should ensure that data retrieval and recovery is in line with customer expectations.
      0.4 Selecting and implementing controls in a cloud computing environment: Contractual agreements need to clearly specify the PII protection responsibilities of all organizations involved in providing or using the cloud services, including the public cloud PII processor, its sub-contractors and the cloud service customer.
      A.10.3 PII return, transfer and disposal
  40. Thank you (written in Hindi, Malayalam, Bengali and Tamil)
      https://twitter.com/shenoy_1
      https://www.facebook.com/bestfitsolutions/
      https://www.linkedin.com/company/bestfit-business-solutions-pvt-ltd/
      https://www.youtube.com/channel/UCyxNwXY8j66H1GUDanv-boQ
      https://www.slideshare.net/NandaMohanShenoy/
      https://samskritham21.com/

Editor's Notes


  • Privacy is the terrorists' best friend
    American jurist and economist who was a United States Circuit Judge of the United States Court of Appeals for the Seventh Circuit in Chicago from 1981 until 2017, and is a senior lecturer at the University of Chicago Law School.

    PII Definition-NIST SP800-122
    Privacy Vs National Security
    Personal Data Vs Privacy
    PII is "any information about an individual maintained by an agency, including
    any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and
    any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
    person
    behavior and action
    communication
    data and image (information)
    thoughts and feelings
    location and space (territorial)
    Privacy of association

  • https://aws.amazon.com/compliance/cloud-act/
  • http://loksabhaph.nic.in/Committee/CommitteeInformation.aspx?comm_code=73&tab=1
  • http://loksabhaph.nic.in/Committee/CommitteeInformation.aspx?comm_code=73&tab=1
  • Figure in brackets shows number of sub-sections in Guidelines
