SlideShare a Scribd company logo
1
Confidential. For internal use only.
Data Privacy Assurance- IS 17428
Nanda Mohan Shenoy
Director & CEO
10th Sep-2022
2
Disclaimer
The views expressed in this presentation are purely the personal views of
the speaker.
It does not represent the views of ISACA Chennai Chapter nor the employer
Bestfit Business Solutions Pvt Limited.
Participants are requested to exercise necessary due diligence on the
subject matter before forming any opinion.
The Copyrighted content used in this presentation belongs to the respective
owners and is used here purely for educational purpose.
3
Agenda
1. Opening thoughts & Global Landscape
of Privacy
2. Indian Landscape of Privacy
3. Overview of IS 17428
4. Deep Dive –Specific Clauses of IS17428
5. Annx-B Security and privacy
considerations for cloud infrastructure
6. Q&A
4
Confidential. For internal use only.
Global Landscape
5
Opening Thoughts- Confidentiality Vs Privacy
Artificial
Person
Natural
Person
Confidentiality
Privacy
Personally Identifiable
Information
Personal
Data
Privacy Vs National Security Conundrum
Privacy is the _______best
friend
Richard Posner-
6
Standards, Frameworks ,Laws & Regulations
6
Information
security,
cybersecurity
and privacy
protection —
Information
security controls
7
ISO 27701
8
NIST Framework
9
Source: https://www.dlapiperdataprotection.com/
USA
Territory specific,
e.g.,
SHIELD.,CCPA.
Australia
Privacy Act
Mix of federal &
state/territory
legislation
New
Zealand
Privacy Act
Canada
28 federal, provincial &
territorial privacy
statutes like PIPEDA
China
The PRC Cybersecurity
law & other
laws/regulations
Taiwan
Personal Data
Protection Law
Japan
The Act on the
Protection of Personal
Information (APPI)
Argentina
Personal Data
Protection Law
South
Korea
Personal Information
Protection Act
India
Information
Technology
Act/PDPB
Philippines
Data Privacy Act
HongKong
Personal data (Privacy)
Ordinance
Malaysia
Singapore
Personal Data
Protection Act
Turkey
Turkish Data Protection
Authority (KVKK)
Brazil
LGPD
9
Privacy Compliance Laws Are Evolving Worldwide
10
Confidential. For internal use only.
Indian Landscape
11
CICRA
Sec 43A
added in IT
Act 2000
ITACT2000
Amended
Data Privacy
Framework
was launched
.
DSCI DPF
2005
2008
2010
2016
Indian PrivacyJourney -1of 3
Aadhaar Act
Ch-6
INFORMATION PRIVACY
PRINCIPLES AND
FURNISHING OF CREDIT
INFORMATION
Rule-4 INFORMATION
TECHNOLOGY (REASONABLE
SECURITY PRACTICES &
PROCEDURES AND SENSITIVE
PERSONAL DATA OR
INFORMATION) RULES, 2011
12
SupremeCourt
Verdict
Own
Sectoral
Privacy
Guidelines
BN Sri Krishna
Committee
Report
Aadhaar does not
infringe the right to
Privacy
SupremeCourt
Verdict
Mar
2018
Jul
Sep
Indian PrivacyJourney -2of 3
Privacy
Fundamental
Right –Art 21
Jul
TRAI
13
DEPA
PDPBill
Introduced IS 17428
2019
2020
2000
2022
Indian PrivacyJourney -3of 3
Referred to
select
committee
Draft
seen.
Final not
yet
published
In 2 parts
released
PDPBill withdrawn
Data Empowerment And
Protection Architecture
14
Privacy Activism
15
Confidential. For internal use only.
Overview of IS 17428
16
Background
 Published in 2020
 Has two parts
 Part 1 Engineering and Management Requirements
 Part 2 Engineering and Management Guidelines
 Inputs
 ISO 29100:2011
 ISO 27001:2013
 Applicability
 Personal Data in electronic form (Clause 1.4)
17
Comparison Requirements Vs Guidelines
# Description Clauses Requirements Guidelines
1 Scope -
2 References - IS-17428-2 & ISO
27001:2013
IS-17428-1 & ISO 27001:2013
3 Definitions - Same as Part-1
4 Privacy
engineering
3
5 Privacy
management
15
6 Compliance -
18
Table of Contents
1. SCOPE
2. REFERENCES
3. DEFINITIONS
4. PRIVACY ENGINEERING
5. PRIVACY
MANAGEMENT
6. COMPLIANCE
4.1 Development of
Privacy Requirements
4.2 Privacy Principles Based
Design considerations
4.3 Verification and Testing
19
PRIVACY MANAGEMENT
5.10 Data Subject’s Request
Management (6)
5.11 Grievance Redress(2)
5.12 Staff Competency and
Accountability (4)
5.13 Ongoing Regulatory Compliance
5.14 Periodic Audits (3)
5.15 Measurement and Continuous
Improvement
5.1 Privacy Objectives
5.2 Data Privacy Function (4)
5.3 Data Privacy Management System (5)
5.4 Policies and Processes(2)
5.5 Records and Document Management
5.6 Privacy Impact Assessments(2)
5.7 Data Processor Management(3)
5.8 Privacy Risk Management (3)
5.9 Privacy Incident Management (3)
20
Additional Annexures in Guidelines
 Annex- A
 Clause 4.1.1
 LEGAL PROVISIONS IN INDIA ON DATA PRIVACY
 Annex-B
 Clause 4.2.6, 4.2.7.2
 SECURITY AND PRIVACY CONSIDERATIONS FOR CLOUD
INFRASTRUCTURE
The more your
read the more you
get Confused
21
Confidential. For internal use only.
Deep Dive Select Clauses
22
DPF of DSCI
DPF-DSCI Privacy Framework
9 Principles
23
Principles Comparison
# IS17428-(9) DSCI-(9) ISACA-(14) ISO 29100-
(11)
GDPR-(6) Art 5
4.2.1 Personal Data
Collection and
Limitation (3)
3.Collection
Limitation
2.Legitimate Purpose
Specification and Use
Limitation
4-Data
minimization
5.1.c Minimisation
4.2.2
Privacy
Notice(6)
1. Notice 5.Openness,
Transparency and
Notice
7-Openness,
transparency
and notice
Art-13Information to be provided
where personal data are
collected from the data subject
4.2.3 Choice &
Consent(4)
2 1 1-Consent and
choice
Art-7 -Conditions for consent
4.2.4 Use Limitation(2)
4 2 3-Collection
limitation
5.1.b Purpose Limitation
4.2.5 Data Accuracy 5.Access &
Correction
4.Accuracy and
Quality
6-Accuracy and
quality
5.1.d Accuracy
24
Principles Comparison
# IS17428-(9) DSCI-(9) ISACA-(14) ISO 29100-(11) GDPR-(6) Art 5
4.2.6
Security (3) 6 8.Security
Safeguards
10-Information security 5.1.f integrity and
confidentiality
4.2.7 Disclosure and
Transfer(2)
7.Disclosure
to Third Party
11.Third-
party/Vendor
Management
5.1.a lawfulness,
fairness and
transparency
4.2.8 Personal Data
Storage Limitation
5-Use, retention and
disclosure limitation
5.1.e storage
limitation
4.2.9 Design
Considerations to
Fulfil Other Rights
of Data Subjects
25
4.2.2 Privacy Notice
The organization shall provide
privacy notice to the individual
prior to collection of personal
data. When data collection is
indirect or does not involve
participation from the individual,
the organization shall identify
appropriate mechanisms to notify
the individual about such
collection.
4.2.2.1 Contents
4.2.2.2 Mode of communication
4.2.2.3 Timing of providing
notice
4.2.2.4 Accessibility and
comprehensibility
4.2.2.5 Ease of readability
26
4.2.6 Security
Personal information should be
secured by use of appropriate
controls to ensure their
confidentiality, integrity,
availability and to prevent
unauthorized access or disclosure.
Organizations should deploy
appropriate security measures
commensurate to the likely harm
caused to individuals’ rights and
freedom from a potential breach.
4.2.6.1 Security of data at source
• 4.2.6.1.1 Data at rest
• 4.2.6.1.2 Data in motion
4.2.6.2 Security of environment
4.2.6.3 Retention of access logs
27
5.3 Data Privacy Management System (DPMS)
The organization shall
establish a data privacy
management system
(DPMS) that acts as a
baseline and reference point
for determining the data
privacy requirements for
the organization.
5.3.1 Data Classification
5.3.2 Inventory of Personal
Information
5.3.3 Process Depicting Flow of
Personal Information
5.3.4 Change in Processing or
data inventory
5.3.5 Triggers for Updating
DPMS
28
5.8 Risk Management Vs 5.6 Privacy Impact Assessment
Risk assessment is quite similar
to privacy impact assessment,
except that the former is a
periodic exercise, whereas the
latter is triggered based on
certain events
ISO 29100- Definition
2.20 privacy risk assessment
overall process of risk
identification, risk analysis and
risk evaluation with regard to
the processing of personally
identifiable information (PII)
NOTE This process is also
known as a privacy impact
assessment.
29
5.8 Risk Management Vs ISO 31000 Risk Management Process
5.8.1 Triggers and Periodicity
for Privacy Risk Assessments
5.8.2 Criteria for Risk
Evaluation
5.8.3 Privacy Risk Response
Strategy
30
5.10 Data Subject’s Request Management
The organization shall establish and
document mechanisms to respond to and
serve requests from an individual.
Such mechanisms shall include:
a) Means to verify identity of an individual;
b) Providing access to data subject’s
information;
c) Means to update data subject’s data,
including deletion;
d) Service level agreement including
aspects on time and cost as applicable
5.10.1 Access to View Data
5.10.2 Ability to Update Data
5.10.3 Access to Privacy Notices
5.10.4 Requesting Mechanism
5.10.5 Service Level Agreements
5.10.6 Considerations for Fee
31
5.12 Staff Competency and Accountability *
The organization shall ensure that
the staff and contractors handling
personal information shall be
competent, kept aware and their
accountability is established for
any actions related to processing
of personal information.
* 5.10 Accountability of ISO
29100
• providing suitable training for the personnel of
the PII controller who will have access to PII;
5.12.1 Traceability to Employee’s
Actions
5.12.2 Training and awareness
5.12.3 Employee Declaration
5.12.4 Disciplinary Actions
32
Confidential. For internal use only.
Annex-B Security and privacy
considerations for cloud infrastructure
33
B-2.1 Compliance to Applicable Regulations
Organizations should be aware that
despite outsourcing the processing
activities to the cloud provider, it
continues to be a data controller.
Data Controller should comply with
data protection laws which vary
from country to country. Data
Processor/Cloud provider is also
required to adhere to laws and
regulations to the extent applicable
and stated as part of the contract.
Guidelines
34
B-2.2 Data Transfer Restrictions
In public cloud, organizations may not
have control on which employee’s data is
located in which jurisdiction at different
points of time. There are restrictions
imposed by Privacy laws on data transfer
between countries, for example, GDPR
and other member nation laws put certain
restrictions on data transfers outside
Europe. Organizations should determine
if such restrictions apply to them and if
applicable implement appropriate controls
to ensure data transfer is as per the
applicable regulations.
A.12.1 Geographical location
of PII
The public cloud PII processor
should specify and document the
countries in which PII can possibly
be stored.
The identities of the countries where
PII can possibly be stored should be
made available to cloud service
customers
35
B-2.3 Data Deletion
Data deletion may not be effective due to
following reasons:
a) Data is not strictly wiped.
b) Timely data deletion may not be always
possible, either because extra copies of data are
stored elsewhere, or because the storage media
also stores data from other clients.
c) In scenarios where organizations use less
space than estimated, the part of storage media
which usually stores their data could be used for
another organization by the cloud provider.
d) Organizations should ensure that relevant
clauses on deletion are added to the contract and
cloud provider effectively deletes the data as per
the requirements agreed.
A.11.13 Access to data on
pre-used data storage space
The public cloud PII processor
should
ensure that whenever data storage
space is assigned to a cloud service
customer, any data previously
residing on that storage space is not
visible to that cloud service
customer.
36
B-2.4 Neighbour Subpoena Risk
In the event of a subpoena on another customer
of the cloud provider, if physical hardware of
cloud provider is confiscated by law-
enforcement agencies as part of e-discovery,
due to the centralized storage as well as shared
tenancy of physical hardware, there is a risk of
disclosure of organization’s data to unwanted
parties. The organization may be required under
various regulations to inform their customers
about the circumstances of the transfer of
personal information to the cloud provider and
the purposes of the transfer. Cloud provider
should promptly inform the co-tenant of the
cloud in case of subpoena and organizations
should ensure the same is also added as part of
the contract.
Guidelines
37
B-2.5 Data Breach Reporting
In the event of a data breach,
regulations in certain countries require
disclosure to the individuals and
regulators. Cloud providers are
expected to promptly inform the
organizations about the breach and
same should also be added in the
contract. The cloud provider need to
deploy mechanisms to proactively
monitor and carry out timely reporting
in the event of a data breach.
A.10.1 Notification to the
customer in case of a data
breach
Should promptly notify the relevant
cloud service customer in the event
of any unauthorized access to PII or
unauthorized access to processing
equipment or facilities resulting in
loss, disclosure or alteration of PII.
.
38
B-2.6 Logs and Audit Trails
Logs and audit trails
should be maintained by
the cloud provider and
made available to
organization for
processing of data in the
cloud.
A.11.3 Control and logging of
data restoration
There should be a procedure for,
and a log of, data restoration efforts.
.
39
B-2.7, B-2.8 & 2.9
B-2.7 Data Custody
Organization should clearly determine the following and
take appropriate steps to have this documented in the
contract as well:
a) Who actually owns the data on cloud?
b) What happens to the data if the contract gets
terminated by either parties?
B-2.8 Data Privacy Clauses
Appropriate Data privacy clauses should be agreed and
added to the contract between organization and cloud
provider.
B-2.9 Data Subject Access
Data Privacy regulations may require organizations to
provide timely access to personal information when
requested by employee. Cloud provider should ensure
that data retrieval and recovery is in line with customer
expectations.
0.4 Selecting and
implementing controls in a
cloud computing environment
Contractual agreements need to clearly specify
the PII protection responsibilities of all
organizations involved in providing or using the
cloud services, including the public cloud PII
processor, its sub-contractors and the cloud
service customer.
A.10.3 PII return, transfer and
disposal
40
https://twitter.com/shenoy_1
https://www.facebook.com/bestfitsolutions/
https://www.linkedin.com/company/bestfit-
business-solutions-pvt-ltd/
https://www.youtube.com/channel/UCyxNwXY
8j66H1GUDanv-boQ
https://www.slideshare.net/NandaMohanSheno
y/
धन्यवाद
നന്ദി
ধন্যবাদ
நன்றி
https://samskritham21.com/

More Related Content

What's hot

2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf
ControlCase
 
Procesy długożyjące - Wzorzec Sagi
Procesy długożyjące - Wzorzec SagiProcesy długożyjące - Wzorzec Sagi
Procesy długożyjące - Wzorzec Sagi
Michał Brzuchalski
 
Overview of Digital Financial Services Landscape
Overview of Digital Financial Services LandscapeOverview of Digital Financial Services Landscape
Overview of Digital Financial Services Landscape
John Owens
 
GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR RACI.pdf
GDPR RACI.pdfGDPR RACI.pdf
Mm iso 27001 2013 +annex a
Mm iso 27001 2013 +annex aMm iso 27001 2013 +annex a
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013  An Overview ISO/IEC 27001:2013  An Overview
ISO/IEC 27001:2013 An Overview
Ahmed Riad .
 
Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...
PECB
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
Dr Madhu Aman Sharma
 
What's new in BABoK 3.0?
What's new in BABoK 3.0?What's new in BABoK 3.0?
What's new in BABoK 3.0?
Katarzyna Kot
 
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information StandardQuick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
PECB
 
Cbap babok 2.0 ppt introduction
Cbap babok 2.0 ppt introductionCbap babok 2.0 ppt introduction
Cbap babok 2.0 ppt introduction
Shardul Parulekar, CBAP®
 
Managing barriers to bpr success
Managing barriers to bpr successManaging barriers to bpr success
Managing barriers to bpr success
Sana Fatima
 
HITRUST 101: All the basics you need to know
HITRUST 101: All the basics you need to knowHITRUST 101: All the basics you need to know
HITRUST 101: All the basics you need to know
➲ Stella Bridges
 
Iron Bastion: Preventing business email compromise fraud at your firm
Iron Bastion: Preventing business email compromise fraud at your firmIron Bastion: Preventing business email compromise fraud at your firm
Iron Bastion: Preventing business email compromise fraud at your firm
Gabor Szathmari
 
Blockchain and Accounting-Auditing v1
Blockchain and Accounting-Auditing v1Blockchain and Accounting-Auditing v1
Blockchain and Accounting-Auditing v1
Jaiveer Singh
 
OTIS: Our Journey to Passwordless.pptx
OTIS: Our Journey to Passwordless.pptxOTIS: Our Journey to Passwordless.pptx
OTIS: Our Journey to Passwordless.pptx
FIDO Alliance
 
Комплект документов по ISO 27001-2013
Комплект документов по ISO 27001-2013Комплект документов по ISO 27001-2013
Комплект документов по ISO 27001-2013
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
The Path to Open Banking
The Path to Open BankingThe Path to Open Banking
The Path to Open Banking
MuleSoft
 
Iso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guideIso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guide
mfmurat
 

What's hot (20)

2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf
 
Procesy długożyjące - Wzorzec Sagi
Procesy długożyjące - Wzorzec SagiProcesy długożyjące - Wzorzec Sagi
Procesy długożyjące - Wzorzec Sagi
 
Overview of Digital Financial Services Landscape
Overview of Digital Financial Services LandscapeOverview of Digital Financial Services Landscape
Overview of Digital Financial Services Landscape
 
GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdf
 
GDPR RACI.pdf
GDPR RACI.pdfGDPR RACI.pdf
GDPR RACI.pdf
 
Mm iso 27001 2013 +annex a
Mm iso 27001 2013 +annex aMm iso 27001 2013 +annex a
Mm iso 27001 2013 +annex a
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013  An Overview ISO/IEC 27001:2013  An Overview
ISO/IEC 27001:2013 An Overview
 
Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
 
What's new in BABoK 3.0?
What's new in BABoK 3.0?What's new in BABoK 3.0?
What's new in BABoK 3.0?
 
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information StandardQuick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
 
Cbap babok 2.0 ppt introduction
Cbap babok 2.0 ppt introductionCbap babok 2.0 ppt introduction
Cbap babok 2.0 ppt introduction
 
Managing barriers to bpr success
Managing barriers to bpr successManaging barriers to bpr success
Managing barriers to bpr success
 
HITRUST 101: All the basics you need to know
HITRUST 101: All the basics you need to knowHITRUST 101: All the basics you need to know
HITRUST 101: All the basics you need to know
 
Iron Bastion: Preventing business email compromise fraud at your firm
Iron Bastion: Preventing business email compromise fraud at your firmIron Bastion: Preventing business email compromise fraud at your firm
Iron Bastion: Preventing business email compromise fraud at your firm
 
Blockchain and Accounting-Auditing v1
Blockchain and Accounting-Auditing v1Blockchain and Accounting-Auditing v1
Blockchain and Accounting-Auditing v1
 
OTIS: Our Journey to Passwordless.pptx
OTIS: Our Journey to Passwordless.pptxOTIS: Our Journey to Passwordless.pptx
OTIS: Our Journey to Passwordless.pptx
 
Комплект документов по ISO 27001-2013
Комплект документов по ISO 27001-2013Комплект документов по ISO 27001-2013
Комплект документов по ISO 27001-2013
 
The Path to Open Banking
The Path to Open BankingThe Path to Open Banking
The Path to Open Banking
 
Iso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guideIso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guide
 

Similar to IS17428_ISACA_Chennai_20220910.pptx

ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness PosterISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
Operational Excellence Consulting
 
IT Perspectives in Implementing Privacy Framework
IT Perspectives in Implementing Privacy FrameworkIT Perspectives in Implementing Privacy Framework
IT Perspectives in Implementing Privacy Framework
Shankar Subramaniyan
 
Data Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data SubjectData Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data Subject
John Macasio
 
04 - Annexe 20sdsdsdsadsadsdsdsad22.pptx
04 - Annexe 20sdsdsdsadsadsdsdsad22.pptx04 - Annexe 20sdsdsdsadsadsdsdsad22.pptx
04 - Annexe 20sdsdsdsadsadsdsdsad22.pptx
kashifmajeedjanjua
 
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingTư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Nguyễn Đăng Quang
 
Paris wp5 pd-pb_d_case_study
Paris wp5 pd-pb_d_case_studyParis wp5 pd-pb_d_case_study
Paris wp5 pd-pb_d_case_study
Privacy Data Protection for Engineering
 
My Gap analysis results between ISO27001: 2022 and 2013 version as of 2022 fall.
My Gap analysis results between ISO27001: 2022 and 2013 version as of 2022 fall.My Gap analysis results between ISO27001: 2022 and 2013 version as of 2022 fall.
My Gap analysis results between ISO27001: 2022 and 2013 version as of 2022 fall.
Jerimi Soma
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interprom
Mart Rovers
 
GDPR and ISO 27001 - how to be compliant
GDPR and ISO 27001 - how to be compliantGDPR and ISO 27001 - how to be compliant
GDPR and ISO 27001 - how to be compliant
Ilesh Dattani
 
AIOTA Certification.pdf
AIOTA Certification.pdfAIOTA Certification.pdf
AIOTA Certification.pdf
demingcertificationa
 
GDPR Are you ready for auditing privacy ?
GDPR Are you ready for auditing privacy ?GDPR Are you ready for auditing privacy ?
GDPR Are you ready for auditing privacy ?
Patrick Soenen
 
Compliance poster
Compliance posterCompliance poster
Compliance poster
Rui Gomes
 
Cobit 5 for information security
Cobit 5 for information securityCobit 5 for information security
Cobit 5 for information security
Elkanouni Mohamed
 
ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】
ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】
ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】
Jerimi Soma
 
slide-webninar-kik-r2-2 (1).pdf
slide-webninar-kik-r2-2 (1).pdfslide-webninar-kik-r2-2 (1).pdf
GDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceGDPR Part 2: Quest Relevance
GDPR Part 2: Quest Relevance
Adrian Dumitrescu
 
Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event
Vuzion
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Security best ways to protect your intellectual capital
Security   best ways to protect your intellectual capitalSecurity   best ways to protect your intellectual capital
Security best ways to protect your intellectual capital
Aconex
 
DEFeND Project Presentation - July 2018
DEFeND Project Presentation - July 2018DEFeND Project Presentation - July 2018
DEFeND Project Presentation - July 2018
DEFeND Project
 

Similar to IS17428_ISACA_Chennai_20220910.pptx (20)

ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness PosterISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
 
IT Perspectives in Implementing Privacy Framework
IT Perspectives in Implementing Privacy FrameworkIT Perspectives in Implementing Privacy Framework
IT Perspectives in Implementing Privacy Framework
 
Data Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data SubjectData Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data Subject
 
04 - Annexe 20sdsdsdsadsadsdsdsad22.pptx
04 - Annexe 20sdsdsdsadsadsdsdsad22.pptx04 - Annexe 20sdsdsdsadsadsdsdsad22.pptx
04 - Annexe 20sdsdsdsadsadsdsdsad22.pptx
 
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingTư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
 
Paris wp5 pd-pb_d_case_study
Paris wp5 pd-pb_d_case_studyParis wp5 pd-pb_d_case_study
Paris wp5 pd-pb_d_case_study
 
My Gap analysis results between ISO27001: 2022 and 2013 version as of 2022 fall.
My Gap analysis results between ISO27001: 2022 and 2013 version as of 2022 fall.My Gap analysis results between ISO27001: 2022 and 2013 version as of 2022 fall.
My Gap analysis results between ISO27001: 2022 and 2013 version as of 2022 fall.
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interprom
 
GDPR and ISO 27001 - how to be compliant
GDPR and ISO 27001 - how to be compliantGDPR and ISO 27001 - how to be compliant
GDPR and ISO 27001 - how to be compliant
 
AIOTA Certification.pdf
AIOTA Certification.pdfAIOTA Certification.pdf
AIOTA Certification.pdf
 
GDPR Are you ready for auditing privacy ?
GDPR Are you ready for auditing privacy ?GDPR Are you ready for auditing privacy ?
GDPR Are you ready for auditing privacy ?
 
Compliance poster
Compliance posterCompliance poster
Compliance poster
 
Cobit 5 for information security
Cobit 5 for information securityCobit 5 for information security
Cobit 5 for information security
 
ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】
ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】
ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】
 
slide-webninar-kik-r2-2 (1).pdf
slide-webninar-kik-r2-2 (1).pdfslide-webninar-kik-r2-2 (1).pdf
slide-webninar-kik-r2-2 (1).pdf
 
GDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceGDPR Part 2: Quest Relevance
GDPR Part 2: Quest Relevance
 
Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
 
Security best ways to protect your intellectual capital
Security   best ways to protect your intellectual capitalSecurity   best ways to protect your intellectual capital
Security best ways to protect your intellectual capital
 
DEFeND Project Presentation - July 2018
DEFeND Project Presentation - July 2018DEFeND Project Presentation - July 2018
DEFeND Project Presentation - July 2018
 

More from Nanda Mohan Shenoy

Srimadbhagavata_parayanam_v3.pdf
Srimadbhagavata_parayanam_v3.pdfSrimadbhagavata_parayanam_v3.pdf
Srimadbhagavata_parayanam_v3.pdf
Nanda Mohan Shenoy
 
D07_SVCMahatmyam_v1.pdf
D07_SVCMahatmyam_v1.pdfD07_SVCMahatmyam_v1.pdf
D07_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
D06_SVCMahatmyam_v1.pdf
D06_SVCMahatmyam_v1.pdfD06_SVCMahatmyam_v1.pdf
D06_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
D05_SVCMahatmyam_v1.pdf
D05_SVCMahatmyam_v1.pdfD05_SVCMahatmyam_v1.pdf
D05_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
D04_SVCMahatmyam_v1.pdf
D04_SVCMahatmyam_v1.pdfD04_SVCMahatmyam_v1.pdf
D04_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
D03_SVCMahatmyam_v1.pdf
D03_SVCMahatmyam_v1.pdfD03_SVCMahatmyam_v1.pdf
D03_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
D02_SVCMahatmyam_v1.pdf
D02_SVCMahatmyam_v1.pdfD02_SVCMahatmyam_v1.pdf
D02_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
D01_SVCMahatmyam_v1.pdf
D01_SVCMahatmyam_v1.pdfD01_SVCMahatmyam_v1.pdf
D01_SVCMahatmyam_v1.pdf
Nanda Mohan Shenoy
 
09_Sundara Kandam_v3.pdf
09_Sundara Kandam_v3.pdf09_Sundara Kandam_v3.pdf
09_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
08_Sundara Kandam_v3.pdf
08_Sundara Kandam_v3.pdf08_Sundara Kandam_v3.pdf
08_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
07_Sundara Kandam_v3.pdf
07_Sundara Kandam_v3.pdf07_Sundara Kandam_v3.pdf
07_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
06_Sundara Kandam_v3.pdf
06_Sundara Kandam_v3.pdf06_Sundara Kandam_v3.pdf
06_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
05_Sundara Kandam_v3.pdf
05_Sundara Kandam_v3.pdf05_Sundara Kandam_v3.pdf
05_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
04_Sundara Kandam_v3.pptx
04_Sundara Kandam_v3.pptx04_Sundara Kandam_v3.pptx
04_Sundara Kandam_v3.pptx
Nanda Mohan Shenoy
 
03_Sundara Kandam-v3.pdf
03_Sundara Kandam-v3.pdf03_Sundara Kandam-v3.pdf
03_Sundara Kandam-v3.pdf
Nanda Mohan Shenoy
 
02_Sundara Kandam_v3.pdf
02_Sundara Kandam_v3.pdf02_Sundara Kandam_v3.pdf
02_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
01_Sundara Kandam_v3.pdf
01_Sundara Kandam_v3.pdf01_Sundara Kandam_v3.pdf
01_Sundara Kandam_v3.pdf
Nanda Mohan Shenoy
 
CEPAR Conference _20230204.pdf
CEPAR Conference _20230204.pdfCEPAR Conference _20230204.pdf
CEPAR Conference _20230204.pdf
Nanda Mohan Shenoy
 
F 32-Mukundamala- Part-6
F 32-Mukundamala- Part-6F 32-Mukundamala- Part-6
F 32-Mukundamala- Part-6
Nanda Mohan Shenoy
 
F31 Mukundamala Part-5
F31 Mukundamala Part-5F31 Mukundamala Part-5
F31 Mukundamala Part-5
Nanda Mohan Shenoy
 

More from Nanda Mohan Shenoy (20)

Srimadbhagavata_parayanam_v3.pdf
Srimadbhagavata_parayanam_v3.pdfSrimadbhagavata_parayanam_v3.pdf
Srimadbhagavata_parayanam_v3.pdf
 
D07_SVCMahatmyam_v1.pdf
D07_SVCMahatmyam_v1.pdfD07_SVCMahatmyam_v1.pdf
D07_SVCMahatmyam_v1.pdf
 
D06_SVCMahatmyam_v1.pdf
D06_SVCMahatmyam_v1.pdfD06_SVCMahatmyam_v1.pdf
D06_SVCMahatmyam_v1.pdf
 
D05_SVCMahatmyam_v1.pdf
D05_SVCMahatmyam_v1.pdfD05_SVCMahatmyam_v1.pdf
D05_SVCMahatmyam_v1.pdf
 
D04_SVCMahatmyam_v1.pdf
D04_SVCMahatmyam_v1.pdfD04_SVCMahatmyam_v1.pdf
D04_SVCMahatmyam_v1.pdf
 
D03_SVCMahatmyam_v1.pdf
D03_SVCMahatmyam_v1.pdfD03_SVCMahatmyam_v1.pdf
D03_SVCMahatmyam_v1.pdf
 
D02_SVCMahatmyam_v1.pdf
D02_SVCMahatmyam_v1.pdfD02_SVCMahatmyam_v1.pdf
D02_SVCMahatmyam_v1.pdf
 
D01_SVCMahatmyam_v1.pdf
D01_SVCMahatmyam_v1.pdfD01_SVCMahatmyam_v1.pdf
D01_SVCMahatmyam_v1.pdf
 
09_Sundara Kandam_v3.pdf
09_Sundara Kandam_v3.pdf09_Sundara Kandam_v3.pdf
09_Sundara Kandam_v3.pdf
 
08_Sundara Kandam_v3.pdf
08_Sundara Kandam_v3.pdf08_Sundara Kandam_v3.pdf
08_Sundara Kandam_v3.pdf
 
07_Sundara Kandam_v3.pdf
07_Sundara Kandam_v3.pdf07_Sundara Kandam_v3.pdf
07_Sundara Kandam_v3.pdf
 
06_Sundara Kandam_v3.pdf
06_Sundara Kandam_v3.pdf06_Sundara Kandam_v3.pdf
06_Sundara Kandam_v3.pdf
 
05_Sundara Kandam_v3.pdf
05_Sundara Kandam_v3.pdf05_Sundara Kandam_v3.pdf
05_Sundara Kandam_v3.pdf
 
04_Sundara Kandam_v3.pptx
04_Sundara Kandam_v3.pptx04_Sundara Kandam_v3.pptx
04_Sundara Kandam_v3.pptx
 
03_Sundara Kandam-v3.pdf
03_Sundara Kandam-v3.pdf03_Sundara Kandam-v3.pdf
03_Sundara Kandam-v3.pdf
 
02_Sundara Kandam_v3.pdf
02_Sundara Kandam_v3.pdf02_Sundara Kandam_v3.pdf
02_Sundara Kandam_v3.pdf
 
01_Sundara Kandam_v3.pdf
01_Sundara Kandam_v3.pdf01_Sundara Kandam_v3.pdf
01_Sundara Kandam_v3.pdf
 
CEPAR Conference _20230204.pdf
CEPAR Conference _20230204.pdfCEPAR Conference _20230204.pdf
CEPAR Conference _20230204.pdf
 
F 32-Mukundamala- Part-6
F 32-Mukundamala- Part-6F 32-Mukundamala- Part-6
F 32-Mukundamala- Part-6
 
F31 Mukundamala Part-5
F31 Mukundamala Part-5F31 Mukundamala Part-5
F31 Mukundamala Part-5
 

Recently uploaded

LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UP
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UPLAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UP
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UP
RAHUL
 
UGC NET Exam Paper 1- Unit 1:Teaching Aptitude
UGC NET Exam Paper 1- Unit 1:Teaching AptitudeUGC NET Exam Paper 1- Unit 1:Teaching Aptitude
UGC NET Exam Paper 1- Unit 1:Teaching Aptitude
S. Raj Kumar
 
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) CurriculumPhilippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
MJDuyan
 
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
สมใจ จันสุกสี
 
IGCSE Biology Chapter 14- Reproduction in Plants.pdf
IGCSE Biology Chapter 14- Reproduction in Plants.pdfIGCSE Biology Chapter 14- Reproduction in Plants.pdf
IGCSE Biology Chapter 14- Reproduction in Plants.pdf
Amin Marwan
 
How to Create a More Engaging and Human Online Learning Experience
How to Create a More Engaging and Human Online Learning Experience How to Create a More Engaging and Human Online Learning Experience
How to Create a More Engaging and Human Online Learning Experience
Wahiba Chair Training & Consulting
 
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdfANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
Priyankaranawat4
 
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptxC1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
mulvey2
 
Walmart Business+ and Spark Good for Nonprofits.pdf
Walmart Business+ and Spark Good for Nonprofits.pdfWalmart Business+ and Spark Good for Nonprofits.pdf
Walmart Business+ and Spark Good for Nonprofits.pdf
TechSoup
 
How to deliver Powerpoint Presentations.pptx
How to deliver Powerpoint  Presentations.pptxHow to deliver Powerpoint  Presentations.pptx
How to deliver Powerpoint Presentations.pptx
HajraNaeem15
 
Hindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdfHindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdf
Dr. Mulla Adam Ali
 
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptxPengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Fajar Baskoro
 
How to Make a Field Mandatory in Odoo 17
How to Make a Field Mandatory in Odoo 17How to Make a Field Mandatory in Odoo 17
How to Make a Field Mandatory in Odoo 17
Celine George
 
Leveraging Generative AI to Drive Nonprofit Innovation
Leveraging Generative AI to Drive Nonprofit InnovationLeveraging Generative AI to Drive Nonprofit Innovation
Leveraging Generative AI to Drive Nonprofit Innovation
TechSoup
 
MARY JANE WILSON, A “BOA MÃE” .
MARY JANE WILSON, A “BOA MÃE”           .MARY JANE WILSON, A “BOA MÃE”           .
MARY JANE WILSON, A “BOA MÃE” .
Colégio Santa Teresinha
 
The History of Stoke Newington Street Names
The History of Stoke Newington Street NamesThe History of Stoke Newington Street Names
The History of Stoke Newington Street Names
History of Stoke Newington
 
BBR 2024 Summer Sessions Interview Training
BBR  2024 Summer Sessions Interview TrainingBBR  2024 Summer Sessions Interview Training
BBR 2024 Summer Sessions Interview Training
Katrina Pritchard
 
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdfবাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
eBook.com.bd (প্রয়োজনীয় বাংলা বই)
 
Constructing Your Course Container for Effective Communication
Constructing Your Course Container for Effective CommunicationConstructing Your Course Container for Effective Communication
Constructing Your Course Container for Effective Communication
Chevonnese Chevers Whyte, MBA, B.Sc.
 
Chapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptxChapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptx
Denish Jangid
 

Recently uploaded (20)

LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UP
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UPLAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UP
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UP
 
UGC NET Exam Paper 1- Unit 1:Teaching Aptitude
UGC NET Exam Paper 1- Unit 1:Teaching AptitudeUGC NET Exam Paper 1- Unit 1:Teaching Aptitude
UGC NET Exam Paper 1- Unit 1:Teaching Aptitude
 
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) CurriculumPhilippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
 
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
 
IGCSE Biology Chapter 14- Reproduction in Plants.pdf
IGCSE Biology Chapter 14- Reproduction in Plants.pdfIGCSE Biology Chapter 14- Reproduction in Plants.pdf
IGCSE Biology Chapter 14- Reproduction in Plants.pdf
 
How to Create a More Engaging and Human Online Learning Experience
How to Create a More Engaging and Human Online Learning Experience How to Create a More Engaging and Human Online Learning Experience
How to Create a More Engaging and Human Online Learning Experience
 
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdfANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
 
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptxC1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
 
Walmart Business+ and Spark Good for Nonprofits.pdf
Walmart Business+ and Spark Good for Nonprofits.pdfWalmart Business+ and Spark Good for Nonprofits.pdf
Walmart Business+ and Spark Good for Nonprofits.pdf
 
How to deliver Powerpoint Presentations.pptx
How to deliver Powerpoint  Presentations.pptxHow to deliver Powerpoint  Presentations.pptx
How to deliver Powerpoint Presentations.pptx
 
Hindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdfHindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdf
 
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptxPengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
 
How to Make a Field Mandatory in Odoo 17
How to Make a Field Mandatory in Odoo 17How to Make a Field Mandatory in Odoo 17
How to Make a Field Mandatory in Odoo 17
 
Leveraging Generative AI to Drive Nonprofit Innovation
Leveraging Generative AI to Drive Nonprofit InnovationLeveraging Generative AI to Drive Nonprofit Innovation
Leveraging Generative AI to Drive Nonprofit Innovation
 
MARY JANE WILSON, A “BOA MÃE” .
MARY JANE WILSON, A “BOA MÃE”           .MARY JANE WILSON, A “BOA MÃE”           .
MARY JANE WILSON, A “BOA MÃE” .
 
The History of Stoke Newington Street Names
The History of Stoke Newington Street NamesThe History of Stoke Newington Street Names
The History of Stoke Newington Street Names
 
BBR 2024 Summer Sessions Interview Training
BBR  2024 Summer Sessions Interview TrainingBBR  2024 Summer Sessions Interview Training
BBR 2024 Summer Sessions Interview Training
 
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdfবাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
 
Constructing Your Course Container for Effective Communication
Constructing Your Course Container for Effective CommunicationConstructing Your Course Container for Effective Communication
Constructing Your Course Container for Effective Communication
 
Chapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptxChapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptx
 

IS17428_ISACA_Chennai_20220910.pptx

  • 1. 1 Confidential. For internal use only. Data Privacy Assurance- IS 17428 Nanda Mohan Shenoy Director & CEO 10th Sep-2022
  • 2. 2 Disclaimer The views expressed in this presentation are purely the personal views of the speaker. It does not represent the views of ISACA Chennai Chapter nor the employer Bestfit Business Solutions Pvt Limited. Participants are requested to exercise necessary due diligence on the subject matter before forming any opinion. The Copyrighted content used in this presentation belongs to the respective owners and is used here purely for educational purpose.
  • 3. 3 Agenda 1. Opening thoughts & Global Landscape of Privacy 2. Indian Landscape of Privacy 3. Overview of IS 17428 4. Deep Dive –Specific Clauses of IS17428 5. Annx-B Security and privacy considerations for cloud infrastructure 6. Q&A
  • 4. 4 Confidential. For internal use only. Global Landscape
  • 5. 5 Opening Thoughts- Confidentiality Vs Privacy Artificial Person Natural Person Confidentiality Privacy Personally Identifiable Information Personal Data Privacy Vs National Security Conundrum Privacy is the _______best friend Richard Posner-
  • 6. 6 Standards, Frameworks ,Laws & Regulations 6 Information security, cybersecurity and privacy protection — Information security controls
  • 9. 9 Source: https://www.dlapiperdataprotection.com/ USA Territory specific, e.g., SHIELD.,CCPA. Australia Privacy Act Mix of federal & state/territory legislation New Zealand Privacy Act Canada 28 federal, provincial & territorial privacy statutes like PIPEDA China The PRC Cybersecurity law & other laws/regulations Taiwan Personal Data Protection Law Japan The Act on the Protection of Personal Information (APPI) Argentina Personal Data Protection Law South Korea Personal Information Protection Act India Information Technology Act/PDPB Philippines Data Privacy Act HongKong Personal data (Privacy) Ordinance Malaysia Singapore Personal Data Protection Act Turkey Turkish Data Protection Authority (KVKK) Brazil LGPD 9 Privacy Compliance Laws Are Evolving Worldwide
  • 10. 10 Confidential. For internal use only. Indian Landscape
  • 11. 11 CICRA Sec 43A added in IT Act 2000 ITACT2000 Amended Data Privacy Framework was launched . DSCI DPF 2005 2008 2010 2016 Indian PrivacyJourney -1of 3 Aadhaar Act Ch-6 INFORMATION PRIVACY PRINCIPLES AND FURNISHING OF CREDIT INFORMATION Rule-4 INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES & PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES, 2011
  • 12. 12 SupremeCourt Verdict Own Sectoral Privacy Guidelines BN Sri Krishna Committee Report Aadhaar does not infringe the right to Privacy SupremeCourt Verdict Mar 2018 Jul Sep Indian PrivacyJourney -2of 3 Privacy Fundamental Right –Art 21 Jul TRAI
  • 13. 13 DEPA PDPBill Introduced IS 17428 2019 2020 2000 2022 Indian PrivacyJourney -3of 3 Referred to select committee Draft seen. Final not yet published In 2 parts released PDPBill withdrawn Data Empowerment And Protection Architecture
  • 15. 15 Confidential. For internal use only. Overview of IS 17428
  • 16. 16 Background  Published in 2020  Has two parts  Part 1 Engineering and Management Requirements  Part 2 Engineering and Management Guidelines  Inputs  ISO 29100:2011  ISO 27001:2013  Applicability  Personal Data in electronic form (Clause 1.4)
  • 17. 17 Comparison Requirements Vs Guidelines # Description Clauses Requirements Guidelines 1 Scope - 2 References - IS-17428-2 & ISO 27001:2013 IS-17428-1 & ISO 27001:2013 3 Definitions - Same as Part-1 4 Privacy engineering 3 5 Privacy management 15 6 Compliance -
  • 18. 18 Table of Contents 1. SCOPE 2. REFERENCES 3. DEFINITIONS 4. PRIVACY ENGINEERING 5. PRIVACY MANAGEMENT 6. COMPLIANCE 4.1 Development of Privacy Requirements 4.2 Privacy Principles Based Design considerations 4.3 Verification and Testing
  • 19. 19 PRIVACY MANAGEMENT 5.10 Data Subject’s Request Management (6) 5.11 Grievance Redress(2) 5.12 Staff Competency and Accountability (4) 5.13 Ongoing Regulatory Compliance 5.14 Periodic Audits (3) 5.15 Measurement and Continuous Improvement 5.1 Privacy Objectives 5.2 Data Privacy Function (4) 5.3 Data Privacy Management System (5) 5.4 Policies and Processes(2) 5.5 Records and Document Management 5.6 Privacy Impact Assessments(2) 5.7 Data Processor Management(3) 5.8 Privacy Risk Management (3) 5.9 Privacy Incident Management (3)
  • 20. 20 Additional Annexures in Guidelines  Annex- A  Clause 4.1.1  LEGAL PROVISIONS IN INDIA ON DATA PRIVACY  Annex-B  Clause 4.2.6, 4.2.7.2  SECURITY AND PRIVACY CONSIDERATIONS FOR CLOUD INFRASTRUCTURE The more your read the more you get Confused
  • 21. 21 Confidential. For internal use only. Deep Dive Select Clauses
  • 22. 22 DPF of DSCI DPF-DSCI Privacy Framework 9 Principles
  • 23. 23 Principles Comparison # IS17428-(9) DSCI-(9) ISACA-(14) ISO 29100- (11) GDPR-(6) Art 5 4.2.1 Personal Data Collection and Limitation (3) 3.Collection Limitation 2.Legitimate Purpose Specification and Use Limitation 4-Data minimization 5.1.c Minimisation 4.2.2 Privacy Notice(6) 1. Notice 5.Openness, Transparency and Notice 7-Openness, transparency and notice Art-13Information to be provided where personal data are collected from the data subject 4.2.3 Choice & Consent(4) 2 1 1-Consent and choice Art-7 -Conditions for consent 4.2.4 Use Limitation(2) 4 2 3-Collection limitation 5.1.b Purpose Limitation 4.2.5 Data Accuracy 5.Access & Correction 4.Accuracy and Quality 6-Accuracy and quality 5.1.d Accuracy
  • 24. 24 Principles Comparison # IS17428-(9) DSCI-(9) ISACA-(14) ISO 29100-(11) GDPR-(6) Art 5 4.2.6 Security (3) 6 8.Security Safeguards 10-Information security 5.1.f integrity and confidentiality 4.2.7 Disclosure and Transfer(2) 7.Disclosure to Third Party 11.Third- party/Vendor Management 5.1.a lawfulness, fairness and transparency 4.2.8 Personal Data Storage Limitation 5-Use, retention and disclosure limitation 5.1.e storage limitation 4.2.9 Design Considerations to Fulfil Other Rights of Data Subjects
  • 25. 25 4.2.2 Privacy Notice The organization shall provide privacy notice to the individual prior to collection of personal data. When data collection is indirect or does not involve participation from the individual, the organization shall identify appropriate mechanisms to notify the individual about such collection. 4.2.2.1 Contents 4.2.2.2 Mode of communication 4.2.2.3 Timing of providing notice 4.2.2.4 Accessibility and comprehensibility 4.2.2.5 Ease of readability
  • 26. 26 4.2.6 Security Personal information should be secured by use of appropriate controls to ensure their confidentiality, integrity, availability and to prevent unauthorized access or disclosure. Organizations should deploy appropriate security measures commensurate to the likely harm caused to individuals’ rights and freedom from a potential breach. 4.2.6.1 Security of data at source • 4.2.6.1.1 Data at rest • 4.2.6.1.2 Data in motion 4.2.6.2 Security of environment 4.2.6.3 Retention of access logs
  • 27. 27 5.3 Data Privacy Management System (DPMS) The organization shall establish a data privacy management system (DPMS) that acts as a baseline and reference point for determining the data privacy requirements for the organization. 5.3.1 Data Classification 5.3.2 Inventory of Personal Information 5.3.3 Process Depicting Flow of Personal Information 5.3.4 Change in Processing or data inventory 5.3.5 Triggers for Updating DPMS
  • 28. 28 5.8 Risk Management Vs 5.6 Privacy Impact Assessment Risk assessment is quite similar to privacy impact assessment, except that the former is a periodic exercise, whereas the latter is triggered based on certain events ISO 29100- Definition 2.20 privacy risk assessment overall process of risk identification, risk analysis and risk evaluation with regard to the processing of personally identifiable information (PII) NOTE This process is also known as a privacy impact assessment.
  • 29. 29 5.8 Risk Management Vs ISO 31000 Risk Management Process 5.8.1 Triggers and Periodicity for Privacy Risk Assessments 5.8.2 Criteria for Risk Evaluation 5.8.3 Privacy Risk Response Strategy
  • 30. 30 5.10 Data Subject’s Request Management The organization shall establish and document mechanisms to respond to and serve requests from an individual. Such mechanisms shall include: a) Means to verify identity of an individual; b) Providing access to data subject’s information; c) Means to update data subject’s data, including deletion; d) Service level agreement including aspects on time and cost as applicable 5.10.1 Access to View Data 5.10.2 Ability to Update Data 5.10.3 Access to Privacy Notices 5.10.4 Requesting Mechanism 5.10.5 Service Level Agreements 5.10.6 Considerations for Fee
  • 31. 31 5.12 Staff Competency and Accountability * The organization shall ensure that the staff and contractors handling personal information shall be competent, kept aware and their accountability is established for any actions related to processing of personal information. * 5.10 Accountability of ISO 29100 • providing suitable training for the personnel of the PII controller who will have access to PII; 5.12.1 Traceability to Employee’s Actions 5.12.2 Training and awareness 5.12.3 Employee Declaration 5.12.4 Disciplinary Actions
  • 32. 32 Confidential. For internal use only. Annex-B Security and privacy considerations for cloud infrastructure
  • 33. 33 B-2.1 Compliance to Applicable Regulations Organizations should be aware that despite outsourcing the processing activities to the cloud provider, it continues to be a data controller. Data Controller should comply with data protection laws which vary from country to country. Data Processor/Cloud provider is also required to adhere to laws and regulations to the extent applicable and stated as part of the contract. Guidelines
  • 34. 34 B-2.2 Data Transfer Restrictions In public cloud, organizations may not have control on which employee’s data is located in which jurisdiction at different points of time. There are restrictions imposed by Privacy laws on data transfer between countries, for example, GDPR and other member nation laws put certain restrictions on data transfers outside Europe. Organizations should determine if such restrictions apply to them and if applicable implement appropriate controls to ensure data transfer is as per the applicable regulations. A.12.1 Geographical location of PII The public cloud PII processor should specify and document the countries in which PII can possibly be stored. The identities of the countries where PII can possibly be stored should be made available to cloud service customers
  • 35. 35 B-2.3 Data Deletion Data deletion may not be effective due to following reasons: a) Data is not strictly wiped. b) Timely data deletion may not be always possible, either because extra copies of data are stored elsewhere, or because the storage media also stores data from other clients. c) In scenarios where organizations use less space than estimated, the part of storage media which usually stores their data could be used for another organization by the cloud provider. d) Organizations should ensure that relevant clauses on deletion are added to the contract and cloud provider effectively deletes the data as per the requirements agreed. A.11.13 Access to data on pre-used data storage space The public cloud PII processor should ensure that whenever data storage space is assigned to a cloud service customer, any data previously residing on that storage space is not visible to that cloud service customer.
  • 36. 36 B-2.4 Neighbour Subpoena Risk In the event of a subpoena on another customer of the cloud provider, if physical hardware of cloud provider is confiscated by law- enforcement agencies as part of e-discovery, due to the centralized storage as well as shared tenancy of physical hardware, there is a risk of disclosure of organization’s data to unwanted parties. The organization may be required under various regulations to inform their customers about the circumstances of the transfer of personal information to the cloud provider and the purposes of the transfer. Cloud provider should promptly inform the co-tenant of the cloud in case of subpoena and organizations should ensure the same is also added as part of the contract. Guidelines
  • 37. 37 B-2.5 Data Breach Reporting In the event of a data breach, regulations in certain countries require disclosure to the individuals and regulators. Cloud providers are expected to promptly inform the organizations about the breach and same should also be added in the contract. The cloud provider need to deploy mechanisms to proactively monitor and carry out timely reporting in the event of a data breach. A.10.1 Notification to the customer in case of a data breach Should promptly notify the relevant cloud service customer in the event of any unauthorized access to PII or unauthorized access to processing equipment or facilities resulting in loss, disclosure or alteration of PII. .
  • 38. 38 B-2.6 Logs and Audit Trails Logs and audit trails should be maintained by the cloud provider and made available to organization for processing of data in the cloud. A.11.3 Control and logging of data restoration There should be a procedure for, and a log of, data restoration efforts. .
  • 39. 39 B-2.7, B-2.8 & 2.9 B-2.7 Data Custody Organization should clearly determine the following and take appropriate steps to have this documented in the contract as well: a) Who actually owns the data on cloud? b) What happens to the data if the contract gets terminated by either parties? B-2.8 Data Privacy Clauses Appropriate Data privacy clauses should be agreed and added to the contract between organization and cloud provider. B-2.9 Data Subject Access Data Privacy regulations may require organizations to provide timely access to personal information when requested by employee. Cloud provider should ensure that data retrieval and recovery is in line with customer expectations. 0.4 Selecting and implementing controls in a cloud computing environment Contractual agreements need to clearly specify the PII protection responsibilities of all organizations involved in providing or using the cloud services, including the public cloud PII processor, its sub-contractors and the cloud service customer. A.10.3 PII return, transfer and disposal

Editor's Notes

  1. Privacy is the terrorists best friend American jurist and economist who was a United States Circuit Judge of the United States Court of Appeals for the Seventh Circuit in Chicago from 1981 until 2017, and is a senior lecturer at the University of Chicago Law School. PII Definition-NIST SP800-122 Privacy Vs National Security Personal Data Vs Privacy PII is ―any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. person behavior and action communication data and image (information) thoughts and feelings location and space (territorial) Privacy of association
  2. https://aws.amazon.com/compliance/cloud-act/
  3. http://loksabhaph.nic.in/Committee/CommitteeInformation.aspx?comm_code=73&tab=1
  4. 11
  5. 12
  6. 13
  7. http://loksabhaph.nic.in/Committee/CommitteeInformation.aspx?comm_code=73&tab=1
  8. Figure in bracket sows no of sub sections in Guidelines