1
Confidential. For internal use only.
Data Privacy Assurance - IS 17428
Nanda Mohan Shenoy
Director & CEO
10th Sep 2022
2
Disclaimer
The views expressed in this presentation are purely the personal views of the speaker. They do not represent the views of ISACA Chennai Chapter or of the employer, Bestfit Business Solutions Pvt Limited.
Participants are requested to exercise necessary due diligence on the subject matter before forming any opinion.
The copyrighted content used in this presentation belongs to the respective owners and is used here purely for educational purposes.
3
Agenda
1. Opening thoughts & Global Landscape of Privacy
2. Indian Landscape of Privacy
3. Overview of IS 17428
4. Deep Dive - Specific Clauses of IS 17428
5. Annex-B Security and privacy considerations for cloud infrastructure
6. Q&A
4
Global Landscape
5
Opening Thoughts - Confidentiality Vs Privacy
Contrasted terms on the slide: Artificial Person vs Natural Person; Confidentiality vs Privacy; Personally Identifiable Information vs Personal Data.
Privacy Vs National Security Conundrum
"Privacy is the _______ best friend" - Richard Posner
6
Standards, Frameworks, Laws & Regulations
ISO 27002: Information security, cybersecurity and privacy protection — Information security controls
7
ISO 27701
8
NIST Framework
9
Source: https://www.dlapiperdataprotection.com/
USA: Territory specific, e.g., SHIELD, CCPA
Australia: Privacy Act; mix of federal & state/territory legislation
New Zealand: Privacy Act
Canada: 28 federal, provincial & territorial privacy statutes like PIPEDA
China: The PRC Cybersecurity Law & other laws/regulations
Taiwan: Personal Data Protection Law
Japan: The Act on the Protection of Personal Information (APPI)
Argentina: Personal Data Protection Law
South Korea: Personal Information Protection Act
India: Information Technology Act / PDPB
Philippines: Data Privacy Act
Hong Kong: Personal Data (Privacy) Ordinance
Malaysia, Singapore: Personal Data Protection Act
Turkey: Turkish Data Protection Authority (KVKK)
Brazil: LGPD
Privacy Compliance Laws Are Evolving Worldwide
10
Indian Landscape
11
Indian Privacy Journey - 1 of 3
2005: CICRA - Ch-6, Information Privacy Principles and Furnishing of Credit Information
2008: IT Act 2000 amended - Sec 43A added
2010: DSCI Data Privacy Framework (DPF) launched
Rule-4, Information Technology (Reasonable Security Practices & Procedures and Sensitive Personal Data or Information) Rules, 2011
2016: Aadhaar Act
Indian Privacy Journey - 2 of 3
Supreme Court Verdict: Privacy is a Fundamental Right - Art 21
2018 timeline (Mar to Sep):
Jul: TRAI - own sectoral privacy guidelines
Jul: BN Sri Krishna Committee Report
Sep: Supreme Court Verdict - Aadhaar does not infringe the right to Privacy
Indian Privacy Journey - 3 of 3
2019: PDP Bill introduced; referred to select committee
2020: IS 17428 released in 2 parts
DEPA (Data Empowerment And Protection Architecture): draft seen, final not yet published
2022: PDP Bill withdrawn
14
Privacy Activism
15
Overview of IS 17428
16
Background
• Published in 2020
• Has two parts
  • Part 1: Engineering and Management Requirements
  • Part 2: Engineering and Management Guidelines
• Inputs
  • ISO 29100:2011
  • ISO 27001:2013
• Applicability
  • Personal Data in electronic form (Clause 1.4)
17
Comparison Requirements Vs Guidelines
# | Description | Clauses | Requirements (Part 1) | Guidelines (Part 2)
1 | Scope | - | |
2 | References | - | IS-17428-2 & ISO 27001:2013 | IS-17428-1 & ISO 27001:2013
3 | Definitions | - | | Same as Part-1
4 | Privacy engineering | 3 | |
5 | Privacy management | 15 | |
6 | Compliance | - | |
18
Table of Contents
1. SCOPE
2. REFERENCES
3. DEFINITIONS
4. PRIVACY ENGINEERING
   4.1 Development of Privacy Requirements
   4.2 Privacy Principles Based Design Considerations
   4.3 Verification and Testing
5. PRIVACY MANAGEMENT
6. COMPLIANCE
19
PRIVACY MANAGEMENT
5.1 Privacy Objectives
5.2 Data Privacy Function (4)
5.3 Data Privacy Management System (5)
5.4 Policies and Processes (2)
5.5 Records and Document Management
5.6 Privacy Impact Assessments (2)
5.7 Data Processor Management (3)
5.8 Privacy Risk Management (3)
5.9 Privacy Incident Management (3)
5.10 Data Subject's Request Management (6)
5.11 Grievance Redress (2)
5.12 Staff Competency and Accountability (4)
5.13 Ongoing Regulatory Compliance
5.14 Periodic Audits (3)
5.15 Measurement and Continuous Improvement
20
Additional Annexures in Guidelines
• Annex-A (referenced from Clause 4.1.1): LEGAL PROVISIONS IN INDIA ON DATA PRIVACY
• Annex-B (referenced from Clauses 4.2.6, 4.2.7.2): SECURITY AND PRIVACY CONSIDERATIONS FOR CLOUD INFRASTRUCTURE
The more you read, the more you get confused.
21
Deep Dive Select Clauses
22
DPF of DSCI
DPF - DSCI Privacy Framework: 9 Principles
23
Principles Comparison
Columns compared: IS 17428 (9 principles), DSCI (9), ISACA (14), ISO 29100 (11), GDPR (6, Art 5)
4.2.1 Personal Data Collection and Limitation (3): DSCI 3. Collection Limitation; ISACA 2. Legitimate Purpose Specification and Use Limitation; ISO 29100 4 - Data minimization; GDPR 5.1.c Minimisation
4.2.2 Privacy Notice (6): DSCI 1. Notice; ISACA 5. Openness, Transparency and Notice; ISO 29100 7 - Openness, transparency and notice; GDPR Art-13 Information to be provided where personal data are collected from the data subject
4.2.3 Choice & Consent (4): DSCI 2; ISACA 1; ISO 29100 1 - Consent and choice; GDPR Art-7 Conditions for consent
4.2.4 Use Limitation (2): DSCI 4; ISACA 2; ISO 29100 3 - Collection limitation; GDPR 5.1.b Purpose Limitation
4.2.5 Data Accuracy: DSCI 5. Access & Correction; ISACA 4. Accuracy and Quality; ISO 29100 6 - Accuracy and quality; GDPR 5.1.d Accuracy
24
Principles Comparison
Columns compared: IS 17428 (9 principles), DSCI (9), ISACA (14), ISO 29100 (11), GDPR (6, Art 5)
4.2.6 Security (3): DSCI 6; ISACA 8. Security Safeguards; ISO 29100 10 - Information security; GDPR 5.1.f Integrity and confidentiality
4.2.7 Disclosure and Transfer (2): DSCI 7. Disclosure to Third Party; ISACA 11. Third-party/Vendor Management; GDPR 5.1.a Lawfulness, fairness and transparency
4.2.8 Personal Data Storage Limitation: ISO 29100 5 - Use, retention and disclosure limitation; GDPR 5.1.e Storage limitation
4.2.9 Design Considerations to Fulfil Other Rights of Data Subjects
25
4.2.2 Privacy Notice
The organization shall provide privacy notice to the individual prior to collection of personal data. When data collection is indirect or does not involve participation from the individual, the organization shall identify appropriate mechanisms to notify the individual about such collection.
4.2.2.1 Contents
4.2.2.2 Mode of communication
4.2.2.3 Timing of providing notice
4.2.2.4 Accessibility and comprehensibility
4.2.2.5 Ease of readability
26
4.2.6 Security
Personal information should be secured by use of appropriate controls to ensure their confidentiality, integrity, availability and to prevent unauthorized access or disclosure. Organizations should deploy appropriate security measures commensurate to the likely harm caused to individuals' rights and freedom from a potential breach.
4.2.6.1 Security of data at source
• 4.2.6.1.1 Data at rest
• 4.2.6.1.2 Data in motion
4.2.6.2 Security of environment
4.2.6.3 Retention of access logs
27
5.3 Data Privacy Management System (DPMS)
The organization shall establish a data privacy management system (DPMS) that acts as a baseline and reference point for determining the data privacy requirements for the organization.
5.3.1 Data Classification
5.3.2 Inventory of Personal Information
5.3.3 Process Depicting Flow of Personal Information
5.3.4 Change in Processing or Data Inventory
5.3.5 Triggers for Updating DPMS
28
5.8 Risk Management Vs 5.6 Privacy Impact Assessment
Risk assessment is quite similar to privacy impact assessment, except that the former is a periodic exercise, whereas the latter is triggered based on certain events.
ISO 29100 - Definition 2.20, privacy risk assessment: overall process of risk identification, risk analysis and risk evaluation with regard to the processing of personally identifiable information (PII). NOTE: This process is also known as a privacy impact assessment.
29
5.8 Risk Management Vs ISO 31000 Risk Management Process
5.8.1 Triggers and Periodicity for Privacy Risk Assessments
5.8.2 Criteria for Risk Evaluation
5.8.3 Privacy Risk Response Strategy
30
5.10 Data Subject’s Request Management
The organization shall establish and document mechanisms to respond to and serve requests from an individual. Such mechanisms shall include:
a) Means to verify identity of an individual;
b) Providing access to data subject's information;
c) Means to update data subject's data, including deletion;
d) Service level agreement including aspects on time and cost as applicable.
5.10.1 Access to View Data
5.10.2 Ability to Update Data
5.10.3 Access to Privacy Notices
5.10.4 Requesting Mechanism
5.10.5 Service Level Agreements
5.10.6 Considerations for Fee
31
5.12 Staff Competency and Accountability *
The organization shall ensure that the staff and contractors handling personal information shall be competent, kept aware and their accountability is established for any actions related to processing of personal information.
* 5.10 Accountability of ISO 29100: "providing suitable training for the personnel of the PII controller who will have access to PII;"
5.12.1 Traceability to Employee's Actions
5.12.2 Training and Awareness
5.12.3 Employee Declaration
5.12.4 Disciplinary Actions
32
Annex-B Security and privacy considerations for cloud infrastructure
33
B-2.1 Compliance to Applicable Regulations
Organizations should be aware that, despite outsourcing the processing activities to the cloud provider, they continue to be the data controller. The Data Controller should comply with data protection laws, which vary from country to country. The Data Processor/Cloud provider is also required to adhere to laws and regulations to the extent applicable and as stated in the contract.
(Guidelines)
34
B-2.2 Data Transfer Restrictions
In a public cloud, organizations may not have control over which employee's data is located in which jurisdiction at different points in time. Privacy laws impose restrictions on data transfer between countries; for example, GDPR and other member nation laws put certain restrictions on data transfers outside Europe. Organizations should determine whether such restrictions apply to them and, if applicable, implement appropriate controls to ensure data transfer is as per the applicable regulations.
A.12.1 Geographical location of PII
The public cloud PII processor should specify and document the countries in which PII can possibly be stored. The identities of the countries where PII can possibly be stored should be made available to cloud service customers.
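The DPMS inventory of 5.3, the 4.2.6 / 4.2.8 expectations and the B-2.2 / A.12.1 jurisdiction point above can be expressed as a policy-as-code check over the inventory; the block below is an added example written for this page, not code from IS 17428 or from the presenter, and every policy threshold, store name and date in it is a constructed sample value.

```python
"""Policy-as-code checks over a DPMS inventory of personal information.

Added example (not from IS 17428 or the presentation). Each inventory
record carries the attributes a 5.3.2 inventory entry needs, and
evaluate() reports, per clause, where the record falls short of the
4.2.6.1 (at rest / in motion), 4.2.6.3 (access log retention),
4.2.8 (storage limitation), 5.3.5 (inventory currency) and
Annex B-2.2 / A.12.1 (storage jurisdictions) expectations.
All thresholds and sample records below are constructed values.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DataStore:
    name: str
    classification: str             # 5.3.1: "SPDI", "PII" or "non-personal"
    countries: tuple                # A.12.1: countries where data may be stored
    encrypted_at_rest: bool         # 4.2.6.1.1 data at rest
    encrypted_in_transit: bool      # 4.2.6.1.2 data in motion
    access_log_retention_days: int  # 4.2.6.3 retention of access logs
    retention_days: int             # 4.2.8 storage limitation
    last_reviewed: date             # 5.3.4 / 5.3.5: inventory kept current


@dataclass(frozen=True)
class Policy:
    allowed_countries: frozenset    # B-2.2: jurisdictions the controller accepts
    min_access_log_days: int
    max_retention_days: dict        # per classification, in days
    review_interval_days: int


def evaluate(store: DataStore, policy: Policy, today: date) -> list:
    """Return one finding per failed expectation, tagged with its clause."""
    findings = []
    if store.classification == "non-personal":
        return findings  # not personal data: outside the DPMS checks
    disallowed = sorted(set(store.countries) - policy.allowed_countries)
    if disallowed:
        findings.append(f"B-2.2 {store.name}: storage possible in {disallowed}")
    if not store.encrypted_at_rest:
        findings.append(f"4.2.6.1.1 {store.name}: not encrypted at rest")
    if not store.encrypted_in_transit:
        findings.append(f"4.2.6.1.2 {store.name}: not encrypted in motion")
    if store.access_log_retention_days < policy.min_access_log_days:
        findings.append(f"4.2.6.3 {store.name}: access logs kept only "
                        f"{store.access_log_retention_days} days")
    limit = policy.max_retention_days.get(store.classification)
    if limit is not None and store.retention_days > limit:
        findings.append(f"4.2.8 {store.name}: retention {store.retention_days}d "
                        f"exceeds {limit}d")
    if (today - store.last_reviewed).days > policy.review_interval_days:
        findings.append(f"5.3.5 {store.name}: inventory entry stale, last "
                        f"reviewed {store.last_reviewed.isoformat()}")
    return findings


def evaluate_inventory(inventory, policy, today) -> dict:
    """Map store name -> findings; compliant stores are omitted."""
    report = {}
    for store in inventory:
        findings = evaluate(store, policy, today)
        if findings:
            report[store.name] = findings
    return report


# Constructed sample policy, inventory and assessment date (not real systems).
SAMPLE_POLICY = Policy(
    allowed_countries=frozenset({"IN", "SG"}),
    min_access_log_days=180,
    max_retention_days={"SPDI": 365, "PII": 730},
    review_interval_days=365,
)
SAMPLE_INVENTORY = [
    DataStore("hr-payroll", "SPDI", ("IN",), True, True, 365, 365, date(2022, 6, 1)),
    DataStore("crm-backup", "PII", ("IN", "US"), False, True, 90, 1095, date(2021, 1, 15)),
    DataStore("site-analytics", "non-personal", ("US",), False, False, 0, 3650, date(2019, 1, 1)),
]
SAMPLE_DATE = date(2022, 9, 10)

if __name__ == "__main__":
    for name, findings in evaluate_inventory(SAMPLE_INVENTORY, SAMPLE_POLICY, SAMPLE_DATE).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Only "crm-backup" is reported in the sample run: it fails the jurisdiction, at-rest encryption, access-log retention, storage-limitation and inventory-currency checks, while the SPDI store passes and the non-personal store is out of scope.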
35
B-2.3 Data Deletion
Data deletion may not be effective for the following reasons:
a) Data is not strictly wiped.
b) Timely data deletion may not always be possible, either because extra copies of data are stored elsewhere, or because the storage media also stores data from other clients.
c) In scenarios where organizations use less space than estimated, the part of the storage media which usually stores their data could be used for another organization by the cloud provider.
d) Organizations should ensure that relevant clauses on deletion are added to the contract and that the cloud provider effectively deletes the data as per the requirements agreed.
A.11.13 Access to data on pre-used data storage space
The public cloud PII processor should ensure that whenever data storage space is assigned to a cloud service customer, any data previously residing on that storage space is not visible to that cloud service customer.
36
B-2.4 Neighbour Subpoena Risk
In the event of a subpoena on another customer of the cloud provider, if physical hardware of the cloud provider is confiscated by law-enforcement agencies as part of e-discovery, there is a risk of disclosure of the organization's data to unwanted parties, due to the centralized storage as well as shared tenancy of physical hardware. The organization may be required under various regulations to inform their customers about the circumstances of the transfer of personal information to the cloud provider and the purposes of the transfer. The cloud provider should promptly inform the co-tenant of the cloud in case of a subpoena, and organizations should ensure the same is also added as part of the contract.
(Guidelines)
37
B-2.5 Data Breach Reporting
In the event of a data breach, regulations in certain countries require disclosure to the individuals and regulators. Cloud providers are expected to promptly inform the organizations about the breach, and the same should also be added in the contract. The cloud provider needs to deploy mechanisms to proactively monitor and carry out timely reporting in the event of a data breach.
A.10.1 Notification to the customer in case of a data breach
Should promptly notify the relevant cloud service customer in the event of any unauthorized access to PII or unauthorized access to processing equipment or facilities resulting in loss, disclosure or alteration of PII.
38
B-2.6 Logs and Audit Trails
Logs and audit trails should be maintained by the cloud provider and made available to the organization for processing of data in the cloud.
A.11.3 Control and logging of data restoration
There should be a procedure for, and a log of, data restoration efforts.
39
B-2.7, B-2.8 & 2.9
B-2.7 Data Custody
The organization should clearly determine the following and take appropriate steps to have this documented in the contract as well:
a) Who actually owns the data on the cloud?
b) What happens to the data if the contract gets terminated by either party?
B-2.8 Data Privacy Clauses
Appropriate data privacy clauses should be agreed and added to the contract between the organization and the cloud provider.
B-2.9 Data Subject Access
Data privacy regulations may require organizations to provide timely access to personal information when requested by an employee. The cloud provider should ensure that data retrieval and recovery is in line with customer expectations.
0.4 Selecting and implementing controls in a cloud computing environment
Contractual agreements need to clearly specify the PII protection responsibilities of all organizations involved in providing or using the cloud services, including the public cloud PII processor, its sub-contractors and the cloud service customer.
A.10.3 PII return, transfer and disposal
40
https://twitter.com/shenoy_1
https://www.facebook.com/bestfitsolutions/
https://www.linkedin.com/company/bestfit-business-solutions-pvt-ltd/
https://www.youtube.com/channel/UCyxNwXY8j66H1GUDanv-boQ
https://www.slideshare.net/NandaMohanShenoy/
धन्यवाद
നന്ദി
ধন্যবাদ
நன்றி
https://samskritham21.com/

Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
EduSkills OECD
 
Temple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation resultsTemple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation results
Krassimira Luka
 
math operations ued in python and all used
math operations ued in python and all usedmath operations ued in python and all used
math operations ued in python and all used
ssuser13ffe4
 
Haunted Houses by H W Longfellow for class 10
Haunted Houses by H W Longfellow for class 10Haunted Houses by H W Longfellow for class 10
Haunted Houses by H W Longfellow for class 10
nitinpv4ai
 
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptxBIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
RidwanHassanYusuf
 
Juneteenth Freedom Day 2024 David Douglas School District
Juneteenth Freedom Day 2024 David Douglas School DistrictJuneteenth Freedom Day 2024 David Douglas School District
Juneteenth Freedom Day 2024 David Douglas School District
David Douglas School District
 
Standardized tool for Intelligence test.
Standardized tool for Intelligence test.Standardized tool for Intelligence test.
Standardized tool for Intelligence test.
deepaannamalai16
 
Nutrition Inc FY 2024, 4 - Hour Training
Nutrition Inc FY 2024, 4 - Hour TrainingNutrition Inc FY 2024, 4 - Hour Training
Nutrition Inc FY 2024, 4 - Hour Training
melliereed
 
How Barcodes Can Be Leveraged Within Odoo 17
How Barcodes Can Be Leveraged Within Odoo 17How Barcodes Can Be Leveraged Within Odoo 17
How Barcodes Can Be Leveraged Within Odoo 17
Celine George
 
MDP on air pollution of class 8 year 2024-2025
MDP on air pollution of class 8 year 2024-2025MDP on air pollution of class 8 year 2024-2025
MDP on air pollution of class 8 year 2024-2025
khuleseema60
 
HYPERTENSION - SLIDE SHARE PRESENTATION.
HYPERTENSION - SLIDE SHARE PRESENTATION.HYPERTENSION - SLIDE SHARE PRESENTATION.
HYPERTENSION - SLIDE SHARE PRESENTATION.
deepaannamalai16
 
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem studentsRHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
Himanshu Rai
 
NEWSPAPERS - QUESTION 1 - REVISION POWERPOINT.pptx
NEWSPAPERS - QUESTION 1 - REVISION POWERPOINT.pptxNEWSPAPERS - QUESTION 1 - REVISION POWERPOINT.pptx
NEWSPAPERS - QUESTION 1 - REVISION POWERPOINT.pptx
iammrhaywood
 
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptxPengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Fajar Baskoro
 
The basics of sentences session 7pptx.pptx
The basics of sentences session 7pptx.pptxThe basics of sentences session 7pptx.pptx
The basics of sentences session 7pptx.pptx
heathfieldcps1
 

Recently uploaded (20)

Mule event processing models | MuleSoft Mysore Meetup #47
Mule event processing models | MuleSoft Mysore Meetup #47Mule event processing models | MuleSoft Mysore Meetup #47
Mule event processing models | MuleSoft Mysore Meetup #47
 
Benner "Expanding Pathways to Publishing Careers"
Benner "Expanding Pathways to Publishing Careers"Benner "Expanding Pathways to Publishing Careers"
Benner "Expanding Pathways to Publishing Careers"
 
How to deliver Powerpoint Presentations.pptx
How to deliver Powerpoint  Presentations.pptxHow to deliver Powerpoint  Presentations.pptx
How to deliver Powerpoint Presentations.pptx
 
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptxBeyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
 
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.ppt
Level 3 NCEA - NZ: A  Nation In the Making 1872 - 1900 SML.pptLevel 3 NCEA - NZ: A  Nation In the Making 1872 - 1900 SML.ppt
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.ppt
 
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
 
Temple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation resultsTemple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation results
 
math operations ued in python and all used
math operations ued in python and all usedmath operations ued in python and all used
math operations ued in python and all used
 
Haunted Houses by H W Longfellow for class 10
Haunted Houses by H W Longfellow for class 10Haunted Houses by H W Longfellow for class 10
Haunted Houses by H W Longfellow for class 10
 
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptxBIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
 
Juneteenth Freedom Day 2024 David Douglas School District
Juneteenth Freedom Day 2024 David Douglas School DistrictJuneteenth Freedom Day 2024 David Douglas School District
Juneteenth Freedom Day 2024 David Douglas School District
 
Standardized tool for Intelligence test.
Standardized tool for Intelligence test.Standardized tool for Intelligence test.
Standardized tool for Intelligence test.
 
Nutrition Inc FY 2024, 4 - Hour Training
Nutrition Inc FY 2024, 4 - Hour TrainingNutrition Inc FY 2024, 4 - Hour Training
Nutrition Inc FY 2024, 4 - Hour Training
 
How Barcodes Can Be Leveraged Within Odoo 17
How Barcodes Can Be Leveraged Within Odoo 17How Barcodes Can Be Leveraged Within Odoo 17
How Barcodes Can Be Leveraged Within Odoo 17
 
MDP on air pollution of class 8 year 2024-2025
MDP on air pollution of class 8 year 2024-2025MDP on air pollution of class 8 year 2024-2025
MDP on air pollution of class 8 year 2024-2025
 
HYPERTENSION - SLIDE SHARE PRESENTATION.
HYPERTENSION - SLIDE SHARE PRESENTATION.HYPERTENSION - SLIDE SHARE PRESENTATION.
HYPERTENSION - SLIDE SHARE PRESENTATION.
 
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem studentsRHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
 
NEWSPAPERS - QUESTION 1 - REVISION POWERPOINT.pptx
NEWSPAPERS - QUESTION 1 - REVISION POWERPOINT.pptxNEWSPAPERS - QUESTION 1 - REVISION POWERPOINT.pptx
NEWSPAPERS - QUESTION 1 - REVISION POWERPOINT.pptx
 
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptxPengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
 
The basics of sentences session 7pptx.pptx
The basics of sentences session 7pptx.pptxThe basics of sentences session 7pptx.pptx
The basics of sentences session 7pptx.pptx
 

IS17428_ISACA_Chennai_20220910.pptx

9
Privacy Compliance Laws Are Evolving Worldwide
Source: https://www.dlapiperdataprotection.com/
USA: Territory specific, e.g., SHIELD, CCPA
Australia: Privacy Act; mix of federal & state/territory legislation
New Zealand: Privacy Act
Canada: 28 federal, provincial & territorial privacy statutes like PIPEDA
China: The PRC Cybersecurity Law & other laws/regulations
Taiwan: Personal Data Protection Law
Japan: The Act on the Protection of Personal Information (APPI)
Argentina: Personal Data Protection Law
South Korea: Personal Information Protection Act
India: Information Technology Act/PDPB
Philippines: Data Privacy Act
Hong Kong: Personal Data (Privacy) Ordinance
Malaysia
Singapore: Personal Data Protection Act
Turkey: Turkish Data Protection Authority (KVKK)
Brazil: LGPD
10
Confidential. For internal use only.
Indian Landscape
11
Indian Privacy Journey - 1 of 3
2005: CICRA, Ch-6 Information Privacy Principles and Furnishing of Credit Information
2008: IT Act 2000 amended; Sec 43A added
2010: DSCI Data Privacy Framework (DSCI DPF) launched
2011: Information Technology (Reasonable Security Practices & Procedures and Sensitive Personal Data or Information) Rules, 2011, Rule-4
2016: Aadhaar Act
12
Indian Privacy Journey - 2 of 3
Supreme Court Verdict: Privacy is a Fundamental Right (Art 21)
Mar 2018
Jul: TRAI - own sectoral privacy guidelines
Jul: BN Sri Krishna Committee Report
Sep: Supreme Court Verdict - Aadhaar does not infringe the right to Privacy
13
Indian Privacy Journey - 3 of 3
2019: PDP Bill introduced; referred to select committee
2020: IS 17428 released in 2 parts
DEPA (Data Empowerment And Protection Architecture): draft seen, final not yet published
2022: PDP Bill withdrawn
15
Confidential. For internal use only.
Overview of IS 17428
16
Background
- Published in 2020
- Has two parts
  - Part 1: Engineering and Management Requirements
  - Part 2: Engineering and Management Guidelines
- Inputs
  - ISO 29100:2011
  - ISO 27001:2013
- Applicability
  - Personal Data in electronic form (Clause 1.4)
17
Comparison: Requirements Vs Guidelines
#  Description          Clauses  Requirements                   Guidelines
1  Scope                -
2  References           -        IS-17428-2 & ISO 27001:2013    IS-17428-1 & ISO 27001:2013
3  Definitions          -                                       Same as Part-1
4  Privacy engineering  3
5  Privacy management   15
6  Compliance           -
18
Table of Contents
1. SCOPE
2. REFERENCES
3. DEFINITIONS
4. PRIVACY ENGINEERING
   4.1 Development of Privacy Requirements
   4.2 Privacy Principles Based Design Considerations
   4.3 Verification and Testing
5. PRIVACY MANAGEMENT
6. COMPLIANCE
19
PRIVACY MANAGEMENT
5.1 Privacy Objectives
5.2 Data Privacy Function (4)
5.3 Data Privacy Management System (5)
5.4 Policies and Processes (2)
5.5 Records and Document Management
5.6 Privacy Impact Assessments (2)
5.7 Data Processor Management (3)
5.8 Privacy Risk Management (3)
5.9 Privacy Incident Management (3)
5.10 Data Subject's Request Management (6)
5.11 Grievance Redress (2)
5.12 Staff Competency and Accountability (4)
5.13 Ongoing Regulatory Compliance
5.14 Periodic Audits (3)
5.15 Measurement and Continuous Improvement
20
Additional Annexures in Guidelines
- Annex-A (Clause 4.1.1): LEGAL PROVISIONS IN INDIA ON DATA PRIVACY
- Annex-B (Clauses 4.2.6, 4.2.7.2): SECURITY AND PRIVACY CONSIDERATIONS FOR CLOUD INFRASTRUCTURE
The more you read, the more confused you get
21
Confidential. For internal use only.
Deep Dive: Select Clauses
22
DPF of DSCI
DPF - DSCI Privacy Framework: 9 Principles
23
Principles Comparison
# | IS17428 (9) | DSCI (9) | ISACA (14) | ISO 29100 (11) | GDPR (6) Art 5
4.2.1 Personal Data Collection and Limitation (3) | 3. Collection Limitation | 2. Legitimate Purpose Specification and Use Limitation | 4. Data minimization | 5.1.c Minimisation
4.2.2 Privacy Notice (6) | 1. Notice | 5. Openness, Transparency and Notice | 7. Openness, transparency and notice | Art-13 Information to be provided where personal data are collected from the data subject
4.2.3 Choice & Consent (4) | 2 | 1 | 1. Consent and choice | Art-7 Conditions for consent
4.2.4 Use Limitation (2) | 4 | 2 | 3. Collection limitation | 5.1.b Purpose Limitation
4.2.5 Data Accuracy | 5. Access & Correction | 4. Accuracy and Quality | 6. Accuracy and quality | 5.1.d Accuracy
24
Principles Comparison
# | IS17428 (9) | DSCI (9) | ISACA (14) | ISO 29100 (11) | GDPR (6) Art 5
4.2.6 Security (3) | 6 | 8. Security Safeguards | 10. Information security | 5.1.f Integrity and confidentiality
4.2.7 Disclosure and Transfer (2) | 7. Disclosure to Third Party | 11. Third-party/Vendor Management | - | 5.1.a Lawfulness, fairness and transparency
4.2.8 Personal Data Storage Limitation | - | - | 5. Use, retention and disclosure limitation | 5.1.e Storage limitation
4.2.9 Design Considerations to Fulfil Other Rights of Data Subjects | - | - | - | -
25
4.2.2 Privacy Notice
The organization shall provide privacy notice to the individual prior to collection of personal data. When data collection is indirect or does not involve participation from the individual, the organization shall identify appropriate mechanisms to notify the individual about such collection.
4.2.2.1 Contents
4.2.2.2 Mode of communication
4.2.2.3 Timing of providing notice
4.2.2.4 Accessibility and comprehensibility
4.2.2.5 Ease of readability
26
4.2.6 Security
Personal information should be secured by use of appropriate controls to ensure their confidentiality, integrity, availability and to prevent unauthorized access or disclosure. Organizations should deploy appropriate security measures commensurate to the likely harm caused to individuals' rights and freedom from a potential breach.
4.2.6.1 Security of data at source
  4.2.6.1.1 Data at rest
  4.2.6.1.2 Data in motion
4.2.6.2 Security of environment
4.2.6.3 Retention of access logs
27
5.3 Data Privacy Management System (DPMS)
The organization shall establish a data privacy management system (DPMS) that acts as a baseline and reference point for determining the data privacy requirements for the organization.
5.3.1 Data Classification
5.3.2 Inventory of Personal Information
5.3.3 Process Depicting Flow of Personal Information
5.3.4 Change in Processing or Data Inventory
5.3.5 Triggers for Updating DPMS
28
5.8 Risk Management Vs 5.6 Privacy Impact Assessment
Risk assessment is quite similar to privacy impact assessment, except that the former is a periodic exercise, whereas the latter is triggered based on certain events.
ISO 29100 - Definition 2.20, privacy risk assessment: overall process of risk identification, risk analysis and risk evaluation with regard to the processing of personally identifiable information (PII). NOTE: This process is also known as a privacy impact assessment.
29
5.8 Risk Management Vs ISO 31000 Risk Management Process
5.8.1 Triggers and Periodicity for Privacy Risk Assessments
5.8.2 Criteria for Risk Evaluation
5.8.3 Privacy Risk Response Strategy
30
5.10 Data Subject's Request Management
The organization shall establish and document mechanisms to respond to and serve requests from an individual. Such mechanisms shall include:
a) Means to verify identity of an individual;
b) Providing access to data subject's information;
c) Means to update data subject's data, including deletion;
d) Service level agreement including aspects on time and cost as applicable.
5.10.1 Access to View Data
5.10.2 Ability to Update Data
5.10.3 Access to Privacy Notices
5.10.4 Requesting Mechanism
5.10.5 Service Level Agreements
5.10.6 Considerations for Fee
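The four mechanisms 5.10 a) to d) ask for, worked through as an added example that is not part of the deck or of IS 17428: a request is only served once identity has been verified, the subject can view, update or delete their data, each action is logged against the handling employee (the traceability 5.12.1 asks for), and open requests past the agreed service level are flagged. The HMAC challenge token, the 30-day period, the subject and employee ids and the sample record are all constructed assumptions; the standard leaves those choices to the organization.

```python
"""Added example (not from the IS 17428 deck): a minimal data subject request
(DSR) desk following clause 5.10 a) to d): identity verified before any data is
served, view/update/delete of the subject's data, every action logged against the
handling employee (5.12.1), and a service level clock that flags overdue requests.
The HMAC challenge token, the 30-day period and all names are constructed
assumptions; IS 17428 leaves these choices to the organization."""
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SLA = timedelta(days=30)  # assumed response period (5.10 d)


@dataclass
class Request:
    request_id: str
    subject_id: str
    kind: str  # "view", "update" or "delete"
    received: datetime
    verified: bool = False
    completed: datetime | None = None


class DsrDesk:
    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self.store: dict[str, dict[str, str]] = {}   # subject_id -> personal data
        self.requests: dict[str, Request] = {}
        self.audit: list[tuple[str, str, str]] = []  # (employee, request_id, action)

    def challenge_token(self, subject_id: str) -> str:
        """Token sent to the subject's registered contact (hypothetical channel, 5.10 a)."""
        return hmac.new(self._secret, subject_id.encode(), hashlib.sha256).hexdigest()[:12]

    def open(self, req: Request) -> None:
        if req.kind not in ("view", "update", "delete"):
            raise ValueError(f"unknown request kind {req.kind!r}")
        self.requests[req.request_id] = req

    def verify(self, req: Request, presented: str) -> bool:
        req.verified = hmac.compare_digest(presented, self.challenge_token(req.subject_id))
        return req.verified

    def serve(self, employee: str, req: Request, now: datetime,
              changes: dict[str, str] | None = None) -> dict[str, str] | None:
        """Fulfil a verified request (5.10 b, c); refuse and log anything unverified."""
        if not req.verified:
            self.audit.append((employee, req.request_id, "refused: identity not verified"))
            raise PermissionError("identity not verified")
        if req.kind == "view":
            result = dict(self.store.get(req.subject_id, {}))
        elif req.kind == "update":
            self.store.setdefault(req.subject_id, {}).update(changes or {})
            result = dict(self.store[req.subject_id])
        else:  # delete
            self.store.pop(req.subject_id, None)
            result = None
        req.completed = now
        self.audit.append((employee, req.request_id, f"{req.kind} completed"))
        return result

    def overdue(self, now: datetime) -> list[str]:
        """Ids of open requests past their SLA: evidence for 5.14 Periodic Audits."""
        return [r.request_id for r in self.requests.values()
                if r.completed is None and now > r.received + SLA]


def demo() -> dict[str, object]:
    # Constructed walk-through: a verified view, an unverified delete, an overdue check.
    desk = DsrDesk(secret=b"constructed-demo-secret")
    desk.store["subj-1"] = {"name": "A. Example", "email": "a@example.invalid"}
    t0 = datetime(2022, 9, 10, tzinfo=timezone.utc)
    view = Request("req-1", "subj-1", "view", t0)
    desk.open(view)
    desk.verify(view, desk.challenge_token("subj-1"))  # subject presents the token
    served = desk.serve("emp-42", view, t0 + timedelta(days=2))
    unverified = Request("req-2", "subj-1", "delete", t0)
    desk.open(unverified)
    try:
        desk.serve("emp-42", unverified, t0 + timedelta(days=3))
    except PermissionError:
        pass  # refusal is recorded in the audit trail
    return {"served": served, "audit": desk.audit,
            "overdue": desk.overdue(t0 + timedelta(days=31))}
```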
31
5.12 Staff Competency and Accountability *
The organization shall ensure that the staff and contractors handling personal information shall be competent, kept aware and their accountability is established for any actions related to processing of personal information.
* 5.10 Accountability of ISO 29100: providing suitable training for the personnel of the PII controller who will have access to PII
5.12.1 Traceability to Employee's Actions
5.12.2 Training and Awareness
5.12.3 Employee Declaration
5.12.4 Disciplinary Actions
32
Confidential. For internal use only.
Annex-B Security and privacy considerations for cloud infrastructure
33
B-2.1 Compliance to Applicable Regulations
Organizations should be aware that despite outsourcing the processing activities to the cloud provider, they continue to be the data controller. The Data Controller should comply with data protection laws, which vary from country to country. The Data Processor/Cloud provider is also required to adhere to laws and regulations to the extent applicable and stated as part of the contract.
Guidelines
34
B-2.2 Data Transfer Restrictions
In a public cloud, organizations may not have control over which employee's data is located in which jurisdiction at different points of time. There are restrictions imposed by privacy laws on data transfer between countries; for example, GDPR and other member nation laws put certain restrictions on data transfers outside Europe. Organizations should determine if such restrictions apply to them and, if applicable, implement appropriate controls to ensure data transfer is as per the applicable regulations.
A.12.1 Geographical location of PII: The public cloud PII processor should specify and document the countries in which PII can possibly be stored. The identities of the countries where PII can possibly be stored should be made available to cloud service customers.
35
B-2.3 Data Deletion
Data deletion may not be effective due to the following reasons:
a) Data is not strictly wiped.
b) Timely data deletion may not always be possible, either because extra copies of data are stored elsewhere, or because the storage media also stores data from other clients.
c) In scenarios where organizations use less space than estimated, the part of the storage media which usually stores their data could be used for another organization by the cloud provider.
d) Organizations should ensure that relevant clauses on deletion are added to the contract and that the cloud provider effectively deletes the data as per the requirements agreed.
A.11.13 Access to data on pre-used data storage space: The public cloud PII processor should ensure that whenever data storage space is assigned to a cloud service customer, any data previously residing on that storage space is not visible to that cloud service customer.
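Reasons a) and c) of B-2.3 and the A.11.13 control, modelled as an added example that is not part of the deck or of any cloud provider's code: a toy block pool that only drops the ownership mapping on release lets the next tenant read a departed tenant's residue, while the hardened pool overwrites released blocks and refuses to hand out a block that still holds data. The tenant names, the 16-byte block size and the sample record are constructed values.

```python
"""Added example (not from the IS 17428 deck): multi-tenant storage reuse.

Models the B-2.3 / A.11.13 concern: when storage space is reassigned, a
previous tenant's data must not be visible to the new tenant. A naive pool
that only drops the ownership mapping leaks residual bytes; the hardened
pool scrubs on release and verifies on assignment. Tenant names, block
size and the sample record are constructed values.
"""
from __future__ import annotations

BLOCK_SIZE = 16  # bytes per block (constructed; real media use far larger units)


class NaiveStoragePool:
    """Reassigns blocks without wiping them (B-2.3 a: data is not strictly wiped)."""

    def __init__(self, blocks: int) -> None:
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(blocks)]
        self.owner: dict[int, str] = {}  # block index -> tenant

    def assign(self, tenant: str, count: int) -> list[int]:
        free = [i for i in range(len(self.blocks)) if i not in self.owner]
        if len(free) < count:
            raise MemoryError("pool exhausted")
        chosen = free[:count]
        for i in chosen:
            self.owner[i] = tenant
        return chosen

    def _check_owner(self, tenant: str, block: int) -> None:
        if self.owner.get(block) != tenant:
            raise PermissionError(f"block {block} not assigned to {tenant}")

    def write(self, tenant: str, block: int, data: bytes) -> None:
        self._check_owner(tenant, block)
        if len(data) > BLOCK_SIZE:
            raise ValueError("record exceeds block size")
        self.blocks[block][: len(data)] = data  # same-length slice: no resize

    def read(self, tenant: str, block: int) -> bytes:
        self._check_owner(tenant, block)
        return bytes(self.blocks[block])

    def release(self, tenant: str) -> None:
        # Only the mapping is dropped; the bytes stay on the media.
        for i in [b for b, t in self.owner.items() if t == tenant]:
            del self.owner[i]


class ScrubbingStoragePool(NaiveStoragePool):
    """Wipes blocks on release and refuses to hand out unscrubbed ones (A.11.13)."""

    def release(self, tenant: str) -> None:
        for i in [b for b, t in self.owner.items() if t == tenant]:
            self.blocks[i][:] = bytes(BLOCK_SIZE)  # overwrite with zeros
            del self.owner[i]

    def assign(self, tenant: str, count: int) -> list[int]:
        chosen = super().assign(tenant, count)
        for i in chosen:
            if any(self.blocks[i]):  # defence in depth: residue means the scrub failed
                raise RuntimeError(f"block {i} not scrubbed before reassignment")
        return chosen


def residue_visible_to_new_tenant(pool: NaiveStoragePool) -> bool:
    """Tenant A is allotted two blocks but uses only one (B-2.3 c), writes a
    record, leaves; tenant B is assigned the same space. True if B sees A's bytes."""
    a_blocks = pool.assign("tenant-A", 2)
    pool.write("tenant-A", a_blocks[0], b"A-PII-RECORD-001")
    pool.release("tenant-A")
    b_blocks = pool.assign("tenant-B", 2)
    return any(pool.read("tenant-B", b) != bytes(BLOCK_SIZE) for b in b_blocks)


if __name__ == "__main__":
    print("naive pool leaks residue:", residue_visible_to_new_tenant(NaiveStoragePool(4)))
    print("scrubbing pool leaks residue:", residue_visible_to_new_tenant(ScrubbingStoragePool(4)))
```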
36
B-2.4 Neighbour Subpoena Risk
In the event of a subpoena on another customer of the cloud provider, if physical hardware of the cloud provider is confiscated by law-enforcement agencies as part of e-discovery, then due to the centralized storage as well as shared tenancy of physical hardware there is a risk of disclosure of the organization's data to unwanted parties. The organization may be required under various regulations to inform their customers about the circumstances of the transfer of personal information to the cloud provider and the purposes of the transfer. The cloud provider should promptly inform the co-tenant of the cloud in case of a subpoena, and organizations should ensure the same is also added as part of the contract.
Guidelines
37
B-2.5 Data Breach Reporting
In the event of a data breach, regulations in certain countries require disclosure to the individuals and regulators. Cloud providers are expected to promptly inform the organizations about the breach, and the same should also be added in the contract. The cloud provider needs to deploy mechanisms to proactively monitor and carry out timely reporting in the event of a data breach.
A.10.1 Notification to the customer in case of a data breach: Should promptly notify the relevant cloud service customer in the event of any unauthorized access to PII or unauthorized access to processing equipment or facilities resulting in loss, disclosure or alteration of PII.
38
B-2.6 Logs and Audit Trails
Logs and audit trails should be maintained by the cloud provider and made available to the organization for processing of data in the cloud.
A.11.3 Control and logging of data restoration: There should be a procedure for, and a log of, data restoration efforts.
39
B-2.7, B-2.8 & B-2.9
B-2.7 Data Custody
The organization should clearly determine the following and take appropriate steps to have this documented in the contract as well:
a) Who actually owns the data on the cloud?
b) What happens to the data if the contract gets terminated by either party?
B-2.8 Data Privacy Clauses
Appropriate data privacy clauses should be agreed and added to the contract between the organization and the cloud provider.
B-2.9 Data Subject Access
Data privacy regulations may require organizations to provide timely access to personal information when requested by an employee. The cloud provider should ensure that data retrieval and recovery is in line with customer expectations.
0.4 Selecting and implementing controls in a cloud computing environment: Contractual agreements need to clearly specify the PII protection responsibilities of all organizations involved in providing or using the cloud services, including the public cloud PII processor, its sub-contractors and the cloud service customer.
A.10.3 PII return, transfer and disposal

Editor's Notes

  1. "Privacy is the terrorists' best friend" - Richard Posner, American jurist and economist who was a United States Circuit Judge of the United States Court of Appeals for the Seventh Circuit in Chicago from 1981 until 2017, and is a senior lecturer at the University of Chicago Law School.
     Privacy Vs National Security; Personal Data Vs Privacy.
     PII Definition - NIST SP 800-122: PII is "any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."
     Privacy of: person; behaviour and action; communication; data and image (information); thoughts and feelings; location and space (territorial); association.
  2. https://aws.amazon.com/compliance/cloud-act/
  3. http://loksabhaph.nic.in/Committee/CommitteeInformation.aspx?comm_code=73&tab=1
  7. http://loksabhaph.nic.in/Committee/CommitteeInformation.aspx?comm_code=73&tab=1
  8. The figure in brackets shows the number of sub-sections in the Guidelines.