DATA PRIVACY & PROTECTION: Auditor's Perspective
ICAI, Mumbai Webcast, January 24, 2015
Presented by: Dinesh O Bareja, CISA, CISM, ITIL, Microsoft MVP
Slide 2
DATA PRIVACY & PROTECTION: AUDITOR'S PERSPECTIVE, JAN 24, 2015 @ ICAI, MUMBAI
Introduction & Agenda: a note about today's presentation
Slide 3
We will consider the concepts of Data and Privacy and take a look at the IT Act w.r.t. Privacy. Then we will review our obligations and skill development as auditors: certifications, client advisories, privacy audit; and look at a few case studies. First the facts, and then we see how it is to be accounted for!
Slide 4
Dinesh O. Bareja, Microsoft MVP, CISA, CISM, ITIL, BS7799, Cert IPR, Cert ERM
- Works in the information security domain across all functional areas: audit, awareness, optimization, strategy, solution development, consulting and advisory services. Earlier, over two decades in manufacturing, exports, trading and internet technology.
- A recognized authority and thought leader in cyber security in the country; has worked in India and abroad with enterprise and government clients.
- Strongly advocates the use of a common-sense based approach to security.
Slide 5
Agenda
- Introduction
- Data: do we really understand what it is?
- Privacy: concepts of PII and legislation
- The India Scenario: Privacy Regulations and Regulators; Data Protection; Collection / Transparency; Disclosure of Fair Use; Sharing
- DSCI Privacy Framework
- Privacy Audit: policy audit, fair use, readiness
Slide 6
Definitions and Facts: Data, Privacy, PII, Personal Information
Slide 7
Data: an unprocessed collection of numbers, characters, images; raw data, research data, field data (may be collected by observation and recording).
Slide 8
Figure: Information, Knowledge, Intelligence, Wisdom
Slide 9
DATA as defined in law.
Slide 10
As per the IT Act (Amended) 2008: "Data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.
Slide 11
Defining the concept and knowing what one is protecting, and from what / whom.
Slide 12
What Data Constitutes Privacy Information
- Global: PII = Personally Identifiable Information / Patient Identifiable Information
- India: SPDI = Sensitive Personal Data or Information
Slide 13
Protection: Anonymity. Anonymizing will help, but how long can you sustain such a work habit, as it will be a drag on your productivity?
Slide 14
Personal Information as per ITAA 2008: "Personal information" means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
Slide 15
Information Technology Act (Amended) 2008, Section 43A (iii): "Sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
Slide 16
PII as per NIST: any information about an individual maintained by an agency, including
1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records;
2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Slide 17
International
- Canada: the Federal Personal Information Protection and Electronic Documents Act (PIPEDA)
- New Zealand: the Privacy Act 1993
- P.R. China: Computer Processed Personal Information Protection Act, enacted in 1995
- Russian Federation: Law "On Personal Data" of 27.07.2006, No. 152-FZ
- UK: European law, Data Protection Act
- USA: not explicitly stated anywhere in the Bill of Rights. A few laws which address privacy: Health Insurance Portability and Accountability Act (HIPAA); Financial Services Modernization Act (GLBA), 15 U.S. Code 6801-6810; Final Rule on Privacy of Consumer Financial Information, 16 Code of Federal Regulations, Part 313; Fair Credit Reporting Act (FCRA), 15 U.S. Code 1681-1681u; Fair Debt Collections Practices Act (FDCPA), U.S.C. 1692-1692
Slide 18
International: Article 8 of the European Convention on Human Rights (1950) covers the whole European continent (except Belarus and Kosovo). It protects the right to respect for private life: "Everyone has the right to respect for his private and family life, his home and his correspondence." Privacy has been defined and its protection has been established as a positive right of everyone.
Slide 19
International: Article 17 of the International Covenant on Civil and Political Rights of the United Nations (1966) also protects privacy: "No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."
Slide 20
Today's age
Slide 21
Thinking Privacy? In today's age:
- NSA Prism
- Cookies
- CCTV
- Personal pictures
- Internet monitoring
- Online search patterns
- Social media contributions
- Online shopping preferences
- ISP monitoring of data d/l or u/l
- Licenses on your computer
- Lost / stolen phone with pics
- PAN number on a railway chart
- Email addresses, phone numbers
Slide 23
The India Scenario
- Privacy protection is included in the extended IT Act.
- The Constitution of India (Article 21) guarantees Fundamental Rights; scope widened to include the Right to Privacy (UnniKrishnan v/s State of AP).
- The ITA and Rules address privacy, especially ITA Sec. 43A, 66, 72.
- The Department of Personnel and Training (DoPT) is working on creating privacy legislation. An unofficial draft has been created and is generally the only document available at present.
Slide 24
Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
Slide 25
Sensitive Personal Data or Information, Rule 3:
i. Password
ii. Financial information such as bank account or credit card or debit card or other payment instrument details
iii. Physical, physiological and mental health condition
iv. Sexual orientation
v. Medical records and history
vi. Biometric information
vii. Any detail relating to the above clauses as provided to a body corporate for providing service
Source: Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf
Slide 26
Sensitive Personal Data or Information (continued):
viii. Any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise.
Provided that any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.
Source: Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf
Slide 27
Regulators
- Adjudicating Officer (ITAA Section 46)
- Cyber Appellate Tribunal (ITAA Sec 58(2))
- Grievance Officer (as per ITAA Rule 5(9))
- Courts
- Government Privacy Commissioner (Canada)
- CPIO / PIO: Privacy Information Officer
Slide 28
What are we protecting, and from whom?
Slide 29
Let's delete the previous slide from memory: this is our business and profession, and we have to advise our clients about risks in all forms and in all places, to the best of our knowledge.
Slide 30
ITAA Sections That Matter for Privacy
- 43: Penalty and compensation for damage to computer, computer system, etc.
- 43-A: Compensation for failure to protect data.
- 66-A: Punishment for sending offensive messages through communication service, etc.
- 66-C: Punishment for identity theft.
- 66-E: Punishment for violation of privacy.
- 72: Penalty for breach of confidentiality and privacy.
- 72-A: Punishment for disclosure of information in breach of lawful contract.
Slide 31
Sec 43, briefly
- 43: Establishes the framework for liability for penalty and compensation, identifying acts and actions; defines the data collector, establishes responsibility and liability of the collector.
- 43A: Compensation for failure or negligence to protect data causing wrongful loss or gain.
Slide 32
Sec 66, briefly
- 66A: Establishes liability for using a computer to send offensive, menacing or false information or emails.
- 66C: Sets liability for identity theft through fraudulent use of electronic signatures, passwords, etc.
- 66E: Capturing / sharing of personal / private pictures without consent, and liability for punishment.
Slide 33
Sec 72, briefly
- 72: Sets penalty guidelines for breach of confidentiality and privacy due to disclosure by the trusted entity who collected the data.
- 72A: Framework for disclosure of information in breach of a contract without consent.
Slide 34
Summing up: there is stringent punishment awaiting anyone in contravention of these three sections. "Reasonable Security" cannot be defined and is anyone's guess; a strong prosecution can easily establish that the security effectiveness is unreasonable. PRIVACY must be included in the compliance horizon!
Slide 35
Sec 66A in action
Slide 36
Another Very Important Privacy Area: Patient Information
Slide 37
This is especially important as many CAs will have client BPOs who are in the business of Medical Transcription, Insurance Claims or any activity where they handle patient / medical information.
Slide 38
PHI Definition and Data Elements. Protected Health Information: The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information" (PHI). Individually identifiable health information is information, including demographic data, that relates to: the individual's past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual; the individual's identity, or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
Slide 39
New Age Privacy Intrusion
Slide 41
Body Scanners
Slide 42
ITAA Reasonable Security Practices and Procedures and Sensitive Personal Data Rules 2011
http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf
Slide 43
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, notified on 11th April, 2013 under section 43A of the Information Technology Act, define sensitive personal data and reasonable security practices and procedures. The Rules require a body corporate to:
- provide a policy for privacy and disclosure of information (Rule 4);
- obtain the consent of the user for collection of information (Rule 5);
- obtain prior permission from the provider of information before disclosure of sensitive personal information (Rule 6).
Slide 44
Compliance Requirements: Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
- Rule 1: Short Title and Commencement
- Rule 2: Definitions
- Rule 3: Sensitive personal data or information
- Rule 4: Body corporate to provide policy for privacy and disclosure of information
- Rule 5: Collection of information
- Rule 6: Disclosure of information
- Rule 7: Transfer of information
- Rule 8: Reasonable Security Practices and Procedures
http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf
Slide 45
The Professional Practice: PRIVACY
Slide 46
Privacy Professional Practice: Readiness; Policy Development; Audit; Breach Response; Governance
Slide 47
As a Practitioner, the crux of Privacy is in the following:
- The data subject CONSENTS to the objective for collection and provides information.
- The data collector must be transparent: Why is the data being collected? What are you going to do with it? How will you store it? Audit security effectiveness, etc.
- The collector must provide a means for review, updating and deletion.
Slide 48
Readiness
- Gap analysis / current state assessment
- Privacy Policy document aligned to the ITAA Rules and any applicable laws
- Review the Privacy Policy on the website
- Establish a privacy audit plan, schedule, and guidelines
- Empower an organization officer as CPIO, with training
Slide 49
Use "Defense (Privacy) in Depth": it is a well-known concept practiced by InfoSec teams and can easily be extended to include privacy controls.
Slide 50
Use Defense (Privacy) in Depth. BY DEFAULT, controls will include:
- PII data is identified at the point of entry.
- At the development stage, PII handling is treated differently.
- Sensitive data storage is encrypted or segregated and periodically audited.
- Along with secure storage, secure archiving and deletion routines are also established.
- Use technologies like SIEM, DLP, 2FA.
Slide 51
Use Defense (Privacy) in Depth. BY DEFAULT, controls will include:
- Ensure compliance at the point of data capture with transparent and standardized alerts, information pop-ups, notice of use.
- Create end-to-end transparency informing use, storage, disposal, movement, sharing, and other changes.
Slide 52
Use Defense (Privacy) in Depth. BY DEFAULT, controls will include:
- Do not ask for or obtain any more information than needed.
- Provide an anonymity mode for persons who are unwilling to share information.
- Create a data system that is sensitive to collection, change and deletion.
Slide 53
Use Defense (Privacy) in Depth. BY DEFAULT, controls will include:
- Open communication with the person who has provided the data.
- No hidden archives.
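The "by default" controls on the preceding slides (identify PII / SPDI at the point of entry, collect no more than the declared purpose needs, offer an anonymity mode, mask or encrypt PII before it reaches logs or analytics) as one point-of-entry gate. This is an added example written for this page, not code from the presentation or from DSCI; the SPDI categories follow Rule 3 as listed on Slide 25, while the field-name spellings, the purpose sets and the sample intake record are assumptions constructed for illustration.

```python
"""
Point-of-entry SPDI gate (added example; not from the slides or DSCI).

Identifies PII/SPDI as a record arrives, refuses fields not declared for
the collection purpose (minimisation), requires consent before SPDI is
retained, supports an anonymity mode, and produces the masked view that
is the only form allowed into logs or analytics.
"""
from dataclasses import dataclass
import hashlib

# Rule 3 SPDI categories as listed on the slides; the field names mapped
# to each category are an assumption for this example.
SPDI_CATEGORIES = {
    "password": ("password", "pin", "otp"),
    "financial": ("bank_account", "card_number", "upi_id", "ifsc"),
    "health": ("health_condition", "mental_health"),
    "sexual_orientation": ("sexual_orientation",),
    "medical_records": ("diagnosis", "prescription", "medical_history"),
    "biometric": ("fingerprint", "iris_scan", "face_template"),
}

# "Personal information" in the ITAA 2008 sense: identifying, but not SPDI.
PI_FIELDS = ("name", "email", "phone", "pan", "date_of_birth", "address")


def classify(field_name):
    """Return ("SPDI", category), ("PI", None) or ("OTHER", None)."""
    for category, names in SPDI_CATEGORIES.items():
        if field_name in names:
            return "SPDI", category
    if field_name in PI_FIELDS:
        return "PI", None
    return "OTHER", None


def mask_value(field_name, value):
    """Representation that may leave the secure store (logs, analytics)."""
    kind, category = classify(field_name)
    text = str(value)
    if kind == "SPDI":
        if category == "password":
            return "[REDACTED]"  # never needed downstream, not even hashed
        # One-way token: records stay correlatable without exposing the value.
        return "tok:" + hashlib.sha256(text.encode("utf-8")).hexdigest()[:12]
    if kind == "PI":
        if len(text) <= 4:
            return "*" * len(text)
        return text[:2] + "*" * (len(text) - 4) + text[-2:]
    return value


@dataclass
class GateResult:
    retained: dict      # accepted for the declared purpose (secure store only)
    refused: list       # dropped at entry: not declared for the purpose
    masked_view: dict   # the only form allowed into logs / analytics
    spdi_present: bool  # signals that Rule 5/6 consent and disclosure duties apply


def gate(record, purpose_fields, consent_spdi=False, anonymous=False):
    """
    Admit only what the declared purpose needs. SPDI is retained only with
    explicit consent; in anonymity mode identifying (PI) fields are dropped.
    """
    retained, refused = {}, []
    spdi_present = False
    for name, value in record.items():
        kind, _ = classify(name)
        if name not in purpose_fields:
            refused.append(name)  # minimisation: field was never asked for
            continue
        if anonymous and kind == "PI":
            refused.append(name)  # anonymity mode for unwilling subjects
            continue
        if kind == "SPDI":
            if not consent_spdi:
                raise PermissionError(f"{name!r} is SPDI; collection needs consent")
            spdi_present = True
        retained[name] = value
    masked = {n: mask_value(n, v) for n, v in retained.items()}
    return GateResult(retained, refused, masked, spdi_present)


if __name__ == "__main__":
    # Constructed sample record: a claims-processing intake form.
    sample = {
        "name": "Priya Sharma",
        "phone": "9876543210",
        "card_number": "4111111111111111",
        "diagnosis": "asthma",
        "favourite_colour": "blue",  # never needed for a claim
    }
    result = gate(sample, {"name", "phone", "card_number"}, consent_spdi=True)
    print("refused at entry:", result.refused)
    print("safe to log:", result.masked_view)
```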
Slide 54
Audit
- Carry out privacy audits for compliance with the adopted standard / framework
- Compliance with client requirements
- DSCI Privacy Framework assessment
- Privacy good practices
Slide 55
Breach Response
- Crisis management
- Communication management
- Breach containment
- Negotiations with affected parties
- Financial impact and recovery plans
- Controls improvement
Slide 56
Governance
- Steering committee
- Ombudsman
- Policies and procedures
- Oversight process
- Assurance for regulators, clients, stakeholders
Slide 57
Privacy Risks: Management, Response and Remediation
Slide 58
Risks
- Cookies collect your information
- Browsers provide an auto-complete feature
- Tagged on social media by friends
- Stalking
- System breach
- Cloud computing risks
- Theft of data, identity
- Malware / APT
- Espionage
- Phishing
- Scams and frauds
Slide 59
Do you have a choice (?) when you accept the license terms without reading them?
Slide 60
That was software; now we take a look at something you hold closer to your heart 24*7 than anything else (your life partner or love interest included).
Slide 61
Your Cell Phone & Apps: do you have a choice (?)
Slide 62
...when you are saying okay for anyone to intrude on your private life without knowing them.
Slide 63
What Does One Advise Clients? This is a paradox: do you tell a client to go back to chopdis (paper account books)? How do you handhold the client into a secure business and personal environment? Do we tell them to cut off from the world?
Slide 64
Legal Remediation
- Policy and procedures aligned / compliant to the ITAA
- Effective Information Security Management System
- Complaint / request to the Corporate Grievance Officer set up in Indian companies
- Legal recourse under the ITA: Adjudicating Officer, Cyber Appellate Tribunal, High Court
Slide 65
Remediation Advice for Clients: please keep your Digital Signatures, DIN, TIN numbers yourself. When we say "yourself" we mean in your OWN custody. If your client cannot do this, then you should ask them to hand over cash and bank accounts to you too.
Slide 66
It is very convenient for clients to keep their digital identities with you, the CA. You are the trusted entity, but if something goes wrong, then what?
Slide 67
Section 11 of the IT Act may help to cover your liability, BUT it is better to be safe than sorry.
Slide 68
ITAA 2008, Section 11, Attribution of Electronic Records: An electronic record shall be attributed to the originator (a) if it was sent by the originator himself; (b) by a person who had the authority to act on behalf of the originator in respect of that electronic record; or (c) by an information system programmed by or on behalf of the originator to operate automatically.
Slide 69
Remediation Advice for Clients
- Do not store customer personal data on your mobile device
- Mask / encrypt PII
- Carry out periodic audits
- Keep your certifications valid
- Ensure InfoSec in the spirit and not in the letter
Slide 70
Remediation Advice for Clients
- Use encryption in emails and documents (voice communication too)
- When traveling overseas, carry a sanitized laptop / device
- Use a smartphone (if you have to) but don't be too smart: stay away from games and "smart" apps
- Remember: NOTHING is free in this world
Slide 71
More Client Advice
- Advise clients about their legal (criminal) liability in the event of non-compliance or breach.
- Ensure that your client enables best practices through standards or common sense.
- Audit reports must be read by senior management, and not just the Executive Summary, which is usually sugar-coated to ensure that next year's assignment is also given to us!
Slide 72
Stay secure: protect yourself with good practices and processes based on effective standards and frameworks. Audit periodically, and then ensure that findings are addressed.
Slide 73
A very valuable collation of actions in this infographic from DSCI.
Slide 76
Privacy Enablement Solution for the Indian Corporate ... until an international guideline / standard is asked for by a client.
Slide 77
DSCI Privacy Framework (DPF): DSCI has taken the lead in defining privacy practices with consideration of the Indian business and regulatory scenario and requirements. The DPF framework consists of 9 best practice areas which will help data processors / collectors in protecting the information entrusted to them, and in providing the necessary assurance of the same to clients and authorities in India and overseas.
Slide 78
It will help the client organization meet the stringent demands of international standards / guidelines, as it provides in-depth guidance on Privacy Impact Analysis, Incident Management, Contracts, and Implementation. The program includes Training and Certification.
Slide 79
DSCI
Slide 80
DSCI Privacy Principles: DSCI principles in the context of the Indian industry. The principles are derived from globally accepted principles of privacy. They reflect the need for an assurance level that an organization should create in its transactions with end customers.
- NOTICE: What is the privacy policy of an organization? These elements fall under the principle of notice. Notify the data subject if there is a change in the privacy policy.
- CHOICE & CONSENT: The principle of collection limitation means collection of only the required set of data elements, by fair and lawful means, with the knowledge of the end user.
- USE LIMITATION: The principle specifies that personal data should not be made available or used for any purpose other than what was agreed with the data subject at the time of data collection.
- ACCESS & CORRECTION: This principle assures the data subject that his/her information is accurate, that he/she is given access to the information, and is provided with the opportunity to correct his/her data.
- SECURITY: This stipulates technical and organizational measures for securing the data and should focus on the security of personal data.
- DISCLOSURE TO THIRD PARTY: To ensure privacy in all transactions when using third parties, the principles of data protection should be upheld in these relationships.
- OPENNESS: An organization should have a general policy of openness about developments, practices and policies with respect to the personal data it collected, to increase the confidence of subjects.
- ACCOUNTABILITY: The data collector is accountable for complying with the measures that give effect to the above principles.
Note: the descriptions are not verbatim reproductions of the DSCI DPF. Please refer to the original document.
Slide 81
DSCI Assessment Framework (DPF)
Slide 82
The framework provides for two approaches to providing assurance against: Privacy Competence; Implementation of Global Privacy Principles.
Slide 83
DSCI
Slide 84
We are nearing the end of this presentation, so the next question or thought in your mind may be...
Slide 85
Anticipated Questions: "I do not have the (privacy) skills or certification to prove my capability! What do I do? How do I assure my client that I make good sense for their business?"
Slide 86
SKILL DEVELOPMENT and Professional Certification
Slide 87
Skill Development
- Do you read?
- When you read, do you correlate the reading with business issues?
- When you correlate with business, do you think about a particular client?
- When you think about a particular client, do you think about the industry too, with your risk glasses on?
Slide 88
Skill Development
- When you wear your risk glasses, do you scare your client too?
- Finally, do you then read together?
Slide 89
Certifications
- Certified Information Privacy Professional (CIPP)
- Certified Information Privacy Manager (CIPM)
- DSCI Certified Privacy Lead Assessor (DSCI-CPLA)
Slide 90
CIPP, CIPM
Textbooks:
- Certification Foundation Textbook: $65
- CIPP Concentration or CIPM Textbook: $65
Practice Tests:
- Certification Foundation Practice Test: $25
- CIPP Concentration Practice Test: $25
Exams:
- First-time Certification Foundation Exam: $275
- First-time Certification Concentration Exam (CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPP/IT, CIPM): $275
- Retake Certification Foundation Exam: $162
- Retake Certification Concentration Exam (CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPP/IT, CIPM): $162
http://www.privacyassociation.org/
Slide 91
DSCI Certified Lead Privacy Assessor Training
- Members: Rs. 20,0000
- Non-Members: Rs. 22,500
3-day program; includes all materials, lunch and refreshments.
http://www.dsci.in/
Slide 92
My Personal Mantras
- Use Common Sense Uncommonly
- Be Practical
- Keep It Simple
- Stay Away From Jargon
- Talk Business, Not GeekSpeak
Slide 95
Dinesh O. Bareja, Microsoft MVP, CISA, CISM, ITIL, BS7799, Cert IPR, Cert ERM
Professional Positions
- Pyramid Cyber Security & Forensics (Principal Advisor)
- Open Security Alliance (Principal and CEO)
- Jharkhand Police (Cyber Security Advisor)
- Indian Honeynet Project (Co-Founder)
- Bombay Stock Exchange (Member, IGRC)
- Indian Infosec Consortium (Member, Advisor)
Professional skills and special interest areas
- Security consulting and advisory services for IS architecture, analysis, optimization; government and enterprise policy development
- Cyberwar, cyber-espionage and cybercrime deterrence / investigation
- Technologies: SOC, DLP, IRM, SIEM
- Practices: Incident Response, SAM, Forensics, Regulatory guidance
- Community: mentoring, training, citizen outreach, India research
- Business Continuity, Disaster Recovery, Critical Infrastructure Protection
- Writer, Blogger, Columnist, Photographer
Acknowledgements & Disclaimer: The laws, standards and frameworks quoted in this presentation may not be verbatim from the sources. Users should ensure the correctness of the same before quoting from this document. We may have edited the legal statements to make the definitions more concise and usable by the non-legal community. Various resources on the internet have been referred to in contributing to the information presented, and a few sources have been mentioned in the next slide. Apologies are due to any sources which are not acknowledged; this is not intentional. Similarly, images too have been acknowledged (above) where possible. Any company names, brand names or trademarks are mentioned only to facilitate understanding of the message being communicated; no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s) by virtue of the mention. Relationships, if any, are acknowledged by the author(s). We apologise for any infraction, as this would be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s).