DATA PRIVACY & PROTECTION: Auditor's Perspective. ICAI, Mumbai Webcast, January 24, 2015. Presented by: Dinesh O Bareja, CISA, CISM, ITIL, Microsoft MVP


Upload: allan-davidson

Post on 19-Dec-2015


TRANSCRIPT

  • Slide 1
  • DATA PRIVACY & PROTECTION: Auditor's Perspective. ICAI, Mumbai Webcast, January 24, 2015. Presented by: Dinesh O Bareja, CISA, CISM, ITIL, Microsoft MVP
  • Slide 2
  • DATA PRIVACY & PROTECTION, AUDITOR'S PERSPECTIVE, JAN 24, 2015 @ ICAI, MUMBAI. Introduction & Agenda: a note about today's presentation
  • Slide 3
  • We will consider the concepts of Data and Privacy and take a look at the IT Act w.r.t. Privacy. Then we will review our obligations and skill development as auditors: certifications, client advisories, privacy audit, looking at a few case studies. First the facts, and then we see how it is to be accounted for!
  • Slide 4
  • Works in the information security domain across all functional areas of audit, awareness, optimization, strategy, solution development, consulting and advisory services. Earlier, over two decades in manufacturing, exports, trading and internet technology. A recognized authority and thought leader in cyber security in the country; has worked in India and abroad with enterprise and government clients. Strongly advocates the use of a common-sense-based approach to security. Dinesh O. Bareja, Microsoft MVP, CISA, CISM, ITIL, BS7799, Cert IPR, Cert ERM
  • Slide 5
  • Introduction: Data (do we really understand what it is?); Privacy (concepts of PII and legislation). The India Scenario: Privacy Regulations and Regulators; Data Protection, Collection / Transparency; Disclosure of Fair Use, Sharing; DSCI Privacy Framework. Privacy Audit: policy audit, fair use, readiness
  • Slide 6
  • Definitions and Facts: Data, Privacy, PII, Personal Information
  • Slide 7
  • Unprocessed collection of numbers, characters, images: raw data, research data, field data (may be collected by observation and recording)
  • Slide 8
  • Knowledge, Intelligence, Wisdom, Information
  • Slide 9
  • DATA as defined in law.
  • Slide 10
  • As per the IT Act (Amended) 2008: "Data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.
  • Slide 11
  • Defining the concept, and knowing what one is protecting and from what / whom
  • Slide 12
  • What data constitutes privacy information? Global: PII = Personally Identifiable Information / Patient Identifiable Information. India: SPDI = Sensitive Personal Data or Information
  • Slide 13
  • Protection, Anonymity, Anonymizing: this will help, but how long can you sustain such a work habit, as it will be a drag on your productivity?
  • Slide 14
  • Personal Information as per ITAA 2008: "Personal information" means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
  • Slide 15
  • Information Technology Act (Amended) 2008, Section 43A (iii): "Sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
  • Slide 16
  • PII as per NIST: any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information
  • Slide 17
  • International: Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA). New Zealand, the Privacy Act 1993. P.R. China: Computer Processed Personal Information Protection Act, enacted in 1995. Law of the Russian Federation "On Personal Data" as of 27.07.2006, No. 152-FZ. UK: European law, Data Protection Act. USA: not explicitly stated anywhere in the Bill of Rights; a few laws address privacy: Health Insurance Portability and Accountability Act (HIPAA); Financial Services Modernization Act (GLBA), 15 U.S. Code 6801-6810; Final Rule on Privacy of Consumer Financial Information, 16 Code of Federal Regulations, Part 313; Fair Credit Reporting Act (FCRA), 15 U.S. Code 1681-1681u; Fair Debt Collections Practices Act (FDCPA), U.S.C. 1692-1692
  • Slide 18
  • International: Article 8 of the European Convention on Human Rights (1950) covers the whole European continent (except Belarus and Kosovo). It protects the right to respect for private life: "Everyone has the right to respect for his private and family life, his home and his correspondence." Privacy has been defined and its protection has been established as a positive right of everyone.
  • Slide 19
  • International: Article 17 of the International Covenant on Civil and Political Rights of the United Nations of 1966 also protects privacy: "No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."
  • Slide 20
  • Today's age
  • Slide 21
  • Thinking Privacy? In today's age: NSA Prism; Cookies; CCTV; Personal pictures; Internet monitoring; Online search patterns; Social media contributions; Online shopping preferences; ISP monitoring of data d/l or u/l; License on your computer; Lost / stolen phone with pics; PAN number on railway chart; Email addresses, phone numbers
  • Slide 22
  • Slide 23
  • The India Scenario: Privacy protection is included in the extended IT Act. The Constitution of India (Article 21) guarantees Fundamental Rights; their scope has been widened to include the Right to Privacy (Unni Krishnan v/s State of AP). The ITA and Rules address privacy, especially ITA Sec. 43A, 66, 72. The Department of Personnel and Training (DoPT) is working on creating privacy legislation. An unofficial draft has been created and is generally the only document available at present.
  • Slide 24
  • Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
  • Slide 25
  • Sensitive Personal Data or Information, Rule 3: (i) Password; (ii) Financial information such as bank account or credit card or debit card or other payment instrument details; (iii) Physical, physiological and mental health condition; (iv) Sexual orientation; (v) Medical records and history; (vi) Biometric information; (vii) Any detail relating to the above clauses as provided to body corporate for providing service. Source: Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf
  • Slide 26
  • Sensitive Personal Data or Information (continued): (viii) Any of the information received under the above clauses by body corporate for processing, stored or processed under lawful contract or otherwise. Provided that any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules. Source: Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf
  • Slide 27
  • Regulators: Adjudicating Officer (ITAA Section 46); Cyber Appellate Tribunal (ITAA Sec 58(2)); Grievance Officer (as per ITAA Rule 5(9)); Courts; Government; Privacy Commissioner (Canada); CPIO / PIO, Privacy Information Officer
  • Slide 28
  • What are we protecting, and from whom?
  • Slide 29
  • Let's delete the previous slide from memory: this is our business and profession, and we have to advise our clients about risks in all forms and in all places, to the best of our knowledge
  • Slide 30
  • ITAA Sections That Matter for Privacy: 43, Penalty and compensation for damage to computer, computer system, etc.; 43-A, Compensation for failure to protect data; 66-A, Punishment for sending offensive messages through communication service, etc.; 66-C, Punishment for identity theft; 66-E, Punishment for violation of privacy; 72, Penalty for breach of confidentiality and privacy; 72-A, Punishment for disclosure of information in breach of lawful contract.
  • Slide 31
  • Sec 43 briefly: 43 establishes the framework for liability for penalty and compensation, identifying acts and actions; it defines the data collector and establishes the responsibility and liability of the collector. 43A: compensation for failure or negligence to protect data causing wrongful loss or gain
  • Slide 32
  • Sec 66 briefly: 66A establishes liability for using a computer to send offensive, menacing or false information or emails. 66C sets liability for identity theft through fraudulent use of electronic signatures, passwords, etc. 66E: capturing / sharing of personal / private pictures without consent, and liability for punishment
  • Slide 33
  • Sec 72 briefly: 72 sets penalty guidelines for breach of confidentiality and privacy due to disclosure by the trusted entity who collected the data. 72A: framework for disclosure of information in breach of a contract without consent
  • Slide 34
  • Summing up: there is stringent punishment awaiting anyone in contravention of these three sections. "Reasonable Security" cannot be defined and is anyone's guess; a strong prosecution can easily establish that the security effectiveness is unreasonable. PRIVACY must be included in the compliance horizon!
  • Slide 35
  • Sec 66A in action
  • Slide 36
  • Another Very Important Privacy Area: Patient Information
  • Slide 37
  • This is especially important as many CAs will have client BPOs who are in the business of medical transcription, insurance claims or any activity where they are handling patient / medical information
  • Slide 38
  • PHI Definition and Data Elements. Protected Health Information: The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information" (PHI). Individually identifiable health information is information, including demographic data, that relates to: the individual's past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual; and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
  • Slide 39
  • New Age Privacy Intrusion
  • Slide 40
  • New Age privacy intrusion
  • Slide 41
  • Body Scanners
  • Slide 42
  • ITAA Reasonable Security Practices and Procedures and Sensitive Personal Data Rules 2011: http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf
  • Slide 43
  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, notified on 11th April, 2013 under section 43A of the Information Technology Act. Defines sensitive personal data and reasonable security practices and procedures. The Rules require body corporate to provide a policy for privacy and disclosure of information (Rule 4), to obtain the consent of the user for collection of information (Rule 5), and to obtain prior permission from the provider of information before disclosure of sensitive personal information (Rule 6)
  • Slide 44
  • Compliance Requirements, Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011: Rule 1, Short title and commencement; Rule 2, Definitions; Rule 3, Sensitive personal data or information; Rule 4, Body corporate to provide policy for privacy and disclosure of information; Rule 5, Collection of information; Rule 6, Disclosure of information; Rule 7, Transfer of information; Rule 8, Reasonable security practices and procedures. http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf
  • Slide 45
  • The Professional Practice: PRIVACY
  • Slide 46
  • Privacy Professional Practice: Readiness; Policy Development; Audit; Breach Response; Governance
  • Slide 47
  • As a Practitioner, the crux of Privacy is in the following: the data subject CONSENTS to the objective for collection and provides information; the data collector must be transparent (why is the data being collected, what are you going to do with it, how will you store it, audit security effectiveness, etc.); the collector must provide a means for review, updating and deletion
  • Slide 48
  • Readiness: Gap analysis / current state assessment; Privacy policy document aligned to the ITAA Rules and any applicable laws; Review the privacy policy on the website; Establish a privacy audit plan, schedule, and guidelines; Empower an organization officer as CPIO, with training
  • Slide 49
  • Use Defense (Privacy) in Depth: it is a well-known concept practiced by InfoSec teams and can be easily extended to include privacy controls
  • Slide 50
  • Use Defense (Privacy) in Depth. BY DEFAULT, controls will include: PII data is identified at the point of entry; At the development stage PII handling is treated differently; Sensitive data storage is encrypted or segregated and periodically audited; Along with secure storage, secure archiving and deletion routines are also established; Use technologies like SIEM, DLP, 2FA
  • Slide 51
  • Use Defense (Privacy) in Depth. BY DEFAULT, controls will include: Ensure compliance at the point of data capture with transparent and standardized alerts, information pop-ups, notice of use; Create end-to-end transparency informing of use, storage, disposal, movement, sharing, and other changes
  • Slide 52
  • Use Defense (Privacy) in Depth. BY DEFAULT, controls will include: Do not ask for or obtain any more information than needed; Provide an anonymity mode for persons who are unwilling to share information; Create a data system that is sensitive to collection, change and deletion
  • Slide 53
  • Use Defense (Privacy) in Depth. BY DEFAULT, controls will include: Open communication with the person who has provided the data; No hidden archives
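The controls listed on slides 47 and 50-53 (consent to a stated purpose, PII identified at the point of entry, sensitive data segregated from the main record, no over-collection, an anonymity mode, review and deletion for the data subject, an audit trail) in working form, as an added Python example that is not part of the presentation or of any DSCI or ITAA material. The form-field names, their mapping onto the Rule 3 categories, and the token vault are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

# Rule 3 of the IT (Reasonable security practices and procedures and sensitive
# personal data or information) Rules, 2011 lists the SPDI categories quoted on
# the slides; mapping these hypothetical form fields onto them is an assumption.
SPDI_FIELDS = {
    "password": "Rule 3(i) password",
    "bank_account": "Rule 3(ii) financial information",
    "health_condition": "Rule 3(iii) health condition",
    "biometric_template": "Rule 3(vi) biometric information",
}
# "Personal information" per ITAA 2008: identifies a person but is not SPDI.
PI_FIELDS = {"name", "email", "phone", "pan"}


@dataclass(frozen=True)
class Consent:
    purpose: str        # the objective the data subject consented to (slide 47)
    fields: frozenset   # the fields the subject agreed to provide for it


class SpdiVault:
    """Segregated store for SPDI; the main record holds only opaque tokens."""
    def __init__(self):
        self.store = {}

    def put(self, value):
        token = "spdi_" + secrets.token_hex(8)
        self.store[token] = value
        return token

    def delete(self, token):
        self.store.pop(token, None)


def mask(value):
    # Reveal only the last 4 characters (PAN, phone, account numbers).
    s = str(value)
    return "*" * max(len(s) - 4, 0) + s[-4:]


class PrivacyIntake:
    """Privacy-by-default intake: classify at entry, minimise, segregate, audit."""
    def __init__(self, purpose_fields):
        self.purpose_fields = purpose_fields  # purpose -> PI/SPDI it really needs
        self.vault = SpdiVault()
        self.records = {}
        self.audit_log = []

    def collect(self, subject_id, submitted, consent=None):
        """Keep only needed and consented fields; consent=None is anonymity mode."""
        if consent is None:
            needed = set()  # anonymous: no identifying or sensitive field is kept
        else:
            needed = self.purpose_fields[consent.purpose] & consent.fields
        stored, refused = {}, []
        for name, value in submitted.items():
            if name in SPDI_FIELDS or name in PI_FIELDS:
                if name not in needed:
                    refused.append(name)  # over-asked, or not consented to
                    continue
                if name in SPDI_FIELDS:
                    value = self.vault.put(value)  # segregated; record keeps a token
            stored[name] = value
        self.records[subject_id] = stored
        self.audit_log.append(("collect", subject_id, sorted(stored), sorted(refused)))
        return stored, refused

    def view(self, subject_id):
        """Review copy for the data subject: PI masked, SPDI shown by category only."""
        shown = {}
        for name, value in self.records[subject_id].items():
            if name in SPDI_FIELDS:
                shown[name] = "<on file: " + SPDI_FIELDS[name] + ">"
            elif name in PI_FIELDS and name != "name":
                shown[name] = mask(value)
            else:
                shown[name] = value
        self.audit_log.append(("view", subject_id))
        return shown

    def erase(self, subject_id):
        """Deletion routine: purge vault entries first, then the record itself."""
        record = self.records.pop(subject_id, None)
        if record is None:
            return False
        for name, value in record.items():
            if name in SPDI_FIELDS:
                self.vault.delete(value)
        self.audit_log.append(("erase", subject_id))
        return True


def demo():
    """Constructed sample: a KYC form that over-asks for phone and health data."""
    intake = PrivacyIntake({"kyc": {"name", "pan", "bank_account"}})
    consent = Consent("kyc", frozenset({"name", "pan", "bank_account", "phone"}))
    form = {"name": "A. Subject", "pan": "ABCDE1234F", "phone": "9876543210",
            "bank_account": "001234567890", "health_condition": "asthma",
            "preferred_language": "hi"}
    stored, refused = intake.collect("s1", form, consent)
    return intake, stored, refused
```

In a real deployment the vault would be an encrypted, access-controlled store that is itself on the periodic audit schedule the slides call for.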
  • Slide 54
  • Audit: Carry out privacy audits for compliance with the adopted standard / framework; Compliance with client requirements; DSCI Privacy Framework assessment; Privacy good practices
  • Slide 55
  • Breach Response: Crisis management; Communication management; Breach containment; Negotiations with affected parties; Financial impact and recovery plans; Controls improvement
  • Slide 56
  • Governance: Steering committee; Ombudsman; Policies and procedures; Oversight; Process assurance for regulators, clients, stakeholders
  • Slide 57
  • Privacy Risks: Management, Response and Remediation
  • Slide 58
  • Risks: Cookies collect your information; Browsers provide an auto-complete feature; Tagged on social media by friends; Stalking; System breach; Cloud computing risks; Theft of data, identity; Malware / APT; Espionage; Phishing; Scams and frauds
  • Slide 59
  • Do you have a choice (?) when you accept the license terms without reading them
  • Slide 60
  • That was software; now we take a look at something you hold closer to your heart 24*7 than anything else (your life partner or love interest included)
  • Slide 61
  • Your Cell Phone & Apps: Do you have a choice (?)
  • Slide 62
  • ... when you are saying okay for anyone to intrude on your private life without knowing them
  • Slide 63
  • What does one advise clients? This is a paradox: do you tell a client to go back to chopdis (paper account books)? How do you handhold the client into a secure business and personal environment? Do we tell them to cut off from the world?
  • Slide 64
  • Legal Remediation: Policy and procedures aligned / compliant to ITAA; Effective Information Security Management System; Complaint / request to the Corporate Grievance Officer set up in Indian companies; Legal recourse under the ITA: Adjudicating Officer, Cyber Appellate Tribunal, High Court
  • Slide 65
  • Remediation Advice for Clients: Please keep your Digital Signatures, DIN, TIN numbers yourself. When we say "yourself" we mean in your OWN custody. If your client cannot do this, then you should ask them to hand over cash and bank accounts to you too
  • Slide 66
  • It is very convenient for clients to keep their digital identities with you, the CA. You are the trusted entity, but if something goes wrong, then what?
  • Slide 67
  • Section 11 of the IT Act may help to cover your liability, BUT it is better to be safe than to be sorry.
  • Slide 68
  • ITAA 2008, Section 11, Attribution of Electronic Records: An electronic record shall be attributed to the originator (a) if it was sent by the originator himself; (b) by a person who had the authority to act on behalf of the originator in respect of that electronic record; or (c) by an information system programmed by or on behalf of the originator to operate automatically.
  • Slide 69
  • Remediation Advice for Clients: Do not store customer personal data on your mobile device; Mask / encrypt PII; Carry out periodic audits; Keep your certifications valid; Ensure InfoSec in the spirit and not in the letter
  • Slide 70
  • Remediation Advice for Clients: Use encryption in emails, documents (voice communication too); When traveling overseas carry a sanitized laptop / device; Use a smartphone (if you have to) but don't be too smart: stay away from games and smart apps; Remember, NOTHING is free in this world
  • Slide 71
  • More Client Advice: Advise clients about their legal (criminal) liability in the event of non-compliance or breach; Ensure that your client enables best practices through standards or common sense; Audit reports must be read by the senior management, and not just the Executive Summary, which is usually sugar-coated to ensure that next year's assignment is also given to us!
  • Slide 72
  • Stay secure: protect yourself with good practices and processes based on effective standards and frameworks. Audit periodically and then ensure that findings are addressed
  • Slide 73
  • Very valuable collation of actions in this infographic from DSCI
  • Slide 74
  • Very valuable collation of actions in this infographic from DSCI (continued)
  • Slide 75
  • Slide 76
  • Privacy Enablement Solution for the Indian Corporate, until an international guideline / standard is asked for by a client
  • Slide 77
  • DSCI Privacy Framework (DPF): DSCI has taken the lead in defining privacy practices with consideration of the India business and regulatory scenario and requirements. The DPF framework consists of 9 best-practice areas which will help data processors / collectors in protecting the information entrusted to them and in providing the necessary assurance of the same to clients and authorities in India and overseas.
  • Slide 78
  • Will help the client organization meet the stringent demands of international standards / guidelines, as it provides in-depth guidance on Privacy Impact Analysis, Incident Management, Contracts, and Implementation. The program includes Training and Certification
  • Slide 79
  • DSCI
  • Slide 80
  • DSCI Privacy Principles: DSCI principles in the context of the Indian industry. The principles are derived from globally accepted principles of privacy and reflect the assurance level that an organization should create in its transactions with end customers. NOTICE: What is the privacy policy of an organization? These elements fall under the principle of notice; notify the data subject if there is a change in the privacy policy. CHOICE & CONSENT: The principle of collection limitation means collection of only the required set of data elements, by fair and lawful means, with the knowledge of the end user. USE LIMITATION: Personal data should not be made available or used for any purpose other than what was agreed with the data subject at the time of data collection. ACCESS & CORRECTION: This principle assures the data subject that his/her information is accurate, that he/she is given access to the information, and that he/she is provided with the opportunity to correct his/her data. SECURITY: Stipulates technical and organizational measures for securing the data, focused on the security of personal data. DISCLOSURE TO THIRD PARTY: To ensure privacy in all transactions when using third parties, the principles of data protection should be upheld in these relationships. OPENNESS: An organization should have a general policy of openness about developments, practices and policies with respect to the personal data it has collected, to increase the confidence of data subjects. ACCOUNTABILITY: The data collector is accountable for complying with the measures that implement the above principles. Note: the descriptions are not verbatim reproductions of the DSCI DPF. Please refer to the original document.
  • Slide 81
  • DSCI Assessment Framework (DPF)
  • Slide 82
  • The framework provides two approaches to providing assurance: Privacy Competence; Implementation of Global Privacy Principles
  • Slide 83
  • DSCI
  • Slide 84
  • We are nearing the end of this presentation, so the next question or thought in your mind may be...
  • Slide 85
  • Anticipated Questions: I do not have the (privacy) skills or certification to prove my capability! What do I do? How do I assure my client that I make good sense for their business?
  • Slide 86
  • SKILL DEVELOPMENT and Professional Certification
  • Slide 87
  • Skill Development: Do you read? When you read, do you correlate the reading with business issues? When you correlate with business, do you think about a particular client? When you think about a particular client, do you think about the industry too, with your risk glasses on?
  • Slide 88
  • Skill Development: When you wear your risk glasses, do you scare your client too? Finally, do you then read together?
  • Slide 89
  • Certifications: Certified Information Privacy Professional (CIPP); Certified Information Privacy Manager (CIPM); DSCI Certified Privacy Lead Assessor (DSCI-CPLA)
  • Slide 90
  • CIPP, CIPM. Textbooks: Certification Foundation Textbook $65; CIPP Concentration or CIPM Textbook $65. Practice Tests: Certification Foundation Practice Test $25; CIPP Concentration Practice Test $25. Exams: First-time Certification Foundation Exam $275; First-time Certification Concentration Exam (CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPP/IT, CIPM) $275; Retake Certification Foundation Exam $162; Retake Certification Concentration Exam (CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPP/IT, CIPM) $162. http://www.privacyassociation.org/
  • Slide 91
  • DSCI Certified Lead Privacy Assessor Training: Members Rs. 20,0000; Non-Members Rs. 22,500. 3-day program, includes all materials, lunch and refreshments. http://www.dsci.in/
  • Slide 92
  • My Personal Mantras: Use common sense uncommonly; Be practical; Keep it simple; Stay away from jargon; Talk business, not GeekSpeak
  • Slide 93
  • Slide 94
  • Slide 95
  • Professional Positions: Pyramid Cyber Security & Forensics (Principal Advisor); Open Security Alliance (Principal and CEO); Jharkhand Police (Cyber Security Advisor); Indian Honeynet Project (Co-Founder); Bombay Stock Exchange (Member, IGRC); Indian Infosec Consortium (Member, Advisor). Professional skills and special interest areas: Security consulting and advisory services for IS architecture, analysis, optimization; Government and enterprise policy development; Cyberwar, cyber-espionage and cybercrime deterrence / investigation; Technologies: SOC, DLP, IRM, SIEM; Practices: Incident Response, SAM, Forensics, Regulatory guidance; Community: mentoring, training, citizen outreach, India research; Business Continuity, Disaster Recovery; Critical Infrastructure Protection; Writer, Blogger, Columnist, Photographer. Dinesh O. Bareja, Microsoft MVP, CISA, CISM, ITIL, BS7799, Cert IPR, Cert ERM
  • Slide 96
  • Contact Information: [email protected]; @bizsprite; http://in.linkedin.com/in/dineshbareja; +91.9769890505 / +971.52.797-1356; dineshobareja; http://www.slideshare.net/bizsprite/
  • Slide 97
  • Acknowledgements & Disclaimer: The laws, standards and frameworks quoted in this presentation may not be verbatim from the sources. Users should ensure the correctness of the same before quoting from this document. We may have edited the legal statements to make the definitions more concise and usable by the non-legal community. Various resources on the internet have been referred to in contributing to the information presented, and a few sources have been mentioned in the next slide. Apologies are due to any sources which are not acknowledged; this is not intentional. Similarly, images too have been acknowledged (above) where possible. Any company names, brand names or trademarks are mentioned only to facilitate understanding of the message being communicated; no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s) by virtue of the mention. Relationships, if any, are acknowledged by the author(s). We apologise for any infraction, as this would be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s).
  • Slide 98