Data Privacy Protection Competency Guide

“The data subject guidance on how to determine, describe, document and demonstrate accountability, responsibility, risks, policy, control, and operation of a managed data privacy and information security in an enterprise or agency of personal data processing.”
Resource Person: John Macasio

He is an ICT project management consultant who advocates rule- and standard-based data privacy and security compliance of information systems that respect the data privacy rights of a “Data Subject” and secure the privacy of personal data.

In 2014, he was tasked to provide standard-based technical training support to enterprises and agencies challenged by information security issues in their ICT service projects and operations.

In 2018 he created the Data Privacy Protection Guide by a Data Subject to support whole-of-enterprise data privacy and information security
Notification

Personal Data Privacy:
The name and email addresses collected, retained, and used in the seminar registration form are used to recognize the participants and to send learning materials and training information. During the online live seminar, a participant may opt to turn off his or her camera and simply use the microphone or chat for questions and comments. The online live seminar is not streamed on Facebook or YouTube.

Copyright Notice:
The cited and annotated content of the cited standards is duly owned by the respective research organizations or publishers.
The information provided about the rules and standards is for educational purposes.
The guide is free to use.
Being Competent in Data Privacy Protection

“A competent person has definitive understanding, skills and character needed to perform at a given level of performance standard, the decision and work associated with the mandated function and outcome.

It is indicated by the person’s ability to transfer and apply knowledge, skills and attitude to new situations, and to the requirement of collaborative results.”
Competency Model on Data Privacy Protection

A competency model is a shareable body of knowledge believed to define and differentiate the essential indicators of the required understanding, action and attitude behind the successful delivery of the performance
The NPC Circular 16-01 and NPC Advisory 2017-1 have to be recognized and implemented by a business enterprise or government agency that claims to be data privacy compliant.

The competency guidance enables the personal information controller and processor, and the head of a government agency, to accomplish the obligation to:

1. Create privacy and data protection policies, taking into account the privacy impact assessments, as well as Sections 25 to 29 of the implementing rules and regulations.
2. Inform and cultivate awareness on privacy and data protection within the organization of the Personal Information Controller or Processor, including all relevant laws, rules and regulations and issuances of the National Privacy Commission.
3. Conduct a mandatory, agency-wide training on privacy and data protection policies once a year: Provided, that a similar training shall be provided
Privacy Rule Context of Competency Re

NPC Circular 16-01: Security of Personal Data in Government Agencies
NPC Advisory 2017-01: Designation of Data Protection Officers
R.A. 10173 – Data Privacy Act 2012:
- Accountability and Responsibility
- Privacy and Security Risks / Privacy Impact Assessment Process
- Privacy and Security Controls / Privacy and Security Policy Making
- Privacy and Security Management / Outcome-Process-Procedure-Enabler
- Security Incident Management / Breach and Complaint Handling

Data Privacy Protection Competency Guide
Data Subject view of Rules and R.A. 10173 – Data Privacy Act 2012: The Accountable and Responsible

- Goals of the Data Privacy Law
- Concern of Data Privacy Law
- Key Result Areas of Privacy Compliance
- Roles, Accountability and Responsibility
Statutory Goals (R.A. 10173 Chapter 1 Section 2)

1. Protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.
2. Ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.

Sources of the rules: R.A. 10173; Implementing Rules and Regulations; National Privacy Commission Advisory and Circular Issuances, and Case Resolution
Data Privacy Protection Stakeholders

Whose Interest and Benefit is the Data Privacy Act of 2012, R.A. 10173: Participation, Accountability and Responsibility

1. Data Subject: Represents the exercise of data privacy rights and is the main party to associate personal data to be protected with privacy and security
2. National Privacy Commission: Creates regulation; monitors compliance; educates the public; enforces rules; and resolves cases on data privacy
3. Personal Information Controller: Directs and rules the processing of personal
5. Data Protection Officer: Performs the oversight function for the Personal Information Controller to achieve the mandated accountability and responsibility on data privacy
6. Compliance Officer for Privacy: Assists in the oversight function to direct compliance, to monitor breach events, to resolve and report privacy security incidents
7. IT and Provision of the technical measures to secure personal information protection in the location, hardware, software,
Implementation Concerns of R.A. 10173 – Data Privacy Act 2012

1. Compliance Governance
2. Personal Data of a Data Subject
3. Data Privacy Rights of a Data Subject
4. Privacy by Design and Privacy by Default of Personal Data Processing – Filing System and Automated System
5. Data Privacy and Information Security Risks Assessment of Data Processing System
6. Security Measures of Personal Data Protection
7. Privacy and Security Violations and Penalties
8. Privacy Management Program
9. Privacy Breach and Security Incident Response
Rules of Data Privacy Implementation

Rule 1 – Policy and Definitions
Rule 2 – Scope of Application
Rule 3 – National Privacy Commission
Rule 4 – Data Privacy Principles
Rule 5 – Lawful Processing of Personal Data
Rule 6 – Security Measures for Protection of Personal Data
Rule 7 – Security of Sensitive Personal Information in Government
Rule 8 – Rights of Data Subject
Rule 9 – Data Breach Notification
Rule 10 – Outsourcing and Subcontracting
Rule 11 – Registration and Compliance Requirements
Rule 12 – Rules on Accountability
Some Exception Considerations

1. Stated scope limitation of the law in the application of data privacy rules and regulation
2. Legal basis that limits the exercise of the data subject or his or her data privacy rights
3. Necessary and mandated lawful requirements to process personal data of a data subject
4. Legal basis for the “legitimate interest” of the personal information controller to process personal data gathered from a data subject
5. Legal basis that permits the requirements for data sharing or exchange between controller and 3rd
Relevant NPC Circulars and Advisories for the Implementation Concerns

1. Designate compliance officer – NPC Advisory 2017-1
2. Security of personal data in the government agency – NPC Circular 16-01
3. Data sharing agreements involving government agencies – NPC Circular 16-02
4. Registry of the data processing system – NPC Circular 17-01
5. Privacy impact assessment – NPC Advisory 2017-03
6. Privacy management manual – NPC Privacy Toolkit
7. Personal data breach management – NPC Circular 16-03
8. Guidelines on security incident and personal data breach reportorial requirements – NPC Advisory No. 2018-01
9. Rules of procedure to exercise the right to complain – NPC Circular 16-04
10. Rules of procedure on requests for advisory opinions – NPC Circular 18-01
11. Rules on mediation before the National Privacy Commission – NPC Circular 18-03
12. Guidelines on compliance checks – NPC Circular 18-02
Privacy and Security Standards: Normative references of practice

1. ISO 29100 – Privacy Framework
2. ISO 27001 Annex A – Security Framework
3. ISO 27701 – Information Security Extended to Privacy
4. ISO 29134 – Privacy Impact Assessment
5. ISO 29190 – Privacy Management Capability Assessment
6. ISO 27035 – Security Incident Management
7. ISO 27036 – Supplier Relationship Security and Privacy
8. ISO 27550 – Privacy in System Development Lifecycle
Privacy and Security Risks: Privacy Impact Assessment Process

- Basic Risks Management Methodology
- Risks Criteria and Control Requirement
- Identify, Analyze, Evaluate and Remedy
- Privacy Impact Assessment Report

What is management of data privacy and security risks? (ISO 31000)
What reasons cause a privacy impact assessment? (ISO 29134)

1. The developed, acquired and operated data processing system collects personal data
2. A change in applicable privacy related laws and regulations, internal policy and standards, information system operation, purposes and means for processing data, new or changed data flows
3. A new or prospective technology, service or other initiative where personal information is, or is to be, processed
4. A decision that sensitive personal information is going to be processed
5. A data privacy violation complaint is made against a
1. Collection
2. Retention
3. Use
4. Sharing
5. Disposal

1. Privacy Governance
2. Privacy Regulation & Policies
3. Privacy Rights Processes
4. Privacy Principles
5. Criteria Lawful Processing
6. Condition SPI Processing
7. Privacy Impact Assessment
8. Privacy Management System
9. Privacy Breach Management
10. ISO 29100 Privacy
Privacy Threat Incidents

Privacy Law R.A. 10173:
1. Unauthorized processing
2. Negligence in access
3. Improper disposal
4. Unauthorized purpose
5. Unauthorized access
6. Intentional breach
7. Concealed breach
8. Malicious disclosure
9. Unauthorized disclosure
10. Combination of unwanted act

Privacy Breach Threats to Personal Data (SANS Threat Survey):
1. Ransomware
2. Elevation of privilege into sensitive systems
3. Breaches in cloud-based, multitenant architectures
4. Denial of service
5. Data tampering
6. Identity theft
7. Insider threat
8. Questionable transactions
9. Corporate or foreign government espionage
10. Information disclosure
11. Compromise of DNS infrastructure enabling stealing and exfiltration of data
12. Anti-malware/Antivirus

Security Controls (R.A. 10173 and GDPR):
1. Security Policy
2. Network Protection
3. Confidentiality, Integrity, Availability, and Resilience Assurance of Processing System
4. Intrusion Detection and Prevention
5. Network Security Monitoring
6. Vulnerability Assessment and Penetration Testing
7. Backup and Data Recovery
8. Identity, Access, Privilege Management
9. Security Incident Management System
10. Data Loss Prevention
11. Encryption and Pseudonymization, Host-based encryption
12. Insider Threat Control
13. Third-Party Risk Management
Security Threat Incidents

Violation/Threat – Cyber Crime Prevention Law, R.A. 10175:
1. Illegal access
2. Illegal interception
3. Data interference
4. System interference
5. Misuse of device
6. Fraud
7. Forgery
8. Identity Theft
9. Cyber-squatting
10. Unsolicited Commercial Communications

Vulnerability/Exploitation (ETSI ISG ISI):
1. Website Forgery
2. Spam
3. Phishing
4. Intrusion
5. Website Defacement
6. Misappropriation of Resources
7. Denial of Service
8. Malware
9. Physical Intrusion
10. Malfunction
11. Loss or theft of mobile device
12. Trace Malfunction
13. Internal Deviant Behavior
14. Rights or Privileges Usurpation or Abuse
15. Unauthorized access to servers through remote access points
16. Illicit Access to Internet
17. Deactivating of Logs Recording
18. Non-patched or poorly patched vulnerability exploitation
19. Configuration vulnerability exploitation
20. Security incidents on non-inventoried and/or not

Control Measures (CIS Security Controls):
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Implement a Security Awareness and Training
Data Processing Privacy and Security Impact Assessment (template)

Name of Data Processing System:
Controller:
Processor: [ ] Outsource [ ] In source
Personal Database Name:
Location of Data Processing and Storage:
Legal Basis Data Processing:
Data Share:

Security incidents considered as threats to privacy and as penalized violations (rows):
1. Unauthorized processing
2. Negligence in access
3. Improper disposal
4. Unauthorized purpose
5. Unauthorized access or intentional breach

Vulnerabilities, privacy rules (columns):
- Privacy Rights Not Respected
- Privacy Principles Undermined
- Lawful Criteria to Process Personal Information Not Applied
- Conditions to Process Sensitive Personal Information Not Applied
- Data Sharing Condition Not Applied

Vulnerabilities, security measures (columns):
- Organizational Security Measures Not Instituted
- Physical Security Measures Not Implemented
- Technical Security Measures Not Installed
- CIS Security Control Not Applied
- OWASP Web Application Security Risks Not Remedied

Filled-in assessment (columns: Violation | Source of Security Threat | Exploited Vulnerabilities | Impact | Probability | Remedy Treatment):
1. Unauthorized processing | Organizational | No policy | Negligible | Unlikely | Vulnerability test
2. Negligence in access | Physical | Poor office design | Limited | Possible | Policy review
3. Improper disposal | Technical | Lack of procedures | Significant | Likely | Acquire tools
4. Unauthorized purpose | Organizational | Weak monitoring | Maximum | Almost certain | Organize team
5. Unauthorized access or intentional breach | Technical | Not segmented network | (blank) | (blank) | Training people
Privacy and Security Controls: Privacy and Security Policy Making

- What to Achieve-Maintain-Prevent-Eliminate
- Data Privacy and Security Governance
- Data Privacy Protection Policy
- Information Security Policy
What is to achieve with R.A. 10173?

1. PRIVACY RIGHTS (RA 10173 Chapter IV)

The rights to be exercised by an individual in the processing of personal data:
“Right to be informed”
“Right to access”
“Right to object”
“Right to complain”
“Right to rectify”
“Right to block”
“Right to erase”
“Right to data portability”
“Right to damages”
Privacy Rights on Personal Data

Privacy Rights of Data Subject: Respect Indicators
1. The right to be informed: Notification and consent
2. The right to give consent: Written or recorded agreement to process personal data
3. The right to access: Permission to view and participate
5. The right to erasure or blocking: Permission to withdraw and delete personal data
6. The right to rectify: Permission to check accuracy and to correct
7. The right to data portability: Ability to request and download personal data
8. The right to complain: Rules of procedure to file
What is to achieve with R.A. 10173?

2. PRIVACY PRINCIPLES (RA 10173 Chapter III)

The foundation of a data processing system that is privacy by design:
Consent and choice
Proportionality
Transparency
Legitimate Purpose
Fairness
Lawfulness
Accuracy
Minimization
Participation
Anonymity
Accountability
Privacy Principles of Personal Data Processing

Principles of Transparency, Legitimate Purpose and Proportionality

1. Transparency: The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of the personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.
2. Legitimate purpose: The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
Privacy Principles of Personal Data Processing

General principles in collection, processing and retention

1. Collection must be for a declared, specified, and legitimate purpose.
Consent is required prior to the collection and processing of personal data, subject to exemptions provided by the Act and other applicable laws and regulations. When consent is required, it must be time-bound in relation to the declared, specified and legitimate purpose. Consent given may be withdrawn.
The data subject must be provided specific information regarding the purpose and extent of processing, including, where applicable, the automated processing of his or her personal data for profiling, or processing for direct marketing, and data sharing.
Purpose should be determined and declared before, or as soon as reasonably practicable after, collection.
Privacy Principles of Personal Data Processing

2. Personal data shall be processed fairly and lawfully.
Processing shall uphold the rights of the data subject, including the right to refuse, withdraw consent, or object. It shall likewise be transparent, and allow the data subject sufficient information to know the nature and extent of processing.
Information provided to a data subject must always be in clear and plain language to ensure that it is easy to understand and access.
Processing must be in a manner compatible with the declared, specified, and legitimate purpose.
Processed personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Processing shall be undertaken in a manner that ensures appropriate privacy and security safeguards.

3. Processing should ensure data quality.
Personal data should be accurate and, where necessary for the declared, specified and legitimate purpose, kept up to date.
Privacy Principles of Personal Data Processing

4. Personal data shall not be retained longer than necessary.
Retention of personal data shall only be for as long as necessary:
(a) for the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated;
(b) for the establishment, exercise or defense of legal claims; or
(c) for legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by the appropriate government agency.
Retention of personal data shall be allowed in cases provided by law.
Personal data shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any
Privacy Principles of Personal Data Processing

5. Any authorized further processing shall have adequate safeguards.
Personal data originally collected for a declared, specified, or legitimate purpose may be processed further for historical, statistical, or scientific purposes, and, in cases laid down in law, may be stored for longer periods, subject to implementation of the appropriate organizational, physical, and technical security measures required by the Act in order to safeguard the rights and freedoms of the data subject.
Personal data which is aggregated or kept in a form which does not permit identification of data subjects may be kept longer than necessary for the declared, specified, and legitimate purpose.
Personal data shall not be retained in perpetuity in contemplation of a possible future use yet to be determined.
Privacy Principles of Personal Data Processing

General Principles for Data Sharing

1. Data sharing shall be allowed when it is expressly authorized by law: Provided, that there are adequate safeguards for data privacy and security, and processing adheres to the principles of transparency, legitimate purpose and proportionality.

2. Data sharing shall be allowed in the private sector if the data subject consents to data sharing, and the following conditions are complied with:
1. Consent for data sharing shall be required even when the data is to be shared with an affiliate or mother company, or similar relationships.
2. Data sharing for commercial purposes, including direct marketing, shall be covered by a data sharing agreement.
(a) The data sharing agreement shall establish adequate safeguards for data privacy and security, and uphold the rights of data subjects.
(b) The data sharing agreement shall be subject to review by the Commission on its own initiative or upon complaint of the data subject.
3. The data subject shall be provided with the following information prior to collection or before data is shared:
(a) Identity of the personal information controllers or personal information processors that will be given access to the personal data;
(b) Purpose of data sharing;
(c) Categories of personal data concerned;
(d) Intended recipients or categories of recipients of the personal data;
(e) Existence of the rights of data subjects, including the right to access and correction, and the right to object
Privacy Principles of Personal Data Processing

Data collected from parties other than the data subject for the purpose of research shall be allowed when the personal data is publicly available, or has the consent of the data subject for the purpose of research: Provided, that adequate safeguards are in place, and no decision directly affecting the data subject shall be made on the basis of the data collected or processed. The rights of the data subject shall be upheld without compromising research integrity.

Data sharing between government agencies for the purpose of a public function or provision of a
1. Any or all government agencies party to the agreement shall comply with the Act, these Rules, and all other issuances of the Commission, including putting in place adequate safeguards for data privacy and security.
2. The data sharing agreement shall be subject to review of the Commission, on its own initiative or upon complaint of the data subject.
What is to achieve with R.A. 10173?

INFORMATION SECURITY: The preservation of the confidentiality, integrity, and availability of information

CONFIDENTIALITY: Authority is enforced to keep the secrecy and privacy of personal data
INTEGRITY: Trust is assured in the accuracy, completeness, immediacy, usefulness, and reliability of personal data
AVAILABILITY: Accessibility is guaranteed in the connectivity, uptime, reachability, location, protection, and speed of personal information exchange
What is to achieve with R.A. 10173?

3. SECURITY MEASURES (RA 10173 Chapter V)

Organizational Security:
1. Compliance Officers
2. Data Protection Policies
3. Records of Processing Activities
4. Processing of Personal Data
5. Personal Information Processor Contracts

Physical Security:
1. Policies and Procedures on Limited Physical Access
2. Security Design of Office Space and Room
3. Person Duties, Responsibility and Schedule Information
4. Policies on transfer, removal, disposal, and re-use of electronic media
5. Prevention policies against mechanical destruction of files and equipment

Technical Security:
1. Security policy in processing personal data
2. Safeguards to protect the computer network against unlawful, illegitimate, and destructive activities
3. Confidentiality, integrity, availability, and resilience of the processing systems and services
4. Vulnerability assessment and regular monitoring for security breaches
5. Ability to restore the availability and access to personal data
What is to be prevented-eliminated with R.A. 10173?

4. PRIVACY VIOLATION (RA 10173 Chapter VII)

A privacy violation is an illegal or unwanted act that endangers the privacy rights of a person. A data privacy violation is a penalized act to be complained of through the NPC Complaint-Assisted Form.

Section 25 Unauthorized processing
Section 26 Negligence in access
Section 27 Improper disposal
Section 28 Unauthorized purpose
Section 30 Concealment of breach
Section 31 Malicious disclosure
Section 32 Unauthorized disclosure
Section 33 Combination of unwanted act
Data Privacy Rights Violation

1. Unauthorized processing: It is when personal information is processed without the consent of the data subject, or without being authorized using lawful criteria.
2. Negligence in access: It is when personal information is made accessible due to negligence and without being authorized by any existing law.
3. Improper disposal: It is when personal information is knowingly or negligently disposed of, discarded, or abandoned in an area accessible to the public, or has otherwise been placed in any container for trash collection.
4. Unauthorized purpose: It is when personal information is
5. Unauthorized access or intentional breach: It is when an individual handling personal information knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information are stored.
6. Concealed breach: It is when an individual or entity who has knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f) of the Act,
7. Malicious disclosure: It is when an individual or entity, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or sensitive personal information obtained by him or her.
8. Unauthorized disclosure: It is when an individual or entity discloses to a third party personal
[Diagram: Personal Information Processing Responsibility Flow. Actors shown: Data Subject, PI Controller, PI Processor, Third-Party. Labels shown: Maintain Personal Information Inventory; Execute Personal Data Processing Privacy Agreement; Instruct Processing of Personal Data; Receive, Accept and Provide Request for Personal Information; Share Retained or Receive Collected Personal Information; Data Disclosure or Sharing Agreement; Collect, Retain, Use, Disclose, Dispose; Access, Block, Erase, Change, Complain, Transfer, Claim; Privacy Regulations, Policies, Controls, Agreements.]
DATA PRIVACY RIGHTS AND PROCESSING POLICY

DATA PRIVACY RIGHTS
1. To be informed
2. To give consent
3. To have access
4. To correct
5. To block or erase
6. To complain
7. To claim damage
8. To transfer rights
9. To claim data

PERSONAL DATA PRIVACY PROCESSING POLICY
Lifecycle stages: Collection (Get), Processing (Use), Retention (Store), Sharing (Disclose), Disposal (Delete)

Policy for Collection, Processing, Retention and Disposal (the same set applies at each of these four stages):
1. Lawful criteria
2. Transparency
3. Legitimate purpose
4. Proportionality
5. Declared, specified, and legitimate purpose
6. Fair and lawful
7. Data Quality
8. Not retained longer
9. Adequate

Policy for Sharing:
1. Authorized by law
2. Data subject consent
3. Adequate Safeguard
4. For research using publicly available data
5. Data sharing agreement
SECURITY MEASURES POLICY

Organizational Security:
1. Compliance Officers
2. Data Protection Policies
3. Records of Processing Activities
4. Processing of Personal Data
5. Personal Information Processor Contracts

Physical Security:
1. Policies and Procedures on Limited Physical Access
2. Security Design of Office Space and Room
3. Person Duties, Responsibility and Schedule Information
4. Policies on transfer, removal, disposal, and re-use of electronic media
5. Prevention policies against mechanical destruction of files and equipment

Technical Security:
1. Security policy in processing personal data
2. Safeguards to protect the computer network against unlawful, illegitimate, and destructive activities
3. Confidentiality, integrity, availability, and resilience of the processing systems and services
4. Vulnerability assessment and regular monitoring for security breaches
5. Ability to restore the availability and access to personal data
6. Regularly testing, assessing, and evaluating the effectiveness of
DATA PRIVACY AGREEMENT POLICY

Privacy agreement with the Personal Information Controller, by party:

Data Subject – Notification and Consent Form, covering:
1. The purpose
2. The personal data
3. The data processing activities
4. The data processor and 3rd party
5. The exercise of privacy rights
6. The privacy compliance procedures

Data Processor – Data Processing Agreement, covering:
1. Data privacy rights
2. Data processing privacy principles
3. Personal data security measures
4. Accountability

3rd Party – Data Sharing Agreement, covering:
1. Data sharing principles

DPO – Appointment Contract, covering:
1. Authority
2. Accountability
3. Tasks
4. Deliverables
Privacy and Security Management: Outcome-Process-Procedure-Enabler

- Privacy Management Capability
- Function-Policy-Process-Documentation
- Supplier Relationship Management
- System Development Project Privacy Management
Who are the stakeholders of data privacy management?

1. Data Subject
- personal data
- privacy rights
- complainant
2. National Privacy Commission
- rule making
- compliance monitoring
- complaint and investigation
- enforcement
3. Personal Information Controller
- legitimate interest
- data processing instruction
- privacy law accountability
4. Personal Information Processor
- data processing system
- data processing agreement and execution
- privacy law accountability
5. Data Protection Officer
- privacy compliance oversight
- privacy single point of contact
- privacy awareness and training
What are the stakeholders’ privacy agreements?

1. Assets of data privacy to be secured
2. Privacy and security risks to be controlled
3. Privacy protection policies and measures to be maintained
4. Privacy and security contracts to be enforced
5. Business systems and processes to be ruled with data privacy and security controls
6. Privacy and security management methodology and technology to be acquired
7. Privacy capability building of personnel to be regularly conducted
8. Data privacy and information security ecosystem relationship to be maintained
What is to be managed?

1. PRIVACY is freedom from intrusion into the private life or affairs of an individual or person, when that intrusion results from undue or illegal gathering and use of data about that individual. (ISO 2382 – IT Vocabulary)
What is to be managed?

2. PRIVACY PROTECTION represents the definitive act of respecting the person's rights of privacy and the security of personal data that are being collected, processed, retained, shared, and disposed of by the personal information controller and processor of business or government.
What is to be managed?
The identifiable person
has a human right called
PRIVACY.
that represent a
set of information
that identifies an
individual or
person.1. Personal Information
2. Sensitive Personal Information
3. Privileged Information
3. PERSONAL DATA
Personal Data Category
1. Name: given name, middle name, surname, alias
2. Identification number: license number, tax number
3. Location data: address, GPS location
4. Online identifier: e-mail, IP address
5. Digital identifier: biometric, CCTV data
6. Genetic data: DNA test result
7. Health data: diagnostic report
8. Research data: research question, enumerator interview logs
9. Physical factor: height, weight, sex
10. Physiological factor: body chemistry
11. Mental factor: intellectual aptitude test results
12. Economic factor: salary, debts, property
13. Cultural factor: nationality, tribe
14. Social identity: club membership, titles, legal record
Sensitive Personal Information (RA 10173 sec. 3(l))
1. Health, education, genetic or sexual life of a person
2. Proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings
3. Individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations
4. Identification document issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns
Personal Data Processing Privacy Protection
Privacy protection requirement: management result
1. Personal data and processing system visibility: registry of personal data, filing system, automation program
2. Respect data privacy rights: data privacy rights policy, process, notification, consent
3. Regulated personal data processing lifecycle of personal information and sensitive personal information: inventory of process, system and technology, and risk assessment
4. Data privacy principles in personal data processing: data processing privacy
6. Conditions to process sensitive personal information: privacy policy and system conformity test
7. Accountability in personal data sharing: data sharing agreement and security measures
8. Security measures in personal information protection: organizational, physical and technical measures (policy, role, activities, product, services and technology)
9. Breach and privacy violation and corresponding penalties: breach reporting and case management
Data Processing Activities by Stakeholder (personal data flow: Data Subject -> Information Controller -> Information Processor -> Third Party Data Share)
Collection: data subject gives consent (registers); controller instructs collection; processor collects and secures; third party provides
Retention: controller instructs storage; processor stores and secures
Processing: controller instructs processing; processor uses and secures; third party consumes
Share: controller instructs transfer; processor discloses and secures; third party receives
Dispose: controller instructs deletion; processor deletes and secures
Personal Data Collection and Retention Process (swimlanes: Data Subject, PI Controller, PI Processor)
Data Subject: inputs personal data or a change request -> reads the notification -> gives or withholds consent (Yes/No) -> may later request to view, block, correct, delete or copy the data
PI Controller: applies the personal information requirement, the data processing agreement, the data privacy regulation, policy and controls, and the privacy rights principles -> instructs collection and retention of personal data
PI Processor: applies the capture and store rules -> executes personal data collection and retention -> writes to the personal data store -> data is ready for use and disclosure
Personal Data Use and Disclosure Process (swimlanes: Data Subject, PI Controller, PI Processor, 3rd Party)
Data Subject: inputs personal data or requests access -> reads the notification -> gives or withholds consent (Yes/No) -> may request to view, block, correct, delete or copy the data, or complain
PI Controller: applies the personal information requirement, the data utilization and sharing agreement, the data privacy regulation, policy and controls, and the legitimate use criteria (lawful processing, privacy control) -> instructs utilization and sharing of personal data
PI Processor: executes the use and sharing of data -> displays processing and results -> writes to the personal data sharing store
3rd Party: receives the shared personal data under the sharing agreement
Personal Data Disposal Process (swimlanes: Data Subject, PI Controller, PI Processor, 3rd Party)
Data Subject: requests access -> reads the notification -> gives or withholds consent (Yes/No) -> may request to view or copy the data, or complain
PI Controller: applies the personal information requirement, the data retention and disposal agreement, the data privacy regulation, policy and controls, and the disposal condition (retention rule, responsible party) -> instructs disposal of stored personal information
PI Processor: executes the disposal or destruction of personal data and media -> file shredded, media destroyed
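The three swimlane processes above, together with the PI / SPI split from the Personal Data Category slide, can be turned into a check that a processor's system actually enforces. The following Python is an added worked example written for this guide; it is not code from the original deck, from the National Privacy Commission or from any ISO standard. The registry fields, the "seminar-registration" purpose, the retention period, the subject identifiers and the class names are constructed sample values and assumptions, chosen to mirror the notification on the guide's own registration form.

```python
# Added worked example for this guide (not from the original deck, NPC or ISO):
# a minimal "privacy gate" that encodes the three flows above. Every name,
# field, purpose and retention period below is a constructed sample value.
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Category(Enum):
    PI = "personal information"
    SPI = "sensitive personal information"


# Registry of personal data held by the controller (the "visibility" result).
# SPI tags follow the RA 10173 sec. 3(l) list: government-issued identifier, health data.
REGISTRY = {
    "full_name": Category.PI,
    "email": Category.PI,
    "tin": Category.SPI,        # tax identification number: government-issued ID
    "diagnosis": Category.SPI,  # health data
}


@dataclass
class Consent:
    subject_id: str
    purposes: set          # purposes stated in the notification the subject read
    spi_explicit: bool     # separate, explicit consent covering SPI fields
    given_on: date
    retention_days: int    # retention rule agreed for this processing


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class PrivacyGate:
    consents: dict = field(default_factory=dict)  # subject_id -> Consent
    audit: list = field(default_factory=list)     # one entry per request, allowed or not

    def record_consent(self, consent: Consent) -> None:
        self.consents[consent.subject_id] = consent

    def _expired(self, consent: Consent, today: date) -> bool:
        return today > consent.given_on + timedelta(days=consent.retention_days)

    def _evaluate(self, subject_id, fields, purpose, today) -> Decision:
        consent = self.consents.get(subject_id)
        if consent is None:
            return Decision(False, "no consent on record")
        unknown = [f for f in fields if f not in REGISTRY]
        if unknown:
            return Decision(False, f"field(s) not in the personal data registry: {unknown}")
        if self._expired(consent, today):
            return Decision(False, "retention period expired; data is due for disposal")
        if purpose not in consent.purposes:
            return Decision(False, f"purpose '{purpose}' not covered by consent")
        spi = [f for f in fields if REGISTRY[f] is Category.SPI]
        if spi and not consent.spi_explicit:
            return Decision(False, f"SPI field(s) {spi} need explicit consent")
        return Decision(True, "consent, purpose and SPI condition satisfied")

    def request(self, activity, subject_id, fields, purpose, today=None) -> Decision:
        """Gate a collect / use / disclose request and record it in the audit trail."""
        today = today or date.today()
        decision = self._evaluate(subject_id, list(fields), purpose, today)
        self.audit.append((activity, subject_id, tuple(fields), decision.allowed, decision.reason))
        return decision

    def due_for_disposal(self, today=None) -> list:
        """Subjects whose retention rule has lapsed: the input to the disposal process."""
        today = today or date.today()
        return sorted(s for s, c in self.consents.items() if self._expired(c, today))


def demo() -> dict:
    """Run the three flows on a constructed seminar-registration scenario."""
    gate = PrivacyGate()
    gate.record_consent(Consent("ds-1", {"seminar-registration"}, False, date(2024, 1, 1), 365))
    return {
        "collect": gate.request("collect", "ds-1", ["full_name", "email"], "seminar-registration", date(2024, 2, 1)).allowed,
        "use_other_purpose": gate.request("use", "ds-1", ["email"], "marketing", date(2024, 2, 1)).allowed,
        "disclose_spi": gate.request("disclose", "ds-1", ["tin"], "seminar-registration", date(2024, 2, 1)).allowed,
        "use_after_retention": gate.request("use", "ds-1", ["email"], "seminar-registration", date(2025, 3, 1)).allowed,
        "unknown_subject": gate.request("use", "ds-2", ["email"], "seminar-registration", date(2024, 2, 1)).allowed,
        "due_for_disposal": gate.due_for_disposal(date(2025, 3, 1)),
        "audit_entries": len(gate.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of the checks is deliberate: a lapsed retention rule blocks every use before purpose is even considered, so data that should already have gone through the disposal process cannot be re-used under an otherwise valid consent. Every request, allowed or refused, lands in the audit list, which is the evidence the Data Protection Officer needs for the "accountability" and "breach and complaint management" results listed later in the guide.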
Develop Privacy Management Program
A privacy management program or system is a definitive and shared understanding, decision and work about the data privacy protection capability and protocols of the business units that are responsible for personal data processing. It consists of:
1. Organized compliance governance
2. Subscribed data privacy and security policies
3. Remediation action based on the privacy impact assessment report
4. Continual education on data privacy protection
Data Privacy Management Capability – ISO 29190
1. Inventory: the enterprise or agency understands what composes its processing of personal data. It is able to make visible and account for the processes, systems, databases, and third parties involved with processing personal information and sensitive personal information.
2. Policy: the enterprise or agency has adopted and agreed on its corporate and business unit policies over privacy rights assurance and the security of personal information protection in the collection, retention, transmission, use, disclosure and disposal of personal data.
3. Governance: the enterprise or agency has an accepted matrix of roles, accountability, responsibilities and competencies to manage data privacy and security of personal information at the corporate and business unit levels.
4. Risk Management: the enterprise or agency has adopted an approach or methodology for managing privacy risk and business compliance across the organization, addressing the use of technologies, and dealing with trans-border and multi-jurisdictional challenges.
5. Procedures & Controls: the enterprise or agency has written and communicated procedures and controls to actively enforce policy and other compliance obligations, and monitors those procedures and controls to ensure they remain intact and effective.
6. Information Security: the enterprise or agency has set up the information security management system that ensures the confidentiality, integrity, and availability of personal information and the related information technology used to collect, store, transfer, use, share, archive, and destroy the personal data.
7. Third Party Management: the enterprise or agency has third-party risk management processes that account for privacy, including performing due diligence during the selection process, putting controls in place (both contractually and for the secure transfer of the information) and building a solid basis of confidence that the third parties using the personal information can protect it and govern its use.
8. Compliance: the enterprise or agency has a program to manage compliance with policy, regulations, and other obligations around data privacy assurance and security of personal information protection.
9. Incident Management: the enterprise or agency has a standard process, documented in a comprehensive plan, which provides an effective and orderly response to security incidents and potential breach incidents involving personal information.
10. Training & Awareness: the enterprise or agency has general and tailored training related to the organization's use and protection of personal information, supported by an ongoing awareness program and related guidance.
Rule and Standard Based Management of Data Privacy
R.A. 10173 Implementing Rules and Regulations:
Rule 1 – Policy and Definitions
Rule 2 – Scope of Application
Rule 3 – National Privacy Commission
Rule 4 – Data Privacy Principles
Rule 5 – Lawful Processing of Personal Data
Rule 6 – Security Measures for Protection of Personal Data
Rule 7 – Security of Sensitive Personal Information in Government
Rule 8 – Rights of Data Subject
Rule 9 – Data Breach Notification
Rule 10 – Outsourcing and Subcontracting
Rule 11 – Registration and Compliance Requirements
Rule 12 – Rules on Accountability
Rule 13 – Penalties
Rule 14 – Miscellaneous Provisions
Data Privacy Policy – ISO 29100 privacy principles:
5.2 Consent and choice
5.3 Purpose legitimacy and specification
5.4 Collection limitation
5.5 Data minimization
5.6 Use, retention and disclosure limitation
5.7 Accuracy and quality
5.8 Openness, transparency and notice
5.9 Individual participation and access
5.10 Accountability
5.11 Information security
5.12 Privacy compliance
Information Security Policy – ISO 27001 Annex A:
A5 Information security policies
A6 Organization of information security
A7 Human resource security
A8 Asset management
A9 Access control
A10 Cryptography
A11 Physical and environmental security
A12 Operations security
A13 Communications security
A14 System acquisition, development and maintenance
A15 Supplier relationships
A16 Information security incident management
A17 Information security aspects of business continuity management
Rule and Standard Based Management of Data Privacy – Policy, Inventory, Risks, Controls, Operation
- R.A. 10173 – 2016 Implementing Rules and Regulations
- NPC Advisories and Circulars
- ISO 10007 – Configuration Management
- ISO 31000 – Risk Management
- ISO 27005 – Security Risk Management
- R.A. 10173 Security Measures
- ISO 29151 – Privacy Controls
- ISO 27036 – Security of Supplier Relationships
- NPC Circular 16-03 – Personal Data Breach Management
- NYMITY Accountability Framework
- ISO 29100 – Data Privacy Framework
- ISO 27001 – Information Security Framework
- ISO 29190 – Privacy Management Capability
- NPC Circular 17-01 – Registration of Data Processing System and Automated System
- ISO 29134 – Privacy Impact Assessment
- ISO 22307 – Finance Sector Privacy Impact Assessment
- NPC Advisory No. 2017-03 – PIA Guidelines
- ISO 27002 – Security Controls
- CIS Security Controls
- ISO 27017 – Cloud Security
- ISO 27018 – Cloud Privacy
- ISO 27045 – Big Data Security and Privacy
- ISO 27701 – Privacy Information Management System
- ISO 27035 – Security Incident Management
- ISO 27032 – Cyber Security Guidelines
- ISO 27550 – Privacy Engineering for System Life Cycle Processes
- ETSI Security Indicators
- Security Operation Center Configuration
- Security Incident Protocol and Breach
- Rules on Procedures for Complaints
- Change Management
- Security Incident Management
- Breach and Complaint Handling
Data Processing Privacy Compliance (diagram)
Actors: Data Subject; Personal Information Controller and Processor; Security Operation Center; the regulator under Republic Act 10173 – DPA 2012
Data moving between them: PI (personal information), SPI (sensitive personal information), PVI (privileged information)
Data lifecycle: collect, retain, process, transmit, share, dispose
Technology infrastructure: apps platform, on-premise data center, network, database, on-cloud, sensors
Business process, system and technology: Customer Relationship System, Enterprise Resource System, Performance Control System
Privacy rights:
1. Inform
2. Access
3. Block
4. Change
5. Transfer
6. Complain
7. Damage
8. Portability
9. Correct
10. Erase
Data processing privacy compliance:
1. Compliance Organization
2. Privacy Rights Process
3. Data Processing Privacy Principles
4. Lawful Criteria for PI Processing
5. Conditions for SPI Processing
6. Accountability in Data Share
7. Data Protection Security Measures
8. Breach and Complaint Management
Privacy Violation and Security Violation (diagram)
Same actors, data lifecycle and technology infrastructure as above; each data share involves access, record and use on both sides, protected by organizational, technical and physical security measures.
Privacy violations:
1. Unauthorized processing
2. Negligence in access
3. Improper disposal
4. Unauthorized purpose
5. Unauthorized access
6. Intentional breach
7. Concealed breach
8. Malicious disclosure
9. Unauthorized disclosure
Security violations:
1. Illegal access
2. Illegal interception
3. Data interference
4. System interference
5. Misuse of devices
6. Cyber squatting
7. Computer forgery
8. Computer fraud
9. Identity theft
Information Security Layer of Data Privacy Protection
Compliance layer: Governance, Risks, and Compliance System
Perimeter layer: Next Gen Firewall, VPN, IDP, SSO, MFA
Network layer: SIEM, IPS, Email, NAC, Wireless Security
Host layer: VA, AV/Malware, PAM, CMDB, MDM, Host based F
Application layer: RBAC, Encryption, Source Code Test and Secur
Data layer: Encryption, DLP, Data Backup, DDoS
Physical layer: Data Center Building Power, Security
Are cyber security and data privacy built in or added on in the STRATEGY, SOURCING, DESIGN, BUILD, TEST, INSTALLATION and OPERATION of the digital business process, information system and technology platform, as required by the implementing regulations of R.A. 10173, R.A. 10175 and the DICT National Cyber Security Plan 2022?
Cyber Security and Privacy Threat Scenario (diagram)
Vulnerabilities, when exploited, violate R.A. 10173, R.A. 10175 and GDPR.
Actors: users, data subject, anonymous, regulator
Controls on the path: firewall system; access/identity control system; file encryption system; intrusion detection; connectivity (intranet/internet, wired/wireless)
Exposed surfaces: data and storage; identity and privilege; process and application; connectivity and access; interoperation middleware; service support
Logs fed to the SOC: event log, context log
Phases: 1. Identify-Protect, 2. Detect-Respond, 3. Recover-Continue
Security Operation Center (SOC): Security Information and Event Management (SIEM); antivirus and malware; intrusion protection; exploitation analytics; user behavior analytics
Governance, Risk, Compliance System and CMDB covering hardware, software, network and services
Secured areas of business performance: patch management; apps code test; logs management; vulnerability and penetration test
Security Operation Centre and Data Centre Operation (diagram)
Traffic path: Internet provider and cloud services -> border router -> perimeter firewall -> content filter (WAF) -> network routers and switches -> network segments of users
Perimeter controls: 1. Access Management, 2. Identity Management, 3. Intrusion Detection System, 4. Intrusion Protection System
Network segments: 1. Employee network, 2. Management network, 3. Business unit network, 4. Guest mobile network, 5. Quarantined network
Security Operation Centre: SIEM system; GRC system; configuration (1. control, 2. monitor, 3. security); 1. security tools; 2. security data collection, analysis, reporting; 3. security protection, response, recovery
Data Centre Operation: 3. storage, 4. database, 5. application, 6. middleware, 7. agreements
Cyber Security & Data Privacy Protection – Technical Measures vs. 8 Cyber Threats & 10 Privacy Breaches
Behind the wall of cyber privacy assurance: identification, detection, protection, response, recover, continue (Identify-Protect, Detect-Response)
On-line parties: 1. Customers, 2. Providers, 3. Employees, 4. Anonymous, 5. Mobile social network, 6. Data subjects and processors; exposed services: 1. DNS, 2. Web services
Data privacy standards: ISO 29100, ISO 29101, ISO 29190, ISO 29134, ISO 27018, ISO 29151, ISO 31000
Cyber security standards: ISO 27001, ISO 27002, ISO 27005, ISO 27017, ISO 27004, ISO 27035, ISO 22301, ISO 27032, ISO 19600
Threat intelligence: CVE, CISA alerts, CMU SEI CERT
Technical measures:
1. Configuration Management Database (CMDB)
2. Governance, Risks, and Compliance System (GRC)
3. Security Information and Event Management (SIEM)
4. File and Data Encryption Management (PKI)
5. Access, Identity and Privileges Management (IAM, PAM)
6. Anti-Virus and Malware Management
7. Log Management System (LMS)
8. Patch Management System
9. Vulnerability Scanners and Penetration Testing Tools (VP)
10. Intrusion Prevention and
11. Firewalls and Next-Generation Firewalls (NGFW)
12. Cyber Threat Intelligence Feeds and Vulnerability Measurement Databases
13. User Behavior Analytics
14. Application Code Security Test
15. End-Point Protection
16. E-mail Gateway Protection
17. Insider Threat Protection Data Vault
18. File and Storage Eraser
19. Data Backup and Recovery
20. CCTV and Control System
End-to-End Security and Privacy Service Portfolio
- CMDB
- SIEM
- Intrusion Detect/Protect
- Vulnerability Assessment
- Logs Management (event and context logs)
- Patch Management
- Data Loss Prevention
- Threat Intelligence
- PKI and Data/Host Encryption
- Apps Code Security Test
- End-Point Protection (Anti-Virus, Malware)
- Firewall, WAF and Monitoring
- Identity Management
- Email Security Gateway
- Data Backup and Recovery
- Insider Threat Control
 
Basic Thinking Tool for E-Services Planning
Basic Thinking Tool for E-Services PlanningBasic Thinking Tool for E-Services Planning
Basic Thinking Tool for E-Services PlanningJohn Macasio
 
E-Governance and ICT for Government Managers
E-Governance and ICT for Government ManagersE-Governance and ICT for Government Managers
E-Governance and ICT for Government ManagersJohn Macasio
 

Plus de John Macasio (20)

Project Management Competency Guide for Digital Transformation
Project Management Competency Guide for Digital TransformationProject Management Competency Guide for Digital Transformation
Project Management Competency Guide for Digital Transformation
 
Teacher Work from Home with Learning Management System
Teacher Work from Home with Learning Management SystemTeacher Work from Home with Learning Management System
Teacher Work from Home with Learning Management System
 
Online Distance Learning Readiness Assessment
Online Distance Learning Readiness AssessmentOnline Distance Learning Readiness Assessment
Online Distance Learning Readiness Assessment
 
Social Media of Online Distance Learning with Networked Learner
Social Media of Online Distance Learning with Networked LearnerSocial Media of Online Distance Learning with Networked Learner
Social Media of Online Distance Learning with Networked Learner
 
GCIO Competency Model
GCIO Competency ModelGCIO Competency Model
GCIO Competency Model
 
Competency Modeling for Business Process Review
Competency Modeling for Business Process ReviewCompetency Modeling for Business Process Review
Competency Modeling for Business Process Review
 
Doing Enterprise Architecture
Doing Enterprise ArchitectureDoing Enterprise Architecture
Doing Enterprise Architecture
 
Information Security at the Workplace
Information Security at the WorkplaceInformation Security at the Workplace
Information Security at the Workplace
 
Learn with the Millenials
Learn with the MillenialsLearn with the Millenials
Learn with the Millenials
 
Enterprise Architecture Formulation template
Enterprise Architecture Formulation templateEnterprise Architecture Formulation template
Enterprise Architecture Formulation template
 
Enterprise Architecture and Information Security
Enterprise Architecture and Information SecurityEnterprise Architecture and Information Security
Enterprise Architecture and Information Security
 
Social Media at Workplace
Social Media at WorkplaceSocial Media at Workplace
Social Media at Workplace
 
E services Strategic Planning with Enterprise Architecture
E services Strategic Planning with Enterprise ArchitectureE services Strategic Planning with Enterprise Architecture
E services Strategic Planning with Enterprise Architecture
 
E-School Project
E-School ProjectE-School Project
E-School Project
 
E-Service Planning and Enterprise Architecture
E-Service Planning and Enterprise ArchitectureE-Service Planning and Enterprise Architecture
E-Service Planning and Enterprise Architecture
 
ICT Project Management Status Checklist
ICT Project Management Status ChecklistICT Project Management Status Checklist
ICT Project Management Status Checklist
 
E-Services Planning and Enterprise Architecture Primer
E-Services Planning and Enterprise Architecture PrimerE-Services Planning and Enterprise Architecture Primer
E-Services Planning and Enterprise Architecture Primer
 
E-Gov Project Management Essentials
E-Gov Project Management EssentialsE-Gov Project Management Essentials
E-Gov Project Management Essentials
 
Basic Thinking Tool for E-Services Planning
Basic Thinking Tool for E-Services PlanningBasic Thinking Tool for E-Services Planning
Basic Thinking Tool for E-Services Planning
 
E-Governance and ICT for Government Managers
E-Governance and ICT for Government ManagersE-Governance and ICT for Government Managers
E-Governance and ICT for Government Managers
 

Dernier

Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 

Dernier (20)

Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 

Data Privacy Protection Competency Guide by a Data Subject

  • 1. Data Privacy Protection Competency Guide “The data subject guidance on how to determine, describe, document and demonstrate accountability, responsibility, risks, policy, control, and operation of a managed data privacy and information security in an enterprise or agency of personal data processing.”
  • 2. Data Privacy Protection Competency Guide. Resource Person: John Macasio. He is an ICT project management consultant who advocates the rule- and standard-based data privacy and security compliance of information systems that respect the data privacy rights of a “Data Subject” and that secure the privacy of personal data. In 2014, he was tasked to provide standard-based technical training support to enterprises and agencies challenged by issues on information security in their ICT services project and operation. He created in 2018 the Data Privacy Protection Guide by a Data Subject to support the whole-of-enterprise data privacy and information security “The data subject guidance on how to determine, describe, document and demonstrate accountability, responsibility, risks, policy, control, and operation of a managed data privacy and information security in an enterprise or agency of personal data processing.”
  • 3. Notification. Personal Data Privacy: The names and email addresses collected, retained, and used in the seminar registration form are to recognize the participants and to send learning materials and training information. A participant in the online live seminar may opt to close his or her camera and simply use the microphone or chat for questions and comments. The online live seminar is not streamed on Facebook or YouTube. Copyright Notice: The cited and annotated content of cited standards is duly owned by the respective research organizations or publishers. The information provided about the rules and standards is for educational purposes. The guide is free to use.
  • 4. Being Competent in Data Privacy Protection. “A competent person has definitive understanding, skills and character needed to perform at a given level of performance standard, the decision and work associated with the mandated function and outcome.
  • 5. Being Competent in Data Privacy Protection. It is indicated by the person’s ability to transfer and apply knowledge, skills and attitude to new situations, and to the requirement of collaborative results.”
  • 6. Competency Model on Data Privacy Protection. A competency model is about a shareable body of knowledge believed to define and differentiate the essential indicators of the required understanding, action and attitude behind the successful delivery of the performance
  • 7. The NPC Circular 16-01 and NPC Advisory 2017-1 have to be recognized and implemented by a business enterprise or government agency that claims to be data privacy compliant. The competency guidance enables the personal information controller and processor, and the head of a government agency, to accomplish the obligation: 1. Create privacy and data protection policies, taking into account the privacy impact assessments, as well as Sections 25 to 29 of the implementing rules and regulations. 2. Inform and cultivate awareness on privacy and data protection within the organization of the Personal Information Controller or Processor, including all relevant laws, rules and regulations and issuances of the National Privacy Commission. 3. Conduct a mandatory, agency-wide training on privacy and data protection policies once a year: Provided, that a similar training shall be provided
  • 8. Privacy Rule Context of Competency Re NPC Circular 16-01, Security of Personal Data in Government Agencies; NPC Advisory 2017-01, Designation of Data Protection Officers.
  • 9. Data Privacy Protection Competency Guide: Data Subject view of Rules and R.A. 10173 – Data Privacy Act 2012: Accountability and Responsibility; Privacy and Security Risks: Privacy Impact Assessment Process; Privacy and Security Controls: Privacy and Security Policy Making; Privacy and Security Management: Outcome-Process-Procedure-Enable; Security Incident Management: Breach and Complaint Handling
  • 10. R.A. 10173 – Data Privacy Act 2012: The Accountable and Responsible. Goals of the Data Privacy Law; Concern of Data Privacy Law; Key Result Areas of Privacy Compliance; Roles, Accountability and Responsibility
  • 11. Statutory Goals (R.A. 10173 Chapter 1 Section 2): 1. Protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. 2. Ensure that personal information in information and communications systems in the government and in the private sector are secured and protected. R.A. 10173; Implementing Rules and Regulations; National Privacy Commission Advisory and Circular Issuances, and Case Resolution.
  • 12. Data Privacy Stakeholders. Whose Interest and Benefit is the Data Privacy Act of 2012 (R.A. 10173)? Participation, Accountability and Responsibility: 1. Data Subject: represents the exercise of data privacy rights and is the main party to associate personal data to be protected with privacy and security. 2. National Privacy Commission: creates regulation; monitors compliance; educates the public; enforces rules; and resolves cases on data privacy. 3. Personal Information: directs and rules the processing of personal
  • 13. Data Privacy Protection Stakeholders. Whose Interest and Benefit is the Data Privacy Act of 2012 (R.A. 10173)? Participation, Accountability and Responsibility: 5. Data Protection Officer: performs the oversight function for the Personal Information Controller to achieve the mandated accountability and responsibility on data privacy. 6. Compliance Officer for Privacy: assists in the oversight function to direct compliance, to monitor breach events, and to resolve and report privacy and security incidents. 7. IT and: provision of the technical measures to secure personal information protection in the location, hardware, software,
  • 14. Implementation Concerns of R.A. 10173 – Data Privacy Act 2012: 1. Compliance Governance; 2. Personal Data of a Data Subject; 3. Data Privacy Rights of a Data Subject; 4. Privacy by Design and Privacy by Default of Personal Data Processing – Filing System and Automated System; 5. Data Privacy and Information Security Risks Assessment of Data Processing System; 6. Security Measures of Personal Data Protection; 7. Privacy and Security Violations and Penalties; 8. Privacy Management Program; 9. Privacy Breach and Security Incident Response
  • 15. Rules of Data Privacy Implementation: Rule 1 – Policy and Definitions; Rule 2 – Scope of Application; Rule 3 – National Privacy Commission; Rule 4 – Data Privacy Principles; Rule 5 – Lawful Processing of Personal Data; Rule 6 – Security Measures for Protection of Personal Data; Rule 7 – Security of Sensitive Personal Information in Government; Rule 8 – Rights of Data Subject; Rule 9 – Data Breach Notification; Rule 10 – Outsourcing and Subcontracting; Rule 11 – Registration and Compliance Requirements; Rule 12 – Rules on Accountability
  • 16. Some Exception Considerations: 1. Stated scope limitation of the law in the application of data privacy rules and regulation; 2. Legal basis that limits the exercise of the data subject or his or her data privacy rights; 3. Necessary and mandated lawful requirements to process personal data of a data subject; 4. Legal basis for the “legitimate interest” of the personal information controller to process personal data gathered from a data subject; 5. Legal basis that permits the requirements for data sharing or exchange between controller and 3rd
  • 17. Relevant NPC Circulars and Advisories for the Implementation Concerns: 1. Designate compliance officer – NPC Advisory 2017-1; 2. Security of personal data in the government agency – NPC Circular 16-01; 3. Data sharing agreements involving government agencies – NPC Circular 16-02; 4. Registry of the data processing system – NPC Circular 17-01; 5. Privacy impact assessment – NPC Advisory 2017-03; 6. Privacy management manual – NPC Privacy Toolkit
  • 18. Relevant Rules, Circulars and Advisories for Implementation Concerns: 7. Personal data breach management – NPC Circular 16-03; 8. Guidelines on security incident and personal data breach reportorial requirements – NPC Advisory No. 2018-01; 9. Rules of procedure to exercise the right to complain – NPC Circular 16-04; 10. Rules of procedure on requests for advisory opinions – NPC Circular 18-01; 11. Rules on mediation before the National Privacy Commission – NPC Circular 18-03; 12. Guidelines on compliance checks – NPC Circular 18-02
  • 19. Privacy and Security Standards: Normative references of practice. 1. ISO 29100 – Privacy Framework; 2. ISO 27001 Annex A – Security Framework; 3. ISO 27701 – Information Security Extended to Privacy; 4. ISO 29134 – Privacy Impact Assessment; 5. ISO 29190 – Privacy Management Capability Assessment; 6. ISO 27035 – Security Incident Management; 7. ISO 27036 – Supplier Relationship Security and Privacy; 8. ISO 27550 – Privacy in System Development Lifecycle
  • 20. Privacy and Security Risks: Privacy Impact Assessment Process. Basic Risks Management Methodology; Risks Criteria and Control Requirement; Identify, Analyze, Evaluate and Remedy; Privacy Impact Assessment Report
  • 21. What is management of data privacy and security risks? (ISO 31000)
  • 22. What reasons cause a privacy impact assessment? (ISO 29134) 1. The developed, acquired and operated data processing system collects personal data. 2. A change in applicable privacy-related laws and regulations, internal policy and standards, information system operation, purposes and means for processing data, or new or changed data flows. 3. A new or prospective technology, service or other initiative where personal information is, or is to be, processed. 4. A decision that sensitive personal information is going to be processed. 5. A data privacy violation complaint is made against a
  • 23. 1. Collection; 2. Retention; 3. Use; 4. Sharing; 5. Disposal. 1. Privacy Governance; 2. Privacy Regulation & Policies; 3. Privacy Rights Processes; 4. Privacy Principles; 5. Criteria Lawful Processing; 6. Condition SPI Processing; 7. Privacy Impact Assessment; 8. Privacy Management System; 9. Privacy Breach Management; 10. ISO 29100 Privacy
  • 24. Privacy Threat Incidents. Privacy Breach (Privacy Law R.A. 10173): 1. Unauthorized processing; 2. Negligence in access; 3. Improper disposal; 4. Unauthorized purpose; 5. Unauthorized access; 6. Intentional breach; 7. Concealed breach; 8. Malicious disclosure; 9. Unauthorized disclosure; 10. Combination of unwanted act. Threats to Personal Data (SANS Threat Survey): 1. Ransomware; 2. Elevation of privilege into sensitive systems; 3. Breaches in cloud-based, multitenant architectures; 4. Denial of service; 5. Data tampering; 6. Identity theft; 7. Insider threat; 8. Questionable transactions; 9. Corporate or foreign government espionage; 10. Information disclosure; 11. Compromise of DNS infrastructure enabling stealing and exfiltration of data; 12. Anti-malware/Antivirus. Security Controls (R.A. 10173 and GDPR): 1. Security Policy; 2. Network Protection; 3. Confidentiality, Integrity, Availability, and Resilience Assurance of Processing System; 4. Intrusion Detection and Prevention; 5. Network Security Monitoring; 6. Vulnerability Assessment and Penetration Testing; 7. Backup and Data Recovery; 8. Identity, Access, Privilege Management; 9. Security Incident Management System; 10. Data Loss Prevention; 11. Encryption and Pseudonymization, Host-based encryption; 12. Insider Threat Control; 13. Third-Party Risk Management
  • 25. Security Threat Incidents. Violation/Threat (Cyber Crime Prevention Law – R.A. 10175): 1. Illegal access; 2. Illegal interception; 3. Data interference; 4. System interference; 5. Misuse of device; 6. Fraud; 7. Forgery; 8. Identity Theft; 9. Cyber-squatting; 10. Unsolicited Commercial Communications. Vulnerability/Exploitation (ETSI ISG ISI): 1. Website Forgery; 2. Spam; 3. Phishing; 4. Intrusion; 5. Website Defacement; 6. Misappropriation of Resources; 7. Denial of Service; 8. Malware; 9. Physical Intrusion; 10. Malfunction; 11. Loss or theft of mobile device; 12. Trace Malfunction; 13. Internal Deviant Behavior; 14. Rights or Privileges Usurpation or Abuse; 15. Unauthorized access to servers through remote access points; 16. Illicit Access to Internet; 17. Deactivating of Logs Recording; 18. Non-patched or poorly patched vulnerability exploitation; 19. Configuration vulnerability exploitation; 20. Security incidents on non-inventoried and/or not. Control Measures (CIS Security Controls): 1. Inventory and Control of Hardware Assets; 2. Inventory and Control of Software Assets; 3. Continuous Vulnerability Management; 4. Controlled Use of Administrative Privileges; 5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers; 6. Maintenance, Monitoring and Analysis of Audit Logs; 7. Email and Web Browser Protections; 8. Malware Defenses; 9. Limitation and Control of Network Ports, Protocols and Services; 10. Data Recovery Capabilities; 11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches; 12. Boundary Defense; 13. Data Protection; 14. Controlled Access Based on the Need to Know; 15. Wireless Access Control; 16. Account Monitoring and Control; 17. Implement a Security Awareness and Training
  • 26. Data Processing Privacy and Security Impact Assessment. Name of Data Processing System: ___; Controller: ___; Processor: [ ] Outsource [ ] In source; Personal Database Name: ___; Location of Data Processing and Storage: ___; Legal Basis Data Processing: ___; Data Share: ___. Security incident considered as threat to privacy and a penalized violation: 1. Unauthorized processing; 2. Negligence in access; 3. Improper disposal; 4. Unauthorized purpose; 5. Unauthorized access or intentional breach. Vulnerabilities: Privacy Rights Not Respected; Privacy Principles Undermined; Lawful Criteria to Process Personal Information Not Applied; Conditions to Process Sensitive Personal Information Not Applied; Data Sharing Condition Not Applied
  • 27. Data Processing Privacy and Security Impact Assessment. Name of Data Processing System: ___; Controller: ___; Processor: [ ] Outsource [ ] In source; Personal Database Name: ___; Location of Data Processing and Storage: ___; Legal Basis Data Processing: ___; Data Share: ___. Security incident considered as threat to privacy and a penalized violation: 1. Unauthorized processing; 2. Negligence in access; 3. Improper disposal; 4. Unauthorized purpose; 5. Unauthorized access or intentional breach. Vulnerabilities: Organizational Security Measures Not Instituted; Physical Security Measures Not Implemented; Technical Security Measures Not Installed; CIS Security Control Not Applied; OWASP Web Application Security Risks Not Remedied
  • 28. Data Processing Privacy and Security Impact Assessment. Name of Data Processing System: ___; Controller: ___; Processor: [ ] Outsource [ ] In source; Personal Database Name: ___; Location of Data Processing and Storage: ___; Legal Basis Data Processing: ___; Data Share: ___. Columns: Violation | Source of Security Threat | Exploited Vulnerabilities | Impact | Probability | Remedy Treatment. Rows: 1. Unauthorized processing | Organizational | No policy | Negligible | Unlikely | Vulnerability test; 2. Negligence in access | Physical | Poor office design | Limited | Possible | Policy review; 3. Improper disposal | Technical | Lack of procedures | Significant | Likely | Acquire tools; 4. Unauthorized purpose | Organizational | Weak monitoring | Maximum | Almost certain | Organize team; 5. Unauthorized access or intentional breach | Technical | Not segmented network | (blank) | (blank) | Training people
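Slide 28 is a risk register: each penalized violation is rated on four-level impact and probability scales and given a remedy treatment. The Python below is an added example, not the guide's own material; it scores those rows, ranks them for treatment and flags the unrated fifth row instead of dropping it silently. The risk-level thresholds and the names RegisterRow, assess and treatment_plan are assumptions of this example.

```python
"""Scores the slide-28 PIA risk register (added example, not from the guide).

Each row rates a penalized violation on the four-level impact and probability
scales shown in the table and names a remedy treatment. The script turns the
ratings into a ranked treatment order and flags rows whose rating is still
incomplete, as row 5 of the slide is.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordinal scales exactly as worded in the slide-28 table (ISO 29134 uses the
# same four levels). A higher value means worse.
IMPACT = {"Negligible": 1, "Limited": 2, "Significant": 3, "Maximum": 4}
PROBABILITY = {"Unlikely": 1, "Possible": 2, "Likely": 3, "Almost certain": 4}

# Sources of security threat match the three kinds of security measures the
# Data Privacy Act requires: organizational, physical and technical.
SOURCES = {"Organizational", "Physical", "Technical"}


def risk_level(score: int) -> str:
    """Assumed thresholds on impact x probability (1..16); the guide prescribes
    no matrix, so a PIA team agrees these as its risk criteria (slide 20)."""
    if score >= 12:
        return "Critical"
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class RegisterRow:
    violation: str
    source: str
    vulnerability: str
    impact: Optional[str]       # None while the assessor has not rated it
    probability: Optional[str]
    remedy: str

    def __post_init__(self) -> None:
        # Reject values outside the agreed scales so a typo cannot skew ranking.
        if self.source not in SOURCES:
            raise ValueError(f"{self.violation}: unknown threat source {self.source!r}")
        for name, value, scale in (("impact", self.impact, IMPACT),
                                   ("probability", self.probability, PROBABILITY)):
            if value is not None and value not in scale:
                raise ValueError(f"{self.violation}: unknown {name} rating {value!r}")

    def score(self) -> Optional[int]:
        """Impact x probability, or None while either rating is blank."""
        if self.impact is None or self.probability is None:
            return None
        return IMPACT[self.impact] * PROBABILITY[self.probability]


Ranked = List[Tuple[str, int, str, str]]  # (violation, score, level, remedy)


def assess(register: List[RegisterRow]) -> Tuple[Ranked, List[str]]:
    """Rank rated rows worst-first and list the violations still unrated."""
    ranked: Ranked = []
    unrated: List[str] = []
    for row in register:
        score = row.score()
        if score is None:
            unrated.append(row.violation)
        else:
            ranked.append((row.violation, score, risk_level(score), row.remedy))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked, unrated


def treatment_plan(register: List[RegisterRow]) -> List[str]:
    """Lines for the PIA report: ranked treatments, then open assessment items."""
    ranked, unrated = assess(register)
    lines = [f"{level:8} {score:2}  {violation}: {remedy}"
             for violation, score, level, remedy in ranked]
    lines.extend(f"UNRATED     {v}: complete impact and probability before treatment"
                 for v in unrated)
    return lines


# Constructed sample: the five rows of the slide-28 table, row 5 unrated as shown.
SAMPLE_REGISTER = [
    RegisterRow("Unauthorized processing", "Organizational", "No policy",
                "Negligible", "Unlikely", "Vulnerability test"),
    RegisterRow("Negligence in access", "Physical", "Poor office design",
                "Limited", "Possible", "Policy review"),
    RegisterRow("Improper disposal", "Technical", "Lack of procedures",
                "Significant", "Likely", "Acquire tools"),
    RegisterRow("Unauthorized purpose", "Organizational", "Weak monitoring",
                "Maximum", "Almost certain", "Organize team"),
    RegisterRow("Unauthorized access or intentional breach", "Technical",
                "Not segmented network", None, None, "Training people"),
]

if __name__ == "__main__":
    print("\n".join(treatment_plan(SAMPLE_REGISTER)))
```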
  • 29. What to Achieve-Maintain-Prevent-Eliminate: Data Privacy and Security Governance; Data Privacy Protection Policy; Information Security Policy; Privacy and Security Controls; Privacy and Security Policy Making
  • 30. What is to achieve with R.A. 10173? 1. PRIVACY RIGHTS (RA 10173 chapter IV). The rights to be exercised by an individual in the processing of p: “Right to be informed”; “Right to access”; “Right to object”; “Right to complain”; “Right to rectify”; “Right to block”; “Right to erase”; “Right to data portability”; “Right to damages”
  • 31. Privacy Rights on Personal Data (Privacy Rights of Data Subject and Respect Indicators): 5. The right to erasure or blocking: permission to withdraw and delete personal data. 6. The right to rectify: permission to check accuracy and to correct. 7. The right to data portability: ability to request and download personal data. 8. The right to complain: rules of procedure to file
  • 32. Privacy Rights on Personal Data (Privacy Rights of Data Subject and Respect Indicators): 1. The right to be informed: notification and consent. 2. The right to give consent: written or recorded agreement to process personal data. 3. The right to access: permission to view and participate
  • 33. What is to achieve with R.A. 10173? 2. PRIVACY PRINCIPLES (RA 10173 chap III). The foundation of a data processing system that is privacy by design: Consent and choice; Proportionality; Transparency; Legitimate Purpose; Fairness; Lawfulness; Accuracy; Minimization; Participation; Anonymity; Accountability
  • 34. Privacy Principles of Personal Data Processing. Principles of Transparency, Legitimate Purpose and Proportionality. 1. Transparency: the data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of the personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language. 2. Legitimate purpose: the processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy
  • 35. Privacy Principles of Personal Data Processing. General principles in collection, processing and retention. 1. Collection must be for a declared, specified, and legitimate purpose. Consent is required prior to the collection and processing of personal data, subject to exemptions provided by the Act and other applicable laws and regulations. When consent is required, it must be time-bound in relation to the declared, specified and legitimate purpose. Consent given may be withdrawn. The data subject must be provided specific information regarding the purpose and extent of processing, including, where applicable, the automated processing of his or her personal data for profiling, or processing for direct marketing, and data sharing. Purpose should be determined and declared before, or as soon as reasonably practicable after, collection
  • 36. Privacy Principles of Personal Data Processing. 2. Personal data shall be processed fairly and lawfully. Processing shall uphold the rights of the data subject, including the right to refuse, withdraw consent, or object. It shall likewise be transparent, and allow the data subject sufficient information to know the nature and extent of processing. Information provided to a data subject must always be in clear and plain language to ensure that it is easy to understand and access. Processing must be in a manner compatible with the declared, specified, and legitimate purpose. Processed personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Processing shall be undertaken in a manner that ensures appropriate privacy and security safeguards. 3. Processing should ensure data quality. Personal data should be accurate and, where necessary for the declared, specified and legitimate purpose, kept up to date
  • 37. Privacy Principles of Personal Data Processing. 4. Personal data shall not be retained longer than necessary. Retention of personal data shall only be for as long as necessary: (a) for the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated; (b) for the establishment, exercise or defense of legal claims; or (c) for legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by the appropriate government agency. Retention of personal data shall be allowed in cases provided by law. Personal data shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any
  • 38. Privacy Principles of Personal Data Processing. 5. Any authorized further processing shall have adequate safeguards. Personal data originally collected for a declared, specified, or legitimate purpose may be processed further for historical, statistical, or scientific purposes, and, in cases laid down in law, may be stored for longer periods, subject to implementation of the appropriate organizational, physical, and technical security measures required by the Act in order to safeguard the rights and freedoms of the data subject. Personal data which is aggregated or kept in a form which does not permit identification of data subjects may be kept longer than necessary for the declared, specified, and legitimate purpose. Personal data shall not be retained in perpetuity in contemplation of a possible future use yet to be determined.
  • 39. Privacy Principles of Personal Data Processing. General Principles for Data Sharing. 1. Data sharing shall be allowed when it is expressly authorized by law: provided, that there are adequate safeguards for data privacy and security, and processing adheres to the principles of transparency, legitimate purpose and proportionality. 2. Data sharing shall be allowed in the private sector if the data subject consents to data sharing, and the following conditions are complied with: 1. Consent for data sharing shall be required even when the data is to be shared with an affiliate or mother company, or similar relationships. 2. Data sharing for commercial purposes, including direct marketing, shall be covered by a data sharing agreement. (a) The data sharing agreement shall establish adequate safeguards for data privacy and security, and uphold the rights of data subjects. (b) The data sharing agreement shall be subject to review by the Commission on its own initiative or upon complaint of the data subject. 3. The data subject shall be provided with the following information prior to collection or before data is shared: (a) identity of the personal information controllers or personal information processors that will be given access to the personal data; (b) purpose of data sharing; (c) categories of personal data concerned; (d) intended recipients or categories of recipients of the personal data; (e) existence of the rights of data subjects, including the right to access and correction, and the right to object
  • 40. Privacy Principles of Personal Data Processing. Data collected from parties other than the data subject for the purpose of research shall be allowed when the personal data is publicly available, or has the consent of the data subject for the purpose of research: provided, that adequate safeguards are in place, and no decision directly affecting the data subject shall be made on the basis of the data collected or processed. The rights of the data subject shall be upheld without compromising research integrity. Data sharing between government agencies for the purpose of a public function or provision of a: 1. Any or all government agencies party to the agreement shall comply with the Act, these Rules, and all other issuances of the Commission, including putting in place adequate safeguards for data privacy and security. 2. The data sharing agreement shall be subject to review of the Commission, on its own initiative or upon complaint of the data subject
  • 41. What is to achieve with R.A. 10173? INFORMATION SECURITY: the preservation of the confidentiality, integrity, and availability of information. CONFIDENTIALITY: authority is enforced to keep the secrecy and privacy of personal data. INTEGRITY: trust is assured in the accuracy, completeness, immediacy, usefulness, and reliability of personal data. AVAILABILITY: accessibility is guaranteed in the connectivity, uptime, reachability, location, protection, and speed of personal information exchange
  • 42. What is to achieve with R.A. 10173? 3. SECURITY MEASURES (RA 10173 chap V)
    Organizational Security: 1. Compliance Officers 2. Data Protection Policies 3. Records of Processing Activities 4. Processing of Personal Data 5. Personal Information Processor Contracts
    Physical Security: 1. Policies and Procedures on Limited Physical Access 2. Security Design of Office Space and Room 3. Person Duties, Responsibility and Schedule Information 4. Policies on transfer, removal, disposal, and re-use of electronic media 5. Prevention policies against mechanical destruction of files and equipment
    Technical Security: 1. Security policy in processing personal data 2. Safeguards to protect the computer network against unlawful, illegitimate, and destructive activities 3. Confidentiality, integrity, availability, and resilience of the processing systems and services 4. Vulnerability assessment and regular monitoring for security breaches 5. Ability to restore the availability of and access to personal data
  • 43. What is to be prevented-eliminated with R.A. 10173? 4. PRIVACY VIOLATION (RA 10173 chap VII) is an illegal or unwanted act that endangers the privacy rights of a person. A data privacy violation is a penalized act to be complained of through the NPC Complaint-Assisted Form. Section 25 Unauthorized processing; Section 26 Negligence in access; Section 27 Improper disposal; Section 28 Unauthorized; Section 30 Concealment of breach; Section 31 Malicious disclosure; Section 32 Unauthorized disclosure; Section 33 Combination of
  • 44. Data Privacy Rights Violation. 1. Unauthorized processing: it is when personal information is processed without the consent of the data subject, or without being authorized using lawful criteria. 2. Negligence in access: it is when personal information is made accessible due to negligence and without being authorized by any existing law.
  • 45. Data Privacy Rights Violation. 3. Improper disposal: it is when personal information is knowingly or negligently disposed of, discarded, or abandoned in an area accessible to the public, or has otherwise been placed in any container for trash collection. 4. Unauthorized It is when personal information is
  • 46. Data Privacy Rights Violation. 5. Unauthorized access or intentional breach: it is when an individual handling personal information knowingly and unlawfully, or violating data confidentiality and security of data systems, breaks in any way into any system where personal and sensitive personal information are stored. 6. Concealed breach: it is when an individual or entity who has knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f) of the Act,
  • 47. Data Privacy Rights Violation. 7. Malicious disclosure: it is when an individual or entity, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or sensitive personal information obtained by him or her. 8. Unauthorized disclosure: it is when an individual or entity discloses to a third party personal
  • 48. Personal Information Processing Responsibility Flow
    DATA SUBJECT: Personal Information; Access, Block, Erase, Change, Complain, Transfer, Claim
    PI CONTROLLER: Maintain Personal Information Inventory; Instruct Processing of Personal Data; Receive, Accept and Provide Request for Personal Information
    PI PROCESSOR: Execute Personal Data Processing Privacy Agreement; Collect, Retain, Use, Disclose, Dispose
    THIRD-PARTY: Share Retained or Receive Collected Personal Information; Data Disclosure or Sharing Agreement
    Privacy Regulations, Policies, Controls, Agreements
  • 49. DATA PRIVACY RIGHTS AND PROCESSING POLICY
    DATA PRIVACY RIGHTS: 1. To be informed 2. To give consent 3. To have access 4. To correct 5. To block or erase 6. To complain 7. To claim damage 8. To transfer rights 9. To claim data
    PERSONAL DATA PRIVACY PROCESSING POLICY for Collection (Get), Processing (Use), Retention (Store) and Disposal (Delete): 1. Lawful criteria 2. Transparency 3. Legitimate purpose 4. Proportionality 5. Declared, specified, and legitimate purpose 6. Fair and lawful 7. Data Quality 8. Not retained longer 9. Adequate
    PERSONAL DATA PRIVACY PROCESSING POLICY for Sharing (Disclose): 1. Authorized by law 2. Data subject consent 3. Adequate Safeguard 4. For research using publicly available data 5. Data sharing agreement
  • 50. SECURITY MEASURES POLICY
    Organizational Security: 1. Compliance Officers 2. Data Protection Policies 3. Records of Processing Activities 4. Processing of Personal Data 5. Personal Information Processor Contracts
    Physical Security: 1. Policies and Procedures on Limited Physical Access 2. Security Design of Office Space and Room 3. Person Duties, Responsibility and Schedule Information 4. Policies on transfer, removal, disposal, and re-use of electronic media 5. Prevention policies against mechanical destruction of files and equipment
    Technical Security: 1. Security policy in processing personal data 2. Safeguards to protect the computer network against unlawful, illegitimate, and destructive activities 3. Confidentiality, integrity, availability, and resilience of the processing systems and services 4. Vulnerability assessment and regular monitoring for security breaches 5. Ability to restore the availability of and access to personal data 6. Regularly testing, assessing, and evaluating the effectiveness of
  • 51. DATA PRIVACY AGREEMENT POLICY: privacy agreement with the Personal Information Controller
    DATA SUBJECT (Notification and Consent Form): 1. The purpose 2. The personal data 3. The data processing activities 4. The data processor and 3rd party 5. The exercise of privacy rights 6. The privacy compliance procedures
    DATA PROCESSOR (Data Processing Agreement): 1. Data privacy rights 2. Data processing privacy principles 3. Personal data security measures 4. Accountability
    3RD PARTY (Data Sharing Agreement): 1. Data sharing principles
    DPO (Appointment Contract): 1. Authority 2. Accountability 3. Tasks 4. Deliverables
  • 52. Privacy Management Capability: Function-Policy-Process-Documentation; Supplier Relationship Management; System Development Project Privacy Management; Privacy and Security Management: Outcome-Process-Procedure-Enabler
  • 53. Who are the stakeholders of data privacy management? 1. Data Subject: personal data; privacy rights; complainant. 2. National Privacy Commission: rule making; compliance monitoring; complaint and investigation; enforcement. 3. Personal Information Controller: legitimate interest; data processing instruction; privacy law accountability. 4. Personal Information Processor: data processing system; data processing agreement and execution; privacy law accountability. 5. Data Protection Officer: privacy compliance oversight; privacy single point of contact; privacy awareness and training
  • 54. What are the stakeholders’ privacy agreements? 1. Assets of data privacy to be secured 2. Privacy and security risks to be controlled 3. Privacy protection policies and measures to be maintained 4. Privacy and security contracts to be enforced 5. Business system and process to be ruled with data privacy and security controls 6. Privacy and security management methodology and technology to be acquired 7. Privacy capability building of personnel to be regularly conducted 8. Data privacy and information security ecosystem relationship to maintain
  • 55. What is to be managed? 1. PRIVACY is freedom from intrusion into the private life or affairs of an individual or person, when that intrusion results from undue or illegal gathering and use of data about that individual. (ISO 2382 – IT Vocabulary)
  • 56. What is to be managed? 2. PRIVACY PROTECTION represents the definitive act of respecting the person's rights of privacy and the security of personal data that are being collected, processed, retained, shared, and disposed of by the personal information controller and processor of business or government
  • 57. What is to be managed? 3. PERSONAL DATA represents a set of information that identifies an individual or person. The identifiable person has a human right called PRIVACY. 1. Personal Information 2. Sensitive Personal Information 3. Privileged Information
  • 58. Personal Data Category: 1. Name (given name, middle name, surname, alias) 2. Identification number (license number, tax number) 3. Location data (address, GPS location) 4. Online identifier (e-mail, IP address) 5. Digital identifier (biometric, CCTV data) 6. Genetic data (DNA test result) 7. Health data (diagnostic report) 8. Research data (research question, enumerator interview logs) 9. Physical factor (height, weight, sex) 10. Physiological factor (body chemistry) 11. Mental factor (intellectual aptitude test results) 12. Economic factor (salary, debts, property) 13. Cultural factor (nationality, tribe) 14. Social identity (club membership, titles, legal record)
  • 59. Sensitive Personal Information (RA 10173 sec 3i) 1. Health, education, genetic or sexual life of a person 2. Proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings 3. Individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations 4. Identification document issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns
  • 60. Personal Data Processing Privacy Protection (Privacy Protection Requirements and Management Results). 1. Personal data and processing system visibility: registry of personal data, filing system, automation program. 2. Respect data privacy rights: data privacy rights policy, process, notification, consent. 3. Regulated personal data processing lifecycle of personal information and sensitive personal information: inventory of process, system and technology and risks assessment. 4. Data privacy principles in personal data processing: privacy
  • 61. Personal Data Processing Privacy Protection (Privacy Protection Requirements and Management Results). 6. Conditions to process sensitive personal information: privacy policy and system conformity test. 7. Accountability in personal data sharing: data sharing agreement, and security measures. 8. Security measures in personal information protection: organizational, physical and technical measures (policy, role, activities, product, services and technology). 9. Breach and privacy violation and corresponding penalties: breach reporting and case management
  • 62. PERSONAL DATA FLOW: Data Processing Activities (Collection, Retention, Processing, Share, Dispose) across Data Subject, Information Controller, Information Processor, Third Party and Data Share
    Data Subject: Consent
    Information Controller: Register; Instruct Collection; Instruct Storage; Instruct Processing; Instruct Transfer; Instruct Deletion
    Information Processor: Collect, Secure; Store, Secure; Use, Secure; Disclose, Secure; Delete, Secure
    Third Party: Consume
    Data Share: Provide; Receive
    (PI flows between every party at every activity)
  • 63. Personal Data Collection and Retention Process (swimlanes: DATA SUBJECT, PI CONTROLLER, PI PROCESSOR). Input: Personal Data or Change Request. DATA SUBJECT: Read Notification; Give Consent (Yes/No); Request to View, Block, Correct, Delete, Copy. PI CONTROLLER: Personal Information Requirement; Data Processing Agreement; Data Privacy Regulation, Policy and Controls; Instruct Collection and Retention of Personal Data. PI PROCESSOR: Execute Personal Data Collection and Retention; Privacy Rights Principles; Capture & Store Rules; Personal Data Store. Output: Ready for use and disclosure
  • 64. Personal Data Use and Disclosure Process (swimlanes: DATA SUBJECT, PI CONTROLLER, PI PROCESSOR, 3rd PARTY). Input: Personal Data or Request Access. DATA SUBJECT: Read Notification; Give Consent (Yes/No); View, Block, Correct, Delete, Copy, Complain. PI CONTROLLER: Personal Information Requirement; Data Utilization and Sharing Agreement; Data Privacy Regulation, Policy and Controls; Instruct Utilization and Sharing of Personal Data. PI PROCESSOR: Execute the Use and Sharing of Data; Legitimate Use Criteria; Lawful Processing Privacy Control; Display Processing and Results. 3rd PARTY: Personal Data Sharing Store
  • 65. Personal Data Disposal Process (swimlanes: DATA SUBJECT, PI CONTROLLER, PI PROCESSOR, 3rd PARTY). Input: Request Access. DATA SUBJECT: Read Notification; Give Consent (Yes/No); View, Copy, Complain. PI CONTROLLER: Personal Information Requirement; Data Retention and Disposal Agreement; Data Privacy Regulation, Policy and Controls; Instruct Disposal of Stored Personal Information. PI PROCESSOR: Execute the Disposal or Destruction of Personal Data and Media; Disposal Condition; Retention Rule; Responsible. Output: File Shredded, Media Destroyed
  • 66. Develop Privacy Management Program. A privacy management program or system is a definitive and shared understanding, decision and work about the data privacy protection capability and protocols of the business units that are responsible for personal data processing. 1. Organized compliance governance 2. Subscribed data privacy and security policies 3. Remediation action based on the privacy impact assessment report 4. Continual education on data privacy protection
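The principles on slides 34 to 39 (consent that is purpose-bound, time-bound and withdrawable; processing compatible with the declared purpose; sharing only by statutory authority or by consent plus a data sharing agreement; retention no longer than the purpose or a legal claim requires) and the collection, use and disposal flows on slides 62 to 65 can be enforced as a gate in front of each processing step. The Python below is an added example written for this guide's material; it is not code from the guide, its author or the National Privacy Commission. The `Consent`, `PersonalRecord`, `check_processing`, `check_sharing` and `retention_action` names, the sensitive-category set, the one-year legal-claims window and the sample records are all constructed assumptions.

```python
"""Processing gate for a personal data record (added illustration, not code from
the guide). Encodes: consent that is purpose-bound, time-bound and withdrawable;
processing only for the declared purpose; sharing by law or by consent plus a
data sharing agreement; retention no longer than the purpose or a legal-claims
window requires. All names and sample values are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed condensation of the sensitive personal information categories in
# R.A. 10173 sec. 3(i); a real deployment maps its own field catalogue.
SENSITIVE_CATEGORIES = frozenset({
    "health", "education", "genetic", "sexual_life", "criminal_proceeding",
    "race", "ethnic_origin", "marital_status", "age", "color", "religion",
    "philosophy", "political_affiliation", "government_id",
})


@dataclass(frozen=True)
class Consent:
    """Recorded consent: named purposes, bounded period, void once withdrawn."""
    purposes: frozenset
    given_on: date
    valid_until: date
    withdrawn_on: Optional[date] = None

    def covers(self, purpose: str, on: date) -> bool:
        if self.withdrawn_on is not None and on >= self.withdrawn_on:
            return False
        return self.given_on <= on <= self.valid_until and purpose in self.purposes


@dataclass
class PersonalRecord:
    subject_id: str
    fields: dict                      # field name -> data category
    declared_purpose: str             # purpose declared at collection
    consent: Optional[Consent]
    authorized_by_law: bool = False   # a lawful basis other than consent applies
    purpose_terminated_on: Optional[date] = None
    legal_hold: bool = False          # legal claim pending: retention stays allowed

    def is_sensitive(self) -> bool:
        return any(cat in SENSITIVE_CATEGORIES for cat in self.fields.values())


@dataclass
class Decision:
    allowed: bool
    reasons: list


def check_processing(record: PersonalRecord, purpose: str, on: date) -> Decision:
    """Gate for collect/use/retain: lawful basis, compatible purpose, purpose still live."""
    reasons = []
    has_consent = record.consent is not None and record.consent.covers(purpose, on)
    if not record.authorized_by_law and not has_consent:
        reasons.append("no valid consent (absent, expired or withdrawn) and no legal basis")
    if purpose != record.declared_purpose:
        reasons.append(f"purpose '{purpose}' is not the declared purpose '{record.declared_purpose}'")
    if record.purpose_terminated_on is not None and on > record.purpose_terminated_on:
        reasons.append("declared purpose already terminated")
    return Decision(not reasons, reasons)


def check_sharing(record: PersonalRecord, recipient: str, on: date,
                  agreement_signed: bool, share_authorized_by_law: bool = False) -> Decision:
    """Gate for disclosure: statutory authority, or consent to share plus a data
    sharing agreement; the agreement is required even for an affiliate."""
    if share_authorized_by_law:
        return Decision(True, ["sharing expressly authorized by law"])
    reasons = []
    if record.consent is None or not record.consent.covers("data_sharing", on):
        reasons.append("no consent to data sharing")
    if not agreement_signed:
        reasons.append(f"no data sharing agreement with {recipient}")
    return Decision(not reasons, reasons)


def retention_action(record: PersonalRecord, today: date, claims_window: timedelta) -> str:
    """'retain' or 'dispose'. Assumed rule: keep under legal hold; dispose once consent is
    withdrawn with no other basis; otherwise keep while the purpose lives plus a claims window."""
    if record.legal_hold:
        return "retain"
    withdrawn = (record.consent is not None and record.consent.withdrawn_on is not None
                 and today >= record.consent.withdrawn_on)
    if withdrawn and not record.authorized_by_law:
        return "dispose"
    if record.purpose_terminated_on is None:
        return "retain"
    return "retain" if today <= record.purpose_terminated_on + claims_window else "dispose"


# Constructed samples: a seminar registrant whose record also holds a health
# field, and a registrant who withdrew consent.
CLAIMS_WINDOW = timedelta(days=365)
DURING_PURPOSE, AFTER_PURPOSE, AFTER_WINDOW = date(2024, 2, 1), date(2024, 4, 1), date(2025, 3, 2)
SAMPLE = PersonalRecord(
    subject_id="DS-0001",
    fields={"name": "name", "email": "online_identifier", "diagnosis": "health"},
    declared_purpose="seminar_registration",
    consent=Consent(frozenset({"seminar_registration", "data_sharing"}),
                    given_on=date(2024, 1, 10), valid_until=date(2024, 12, 31)),
    purpose_terminated_on=date(2024, 3, 1),
)
WITHDRAWN = PersonalRecord(
    subject_id="DS-0002", fields={"name": "name"}, declared_purpose="seminar_registration",
    consent=Consent(frozenset({"seminar_registration"}), date(2024, 1, 10),
                    date(2024, 12, 31), withdrawn_on=date(2024, 2, 15)),
)

if __name__ == "__main__":
    print("sensitive:", SAMPLE.is_sensitive())
    print("use during purpose:", check_processing(SAMPLE, "seminar_registration", DURING_PURPOSE))
    print("marketing use:", check_processing(SAMPLE, "direct_marketing", DURING_PURPOSE))
    print("share, no agreement:", check_sharing(SAMPLE, "affiliate", DURING_PURPOSE, agreement_signed=False))
    print("retention after window:", retention_action(SAMPLE, AFTER_WINDOW, CLAIMS_WINDOW))
    print("withdrawn, retention:", retention_action(WITHDRAWN, AFTER_PURPOSE, CLAIMS_WINDOW))
```

Every refusal carries its reasons, which is what a record of processing activities (slide 42, organizational measure 3) and a complaint handler need; the gate deliberately fails closed, so a record with no consent and no statutory basis cannot be used even for its declared purpose.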
  • 67. Data Privacy Management Capability (ISO 29190). 1. Inventory: the enterprise and agency understand what composes their processing of personal data. They are able to make visible and account for the processes, systems, databases, and third parties involved with processing personal information and sensitive personal information. 2. Policy: the enterprise and agency have adopted and agreed on their corporate and business unit policies over privacy rights assurance and the security of personal information protection in their collection, retention, transmission, use, disclosure and disposal of personal data.
  • 68. Data Privacy Management Capability (ISO 29190). 3. Governance: the enterprise and agency have an accepted matrix of roles, accountability, responsibilities and competencies to manage data privacy and security of personal information at the corporate and business unit levels. 4. Risk Management: the enterprise and agency have adopted an approach or methodology for managing privacy risk and business compliance across the organization, addressing the use of technologies, and dealing with the trans-border and multi-jurisdictional challenges
  • 69. Data Privacy Management Capability (ISO 29190). 5. Procedures & Controls: the enterprise and agency have written and communicated procedures and controls to actively enforce policy and other compliance obligations, and monitor those procedures and controls to ensure they remain intact and effective. 6. Information Security: the enterprise and agency have set up the information security management system that ensures the confidentiality, integrity, and availability of personal information and the related information technology used to collect, store, transfer, use, share, archive, and destroy the personal data.
  • 70. Data Privacy Management Capability (ISO 29190). 7. Third Party Management: the enterprise and agency have 3rd party risk management processes that account for privacy, including performing due diligence during the selection process, putting controls in place (both contractually and for the secure transfer of the information), and building a solid basis of confidence that the third parties using the personal information can protect it and govern its use. 8. Compliance: the enterprise and government have the program to manage compliance with policy, regulations, and other obligations around data privacy assurance and security of personal information protection.
  • 71. Data Privacy Management Capability (ISO 29190). 9. Incident Management: the enterprise and government have a standard process, documented in a comprehensive plan, which provides an effective and orderly response to security incidents and potential breach incidents involving personal information. 10. Training & Awareness: the enterprise and government have general and tailored training related to the organization’s use and protection of personal information, supported by an ongoing awareness program and related guidance
  • 72. Rule and Standard Based Management of Data Privacy
    R.A. 10173 Implementing Rules: Rule 1 – Policy and Definitions; Rule 2 – Scope of Application; Rule 3 – National Privacy Commission; Rule 4 – Data Privacy Principles; Rule 5 – Lawful Processing of Personal Data; Rule 6 – Security Measures for Protection of Personal Data; Rule 7 – Security of Sensitive Personal Information in Government; Rule 8 – Rights of Data Subject; Rule 9 – Data Breach Notification; Rule 10 – Outsourcing and Subcontracting; Rule 11 – Registration and Compliance Requirements; Rule 12 – Rules on Accountability; Rule 13 – Penalties; Rule 14 – Miscellaneous Provisions
    Data Privacy Policy, ISO 29100: 5.2 Consent and choice; 5.3 Purpose legitimacy and specification; 5.4 Collection limitation; 5.5 Data minimization; 5.6 Use, retention and disclosure limitation; 5.7 Accuracy and quality; 5.8 Openness, transparency and notice; 5.9 Individual participation and access; 5.10 Accountability; 5.11 Information security; 5.12 Privacy compliance
    Information Security Policy, ISO 27001 Annex A: A5 Information security policies; A6 Organization of information security; A7 Human resource security; A8 Asset management; A9 Access control; A10 Cryptography; A11 Physical and environmental security; A12 Operations security; A13 Communications security; A14 System acquisition, development and maintenance; A15 Supplier relationship; A16 Information security incident management; A17 Information security aspects of business continuity management
  • 73. Rule and Standard Based Management of Data Privacy (Policy, Inventory, Risks, Controls, Operation): R.A. 10173 – 2016 Implementing Rules and Regulation; NPC Advisories and Circulars; ISO 10007 – Configuration Management; ISO 31000 – Risks Management; ISO 27005 – Security Risks Management; R.A. 10173 Security Measures; ISO 29151 – Privacy Controls; ISO 27036 – Security Supplier Relationship; NPC Circular 16-03 Personal Data Breach Management; NYMITY Accountability Framework; ISO 29100 – Data Privacy Framework; ISO 27001 – Information Security Framework; ISO 29190 – Privacy Management Capability; NPC Circular 17-01 Registration of Data Processing System and Automated System; ISO 29134 – Privacy Impact Assessment; ISO 22307 – Finance Sector Privacy Impact Assessment; NPC Advisory No. 2017-03 PIA Guidelines; ISO 27002 – Security Controls; CIS Security Control; ISO 27017 – Cloud Security; ISO 27018 – Cloud Privacy; ISO 27045 – Big; ISO 27701 – Privacy Information Management System; ISO 27035 – Security Incident Management; ISO 27032 – Cyber Security Guidelines; ISO 27550 – Privacy Engineering For; ETSI Security Indicators
  • 74. Security Operation Center: Configuration and Change Management; Security Incident Protocol and Breach, Security Incident Management; Rules on Procedures for Complaints, Breach and Complaint Handling
  • 75. DATA PROCESSING PRIVACY COMPLIANCE (Republic Act 10173 – DPA 2012)
    Parties: DATA SUBJECT; PERSONAL INFORMATION CONTROLLER; PROCESSOR; SECURITY OPERATION CENTER. Data classes: PI, SPI, PVI. 1,000 Record, 250 Personnel
    Data lifecycle: DATA COLLECT; DATA RETAIN; DATA PROCESS; TRANSMIT; DATA SHARE; DATA DISPOSE
    PRIVACY RIGHTS: 1. Inform 2. Access 3. Block 4. Change 5. Transfer 6. Complain 7. Damage 8. Portability 9. Correct 10. Erase
    TECHNOLOGY INFRASTRUCTURE: Apps; Platform; On-Premise Data Center; Network; Database; On-cloud; Sensors
    BUSINESS PROCESS, SYSTEM & TECHNOLOGY CONT: Customer Relationship System; Enterprise Resource System; Performance Control System
    1. Compliance Organization 2. Privacy Rights Process 3. Data Processing Privacy Principles 4. Lawful Criteria PI Processing 5. Condition SPI Processing 6. Accountability in Data Share 7. Data Protection Security Measures 8. Breach and Complaint Management
  • 76. PRIVACY VIOLATION and SECURITY VIOLATION (johnmacasio@gmaIL.com)
    Parties: DATA SUBJECT; PERSONAL INFORMATION CONTROLLER; PROCESSOR; SECURITY OPERATION CENTER. Data classes: PI, SPI, PVI. Actions on data: Access, Record, Use
    Data lifecycle: DATA COLLECT; DATA RETAIN; DATA PROCESS; TRANSMIT; DATA SHARE; DATA DISPOSE
    TECHNOLOGY INFRASTRUCTURE: Apps; Platform; On-Premise Data Center; Network; Database; On-cloud; Sensors. BUSINESS PROCESS, SYSTEM & TECHNOLOGY CONT
    Organizational Security Measures; Physical Security Measures; Technical Security Measures
    PRIVACY VIOLATION: 1. Unauthorized processing 2. Negligence in access 3. Improper disposal 4. Unauthorized purpose 5. Unauthorized access 6. Intentional breach 7. Concealed breach 8. Malicious disclosure 9. Unauthorized disclosure
    SECURITY VIOLATION: 1. Illegal Access 2. Illegal Interception 3. Data Interference 4. System Interference 5. Misuse of Devices 6. Cyber Squatting 7. Computer Forgery 8. Computer Fraud 9. Identity Theft
  • 77. Information Security Layers of Data Privacy Protection
    COMPLIANCE LAYER: Governance, Risks, and Compliance System
    PERIMETER LAYER: Next Gen Firewall, VPN, IDP, SSO, MFA
    NETWORK LAYER: SIEM, IPS, Email, NAC, Wireless Security
    HOST LAYER: VA, AV/Malware, PAM, CMDB, MDM, Host based F
    APPLICATION LAYER: RBAC, Encryption, Source Code Test and Secur
    DATA LAYER: Encryption, DLP, Data Backup, DDoS
    PHYSICAL LAYER: Data Center Building Power, Security
    Are cyber security and data privacy built-in or add-on in the STRATEGY, SOURCING, DESIGN, BUILD, TEST, INSTALLATION and OPERATION of the digital business process, information system and technology platform as required by the implementing regulations of R.A. 10173, R.A. 10175 and the DICT National Cyber Security Plan 2022?
  • 78. CYBER SECURITY AND PRIVACY THREAT SCENARIO: vulnerabilities, when exploited, violate R.A. 10173, R.A. 10175, and GDPR
    USERS: DATA SUBJECT, ANONYMOUS, REGULATOR. CONNECTIVITY: Intranet/Internet, Wired/Wireless. FIREWALL SYSTEM; ACCESS/IDENTITY CONTROL SYSTEM; FILE ENCRYPTION SYSTEM; INTRUSION DETECTION; INTRUSION PROTECTION; ANTIVIRUS MALWARE
    SECURED AREAS OF BUSINESS PERFORMANCE: Data and Storage; Identity and Privilege; Process and Application; Connectivity and Access; Interoperation Middleware; Service Support. CMDB: HARDWARE, SOFTWARE, NETWORK, SERVICES
    SOC: SECURITY INFORMATION and EVENT MANAGEMENT (SIEM) over Event LOG and Context LOG; EXPLOITATION ANALYTIC; USER BEHAVIOR ANALYTIC; Governance, Risk, Compliance System; PATCH MANAGEMENT; APPS CODE TEST; LOGS MANAGEMENT; VULNERABILITY AND PENETRATION TEST
    1. IDENTIFY-PROTECT 2. DETECT-RESPOND 3. RECOVER-CONTINUE
  • 79. CYBER SECURITY & DATA PRIVACY PROTECTION TECHNICAL MEASURES vs. 8 Cyber Threats & 10 Privacy Breaches (IDENTIFY-PROTECT, DETECT-RESPONSE)
    ON-LINE: 1. Customer 2. Providers 3. Employees 4. Anonymous 5. Mobile Social Network 6. Data Subject and Processors
    Internet Provider; Cloud Services; Border Router; Perimeter Firewall; Content Filter (WAF); 1. DNS 2. Web Services; 1. Access Management 2. Identity Management 3. Intrusion Detection System 4. Intrusion Protection System
    NETWORK ROUTER & SWITCHES, NETWORK SEGMENT OF USER: 1. Employee Network 2. Management Network 3. Business unit Network 4. Guest Mobile Network 5. Quarantined Network
    DATA CENTRE OPERATION: 3. Storage 4. Database 5. Application 6. Middleware 7. Agreements; Configuration: 1. Control 2. Monitor 3. Security
    SECURITY OPERATION CENTRE (SIEM System, GRC System): 1. Security Tools 2. Security Data Collection, Analysis, Reporting 3. Security Protection, Response, Recovery
  • 80. Behind the Wall of Cyber Privacy Assurance: IDENTIFICATION, DETECTION, PROTECTION, RESPONSE, RECOVER, CONTINUE. DATA PRIVACY STANDARDS: ISO 29100, ISO 29101, ISO 29190, ISO 29134, ISO 27018, ISO 29151, ISO 31000. CYBER SECURITY STANDARDS: ISO 27001, ISO 27002, ISO 27005, ISO 27017, ISO 27004, ISO 27035, ISO 22301, ISO 27032, ISO 19600. THREAT INTELLIGENCE: CVE, CISA ALERT, CMU SEI CERT
  • 81. 1. Configuration Management Database (CMDB) 2. Governance, Risks, and Compliance System (GRC) 3. Security Information and Event Management (SIEM) 4. File and Data Encryption Management (PKI) 5. Access, Identity and Privileges Management (IAM, PAM) 6. Anti-Virus and Malware Management 7. Log Management System (LMS) 8. Patch Management System 9. Vulnerability Scanners and Penetration Testing Tools (VP) 10. Intrusion Prevention and 11. Firewalls and Next-Generation Firewalls (NGFW) 12. Cyber Threat Intelligence Feeds and Vulnerability Measurement Databases 13. User Behavior Analytics 14. Application Code Security Test 15. End-Point Protection 16. E-mail Gateway Protection 17. Insider Threat Protection Data Vault 18. File and Storage Eraser 19. Data Backup and Recovery 20. CCTV and Control System
  • 82. End-to-End Security and Privacy Service Portfolio: CMDB; SIEM; INTRUSION DETECT/PROTECT; VULNERABILITY ASSESSMENT; LOGS MANAGEMENT; EVENT & CONTEXT LOGS; PATCH MANAGEMENT; DATA LOSS PREVENTION; THREAT INTELLIGENCE; PKI & DATA/HOST ENCRYPTION; APPS CODE SECURITY TEST; END-POINT PROTECTION; ANTI VIRUS MALWARE; FIREWALL WAF & MONITORING; IDENTITY MANAGEMENT; EMAIL SECURITY GATEWAY; DATA BACKUP & RECOVERY; INSIDER THREAT CONTROL

Editor's notes

  1. Data privacy law key performance indicators