What to do when building tech. We need to enable privacy in software development as well. Here we will look at what needs to be done when building tech.

There are known models of Security in Design philosophy espoused by SSE-CMM (Systems Security Engineering – Capability Maturity Model) by SEI, ISO 27001:2013 (with controls in A.___ for Secure Coding), Common Criteria, NIST Guidelines among many others. OWASP has played a stellar role in ensuring Application Security is understood and applied to as well. These are terrific technology controls to have. The Software Engineering for Privacy is a Privacy by Design Philosophy and which is what we will map here with the Engineering process. The Engineering process here is Product Agnostic and Industry Agnostic. 

The Privacy by Design therefore needs to be addressed at all aspects of the Organization and Product Development and Management. Consider Organization processes also as a product and unless we inculcate the "by design and default" philosophy in our organization; we will not be able to produce products, processes and by extension the comfort of privacy to our stakeholders.

The flow described in this season can be used by in either of the below situations:

• you and work standalone/ 
• work with a consultant/expert 
• can be used to run the show via the Arrka Privacy Management Platform (both for Security and Privacy). 

For details, reach out to us on [email protected]; [email protected]; twitter: sameeranja, twitter: arrka2; Give a reference of this cast and avail credits on the platform usage and subscription. The Arrka Platform is made by SMB and for the SMB.

What challenges come up and how to overcome will be key here?

We will now look at Implementation and Rollout of the policies, processes we described. For SDLC, Engineering and Product technology controls; we will cover those as part of Privacy Engineering.

Our implementation comprises of the following key components

Governance and changes to the policies based on what we need to mitigate

Process and Procedure implementation

Technical areas implementation

The flow described in this season can be used by in either of the below situations:

• you and work standalone/ 
• work with a consultant/expert 
• can be used to run the show via the Arrka Privacy Management Platform (both for Security and Privacy). 

For details, reach out to us on [email protected]; [email protected]; twitter: sameeranja, twitter: arrka2; Give a reference of this cast and avail credits on the platform usage and subscription. The Arrka Platform is made by SMB and for the SMB.

We established the context of your Privacy requirements. Context is very important here, else Privacy is just a high level keyword. All our initiatives are inline with various businesses we run.
Mapping the Personal Data is a very fundamental step and forms the crux of the entire Privacy approach. We need to know what Personal data categories and elements we are collecting, processing, storing etc. along with knowing how this is flowing through the organization and any extended arms.

We saw the data categories and elements in our previous article. We also discussed about Above the Surface data and Below the Surface data. Now, we will discuss the various stages of data, as a lifecycle.

Data comes into the organization in various formats and via different channels. Data also flows out of the organization as well as within the organization in various formats and via different channels. Some of the formats are text file, csv, excel file, pdf form, database format, json style etc and through various channels such as email, API, webapp, mobile app, sftp, USB drive etc. Here is where things get interesting and complex; the episode is to unravel the complexity.

The flow described in this season can be used by in either of the below situations:

• you and work standalone/ 
• work with a consultant/expert 
• can be used to run the show via the Arrka Privacy Management Platform (both for Security and Privacy). 

For details, reach out to us on [email protected]; [email protected]; twitter: sameeranja, twitter: arrka2; Give a reference of this cast and avail credits on the platform usage and subscription. The Arrka Platform is made by SMB and for the SMB.

We now have our defense and alerting layers in place. The next obvious step is to present this to our stakeholders. There are various stakeholders interested in knowing the state of our information and cyber security. These are also called Interested Parties (a term coined by the ISO organization for the various standards and frameworks used). 
The various stakeholders interested in our status are our 

• Leadership and Senior Management
• Customers
• Suppliers
• Regulators
• Employees

 to name a few. These are high level categories and as a CISO, you should try to identify the different groups and their expectations. This will help us in identifying the various security controls and alerts required, and some of the alerts can be generated and passed onto the stakeholders directly as well so that they are aware of incidents happening. Transparency in these situations always helps, and certain conditions force you to have a greater level of transparency than the regular ones, and this is ok.

The flow described in this season can be used by in either of the below situations:

·       you and work standalone/ 

·       work with a consultant/expert 

·       can be used to run the show via the Arrka Privacy Management Platform (both for Security and Privacy). 

Dashboards are customisable and configurable in the Arrka Platform for various stakeholders to view and relate to the results.

For details, reach out to us on [email protected]; [email protected]; twitter: sameeranja, twitter: arrka2; Give a reference of this cast and avail credits on the platform usage and subscription. The Arrka Platform is made by SMB and for the SMB.

We heard in the previous episode about implementing various tools and technology configurations. We now have a reasonable set of preventive techniques working. This however, does not mean that we cannot be hacked our data cannot be stolen. To identify strikes and probes happening against us, we need to set up an alerting mechanism as well. This is an additional layer in our defense and should be potent enough to identify any attacks coming towards us.

Let us examine some scenarios to define alerts we require

Someone is running a vulnerability scan on our networks from outside to identify loopholes in our system. This is called Reconnaissance in the security parlance. It is a series of queries lobbied over the network and targeted at all systems exposed to the public internet. For this, our internet firewall needs to be configured to watch and report. Firewalls have the alert identified however we need to be able to see this.

Internal users have copied data marked as confidential to a USB disk. Anti malware etc software running on end point computers have the ability to detect, we need a system to process this and report/ alert.

Someone is trying to login using a brute force attack. A brute force attack is about running a sequence of characters designed to guess a password. We need systems to report/ alert all such login failures. A typical event matching algorithm will watch for login failures happening within a minute and alert accordingly. This may also be happening to our Administrator type users, and now the threat increases.

The flow described in this season can be used by in either of the below situations:

·       you and work standalone/ 

·       work with a consultant/expert 

·       can be used to run the show via the Arrka Privacy Management Platform (both for Security and Privacy). 

For details, reach out to us on [email protected]; [email protected]; twitter: sameeranja, twitter: arrka2; Give a reference of this cast and avail credits on the platform usage and subscription. The Arrka Platform is made by SMB and for the SMB.

We have rolled out policies, procedures etc. However, it cannot be standalone and cannot be only a one-time review.

Review of implementations like Log Review, Incident Review, SIEM, Monitoring of the various access, set up a helpdesk etc. All of these can be implemented via Open Source solutions.

We have now defined policies, procedures, done the technical implementation using all the technologies we had within our setup. This is to ensure that we have generated optimum usage of everything we have spent on. Like learning, investment in technology is not wasted. We will always find use of this in every mode that is possible. Each desktop can be used, each laptop can be used in the defense of cybersecurity. It is not just the biggies like Firewall etc that come to the rescue. Many of the attacks happen through legitimate traffic (e-mail, while browsing) etc and hence the end point (as we call the desktop etc in security parlance) needs to have a defense mechanism as much as the others.

The flow described in this season can be used by in either of the below situations:

• you and work standalone/ 
• work with a consultant/expert 
• can be used to run the show via the Arrka Privacy Management Platform (both for Security and Privacy). 

For details, reach out to us on [email protected]; [email protected]; twitter: sameeranja, twitter: arrka2; Give a reference of this cast and avail credits on the platform usage and subscription. The Arrka Platform is made by SMB and for the SMB.

Beyond the policy, there are other processes required like a Rights Management, Consent Management, Breach notification etc which we will dovetail into.

Now that the Privacy Policy is documented and approved; we move to roll out the Policy through the Organization. One such rollout is the Privacy Notice. However, there are a bunch of other processes that are required to be documented, rolled out and ofcourse – reviewed, audited, monitored! There are many frameworks available to help, globally NIST Privacy Framework https://www.nist.gov/privacy-framework/privacy-framework , ISO 27701, BS 10012 are good frameworks. In India, Data Security Council of India has come up with its own Data Privacy Framework https://www.dsci.in/content/dsci-privacy-framework-dpf%C2%A9 which is the DSCI DPF. The DSCI DPF is well rounded and can be used for implementation.

The Arrka Platform has its own framework, which we have made internally and used in the platform to provide a framework for organisations to implement.

The flow described in this season can be used by in either of the below situations:

• you and work standalone/ 
• work with a consultant/expert 
• can be used to run the show via the Arrka Privacy Management Platform (both for Security and Privacy). 

For details, reach out to us on [email protected]; [email protected]; twitter: sameeranja, twitter: arrka2; Give a reference of this cast and avail credits on the platform usage and subscription. The Arrka Platform is made by SMB and for the SMB.

This is where policies starts to come in and we will explore the various sections needed.

Now that we have identified our risks, we need to work towards mitigating the risk. A good first step is to arrive at a statement of intent and then document it. This is an internal document prepared as a policy for the organization to follow. This is our Privacy Policy. A Privacy Policy should comprise of:

• Policy Coverage
• Applicable Laws & Regulations
• Organization Structure (including having a Data Protection officer AND/OR Chief Privacy Officer)
• Collection of Personal Data 
• Basis of Processing 
• Consent - if consent as a processing basis is used
• Purpose of processing
• Data Minimization
• Retention periods
• Disclosure 
• Transfer (Cross border, sharing, transfer of data to processor etc.)
• Security Considerations
• Rights Requests Management
• Compliance Management 

The flow described in this season can be used by in either of the below situations:

• you and work standalone/ 
• work with a consultant/expert 
• can be used to run the show via the Arrka Privacy Management Platform (both for Security and Privacy). 

For details, reach out to us on [email protected]; [email protected]; twitter: sameeranja, twitter: arrka2; Give a reference of this cast and avail credits on the platform usage and subscription. The Arrka Platform is made by SMB and for the SMB.

We have to identify the threats and risks so that we can enable appropriate controls and measures to mitigate. 

Thank you for listening so far and appreciate any feedback coming our way. Now that we have identified data, applicability and I believe you are fairly sure that Privacy Compliance is applicable and mandatory to be applied. Therefore we now focus on what are the possible threats that will impact us. 

There are various threat models and frameworks available. This article will not be an explanation of the various threat models and frameworks (I will list them in the end), however, we will focus on the basics and how we can arrive at threats and harms. Then you can choose any model to depict the threats and impacts.

The flow described in this season can be used by in either of the below situations:

• you and work standalone/ 
• work with a consultant/expert 
• can be used to run the show via the Arrka Privacy Management Platform (both for Security and Privacy). 

For details, reach out to us on [email protected]; [email protected]; twitter: sameeranja, twitter: arrka2; Give a reference of this cast and avail credits on the platform usage and subscription. The Arrka Platform is made by SMB and for the SMB.

We now are aware of what Privacy means and implies to us as an organization. 

In this episode, we will look at facets which allow you to determine if and to what extent Privacy is applicable to you. There are specific data which when processed by you requires you to embrace Privacy and there is also an ownership of data aspect that comes in.

The parameters which determine applicability of Privacy laws are:

• Personal Identifiable Information (PII)
• Country of Business (wherever we are doing business)
• Contractual/ Regulatory requirements of the countries
• Type of company – Data Controller OR Data Processor

The flow described in this season can be used by in either of the below situations:

• you and work standalone/ 
• work with a consultant/expert 
• can be used to run the show via the Arrka Privacy Management Platform (both for Security and Privacy). 

For details, reach out to us on [email protected]; [email protected]; twitter: sameeranja, twitter: arrka2; Give a reference of this cast and avail credits on the platform usage and subscription. The Arrka Platform is made by SMB and for the SMB.