Awareness about Privacy has gone up around us, mainly thanks to the news about various breaches and fines. As a business owner/ shareholder/ stakeholder/ process owner; you should be worried since you can be the next big story. And this brings us to the core question – with so many laws and regulations coming around; what should we really be worried about? That we should be worried about Privacy and how as a business we manage – is a foregone conclusion. If you are wondering why you should be worried about Privacy; the whole uproar over every organisations policy change, various governments looking at pushing out law etc. Check out the various news.

Here, we are more looking at what Privacy is all about and as a company; how can we go about managing and ensuring compliance to the law around Privacy. This is a series of articles that we are bringing out to help aid the business in understanding the subject and also how they could approach the problem to solve.

The flow described in this season can be used by in either of the below situations:

• you and work standalone/ 
• work with a consultant/expert 
• can be used to run the show via the Arrka Privacy Management Platform (both for Security and Privacy). 

For details, reach out to us on [email protected]; [email protected]; twitter: sameeranja, twitter: arrka2; Give a reference of this cast and avail credits on the platform usage and subscription. The Arrka Platform is made by SMB and for the SMB.

We have now reached a situation where we have implemented and have that euphoric feeling of "GREAT! I have done it! :)" Do enjoy the feeling and take a moment to celebrate this milestone.
For this is a milestone in the journey to keeping your organization protected. It is now nearly 23:59 and in a minute the clock will restart from 00:00. A new day dawns, and we must ensure the day goes on with our organization alert and ready. And so we come to - what do we keep doing.

What does the CISO do now?

What can go wrong?

The answer to both is “Plenty”. There are many things that can go wrong. The CISO is still not in monotonous mode, he/ she has plenty of new work to get into. However, the key to enabling maturity is to build in safeguards and control checkpoints so that issues can be identified early on and tackled. Many a times, we tend to get complacent here, and the processes and controls come to a comfort zone which makes us lazy and very very sloppy! This is something we need to guard against.

This episode tells you what you must keep doing. At some point (no later than a year), you will come back to Step 1. This is necessary because the world keeps changing and so we must adapt.

The flow described in this season can be used by in either of the below situations:

·       you and work standalone/ 

·       work with a consultant/expert 

·       can be used to run the show via the Arrka Privacy Management Platform (both for Security and Privacy). 

For details, reach out to us on [email protected]; [email protected]; twitter: sameeranja, twitter: arrka2; Give a reference of this cast and avail credits on the platform usage and subscription. The Arrka Platform is made by SMB and for the SMB.

The previous episodes are about what a Chief Information Security Officer is required for and what steps can be used as an approach to rolling out Security across your organization.
This episode focuses on the 1st step - defining your policy. 
A policy document, for all practical purposes, is a statement of intent of the person/ group signing / approving the policy statements. The policy document is simply a list of statements which implies “This is what we want to implement and follow in our organization” and then come the Procedures, Baselines, Standards. All the follow-throughs are essentially a derivative of the intent and are the ‘How’of the Policy Statements.
There are four pillars to building and rolling out a Policy, and each of them needs to be nurtured well to have a fairly adequate roll-out and maintenance. There is no such thing as “Successful” and “Unsuccessful” roll out. This is not a software product, this is your intent and what you want to do. There is no success/ failure here, only risk management and the degree of managing risk. 

We looked at risk identification and prioritisation in our earlier episode.
We will now look at Implementation and Rollout of the mitigation actions we described.

Our implementation comprises of three major components

• Governance and changes to the policies based on what we need to mitigate
• Process and Procedure implementation
• Technical areas implementation

The governance here comprises of identifying the changes required and the updating of the policies. We did prepare some policies earlier which we now revisit. Why these changes - because we are now more aware of our risks and the threats to our environment. A simple example is related to password policy. E.g. we had an earlier policy which said that all passwords will not be re-used for 2 times, so we cannot use the password for at least 2 turns of password change. However, we have now identified that this is not enough for some applications which are internet facing. The risk is higher here because our passwords become predictable and can be guessed easier. Hence, we may make a change to the policy saying no re-use for at least 5 times. The policy now needs to roll through a change management procedure which records the why and what of the change. We may also decide to have different password policies for different types of applications and this also needs to be recorded and approved. And further to writing procedures - which is what we will explode in this episode.

The flow described in this season can be used by in either of the below situations:

·       you and work standalone/ 

·       work with a consultant/expert 

·       can be used to run the show via the Arrka Privacy Management Platform (both for Security and Privacy). 

For details, reach out to us on [email protected]; [email protected]; twitter: sameeranja, twitter: arrka2; Give a reference of this cast and avail credits on the platform usage and subscription. The Arrka Platform is made by SMB and for the SMB.

So now, we have defined policies, created a security architecture in line with the policy. Most security practitioners at this point will say, “we should have assessed risks first. Why do this after the policies are defined?” This is actually a very valid question. However, there are some advantages of doing this later.
Let us understand Risk first. The layman answer is risk is like a dare, and it is a catalyst for making a decision on whether the challenge/dare should be accepted or not. Everyone has a threshold, in risk terms this is called a Risk Appetite. We tend to take risks (or as we called earlier challenges) based on our understanding and perception of risk appetite. I use the words understanding and perception because risk is always subjective. We have all tried to make this scientific, objective, numbers driven; however, there are exceptions that are made when decisions are taken on basis of your gut and instinct. These are feel behaviours which are tough to justify and are more prone to belief in yourself than anything else. E.g. Instinct is what drives innovation and should we choose to ignore this, we will never get a new idea conceptualised and created. Hence some subjective behaviour patterns are expected during a risk exercise. 
This episode looks at the methods of assessing risk and giving you a structure which can be followed.

The flow described in this season can be used by in either of the below situations:

·       you and work standalone/ 

·       work with a consultant/expert 

·       can be used to run the show via the Arrka Privacy Management Platform (both for Security and Privacy). 

For details, reach out to us on [email protected]; [email protected]; twitter: sameeranja, twitter: arrka2; Give a reference of this cast and avail credits on the platform usage and subscription. The Arrka Platform is made by SMB and for the SMB.

We now have the policies documented and approved. In this episode, we look at the step2 to design our Security Architecture. We need to design our Security Architecture so that the necessary controls within the policy are working adequately and giving us the sense of the security that we require.

Everyone equates Architecture design to a Technology and Product architecture. Actually, an architecture is much more. An architecture revolves around multiple areas as mentioned below

Organization Structure with roles and responsibilities

Re-defining the physical/network/digital layer to get more granular and segmented in terms of security. Identify various configuration that needs to be changed in the existing technology
Lastly and more importantly, upgrade/re-skill  people skills. We need to keep in perspective that our people will be managing the systems and play an important role; therefore they need to be part of the process as well.

The flow described in this season can be used by in either of the below situations:

·       you and work standalone/ 

·       work with a consultant/expert 

·       can be used to run the show via the Arrka Privacy Management Platform (both for Security and Privacy). 

For details, reach out to us on [email protected]; [email protected]; twitter: sameeranja, twitter: arrka2; Give a reference of this cast and avail credits on the platform usage and subscription. The Arrka Platform is made by SMB and for the SMB.

Our previous episode looked at the CISO role. This episode looks at threats lurking around when you start going digital.
Going Digital is no longer the world of the rich and the famous and the Fortune 500 ones! Going Digital is the mantra for the future scale. Digital means many things, and among the more common ones is about getting information into the electronic age. This requires transformation. For a bank, this means instead of filling forms; have a kiosk where customers can scan their credentials and auto-fill. For Manufacturing industry, it will mean the supervisor on the production floor will not write the output on paper and will instead use a smartphone/ tablet to record the data and transmit them to a databank which will further analyse and show trends to the stakeholders. Digital transformation is about Social Media, Cloud, Mobile, Analytics and raises significant warning bells because of the ease at which information can be accessed.

The flow described in this season can be used by in either of the below situations:

·       you and work standalone/ 

·       work with a consultant/expert 

·       can be used to run the show via the Arrka Privacy Management Platform (both for Security and Privacy). 

For details, reach out to us on [email protected]; [email protected]; twitter: sameeranja, twitter: arrka2; Give a reference of this cast and avail credits on the platform usage and subscription. The Arrka Platform is made by SMB and for the SMB.

In the midst of the various titles like CEO, COO, CTO etc comes the CISO. CISO is the abbreviation for the Chief Information Security Officer. While the CISO as a role is much desired, little is known by business as to what will be taken into account as a role. Typical questions are : what will the CISO do, what activities are they responsible for etc. In addition, the challenge is who will take the interview and hire! This is a tough decision and like all others, we cannot afford to get this wrong. Therefore, it is important to understand what the CISO does, and accordingly take a decision.

This episode takes the first step in building the Compliance Program, and hiring and appointing someone for the leadership role becomes critical. 

Finding what we want as owners (yes, i am also a founder and owner and can relate to your thoughts), is always tough. We need to think about money, priorities, threats to business, cash flow etc. This is where a fast emerging model is the outsourced CISO. GREAT, so now I dont need to have a headcount, and dump everything on the outsourced person/ company (yes, both models are available) however, DO THINK AGAIN. Have we really got the answers we are seeking. Not really, NO – we dont have the answers. Because as usual, we have not tried to treat the disease and only tried to get the person temporarily cured...

The flow described in this season can be used by in either of the below situations:

·       you and work standalone/ 

·       work with a consultant/expert 

·       can be used to run the show via the Arrka Privacy Management Platform (both for Security and Privacy). 

For details, reach out to us on [email protected]; [email protected]; twitter: sameeranja, twitter: arrka2; Give a reference of this cast and avail credits on the platform usage and subscription. The Arrka Platform is made by SMB and for the SMB.