FTFBTF - For the Founder By the Founder - Privacy Security Unboxed for the SMB business
Author: Sameer Anja
© 2023 FTFBTF - For the Founder By the Founder - Privacy Security Unboxed for the SMB business
Description
Building trust with customers for our business is hard. With data leakages and privacy-related issues and violations on the rise, our company's reputation takes a hit. It seems tough to manage; however, it is not. This podcast is here to UNBOX the entire Privacy and Security Compliance Conundrum and make it simple for business owners to roll out security and privacy compliance. Through a series of steps, one per episode, we want to give a guiding direction to business owners and C-level folks who find it hard to comprehend what such a compliance program entails. To support yourselves further and automate the program management, we have built a Management Platform for Privacy and Security. Write to us at sameer.anja@arrka.com for more inputs and help.
18 Episodes
What to do when building tech. We need to enable privacy in software development as well; here we look at what needs to be done when building tech. There are known models of security-in-design philosophy espoused by SSE-CMM (Systems Security Engineering – Capability Maturity Model, derived from the SEI CMM), ISO 27001:2013 (with controls in A.___ for secure coding), Common Criteria and NIST guidelines, among many others. OWASP has played a stellar role in ensuring application security is understood and applied. These are terrific technology controls to have. Software Engineering for Privacy is a Privacy by Design philosophy, and that is what we map here onto the engineering process. The engineering process here is product-agnostic and industry-agnostic. Privacy by Design therefore needs to be addressed in all aspects of the organization and of product development and management. Consider organization processes as a product too: unless we inculcate the "by design and by default" philosophy in our organization, we will not be able to produce products and processes that give our stakeholders the comfort of privacy.
The flow described in this season can be used in any of the situations below:
· you work standalone
· you work with a consultant/expert
· you run the programme via the Arrka Privacy Management Platform (both for Security and Privacy)
For details, reach out to us on sameer.anja@arrka.com; sales@arrka.com; twitter: sameeranja, twitter: arrka2. Give a reference of this cast and avail credits on platform usage and subscription. The Arrka Platform is made by SMB and for the SMB.
What challenges come up, and how to overcome them, will be key here. We now look at implementation and rollout of the policies and processes we described. SDLC, engineering and product technology controls are covered separately as part of Privacy Engineering. Our implementation comprises the following key components:
· governance, and changes to the policies based on what we need to mitigate
· process and procedure implementation
· technical areas implementation
Beyond the policy, other processes are required, such as rights management, consent management and breach notification, which we will dovetail into. Now that the Privacy Policy is documented and approved, we move to roll the policy out through the organization. One such rollout is the Privacy Notice. However, a bunch of other processes need to be documented, rolled out and, of course, reviewed, audited and monitored. Many frameworks are available to help: globally, the NIST Privacy Framework (https://www.nist.gov/privacy-framework/privacy-framework), ISO 27701 and BS 10012 are good frameworks. In India, the Data Security Council of India has come up with its own Data Privacy Framework, the DSCI DPF (https://www.dsci.in/content/dsci-privacy-framework-dpf%C2%A9). The DSCI DPF is well rounded and can be used for implementation. The Arrka Platform has its own framework, which we made internally and use in the platform to give organisations a framework to implement.
This is where policies start to come in, and we explore the various sections needed. Now that we have identified our risks, we need to work towards mitigating them. A good first step is to arrive at a statement of intent and then document it. This is an internal document prepared as a policy for the organization to follow: our Privacy Policy. A Privacy Policy should comprise:
· Policy coverage
· Applicable laws and regulations
· Organization structure (including having a Data Protection Officer and/or Chief Privacy Officer)
· Collection of personal data
· Basis of processing
· Consent, if consent is used as a processing basis
· Purpose of processing
· Data minimization
· Retention periods
· Disclosure
· Transfer (cross-border, sharing, transfer of data to a processor, etc.)
· Security considerations
· Rights requests management
· Compliance management
We have to identify the threats and risks so that we can enable appropriate controls and measures to mitigate them. Thank you for listening so far; we appreciate any feedback coming our way. Now that we have identified data and applicability, I believe you are fairly sure that privacy compliance applies to you and is mandatory. We therefore now focus on the possible threats that will impact us. Various threat models and frameworks are available. This episode is not an explanation of the various threat models and frameworks (I will list them at the end); instead we focus on the basics and on how to arrive at threats and harms. You can then choose any model to depict the threats and impacts.
We established the context of your privacy requirements. Context is very important here; otherwise privacy is just a high-level keyword. All our initiatives are in line with the various businesses we run. Mapping personal data is a fundamental step and forms the crux of the entire privacy approach. We need to know what personal data categories and elements we are collecting, processing, storing, etc., and how this data flows through the organization and any extended arms. We saw the data categories and elements in our previous episode, where we also discussed above-the-surface and below-the-surface data. Now we discuss the various stages of data as a lifecycle. Data comes into the organization in various formats and via different channels, and it also flows out of and within the organization in various formats and via different channels. Some of the formats are text file, CSV, Excel file, PDF form, database, JSON, etc.; the channels include email, API, web app, mobile app, SFTP, USB drive, etc. This is where things get interesting and complex; this episode unravels the complexity.
We now know what privacy means and implies for us as an organization. In this episode we look at the facets that let you determine if, and to what extent, privacy is applicable to you. There are specific data which, when processed by you, require you to embrace privacy, and there is also an ownership-of-data aspect that comes in. The parameters that determine applicability of privacy laws are:
· Personally Identifiable Information (PII)
· Country of business (wherever we are doing business)
· Contractual/regulatory requirements of those countries
· Type of company – Data Controller or Data Processor
Awareness about privacy has gone up around us, mainly thanks to the news about various breaches and fines. As a business owner/shareholder/stakeholder/process owner, you should be worried, since you can be the next big story. And this brings us to the core question: with so many laws and regulations coming around, what should we really be worried about? That we should be worried about privacy, and about how we manage it as a business, is a foregone conclusion. If you are wondering why you should be worried about privacy, look at the uproar over every organisation's policy change, the various governments pushing out laws, etc.; check out the news. Here, we look more at what privacy is all about and how, as a company, we can go about managing and ensuring compliance with the law around privacy. This is a series of episodes we are bringing out to help business understand the subject and how to approach the problem.
We have now implemented and have that euphoric feeling of "GREAT! I have done it! :)" Do enjoy the feeling and take a moment to celebrate this milestone, for it is a milestone in the journey to keeping your organization protected. It is now nearly 23:59, and in a minute the clock restarts from 00:00. A new day dawns, and we must ensure the day goes on with our organization alert and ready. And so we come to what we keep doing. What does the CISO do now? What can go wrong? The answer to both is "plenty". There are many things that can go wrong. The CISO is not in monotonous mode; he or she has plenty of new work to get into. The key to enabling maturity is to build in safeguards and control checkpoints so that issues can be identified early and tackled. Many a time we get complacent here: the processes and controls settle into a comfort zone that makes us lazy and very, very sloppy. This is something we need to guard against. This episode tells you what you must keep doing. At some point (no later than a year), you will come back to Step 1. This is necessary because the world keeps changing and so we must adapt.
We now have our defense and alerting layers in place. The next obvious step is to present this to our stakeholders. Various stakeholders are interested in knowing the state of our information and cyber security; these are also called Interested Parties (the term the ISO standards use). The stakeholders interested in our status include, to name a few:
· Leadership and senior management
· Customers
· Suppliers
· Regulators
· Employees
These are high-level categories; as a CISO you should identify the different groups and their expectations. This helps in identifying the security controls and alerts required, and some alerts can be generated and passed on to the stakeholders directly so that they are aware of incidents as they happen. Transparency in these situations always helps, and certain conditions force a greater level of transparency than usual, which is fine. Dashboards are customisable and configurable in the Arrka Platform for various stakeholders to view and relate to the results.
We heard in the previous episode about implementing various tools and technology configurations, and we now have a reasonable set of preventive techniques working. This does not mean that we cannot be hacked or that our data cannot be stolen. To identify strikes and probes against us, we also need an alerting mechanism. This is an additional layer in our defense and should be potent enough to identify any attacks coming towards us. Let us examine some scenarios to define the alerts we require:
· Someone is running a vulnerability scan on our networks from outside to identify loopholes in our systems. This is called reconnaissance in security parlance: a series of probes lobbed over the network at all systems exposed to the public internet. For this, our internet firewall needs to be configured to watch and report. Firewalls raise the alert; we need to be able to see it.
· Internal users have copied data marked as confidential to a USB disk. Anti-malware and similar software running on endpoint computers can detect this; we need a system to process it and report/alert.
· Someone is trying to log in using a brute-force attack, which runs through sequences of characters designed to guess a password. We need systems to report/alert on all such login failures. A typical event-matching rule watches for repeated login failures within a minute and alerts accordingly. If this is also happening to our administrator-type users, the threat increases.
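As an added example (not code from the podcast or from the Arrka platform), here is the login-failure matching described in the brute-force scenario above, run over a few constructed auth-log lines: a sliding one-minute window per source address, plus a lower threshold and higher severity when the target is a privileged account. The log line format, the thresholds and the set of privileged account names are assumptions made for the demo.

```python
"""Brute-force login detector over authentication log lines.

Added illustration for this episode; it is not code from the podcast or from
the Arrka platform. The log line format, the thresholds and the list of
privileged accounts are assumptions made for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
#   "<ISO-8601 timestamp> <FAIL|OK> user=<account> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")

WINDOW = timedelta(seconds=60)            # the "within a minute" window from the episode
FAIL_THRESHOLD = 5                        # failures from one source IP inside the window
ADMIN_THRESHOLD = 3                       # lower bar for privileged accounts
ADMIN_USERS = {"administrator", "root"}   # assumed list of privileged accounts

# Constructed sample log: a run of failures against "bob" from one address,
# one success, a shorter run against "administrator", and a stray late failure.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 FAIL user=bob src=203.0.113.5",
    "2024-01-01T10:00:05 FAIL user=bob src=203.0.113.5",
    "2024-01-01T10:00:10 FAIL user=bob src=203.0.113.5",
    "2024-01-01T10:00:15 FAIL user=bob src=203.0.113.5",
    "2024-01-01T10:00:20 FAIL user=bob src=203.0.113.5",
    "2024-01-01T10:00:25 FAIL user=bob src=203.0.113.5",
    "2024-01-01T10:01:40 OK user=bob src=203.0.113.5",
    "2024-01-01T10:02:00 FAIL user=administrator src=198.51.100.7",
    "2024-01-01T10:02:10 FAIL user=administrator src=198.51.100.7",
    "2024-01-01T10:02:20 FAIL user=administrator src=198.51.100.7",
    "2024-01-01T10:05:00 FAIL user=bob src=203.0.113.5",
]


def parse(line):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts), result, user, src


def _slide(queue, now, window):
    """Drop timestamps older than `window` relative to `now`; return the count left."""
    while queue and now - queue[0] > window:
        queue.popleft()
    return len(queue)


def detect(lines, window=WINDOW):
    """Walk time-ordered log lines and return a list of alert dicts.

    Two sliding windows are kept: per source IP (catches guessing and password
    spraying from one address, whatever accounts it targets) and per privileged
    account (catches attacks on administrators from any number of addresses).
    An alert fires once, when a window first reaches its threshold.
    """
    by_src = defaultdict(deque)
    by_admin = defaultdict(deque)
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec[1] != "FAIL":
            continue
        ts, _, user, src = rec

        q = by_src[src]
        q.append(ts)
        if _slide(q, ts, window) == FAIL_THRESHOLD:
            alerts.append({"ts": ts.isoformat(), "severity": "medium",
                           "src": src, "user": None, "count": len(q)})

        if user.lower() in ADMIN_USERS:
            q = by_admin[user.lower()]
            q.append(ts)
            if _slide(q, ts, window) == ADMIN_THRESHOLD:
                alerts.append({"ts": ts.isoformat(), "severity": "high",
                               "src": src, "user": user, "count": len(q)})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

On the sample input this raises two alerts: a medium one for 203.0.113.5 at the fifth failure in 20 seconds, and a high one for the administrator account at its third failure; the late failure at 10:05 falls outside the window and stays silent. The per-account window is the piece that makes the "administrator" case different: an attacker spraying an admin account from many addresses never trips a per-source threshold, so the account itself has to be the key. In production the same rule belongs in the SIEM, fed from the firewall, directory and endpoint logs the episode mentions, rather than in a script.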
We have rolled out policies, procedures, etc. However, they cannot stand alone and cannot be a one-time review. Reviews of implementations such as log review, incident review, SIEM, monitoring of the various accesses, setting up a helpdesk, etc. can all be implemented via open-source solutions. We have now defined policies and procedures and done the technical implementation using all the technologies we already had within our setup, to ensure optimum use of everything we have spent on. Like learning, investment in technology is not wasted; we will always find a use for it in every mode possible. Each desktop and each laptop can be used in the defense of cybersecurity. It is not just the biggies like the firewall that come to the rescue. Many attacks arrive through legitimate traffic (e-mail, browsing, etc.), and hence the endpoint (as we call the desktop etc. in security parlance) needs a defense mechanism as much as the others.
We looked at risk identification and prioritisation in our earlier episode. We now look at implementation and rollout of the mitigation actions we described. Our implementation comprises three major components:
· governance, and changes to the policies based on what we need to mitigate
· process and procedure implementation
· technical areas implementation
The governance here comprises identifying the changes required and updating the policies. We prepared some policies earlier, which we now revisit. Why these changes? Because we are now more aware of our risks and of the threats to our environment. A simple example relates to password policy. Say our earlier policy said that a password may not be re-used for 2 password changes, so it cannot be used again for at least 2 turns of the change cycle. However, we have now identified that this is not enough for some internet-facing applications; the risk is higher there because predictable, recycled passwords are easier to guess. Hence we may change the policy to no re-use for at least 5 changes. The policy change now needs to roll through a change-management procedure that records the why and what of the change. We may also decide to have different password policies for different types of applications, and this also needs to be recorded and approved. Beyond that comes writing procedures, which is what we explore in this episode.
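As an added example (not code from the podcast or from the Arrka platform) of the password-history control that the policy change above describes: a history depth set per application class (5 for internet-facing, 2 for internal, as in the episode), with previous passwords held only as salted PBKDF2 hashes rather than in clear. The class names, the storage format and the PBKDF2 work factor are assumptions made for the demo.

```python
"""Password re-use check with a history depth set per application class.

Added illustration for this episode; it is not code from the podcast or from
the Arrka platform. The two classes and their depths (5 for internet-facing,
2 for internal) follow the episode's example; the storage format, the PBKDF2
parameters and the class names themselves are assumptions for the demo.
"""
import hashlib
import hmac
import os
from collections import deque

# Policy knob: how many previous passwords (including the current one) are off limits.
HISTORY_DEPTH = {"internet_facing": 5, "internal": 2}
PBKDF2_ROUNDS = 100_000   # assumed work factor; tune for your hardware


def derive(password, salt):
    """Salted PBKDF2-HMAC-SHA256 so that history entries never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Keeps the last N (salt, hash) pairs for one account; the oldest falls off."""

    def __init__(self, app_class):
        self.depth = HISTORY_DEPTH[app_class]
        self.entries = deque(maxlen=self.depth)

    def was_used(self, candidate):
        # Every entry has its own salt, so the candidate is re-derived per entry
        # and compared in constant time.
        return any(hmac.compare_digest(derive(candidate, salt), digest)
                   for salt, digest in self.entries)

    def change(self, new_password):
        """Record the new password; return False (and change nothing) if it is a re-use."""
        if self.was_used(new_password):
            return False
        salt = os.urandom(16)
        self.entries.append((salt, derive(new_password, salt)))
        return True


def rotation_outcomes(app_class, passwords):
    """Apply a sequence of password changes and return the accept/reject result of each."""
    history = PasswordHistory(app_class)
    return [history.change(p) for p in passwords]


if __name__ == "__main__":
    seq = ["Winter2023!", "Spring2024!", "Summer2024!", "Winter2023!"]
    print("internal       :", rotation_outcomes("internal", seq))
    print("internet_facing:", rotation_outcomes("internet_facing", seq))
```

With the depth-2 internal policy the fourth change (back to the first password) is accepted, because only the two most recent passwords are remembered; under the depth-5 internet-facing policy it is rejected. Two caveats worth recording alongside the policy: the history is a second store of password-derived material and needs the same protection as the live credential store, and an exact-match history does nothing against the "Winter2023!" to "Winter2024!" pattern, which is why a reuse rule is a complement to, not a substitute for, length rules and breached-password screening.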
So now we have defined policies and created a security architecture in line with the policy. Most security practitioners at this point will say, "we should have assessed risks first; why do this after the policies are defined?" This is a very valid question, but there are some advantages to doing it later. Let us understand risk first. The layman's answer is that risk is like a dare: a catalyst for deciding whether the challenge should be accepted or not. Everyone has a threshold; in risk terms this is called Risk Appetite. We take risks (or, as we called them, challenges) based on our understanding and perception of our risk appetite. I use the words understanding and perception because risk is always subjective. We have all tried to make it scientific, objective and numbers-driven; however, exceptions are made when decisions are taken on the basis of gut and instinct. These are feel behaviours that are tough to justify and rest more on belief in yourself than anything else; instinct is what drives innovation, and should we choose to ignore it, we would never get a new idea conceptualised and created. Hence some subjective behaviour patterns are expected during a risk exercise. This episode looks at methods of assessing risk and gives you a structure that can be followed.
We now have the policies documented and approved. In this episode we look at step 2: designing our security architecture. We design it so that the necessary controls within the policy work adequately and give us the sense of security we require. Everyone equates architecture design with technology and product architecture. Actually, an architecture is much more; it revolves around multiple areas:
· Organization structure with roles and responsibilities
· Re-defining the physical/network/digital layers to get more granular and segmented in terms of security
· Identifying the various configurations that need to change in the existing technology
· Lastly and most importantly, upgrading/re-skilling people. Our people will be managing the systems and play an important role; therefore they need to be part of the process as well.
The previous episodes are about what a Chief Information Security Officer is required for and the steps that can be used as an approach to rolling out security across your organization. This episode focuses on the first step: defining your policy. A policy document, for all practical purposes, is a statement of intent by the person or group signing/approving the policy statements. It is simply a list of statements saying "this is what we want to implement and follow in our organization"; then come the procedures, baselines and standards. All the follow-throughs are derivatives of that intent and are the 'how' of the policy statements. There are four pillars to building and rolling out a policy, and each needs to be nurtured well to have a fairly adequate rollout and maintenance. There is no such thing as a "successful" or "unsuccessful" rollout. This is not a software product; it is your intent and what you want to do. There is no success or failure here, only risk management and the degree to which risk is managed.
Our previous episode looked at the CISO role. This episode looks at the threats lurking around when you start going digital. Going digital is no longer the world of the rich and famous and the Fortune 500! Going digital is the mantra for future scale. Digital means many things; among the more common is getting information into the electronic age, which requires transformation. For a bank, instead of filling in forms, this means a kiosk where customers can scan their credentials and auto-fill. For manufacturing, it means the supervisor on the production floor will not write the output on paper but will use a smartphone/tablet to record the data and transmit it to a databank, which further analyses it and shows trends to the stakeholders. Digital transformation is about social media, cloud, mobile and analytics, and it raises significant warning bells because of the ease with which information can be accessed.
In the midst of the various titles like CEO, COO, CTO, etc. comes the CISO, the abbreviation for Chief Information Security Officer. While the CISO role is much desired, little is known by business about what the role takes into account. Typical questions are: what will the CISO do, what activities are they responsible for, etc. In addition, the challenge is who will take the interview and hire! This is a tough decision and, like all others, we cannot afford to get it wrong. It is therefore important to understand what the CISO does, and to decide accordingly. This episode takes the first step in building the compliance program, where hiring and appointing someone for the leadership role becomes critical. Finding what we want as owners (yes, I am also a founder and owner and can relate to your thoughts) is always tough. We need to think about money, priorities, threats to the business, cash flow, etc. This is where a fast-emerging model is the outsourced CISO. GREAT, so now I don't need a headcount and can dump everything on the outsourced person/company (yes, both models are available)? DO THINK AGAIN. Have we really got the answers we are seeking? Not really; no, we don't have the answers, because, as usual, we have not tried to treat the disease and have only tried to get the patient temporarily cured...