
Say everything, blogs are everywhere


Data privacy, impact assessment, and security-related system testing


Data privacy has become the norm in regulation, standardization and compliance regimes for everything involving data, which is vital to persons and businesses alike. Unlike in the early days, data privacy laws now make a favorable impression, although that depends on which side you are on: geeks dreaded any kind of technology regulation, and bureaucrats could not hide their displeasure at new things as they wielded the whip. Such regimes are better seen as initiatives to improve the diffusion of technology for everyone and to turn any high-technology build-up into a more responsible social and economic instrument. The adoption of data privacy by all, with businesses affected by the fact that we have not been careful about how we use private data, especially data transacted online, is simply a sign that the rules need plain formalization, if not more genuineness, in a manner that is stringently and uniquely applicable for every purpose.

We can focus on data privacy and still plug into its adjacent fields, especially the broader contexts of cybersecurity and risk management, both of which are board-level responsibilities. Not every organization needs to adopt that setup, popular as it is in the literature and among advisory firms.

Here are basic queries, in the spirit of a data privacy impact assessment but with a very specific take on an organization's business units, that can be useful to the data controller, the compliance officer and the data processor, or all three. A team or anyone who is responsible can use them to lay out how data privacy is being administered, not only for compliance purposes but also as a good complement to what any organization has been doing to record and store information since long before data privacy went mainstream. You may find them different from those in the public domain. No matter; it is good to have a starting point that is easier to follow, including for data controllers who are not yet required to comply.

Take note that compliance, and the relevant language in each regulation or law, may be defined in a distinctive fashion; at the least, the texts are not literally the same.

How much do we know about a solution’s service agreements, terms and conditions prior to its acquisition or installation and use?

Try these yourself, for your organization:

- What identification do you require when doing business with a client?
- Are there any other people involved aside from the above, such as third parties?
- What data do you collect, and how?
- Who is in charge of data collection?
- Who has access to those data?
- Do you share data, and with whom, including third parties?
- How often do you evaluate your data sharing agreements?
- Can you identify the details of the data you are collecting, receiving and storing in your system?
- As data controller, are you completely aware of and do you fully understand your role within data privacy frameworks?

The above does not necessarily alter anything, but it obviously tells the responsible people, regardless of the business unit they belong to, that data privacy has been added to their role.

How would you do it for technology people, and for systems? Those are different.

In cybersecurity there is the so-called vulnerability assessment and penetration testing (VAPT), which provides mechanisms that can be used to make sure security systems, which are expected to be relative, can accommodate the changes needed to reinforce data privacy. In our work, we have written up the basics, mostly precautionary, for clients who want VAPT performed. Whether or not they choose to use it, it shows forthrightness and what they can expect from the job.

The individual has a different objective with data privacy. Consider personal, medical and, not least, financial data; each is guarded by its own law. Data privacy is a bit more extensive, and can be all-encompassing enough to complement subjects that already have their own laws enforced. The requirement is simple for the unsuspecting individual but tricky for data controllers or businesses with huge holdings of private data. Private data remains the responsibility of its owner, and under the owner's control as well; that ownership and control, however, change as soon as the data are shared with enterprising online platforms and portals. A complex password with multi-factor authentication activated, where available, makes access to personal accounts authenticated and authorized only; it does not automatically make the data private.

This is especially true for entities holding private data, a big responsibility for them I suppose, but it would always be good to share the limitations, if any, in their systems and security.

The practice of indemnifying themselves against breaches the old way, through legal terms and conditions, without end-users clearly knowing the responsibilities involved, seems to have passed even the archaic stage already.

Check the permissions granted to the apps or software installed on your smartphone. The phone is one of the various media in which our data are kept; another is wherever those data are stored and destined, temporarily or permanently. Most of the time we leave our apps in their default settings after setup or installation. We can turn off the permissions that are not necessary for an app to function. We can allow, say, our email app access to our contacts, but we can also ask: is contacts access necessary for such an email app to function properly? Every permission an app requires must be scrutinized and checked thoroughly. Whether on computers, smartphones, IoT or any information system, functions must be explicit and terms must be spelled out to assure stakeholders and trusting end-users.
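One way to make that permission check systematic, as an added example that is not from the original post: compare what an Android device reports as granted against a per-app baseline of what the owner judges necessary, so anything outside the baseline (the email app with location access, say) is flagged for turning off. The dump below is constructed in the style of `adb shell dumpsys package` output, and the baseline is hypothetical.

```python
import re
from typing import Dict, Set

# Constructed sample in the style of `adb shell dumpsys package <pkg>` output
# (not captured from a real device); only the runtime-permissions lines matter here.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.mail] (a1b2c3):
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=false, flags=[ USER_SET]
  Package [com.example.maps] (d4e5f6):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
"""

# Hypothetical per-app baseline: the permissions the owner considers necessary
# for each app to function. Anything granted beyond this is a candidate to turn off.
BASELINE: Dict[str, Set[str]] = {
    "com.example.mail": {"android.permission.READ_CONTACTS"},
    "com.example.maps": {"android.permission.ACCESS_FINE_LOCATION"},
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def granted_permissions(dump: str) -> Dict[str, Set[str]]:
    """Map each package in the dump to the set of runtime permissions currently granted."""
    result: Dict[str, Set[str]] = {}
    current = None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = set()
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true":  # denied permissions are not a concern
            result[current].add(m.group(1))
    return result


def excess_permissions(dump: str, baseline: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Granted permissions not in the app's baseline; apps with no baseline get everything flagged."""
    excess = {pkg: perms - baseline.get(pkg, set()) for pkg, perms in granted_permissions(dump).items()}
    return {pkg: perms for pkg, perms in excess.items() if perms}


if __name__ == "__main__":
    for pkg, perms in excess_permissions(SAMPLE_DUMP, BASELINE).items():
        print(pkg, "->", ", ".join(sorted(perms)))
```

On a real device, feed the output of `adb shell dumpsys package <pkg>` to `excess_permissions` in place of the constructed dump; the flagged permissions are the ones to review in the phone's Settings.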

The risks of data subversion and exfiltration are real. So we, as end-users, can try to limit the likelihood of our data being abused. We need to be conscious every time we share our private data, then watch the entities holding them, such as LinkedIn, PayPal and the Internet resources available to us all, and communicate with them if our data are being neglected.
