Skip to main content

Technology delivering technology

It has been every organization's goal, the industry where they operate included, to have a technology and help run and facilitate every, if not particularly the high-value, area of business.  Sounds just what technology is for almost everything that humans do, including their businesses. Right? It's what the technology team must do and they did.  However, some of the actions they are emulating doesn't seem to be true at all. It's still about technology for the sake of technology. This is not only wrong, it is breaking the very notion that technology is helping people and it is always there whatever they do. When technology arrives and they use it, what happens is the usual messy experience that they already had from the past, and to think they are now on the new ones and still encountering the same problem. Imagine why some organizations can do it better and had been always ahead. Meaning, problems are contained that people didn't even notice there was any, no matte

Data privacy, impact assessment, and security-related system testing


Data privacy have become the norm for regulation, standardization and compliance regimes for everything data, vital to persons and businesses. Unlike the early days, data privacy laws have created favorable impressions. It depends on which side you are in. Geeks were dreadful of any kind of technology regulations and bureaucrats couldn’t hid their displeasure in new things as they play whip. Such regimes should be seen more as initiatives to improve the diffusion of technology for everyone and commit any kind of high technology build up into a more responsible social and economic instrument. With data privacy, its adaptation by all, which businesses were affected by the fact that we are not being careful how we use private data especially those being transacted online, is just a manifestation that there is a need for unsubtle formalization of, if not more echt in the, rules—our own in a manner that is, say, stringently and uniquely applicable for every purpose.

We can focus on data privacy, and still able to plug into its adjacency, especially, in the contexts of the bigger cybersecurity and risk management, both are board level responsibility. Some organizations need not necessarily adapt such setting, popular in literatures and advisory firms.

Here are basic queries, resonant of data privacy impact assessment with very specific take in an organization’s business units, that can be useful for either, if not all, data controller, compliance officer and data processor. A team or anybody, who’s responsible, can use it to exposit how data privacy is being administered not only for compliance purposes but also as a good complement to what any organization has been doing to record and store information, long before data privacy has made it to mainstream. You may find it different from those in public domains. No matter, it’s good to have a starting point that is easier to thread along including for data controllers who are not required to comply yet.

Take note that compliance, or relevant languages in every regulation or law, may have been defined in distinctive fashion, at least texts are not literally the same.

How much do we know about a solution’s service agreements, terms and conditions prior to its acquisition or installation and use?

Try these yourself, for your organization, here they are:

·         What identification do you require when doing business with client?
·         Are there any other people involved aside from the above, some 3rd-party?
·         What data do you collect and how?
·         Who is in-charge in data collection?
·         Who has access to those data?
·         Do you share data, with whom and 3rd-party?
·         How often do you evaluate data sharing agreement?
·         Can you identify details of data you are collecting, receiving including storing in your system?
·         As data controller, are you completely aware and do you fully understand your role with data privacy frameworks?

The above doesn’t necessarily alter and obviously tell the responsible people, regardless of business unit they belong, that their role have been added with that of data privacy.

How would you do it for technology people? Systems? These are different.

In cybersecurity, there is the so-called vulnerability assessment and penetration testing, which can provide mechanisms to be used further to make sure security systems, expected to be relative, can accommodate necessary change, in their reinforcement toward data privacy. In our work, we have written the basics, mostly precautionary for clients who wants VAPT performed. Whether or not they want to use it, shows forthrightness and what they can expect in the job. 

The individual person has different objective with data privacy. Consider personal, medical including but not limited to financial data. These are guarded by their respective laws. Data privacy is a bit more extensive. Could be all-encompassing even to complement subjects that have their law enforced on their own. The requirement is simple for the unsuspecting individual but tricky on data controllers or businesses that has huge holdings of private data. That private data will remain a responsibility of its owner, and control as well. The ownership and control, however, changes as soon as those data are shared with enterprising online platforms and portals. A complex password with multi-factor authentication activated, if available, would make access to personal accounts authenticated and authorized only and will not automatically make data private.

Especially true for entities holding private data, a big responsibility for them I supposed, but would be good always to share limitations, if any, in their system and security.

The practice to indemnify them from breaches via the old way of legal terms and conditions without the end-users clearly knowing the responsibilities involved seemed to have past even the archaic stage already.  

Check smartphones' permissions granted to installed apps or software. One of the various media our data are being kept, another is where those data are stored and destined, either temporarily or permanently. Most of the time we left our apps in their default setting after setup or installation. We can turn-off those permissions that are not necessary for their functioning. We can allow, say, our email app to have access to our contacts, but we can also ask. Is contacts necessary for such an email app to function properly? All these permissions being required by any app, must be scrutinized or checked thoroughly. Either with computers, smartphones, IoT or any information system, their functions must be explicit, terms must be elaborated to assure stakeholders and the trusting end-users.

Data risks of subversion and exfiltration are real. And so, we, as end-users can try to limit the likelihood that our data are being abused. We need to be conscious when every time we share our private data. Then we watch and communicate with, if our data are being neglected by, the holding entities e.g. LinkedIn, Paypal and Internet resources available for us all.

Comments

Popular posts from this blog

Philippine telcos blocking entire SMS text with internet addresses in it

If you are sending SMS texts to your friends, family or colleagues and they contain internet or web address including IP and email addresses, and even a period or dot separating, regardless of, your words and numbers, they are automatically blocked and not going to be received by your waiting recipient. Cooler heads must prevail here especially if an important message is urgently being expected. IP version 6 address is fine. However, an IPv4 including localhost address (given automatically to every computers and network interfaces as their own alone designed for troubleshooting purposes), and your money in the billion figure using dot as separators would be blocked.  If you send "local.business, naman.naman etcetera" or any words that made you use dot in between them, as part of the text, they will be blocked. There are some, that isn't blocked in this category. Like check.iclassed, some.ent, whatever.local etcetera, that is because they do not form any domain name at all

Philippine cyber campaign

Are Philippine institutions being targeted or simply being probed? We don't know for certain. It could be either or both. Whichever comes first? What we can understand, with the success of such attacks, is that they have found their way. Really.   How hard or easy? The attacker knows, but probably, also, those being attacked. Inclination should be there no matter how sophisticated our security systems are. In cybersecurity, we do a very focused job. Making sure we disappoint whoever is trying to gain access to any resource without permission and authority regardless of the environment we are in. What happened is that every asset deemed to have every variant of resource built-in, operating, that makes up the entire system working whatever it is trying to employ, in that case the primary purpose. Meaning, we have to know if we are running our system in a manner that is really secure, provisioned properly during design stage and managed continuously afterwards, post-implementation. No

iclassed privacy policy, unbelievable at first sight

Those who, before engaging us and was reading our business conduct, alerts and notices , could not restrain themselves asking, "can you really do your job without keeping any data at all? At the end of the day, you should still be looking at those information and make sure you did, and will, do well. I am expecting a lot from you here, you said so yourself!" Now, that last sentence is so loud. We keep them, not in our premises, but yours. If you've been our clients, you'll know how persistent we are when it comes to the reliability and security of your systems, data and credentials. That's our responsibility, as is made popular by cloud computing, and we don't need to be in a cloud.