Skip to main content

Cybersecurity sees everything

We should mean almost, digitally. With serious considerations to best practices, widely acceptable principles including that of, directly and indirectly related, applicable laws and, if any, for the sake of thoughtful and sensible transparency. Almost everything, in this case is about, as nations and industries are already taking it as an initiative to protect entities such as people, enterprises, assets, properties including but not limited to information, which is the sole subject of information security specialists but it's reality is more complicated than arguing on which security can cover which area. Technology practitioners should appreciate it. Those who goes beyond a few specializations could realized it and make an effective position paramount to a cybersecurity responsibility. And the size of that responsibility may mean breaking and delegating it with various roles, with those who are effective and prudent in their jobs.

Data privacy, impact assessment, and security-related system testing


Data privacy have become the norm for regulation, standardization and compliance regimes for everything data, vital to persons and businesses. Unlike the early days, data privacy laws have created favorable impressions. It depends on which side you are in. Geeks were dreadful of any kind of technology regulations and bureaucrats couldn’t hid their displeasure in new things as they play whip. Such regimes should be seen more as initiatives to improve the diffusion of technology for everyone and commit any kind of high technology build up into a more responsible social and economic instrument. With data privacy, its adaptation by all, which businesses were affected by the fact that we are not being careful how we use private data especially those being transacted online, is just a manifestation that there is a need for unsubtle formalization of, if not more echt in the, rules—our own in a manner that is, say, stringently and uniquely applicable for every purpose.

We can focus on data privacy, and still able to plug into its adjacency, especially, in the contexts of the bigger cybersecurity and risk management, both are board level responsibility. Some organizations need not necessarily adapt such setting, popular in literatures and advisory firms.

Here are basic queries, resonant of data privacy impact assessment with very specific take in an organization’s business units, that can be useful for either, if not all, data controller, compliance officer and data processor. A team or anybody, who’s responsible, can use it to exposit how data privacy is being administered not only for compliance purposes but also as a good complement to what any organization has been doing to record and store information, long before data privacy has made it to mainstream. You may find it different from those in public domains. No matter, it’s good to have a starting point that is easier to thread along including for data controllers who are not required to comply yet.

Take note that compliance, or relevant languages in every regulation or law, may have been defined in distinctive fashion, at least texts are not literally the same.

How much do we know about a solution’s service agreements, terms and conditions prior to its acquisition or installation and use?

Try these yourself, for your organization, here they are:

·         What identification do you require when doing business with client?
·         Are there any other people involved aside from the above, some 3rd-party?
·         What data do you collect and how?
·         Who is in-charge in data collection?
·         Who has access to those data?
·         Do you share data, with whom and 3rd-party?
·         How often do you evaluate data sharing agreement?
·         Can you identify details of data you are collecting, receiving including storing in your system?
·         As data controller, are you completely aware and do you fully understand your role with data privacy frameworks?

The above doesn’t necessarily alter and obviously tell the responsible people, regardless of business unit they belong, that their role have been added with that of data privacy.

How would you do it for technology people? Systems? These are different.

In cybersecurity, there is the so-called vulnerability assessment and penetration testing, which can provide mechanisms to be used further to make sure security systems, expected to be relative, can accommodate necessary change, in their reinforcement toward data privacy. In our work, we have written the basics, mostly precautionary for clients who wants VAPT performed. Whether or not they want to use it, shows forthrightness and what they can expect in the job. 

The individual person has different objective with data privacy. Consider personal, medical including but not limited to financial data. These are guarded by their respective laws. Data privacy is a bit more extensive. Could be all-encompassing even to complement subjects that have their law enforced on their own. The requirement is simple for the unsuspecting individual but tricky on data controllers or businesses that has huge holdings of private data. That private data will remain a responsibility of its owner, and control as well. The ownership and control, however, changes as soon as those data are shared with enterprising online platforms and portals. A complex password with multi-factor authentication activated, if available, would make access to personal accounts authenticated and authorized only and will not automatically make data private.

Especially true for entities holding private data, a big responsibility for them I supposed, but would be good always to share limitations, if any, in their system and security.

The practice to indemnify them from breaches via the old way of legal terms and conditions without the end-users clearly knowing the responsibilities involved seemed to have past even the archaic stage already.  

Check smartphones' permissions granted to installed apps or software. One of the various media our data are being kept, another is where those data are stored and destined, either temporarily or permanently. Most of the time we left our apps in their default setting after setup or installation. We can turn-off those permissions that are not necessary for their functioning. We can allow, say, our email app to have access to our contacts, but we can also ask. Is contacts necessary for such an email app to function properly? All these permissions being required by any app, must be scrutinized or checked thoroughly. Either with computers, smartphones, IoT or any information system, their functions must be explicit, terms must be elaborated to assure stakeholders and the trusting end-users.

Data risks of subversion and exfiltration are real. And so, we, as end-users can try to limit the likelihood that our data are being abused. We need to be conscious when every time we share our private data. Then we watch and communicate with, if our data are being neglected by, the holding entities e.g. LinkedIn, Paypal and Internet resources available for us all.

Comments

Popular posts from this blog

Jobs we observed in a system performance

They are made either any of the following- - Tech job, - Business job, - Nut job, or - Enterprise job. What's yours? Can you do it better from your existing drive? Whatever you do, your output should facilitate not just your organization's goal but a little more than what you originally planned. Leaders usually kept them in the mind, so subtle only them knows it, but with some useful and delicate strategies employed people really are doing a good job, and working to improve them, too. That's the beginning why corporate social responsibility, or even the consequential environmental, social and governance initiatives can be a potent move to do something, if pertinent or weighty is even the right word. That doesn't need an ostentatious resources but the effect is meaningful for stakeholders, everyone we meant.

iclassed privacy policy, unbelievable at first sight

Those who, before engaging us and was reading our business conduct, alerts and notices , could not restrain themselves asking, "can you really do your job without keeping any data at all? At the end of the day, you should still be looking at those information and make sure you did, and will, do well. I am expecting a lot from you here, you said so yourself!" Now, that last sentence is so loud. We keep them, not in our premises, but yours. If you've been our clients, you'll know how persistent we are when it comes to the reliability and security of your systems, data and credentials. That's our responsibility, as is made popular by cloud computing, and we don't need to be in a cloud.

How to save from Microsoft 365 or Teams and learn the basics of the solution from our first license and transaction

 Subscription and license fees for cloud services is not always appealing to small businesses. For big businesses, we are on a spending spree because we simply can, even if a license if not being used purposely and productively. With small businesses, no matter the need for Microsoft 365, we won't even try it. We did try but stopped and never subscribed back again. We consider the cost to be very high not just because of the service or product's license cost only. If accumulated for years compared to simply buying physical media, which is still the best bet. This, however, is going away. For some markets, it is not available anymore. How can a business get Microsoft 365 without breaking the planned budget allocation just for this service? There are options available from Microsoft 365 website. Pick the business, not family, personal or enterprise, which we may want to consider as well. With the cost the only consideration, any of this may not be a good choice. But then some fea...