Rohit Kachroo, CISO, Indiabulls, on:
Top steps during the implementation of a privacy-related project
Identification of information and other assets that need privacy protection is the first concern any organization should address when a new client project comes on board. Once confidential assets are identified, their owner should be identified: someone who takes full ownership and responsibility for maintaining privacy and who can respond to situations requiring urgent attention, such as business continuity incidents. Records of the users of these assets, with their requirements and nature of use, should be documented in a standard form and reviewed on a periodic basis. Once the information audience is identified, the storage location and the processes for maintaining these assets need to be established. Physical access control at the information storage location should be implemented to prevent unauthorized access. Owners of these assets manage user access by allowing only authorized users and provisioning access on a 'need to know' basis only. Periodic review of access to these assets should be performed to check for unauthorized access. If required, deploy solutions to monitor these information assets and track information in real time, whether the data is stored on servers, transmitted over the network or processed in applications. In addition to these controls, a risk assessment of these information assets should be performed to identify potential threats and vulnerabilities that could expose the data to unauthorized access and use, or lead to a breach of privacy. The result of the risk assessment shows the areas to work on and improve, so that one can act proactively to mitigate risks that could result in a privacy breach.
What are the top implementation mistakes or lessons learned?
A common mistake in the implementation phase of a project lies in controlling privileged access on the supporting IT infrastructure, and lapses here can lead to a breach of privacy. Information is stored on centralized servers and accessed by a large number of end-user systems, so managing privileged access on this critical IT equipment is crucial. Once data or other assets are identified for maintaining privacy, it is equally important to identify their audience: the people who are going to access and use these assets on a daily basis. Managing access on these platforms for a number of users according to their roles and responsibilities is again important, but it is not taken very seriously. Another control which is generally missed is the review of logical access to these information assets at a predefined period. Ignoring access review can at some point lead to unauthorized access to critical data. If an access review process is not in place, employees whose role has changed, who have moved to another process or who have left the organization may still have live and active access on those platforms, which gives them access to information they are no longer authorized for. A lot of information security breach incidents across industries are traced to this issue.
Another issue which is missed or not taken seriously by many organizations is the retention of clients' confidential information. Implementation of processes for maintaining information throughout its life cycle, and for secure disposal of information when it is no longer required, is often missed both in contracts with clients and in the real handling of projects.
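The periodic logical access review described above, as an added example that is not part of the interview: it reconciles the live grants on a platform against the HR roster and the asset owner's authorized-role list, flagging leavers and people whose role has changed. The roster, asset names and grants are constructed sample data.

```python
# Added example (not from the article): periodic logical access review.
# Flags grants held by leavers and grants whose holder's current HR role is
# no longer authorized for the asset, so the asset owner can revoke them.
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    user: str
    asset: str
    role: str  # role under which the access was originally provisioned


# Constructed sample HR roster: current role and employment status per user.
HR_ROSTER = {
    "asha":  {"role": "claims_analyst", "status": "active"},
    "ravi":  {"role": "finance_ops",    "status": "active"},      # moved from claims
    "meera": {"role": "claims_analyst", "status": "terminated"},  # left the organization
    "dev":   {"role": "claims_analyst", "status": "active"},
}

# Constructed: roles the asset owner has authorized per asset ("need to know").
AUTHORIZED_ROLES = {
    "client_pii_db": {"claims_analyst"},
    "finance_share": {"finance_ops"},
}

# Constructed: live grants as exported from the platforms at review time.
LIVE_GRANTS = [
    Grant("asha",  "client_pii_db", "claims_analyst"),
    Grant("ravi",  "client_pii_db", "claims_analyst"),  # role changed, access still live
    Grant("ravi",  "finance_share", "finance_ops"),
    Grant("meera", "client_pii_db", "claims_analyst"),  # leaver with active access
    Grant("dev",   "finance_share", "claims_analyst"),  # never authorized for this asset
]


def review_access(grants, roster, authorized):
    """Return (grant, reason) findings that the asset owner must revoke or re-approve."""
    findings = []
    for g in grants:
        person = roster.get(g.user)
        if person is None or person["status"] != "active":
            findings.append((g, "leaver: no active HR record"))
        elif person["role"] not in authorized.get(g.asset, set()):
            findings.append((g, f"role '{person['role']}' not authorized for {g.asset}"))
    return findings


if __name__ == "__main__":
    for grant, reason in review_access(LIVE_GRANTS, HR_ROSTER, AUTHORIZED_ROLES):
        print(f"REVIEW {grant.user:6} {grant.asset:14} {reason}")
```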
What are the top challenges faced during such an implementation?
One of the main challenges faced during the implementation of new projects, while addressing privacy, is managing access to data so that only authorized users have it, based on their current roles and responsibilities, and adjusting that access as their roles change. At the IT infrastructure level, the network is segregated so that data is maintained on a dedicated network by creating a VLAN (Virtual LAN). Maintaining data on a separate VLAN requires extra attention to accessibility and availability issues, which in turn requires additional manpower for maintenance work. If data is being transmitted, implementation of encryption is another control which needs to be in place to maintain confidentiality. To protect data at rest, device encryption should also be implemented. But as additional privacy measures increase the burden on accessibility, a balance should be maintained when going for controls like encryption of data in transit and encryption of data at rest. This can also impact the availability of critical resources when they are required. Hence the balance between Confidentiality, Integrity and Availability of information assets should be addressed by defining the criticality of the data and its impact if compromised. We implement controls based on the priority and severity of the risks identified, which helps us work on the high-risk areas first. Another challenge which is very critical to address is remaining compliant with the applicable laws and regulatory requirements of the project concerned. Addressing legal and other regulatory requirements is something which cannot be overlooked.