What are we really Protecting - Data or Information?
Bharat Gautam (BG)
Head Of Global Cyber Readiness @ CAE Inc. | Enterprise Vulnerability Management | Cyber Exposure Management | ISACA Board Of Director
Information is built from #Data bit by bit, but Data can itself be #Information that is usable to some extent. Data means Information and Information means Data.
What are we all really protecting: Information, or Data?
Whether it belongs to our employees, customers or partners, do we really see the need and importance of applying Data Protection controls?
"The time is near when Banks/Financial Institutions/Service Organizations will declare their Cyber Security Maturity Scorecard on their websites for their customers - Bharat Gautam".
"Product Competition will be long dead and customers will choose the best players on the basis of their Cyber Security Maturity Scorecard, i.e. how they protect their Information & Data - Bharat Gautam".
We need to take securing critical Information & Data seriously. We shall ensure that our employee, customer and partner data is kept in a secure manner and accessed on a need-to-know basis only, and that we shall collect only as much personal data as is required to make our customer experience efficient and satisfying. We shall also collect only relevant customer information, as different Data & Information require different levels of Protection.
We shall be transparent to our customers and our stakeholders.
The #Canada Personal Information Protection and Electronic Documents Act ("PIPEDA") governs data privacy and how private-sector companies may collect, use and disclose personal information. The Act also contains various provisions to facilitate the use of electronic documents (https://laws-lois.justice.gc.ca/PDF/P-8.6.pdf).
That was #Canada; if we talk about the #UAE, there are specific Information Security and Cyber Security articles and laws in the UAE constitution.
Citizens of the UAE are covered by a general right to Privacy under Article 31 and Article 378 of the Penal Code in the UAE Constitution. Article 378 of the Penal Code says that it is an offence to publish any personal data relating to an individual's private or family life without their consent. Article 21 of the Cyber Crime Law also covers issues such as Hacking and Privacy Breach of an individual without their consent.
Article 21 of the Cyber Crime Law also prohibits the invasion of privacy of an individual or family by means of a computer, electronic system or IT, without the individual's consent and unless otherwise authorised by law. This includes eavesdropping and taking photos. Article 21 further prohibits disclosing confidential information obtained in the course of, or because of, work, by means of any computer network, website or IT.
The UAE has a Data Protection Regulation (DPR) which has been in force since 2012. Any entity in the UAE which needs to process personal information must have authorization from the Commissioner of Data Protection UAE.
The DPR says that Sensitive Personal Data shall not be processed unless:
- The Data Subject has given his written consent to the Processing of that Sensitive Personal Data;
- Processing is necessary for the purposes of carrying out the obligations and specific rights of the Data Controller;
- Processing is necessary to protect the vital interests of the Data Subject or of another person where the Data Subject is physically or legally incapable of giving his consent;
- Processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body on condition that the Processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the Personal Data are not disclosed to a Third Party without the consent of the Data Subjects;
- The Processing relates to Personal Data which are manifestly made public by the Data Subject or is necessary for the establishment, exercise or defence of legal claims;
- Processing is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject;
- Processing is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation;
- Processing is necessary to comply with any regulatory requirements, auditing, accounting, anti-money laundering or counter terrorist financing obligations or the prevention or detection of any crime that apply to a Data Controller;
- Processing is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those Personal Data are Processed by a health professional subject under national laws or regulations established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy;
- Processing is required for protecting members of the public against:
  - Financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment, management consultancy, IT services, accounting or other commercial activities (either in person or indirectly by means of outsourcing);
  - Dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment, financial or other services; or
- Authorized in writing by the Commissioner of Data Protection.
If we talk about Cyber Security breaches, it is the large-scale breaches that make the headlines because of the underlying Vulnerabilities, and the major concern is that well-known ones such as KRACK, Heartbleed, POODLE and the SSLv3 vulnerability are still unpatched within businesses. Yet businesses of every size are grappling with how to secure their network devices, Data & Information. Nowadays every industry is prone to cyber attacks and data compromise if it does not keep pace with the ever-changing Threat Landscape.
There are two different ways to look at cyber security: as a problem, or as an enabler to enhance controls for information security and customer data protection.
The biggest challenge is that people don't carry lessons from one context to another. They will read and try to adopt what they learn from information security mailers, but will not apply it while accessing certain websites. They will click on a link on a social media website that they would never have clicked on in an email, because the context on social media feels different, without realizing that the after-effect is the same. The after-effect of a cyber security breach also depends on the type of market: a breach in the BFSI sector is considered far more devastating than one in the retail sector.
The difficulty is that all the data is connected. If your debit or credit card is stolen, it is as fundamental as your bank account. Organizations are held responsible for cyber security breaches, but not everyone is aware that the actual root cause of a breach is the user. We need to look at organization-wide information security programs, which provide a framework for ensuring that risks are understood and that effective controls are selected and implemented.
The requirement for a proactive approach to the security of physical assets, intellectual property, data, regulation, compliance and risk management is increasing, in order to ensure customer confidence and maintain relationships. Thus the demand for cyber security governance, policy and reliable business continuity measures is gaining importance, simply to ensure the streamlined operation of business processes and effective customer relationship management. The latest security protection trends in this segment include Identity and Access Management (IAM), Authentication, Endpoint Encryption, Data Leakage Prevention (DLP), Media Disposal and Waste Monitoring, Managed Security Services, IP Video Surveillance and Bio-metric Access Control, along with optional items such as SIEM, NIPS and Advanced Persistent Threat (APT) protection, to ensure that all of these are enabled and the respective technologies are streamlined. But I will put more emphasis on getting the basics right to protect Information & Data. Attackers find it difficult to penetrate fully patched systems and will spend less time trying to breach such organizations.
In the end, I would say that we need to Protect both (Data & Information).
I will also suggest some tried and tested ways to Protect Customer Information & Data:
- Make Data Security a Company-Wide Responsibility
- Always implement Encryption where sensitive data is involved
- Restrict Access to Customer Information & Data
- Create detailed BYOD policies
- Always use Web Filtering gateways
- Shred Sensitive Physical Documents
- Protect your website & Databases
- Make your employees aware of Cyber Security Do's & Don'ts
- Don’t Store Sensitive Data if not required
- Implement Strong, Complex non-trivial Passwords
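Three items on that list (restrict access, don't store sensitive data you don't need, and use strong, non-trivial passwords) can be turned into concrete code. The following is an added example, written for this page and not code from the original post or from any product named here; it uses only the Python standard library. The field names, role names, minimum password length and PBKDF2 iteration count are assumptions chosen for the illustration, not values from the page.

```python
"""Added example: a tiny customer-record store that applies three of the
practices listed above -- data minimization, need-to-know access and
never storing a password in clear text.  Standard library only."""
import hashlib
import hmac
import secrets

# Data minimization: only the fields the business actually needs are kept.
# (Assumed field set for this example.)
REQUIRED_FIELDS = {"customer_id", "email", "country"}

# Need to know: each role sees only the fields its job requires.
# (Assumed roles for this example.)
ROLE_VIEWS = {
    "support": {"customer_id", "email"},
    "analytics": {"customer_id", "country"},
    "dpo": {"customer_id", "email", "country"},
}

MIN_PASSWORD_LENGTH = 12          # assumed policy value
PBKDF2_ITERATIONS = 600_000       # assumed work factor for PBKDF2-HMAC-SHA256


def minimize(submitted: dict) -> dict:
    """Drop every field not on the allow-list before anything is stored."""
    return {k: v for k, v in submitted.items() if k in REQUIRED_FIELDS}


def view_for_role(record: dict, role: str) -> dict:
    """Return only the fields the given role is permitted to see."""
    if role not in ROLE_VIEWS:
        raise PermissionError(f"unknown role: {role}")
    return {k: v for k, v in record.items() if k in ROLE_VIEWS[role]}


def hash_password(password: str) -> str:
    """Enforce a minimum length, then store a salted PBKDF2 hash, never the password."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


class CustomerStore:
    """In-memory store that applies the three controls on every write and read."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}
        self._credentials: dict[str, str] = {}

    def register(self, submitted: dict, password: str) -> dict:
        record = minimize(submitted)               # extra fields never reach storage
        self._records[record["customer_id"]] = record
        self._credentials[record["customer_id"]] = hash_password(password)
        return record

    def get(self, customer_id: str, role: str) -> dict:
        return view_for_role(self._records[customer_id], role)

    def login(self, customer_id: str, password: str) -> bool:
        stored = self._credentials.get(customer_id)
        return stored is not None and verify_password(password, stored)


if __name__ == "__main__":
    # Constructed sample input: a sign-up form that asks for more than is needed.
    form = {
        "customer_id": "c-1001",
        "email": "alice@example.test",
        "country": "CA",
        "date_of_birth": "1990-01-01",          # not required -> dropped
        "mothers_maiden_name": "Smith",         # not required -> dropped
    }
    store = CustomerStore()
    print("stored record:", store.register(form, "correct horse battery staple"))
    print("support view:", store.get("c-1001", "support"))
    print("analytics view:", store.get("c-1001", "analytics"))
    print("login ok:", store.login("c-1001", "correct horse battery staple"))
    print("login wrong:", store.login("c-1001", "wrong password 123"))
```

The minimization step runs before the write, so fields that were never needed are never at risk; the role views enforce need-to-know on read; and the credential store holds only a salted, iterated hash, so a copy of the store does not yield passwords.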
Senior Info/Data Management Professional - Experienced Senior Leader in multiple Data Management disciplines - Data Strategy | Data Governance | Data Protection | Data Privacy
7 years ago
I think you'll find you're securing the data/information from inappropriate use and/or access. You're protecting the company/organization and your customers.