
ISO and OSI model: How Does ISMS Protect OSI Model From Cyber Threats?

Cyber threats can occur at any layer of the OSI model, from the Physical Layer up to the Application Layer. A separate article describes the functions of each OSI layer.
This article covers the common threats that can occur at each layer of the OSI model, and how an Information Security Management System (ISMS) built on ISO/IEC 27001:2013 (the ISMS requirements standard) and ISO/IEC 27002:2022 (the catalogue of information security controls) provides the controls needed to secure each layer.

Examples of Cyber Threats at OSI Layers

1. Application Layer

Solution Provided by ISMS

2. Presentation Layer

Solution Provided by ISMS

3. Session Layer

Solution Provided by ISMS

4. Transport Layer

Solution Provided by ISMS

5. Network Layer

Solution Provided by ISMS

6. Data Link Layer

Solution Provided by ISMS

7. Physical Layer

Solution Provided by ISMS

Conclusion

An Information Security Management System (ISMS) therefore plays an important role in securing every layer of the OSI model, and an organisation can secure its environment as a whole by implementing one.
We are one of the leading professional firms that can assist you in establishing a customised ISMS. Contact us to learn more about our IT management consulting services.

Why Organisations Need to Take Data Privacy Seriously

Why Data Privacy Matters for Indian Organizations in 2023

By 2020 India had nearly 749 million Internet users, growing at 7-8% a year, and it is well on the path to becoming a digital economy and a large market for global players. The Indian IT sector has been growing at around 10% per year, with a market size of $100 billion in 2021, and Indian IT expenditure has been projected to reach $150 billion by 2022. The rapid growth in Internet users and the Government's "Digital India" push, under which citizen services are delivered through technology and the Internet, pose a growing challenge to every individual, private and public entity.
Given the potential that Indian tech-driven organisations carry, it is time for Indian information technology service organisations to engage seriously with data protection and privacy frameworks. Information security now occupies a pivotal place in security policy. The range of threats, from individual privacy to organisations' intellectual property, makes it imperative to look for more sophisticated data protection frameworks. The recent Indian bill on data protection, the Personal Data Protection Bill, was a step in the right direction. Cyberattacks cost organisations that handle data millions of dollars, so it is always better for an organisation to invest proactively in cyber security frameworks. Larger economies such as the EU and the US have already acted to put data protection frameworks in place, although those frameworks have been criticised as overly complicated or inadequate. This is the right time for India to recognise the significance of data protection while still encouraging the IT market and technology innovation to reach their full potential.

What are the benefits of data privacy regulations for an organisation?

  • Data privacy increases trust in, and the credibility of, an organisation.
  • Adherence to data privacy requirements gives better oversight of data processing.
  • Better data privacy frameworks provide enhanced data management mechanisms.
  • Privacy is key to trust: better data privacy protects and improves an organisation's brand reputation.
  • Easier business process automation.
  • Data privacy, through frequent audits and well-designed policies, gives organisations a better platform to operate on.
  • Data privacy reduces financial loss for data-driven business organisations.
This is an era in which every human interaction is influenced by technology, with data as the medium. We live in a transition phase that is leaving the third industrial revolution (the digital revolution) and entering the fourth, a fusion of technology with other spheres such as physics, biology and the life sciences. This technological revolution has created new markets and innovative business models; from young start-ups to large MNCs, every entity has benefited from it, and it has made data omnipresent. Today every organisation handles digital transactions involving some kind of data every day. Even though digitalisation and data processing are crucial for efficient service delivery, unregulated and arbitrary use of data, especially personal data, impedes individual autonomy and privacy. Data protection is therefore essential to secure the independence and privacy of individuals and of private and public entities.

India, one of the youngest and leading IT-sector-based countries, tops the list of countries facing cyberattacks since the pandemic. Around 68 per cent of companies in India have faced some form of cyberattack since the beginning of the pandemic, and 1.1 million cyberattacks were reported in India in 2020. As per the reports, 50,000 cyber-crimes were reported in 2020, of which nearly 100 were reported as data theft. Financial and banking data breaches are regarded as among the most sensitive; in 2020 alone, nearly 4,000 cases of financial data breach or banking fraud were reported. The Supreme Court of India, in its landmark 2017 judgement (Justice K.S. Puttaswamy v. Union of India), held that the right to privacy is a fundamental right guaranteed by the Indian Constitution. As one of the demographically youngest nations, with the fastest-growing number of unicorns valued at over a billion dollars, and a world leader in IT services, it is indeed time for Indian firms to take data privacy seriously.

INNOVATION IN THE AGE OF CYBERSECURITY

Do strict regulations penalise innovation?

The most complex challenge facing every individual, corporate entity and government in the 21st century is cybersecurity, and this is going to continue in the coming years. To counter it, fight the blitz of cyberattacks and create a secure environment for business, governments all over the world are introducing strict data protection regulations. It is a huge task to build an effective policy framework that makes data protection, especially personal data protection, safe and secure while upholding the fundamental right to privacy. In a scenario of fast-paced growth in innovation and technology across the globe, regulating information technology and digital communication is certainly not easy. Every data regulation framework should emphasise data protection without hindering the space for innovation. This article therefore discusses how some popular data protection regulatory frameworks engage with innovation and technological advancement.

1. EU's GDPR:

Compliance with the EU's GDPR entails better organisational management of data and disclosure of information, and efficient management of data collection and processing. Data protection by design (Article 25 GDPR) has been a legal obligation since the GDPR became applicable in 2018. It means selecting, deploying, configuring and maintaining the appropriate technical measures and techniques so that data protection is built into a system's design. Accordingly, achieving GDPR compliance requires engagement with the rules, greater staff management, the appointment of data protection officers and improved data protection management. Some entities feel the pressure of these regulations and fear that it will lead to less innovation. Common perceptions among corporate entities are:
  • Compliance leads to high costs
  • Regulation raises entry barriers, reducing competition and the incentive to innovate
The effect on innovation is highly sensitive to the characteristics of the regulation. Through privacy by design, the GDPR has encouraged companies to take a proactive rather than a reactive approach to cyber and digital vulnerabilities, and it creates a kind of digital trust among consumers and business partners. Digital trust includes transparency and accountability, which builds a strong reputation for firms that comply with data protection regulations. Privacy by design, impact assessments and internal audit mechanisms have had a positive effect on organisations' internal structures. According to research, regulation-driven innovations are as successful in the market as other innovations.

2. India's Data Protection Bill:

The Indian Data Protection Bill, which is yet to become law, explicitly makes room for innovation. It provides for a "sandbox" for organisations (data fiduciaries) that work with artificial intelligence or other emerging technologies. A data fiduciary whose privacy by design policy has been certified by the Authority is eligible for inclusion in the sandbox for twelve months, renewable no more than twice. The Bill also separates out data fiduciaries that process a high volume of data as "significant data fiduciaries".

3. UAE's Personal Data Protection Law:

The UAE, generally regarded as a hub of innovation, recently introduced its federal Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, in force from January 2022). Although most of the UAE's data protection provisions replicate the EU's GDPR, the UAE's data protection landscape differs from it in some respects, such as the exclusion of government data and government-authorised data from the scope of the law. Also, unlike the GDPR, the UAE already had sector-specific data privacy regulations in areas such as health, the judiciary, banking and finance. In particular, free zones that have their own data protection law, such as Dubai's DIFC and Abu Dhabi's ADGM, which host offices of large MNCs and growing start-ups, are not covered by the new federal law, leaving them room for innovation.
To conclude: in practice, regulation provides additional incentives for innovation, leading to the creation of new technologies, products and markets and the discovery of overlooked efficiencies. Regulation also safeguards crucial assets such as data and intellectual property and mitigates cyber threats. Tight regulation leads to greater trust in the digital economy.

INDIA’S NEW PRIVACY REGULATIONS

India's New Personal Data Protection Law:
Key Changes & Implications for Businesses.

The Indian government put forward the draft Personal Data Protection Bill in 2019 to regulate data privacy and processing in India. With the fourth industrial revolution (the digital age), data plays an enormous role in the operation of any organisation. The EU adopted its General Data Protection Regulation in 2016, and the Indian government has brought in the PDP Bill in line with the GDPR. Like the GDPR, the Indian bill allows a time frame of two years for implementation of the new data protection regulations. The draft ushers in a paradigm shift in IT governance and regulation in India. It proposes rules for the "processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India". The absence of a dedicated data protection law in India has left individuals' personal data seriously exposed, undermining the fundamental right to privacy. The bill places a particularly heavy responsibility on IT enterprises, through which much of this data flows.
 
The Bill explicitly defines the roles of data fiduciaries, data processors and data principals, which is unprecedented in Indian law. The data fiduciary (an organisation, entity, individual, the State, or a combination of these that determines the purpose and means of processing personal data) bears the main responsibility for governing its data so as to comply with the data protection law.
On cross-border transfers, the Bill provides that sensitive personal data collected in India may be transferred outside India, with the explicit consent of the data principal and subject to the prescribed conditions, but a copy must continue to be stored in India; critical personal data may be processed only in India. India being one of the largest Internet markets, the volume of data handled in India places a huge task before IT enterprises to align with the new compliance requirements. Nevertheless, the enormous value that data has created makes regulation inevitable. The Data Protection Authority of India is made responsible for enforcing the data protection law. The Authority is given a pivotal role in the regulation of data through measures such as qualifying data auditors, monitoring data processing and exchange, and adjudicating powers.

The data fiduciary shall prepare a "privacy by design policy containing the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal", to ensure transparency and accountability. A new rating mechanism, the data trust score, is to be introduced to evaluate a data fiduciary's data protection regime; it is intended to build trust and credibility between data fiduciaries and data principals.

Data fiduciaries shall be classified into categories based on the range, volume and sensitivity of the data they process. Social media intermediaries above a notified user threshold may be classified as significant data fiduciaries in view of the wide range of personal data they process. A special "sandbox" category of data fiduciaries shall be created to encourage innovation among those that work with artificial intelligence or other emerging technologies.

The data protection officer shall be responsible for the periodic assessment of data fiduciaries working with new technologies and high volumes of personal data. A significant data fiduciary shall have its data protection framework audited annually by an independent certified auditor to assess its clarity, effectiveness, transparency and security. The data fiduciary is made liable to pay penalties and compensation as prescribed in the data protection law: a penalty of up to 5 crore rupees or 2% of worldwide turnover, or up to 15 crore rupees or 4% of worldwide turnover (in each case whichever is higher), depending on the contravention. An Appellate Tribunal shall be constituted to enforce the law, acting as an adjudicating authority with the same powers as a civil court under the Code of Civil Procedure, 1908.

CONTRAVENTIONS AND PENALTIES

Contraventions attracting a penalty which may extend to 5 crore rupees or two per cent of the data fiduciary's total worldwide turnover of the preceding financial year, whichever is higher:

  • failure to take prompt and appropriate action in response to a data security breach
  • failure to register with the Authority
  • failure of a significant data fiduciary to undertake a data protection impact assessment
  • failure of a significant data fiduciary to conduct a data audit
  • failure of a significant data fiduciary to appoint a data protection officer

Contraventions attracting a penalty which may extend to 15 crore rupees or four per cent of the data fiduciary's total worldwide turnover of the preceding financial year, whichever is higher:

  • processing of personal data in violation of the provisions of the Bill
  • processing of personal data of children in violation of the provisions of the Bill
  • failure to adhere to security safeguards
  • transfer of personal data outside India in violation of the provisions of the Bill
 

    Advantages of the PDP Bill

  • Protects critical information such as business transactions and financial statements.
  • Provides a standard procedure for data protection (the previous legislation touching on data protection being the Information Technology Act, 2000).
  • Personal data and sensitive personal data collected in India shall now be stored in India.
  • Transparent and explicit data collection and processing procedures.
  • Enhances user privacy by requiring advance notice of the purpose for which data is collected.
  • Explicit classification of data fiduciaries will increase accountability in data processing and protection.
  • Encourages innovation and technological advancement through the sandbox mechanism.
  • A dedicated Authority and appellate body to oversee data protection will improve the dispute resolution process.
  • Provides protection from cyberattacks.

    Disadvantages/Challenges of the PDP Bill

 

  • A heavy hand for the government in data protection, through the Data Protection Authority.
  • Employers may process employees' personal data (other than sensitive personal data) for employment purposes without consent.
  • It is a challenging task to make large MNCs such as Google and Facebook, with the latest innovations in technology (artificial intelligence and blockchain), subject to regulation and compliance.
  • In a more globalised world it is difficult to contain every piece of data generated within a country's borders, so Indian data protection provisions should be made compatible with other data protection regimes such as the GDPR and US data protection laws.

INFORMATION SECURITY: TOP 10 DATA BREACHES OF 2021

2021’s Biggest Data Breaches and What They Teach Us About Cybersecurity

A data breach is a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or exposed by an unauthorised individual, whether for personal gain or with malicious intent. Data breaches have a wide range of impact, from individuals to giant corporations and governments. With increasing user dependence on the Internet of Things and the rapid evolution of technology, it is much easier to collect and process data; however, where information security is ineffective, that data is vulnerable to breach.

ISO/IEC 27040 defines a data breach as a "compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed".

Data breaches expose millions of personal details or billions of dollars' worth of corporate information such as intellectual property, as well as government data. A data breach can originate internally or externally, and it directly or indirectly imposes great expense on organisations that handle high volumes of data. Many data breaches have little effect or are mitigated with little damage, but some impose a huge burden on the organisations concerned. To date the Yahoo data breach disclosed in 2016 has been the most expensive, costing nearly $1 billion.

"The cost of cybercrime continues to climb; it's expected to double from $3 trillion in 2015 to $6 trillion by the end of 2021 and grow to $10.5 trillion by 2025. The average cost of a single data breach in 2021 was $4.24 million, a 10% jump from 2019", according to Deloitte.

With advances in technology and changing user behaviour driven by the evolving IoT, information security has become a substantial concern. Data breaches can be classified by the amount of user information leaked, the value of the information leaked, and so on. Healthcare, energy, banking and utilities are among the industries most affected by data compromises.

Top 10 Data Breaches of 2021

      1. LinkedIn
         Data of around 700 million LinkedIn users was compromised in June 2021. This was the second data breach at LinkedIn, after the 2012 breach in which data of 200 million users was leaked.

      2. Facebook
         In April 2021, data of nearly 533 million Facebook users was compromised, including names, phone numbers, locations and other profile details.

      3. Socialarks
         In January 2021, data of around 200 million users was exposed from this Chinese social media management agency through an unsecured Elasticsearch database. The scraped data was largely unencrypted and not password protected.

      4. Bonobos
         This men's clothing brand suffered a data breach in January 2021 that compromised data of 12.3 million users. The company stated that cybercriminals targeted a backup server containing customer data.

      5. Twitch
         125 GB of sensitive data, potentially covering 7 million users, was leaked from this Amazon-owned company. Unlike the other breaches, the leak included almost the entire Twitch source code, so it may have affected all of its users.

      6. Neiman Marcus
         This US-based retailer lost data of nearly 4.8 million users, most of it banking details.

      7. MeetMindful
         This dating app lost data of nearly 2.28 million users; most of the data posted on the dark web was users' private information.

      8. Pixlr
         A database of nearly 1.9 million Pixlr users was breached in January 2021.

      9. Four sports warehouse brands
         The most recently reported data breach of 2021: data of about 1.8 million customers of four sports stores, Tackle Warehouse LLC, Running Warehouse LLC, Tennis Warehouse LLC and Skate Warehouse LLC, was breached, including most of the customers' credit card details.

      10. Graff
         Data of about 1.1 million customers of this UK-based jeweller was breached, including high-end customers such as Donald Trump and the Saudi crown prince.
Data breaches involve the exposure of many kinds of data: personal information such as names, Social Security numbers, addresses, email addresses and phone numbers, financial information and biometrics; corporate confidential information such as revenue details, sales reports, user details and trade secrets; and government data such as defence secrets and details of state beneficiaries.

Most data breaches happen because of ineffective cybersecurity practices at the organisations handling the data. In the past, many data breaches went unreported or were concealed by data fiduciaries. With the advent of strict data protection laws, however, it has become mandatory to notify any data breach together with the measures the company has taken to mitigate the damage.