Monday, 3 August 2015

[SERIES] POPII - Protection Of Personally Identifiable Information - Part 1

Privacy – this is very interesting, everybody wants protection over their own PII at the same time people are eager to know other PII.

So what is Privacy or Personally Identifiable Information (PII)?

PII is any data that could identify any living individual.

Before I start further, let’s understand few terminologies
Data Controller
Data controller means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data Processor
Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Data Subject
Data processor means an individual who is the subject of personal data.

There are laws and regulations on POPII across many countries. Different countries have defined privacy rules as per their requirements. All countries PII laws and regulations talk same with little changes. In general there are 7 to 10 Privacy Principles across various country’s laws and regulations

We shall discuss these principles in detail. However what is important is:

When and how organizations are receiving PII?

OR RATHER I would say

How do we end ourselves giving PII to different entities Knowing or -unknowingly?

To understand this holistically, let’s take examples of few different industries

Industries/ Category
PII Entry Point
Bank or Financial industries
·     At the time of opening an account (Fixed Deposit, Saving / Current acc, Loan etc)
·     Name & Address,
·     Age & Gender
·     Religion & Nationality
·     Education etc
(Demographic Info)
·     Physical form and later electronic form (Computer & Media)
Not much as such industries have strict regulations to follow in most of the countries.
Research Company
·     Online Survey
·     Field Survey
·     Demographic Info as mentioned above
·     Depend upon type of survey, it could be your personal political opinion, relational belief, Medical / Health related survey
·     Physical form and later electronic form (Computer & Media)
·     Are you aware what the purpose of these survey
·     Are aware how your PII would be protected by these research companies?
·     Are they going to sale your PII?
·     How long are they going to keep your PII?
·     Outsourcing or subcontracting
·     Data controller might share PII to third party (as a part of outsourcing. Data controller could be Bank, Insurance company, research firm, hospital, Parma company etc.
·     Any of above
·     Mostly electronic form
·     Are you aware data controller is going to share PII with third?
·     Did you give consent to your data controller?
·     Do you know how your PII is going to be protected at third party?
·     Do you know if your PII is going out of your country? Other counties might not protect your PII as your country.
Dispensary, hospital
·     Hospitalization
·     Regular checkups
Sensitive PII
·     insurance details
·     SSN
·     Health problem
·     Any health related deficiency
·     History of health
·     Medicines related etc
·     Mostly electronic form
·     Most of the countries have laws to govern health related information.
·     But the problem I personally feel: “is there any ongoing compliance audit? Have they published their privacy practices etc. Does Hospital staff aware of such information security requirements?
Hotels, Restaurant, Club membership
·     check-in
·     opt for membership
·     ID proof
·     demographic information
·     Registration form (physical) and later electronic mode
·     Does hotel or club have privacy policy?
·     Do their staffs understand the importance of privacy?
·     Do they have infrastructure/system to protect PII?
·     Are they going to share or sale your PII to any other entity?
Shopkeeper, Shopping Mall,  
·     At the time invoice generation
·     Mobile no
·     demographic information
·     Physical or electronic mode
·     Does shopkeeper or Mall have privacy policy?
·     Do their staffs understand the importance of privacy?
·     Do they have infrastructure/system to protect PII?
·     Are they going to share or sale your PII to any other entity?
All Types of employers
·     At the time of hiring or in a process of Interview
·     Periodic appraisal / feedback meeting
·     ID proof
·     demographic information
·     Salary & Bank account information
·     Experience, education and qualification details
·     Performance & appraisal details
·     background / ref check check report
·     physical as well as electronic information
·     Does employer have privacy policy to protect their employee information?
·     Does employee aware if employer is going to share PII with third party?
·     are appropriate system / infrastructure in place to protect PII?

There could be many industries; I have only listed few to set a context for my “POPII blog series”

I thought this would be good to start to explain “Where and How are sharing PII with various “Data Controller”.  Many times we tend to forget “How PII is going to be secure? Can somebody misuse my PII?

Hope this would be useful.

Wait and watch for my NEXT blog on “PRIVACY SERIES”. I shall explain on types of PII and privacy principles.

Friday, 12 June 2015

The Art of Effective POC – Part 3 (Post-POC)

Before I start on Part 3, till now we have seen:


  • Identify business requirement and its weightage
  • Multiple products & feature analysis
  • Organization’s budget Vs Cost
  • Product in Architecture
During POC
  • Test users
  • Test scenario
  • Simulate test scenario in 

This is my last blog on this series of “The Art of Effective POC”. The focus of this blog is on POST-POC activities.

Many IT professional believes, Once Simulation (activity at During-POC) is completed, POC is completed. Answer is NO, a very BIG NO.

Before you conclude on completion of POC, make sure you have answer of below questions:
  • Are you confident that Product is meeting your BUSINESS REQUIREMENT?
  • What would be the BUSINESS IMPACT, if we go ahead with product?
  • What would be the BUSINESS IMPACT, if we do not go ahead with product?
  • Does this product going to meet / support my future BUSINESS GOALS?
  • If we are going ahead with product, what RISK are we carrying? Is these RISKS acceptable to organization?

Q: How do I get an answer of these questions?
A: Follow Phase 3 (Post POC)

Post POC

Evaluate weightage score
Let’s recall our Pre-POC phase where we had documented BUSINESS REQUIREMENT along with weightage and category. Now it’s time for qualitative analysis. Based on your “Test Scenario Simulation and analysis” in Phase 2, apply simple mathematical analysis to calculate weightage. Calculate Weighate for each BUSINESS REQUIREMENT and arrive at final score for each product.
Though this method is quite subjective but if followed effectively, could be helpful for CISO to take quick decision. The reason or objective behind weightage is to help management to take quick decision.

Walk through to CISO
This is extremely important. At least Project Owner should take CISO walk through for BUSINESS CRITICAL requirements. Reasons are:
  • CISO would be able to take decision with firm confidence.
  • To take feedback / input
  • CISO can relate product features from future BUSINESS GOALS perspective
  • Identify risks

Risk Communication
Companies where Information Security is discussed at Board level, this becomes mandatory requirement.

Q: What is Risk Communication?
A: Process of acknowledging that RISKS have been understood and accepted.

There might be gaps between “what are our expectations” Vs “What product is offering OR what we are procuring”. These gaps could be non compliance against business requirement or information security policy. In simple terms, these gaps are RISKS

These RISKS must be assessed by company’s TOP MANAGEMENT to conclude whether RISKS are acceptable OR not acceptable.

In give scenario, Decision is “Acknowledging whether product is meeting business requirements or not meeting business requirements”. Decision is taken considering many factors e.g. weightage, CISO’s feedback / input, Risks , future capability and could be many more depend upon size and type of organization.

With This I would like to END this series on “The Art of Effective POC” As promised, please download POC-Template Excel File.

Hope this would be useful.. 

Saturday, 6 June 2015

The Art of Effective POC – Part 2 (During-POC)

In Pre-POC, We have identified business requirements; analyzed features of products, budget vs. cost analysis and analyzed product architecture. Success of POC is depended on meeting Pre-POC requirements.


Test Users
Careful selection of test users is also an important aspect of project. At the end you want few users to test identified product requirements and provide a feedback. Test users should not be identified just for the formality. I would prefer to have one session with test users to explain what to do and what is expected. Test users should have below qualities:
  • Test users should have clear understanding about requirements identified in Pre-POC.
  • Test users should have techno-process background to provide feedback both in terms of technology as well as process aspect.
  • Test users team should be compress of IT and Business. It is good to involve few users from business as well. In certain product POC, it is idea to have test users team from business only.

Test Scenario
Test scenario is derived from business requirements identified in Pre-POC. Test scenario is converted version of business requirements. The difference is, Test scenario would be technical in language. Test scenario is written for each business requirements identified. One business requirement can have multiple test scenarios. Lets take a example of EndPoint Security
Test Scenario (Example)
Virus Scanning
·         Virus scanning for following platform:
-) Windows
      -) Mac
      -) Linux & Unix
      -) Virtual Servers
      -) NAS & SAN box
·         Schedule & Manual scanning
System utilization during Full Scan
·         Virus Found auto Alert (e-mail, SMS)
·         Virus Treatment (Delete, Quarantine, Clean)
·         Virus signature auto update
Device Control
·         Block USB
·         Block CD/DVD
·         White list of certain system.
App. Blocking
·         Allow only white listed SW on system.
·         Auto alerts in case unauthorized SW found
·         SW Inventory
Patch Mgmt
·         Patch management for all platform
-) Windows
      -) Mac
      -) Linux & Unix
      -) Virtual Servers
      -) NAS & SAN box
·         Report Patch wise
·         Report system wise
  • Patch release auto alter
·         Audit log of each virus detected
Product does not have HIPS feature
Product does not have NAC feature

*Above test cases are only example, this list has be quite extensive and needs series of meetings between IT and Product Vendor.

Simulate Test Scenario
Test scenario should be very simple & specific. Once scenarios are prepared, floor should be given to Test Users for simulation. During simulation, every day meeting between project manager and Test user is recommended to discuss progress and share test experience within team.

Test user should be given template/format in which output needs to be recorded, certain cases test user should preserve evidence e.g. screen shot of config file, system utilization, abnormal system behaviour etc. Idea is to share instant feedback with vendor to further fine tune system for effective POC.

Please note that every business has a unique requirements, product/technology needs some amount of customization during POC as well as during product implementation (Post procurement).

My next blog “The Art of Effective POC – Part 3” would focus on Post-POC. Post POC is most import phase. In this phase Team has to present the facts and management has to take decision. The KEY is we need to present sufficient information to management to take decision without any stress.

Hope this would be useful…