Learn how Location Services protects your privacy. November 2019
Learn how Location Services protects your privacy. November 2019
Effective Jan. 1, 2020, the California Consumer Privacy Act creates new protections for the personal data of California residents and new requirements for the businesses that process it. With CCPA’s 12-month look back from the effective date, enforcement beginning July 2020, and a private right of action tied to data breaches, some critical action is needed now. Go to the IAPP Site for full story and white paper:
At Facebook’s annual developer conference on April 30, founder and CEO Mark Zuckerberg laid out a major change for the social media platform: a shift to privacy. Facebook’s redesign, which was first announced in a blog post in March, aims to prioritize private, encrypted messaging (on Facebook Messenger as well as Facebook-acquired WhatsApp and Instagram’s Direct Messaging) and Facebook groups over the more public “town square”-style News Feed that has been the cornerstone of the platform since its founding. Private messaging, Zuckerberg argued, is the future of social media communications.
Full Post: https://www.lawfareblog.com/focusing-privacy-wont-solve-facebooks-problems
10 Ways To Detect Phishing Emails 🎣 – Infographic via LogRhythm
The Chinese government has been working for several years on a comprehensive Internet security/surveillance program. This program is based on the Cybersecurity Law adopted on 2016. The plan is vast and includes a number of subsidiary laws and regulations. On December 1, 2018, the Chinese Ministry of Public Security announced it will finally roll-out the full plan.
For a Government obsessed with the optics it is surprising how often this current administration does things that leave it wide open to criticism.
FULL STORY: https://www-irishtimes-com.cdn.ampproject.org/c/s/www.irishtimes.com/business/technology/is-ireland-breaching-eu-rules-by-underfunding-data-regulator-1.4047897?mode=amp
Several members-only dark web forums are reportedly auctioning what appears to be a stolen government database featuring the personal information of 92 million Brazilian citizens.
The 16GB SQL database contains such information as name, birth date, mother’s name, gender and tax details including taxpayer IDs, according to BleepingComputer, which credits the discovery to a researcher with the Twitter user name Breach Radar.
Data breaches that occurred over the last few months have quite literally impacted close to one-third of the US population. This staggering number supports the inevitable conclusion that something is very wrong, and that data vulnerabilities represent possibly one of the greatest threats facing not only corporate enterprise, but government agencies as well. Aetna, Equifax, and Time Warner Cable, companies that collectively manage the health information, credit ratings (including highly sensitive financial data), and the communications of a large percentage of the population, recently admitted to massive data breaches and notified those impacted customers that their personal information had been compromised. Reasons given vary from exploitation of a website vulnerability and an affiliate accidently leaking sensitive personal information. These companies will face not only potential litigation and regulatory enforcement action that could represent billions of dollars of loss. Equifax shares have dropped 21 percent since their breach was disclosed on Sept. 7, the biggest two-day drop since 1998. (https://www.bloomberg.com/news/articles/2017-09-11/equifax-backed-out-of-public-investor-presentation-after-breach). Even more sobering, had these breaches occurred after May 25, 2018, the official start data for enforcement of the new EU General Data Protection Regulation, which at least in the case of Equifax also resulted in significant data loss for UK personal information, these companies could have faced additional staggering penalties of up to 4% of their global annual revenue.
As the Director of Sales I am often asked a basic question, “Which edition of BeyData Librarian is right for me?” This is a good question and one that people should consider based on their mission. The different editions were purpose built for specific needs and therefore the wrong edition could lead to a waste of resources or not having what you need.
To understand this better let us first look at a couple of early product roles:
So, on many teams an assessment may be created by a law firm or consultant. These then would be given to their client. If you are never going to run an assessment except to test if it functions as designed than the personal edition is right for you. It is in the running of the assessments themselves where you will see a difference.
Let us ask some Questions and show the version for each answer in a grid:
Who will be using the software?
|It will be a single user on their personal computer||Best Choice||Not Required||Not Required|
|There will be three users of the software in one location||Will not work||Best Choice||Would work, may be overkill|
|There will be many users across our organization in multiple locations||Will not Work||Not the Best Choice||Best Choice|
|Reports do not need customization||Best Choice||Not Required||Not Required|
|Need to customize all reports||Will not work||Will Work||Will Work|
|Just me||Best Choice||Not Required||Not Required|
|Need Windows Authentication||Will not work||Will Work||Will Work|
|Need Active Directory Support||Will not Work||Will Work||Will Work|
Assessments and Diagrams?
|I only need to create Assessment Templates, Nothing else||Best Choice||Overkill||Overkill|
|I need to create Assessments, Data Flow / UML Diagrams, and Run Assessments||Will not work||Will Work||Will Work|
|I need to Run Assessments||Will Work||Will Work||Will Work|
The Personal Edition is good for those just starting out where the work being done is NOT team based. Additionally, this version is great for a technical person that is building assessment templates but will not actually be completing any assessments. It is also a good way to run a full fledge trial of the software with all functionality enabled.
The Professional Edition is often referred to as the Team Edition. Multi User support with SQL Express and Server Support along with support for multiple Authentication methods. The Professional edition also adds the ability to customize the reporting to match your company and brand.
The Enterprise Edition has everything that the previous versions have but adds Azure support for the Hybridicity required by many organizations who also work with third parties and external organizations.
BeyData Librarian ships with many templates but you may need to create a company specific Assessment. This may seem like a daunting task but it is quite simple. This blog post is designed to take you through the steps to automating a manual or spread sheet process that you currently use. For this example, we will use the Cloud Accountability Projects, Data Protection Impact Assessment. You can view the PDF here: Assessment PDF and more information regarding the cloud accountability project can be found here: http://www.a4cloud.eu/ . This assessment is provided under creative Commons with an Attribution and ShareAlike requirement (https://creativecommons.org/share-your-work/licensing-types-examples/).
What we want to do is replicate the “Cloud DPIA Questionnaire” from this document so that instances of the assessment can be run and rerun in an automated process. Here are the steps:
The Task Block is simple and can be identified by its shape of a rectangle. The first one we have is EU Activities and more importantly it corresponds with the first question in the assessment
So, in this first line there are some questions regarding the type of project and defining territory
First, “Is the establishment of your activities in European territory?”
Then there is an Explanation section for the Privacy Pro completing the Assessment: “Whether the processing of personal information of your undertaking takes place in the European Union or not is not relevant. If you are not established in European Union territory, but you offer goods or services to individuals in the EU or monitor them, then you should answer Y to this question.”
The type of question is a Yes/No and for our purposes we will turn this into a checkbox and Checked\Unchecked (Yes/No or True/False) as we will need to test this answer.
Here is what the Task block pages look like with descriptions:
The first page defines the task, you can have one or many. There is the Task Subject /Question and then the description. There is of course the assignment and whether you want to send an email alert. The “Assessment Team” as shown here is a user group, you could also just send it to an individual. Some people prefer not to use email updates as part of the workflow, this is not required.
The Assessment comes with Guidance related to the Response, in Column one the Response Yes is: You have to comply with European Union laws, and Response No is blank. The Actions for each item are important.
The status of this task can be an Open/Done value or the approval type.
Some Privacy Pros will want to attach or review attachments for any instance of the assessment. This tab is where you define those items.
The Answers Page is where we define the items for which we want answers. It can be one to many items and how the answer is provided is up to you. In this case we want a check box but you can also use text, date time, memo, drop down choices. In many cases in this assessment we will use both Check boxes and drop downs.
Finally, there is the task expiration page, and this can be set to whatever you require. The assessment that ships with BeyData Librarian by default ships with no expiration.
The Actions are important and step one has the following actions:
If Yes: Go to the next question
If No: This Questionnaire is addressed to businesses and/or organisations which are established in the European Union. Since you are not established in the EU, this Questionnaire does not apply to you. (So Exit the Assessment)
You can see this clearly in the flowchart:
A “Yes” answer continues to the next step and a “No” answer ends the assessment.
The Score, Weight and Indicators need to be set on this first task block:
And for this first block it is: N/A – This answer is not counted in the overall score with a weight of zero and no risk indicators in this assessment they describe risk indicators as follows.
There are seven privacy indicators:
Sensitivity (SEN): Risks related to a sensitive market (i.e. elderly, children, etc.) and/or sensitive data (i.e. health or medical conditions, finance, sexual behavior)
Compliance (C): Risks related to compliance with external standards, policies, laws, etc.
Trans-border data flow (TB): Risks related to transfer of information across national borders
Transparency (T): Risks related to transparency in the areas of notice/user messaging and choice/consent
Data control (DC): Risks related to control of the data lifecycle (i.e., collection, usage, quality, and/or retention)
Security (SEC): Risks related to security of data and data flows
Data sharing (DS): Risks related to sharing data with third parties
And here we ask if we are collecting European data and as required the answer “NO” ends the assessment and the answer “Yes” goes to the next step.
We can handle both line two and three in this task block
If “health, employment, social security and law enforcement” then 1, else if “historical, scientific statistical or research purposes” then 1/4, else if “exercise of the right to freedom of expression or information” then 3/4, else 0. With a weight of 1 and code SEN, here is an example:
So, to set risk for this task we would select the [ Set Risk] button
And under Risk to Individual set values as required.
PLEASE NOTE: You could also set these in the flowchart programmatically, please see the help file for more information on programmatic options.
Remember even if you are setting the risk programmatically you must create the risk table for the instance as this is where risk values are stored for the assessment. After selecting [OK] you will get a message that the assessment instance and risk table are created – Once the instance is created the assessment is running.
To create the BeyData Librarian Assessment took three (3) hours and to run a complete test of the assessment and branching took 17 minutes. So in under 3.5 hours the assessment was created and new instances could be created at will. If we had the original spreadsheet it would have been quicker because when copying and pasting from a PDF many formatting updates are needed. It would have been under two hours if we had the original content.
You can Update your software to the latest build, or request that your account representative send you the new assessment template and import the template via the share functionality
If you do not have the software and want to see this in operation simply request a demo. https://www.beydata.com/RequestTrial.htm