The Risk, Privacy, and Data Workflow Basics of BeyData Librarian

BeyData LibrarianBeyData Librarian is a Risk Management System that empowers organizations to build and maintain a catalog of all their data flows, PII processing, and risk assessments. By creating a scalable and repeatable processes it enhances the building and maintaining of Data Inventory Catalogs with Workflow and Data Flow Diagramming. The system is designed for small-medium businesses, consultants and enterprise organizations. Great effort was taken in allowing non-technical users to use the system to meet and exceed regulatory requirements, to keep and maintain accurate records of the data that they process, and to document their procedures and technical controls for addressing privacy and security risk.

BeyData Librarian uses a Drag and Drop user interface that creates a core group of processes that empower non-technical compliance officers, systems owners or business users to easily create, view and work with their risk assessments.  Anyone familiar with basic flow or data charting/diagramming will have no problem using the software. BeyData Librarian allows users to rapidly automate and build out workflows to reflect existing manual processes in an extremely timely manner.

The system utilizes core building blocks designed for ease of use, so that users can Build Once, Re-Use Often”. BeyData Librarian allows users to create an initial set of workflows based on the regular nature of their business. These workflows can include; inventory of data, systems identification, processing activities and associated task management, required documentation, risk assessments and approval chains.  Once these workflows have been developed they can be called and/or re-used as the components for all Privacy, Security or Risk Assessments across the organization.

In this way, rather than building a new workflow for every processing activity, organizations can scale their efforts. This “tool-kit” then becomes the core components for most of the processing activities within an organization. As most processing activities fall into a grouping of categories, this allows BeyData Librarian users to easily scale their efforts across an enterprise.  For non-identical but similar processes, BeyData Librarian cloning allows the organization to benefit from work that has already been done in the system, eliminating the need for repetitive data entry, but ensuring approval and review at every step required for accuracy.

BeyData Librarian uses optional Script Objects to control flow and to set workflow variables to some value via an expression. Script Objects allow the system, for example, to keep a running “risk count” that can trigger branching logic to require additional information, new approvals and/or to recommend technical controls.  These Objects are not required but are available and can provide great flexibility.

Workflows Tasks and Approvals can be automated and decentralized so that all necessary stakeholders can provide their input into the final risk assessment.  Task management can not only be predefined in the system, but more importantly can be addressed on an adhoc basis (based on user permission) so that the system can document and address both expected and non-expected risk appropriately.

So, for example, if in responding to a risk assessment, a new variable, not previously defined in the system, is introduced, a new workflow or automated alert can be automatically triggered.  It can also be assigned based on the workflow itself (i.e. does the CPO or CISO team respond to a question on controls within the system). This can be automated for system or data set or modified as necessary using “Flow Scripts” which allow for automated “exception handling” to previously defined logic.

Decisions can also be automated in the system based on predefined workflows utilizing Decision Objects. Decision Objects enable condition based actions or recommendations to control the flow of a risk assessment. For example, “Is my data stored in the Cloud” or “Am I collecting Sensitive PII as defined under the EU General Data Protection Regulation”?  Approvals can be implemented at the task level or at the assessment level.

BeyData Librarian provides the necessary level of simplicity, power and scale to support effective business processes for privacy and security risk management, and to document accountability for internal and external stakeholders. This system of accountability provides true ability for organizations to build a repeatable process for implementing a risk-based approach for data protection.

The following is a partial listing of the  main types of Objects in the system:

  • Script Objects – The Script Objects can be used to set variables or other code and variables to be used by the workflow.
  • Connector Lines – There are multiple types of connections that can Used, all to add both readability and functionality, they include but are not limited to; Source and Target Connectors, Branches. Joins, Arcs, and side connectors are also included.
  • Mail Objects – A mail system that allows for alerting based on conditions that allow for variable driven alerts, warnings and messages.
  • Task Objects – The task object is either a simple or complex object that can complete one or multiple grouped tasks, each task can allow or deny attachments and multiple allowed uses of attachments. Each task can allow additional fields to be added dynamically which are NOT predefined by the system. Approval types can be customized by the system and of course task expiration guidelines can be set.
  • Approval Object – Similar to the task object but with a single purpose of approval of a stage versus one to many tasks.
  • Decision Object – Allows for a conditional Expression to control the flow of the risk assessment
  • Canned Database Objects allow for Specific Updating of the associated risk database
  • Workflow Object – The Workflow object allows you to call one or many workflows from a workflow.
  • Flow Scripts – on connectors one can add a flow script, this allows you to set a variable conditionally and branch to a certain location in the flow based on that variable.

For more information on BeyData Librarian or to schedule a Demo please send a request to Sales@beydata.com

Product Information Pagehttps://beydata.com/librarian.html 

Do we have to change the way we think about Privacy?

Social Network Analysis Image - By Martin Grandjean - Own work : http://www.martingrandjean.ch/wp-content/uploads/2013/10/Graphe3.png, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=29364647January 28th, 2017 was data privacy day (https://staysafeonline.org/data-privacy-day/) and on this day I normally write a blog post or speak at some conference about important guidelines or best practices for data privacy. However, over the last year something has started to become more obvious to me as a result of my work. Data Privacy is not that simple. Yes, we can create systems and processes that help to prevent the leakage of data and those systems can be successful for companies. Policies, procedures and technical controls can help to protect financial and other sorts of confidential company data. That is, if the organization has and follows a good security and data privacy plan, which must also include facility security. While this seems simple, there are still so many data leaks. What is surprising is that Insider threats cause more than half of data leaks. Employees remain the biggest source of information leaks, both intentionally and unintentionally.

However, my area of research does not focus on whether or not what was predicted actually comes to fruition, but instead I focus on what are the threats of the future. I think everyone reading this brief post has some ideas on what those major threats may be, but I would like to suggest one on which there seems to be very little focus at this moment. The threat of public databases and the internet search engine and how that data should be influencing what should be considered personal and/or sensitive information that companies expose or use for research.

Let’s consider Sensitive Personal Data and Personal Health Information (PHI):

Sensitive Personally Identifiable Information(PII) / personal data means personal data consisting of information as to the data subject’s;

  • racial or ethnic origin,
  • political opinions,
  • religious beliefs or other beliefs of a similar nature,
  • membership of a trade union,
  • physical or mental health or condition,
  • sexual practices,
  •  the commission or alleged commission of any offence, or
  • any proceedings for any offence committed or alleged to have been committed by the subject, the disposal of such proceedings or the sentence of any court in such proceedings.

Under US Law and specifically the US Health Insurance Portability and Accountability Act (HIPAA), PHI that is linked based on the following list of 18 identifiers must be treated with special care including:

  • Names,
  • All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000,
  • Dates (other than year) directly related to an individual,
  • Phone numbers,
  • Fax numbers,
  • Email addresses,
  • Social Security numbers,
  • Medical record numbers,
  • Health insurance beneficiary numbers,
  • Account numbers,
  • Certificate/license numbers,
  • Vehicle identifiers and serial numbers, including license plate numbers,
  • Device identifiers and serial numbers,
  • Web Uniform Resource Locators (URLs),
  • Internet Protocol (IP) address numbers,
  • Biometric identifiers, including finger, retinal and voice prints,
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

These items seem quite easy for a company to protect but are they really? What about “inferred” personal or sensitive personal information? Who protects that data? If we look at insider threats and consider social media, search engines and public databases the insider threat is us, the data subjects. This is because friends, family, and ourselves like to share and sometimes overshare. This information becomes easy to find over time and can be used for good or bad ends.

Here are two simple examples:

Example One – The Diner

Recently, I went to meet a friend of mine at “The Red Arrow Diner” to discuss politics in Manchester, NH. It was crowded but we were fortunate to get a booth. My friend and I discussed climbing and our desire to go peak bagging of NH’s 4000 footers (1220m) in New Hampshire. I discuss other mountains I have climbed including Mt Aconcagua. He says, “Rob let’s do it!”

Unfortunately, there was a bad actor in the diner. They leave and go to Google.com, where they type in Rob NH Aconcagua. At the speed of light, they find out:

  • My full name
  • Where I have lived for last 30 years
  • Who my family is and where they live
  • Where I work
  • I am a member of the Freemasons and I have undergone my 32nd Degree with the Scottish Rite.
  • I am a pilot and they get my US Pilot License number and my medical certificate
  • I am a HAM Radio Operator and they get my FCC License and station ID
  • My Court Records
  • That I Believe in a God
  • Personal and Professional Blogs
  • My email addresses
  • Every book I published
  • Every Country I have been to
  • Every company I started

So there is some personal and sensitive information here, and if a bad actor is smart enough they can use this information to launch attacks against me. Here are some possible attacks:

1.      Theft or Burglary-Another climber or an opportunistic thief was in the diner, he knew that I had to have extreme altitude climbing gear or expensive gear to climb to the peaks that I have already done – He has my address and enough information to case my house and plan to attempt to rob me before my dogs get him/her.

2.      Spear phishing combined with social engineering-The person can find all my email addresses so they send me a mail from a “cousin in Philadelphia”. I fall for it and transfer them money for some crisis, or worse I open a funny party video, that they downloaded from my cousins YouTube site and malware is installed on it, say a key logger, and they get my data and account information.

3.      Retribution or Discrimination-For some reason I offended someone with my political views, they found my information on line and were enraged by my views and blamed them on the fact that I believed in God and drove to my house, sliced the tires on my car and broke windows, letting my dogs out before getting caught by the dogs.

There are more damages that can come from this and I will leave that to your imagination.

Example Two – The Plane

On a trip back from Moscow last year I met a nice woman on the flight, I will leave out the names and specifics so as not to leak her information and I will use other fake data in an attempt to protect her Identity. Carol (not her Name) was in a rush to get back to NJ as she missed her daughter and her boyfriend had been elected to a State Office in NJ (Not the actual state) when she was away and she wanted to celebrate with him. We had a great talk and discussed the cast on her arm (Not actually on her arm) and her profession “Kickboxing Teacher” (not her actual profession). Our conversation was interrupted a few times by a person sitting behind her that kept kicking her seat. Carol also got the attention of some men sitting around us that seemed to be listening to our conversation. She discussed her upcoming trip to Berlin and that she would be gone for two weeks and her daughter would be keeping her dog for that trip as there was no one local that could take care of the dog. In the end Carol said it was great talking to me and asked me if I wanted her email address so that we could stay in touch. I smiled and said “I bet I can find your email and full name without you telling me”, she smiled and said “you are on”. We exchanged no information. On getting home I went to my PC and I typed Carol, Kickboxing Teacher, NJ, Cancelled Classes.  I found the place where she worked with a nice personal Bio of Carol, that discussed that how her dog (that she loved) was a great companion, particularly as she was living alone since her daughter had moved out. I also found her Boyfriends full name and the office to which he was elected to in NJ. With the full name I then found her emailed her and sent her the steps on how I found the information. She was shocked that I found so much and grateful that I pointed out these leaks of personal information to her.

So there is some personal information here, and if a bad actor is smart enough they can use this information to launch attacks against her. People on the plane around us could have overheard and used that very same information to impact her, her family and possibly even to impact an elected official. Beyond social engineering, she too could be impacted by the threat of burglary, harm or many of the very same issues I listed above in the first example. I am sure you can imagine more harms and of course remedies.

In closing, for individuals, just like in corporations-we are the insider and many times we may pose the biggest risk to ourselves. We may be our very own biggest threat for data leaks. This raises some new considerations as well:

  • Should companies allow employees to post personal public or internal information on company web sites or collaboration mediums?
  • Should companies have to control the release of customer PII if the same information when combined with public search engines and public databases will lead to the release of personal health or other sensitive information?
  • Are we sharing to much information and does that information put us at risk?

Without intention, we may be harming ourselves, our families, or our career opportunities by sharing information that data aggregators can combine to paint any picture of us to suit their needs, and all of that data massaging is done at the speed of light. There is no simple answer to all of these problems, but one good piece of advice, from Data Privacy Day is before everything else “Stop, Think, and then Connect.”

Resources

FBI – Spear Phishing:https://archives.fbi.gov/archives/news/stories/2009/april/spearphishing_040109

Social Engineering Description on Wikipedia:https://en.wikipedia.org/wiki/Social_engineering_(security)

EEOC – Types of Discrimination: https://www.eeoc.gov/laws/types/

FBI – Cyber crime – https://www.fbi.gov/investigate/cyber

Stop Think Connect: https://staysafeonline.org/stop-think-connect/