Data breaches that occurred over the last few months have quite literally impacted close to one-third of the US population. This staggering number supports the inevitable conclusion that something is very wrong, and that data vulnerabilities represent possibly one of the greatest threats facing not only corporate enterprises but government agencies as well. Aetna, Equifax, and Time Warner Cable, companies that collectively manage the health information, credit ratings (including highly sensitive financial data), and the communications of a large percentage of the population, recently admitted to massive data breaches and notified the impacted customers that their personal information had been compromised. The reasons given range from exploitation of a website vulnerability to an affiliate accidentally leaking sensitive personal information. These companies face potential litigation and regulatory enforcement action that could represent billions of dollars of loss. Equifax shares have dropped 21 percent since their breach was disclosed on Sept. 7, the biggest two-day drop since 1998 (https://www.bloomberg.com/news/articles/2017-09-11/equifax-backed-out-of-public-investor-presentation-after-breach). Even more sobering, had these breaches occurred after May 25, 2018, the official start date for enforcement of the new EU General Data Protection Regulation, these companies, which at least in the case of Equifax also lost significant UK personal information, could have faced additional staggering penalties of up to 4% of their global annual revenue.
As the Director of Sales I am often asked a basic question: “Which edition of BeyData Librarian is right for me?” This is a good question, and one that people should consider based on their mission. The different editions were purpose built for specific needs, so the wrong edition can lead to wasted resources or to not having what you need.
To understand this better let us first look at a couple of early product roles:
- Create Assessments
- Run and Use Assessments
So, on many teams an assessment may be created by a law firm or consultant and then given to their client. If you are never going to run an assessment except to test that it functions as designed, then the Personal Edition is right for you. It is in the running of the assessments themselves where you will see a difference.
Let us ask some questions and show the edition for each answer in a grid:
| Who will be using the software? | Personal | Professional | Enterprise |
|---|---|---|---|
| It will be a single user on their personal computer | Best Choice | Not Required | Not Required |
| There will be three users of the software in one location | Will not work | Best Choice | Would work, may be overkill |
| There will be many users across our organization in multiple locations | Will not work | Not the Best Choice | Best Choice |
| Reports do not need customization | Best Choice | Not Required | Not Required |
| Need to customize all reports | Will not work | Will Work | Will Work |
| Just me | Best Choice | Not Required | Not Required |
| Need Windows Authentication | Will not work | Will Work | Will Work |
| Need Active Directory Support | Will not work | Will Work | Will Work |
| Assessments and Diagrams? | Personal | Professional | Enterprise |
|---|---|---|---|
| I only need to create Assessment Templates, nothing else | Best Choice | Overkill | Overkill |
| I need to create Assessments, Data Flow / UML Diagrams, and Run Assessments | Will not work | Will Work | Will Work |
| I need to Run Assessments | Will Work | Will Work | Will Work |
The Personal Edition is good for those just starting out, where the work being done is NOT team based. Additionally, this edition is great for a technical person who is building assessment templates but will not actually be completing any assessments. It is also a good way to run a full-fledged trial of the software with all functionality enabled.
The Professional Edition, often referred to as the Team Edition, adds multi-user support with SQL Express and SQL Server, along with support for multiple authentication methods. The Professional Edition also adds the ability to customize the reporting to match your company and brand.
The Enterprise Edition has everything that the previous editions have but adds Azure support for the hybrid deployment required by many organizations that also work with third parties and external organizations.
BeyData Librarian ships with many templates, but you may need to create a company-specific assessment. This may seem like a daunting task, but it is quite simple. This blog post is designed to take you through the steps of automating a manual or spreadsheet process that you currently use. For this example, we will use the Cloud Accountability Project's Data Protection Impact Assessment. You can view the PDF here: Assessment PDF, and more information regarding the Cloud Accountability Project can be found here: http://www.a4cloud.eu/ . This assessment is provided under Creative Commons with an Attribution and ShareAlike requirement (https://creativecommons.org/share-your-work/licensing-types-examples/).
What we want to do is replicate the “Cloud DPIA Questionnaire” from this document so that instances of the assessment can be run and rerun in an automated process. Here are the steps:
- Create a new Assessment: we will call the project CDPIA. Select the [Add] button and then rename the default name of “Assessment Definition 1” to “CDPIA”.
- Now edit the new assessment by selecting the [Edit] button, which brings up the assessment editor.
- From here we can start adding blocks. To save time, we completed this assessment before writing the blog post; the process is simply one of dropping blocks and connecting them. Let us talk about the block types used.
The Task Block is simple and can be identified by its rectangular shape. The first one we have is EU Activities, and more importantly it corresponds with the first question in the assessment.
So, in this first line there are some questions regarding the type of project and defining territory.
First, “Is the establishment of your activities in European territory?”
Then there is an Explanation section for the Privacy Pro completing the Assessment: “Whether the processing of personal information of your undertaking takes place in the European Union or not is not relevant. If you are not established in European Union territory, but you offer goods or services to individuals in the EU or monitor them, then you should answer Y to this question.”
The question type is Yes/No; for our purposes we will turn this into a checkbox, Checked/Unchecked (Yes/No or True/False), as we will need to test this answer.
Here is what the Task block pages look like with descriptions:
The first page defines the task; you can have one or many. There is the Task Subject/Question and then the description. There is of course the assignment and whether you want to send an email alert. The “Assessment Team” shown here is a user group; you could also just send it to an individual. Some people prefer not to use email updates as part of the workflow, and this is not required.
The assessment comes with guidance related to the response: in column one, the guidance for the response Yes is “You have to comply with European Union laws,” and for the response No it is blank. The Actions for each item are important.
The status of this task can be an Open/Done value or the approval type.
Some Privacy Pros will want to attach or review attachments for any instance of the assessment. This tab is where you define those items.
The Answers Page is where we define the items for which we want answers. It can be one to many items and how the answer is provided is up to you. In this case we want a check box but you can also use text, date time, memo, drop down choices. In many cases in this assessment we will use both Check boxes and drop downs.
Finally, there is the task expiration page, which can be set to whatever you require. The assessments that ship with BeyData Librarian have no expiration by default.
The Actions are important and step one has the following actions:
If Yes: Go to the next question
If No: This Questionnaire is addressed to businesses and/or organisations which are established in the European Union. Since you are not established in the EU, this Questionnaire does not apply to you. (So Exit the Assessment)
You can see this clearly in the flowchart:
A “Yes” answer continues to the next step and a “No” answer ends the assessment.
The Score, Weight and Indicators need to be set on this first task block:
For this first block it is N/A: the answer is not counted in the overall score, it has a weight of zero, and it carries no risk indicators. The assessment describes its risk indicators as follows.
There are seven privacy indicators:
Sensitivity (SEN): Risks related to a sensitive market (i.e. elderly, children, etc.) and/or sensitive data (i.e. health or medical conditions, finance, sexual behavior)
Compliance (C): Risks related to compliance with external standards, policies, laws, etc.
Trans-border data flow (TB): Risks related to transfer of information across national borders
Transparency (T): Risks related to transparency in the areas of notice/user messaging and choice/consent
Data control (DC): Risks related to control of the data lifecycle (i.e., collection, usage, quality, and/or retention)
Security (SEC): Risks related to security of data and data flows
Data sharing (DS): Risks related to sharing data with third parties
- Now we have to decide programmatically what to do next, and we therefore put a decision block on the flowchart.
And here we ask if we are collecting European data and as required the answer “NO” ends the assessment and the answer “Yes” goes to the next step.
- Now we go on to line number two. Question number two defines a checkbox question, “Do you handle information that can identify other people through one or more of the following activities?” The guidance is, “Think for instance, if you use names, identification numbers or location data. The collection of information related to individuals can be potentially intrusive to the information privacy rights of these individuals. In some types of projects information provided is more sensitive than in other ones e.g. Financial data”. Regardless of the answer, when complete we go to the next question.
- Web Browsing
- Account and/or Subscription Management
- Authentication and Authorization
We can handle both line two and line three in this task block.
What is different here is that there are risk indicators that we must deal with.
If “health, employment, social security and law enforcement” then 1, else if “historical, scientific statistical or research purposes” then 1/4, else if “exercise of the right to freedom of expression or information” then 3/4, else 0. With a weight of 1 and code SEN, here is an example:
So, to set risk for this task we select the [Set Risk] button.
And under Risk to Individual set values as required.
PLEASE NOTE: You could also set these in the flowchart programmatically, please see the help file for more information on programmatic options.
- You repeat these steps as often as required; this assessment has 50 steps and branching based on conditions. In the end the assessment looks like this in the assessment editor.
- Once created, you need to test the assessment. Open the assessment manager, select the [Run New] button, give the test assessment a name and select [OK].
Remember, even if you are setting the risk programmatically, you must create the risk table for the instance, as this is where risk values are stored for the assessment. After selecting [OK] you will get a message that the assessment instance and risk table have been created. Once the instance is created, the assessment is running.
Creating the BeyData Librarian assessment took three (3) hours, and running a complete test of the assessment and its branching took 17 minutes, so in under 3.5 hours the assessment was created and new instances could be created at will. If we had had the original spreadsheet it would have been quicker, because copying and pasting from a PDF requires many formatting updates. It would have been under two hours if we had had the original content.
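As an added example that is not BeyData code or part of the original post, here is a small Python model of the flow built above: the EU Activities task with its exit-on-No decision, the Identify People task carrying the SEN indicator rule with weight 1, and the instance's risk table. The block names, the answer keys and the weighted-mean aggregation of indicator scores are assumptions made for this example.

```python
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Any, Callable, Dict, List, Optional

# The seven privacy indicators defined by the Cloud DPIA questionnaire.
INDICATORS = ("SEN", "C", "TB", "T", "DC", "SEC", "DS")
EXIT = "__exit__"  # returned by a block's next_block action to end the assessment early
# The "If No" action text of the first question, quoted from the questionnaire.
EU_EXIT_MESSAGE = ("This Questionnaire is addressed to businesses and/or organisations which are "
                   "established in the European Union. Since you are not established in the EU, "
                   "this Questionnaire does not apply to you.")
# SEN rule for question two: the purpose is a drop-down choice, so the
# if/else-if chain in the text becomes a lookup on that single choice.
SEN_BY_PURPOSE = {
    "health, employment, social security and law enforcement": Fraction(1),
    "historical, scientific statistical or research purposes": Fraction(1, 4),
    "exercise of the right to freedom of expression or information": Fraction(3, 4),
}


@dataclass
class TaskBlock:
    """One rectangle in the flowchart: the question, its scoring and its action."""
    name: str
    question: str
    indicator: Optional[str] = None          # risk indicator code, None for N/A
    weight: Fraction = Fraction(0)           # zero: answer not counted in the score
    score: Callable[[Any], Fraction] = lambda answer: Fraction(0)
    # The decision wired after the task: answer -> next block name, EXIT to end
    # the assessment with exit_message, or None when this is the last block.
    next_block: Callable[[Any], Optional[str]] = lambda answer: None
    exit_message: Optional[str] = None


@dataclass
class AssessmentInstance:
    """A running instance: its path through the flowchart and its risk table."""
    path: List[str] = field(default_factory=list)
    status: str = "Running"                  # Running, Open, Exited or Done
    message: Optional[str] = None
    # Risk table rows per indicator: (weight, score) for each scored block.
    risk_table: Dict[str, list] = field(default_factory=lambda: {c: [] for c in INDICATORS})

    def risk(self, code: str) -> Fraction:
        """Weighted mean of the scores recorded for one indicator, 0 when none
        were recorded (an assumed aggregation; the post does not state one)."""
        rows = self.risk_table[code]
        total_weight = sum(weight for weight, _ in rows)
        if total_weight == 0:
            return Fraction(0)
        return sum(weight * score for weight, score in rows) / total_weight


def run_assessment(definition: Dict[str, TaskBlock], start: str,
                   answers: Dict[str, Any]) -> AssessmentInstance:
    """Walk the flowchart from `start`, scoring each answered block as it goes."""
    instance = AssessmentInstance()
    current = start
    while current is not None:
        block = definition[current]
        instance.path.append(block.name)
        if block.name not in answers:
            # The task has not been completed yet, so the instance stays open on it.
            instance.status = "Open"
            instance.message = f"Waiting for an answer on '{block.name}'"
            return instance
        answer = answers[block.name]
        if block.indicator is not None and block.weight > 0:
            instance.risk_table[block.indicator].append((block.weight, block.score(answer)))
        nxt = block.next_block(answer)
        if nxt == EXIT:
            instance.status, instance.message = "Exited", block.exit_message
            return instance
        current = nxt
    instance.status = "Done"
    return instance


# The first two steps of the CDPIA flow (the full assessment has 50 steps).
# Block names and answer keys are assumptions made for this example.
CDPIA: Dict[str, TaskBlock] = {
    "EU Activities": TaskBlock(
        name="EU Activities",
        question="Is the establishment of your activities in European territory?",
        # N/A: weight zero and no indicator. A checked box continues, unchecked exits.
        next_block=lambda checked: "Identify People" if checked else EXIT,
        exit_message=EU_EXIT_MESSAGE,
    ),
    "Identify People": TaskBlock(
        name="Identify People",
        question="Do you handle information that can identify other people?",
        indicator="SEN", weight=Fraction(1),
        score=lambda answer: SEN_BY_PURPOSE.get(answer.get("purpose"), Fraction(0)),
        next_block=lambda answer: None,  # the real flow goes on to question three
    ),
}
```

An unanswered block leaves the instance in the Open state on that task, which mirrors the assessment remaining "running" until every task is completed.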
Running our Example
You can update your software to the latest build, or request that your account representative send you the new assessment template and import the template via the share functionality.
If you do not have the software and want to see this in operation, simply request a demo: https://www.beydata.com/RequestTrial.htm
Almost daily we hear about a new data breach. This has made businesses and individuals nervous. This of course makes sense if we want to deal with this problem on an emotional level. The data that has been exposed may be personal, sensitive and valuable, and in some cases, may cause great harm. However, the best way to be safe in any environment is to maintain situational awareness. The US Coast Guard Team Coordination Training Guide defines situational awareness in a way that is helpful:
“Situational Awareness is the ability to identify, process, and comprehend the critical elements of information about what is happening to the team with regards to the mission. More simply, it’s knowing what is going on around you.” (Coast Guard)
Simply put, we need to know what is going on around us. Whether you are a pilot, surgeon, security specialist, Chief Security Officer or Chief Privacy Officer, you must have situational awareness. You must know all the “known knowns and the known unknowns.” (Graham). This kind of perspective has been very difficult, if not impossible, to achieve and maintain, because today’s Data Protection Professional has been working mainly through the lens of a physical data security model, and this is no longer sufficient.
As we continue porting our manual or legacy systems so that they are connected to the outer world, and as we become more global in our approach, it is obvious that we need to broaden the understanding we have of our systems beyond the brick and mortar of our buildings (and our networks) to gain true Situational Awareness.
BeyData Librarian is the precursor to any meaningful data protection. While this may seem a strong statement, it is one that we think fits. As an example, we’ve heard from more than one prospective client that the web-based application where they store data in a private cloud was secure because they use AES encryption, so they had no security concerns. I know that many of our readers are smiling. There are many threat vectors in this situation where encryption is not a factor and data may not be secure. This is where BeyData Librarian comes into play.
Here are some, but not all, of the basic considerations you should evaluate to gain Situational Awareness of your data: identify the systems that you are using, the data within those systems, the access points to and from those systems (for data in and data out), who within and outside of your organization has access to those systems, and the data flows and locations of data. Then also consider a wide range of regulatory issues, including Data Sovereignty, Consent, Third Party Access to (and use of) data, and Disposition of the data. These factors, along with others that may be specific to your business or industry, can be used to help you automate the process of understanding the risk to your business, customers, or individual data subjects if there is a breach; finally, you should identify the likelihood of a breach. This process should be ongoing and reassessed with any change in conditions and on a regular basis.
This by itself is not enough, because depending on your organization you may need to increase staff to properly assess your systems without the human error risk that comes from being short staffed or overworked.
BeyData Librarian handles these requirements by providing a solution that allows you to perform assessments for every new system that uses, collects, backs up or archives data, wherever it may be. BeyData Librarian also allows you to calculate risk based on common models like those from the National Institute of Standards and Technology (“NIST”) and the Centre for Information Policy Leadership (“CIPL”), or any custom risk model you may have implemented.
Depending on an organization's risk tolerance, the system will monitor and alert for risk levels that exceed what is acceptable. From a Security or Privacy Data Protection Officer's perspective, they now have an inventory of all their systems with associated risk levels. Putting a process in place that requires an assessment of any new system before it goes into production provides insight into your systems and data (collection, use and destruction) throughout the entire data lifecycle: simply put, situational awareness.
When you have situational awareness, you are ready to implement a system of security and data protection controls that matches your organization's security, legal, and statutory requirements and allows you to handle the known unknowns and the unknown unknowns!
Graham, W. R., Wikipedia (2017, July 10). There are known knowns. Retrieved July 19, 2017, from https://en.wikipedia.org/wiki/There_are_known_knowns
Coast Guard, U. (n.d.). Team Coordination Training Student Guide (8/98). Retrieved July 19, 2017, from https://www.uscg.mil/auxiliary/training/tct/chap5.pdf
Figure 1 – Known unknowns – The term was also commonly used inside NASA. Rumsfeld himself cited NASA administrator William Graham in his memoir; he wrote that he had first heard “a variant of the phrase” from Graham when they served together on the Commission to Assess the Ballistic Missile Threat to the United States during the late 1990s.
Videos on all aspects of using BeyData Librarian https://www.youtube.com/channel/UCR1sy8tnqvK-VNaspLoj6TA
BeyData’s “School Librarian Project” puts student privacy at the forefront with an advanced risk management system available to school districts regardless of their size and budget
School Librarian will enable schools of any size to build a simple and easily maintained privacy risk management program that will provide confidence to educators, parents, students and vendors that the proper controls are in place to protect children, our most vulnerable and important resource. The K12 license also provides access to free training resources and videos. To learn more about the BeyData School Librarian Project, or to apply for your educational license, please visit the project Web site at: https://www.beydata.com/schoollibrarian.html
Public Universities and Colleges may also contact BeyData for educational pricing
New Videos on YouTube https://www.youtube.com/channel/UCR1sy8tnqvK-VNaspLoj6TA/videos
BeyData Librarian helps you to conduct Risk Assessments for common Privacy and Security concerns, Regulatory Compliance or just to understand where your data is and who has access to the same. Each module is meant to either stand alone or be used with another assessment or Assessment block.
The base assessments shipped are:
- System Id – The system ID assessment allows you to define a system, documenting all its contact points, identifying the subject matter expert, and not only determining its primary locations but its overall geographical reach. What is also significant about this assessment is that it creates a data inventory catalog card of every system being assessed. These catalog entries can be used for reporting or contact call sheets.
- Data Sovereignty – This Assessment deals directly with the questions of where the data is received, used, stored, and backed up and whether the data is in the cloud. It looks at the origination of the data and considers where there are requirements to keep that data in country.
- Consent – The Consent Assessment deals with how consent is obtained, how consent is documented, whether consent is limited, and how the specific dataset is marked with consent. This is tied closely to purpose limitation, at which time the “reason” for holding this data is also documented, along with a projection of how long it should be retained.
- DPIA Module – The Data Protection Impact Assessment is a Grouped Assessment. By grouped we mean it combines multiple assessments into one assessment workflow. Both Data Sovereignty and Consent are assessments called from this assessment definition, so it represents a complete assessment rather than a building block. When using a sub-assessment you have an important option: you can choose to wait for the sub-assessment to complete or continue with the main assessment. With sub-assessments it is important to have an assessment name that you can recognize, so the main assessment is always listed as the parent. For example, the DPIA Module calls both Consent and Data Sovereignty, so if an assessment called SampleDPIA launches a Consent Assessment Module, the Consent module will be shown as the child assessment SampleDPIA.Consent.
- Third Party Assessment – This assessment module deals with third-party basics, such as identifying all third-party entities and which entities use the data. Additionally, it lets you indicate who is responsible for assuring proper use of data in the system and, if applicable, for determining what data can be shared with other parties and systems. It also allows you to define any policies and procedures that have been established for this responsibility and accountability.
- Data Access and Sharing – This Assessment module evaluates data access and sharing and it additionally determines if data is external and who has access. This assessment module calls the Third-Party Assessment and Third-Party Access Assessment.
- Data Security – This assessment module deals with how the data in the system is verified for accuracy, timeliness, and completeness. It also allows you to identify what administrative and technical controls are in place to protect the data from unauthorized access and misuse.
- Maintenance and Retention – This assessment module deals specifically with Data Maintenance and Retention. The questions also address the maintenance and retention of records, the creation of reports on individuals, and whether a system of records is being created under the Privacy Act, 5 U.S.C. 522a.
- Business Processes – This assessment deals with data collection, whether the data is in the cloud, backed up, subject to sovereignty requirements and shared, data aggregation, and potential profiling. It also deals with what controls are in place to protect the newly derived data from unauthorized access or use, with technologies, monitoring and types of corporate harm, and it asks the obvious question, “Did the completion of this Data PIA result in changes to business processes or technology?”
- Access Third Party Assessment – This is identical to the Third-Party Assessment but, for reporting purposes, is designed to be used specifically with Access Questions.
- Fork Example – BeyData Librarian provides a visual overview that has a workflow management process that combines Risk Profiles, Data Catalogs, Assessments, and Reporting to provide a unified risk management system. The Fork example shows how an assessment can fork off or branch off and then return later for a join and completion. It is a powerful feature so it was included in the default assessments as an example only.
Please remember these are simply examples; you can use them as working assessments or as examples of assessments. Also remember that you can modify these assessments. We recommend that you export an assessment, re-import it into the system as a new assessment definition, and then change the new assessment definition.
Remember that these assessment definitions are just that: definitions. It is not until you run a new instance of an assessment that an assessment is created.
It is also important to remember that you can create risk templates for an assessment, which allow you to define default risk for any question, answer, or branch depending on assessment answers. If you have further questions, refer to the manual or the context-sensitive help.
Below is a Visual Representation of the Assessments and their Flow
It is very simple to use BeyData Librarian with Microsoft Azure and SQL Server. To begin you need to set up an Azure SQL Server instance and then a database. It does not matter what you name the database, but in this example we named it workflow.
This is the database that will hold:
- All Assessment Definitions
- All team details
- All completed and working assessments
- All templates and system related data
- All risk tables and the data catalog
- All tasks and instances of workflows
- All default risk settings
Once you have created the database, simply go to the Database tools and open the Query Editor. In the DB folder of the installation you will find the SQL script that creates the BeyData Librarian tables. Paste in this code and select [Run]. Alternatively, you can open SQL Server Management Studio 17, connect to the database and use the SQL Server script in that solution.
This will create database tables with no data.
Another way to get the database and tables created is to use the SQL Server Import Data task and Import all Data from the Data tables. You will need to import both the Workflow database and the security database. These can be found in the DB folder of the Installation.
Connecting BeyData Librarian to your Azure Database
After these steps are done you need to establish the connection in BeyData Librarian. Here are the steps:
- Open BeyData Librarian
- Log into the system
- Select [File]
- Select Specify Database Settings and enter your settings.
- Test your connection; if the connection was successful you will see a connection succeeded message
- Once your connection is successful, select the [Save] button
- Restart BeyData Librarian
- And you are now using Microsoft Azure and your SQL Server Database in the cloud as your database
* These capabilities are only available in the enterprise edition of BeyData Librarian.
More about BeyData Librarian https://beydata.com/librarian.html
Download the BeyData Librarian Trial https://www.beydata.com/RequestTrial.htm
BeyData Librarian introduces unique “hybrid functionality” and a flexible framework that scales to support corporate and regulatory compliance
Concord, New Hampshire, July 5, 2017, BeyData, a leading provider of Risk Management, Data Protection and Compliance Solutions, today announced the release of BeyData Librarian, a hybrid risk management solution, that allows organizations to identify, assess, prioritize, remediate, mitigate and monitor security and privacy risk. BeyData platform technologies are forged from 20+ years of front-line security, data protection and compliance experience, fortified by deep engineering and research expertise. BeyData Librarian’s unique and distributed hybrid architecture allows business users to work in their own environment, without requirements for IT, scaling to support small and medium businesses as well as global enterprise organizations.
The risk of unprotected data and systems has never been greater than it is today. Understanding, addressing and monitoring that risk is not only a regulatory obligation, but the right thing to do. BeyData Librarian brings an elegant and creative technology solution that can be seamlessly deployed across organizations, regardless of their size. According to industry analyst and research firm Gartner, “by the end of 2018, more than 50 percent of companies affected by the (EU General Data Protection Regulation) GDPR will not be in full compliance with its requirements.” Yet it will be imperative, according to Gartner, for organizations to “demonstrate accountability in all processing activities.” (http://www.gartner.com/newsroom/id/3701117) BeyData Librarian will assist organizations not only in conducting the mandatory Data Protection Impact Assessments that are a fundamental requirement of high-risk processing activities under GDPR, but also in conducting security impact assessments, which are required for most security and vulnerability risk management programs.
In a business landscape with thousands of regulatory compliance, security and privacy statutes to which organizations worldwide must comply, BeyData Librarian helps organizations meet their obligations by offering:
- Risk Assessment of privacy and security concerns across a broad framework of regulatory obligations, such as the EU General Data Protection Regulation (GDPR), ISO 27001 and 27002, the Health Insurance Portability and Accountability Act (HIPAA), the US Federal Information Security Management Act (FISMA), and other company specific concerns connected with Personally Identifiable Information, Personal Health Information, Information Assurance, and Operations Security.
- Hybrid Deployment – Librarian deploys on your desktop, across the enterprise, and allows data to be shared across multiple users, on premise or in the cloud, making deployment simple, easy, and scalable, regardless of the size of your organization or your IT department.
- Automated Risk Calculation based on Industry Guidance from US National Institute of Standards and Technology (NIST) Privacy Framework, the Centre for Information Policy Leadership (CIPL) Privacy Risk Matrix, and the International Organization for Standardization (ISO).
- Executive “Pilot Inspired” Dashboards and Reporting provide ‘just in time’ visibility to organizational and unit- or project-specific risk. By combining key requirements for privacy and security teams, Librarian will help organizations cut costs, reduce risk, and streamline traditionally stove-piped efforts within companies.
Bringing together privacy, security and risk teams through a unified framework, Librarian allows users to mitigate risk with a simple-to-use but powerful methodology. For more information about the new features and functionality in BeyData Librarian, please visit https://beydata.com/librarian.html .
To request a trial or inquire about purchase, please visit https://www.beydata.com/RequestTrial.htm. Microsoft Azure trials are available upon request.
BeyData is a leading provider of advanced Unified Risk Management, Data Protection and Compliance Solutions. Our mission is to provide technology that enables our customers to bridge the gap between innovation and risk management. With the BeyData technologies even the most complex enterprise can gain the full business benefit of the digital economy while protecting their corporate assets.