New Videos on YouTube https://www.youtube.com/channel/UCR1sy8tnqvK-VNaspLoj6TA/videos
BeyData Librarian helps you to conduct Risk Assessments for common Privacy and Security concerns, Regulatory Compliance or just to understand where your data is and who has access to the same. Each module is meant to either stand alone or be used with another assessment or Assessment block.
The base assessments shipped are:
- System Id – The system ID assessment allows you to define a system, documenting all its contact points, identifying the subject matter expert, and not only determining its primary locations but its overall geographical reach. What is also significant about this assessment is that it creates a data inventory catalog card of every system being assessed. These catalog entries can be used for reporting or contact call sheets.
- Data Sovereignty – This Assessment deals directly with the questions of where the data is received, used, stored, and backed up and whether the data is in the cloud. It looks at the origination of the data and considers where there are requirements to keep that data in country.
- Consent – The Consent Assessment deals with how consent is obtained, how consent is documented, whether consent is limited, and how the specific dataset is marked with consent. This is tied closely to purpose limitation, at which time the “reason” for holding this data is also documented along with a projection of how long it should be retained.
- DPIA Module – The Data Protection Impact Assessment is a Grouped Assessment. By grouped we mean it combines multiple assessments into one assessment workflow. Both Data Sovereignty and Consent are assessments called from this assessment definition. This represents a complete assessment rather than a set of building blocks. When using a sub-assessment, you have an important option: you can choose to wait for the sub-assessment to complete or continue with the main assessment. With sub-assessments it is important to have an assessment name that you can recognize, so the main assessment is always listed as the parent. For example, the DPIA Module calls both Consent and Data Sovereignty, so when you are using the assessments you will see child assessments. If an assessment is called SampleDPIA and it launches a Consent Assessment Module, the Consent module will be indicated as SampleDPIA.Consent.
- Third Party Assessment – This assessment module deals with third-party basics such as identifying all third-party entities and which entities use the data. Additionally, it lets you indicate who is responsible for assuring proper use of data in the system and, if applicable, for determining what data can be shared with other parties and systems. It also allows you to define any policies and procedures that have been established for this responsibility and accountability.
- Data Access and Sharing – This Assessment module evaluates data access and sharing and it additionally determines if data is external and who has access. This assessment module calls the Third-Party Assessment and Third-Party Access Assessment.
- Data Security – This assessment module deals with how the data in the system is verified for accuracy, timeliness, and completeness. It also allows you to identify what administrative and technical controls are in place to protect the data from unauthorized access and misuse.
- Maintenance and Retention – This assessment module deals specifically with Data Maintenance and Retention. The questions also address the maintenance and retention of records, the creation of reports on individuals, and whether a system of records is being created under the Privacy Act, 5 U.S.C. 522a.
- Business Processes – This assessment deals with data collection, whether the data is in the cloud and backed up, sovereignty and sharing, data aggregation, and potential profiling. It also deals with what controls are in place to protect the newly derived data from unauthorized access or use, and with technologies, monitoring and types of corporate harm. It also asks the obvious question, “Did the completion of this Data PIA result in changes to business processes or technology?”
- Access Third Party Assessment – This is identical to the Third-Party Assessment but, for reporting purposes, is designed to be used specifically with Access questions.
- Fork Example – BeyData Librarian provides a visual overview that has a workflow management process that combines Risk Profiles, Data Catalogs, Assessments, and Reporting to provide a unified risk management system. The Fork example shows how an assessment can fork off or branch off and then return later for a join and completion. It is a powerful feature so it was included in the default assessments as an example only.
Please remember these are simply examples and they can be used by you as working assessments or examples of the assessments. Also remember you can modify these assessments. We recommend that you export an assessment and then re-import it into the system as a new assessment definition and change the new assessment definition.
Remember these assessment definitions are just that. It is not until you run a new instance of an assessment that an assessment is created.
It is also important to remember that you can create risk templates for an assessment. This allows you to define the default risk for any question, answer, or branch depending on assessment answers. If you have further questions, refer to the manual or the context-sensitive help.
Below is a Visual Representation of the Assessments and their Flow
It is very simple to use BeyData Librarian with Microsoft Azure and SQL Server. To begin, you need to set up an Azure SQL Server instance and then a database. It does not matter what you name the database, but in this example we named it workflow.
This is the database that will hold:
- All Assessment Definitions
- All team details
- All completed and working assessments
- All templates and system related data
- All risk tables and the data catalog
- All tasks and instances of workflows
- All default risk settings
Once you have created the database, simply go to the Database tools and open the Query Editor. In the DB folder you will find the SQL script that creates the BeyData Librarian tables. Paste in this code and select [Run]. Alternatively, you can open Microsoft SQL Server Management Studio 17, connect to the database and use the SQL Server script in that solution.
This will create database tables with no data.
Another way to get the database and tables created is to use the SQL Server Import Data task and Import all Data from the Data tables. You will need to import both the Workflow database and the security database. These can be found in the DB folder of the Installation.
Connecting BeyData Librarian to your Azure Database
After these steps are done you need to establish the connection in BeyData Librarian. Here are the steps:
- Open BeyData Librarian
- Log into the system
- Select [File]
- Select Specify Database Settings and enter your settings.
- Test your connection. If the connection was successful, you will see a connection succeeded message
- Once the connection is successful, select the [Save] button
- Restart BeyData Librarian
- And you are now using Microsoft Azure and your SQL Server Database in the cloud as your database
* These capabilities are only available in the enterprise edition of BeyData Librarian.
More about BeyData Librarian https://beydata.com/librarian.html
Download the BeyData Librarian Trial https://www.beydata.com/RequestTrial.htm
BeyData Librarian introduces unique “hybrid functionality” and a flexible framework that scales to support corporate and regulatory compliance
Concord, New Hampshire, July 5, 2017, BeyData, a leading provider of Risk Management, Data Protection and Compliance Solutions, today announced the release of BeyData Librarian, a hybrid risk management solution, that allows organizations to identify, assess, prioritize, remediate, mitigate and monitor security and privacy risk. BeyData platform technologies are forged from 20+ years of front-line security, data protection and compliance experience, fortified by deep engineering and research expertise. BeyData Librarian’s unique and distributed hybrid architecture allows business users to work in their own environment, without requirements for IT, scaling to support small and medium businesses as well as global enterprise organizations.
The risk of unprotected data and systems has never been greater than it is today. Understanding, addressing and monitoring that risk is not only a regulatory obligation, but the right thing to do. BeyData Librarian brings an elegant and creative technology solution that can be seamlessly deployed across organizations, regardless of their size. According to Industry Analyst and Research firm Gartner, “by the end of 2018, more than 50 percent of companies affected by the (EU General Data Protection Regulation) GDPR will not be in full compliance with its requirements.” Yet it will be imperative according to Gartner for organizations to “demonstrate accountability in all processing activities.” (http://www.gartner.com/newsroom/id/3701117) BeyData Librarian will assist organizations not only in conducting the mandatory Data Protection Impact Assessments that are a fundamental requirement of high risk processing activities under GDPR, but also in conducting security impact assessments, which are also required for most security and vulnerability risk management programs.
In a business landscape with thousands of regulatory compliance, security and privacy statutes to which organizations worldwide must comply, BeyData Librarian helps organizations meet their obligations by offering:
- Risk Assessment of privacy and security concerns across a broad framework of regulatory obligations, such as the EU General Data Protection Regulation (GDPR), ISO 27001 and 27002, the Health Insurance Portability and Accountability Act (HIPAA), the US Federal Information Security Management Act (FISMA), and other company specific concerns connected with Personally Identifiable Information, Personal Health Information, Information Assurance, and Operations Security.
- Hybrid Deployment – Librarian deploys on your desktop, across the enterprise, and allows data to be shared across multiple users, on premise or in the cloud, making deployment simple, easy, and scalable, regardless of the size of your organization or your IT department.
- Automated Risk Calculation based on Industry Guidance from US National Institute of Standards and Technology (NIST) Privacy Framework, the Centre for Information Policy Leadership (CIPL) Privacy Risk Matrix, and the International Organization for Standardization (ISO).
- Executive “Pilot Inspired” Dashboards and Reporting provide ‘just in time’ visibility to organizational and unit or project specific risk. By combining key requirements for privacy and security teams, Librarian will help organizations cut costs, reduce risk, and streamline traditionally stove-piped efforts within companies.
Bringing together privacy, security and risk teams through a unified framework, Librarian allows users to mitigate risk with a simple to use but powerful methodology. For more information about the new features and functionality in BeyData Librarian, please visit https://beydata.com/librarian.html .
To request a trial or inquire about purchase, please visit https://www.beydata.com/RequestTrial.htm. Microsoft Azure trials are available upon request.
BeyData is a leading provider of advanced Unified Risk Management, Data Protection and Compliance Solutions. Our mission is to provide technology that enables our customers to bridge the gap between innovation and risk management. With the BeyData technologies even the most complex enterprise can gain the full business benefit of the digital economy while protecting their corporate assets.
BeyData Librarian is slated to be released in a little over two weeks. You can read about the product here: https://beydata.com/librarian.html. You can also register to get the trial as soon as the product hits General Availability at that time; register here: https://www.beydata.com/RequestTrial.htm
Watch this site for more information over the next two weeks.
BeyData Librarian is a Risk Management System that empowers organizations to build and maintain a catalog of all their data flows, PII processing, and risk assessments. By creating scalable and repeatable processes, it enhances the building and maintaining of Data Inventory Catalogs with Workflow and Data Flow Diagramming. The system is designed for small-medium businesses, consultants and enterprise organizations. Great effort was taken in allowing non-technical users to use the system to meet and exceed regulatory requirements, to keep and maintain accurate records of the data that they process, and to document their procedures and technical controls for addressing privacy and security risk.
BeyData Librarian uses a Drag and Drop user interface that creates a core group of processes that empower non-technical compliance officers, systems owners or business users to easily create, view and work with their risk assessments. Anyone familiar with basic flow or data charting/diagramming will have no problem using the software. BeyData Librarian allows users to rapidly automate and build out workflows to reflect existing manual processes in an extremely timely manner.
The system utilizes core building blocks designed for ease of use, so that users can “Build Once, Re-Use Often”. BeyData Librarian allows users to create an initial set of workflows based on the regular nature of their business. These workflows can include: inventory of data, systems identification, processing activities and associated task management, required documentation, risk assessments and approval chains. Once these workflows have been developed, they can be called and/or re-used as the components for all Privacy, Security or Risk Assessments across the organization.
In this way, rather than building a new workflow for every processing activity, organizations can scale their efforts. This “tool-kit” then becomes the core components for most of the processing activities within an organization. As most processing activities fall into a grouping of categories, this allows BeyData Librarian users to easily scale their efforts across an enterprise. For non-identical but similar processes, BeyData Librarian cloning allows the organization to benefit from work that has already been done in the system, eliminating the need for repetitive data entry, but ensuring approval and review at every step required for accuracy.
BeyData Librarian uses optional Script Objects to control flow and to set workflow variables to some value via an expression. Script Objects allow the system, for example, to keep a running “risk count” that can trigger branching logic to require additional information, new approvals and/or to recommend technical controls. These Objects are not required but are available and can provide great flexibility.
Workflow Tasks and Approvals can be automated and decentralized so that all necessary stakeholders can provide their input into the final risk assessment. Task management can not only be predefined in the system but, more importantly, can be addressed on an ad hoc basis (based on user permission) so that the system can document and address both expected and non-expected risk appropriately.
So, for example, if in responding to a risk assessment, a new variable, not previously defined in the system, is introduced, a new workflow or automated alert can be automatically triggered. It can also be assigned based on the workflow itself (i.e. does the CPO or CISO team respond to a question on controls within the system). This can be automated for system or data set or modified as necessary using “Flow Scripts” which allow for automated “exception handling” to previously defined logic.
Decisions can also be automated in the system based on predefined workflows utilizing Decision Objects. Decision Objects enable condition based actions or recommendations to control the flow of a risk assessment. For example, “Is my data stored in the Cloud” or “Am I collecting Sensitive PII as defined under the EU General Data Protection Regulation”? Approvals can be implemented at the task level or at the assessment level.
BeyData Librarian provides the necessary level of simplicity, power and scale to support effective business processes for privacy and security risk management, and to document accountability for internal and external stakeholders. This system of accountability provides true ability for organizations to build a repeatable process for implementing a risk-based approach for data protection.
The following is a partial listing of the main types of Objects in the system:
- Script Objects – The Script Objects can be used to set variables or other code and variables to be used by the workflow.
- Connector Lines – There are multiple types of connections that can be used, all of which add both readability and functionality. They include, but are not limited to, Source and Target Connectors and Branches. Joins, Arcs, and side connectors are also included.
- Mail Objects – A mail system that allows for alerting based on conditions that allow for variable driven alerts, warnings and messages.
- Task Objects – The task object is either a simple or complex object that can complete one or multiple grouped tasks, each task can allow or deny attachments and multiple allowed uses of attachments. Each task can allow additional fields to be added dynamically which are NOT predefined by the system. Approval types can be customized by the system and of course task expiration guidelines can be set.
- Approval Object – Similar to the task object but with a single purpose of approval of a stage versus one to many tasks.
- Decision Object – Allows for a conditional Expression to control the flow of the risk assessment
- Canned Database Objects – Allow for specific updating of the associated risk database
- Workflow Object – The Workflow object allows you to call one or many workflows from a workflow.
- Flow Scripts – on connectors one can add a flow script, this allows you to set a variable conditionally and branch to a certain location in the flow based on that variable.
For more information on BeyData Librarian or to schedule a Demo please send a request to Sales@beydata.com
Product Information Page: https://beydata.com/librarian.html
CIPL Submits Paper to WP29 on Certifications, Seals and Marks under the GDPR: https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl_gdpr_certifications_discussion_paper_12_april_2017.pdf
January 28th, 2017 was data privacy day (https://staysafeonline.org/data-privacy-day/) and on this day I normally write a blog post or speak at some conference about important guidelines or best practices for data privacy. However, over the last year something has started to become more obvious to me as a result of my work. Data Privacy is not that simple. Yes, we can create systems and processes that help to prevent the leakage of data and those systems can be successful for companies. Policies, procedures and technical controls can help to protect financial and other sorts of confidential company data. That is, if the organization has and follows a good security and data privacy plan, which must also include facility security. While this seems simple, there are still so many data leaks. What is surprising is that Insider threats cause more than half of data leaks. Employees remain the biggest source of information leaks, both intentionally and unintentionally.
However, my area of research does not focus on whether or not what was predicted actually comes to fruition, but instead I focus on what are the threats of the future. I think everyone reading this brief post has some ideas on what those major threats may be, but I would like to suggest one on which there seems to be very little focus at this moment. The threat of public databases and the internet search engine and how that data should be influencing what should be considered personal and/or sensitive information that companies expose or use for research.
Let’s consider Sensitive Personal Data and Personal Health Information (PHI):
Sensitive Personally Identifiable Information (PII) / personal data means personal data consisting of information as to the data subject’s:
- racial or ethnic origin,
- political opinions,
- religious beliefs or other beliefs of a similar nature,
- membership of a trade union,
- physical or mental health or condition,
- sexual practices,
- the commission or alleged commission of any offence, or
- any proceedings for any offence committed or alleged to have been committed by the subject, the disposal of such proceedings or the sentence of any court in such proceedings.
Under US Law and specifically the US Health Insurance Portability and Accountability Act (HIPAA), PHI that is linked based on the following list of 18 identifiers must be treated with special care including:
- All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000,
- Dates (other than year) directly related to an individual,
- Phone numbers,
- Fax numbers,
- Email addresses,
- Social Security numbers,
- Medical record numbers,
- Health insurance beneficiary numbers,
- Account numbers,
- Certificate/license numbers,
- Vehicle identifiers and serial numbers, including license plate numbers,
- Device identifiers and serial numbers,
- Web Uniform Resource Locators (URLs),
- Internet Protocol (IP) address numbers,
- Biometric identifiers, including finger, retinal and voice prints,
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
These items seem quite easy for a company to protect but are they really? What about “inferred” personal or sensitive personal information? Who protects that data? If we look at insider threats and consider social media, search engines and public databases the insider threat is us, the data subjects. This is because friends, family, and ourselves like to share and sometimes overshare. This information becomes easy to find over time and can be used for good or bad ends.
Here are two simple examples:
Example One – The Diner
Recently, I went to meet a friend of mine at “The Red Arrow Diner” to discuss politics in Manchester, NH. It was crowded but we were fortunate to get a booth. My friend and I discussed climbing and our desire to go peak bagging of NH’s 4000 footers (1220m) in New Hampshire. I discuss other mountains I have climbed including Mt Aconcagua. He says, “Rob let’s do it!”
Unfortunately, there was a bad actor in the diner. They leave and go to Google.com, where they type in Rob NH Aconcagua. At the speed of light, they find out:
- My full name
- Where I have lived for last 30 years
- Who my family is and where they live
- Where I work
- I am a member of the Freemasons and I have undergone my 32nd Degree with the Scottish Rite.
- I am a pilot and they get my US Pilot License number and my medical certificate
- I am a HAM Radio Operator and they get my FCC License and station ID
- My Court Records
- That I Believe in a God
- Personal and Professional Blogs
- My email addresses
- Every book I published
- Every Country I have been to
- Every company I started
So there is some personal and sensitive information here, and if a bad actor is smart enough they can use this information to launch attacks against me. Here are some possible attacks:
1. Theft or Burglary – Another climber or an opportunistic thief was in the diner. He knew that I had to have extreme altitude climbing gear or expensive gear to climb the peaks that I have already done. He has my address and enough information to case my house and plan to attempt to rob me before my dogs get him/her.
2. Spear phishing combined with social engineering – The person can find all my email addresses, so they send me a mail from a “cousin in Philadelphia”. I fall for it and transfer them money for some crisis, or worse, I open a funny party video that they downloaded from my cousin’s YouTube site and malware is installed on it, say a key logger, and they get my data and account information.
3. Retribution or Discrimination – For some reason I offended someone with my political views. They found my information online, were enraged by my views and blamed them on the fact that I believed in God, and drove to my house, sliced the tires on my car and broke windows, letting my dogs out before getting caught by the dogs.
There are more damages that can come from this and I will leave that to your imagination.
Example Two – The Plane
On a trip back from Moscow last year I met a nice woman on the flight. I will leave out the names and specifics so as not to leak her information, and I will use other fake data in an attempt to protect her identity. Carol (not her name) was in a rush to get back to NJ, as she missed her daughter, and her boyfriend had been elected to a state office in NJ (not the actual state) when she was away and she wanted to celebrate with him. We had a great talk and discussed the cast on her arm (not actually on her arm) and her profession, “Kickboxing Teacher” (not her actual profession). Our conversation was interrupted a few times by a person sitting behind her who kept kicking her seat. Carol also got the attention of some men sitting around us who seemed to be listening to our conversation. She discussed her upcoming trip to Berlin, that she would be gone for two weeks, and that her daughter would be keeping her dog for that trip, as there was no one local who could take care of the dog. In the end Carol said it was great talking to me and asked me if I wanted her email address so that we could stay in touch. I smiled and said, “I bet I can find your email and full name without you telling me.” She smiled and said, “You are on.” We exchanged no information. On getting home I went to my PC and typed Carol, Kickboxing Teacher, NJ, Cancelled Classes. I found the place where she worked, with a nice personal bio of Carol that discussed how her dog (that she loved) was a great companion, particularly as she was living alone since her daughter had moved out. I also found her boyfriend’s full name and the office to which he was elected in NJ. With the full name I then found her email, emailed her and sent her the steps on how I found the information. She was shocked that I found so much and grateful that I pointed out these leaks of personal information to her.
So there is some personal information here, and if a bad actor is smart enough they can use this information to launch attacks against her. People on the plane around us could have overheard and used that very same information to impact her, her family and possibly even to impact an elected official. Beyond social engineering, she too could be impacted by the threat of burglary, harm or many of the very same issues I listed above in the first example. I am sure you can imagine more harms and of course remedies.
In closing, for individuals, just like in corporations, we are the insider, and many times we may pose the biggest risk to ourselves. We may be our very own biggest threat for data leaks. This raises some new considerations as well:
- Should companies allow employees to post personal public or internal information on company web sites or collaboration mediums?
- Should companies have to control the release of customer PII if the same information when combined with public search engines and public databases will lead to the release of personal health or other sensitive information?
- Are we sharing too much information and does that information put us at risk?
Without intention, we may be harming ourselves, our families, or our career opportunities by sharing information that data aggregators can combine to paint any picture of us to suit their needs, and all of that data massaging is done at the speed of light. There is no simple answer to all of these problems, but one good piece of advice from Data Privacy Day is, before everything else, “Stop, Think, and then Connect.”
FBI – Spear Phishing: https://archives.fbi.gov/archives/news/stories/2009/april/spearphishing_040109
Social Engineering Description on Wikipedia: https://en.wikipedia.org/wiki/Social_engineering_(security)
EEOC – Types of Discrimination: https://www.eeoc.gov/laws/types/
FBI – Cyber crime: https://www.fbi.gov/investigate/cyber
Stop Think Connect: https://staysafeonline.org/stop-think-connect/