Month: June 2020

What is Privacy Information Management and ISO/IEC 27701?

The European Union’s GDPR [General Data Protection Regulation] has ushered in a new era of privacy regulation and compliance. More privacy regulations have since been enacted in different jurisdictions, which requires organizations to implement policies and procedures that assure compliance with a growing list of privacy regulations.

Additionally, we are amidst a rapid digital transformation, where data collection and processing are dramatically increasing. The simultaneous growth in data volume and regulatory requirements pertaining to that data makes compliance increasingly complex for organizations.

The new international standard ISO/IEC 27701 Privacy Information Management System [PIMS] helps organizations reconcile privacy regulatory requirements. Formerly known as ISO/IEC 27552 [during the drafting period], ISO/IEC 27701 is a privacy extension to ISO/IEC 27001 Information Security Management. It is an international management system standard that outlines a comprehensive set of operational controls which can be mapped to various regulations, including the GDPR.

Once the mapping is done, the PIMS operational controls are implemented by privacy professionals and audited by third-party auditors. This results in a certification and in comprehensive evidence of conformity. The standard provides guidance on the protection of privacy, including how organizations should manage personal information.

Compliance Challenges

Vendors need to certify against PIMS. This is an effective way of establishing responsible privacy practices among suppliers and partners, irrespective of the size of your organization. ISO/IEC 27701 helps address three key compliance challenges:

  • Multiple Regulatory Requirements: Reconciling multiple regulatory requirements through the use of a universal set of operational controls will enable consistent and efficient implementation.
  • Auditing Regulation-by-Regulation: Auditors, both internal and third party, will be able to assess regulatory compliance using a universal operational control set within a single audit cycle.
  • Certificate of Compliance: Commercial agreements involving movement of personal information may warrant certification of compliance.

Building Blocks of The Standard

PIMS is built on top of the most widely adopted international standard for information security management, ISO/IEC 27001. If your business is already familiar with ISO/IEC 27001, integrating the new privacy controls of PIMS will be more efficient, which means that implementing and auditing both will be less expensive and easier to achieve.

PIMS has new Controller and Processor-specific controls, which help in bridging gaps between security and privacy. It also provides a point of integration between what may be two separate functions in organizations.

ISO/IEC 27701 helps organisations with:

  • Building trust in managing personal information
  • Maintaining transparency between stakeholders
  • Facilitating effective business agreements
  • Defining roles and responsibilities
  • Supporting compliance with privacy regulations
  • Reducing complexity

Does Your Organisation Need a Privacy Information Management System?

ISO/IEC 27701 certification can be pursued by organizations of all types and sizes, including government entities, public and private companies and not-for-profit organizations.

So, whether your organization is a Controller or a Processor, you should consider pursuing certification, either on your own initiative or at the request of clients, vendors and suppliers, based on your business requirements.

This applies especially to co-controllers, processors and sub-processors along with those who are processing sensitive or high volumes of personal data.

It provides guidance for organizations that are responsible for PII processing within an Information Security Management System [ISMS], specifically:

  • PII Controllers [including those who are joint PII controllers]
  • PII Processors

ISO/IEC 27701 Requirements

Privacy depends on security, and similarly the Privacy Information Management System [PIMS] depends on ISO/IEC 27001 for security management. PIMS certification should therefore be obtained as an extension of an ISO/IEC 27001 certification rather than independently.

If you already have an ISO/IEC 27001 Information Security Management System in place, you are ready to get started with ISO/IEC 27701. The guidance and requirements for ISO/IEC 27701 PIMS span 8 clauses and 6 annexes, which include personally identifiable information [PII] controls and mappings to related standards and to the GDPR.

It is crucial that you understand all the guidance, requirements & controls and ensure they are appropriately implemented across your organization.

Neumetric is a cyber security Advisory and Consulting organization that can help you reduce your security cost without compromising your security posture. Our years of in-depth experience in handling security in multiple industries make it easier for us to quickly execute security activities that add value to you, while you continue focusing on the business objectives of the Organization.

RBI Norms on Prepaid Payment Instruments for E-Wallets

In an effort to promote digital transactions, the Reserve Bank of India (RBI) released guidelines in 2018 to facilitate payments among different mobile wallets. The RBI norms for PPIs consolidated the guidelines into 3 phases in order to prepare better for the implementation of interoperability.

Interoperability of PPI

Interoperability is the technical compatibility that allows a payment system to be used in conjunction with other payment systems. It allows Prepaid Payment Instrument (PPI) issuers, participants, and providers in different systems to undertake payment transactions, without having to participate in multiple systems.

Before the PPI standards were put in place, a mobile wallet user couldn’t make a payment from his wallet to one run by a rival firm. After the PPI guidelines were implemented, users were able to transfer funds between wallets and also from their wallets to bank accounts.

The Three-Phase Implementation

When the RBI released these guidelines in 2018, interoperability of all KYC-compliant Prepaid Payment Instruments was to be enabled in three phases:

  • Interoperability of PPIs issued in the form of wallets through UPI (Unified Payments Interface).
  • Interoperability between wallets and bank accounts through UPI.
  • Interoperability of PPIs issued in the form of cards through card networks.

So now, if a merchant has signed up for one wallet with full KYC (Know Your Customer), they do not need to sign up for others and can receive payments from any wallet.

The new RBI Norms for PPI

Since PPIs have been playing an important role in promoting digital payments, a new type of PPI has been introduced, which can be used only for the purchase of goods and services up to a limit of Rs 10,000. Such a PPI is loaded from a bank account and used only for digital payments such as bills and merchant payments. This new type of PPI can be issued on the basis of essential minimum details sourced from the customer.

RBI rules for such PPIs state that:

  • Banks and non-banks can issue semi-closed PPIs for up to Rs 10,000 after obtaining minimum details of the PPI holder.
  • These details include mobile number verified with OTP (One Time Pin) and self-declaration of name and Unique Identification Number of any of the ‘officially valid documents’.
  • The amount loaded in such PPIs in any month cannot exceed Rs. 10,000 and the total amount loaded during the financial year cannot exceed Rs. 1,00,000.
  • The amount outstanding at any point in time cannot exceed Rs. 10,000.
  • The total amount debited from such PPIs during any given month cannot exceed Rs. 10,000.
  • These PPIs can be used only for the purchase of goods and services. Funds transfer from such PPIs to bank accounts and also to PPIs of the same/other issuers will not be permitted.
  • PPI issuers must ensure that this category of Prepaid payment instruments is not issued to the same user in the future using the same mobile number and the same minimum details.

How Did the Rules on Interoperability Impact E-wallet Companies?

After interoperability was rolled out completely in 2018, e-wallets were on a par with payment banks. It opened up a new window for wallet companies to explore business opportunities. The PPI industry had waited a long time for these guidelines, and the new rules made the industry more lucrative for new companies to join.

Impact on Users

Today, mobile wallet users can transfer funds from one wallet to another effortlessly, without having to download another wallet. They can pay across the networks of any other PPI through UPI. Once users have completed their KYC with the wallet companies, they can avail of the benefits of interoperability.

Cyberattacks Are More Likely From Criminals Than From Foreign Nations

According to former National Security Agency director Mike Rogers, cyberattacks are more likely to come from criminals funded by U.S. adversaries than from those foreign nations themselves, and these criminal groups are a much bigger threat than the adversaries themselves. Rogers suspects that some states are building relationships with cybercriminals, giving them money, targets and tools, and he expects this to grow in the coming years.

BlackBerry CEO John Chen described how his company shifted from producing one of the world’s most popular mobile devices to becoming a provider of security-focused software. The company now provides software to the world’s top mobile device manufacturers and to the internet-connected systems in Ford, General Motors and other vehicles.

Pentagon needs to prepare

With the growing number of internet-connected devices such as cell phones, fitness trackers, thermostats and medical devices like pacemakers, cyberattacks will soon become a weapon. Rogers has warned the Pentagon that it needs to change how it buys weapon systems so that cybersecurity is built in from the beginning. It also needs to include funding for cyber updates, as many systems have outdated cybersecurity protections by the time they are delivered.

Rogers added that his main concern is not cyberattacks on U.S. government or corporate networks, because such attacks are no longer a surprise and businesses and governments have recovered more quickly from hackers than from natural disasters. He is more concerned about security breaches that affect health care data, because such data is widely shared and the number of devices measuring health data is growing day by day.

A word from BlackBerry CEO

John Chen became BlackBerry’s CEO in 2013. He explained that the company was headed for financial disaster in 2013, with deteriorating sales and dwindling cash. Chinese competitors were selling similar devices for less than the cost of the parts in BlackBerry smartphones. He had to slash costs so that the company could generate cash instead of burning through it.

Since BlackBerry was known for privacy and reliability, he refocused the company on privacy and security through software. This gave the company higher profit margins than selling consumer phones. Late last year, the company acquired antivirus software provider Cylance to add artificial intelligence capabilities to BlackBerry’s security products for internet-connected devices. The company is now generating more than $1 billion in revenue from security products and made its first profit since 2012.

Best-in-Class security for your Business

True data protection has extended beyond the core, and so has the cybersecurity demand from end-users. There is a constant need to extend the data protection ecosystem, in which cryptographic keys and data are secured and managed and access and distribution are controlled, to mobile and tactical environments.

A Reliable Solution to enhance your Managed Services Solutions

Neumetric, a cybersecurity services, consulting & product organization, can help you reduce your security cost without compromising your security posture. Our years of in-depth experience in handling security for organizations of all sizes & in multiple industries make it easier for us to quickly cut activities that do not bring value to you, while you continue focusing on the business objectives of the Organization.

How Do Attackers Use Single Sign-On in Phishing Pages to Steal Credentials?

With the ever-increasing use of technology, cybercrime has become a common issue. Recently, malicious pages have been reported that abuse Single Sign-On (SSO) to steal users’ credentials. With the popularity and ease of SSO among widely used websites, this type of phishing attack has grown significantly.

But are you familiar with Single Sign-On? Well, if not, here is a tutorial to guide you through SSO.

SSO - Single Sign-On

Single sign-on, abbreviated as SSO, is a user authentication service. It allows users to use one set of login credentials (name and password) to access multiple applications, so the user does not have to remember a separate set of credentials for each account. Eliminating the password prompt for each application during a session improves the user experience. SSO is commonly used by enterprises, smaller organizations and individuals to reduce the burden of managing many usernames and passwords.

Single sign-on is usually accomplished by authenticating the user against a repository such as a Lightweight Directory Access Protocol (LDAP) directory. Popular web applications that offer SSO to users include Google, Facebook and Twitter.

SSO can also be extended to third-party services. For instance, some applications allow users to access their account using Facebook or Google’s authentication. But how is it abused? Let’s have a look.

SSO Abuse

The availability of single sign-on is steadily increasing across applications, and this has led many attackers to misuse it. Malicious web pages have been reported that pose as the sign-in pages of applications like Dropbox. When people enter their credentials, the data is harvested even though they are then logged into the intended application, so the theft goes unnoticed.

Before single sign-on became popular, attackers had to create a separate page for each service to steal user credentials. With SSO now spanning many services, they are able to harvest credentials for all of them with a single phishing page.

How Can You Protect Your Data From This Cyber Attack?

The best way to protect yourself from SSO phishing attacks is to enable two-factor authentication. A second authentication factor makes it much harder for an attacker who has stolen a password to access your account. It is also not advisable to use SMS as the second factor, as it is not as secure as other methods.

