Apr 12 2022

NSO Group Spied on European Union—on French Orders?

Category: Cyber Espionage,Cyber Spy,SpywareDISC @ 10:46 am
NSO Group Spied on European Union—on French Orders?

An espionage attempt was made by an NSO Group customer to hack the phones of senior EU officials. Although there’s some suggestion that it might have been QuaDream—a similar Israeli spyware firm.

Commissioner for Justice Didier Reynders (pictured) seems to have been the main target, along with several of his staffers at the Directorate-General for Justice and Consumers. They were warned of the attack five months ago—by Apple.

But who ordered the hack? Might it have been the French government? In today’s SB Blogwatch, we’re shocked—SHOCKED—to discover un peu d’espionnage fratricide.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Shrimp can lobster.

What Did Didier Do?

What’s the craic? Raphael Satter and Christopher Bing claim this exclusive for Reuters—“Senior EU officials were targeted with Israeli spyware”:

“Remotely and invisibly take control of iPhones”
Among them was Didier Reynders, a senior Belgian statesman who has served as the European Justice Commissioner since 2019. … At least four other [Justice and Consumers] commission staffers were also targeted.
…
The commission became aware of the targeting following messages issued by Apple to thousands of iPhone owners in November telling them they were “targeted by state-sponsored attackers.” … The warnings triggered immediate concern at the commission. … A senior tech staffer sent a message to colleagues with background about Israeli hacking tools: … “Given the nature of your responsibilities, you are a potential target.”
…
Recipients of the warnings were targeted between February and September 2021 using ForcedEntry, an advanced piece of software that was used by Israeli cyber surveillance vendor NSO Group to help foreign spy agencies remotely and invisibly take control of iPhones. A smaller Israeli spyware vendor named QuaDream also sold a nearly identical tool.

So which was it? And why? Lucas Ropek shrugs—“Sophisticated Spyware Attack”:

“Comes at potentially the worst possible time”
It’s not totally clear why these officials were targeted or who used the malware against them. … NSO has denied that it had any involvement. … Reuters also reached out to QuaDream … but did not get any sort of comment or response.
…
The claims that EU officials were targeted with NSO Group software comes at potentially the worst possible time for the company as it continues to battle both legal and financial troubles, as well as multiple government investigations. … NSO is now appealing to the U.S. Supreme Court in a new effort to rid itself of a hefty lawsuit filed by … WhatsApp, [which] sued NSO in October of 2019 after the surveillance firm’s malware was allegedly discovered on some 1,400 users’ phones. … The company is also currently battling another lawsuit from Apple filed last November on similar grounds.

Government investigations? Malcolm Owen isn’t scared to say whodunnit—“EU officials’ iPhones were targets of NSO Group’s spyware”:

“Use of surveillance software”
The discovery of the misuse of NSO Group’s tools certainly doesn’t help the company’s profile following the Pegasus scandal, when it was found the tool was used by governments to spy on journalists, activists, and government opponents, instead of for fighting crime. The adoption of Pegasus and other tools by government agencies led to lawmakers in the U.S. asking Apple and the FBI about the latter’s acquisition of NSO Group tools.
…
Meanwhile, the European Parliament will be launching a committee on April 19 to investigate the use of surveillance software in European member states.

The European Union, huh? FOHEng thinks this should be a teachable moment:

Many of these same EU people think The App Store should be forced to open, increasing the vectors for … exploits to make it into devices. They’re as stupid as some US Senators, who aren’t allowed to sideload Apps on their devices over security concerns, yet want to force Apple to allow this. They are truly delusional.
…
Third party stores with Apps being vetted for security? An oxymoron if ever there was one. … You think iOS third party stores are going to somehow be secure and Apps checked?

Worthless politicians? zeiche seems to think so:

“No big deal until it happens to me.” This story has been unfolding slowly for years, yet these EU officials didn’t seem too bothered until Apple notified them about their phones being hacked. … Thanks for all the concern.

But what of Apple in all this? Heed the prognostications of Roderikus:

More fines for offering a platform that is basically compromised while being marketed as “safe.”

However, mikece is triggered by a certain word in the Reuter hed:

Throwing the adjective “Israeli” into the title is misleading as it suggest the state of Israel is somehow involved. … Blaming Israel for this is like blaming Japan for all of the Toyota Hiluxes converted into gun platforms around the world.

Yet we’ve still not dealt with the “who” question. For this, we turn to Justthefacts:

CitizenLab did some clever geographic fingerprinting, and have a list of which countries are doing this. … Out of these, the credible list is: France, Greece, Netherlands, Poland, UK, USA.

The target was the European Justice Minister from 2019 onwards. He doesn’t have military or external trade secrets. Neither the UK nor USA are impacted in any way by what goes on in his office. So it’s either France, Greece, Netherlands, Poland.

If you have a look at the heat-map produced by CitizenLab, it’s the French government snooping on the EU. What were you expecting?

Nor the “why”: What else do we know about the named victim? ffkom ffills us in: [You’re ffired—Ed.]

Didier Reynders is [one of] those politicians who have continuously undermined EU data protection laws by agreeing to sham contracts like “Safe Harbour” and “Privacy Shield,” … knowing those were contradicting EU law … and not worth the paper they were written on. He, personally, is also responsible for not enforcing … GDPR.
…
It serves Mr. Reynders right that his data is exposed, just as much as he has helped to expose EU citizen’s data.

Ultimate spyware' — How Pegasus is used for surveillance


Tags: European Union, NSO Group Spied

Mar 10 2022

Build your DPO career with self-paced online learning

Category: GDPR,Information Privacy,Security and privacy LawDISC @ 10:15 am

Are you planning a career as a DPO (data protection officer)?

Certified GDPR Foundation, Practitioner and Data Protection Officer (C-DPO) Accelerated Self-Paced Online Combination Training Course
Are you planning a career as a DPO (data protection officer)? Our unique combined GDPR (General Data Protection Regulation) and DPO training course is now available in a low-cost self-paced online format.

Delivered by an experienced data privacy consultant, the Certified GDPR Foundation, Practitioner and Data Protection Officer (C-DPO) Accelerated Self-Paced Online Combination Training Course provides the knowledge to implement and maintain GDPR compliance and fulfil the DPO role.

Work at your own pace with self-paced online training – a more affordable, flexible and less disruptive way to study. Designed by GDPR experts, this course features pre-recorded video modules supported by a learner guide and interactive exercises and tests.

The course includes essential elements of our GDPR / Data Privacy Roles Learning Path, which provides a unique guide to which training courses and qualifications will help you enhance your GDPR or DPO career.

Don’t Panic! I’m A Professional Data Protection Officer – 2023 Diary: Funny 2023 Planner Gift For A Hard Working Data Protection Officer

Tags: data protection officer, DPO, DPO (data protection officer)

Feb 09 2022

Adding Data Privacy to DevSecOps

Category: Information PrivacyDISC @ 1:44 pm
Adding Data Privacy to DevSecOps

Colorado and Virginia passed new data privacy laws in 2021. Connecticut and Oklahoma are among the states that could enact new legislation around data privacy protections in 2022. California, which kicked off the conversation around data privacy at the state level, is updating its laws. Couple that with the EU’s GDPR and other data privacy laws enacted worldwide, and it is clear that data privacy has become incredibly important within cybersecurity. And that includes within the DevSecOps process.

It’s been enough of a challenge to integrate security into the DevOps process at all, even though it is now recognized that adding security early in the SDLC can eliminate issues further along in app development and deployment. But adding data privacy? Is it really necessary? Yes, it is necessary, said Casey Bisson, head of product growth at BluBracket, in email commentary. Applications now include more and more personal data that needs protection, such as apps that rely on medical PII. Those apps must have security and privacy baked into each phase of the SLDC via DevSecOps.

“There have been far too many examples of leaks of PII within code, for instance, because many companies don’t secure their Git repositories,” said Bisson. “As more sensitive information has made its way into code, it’s natural that hackers will target code. True DevSecOps will bake privacy concerns into every stage and will make these checks automated.”

Data in the Test Process

In DevSecOps, applications are developed often by using test data. “If that data is not properly sanitized, it can be lost,” said John Bambenek, principal threat hunter at Netenrich, in an email interview. “There is also the special case of secrets management and ensuring that development processes properly secure and don’t accidentally disclose those secrets. The speed of development nowadays means that special controls need to be in place to ensure production data isn’t compromised from agile development.” Beyond test data, real consumer data has to be considered. Ultimately, every organization has information they need to protect so it’s important to focus on data privacy early in development so the team working on the platform can build the controls necessary into the platform to support the privacy requirements the data has, explained Shawn Smith, director of infrastructure at nVisium, via email. “The longer you wait to define the data relationships, the harder it is to ensure proper controls are developed to support them.”

Bringing Privacy into DevSecOps

Putting a greater emphasis on privacy within DevSecOps requires two things—data privacy protocols already in place within the organization and a strong commitment to the integration of cybersecurity with data privacy. “An organization needs to start with a strong privacy program and an executive in charge of its implementation,” said Bambenek. “Especially if the data involves private information from consumers, a data protection expect should be embedded in the development process to ensure that data is used safely and that the entire development pipeline is informed with strong privacy principles.” The DevSecOps team and leadership should have a strong understanding of the privacy laws and regulations—both set by overarching government rules and by industry requirements. Knowing the compliance requirements that must be met offers a baseline to measure how data must be handled throughout the entire app development process, Smith pointed out, adding that once you have the base to build upon, the controls and steps to actually achieve the privacy levels you want will fall into place pretty easily. Finally, Bisson advised DevSecOps professionals to shift security left and empower developers to prevent any credentials or PII from being inadvertently accessible through their code before it makes it to the cloud. “DevSecOps teams should scan code both within company repositories and outside in public repos; on GitHub, for instance. It’s so easy to clone code that these details and secrets can easily be leaked,” said Bisson.

Consumers don’t understand how or where in the development process security is added, and it’s not entirely necessary for them to understand how the sausage is made. The most important concern for them is that their sensitive data is protected at all times. For that to happen most efficiently, data privacy has to be an integral part of DevSecOps.

Understanding Privacy and Data Protection: What You Need to Know

#DevSecOps: A leader’s guide to producing secure software without compromising flow, feedback and continuous improvement

Tags: DevSecOps

Jan 13 2022

CPRA Cheat sheet

Category: Cheat Sheet,Information Privacy,Security and privacy LawDISC @ 1:34 pm

Download ISO/IEC 27701 2019 Standard and Toolkit

CPRA compliance gap assessment tool 

Tags: CPRA, CPRA Cheat sheet, CPRA compliance gap assessment tool, ISO 27701 2019 Standard and Toolkit

Jan 02 2022

NIST PRIVACY FRAMEWORK: A TOOL FOR IMPROVING PRIVACY THROUGH ENTERPRISE RISK MANAGEMENT

Category: data security,Information Privacy,NIST PrivacyDISC @ 11:15 am

NIST-PRIVACY-FRAMEWORK-A-TOOL-FOR-1Download

The simplest, fastest, and most affordable way to comply with privacy legislation like the EU’s GDPR (General Data Protection Regulation), the CPRA (California Privacy Rights Act), New York’s SHIELD Act, and others. With Privacy as a Service, you can: 

* Achieve scaled privacy compliance quickly
* Remain one step ahead of legislative developments with affordable advice and support
* Reduce privacy risks with one simple subscription service
* Enjoy peace of mind with your own dedicated data privacy manager

NIST Cybersecurity Framework

NIST Cybersecurity Framework: A pocket guide by [Alan Calder]

Data Governance

Tags: Data Governance, NIST Cybersecurity Framework, NIST PRIVACY FRAMEWORK, Privacy as a Service

Dec 27 2021

The ultimate guide to PCI DSS compliance

Category: Information Security,pci dssDISC @ 11:56 am

The ultimate guide to PCI DSS compliance

Luke Irwin  

If your business handles debit or credit card data, you’ve probably heard of the PCI DSS (Payment Card Industry Data Security Standard).

It’s an information security framework designed to reduce payment card fraud by requiring organisations to implement technical and organisational defence measures.

We explain everything you need to know about the PCI DSS in this blog, including who it applies to, the benefits of compliance and what happens if you fail to meet its requirements.

Who needs PCI DSS compliance?

Any merchant or service provider that processes, transmits or stores cardholder state is subject to the PCI DSS.

  • Merchants are organisations that accept debit or credit card payments for goods or services.
  • Service providers are businesses that are directly involved in processing, storing or transmitting cardholder data on behalf of another entity.

Some organisations can be both a merchant and a service provider. For instance, an organisation that provides data processing services for other merchants will also be a merchant itself if it accepts card payments from them.

Benefits of PCI DSS compliance

The most obvious benefit of PCI DSS compliance is to reduce the risk of security incidents. When organisations implement its requirements, they shore up the most common weaknesses that attackers exploit.

According to the 2020 Trustwave Global Security Report, the majority of data breaches involving cardholder data were CNP (card-not-present) attacks. This indicates that e-commerce platforms are the most vulnerable, but this is only half the picture.

Data protection isn’t just about preventing cyber attacks; information can also be exposed by mistakes the organization makes. Such errors can also result in violations of the GDPR (General Data Protection Regulation) and other data protection laws.

PCI DSS compliance can help organisations prevent regulatory errors and the effects associated with it.

Is PCI DSS compliance mandatory?

The PCI DSS is a standard not a law, and is enforced through contracts between merchants, acquiring banks that process payment card transactions and the payment brands.

Compliance is mandatory for all organisations that process, store or transmit cardholder data. Covered organisations that fail to meet their requirements could face strict penalties.

Notably, the Standard doesn’t simply levy a one-off fine for non-compliance. Instead, organisations can be penalised between $5,000 (about €4,300) and $100,000 (about €86,000) a month until they achieve compliance.

Organisations can also face other punitive measures from their acquiring bank. For example, the bank might increase its transaction fees or terminate the relationship with the merchant altogether.

How do I achieve PCI DSS compliance?

The PCI DSS contains 12 requirements that organisations must meet if they are to achieve compliance.

They are combination of technical solutions, such as data encryption and network monitoring, alongside processes and policies to ensure that employees manage sensitive data effectively.

Those processes include steps such as changing default passwords, restricting physical access to locations where cardholder data is stored and creating an information security policy.

How do you know if you are PCI compliant?

To demonstrate that your organisation is PCI DSS compliant, organisations must audit their CDE (cardholder data environment).

There are three types of audit:

The type of audit you must conduct, and your exact PCI DSS compliance requirements, will vary depending on your merchant or service provider level. This information is based on the number of card transactions processed per year.

Level 1 merchants are those process more than 6 million transactions per year, or those whose data has previously been compromised. They must complete the following each year:

  • RoC conducted by a QSA or ISA.
  • Quarterly scan by an ASV.

Level 2 merchants are those that process 1 million to 6 million transactions per year. They must complete the following each year:

  • RoC conducted by a QSA or ISA, or an SAQ (SAQ D) signed by a company officer (dependent on payment brand).
  • Quarterly scan by an ASV

Level 3 merchants are those that process 20,000 to 1 million transactions per year. They must complete the following each year:

  • SAQ signed by a company officer.
  • Quarterly scan by an ASV (dependent on SAQ completed).

Level 4 merchants are those that process fewer than 20,000 transactions per year. They must complete the following each year:

  • SAQ signed by a company officer.
  • Quarterly scan by an ASV (dependent on SAQ completed).

The audit requirements for service providers are more straightforward. Level 1 encompasses any organisation that process and/or store more than 300,000 transactions per year. They are required to conduct a RoC by a QSA or ISA and have an ASV conduct quarterly scans.

Service providers that transmit and/or store fewer than 300,000 transactions per year must complete either an RoC conducted by a QSA or an ISA, or an SAQ D signed by a company officer. They must also have an ASV conduct quarterly scans.

Get started with the PCI DSS

As a QSA company, IT Governance provides services to support organisations at each stage of each organisation’s PCI DSS compliance project. You can find out complete list of PCI DSS services and solutions on our website.

Organizations looking for help achieving compliance should take a look at our PCI DSS Documentation Toolkit.

It contains everything you need to implement the Standard’s requirements, including template documents and a document checker to ensure you select and amend the appropriate records.

The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario.

It’s fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant. All you have to do is fill in the sections that are relevant to your organization.

PCI DSS Implementation Training Course | Qualified Security Assessor Company

PCI DSS: A pocket guide, sixth edition

PCI DSS: A pocket guide, sixth edition | IT Governance USA

Tags: PCI, pci dss

Dec 03 2021

Top 5 Cloud security challenges, risks and threats

Category: Information SecurityDISC @ 3:35 pm
Top 5 Cloud security challenges, risks and threats

Top 5 Cloud security challenges, risks and threats

Cloud services are an integral part of modern business. They provide a cost-effective way to store data; and with the rise in hybrid workforces, they deliver a reliable way for employees to access information remotely.

But as is often the case with technological solutions, the benefits of convenience comes with security risks. In this blog, we look at the top five Cloud security challenges that organisations face, and provide tips on how to overcome them.

1. Data breaches

A Gartner study found that 95% of Cloud breaches are the result of the result of misconfigurations.

2. Phishing scams

3. Insider threats

Insider Threats (Cornell Studies in Security Affairs) 

4. Regulatory non-compliance

the risk of a data breach and create GDPR (General Data Protection Regulation) headaches.

5. Insecure UIs and APIs

Design secure network and API endpoint security for Microservices applications

Secure your Cloud services

You can find more tips like the ones in this blog by reading Securing Cloud Services: A pragmatic guide.

This book, written by security architect Lee Newcombe, explains everything you need to know about Cloud security. It covers the key concepts of Cloud computing and the its security architectures, and then looks at the security considerations you must acknowledge.

It’s ideal for anyone looking at implementing Cloud services, whether that’s infrastructure-, platform-, software- or function-as-a-service.

Sep 13 2021

Mobile app creation: Why data privacy and compliance should be at the forefront

Category: App Security,Mobile SecurityDISC @ 9:44 am
Mobile app creation: Why data privacy and compliance should be at the forefront

A user’s personal data can be anything from their user name and email address to their telephone name and physical address. Less obvious forms of sensitive data include IP addresses, log data and any information gathered through cookies, as well as users’ biometric data.

Any business whose mobile app collects personal information from users is required to have a Privacy Policy. Regardless of app geography or business domain, there are mandatory regulations such as the GDPR, the CCPA, and the PDPA, as well as Apple, Google and Android guidelines that ensure accountability and user data privacy. Some apps do not directly collect personal data but instead use a third-party tool like Google Analytics – they, too, need a Privacy Policy.

Data privacy and security and the mobile app creation process

Xamarin in Action: Creating native cross-platform mobile apps

Tags: Mobile app

May 02 2021

How to Become a Data Protection Officer

Category: data security,Information SecurityDISC @ 12:05 pm
data protection officer CCO

How to Become a Data Protection Officer

The role of a Data Protection Officer (DPO) is a fairly new one in many companies. What’s more, the need to hire a DPO often comes as a response to the General Data Protection Regulations (GDPR) which were implemented back in 2018.
As such, the responsibilities, reporting and structure of the role are primarily defined by GDPR guidelines.

But though it might be a fairly new role, it can be a very exciting and rewarding one. So if you’re considering a career as a data protection officer, this guide is for you. Below, we’ll take a look at what the role entails and what you need to do to get a job as a DPO.

What is a Data Protection Officer and What Do They Do?

In a nutshell, a data protection officer is a steward for data protection and privacy within a business. They must implement effective data protection strategies and facilitate a culture of data protection throughout the company. This is to ensure companywide compliance with GDPR. The appointment of a DPO is mandatory in some businesses, particularly those in the public sector or those that process a large amount of personal data. That being said, some businesses choose to appoint a DPO even though they are not legally required to as it pays to have someone in charge of compliance and data privacy.

In the general data protection regulations, it is stated that the DPO should report directly to the highest management level. As a DPO, some of the key responsibilities include:

  • Ensuring that a business applies the laws of data protection appropriately and effectively, as
    well as following these regulations and legislations.
  • Educating and training management and all other employees about GDPR and other data protection statutes as well as about compliance and demonstrating effective measures and strategies for data handling and processing.
  • Conducting regular security audits.
  • Acting as the point of contact between the company and any supervisory authorities (SAs). For example, if there is a data breach, it is the job of the DPO to report this to the relevant authorities.

With this in mind, here’s how you can tailor your career path to lead to the role of a data protection officer.

In order to become a DPO, What skills you may need…

Becoming a Data Protection Officer

Certified Data Protection Officer

Data Protection and the Cloud 

Data Protection and the Cloud – Are you really managing the risks?

Tags: data protection officer

Apr 23 2021

TikTok sued over its use of children’s personal data

Category: data security,MetadataDISC @ 10:31 am
TikTok sued over its use of children’s personal data

TikTok is again being accused of illegally processing children’s personal data.

The latest claim has been brought by Anne Longfield, the former children’s commissioner for England, who is suing the video-sharing app on behalf of 3.5 million children in the UK.

She alleges that TikTok is violating the GDPR (General Data Protection Regulation) by collecting excessive data and failing to explain what it’s used for.

Children’s data is subject to special protections under the GDPR, including the requirement that privacy policies must be written in a way that’s understandable to the service’s target audience.

Tags: children’s personal data

Apr 16 2021

New Federal Data Privacy Legislation Proposed

Category: Information Privacy,NIST Privacy,Security and privacy LawDISC @ 2:32 pm
New Federal Data Privacy Legislation Proposed

In late March 2021, Representative Susan DelBene (D-WA 01) introduced legislation to the 116th Congress to protect consumer privacy and put control of consumers’ data in their own hands.

DelBene noted that states are surging ahead of the federal government in creating privacy laws, each with their own flavor and each serving the needs of a particular constituency/demographic. DelBene argued that having a federal policy will stem consumer confusion and put the United States back into the conversation on global privacy policies. The EU, for example, is pushing their General Data Protection Regulation (GDPR) as the global standard.

The Information Transparency and Personal Data Control Act (pdf) will ensure that an individual’s personal identifying information (PII), and all information pertaining to children under the age of 13, are protected. The bill requires:

  • Companies produce their privacy policies in “plain English” within 90 days of the bill’s passage.
  • Users must “opt in” before companies my use their sensitive PII. In doing so, the user is made aware of how the information may be used and more importantly how it is not to be used. Companies will have 90 days to put in place this capability once the legislation becomes law.
  • Companies must be transparent when it comes to sharing user information – who, what, where, how and why.
  • The Federal Trade Commission (FTC) will be given the authority to fine bad actors on their first offense and empower state attorneys general to pursue offenders. If the FTC doesn’t act on a complaint within 60 days, the state attorney general may pursue legal remedies.
  • Trust, yet verify by requiring, every two years, a “neutral” privacy audit to ensure companies (with information from 250,000 or more people) are handling PII in accordance with the provisions of the Act.

The bill will provide to the FTC 50 additional full-time employees, of which 15 must be technical experts (not further defined), and initial funding for the program will be $35 million.

DISC InfoSec Shop

Mar 13 2021

Privacy as a Service can help

Category: Information PrivacyDISC @ 11:04 pm

If you are a business looking to comply with various data privacy laws, look no further. We can help with Privacy as a Service. 👍

The simplest, fastest, and most affordable way to comply with privacy legislation like the EU’s GDPR (General Data Protection Regulation), the CPRA (California Privacy Rights Act), New York’s SHIELD Act, and others. With Privacy as a Service, you can:

 Privacy as a Service

* Achieve scaled privacy compliance quickly
* Remain one step ahead of legislative developments with affordable advice and support
* Reduce privacy risks with one simple subscription service
* Enjoy peace of mind with your own dedicated data privacy manager

Tags: Privacy as a Service

Mar 12 2021

What are the best books on data privacy?

Category: Information Privacy,Security and privacy Law,Security trainingDISC @ 12:41 pm
Luke Irwin

Looking for affordable ways to keep your data secure? Sometimes the simplest solutions are the best – and nothing beats the simplicity of a book.

With books, you get expert advice at your fingertips. You can study whenever is convenient and the information is always there for you to reference.

So, which books are right for you? That depends on what you want to know. Fortunately, IT Governance has a selection of titles covering everything you need to know, including the GDPR, Cloud security and the CCPA.

Let’s take a look at some of our most popular titles. Below are the four best books on Data Privacy.

EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide

EU General Data Protection Regulation (GDPR) – An implementation and compliance guide, fourth edition

This bestselling guide is the ideal companion for those trying to understand how the GDPR affects their organisation.

It explains the Regulation’s requirements in terms you can understand and helps you understand data subjects’ rights and the way consent requests have changed.

You’ll also gain a deeper understanding of the GDPR’s technical requirements, such as the appointment of a DPO (data protection officer), international data transfers and the obligations of data controllers and processors.

Buy now

Data Protection and the Cloud – Are you really managing the risks?

Cloud computing is becoming a bigger part of the way organisations do business, but you need to understand the privacy risks that come with it.

In this guide, data protection expert Paul Ticher shows you how to use the Cloud safely and in line with the requirements of the GDPR and the NIS (Network and Information Systems) Regulations 2018.

Buy now

EU GDPR: An international guide to compliance

Written by Alan Calder, IT Governance’s founder and executive chairman, this book is an essential introduction to the GDPR.

It’s ideal for anybody who is new to the Regulation or needs a refresher, explaining the legal terminology and compliance in simple terms.

It also provides invaluable advice on how you can meet the GDPR’s requirements.

This includes broad measures that your organisation should implement as well as tips on things you should and shouldn’t do when processing personal data.

Buy now

The California Consumer Privacy Act (CCPA): An implementation guide

If your organisation collects California residents’ personal data, you must comply with the CCPA (California Consumer Privacy Act).

The law, which took effect on 1 January 2020, applies to certain companies depending on their annual turnover, how much personal data they collect and whether they sell the information for profit.

Written by data protection expert and consultant Preston Bukaty, this handbook provides a comprehensive explanation of the law’s scope and how to achieve compliance.

Buy now

Tags: best books on data privacy

Feb 15 2021

California Consumer Privacy Act (CCPA) Foundation Self-Paced Online Training Course

Category: Information Privacy,Security and privacy LawDISC @ 2:24 pm
California Consumer Privacy Act (CCPA) Foundation Self-Paced Online Training Course

Training course outline

The CCPA (California Consumer Privacy Act) is a California data protection law that came into effect on January 1, 2020. Following the passing of Prop 24, the CPRA (California Privacy Rights Act) will take effect officially on January 1, 2023 and replace the CCPA. The CPRA is widely viewed as California’s version of the EU’s GDPR (General Data Protection Regulation).

Just like the GDPR, it gives people more control over their personal data, and holds businesses more accountable for protecting the data they collect and process.

Once you have completed the California Consumer Privacy Act Foundation Online Training course, you will be able to:

  • Demonstrate an understanding of privacy and cybersecurity law concepts, and basis of national/state jurisdiction 
  • Define terms used in the CCPA/CPRA and contrast to the GDPR 
  • Articulate the rights of consumers, and determine the duties of a business 
  • Examine the CPRA’s security requirements and prepare relevant responses 
  • Use the CPRA to determine what action(s) should be taken in the event of a breach 
  • Demonstrate an understanding of the CPRA’s penalty provisions 

California Consumer Privacy Act (CCPA) Foundation Self-Paced Online Training Course

Tags: California Consumer Privacy Act, CCPA

Feb 02 2021

5 key privacy trends for 2021

Category: GDPR,Information Privacy,NIST Privacy,Security and privacy LawDISC @ 3:28 pm
No alt text provided for this image

Source: 5 key privacy trends for 2021

As organisations become increasingly reliant on the use of personal data, the risks they face grow exponentially.

We saw last year a record number of data breachesand a surge in penalties for regulatory violations, but 2021 is set to be even more perilous as the public demand for data privacy grows, COVID-19 scams continue and data protection laws get more complex following Brexit.

Here are our five key data privacy trends for this year.

1. There will be more public awareness of privacy rights

This year, we will see growing public awareness of privacy rights. There is a proliferation of information about data breaches, including commentary in the press regarding data breaches and class action suits, such as the one filed against British Airways.

All of this information is helping consumers become more aware of their rights.

Likewise, the collection by major private and public-sector organisations, as well as employers, of location- and health-related data will also drive employee and consumer awareness of data privacy.

The fact that employers must have a lawful reason for processing personal data means that even on the simple interface of employee–employer relationships, there is a growing awareness of individuals’ rights concerning data.

There is also an increased focus on supervisory authority decisions surrounding DSARs (data subject access requests), and the role they play in taking forward an employment law case.

Over the next year or two, DSARs will likely become a standard preliminary step in any employment-related legal action.

2. Brexit will continue to cause headaches

Brexit, of course, is the biggest immediate issue for UK and EU organisations, and they need to understand the relevance of the UK GDPR (General Data Protection Regulation) â€“ which is embedded in the DPA (Data Protection Act) 2018 as a localised version of the EU GDPR.

For example, references to the EU scope have been changed to the UK, and sections that relate to the actions of the EDPB (European Data Protection Board) have been removed, because its decisions are no longer applicable in the UK.

Organisations operating in the UK and the EU are subject to both regulations, and must keep an eye on the differences in the way they are interpreted and how that affects their compliance requirements.

3. We shouldn’t expect an adequacy decision imminently

Another big concern for organisations operating in the UK and the EU is how to transfer personal data between the UK and the EU.

For data to be transferred freely, there needs to be an adequacy decision made by the EU in respect of the UK data protection regime. On the face of it, that should be straightforward, because its rules mirror those of the EU GDPR.

But in practical terms, it’s not quite as straightforward – not least because there’s an intersection between the UK government’s bulk collection of personal data and the restrictions placed on that under the EU GDPR.

Currently, personal data can continue between the EU and the UK for a minimum of four months – until 30 April. If both parties agree, that can be extended for another two months.

In that period, the EU must decide whether to grant an adequacy decision to the UK. If it does, the UK will be adequate in the same way that the Channel Islands are, and personal data will be able to be moved between the EU and the UK freely.

The UK has already granted an adequacy finding in respect of the EU – so that’s not an issue for moving data from the UK to the EU.

4. GDPR enforcement will be more consistent

In the EU, the approach to enforcing the GDPR is continuing to mature. In the 18 months after the Regulation took effect, there wasn’t much in the way of major decisions, but in the past year there has been a growing number of decisions on a wide range of issues.

In some cases, the fines were miniscule, but in others the penalties were large.

It’s clear that supervisory authorities are paying attention to the requirements of the GDPR – not just relating to data breaches but also violations of its data protection requirements.

We can expect to see supervisory authorities act with greater cohesion and make swifter decisions.

Although the UK’s ICO (Information Commissioner’s Office) has no obligation to follow through with decisions made in the EU, it will almost certainly pay attention to what is happening in the EU.

5. Cookie laws will come under greater scrutiny

From the perspective of most marketers and website users, cookies are a pain in the neck, but they are becoming an increasingly important part of data privacy.

This is evident in the ÂŁ91 million fine levied against Google for its ad tracking practices, as well as the recent actions from Max Schrems and his organisation NOYB.

So, cookies – and in particular the way organisations gain consent for their use – will become a significant issue in the EU and the UK.

Current regulations indicate that they apply whenever organisations provide a service into the EU, so we’ll see more websites, wherever they are based, displaying big banners asking visitors to accept and review their cookie collection practices.

Likewise, people will increasingly review these practices to see whether organisations are getting legitimate consent and therefore meeting their regulatory requirements.

Meet your data privacy requirements with IT Governance

You can find out more about data privacy and the steps you must take to protect the information you process with our Privacy by Design Foundation Training Course.

One of our experts will guide you through the privacy and Agile roadmap, helping you understand how to incorporate privacy by design in your products and services.

Jan 28 2021

Privacy as a Service

Category: Information PrivacyDISC @ 1:21 pm
May be an image of text that says 'Privacy as a Service'

The simplest, fastest, and most affordable way to comply with privacy legislation like the EU’s GDPR (General Data Protection Regulation), the CPRA (California Privacy Rights Act), New York’s SHIELD Act, and others. With Privacy as a Service, you can:

 Privacy as a Service

* Achieve scaled privacy compliance quickly
* Remain one step ahead of legislative developments with affordable advice and support
* Reduce privacy risks with one simple subscription service
* Enjoy peace of mind with your own dedicated data privacy manager

Tags: Privacy as a Service

Nov 22 2020

How does the Schrems II ruling affect your organization?

Category: GDPRDISC @ 5:01 pm

GDPR compliance got even more complicated this summer when the CJEU (European Court of Justice) ruled the EU–US Privacy Shield invalid.

Organizations that had relied on the framework for transatlantic data transfers have been scrambling for a solution – with even some multinationals unsure how to proceed.

If you’re among those trying to understand how the ruling affects your data transfer processes, then ITGP updated books can help.

EU General Data Protection Regulation (GDPR) – An implementation and compliance guide

This comprehensive guide covers:

  • DPO (data protection officer) requirements, including which organizations need a DPO and what DPOs do;
  • When organizations must conduct DPIAs (data protection impact assessments);
  • GDPR implementation FAQs;
  • Guidance on how to create data protection processes that are in line with best practices; and
  • An index of the GDPR.
EU General Data Protection Regulation (GDPR) – An implementation and compliance guide, fourth edition
 

       Buy now

EU GDPR – An international guide to compliance

Ideal for those trying to understand the essentials of GDPR compliance, EU GDPR – An international guide to compliance:

  • Explains the terms and definitions used in the GDPR;
  • Sets out the circumstances under which organizations may receive fines;
  • Shows how to meet your compliance requirements; and
  • Provides guidance on the technologies and documentation you can use to protect the personal data that you process.
EU GDPR – An international guide to compliance
 

       Buy now




Tags: gdpr, Schrems II

Sep 27 2020

Enhance your privacy management with ISO 27701

Category: ISO 27kDISC @ 11:09 am

ISO/IEC 27701:2019 provides guidance on data protection, including how organizations should manage personal information, and helps demonstrate compliance with privacy regulations around the world, such as the GDPR.

The Standard integrates with the international information security management standard ISO/IEC 27001 to extend an ISMS (information security management system), enabling an organization to establish, implement, maintain and continually improve a PIMS (privacy information management system).

ITG pocket guide ISO/IEC 27701:2019: An introduction to privacy information management is an ideal primer for anyone implementing a PIMS based on ISO 27701.

Improve your privacy information management regime

Co-written by Alan Shipman, an acknowledged expert in the field of privacy and personal information and the project editor of ISO/IEC 27701, this pocket guide will help you understand the basics of privacy management, including:

 

  • What privacy information management means
  • How to manage privacy information successfully using a PIMS aligned to ISO/IEC 27701
  • Key areas of investment for a business-focused PIMS and
  • How your organization can demonstrate the degree of assurance it offers with regard to privacy information management.
ISO/IEC 27701:2019: An introduction to privacy information management
 

         Buy now

ISO 27701 Gap Analysis Tool


Download a Security Risk Assessment Steps paper!







DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles

Subscribe to DISC InfoSec blog by Email

👉 Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet




Tags: ISO 27701, ISO 27701 Gap Analysis Tool, PIMS

Aug 18 2020

Privacy eLearning – Staff InfoSec & Compliance Awareness

Category: eLearning,GDPR,Information Privacy,Security AwarenessDISC @ 9:53 am

Privacy eLearning & Staff Awareness

  • Access staff awareness e-learning programs and train staff on best practice processes
  • Ensure staff can spot and respond to cybersecurity and privacy risks
  • Comply with data protection and information security legislation and standards
  • Test learner knowledge to prove compliance for auditing purposes
  • Train staff under one, manageable contract with these cost-effective annual licenses
  • Developed by industry experts our programs are updated every three months to ensure the content remains relevant
  • Gain access to any new content ITG release throughout your year-long contract
  • Customize the courses by adding links to company documents, policies, and procedures
  • Fast deployment with instant access to all of the courses
  • Reinforce awareness with monthly security updates, which include the latest news and tips



1) Complete Staff Awareness E-learning Suite
Complete Staff Awareness E-learning Suite

2) GDPR Challenge E-learning Game
This short and punchy ten-minute game will test your employees’ knowledge on real-life GDPR-relevant scenarios across different industries.

3) GDPR Staff Awareness E-learning Course
GDPR Staff Awareness eLearning Course

4) GDPR: Email Misuse Staff Awareness E-Learning Course
GDPR: Email Misuse Staff Awareness E-Learning Course

5) Information Security & ISO 27001 Staff Awareness E-Learning Course
ITG eLearning Course: Information Security & ISO27001 Staff Awareness

6) PCI DSS Staff Awareness E-Learning Course
PCI DSS Online Staff Awareness eLearning Course

7) Information Security Staff Awareness E-Learning Course
Information Security | eLearning Course

8) Phishing Staff Awareness E-Learning Course
Phishing Staff Awareness E-Learning Course

9) Data Protection Awareness Posters
Data Protection Awareness Posters

10) Phishing Awareness Posters
Phishing Awareness Posters

11) The ISMS Card Game
The ISMS Card Game




Tags: GRC eLearning, information security awareness, InfoSec eLearning, security awareness training

Dec 19 2019

ISO/IEC 27701 2019 Standard and Toolkit

Category: GDPR,Information Privacy,ISO 27kDISC @ 12:35 pm

ISO/IEC 27701 is the international standard that serves as an extension to an ISO 27001/ ISO 27002 #ISMS (information security management system). It provides guidelines for implementing, maintaining, and continually improving a #PIMS (privacy information management system).

Develop a privacy information management system as an extension to your ISO 27001-conformant ISMS with ISO/IEC 27701. Supports GDPR compliance.

SECURITY TECHNIQUES — EXTENSION TO ISO/IEC 27001 AND ISO/IEC 27002 FOR PRIVACY INFORMATION MANAGEMENT SYSTEM #PIMS

Key features:

* The Standard includes mapping to the GDPR, ISO/IEC 29100, ISO/IEC 27018, and ISO/IEC 29151
* Integrates with other management system standards, including the information security standard, ISO/IEC 27001
* Provides PIMS-specific guidance for ISO/IEC 27002
* Specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a PIMS
* Supports compliance with the GDPR and DPA 2018
* Provides guidance for data controllers and processors responsible for processing personal data


ISO 27701 Gap Analysis Tool


Achieve full compliance with ISO 27701:2019
The ISO 27701 Gap Analysis Tool has been created to help organizations identify whether they are meeting the requirements of the Standard and where they are falling short. Note that this tool assumes that you have a complete and functioning ISO 27001:2013 ISMS (information security management system).

It helps organizations prioritise work areas in order to expand an existing ISMS to take account of privacy. It also gives organizations direction, helping project managers identify where to start.


What does the tool do?

  • Contains a set of sample audit questions
  • Lists all ISO 27701:2019 requirements, identifying where documentation is mandatory for compliance
  • Provides a clear, colour-coded report on the state of compliance
  • The executive summary displays the results of compliance in a clear table so that you can report on your results and measure the closure of gaps.


    • The tool is designed to work in any Microsoft environment. It does not need to be installed like software, and it does not depend on complex databases; it relies on human involvement.



    ISO 27701 The New Privacy Extension for ISO 27001
    httpv://www.youtube.com/watch?v=-NUfTDXlv30

    Quick Guide to ISO/IEC 27701 – The Newest Privacy Information Standard
    httpv://www.youtube.com/watch?v=ilw4UmMSlU4

    General Data Protection Regulation (GDPR) | The California Consumer Privacy Act (CCPA)

    Subscribe to DISC InfoSec blog by Email




    Tags: CCPA, gdpr, iso 27001, iso 27002, ISO 27701, ISO27701, PIMS

    « Previous PageNext Page »