Saturday, August 10, 2019

Personal Data Breach Notification Template - Bird's Eye View

Image Courtesy : https://www.identitymanagementinstitute.org

Points to consider when preparing a Personal Data Breach Notification Template so that it conforms with GDPR requirements:

  • The nature of the Personal Data breach
  • Circumstances & Cause of the breach (if known and more of a best practice)
  • The date of the breach or the duration of the breach
  • Description of the personal information affected
  • An estimate of the number of affected individuals/Data Subjects
  • An estimate of the number of affected Personal Data Records
  • A description of the steps taken, or proposed to be taken, to reduce the impact of the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects
  • A description of any steps taken to notify the affected individuals; and
  • Contact information of Data protection officer/person who can answer questions about the breach on behalf of the organization.


Note: The points above align with the requirements of Article 33 of the GDPR. They can also serve as a starting point for a generic personal data breach notification template.


Wednesday, May 6, 2015

New, Hot and Must-Have (Arguably, Post Your CISSP & Other Equivalents) Certifications for Information Security Professionals



A big hello to my fellow information security professionals. Many of us, post our CISSP, CISA/CISM or PMP, are wondering what comes next. Below is the answer:
ISC2 and ISACA, two giants of the information security world, have come up with two new certifications: CCSP (Certified Cloud Security Professional) and CSX (Cyber Security Nexus) at Practitioner, Specialist and Expert level.
The areas they cover, cloud computing and cyber security, are among the most talked-about areas and are in very high demand in the current market.



1. CCSP - Certified Cloud Security Professional
CCSP is a global credential born from the expertise of the two industry-leading stewards of information systems and cloud computing security, ISC2 and CSA.
The CCSP exam tests candidates' competence in the six CCSP domains of the ISC2 Common Body of Knowledge (CBK), which cover:
  • Architectural Concepts & Design Requirements
  • Cloud Data Security
  • Cloud Platform & Infrastructure Security
  • Cloud Application Security
  • Operations
  • Legal & Compliance


2. CSX (Cyber Security Nexus) – Practitioner, Specialist & Expert
Whereas other certifications available today test for knowledge in a question and answer format, CSX training and exams are conducted in a live, virtual “cyber lab” environment — providing validation of actual technical skill, ability and performance.

CSX Practitioner
A CSX Practitioner certification demonstrates your ability to serve as a first responder, following established procedures, defined processes and working mostly with known problems on a single system. You’ll show you have firewall, patching and anti-virus experience and can implement common security controls, perform vulnerability scans and some analysis.

CSX Specialist
The CSX Specialist series offers you the opportunity to pursue a certification in a specialty area — allowing you to demonstrate deep knowledge and ability in that domain. Choose from five independent certifications: Identify, Protect, Detect, Respond or Recover. These certifications build on the skills developed in CSX Practitioner and test advanced concepts in each of the domains.

CSX Expert
A CSX Expert certification establishes your standing as a master-level security professional capable of identifying, analyzing, responding to and mitigating the most complex cybersecurity incidents — usually in intricate enterprise environments that pose significant exposure to attacks. CSX Experts are the authoritative source for all cybersecurity matters within an organization and approve cybersecurity controls.
For more details: http://www.isaca.org/cyber/Pages/csx-cybersecurity-nexus-certifications.aspx

If you ask my personal favourite, post my CISSP, PMP etc., it is CSX, as cyber security is the next big thing!

All the best, and please feel free to touch base with me in case of any clarifications or guidance.

Deepesh Kumar
CISSP,PMP, ISO 27001 LA,CHFI

Image Courtesy : ISC2 and ISACA

Wednesday, April 15, 2015

Changes to PCI DSS v3.1 - What has changed in comparison to PCI DSS v3.0




PCI Security Standards Council (PCI SSC) published PCI Data Security Standard (PCI DSS) Version 3.1 and supporting guidance today. The revision includes minor updates and clarifications, and addresses vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk.

PCI DSS version 3.1 is effective immediately. PCI DSS Version 3.0 will be retired on 30 June 2015.

What has changed? The three requirements below were reworded; the only substantive change in each is that SSL (or SSL/TLS) is no longer named as an example of a secure technology.

Section 2.2.3*
  PCI DSS v3.1: Implement additional security features for any required services, protocols, or daemons that are considered to be insecure—for example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
  PCI DSS v3.0: Implement additional security features for any required services, protocols, or daemons that are considered to be insecure—for example, use secured technologies such as SSH, S-FTP, SSL, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.

Section 2.3
  PCI DSS v3.1: Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access.
  PCI DSS v3.0: Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

Section 4.1
  PCI DSS v3.1: Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
    • Only trusted keys and certificates are accepted.
    • The protocol in use only supports secure versions or configurations.
    • The encryption strength is appropriate for the encryption methodology in use.
  PCI DSS v3.0: Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
    • Only trusted keys and certificates are accepted.
    • The protocol in use only supports secure versions or configurations.
    • The encryption strength is appropriate for the encryption methodology in use.


*- Note: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately, new implementations must not use SSL or early TLS. POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after June 30, 2016.

My view on TLS: TLSv1.0 is prone to CBC attacks. The recommended version is TLSv1.2.
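As an added illustration (this is not PCI SSC text and not code from this post), the following Python shows the two sides of the requirement in practice: how a client is pinned to TLS 1.2 or later with the standard library's ssl module (covering the "trusted keys and certificates" and "secure versions" bullets of 4.1 from the client side), and how an inventory of the protocol versions each endpoint offers, the kind of output a TLS scanner produces, is checked against the rule that SSL and early TLS are not acceptable. The hostnames and offered-version lists are constructed sample data; treating everything below TLS 1.2 as "early TLS" follows the post's own recommendation and is an assumption of this example, not PCI SSC's wording.

```python
import ssl

# Protocol versions that count as "strong cryptography" for this check.
# The PCI DSS v3.1 note rules out SSL and early TLS; following the post's
# recommendation of TLSv1.2, everything older is treated as unacceptable
# (an assumption of this example, not PCI SSC's own definition).
ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
DISALLOWED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Constructed sample inventory: the protocol versions each endpoint was seen
# to offer, in the shape a TLS scanner would report. Hostnames are placeholders.
SAMPLE_SCAN = {
    "payment-gateway.example": ["TLSv1.2", "TLSv1.3"],
    "legacy-admin.example": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "pos-poi-terminal.example": ["TLSv1.0"],
}


def hardened_client_context():
    """Client SSLContext that refuses SSL and early TLS and verifies the peer.

    create_default_context() already demands a trusted certificate and a
    matching hostname; the explicit protocol floor makes the TLS 1.2 minimum
    independent of whatever the linked OpenSSL build defaults to.
    """
    ctx = ssl.create_default_context()            # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSLv3 / TLS 1.0 / TLS 1.1 handshakes fail
    return ctx


def context_summary(ctx):
    """Plain-data view of the settings an assessor would ask about."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def assess_endpoint(offered):
    """Decide whether an endpoint's offered protocol set is acceptable.

    An endpoint fails if it offers *any* disallowed version, even when it also
    offers TLS 1.2: a server that still negotiates SSLv3 or TLS 1.0 with an
    older client is exactly what the migration plan is meant to remove.
    Unrecognised version strings are reported rather than silently passed.
    """
    offered_set = set(offered)
    bad = sorted(offered_set & DISALLOWED_PROTOCOLS)
    unknown = sorted(offered_set - DISALLOWED_PROTOCOLS - ACCEPTABLE_PROTOCOLS)
    return {
        "compliant": not bad and not unknown and bool(offered_set & ACCEPTABLE_PROTOCOLS),
        "disallowed_offered": bad,
        "unrecognised": unknown,
    }


def assess_scan(scan):
    """Run the check over a whole inventory; returns endpoint name -> assessment."""
    return {name: assess_endpoint(offered) for name, offered in scan.items()}


if __name__ == "__main__":
    print("client context:", context_summary(hardened_client_context()))
    for name, result in assess_scan(SAMPLE_SCAN).items():
        status = "OK " if result["compliant"] else "FIX"
        print(f"{status} {name}: disallowed={result['disallowed_offered']}")
```

The inventory check is deliberately strict: an endpoint that offers TLS 1.2 alongside SSLv3 or TLS 1.0 is flagged, because the note requires existing implementations to migrate, not merely to add a newer option. The POS POI terminal entry in the sample is flagged too; the note's exception for terminals verified as not susceptible to known SSL/early TLS exploits is an assessment decision that this check does not try to make automatically.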


Courtesy: PCI DSS