Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
4 likes1,705 views
The document provides an overview of personal data protection regulations and technical aspects related to data privacy. It discusses key aspects of the draft Indonesian Personal Data Protection Bill, including rights of data owners and obligations of data controllers. It also covers technical topics like identity and access management, data loss prevention, and incident management. The presentation aims to provide a basic understanding of both regulatory requirements and technical controls for protecting personal data.
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
- 1. 11 PERSONAL DATA PROTECTION Eryk B. Pratama IT Advisory & Cyber Security Consultant at Global Consulting Firm Komunitas Data Privacy & Protection Indonesia 11 July 2020 | 20:00 Komunitas Orang Siber Indonesia Webinar Basic Regulation and Technical Aspects
- 2. Agenda 01 Introduction 02 Regulation Aspects 03 Technical Aspects
- 3. Introduction
- 4. Data Ethics & Privacy News Introduction
- 5. Data/Information Lifecycle Introduction Source: ISACA – Getting Started with Data Governance with COBIT 5 It is important to plan the life cycle of data along with their placement within the governance structure. As practices operate, the data supporting or underlying them reach the various levels of their natural life cycles. Data is planned, designed, acquired, used, monitored and disposed of. Critical information security control Store | Data at Rest Share | Data in Motion Use | Data in Use
- 6. Mind-map Introduction Regulation Technical Aspects EU General Data Protection Regulation (GDPR) US California Consumer Protection Act (CCPA) RUU Perlindungan Data Pribadi (RUU PDP) Pre-Breach Identity & Access Management Data Loss Prevention Privilege Access Management Cyber Hygiene During & Post Breach Incident Management Crisis Management PP 71 2019 - PSTE Peraturan Kominfo No 20 2016 - Data Pribadi pada PSE
- 8. RUU Perlindungan Data Pribadi Regulation Aspects Key Highlight ▪ Explicit Consent is required from the data owner for personal data processing. ▪ Responding timelines for Data subject rights have been separately called out in the RUU PDP. ▪ Data controller to notify the data owner and the Minister within 3 days of data breach. ▪ Penalties for non-compliance may range from Rp 20 Billion to Rp 70 Billion or Imprisonment ranging from 2 to 7 years Data Owner Data Controller Data Processor Data Protection Officer
- 9. Data Owner – Pemilik Data Pribadi Regulation Aspects Hak Pemilik Data Pribadi Pasal Deskripsi Pasal 4 meminta Informasi tentang kejelasan identitas, dasar kepentingan hukum, tujuan permintaan dan penggunaan Data Pribadi, dan akuntabilitas pihak yang meminta Data Pribadi. Pasal 5 melengkapi Data Pribadi miliknya sebelum diproses oleh Pengendali Data Pribadi. Pasal 6 mengakses Data Pribadi miliknya sesuai dengan ketentuan peraturan perundang-undangan. Pasal 7 memperbarui dan/atau memperbaiki kesalahan dan/atau ketidakakuratan Data Pribadi miliknya sesuai dengan ketentuan perundang-undangan. Pasal 8 mengakhiri pemrosesan, menghapus, dan/atau memusnahkan Data Pribadi miliknya. Pasal 9 menarik kembali persetujuan pemrosesan Data Pribadi miliknya yang telah diberikan kepada Pengendali Data Pribadi Pasal 10 mengajukan keberatan atas tindakan pengambilan keputusan yang hanya didasarkan pada pemrosesan secara otomatis terkait profil seseorang (profiling). Pasal 11 memilih atau tidak memilih pemrosesan Data Pribadi melalui mekanisme pseudonim untuk tujuan tertentu Pasal 12 menunda atau membatasi pemrosesan Data Pribadi secara proporsional sesuai dengan tujuan pemrosesan Data Pribadi Pasal 13 menuntut dan menerima ganti rugi atas pelanggaran Data Pribadi miliknya sesuai dengan ketentuan peraturan perundang-undangan.
- 10. Data Masking Regulation Aspects Encryption Tokenization Anonymization Pseudonymization Source: https://teskalabs.com/blog/data-privacy-pseudonymization-anonymization-encryption Pseudonymized Anonymized
- 11. Data Masking - Tokenization Regulation Aspects Source: https://blog.thalesesecurity.com/2015/02/05/token-gesture-vormetric-unveils-new-tokenization-solution/ No sensitive data is stored in the production database
- 12. Data Controller – Pengendali Data Pribadi Regulation Aspects Kewajiban Data Controller Pasal Deskripsi Pasal 24 ▪ wajib menyampaikan Informasi mengenai legalitas dari pemrosesan , tujuan pemrosesan , jenis dan relevansi pemrosesan, periode retensi dokumen, rincian informasi yang dikumpulkan, dan jangka waktu pemrosesan data ▪ menunjukkan bukti persetujuan yang telah diberikan oleh Pemilik Data Pribadi Pasal 25 wajib menghentikan pemrosesan Data Pribadi dalam hal Pemilik Data Pribadi menarik kembali persetujuan pemrosesan Data Pribadi Pasal 27 wajib melindungi dan memastikan keamanan Data Pribadi yang diprosesnya dengan melakukan: ▪ penyusunan dan penerapan langkah teknis operasional untuk melindungi Data Pribadi ▪ penentuan tingkat keamanan Data Pribadi dengan memperhatikan sifat dan risiko dari Data Pribadi yang harus dilindungi dalam pemrosesan Data Pribadi Pasal 28 wajib melakukan pengawasan terhadap setiap pihak yang terlibat dalam pemrosesan Data Pribadi Pasal 29 wajib memastikan pelindungan Data Pribadi dari pemrosesan Data Pribadi yang tidak sah Pasal 36 wajib melakukan pemrosesan Data Pribadi sesuai dengan tujuan pemrosesan Data Pribadi yang disetujui oleh Pemilik Data Pribadi. (Explisit / Implicit Consent) Pasal 38 Pasal 39 Penghapusan dan pemusnahan data pribadi
- 13. Data Protection Officer – Fungsi Perlindungan Data Pribadi Regulation Aspects ▪ harus ditunjuk berdasarkan kualitas profesional, pengetahuan mengenai hukum dan praktik pelindungan Data Pribadi. ▪ dapat berasal dari dalam dan/atau luar Pengendali Data Pribadi atau Prosesor Data Pribadi. ▪ menginformasikan dan memberikan saran untuk Data Controller dan Data Processor ▪ memantau dan memastikan kepatuhan terhadap Undang-Undang ini dan kebijakan Pengendali Data Pribadi atau Prosesor Data Pribadi ▪ memberikan saran mengenai penilaian dampak pelindungan Data Pribadi dan memantau kinerja Data Controller dan Data Processor ▪ berkoordinasi dan bertindak sebagai narahubung untuk isu yang berkaitan dengan pemrosesan Data Pribadi ▪ Dalam melaksanakan tugas, harus memperhatikan risiko terkait pemrosesan Data Pribadi, dengan mempertimbangkan sifat, ruang lingkup, konteks, dan tujuan pemrosesan
- 15. Identity and Access Management Technical Aspects – Identity & Access Management Security Management Provides the overarching framework, policies, and procedures Identity Management Access Management Manages individual identities and their access to resources and services Manages the “who has access to what” question and allows access based on individual relationship with the resources and services Directory Services Maintains an identity repository that store identity data and attributes, and provides access and authorization information “ IAM grants authorized users the right to use a service, while preventing access to non-authorized users “
- 16. From Simply Managing Identities to Managing Complex Relationships Technical Aspects – Identity & Access Management Identity Access Management Identity Relationship Management Source: Forrester Research
- 17. Identity Management Basic Process Technical Aspects – Identity & Access Management Authoritative/Trusted Source Middleware / Identity Management Solution Target System HR Data IDM Solution Active Directory Email Server ERP Others Applications Provisioning Reconciliation Create,Update,Revoke
- 18. Access Management Basic Process Technical Aspects – Identity & Access Management Receive Request Verification Provide Rights Log and Track Access ▪ Change requests ▪ Services requests ▪ HR requests ▪ App / Script requests ▪ Valid user ? ▪ Valid request ? ▪ Request access ? ▪ Remove access ? ▪ Provide access ▪ Remove access ▪ Restrict access ▪ Check and monitor identity status ▪ Violations to Incident Management Process Business Rules, Policies, Procedures, Controls ISMS
- 19. User and Access Management primary concern Technical Aspects – Identity & Access Management User access provisioning and de-provisioning Periodic access reviews Privileged user accounts Segregation of duties System authentication User Management Access Management
- 20. Data Governance: Common Area Technical Aspects – Data Loss Prevention Source: https://www.pinterest.com/pin/838584393089888744/ Data Security is one of foundational and important area in Data Governance
- 21. Data Loss/Leakage Prevention Solution Technical Aspects – Data Loss Prevention A Data Loss Prevention (DLP) solution typically incorporates people, process, and technology to protect sensitive data traversing throughout an organization. Data within an organization is often categorized and protected by DLP in the following three different forms: Data in Motion Data at Rest Data in Use Data that is transmitted or moved, both through electronic or non-electronic means. Data that is actively traveling on a network, such as email or web traffic. Data that resides on a stable medium, including servers, network shares, databases, individual computers, and portable media. Data that has been obtained and are being processed or actively used. Typically, referring to data on end-user computing device or host systems. Structured Data Unstructured Data Semi-structured Data Data commonly stored in databases or applications Exists in filesystems or documents Examples of such data format types include email Data Type
- 22. Sample Deployment Technical Aspects – Data Loss Prevention ILLUSTRATIVE DLP Manager DLP Monitor DLP Prevent DLP Prevent Host DLP DLP Discover DLP End Point
- 23. DLP Implementation Key Activities Technical Aspects – Data Loss Prevention Review of the organisation data protection policy and conduct gap assessment Define data flows, data classification and information asset list DLP Framework and High-level Policy Definition Base policy creation and tuning Metrics definition Incident response workflow creation User awareness
- 24. DLP Implementation Strategy Technical Aspects – Data Loss Prevention Organizations often deploy DLP solutions using a phased approach. This includes initial implementation of the DLP solution in monitoring mode and/or within selected business unit(s) to help ensure policies/rules effectiveness and assess business impact before turning on any automated “prevent “functions. LowHigh Near Term Long Term ImplementationComplexity Email Monitoring Network Monitoring Endpoint Monitoring and Discovery Email Filtering/Blocking Network Filtering/Blocking Endpoint Filtering/Blocking Timeline Prevent PhaseMonitor Phase Benefits ▪ By performing Email DLP first, existing technology is utilized and a high-risk use case is addressed quickly ▪ Implementing endpoint DLP after email DLP allows company to address the remaining high-risk use cases. ▪ Deploying DLP in monitoring mode followed by preventive mode allows company to pilot solution
- 25. DLP Use Case: Data in Motion Technical Aspects – Data Loss Prevention Data Origination Outbound Email from Internal Source (Sensitive Information) User Action Internal user sends email with sensitive information (e.g. PII, PCI, HR files, etc.) outbound to an external user or personal email address. DLP Response DLP monitors and analyzes outbound traffic based on policies for predefined data elements and company document tags. Document tagging allows DLP to fingerprint files in order to monitor and/or prohibit the movement of sensitive information based on policies. Available Action Monitor, record/block/encrypt, and notify Result Sensitive information is tracked and prevented from reaching unauthorized recipient. Sender, manager, security, and/or HR notified of policy violation or actions required/taken for authorized recipients (e.g. email and attachments marked to indicate level of confidentiality and encrypted, as required).
- 26. DLP Use Case: Data in Use Technical Aspects – Data Loss Prevention Data Origination Unauthorized Sensitive Information Download User Action User attempts to retain sensitive information for unauthorized use from an application or database through copy/paste functions, the “print screen” command, hard copy printing, or exploitation of current access privileges to execute excessive sensitive information downloads (e.g. prior to departure). DLP Response DLP monitors workstation and mobile device activity for the use and/or transfer of sensitive information based on policies for predefined data elements and company document tags. Company document tagging and user- defined fingerprinting allow DLP to monitor and/or prohibit the movement of sensitive information based on policies. Available Action Monitor/inventory, block, and notify Result Sensitive information is monitored, blocking the “print screen,” paste, and hard copy print actions. The user, manager, security, and/or HR are notified of policy violation. Utilize scan results to update/maintain inventory of endpoints containing sensitive information.
- 27. Incident Management Definition Technical Aspects – Incident Management What is an IT incident? An IT incident is any disruption to an organization's IT services that affects anything from a single user or the entire business . In short, an incident is anything that interrupts business continuity. What is IT incident management? Incident management is the process of managing IT service disruptions and restoring services within agreed service level agreements (SLAs). The scope of incident management starts with an end user reporting an issue and ends with a service desk team member resolving that issue. Analyst Incident Responder Digital Forensic Incident Escalation Layer 1 (L1) Layer 2 (L2) Layer 3 (L3) Incident Classification MediumHigh Low Incident Prioritization Critical High Medium Low
- 28. Incident Management Process Technical Aspects – Incident Management Incident Management process based on NIST SP 800-61
- 29. Practical Incident Management Process Technical Aspects – Incident Management Incident Logging Incident Categorization Incident Prioritization Incident Assignment Task Creation and Management SLA Management and escalation Incident Resolution Incident Closure
- 30. Thank You ☺ https://medium.com/@proferyk https://www.slideshare.net/proferyk IT Advisory & Risk (t.me/itadvindonesia) Data Privacy & Protection (t.me/dataprivid) Komunitas Data Privacy & Protection (t.me/dataprotectionid)