Want to be a “Master Trainer” for C.DPO.DA.?

FDPPI is working closely with Cyber Law College to develop the capacity of Data Protection Officers and Data Auditors.

In this direction, FDPPI, being a Not for Profit Organization with an interest in developing the community, has decided to develop a set of “Master Trainers” in the immediate future in 20 major cities of the country who can conduct local physical training programs for C.DPO.DA. These Master Trainers will be individual torch bearers of Privacy Training, supported to the extent required by FDPPI/Cyber Law College.

Since FDPPI has introduced a “Cross Certification” program whereby professionals trained by DSCI/IAPP/ISACA are provided privileged entry into the C.DPO.DA. examination (with a concessional examination fee of Rs 6000/- plus GST as a launch offer applicable till October 17, 2024), it has been decided that professionals trained by these “Master Trainers” are also allowed direct entry to C.DPO.DA. at a differential pricing of Rs 10000/- plus GST (subject to change).

One of the pre-requisites for being a Master Trainer is, however, that the entrepreneur should be C.DPO.DA. qualified (at Level 3).

Level 1, 2 and 3 are the three grades in C.DPO.DA., and Level 3 represents “Distinction”. Level 1 is considered the minimal Certification level for Privacy Professionals, and Level 2 is recommended for implementation consultants. The classification is based on different cut-off points in the examination.

Since FDPPI/Cyber Law College is conducting the next program for C.DPO.DA. in Bengaluru on 27-29 September 2024, it has also been decided to allow three persons aspiring to be “Master Trainers” to attend the training at a 50% discount (net price would be Rs 20000/- plus GST 3600/- for three days). Persons coming from outside Bengaluru need to make their own arrangements for travel and stay. Interested persons may contact Naavi immediately. Since only three persons will be accommodated in this scheme, aspirants are requested to act quickly.

This will be purely optional for the trainees: if they are satisfied with the certifications given by the individual trainers, there is no need to also obtain a C.DPO.DA. Certification. This is a voluntary offer from FDPPI, and the other organizations whose Certifications are eligible for this cross certification are not required to provide any mutual counter offers.

With this Cross Certification Scheme, and by opening it out to private individuals, FDPPI is democratizing the training to persons with a passion for training. This is an opportunity for every training professional or training company to develop their own training programs at their own pricing and enable their candidates to opt for industry standard certifications. It is presumed that in the long term this will revolutionize the Certification mechanism and reduce the cost to professionals aspiring for multiple Certifications.

Naavi

Posted in Cyber Law

Opportunities fly past. Recognize and Seize it


Let’s Create a Community of Data Auditors

DPDPA 2023, as a data protection law, charted a course different from GDPR in several respects. One such difference is that DPDPA envisages a role for “Data Auditors”, who are independent auditors outside the Company. Currently it is mandatory for Significant Data Fiduciaries to appoint such Data Auditors.

As a result, there is now statutory recognition for such Data Auditors. With this development there is a need to develop Data Auditors as a community, and Naavi.org, through Ujvala Consultants Pvt Ltd, will take the lead in creating this community. Watch out for more information on this front.

In the meantime, as regards the three day program scheduled to be held at Bengaluru on September 27, 28 and 29 by FDPPI, many have asked about the curriculum.

I had indicated yesterday that it would focus on “Audit” as per DPDPA 2023 which is for Data Fiduciaries, Significant Data Fiduciaries, Consent Managers etc.

To elaborate further, the discussion would cover the following.

a) The legal basis for Data Protection in the form of nuances of DPDPA 2023 along with ITA 2000, CPA 2019 and also international laws such as GDPR.

b) Implementation challenges for “Compliance by Design” with Technical and Organizational controls, including the technical challenges of:

- Data Discovery, Data Classification, Data Storage, Data Access, Consent Management, Management of Rights of Data Principals, Minor’s Data Management, Data Breach Management, Data Retention Management, Data Confidentiality, Integrity and Availability Management, Grievance Redressal Management, Management of Consent Managers, Data Pseudonymization, etc.

c) Governance challenges related to how the risks can be assessed and managed, including Data Valuation and the use of Cyber Insurance.

d) Conducting an audit of how an organization has complied with the DPDPA 2023 requirements in a technical environment, with a focus on evidence gathering and validation.

FDPPI’s Certification C.DPO.DA. is a crown jewel which is available only to those who successfully complete the examination.

All persons who attend the program are given one free attempt at the examination. The examination would be online, for a duration of 2 hours. Those who opt out of the examination will get a “Participation Certificate”.

If they appear for the exam and cross the first cut-off point, they will be eligible for the “C.DPO.DA.-L1 (Foundation Level)” Certificate. If they cross the second cut-off point, they will be eligible for the “C.DPO.DA.-L2 (Implementation Level)” Certificate. If they are able to cross the third cut-off point, they will be eligible for the “C.DPO.DA.-L3 (Expert Auditor Level)” certification.

Appropriate reading material would be provided both online and offline. The sessions will include lectures and case study discussions.

We want to make the Program an elevating experience for all the participants.

Look forward to meeting you…


Why Auditors have to be ready before DPDPA Compliance comes into existence

It is heartening to note that CERT-In has recognized the need for its Empanelled Auditors to be ready to audit DPDPA Compliance in other Companies. As part of this recognition, the CERT-In empanelment division recently issued a circular note to all its empanelled auditors recommending certain Certification Programs.

FDPPI is happy to note that CERT-In has included the training program which FDPPI has organized in Bengaluru on September 27, 28 and 29 as one of the recommended courses, stating the following.

It goes without saying that the empanelled auditor firms themselves need to be first compliant with DPDPA before auditing others.

Quote:

Dear Empanelled Auditing Organizations,

As you are aware, CERT-In empaneled auditing organizations play a critical role in assessing and hence securing the cyber infrastructure of entities operating in the Indian cyber constituency. It is imperative for auditing organizations to continuously build capacity through regular training programs and certifications. CERT-In is in discussion with various institutions and forums to prepare audit focused courses/programs in various domains for both technical and senior executives.

As you may also be aware, the Digital Personal Data Protection (DPDP) Act is in place and CERT-In empaneled auditing organizations will also come across privacy and data protection audits. Hence, it is recommended to train management and staff on appropriate data protection and privacy programs.

Currently the following 4 programs have been evaluated by CERT-In and are expected to benefit the auditors engaged with empanelled auditing organizations:

Unquote

The recommended programs relevant to CERT-In auditors included the following:

We are honoured by this recommendation and will do our best to ensure that the confidence reposed in us by CERT-In is adequately justified through our unwavering commitment to excellence and responsibility.

To give an idea of how FDPPI’s program is unique and differs from the others: it would exclusively cover

  1. Audit of Data Fiduciaries
  2. Audit of Significant Data Fiduciaries
  3. Audit of Consent Managers
  4. Audit for Insurability
  5. Assessment of DTS
  6. DPIA and Data Breach audits
  7. Audit of Media and Gaming Companies

These topics will be covered along with DPDPA 2023 as a law and the implementation challenges in terms of technology tooling. Solutions in the form of current frameworks, including ISO 27001/27701 and the CSF of CERT-In/RBI, and a detailed discussion on DGPSI will also be covered.

Needless to say, the program would be unique, and those who miss the opportunity would miss an early bus to the coveted Data Auditor community.

Naavi


DPDPA Insurance and Insurability Assessment

I refer to my earlier writings about the need for insuring the risks arising out of non-compliance with data protection regulations.

Ref: A Golden Era for Insurance Industry ushered in through Personal Data Protection Act of India

Now, with the adoption of DPDPA 2023 and the imminent release of the DPDPA Rules, it has become necessary for Companies to start reviewing their DPDPA Risk Containment policy.

The estimation of the risk starts with the “Gap Analysis”, which gives an early indication of how the Rs 250 crore-plus risk could theoretically affect the company. Companies put in place risk mitigation efforts, but the residual risk after mitigation has to be either absorbed or covered through appropriate insurance.

We do expect that the DPB will be considerate and adopt a soft approach towards imposing penalties. Hence the real risk of administrative penalties for a company which has implemented DPDPA compliance in good faith can be considered much lower. However, when a breach does occur, the cost of making improvements to the system following an inquiry by the DPB is a reality and has to be covered along with whatever penalties are imposed. The cost of conducting a Data Breach Analysis will also be substantial.

Most Companies use the services of the Big Four and spend huge sums on both gap analysis and data breach analysis.

Presently, Cyber Insurance policies do cover the first-party losses (the insured’s own expenses) and the liability arising out of claims by victims, which we may call the third-party losses arising out of the breach. “Administrative Penalties” are a new development in India, and hence existing policies may not provide adequate coverage for them.

While the Insurance Companies and the IRDAI need to think of appropriate upgradations of their current policies, even as they think of updating their own Cyber Security Policies to include DPDPA Compliance, FDPPI is launching on its Sixth anniversary, September 17 2024, a “DPDPA Readiness Assessment” (DPRA) at a minimal cost. The assessment, based on a set of parameters, evaluates DPDPA readiness in terms of a DTS (Data Trust Score).

This DRA should also be considered a “DPDPA Insurability Assessment”, which the Insurance Companies may use when deciding whether to accept a request for underwriting and in fixing the premium.

The evaluation itself may be a “DPDPA Insurability Index” (DII), which could be qualitative, such as “Fair”, “Good” and “Excellent”. The “Good” index could be fitted to the normal premium level, whereas “Fair” may involve a surcharge and “Excellent” a discount on the premium. The assessment would be based on an interview by an auditor with a key executive of the organization, ideally the CEO.

In the event of a data breach, there may be an assessment of the Claim which, apart from identifying the expenses incurred, will also evaluate the root cause of the breach to identify the negligence factor of the organization and assist the Insurance Companies in determining the claim. This Data Breach Claim Assessment (DBCA) may determine whether the Insurer approves the claim and, if so, to what extent.

The DRA is presently available as a service through Ujvala Consultants Pvt Ltd, while the DBCA is under development, along with the identification of technology partners for the technical evaluation of a data breach.

On or after 17th September 2024, the DRA would be available for companies.

Naavi


Quantum Computing Cybersecurity Preparedness Act

The USA has passed a federal Act called the “Quantum Computing Cybersecurity Preparedness Act”. The Act was signed on December 21 2022, with different timelines for implementation. The concept of legislation urging the Federal Agencies in the US to be prepared for quantum attacks even before the use of quantum computing has become commercially relevant is a principle that deserves special commendation.

It is natural for organizations like FDPPI or Naavi to say “Be Ready” and start compliance from today, since DPDPA 2023 is “Due Diligence” under ITA 2000. But what the USA has done with its Quantum Computing Cybersecurity Preparedness Act is to create a legislative compulsion for Federal agencies to start their security preparedness in advance.

This “Preparedness Act” has mandated certain agencies, namely OMB (Office of Management and Budget), CISA (Cybersecurity and Infrastructure Security Agency) and NIST (National Institute of Standards and Technology), to start acting, and has given them timelines.

It has mandated that within 180 days the OMB shall issue guidance on the migration of IT to post-quantum cryptography and set budgets. Such efforts are expected to include creating an inventory of assets where there is an exposure to quantum cryptographic risk. Again, within 1 year the heads of CISA and the National Cyber Director shall provide information on the inventory of such assets to OMB. NIST shall also issue guidelines for post-quantum cryptography standards. It is under this mandate that NIST came out with three standards on August 13, 2024. The Private sector, though not part of this mandate, is likely to follow suit to enhance its reputation and be eligible for Government contracts.

This law requires federal agencies to migrate their systems to “Post-Quantum” Cryptography, which is resilient against attacks from both quantum computers and classical computers.

The RSA (Rivest-Shamir-Adleman) algorithm, the most commonly used cryptographic algorithm, which even India uses in its Digital Signatures, is considered vulnerable to quantum attacks.

If any organization is using cryptographic algorithms like RSA at present, it is considered not compliant with the “Quantum Computing Cybersecurity Preparedness Act”.

On August 13, 2024, NIST announced approval of three algorithms which are considered “Quantum Safe” cryptographic algorithms.

These are:

  1. FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard
  2. FIPS 204, Module-Lattice-Based Digital Signature Standard
  3. FIPS 205, Stateless Hash-Based Digital Signature Standard

FIPS 203 is a general encryption standard, and FIPS 204 and 205 are digital signature standards for authenticating users. Unlike RSA, FIPS 203 and 204 rely on lattice cryptography, which relies on the difficulty of finding the lowest common multiple in a set of numbers. FIPS 205 uses hash functions as its core mathematical problem. Neither cryptographic approach is thought to be susceptible to quantum computing.
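To make concrete what “hash functions as the core mathematical problem” means, here is an added illustration (not from the original post, and not the FIPS 205 algorithm itself): a Lamport one-time signature built on nothing but SHA-256. SLH-DSA in FIPS 205 layers WOTS+ chains and hash trees on this same idea to obtain many-time, stateless signing; the toy below shows the idea in its simplest form, including why a bare one-time key must never be reused. The sample message is constructed.

```python
"""Hash-based signatures in miniature: a Lamport one-time signature over SHA-256.

Added illustration only. Security rests solely on the hash function being
preimage-resistant: no factoring or discrete-log assumption appears anywhere,
which is why this family is not affected by Shor's algorithm.
"""
import hashlib
import hmac
import secrets

DIGEST_BITS = 256      # we sign the SHA-256 digest of the message, one bit at a time
SECRET_BYTES = 32


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _message_bits(message: bytes):
    """Yield the 256 bits of SHA-256(message), most significant bit first."""
    for byte in _h(message):
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def keygen(rng=secrets.token_bytes):
    """Private key: 256 pairs of random secrets. Public key: the hash of each secret."""
    sk = [(rng(SECRET_BYTES), rng(SECRET_BYTES)) for _ in range(DIGEST_BITS)]
    pk = [(_h(s0), _h(s1)) for s0, s1 in sk]
    return sk, pk


def sign(sk, message: bytes) -> list:
    """Reveal, for every digest bit, exactly one of the two secrets of that pair."""
    return [pair[bit] for pair, bit in zip(sk, _message_bits(message))]


def verify(pk, message: bytes, signature: list) -> bool:
    """Hash each revealed secret and compare it with the committed public value."""
    if len(signature) != DIGEST_BITS:
        return False
    ok = True
    for pair, bit, revealed in zip(pk, _message_bits(message), signature):
        # compare_digest keeps each comparison constant-time; no early exit on mismatch
        ok &= hmac.compare_digest(_h(revealed), pair[bit])
    return ok


def exposed_positions(sig_a: list, sig_b: list) -> int:
    """Count digest positions where two signatures under ONE key revealed both secrets.

    Every extra signature leaks more of the private key, which is why Lamport keys
    are strictly one-time. FIPS 205 is designed to be stateless precisely so that
    a signer never has to track which one-time keys have already been consumed.
    """
    return sum(1 for a, b in zip(sig_a, sig_b) if a != b)


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"DPDPA audit report v1"          # constructed sample message
    sig = sign(sk, msg)
    print("valid signature accepted:", verify(pk, msg, sig))
    print("tampered message rejected:", not verify(pk, msg + b"!", sig))
    print("positions exposed by signing a 2nd message:",
          exposed_positions(sig, sign(sk, b"other")))
```

A Lamport signature is 256 × 32 bytes, and the key is single-use; the engineering in FIPS 205 exists to shrink the signature and remove the one-time restriction while keeping the hash function as the only hardness assumption.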

NIST’s release of the final post-quantum cryptography standards sets a one-year clock ticking for the Office of Management and Budget (OMB) to issue further guidance preparing agencies for the migration of their data to the new, quantum-resilient standards.

Agencies are expected to start migrating to post-quantum cryptography quickly once OMB issues further guidance.

The Private Sector needs to follow the new cryptographic standards at the earliest if it is to remain compliant with the new Act and be able to meet the quantum risks.

The auditors are now required to provide some guidance to organizations on “Quantum Readiness”.

FDPPI presently has its framework, DGPSI, which is a process-based compliance system. Under the DGPSI framework, “Cryptographic Systems” is one process which can be assessed separately against whatever compliance is required.

In the case of a “Quantum Readiness Assessment”, we check whether the organization is prepared to move to the post-quantum cryptographic algorithms. Along with this, awareness of quantum risks and an inventory of the cryptographic algorithms in use need to be ready before scouting for vendors who can provide replacements for the crypto algorithms.
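The inventory step above is where an assessment becomes concrete: every observed algorithm has to be sorted into “quantum-vulnerable”, “quantum-safe” or “needs review” before a migration backlog exists. As an added example (not from the original post and not part of DGPSI or any FDPPI SOP), the script below does that triage for two formats an auditor actually collects, IANA TLS cipher-suite names and OpenSSH key types, plus bare algorithm names. The system names and inventory records are constructed sample data; the classification sets reflect the public-key algorithms broken by Shor’s algorithm and the FIPS 203/204/205 families.

```python
"""Cryptographic inventory triage for a quantum-readiness assessment (added example)."""
import re
from collections import Counter

# Public-key algorithms whose security rests on factoring or discrete logarithms,
# the problems Shor's algorithm solves on a sufficiently large quantum computer.
QUANTUM_VULNERABLE_PK = {
    "RSA", "DSA", "DSS", "DH", "DHE", "ECDH", "ECDHE", "ECDSA",
    "ED25519", "ED448", "X25519", "X448",
}
# Families standardised in FIPS 203/204/205 (final names and their pre-standard names).
QUANTUM_SAFE_PK = ("ML-KEM", "KYBER", "ML-DSA", "DILITHIUM", "SLH-DSA", "SPHINCS+")

# TLS <= 1.2 suites: TLS_<kx>[_<auth>]_WITH_<cipher>_<hash>
TLS12_SUITE = re.compile(r"^TLS_(?P<kxauth>[A-Z0-9_]+?)_WITH_(?P<cipher>.+)_(?P<hash>SHA\d*|MD5)$")
# TLS 1.3 suites name only the AEAD and hash; the key-exchange group is negotiated separately.
TLS13_SUITE = re.compile(r"^TLS_(?P<cipher>AES_\d+_(?:GCM|CCM(?:_8)?)|CHACHA20_POLY1305)_SHA\d+$")
SYMMETRIC_BITS = re.compile(r"(?:AES|ARIA|CAMELLIA)_(\d+)")
SSH_KEY_FRAGMENTS = {"rsa": "RSA", "dss": "DSA", "ecdsa": "ECDSA", "ed25519": "ED25519", "ed448": "ED448"}


def _symmetric_bits(cipher: str):
    m = SYMMETRIC_BITS.search(cipher)
    if m:
        return int(m.group(1))
    if "3DES" in cipher:
        return 112          # effective strength of three-key Triple DES
    if "CHACHA20" in cipher:
        return 256
    return None


def _verdict(pk_tokens, sym_bits=None, kx_in_name=True) -> dict:
    tokens = {t.upper() for t in pk_tokens}
    vulnerable = sorted(tokens & QUANTUM_VULNERABLE_PK)
    safe = sorted(t for t in tokens if t.startswith(QUANTUM_SAFE_PK))
    unknown = sorted(tokens - set(vulnerable) - set(safe))
    reasons = []
    if vulnerable:
        reasons.append("quantum-vulnerable public key: " + ", ".join(vulnerable))
    if unknown:
        reasons.append("unclassified algorithm token: " + ", ".join(unknown))
    if not kx_in_name:
        reasons.append("key exchange negotiated outside the suite name; check the supported groups")
    if sym_bits is not None and sym_bits < 256:
        reasons.append(f"{sym_bits}-bit symmetric key; Grover's algorithm halves the effective strength")
    verdict = "MIGRATE" if vulnerable else ("REVIEW" if reasons else "READY")
    return {"verdict": verdict, "vulnerable": vulnerable, "quantum_safe": safe, "reasons": reasons}


def classify_tls_suite(suite: str) -> dict:
    m = TLS12_SUITE.match(suite)
    if m:
        return _verdict(m.group("kxauth").split("_"), _symmetric_bits(m.group("cipher")))
    m = TLS13_SUITE.match(suite)
    if m:
        return _verdict([], _symmetric_bits(m.group("cipher")), kx_in_name=False)
    raise ValueError(f"unrecognised cipher suite name: {suite}")


def classify_ssh_key_type(key_type: str) -> dict:
    """e.g. ssh-rsa, rsa-sha2-512, ecdsa-sha2-nistp256, sk-ssh-ed25519@openssh.com"""
    lowered = key_type.lower()
    names = [name for frag, name in SSH_KEY_FRAGMENTS.items() if frag in lowered]
    if not names:
        raise ValueError(f"unrecognised SSH key type: {key_type}")
    return _verdict(names)


def classify_named_algorithm(name: str) -> dict:
    """For items recorded as a bare algorithm name, e.g. ML-KEM-768 or RSA."""
    return _verdict([name])


CLASSIFIERS = {"tls": classify_tls_suite, "ssh": classify_ssh_key_type, "pk": classify_named_algorithm}

# Constructed sample inventory: (system, record kind, observed algorithm)
SAMPLE_INVENTORY = [
    ("web-portal", "tls", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("web-portal", "tls", "TLS_AES_256_GCM_SHA384"),
    ("legacy-erp", "tls", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("bastion", "ssh", "ssh-rsa"),
    ("bastion", "ssh", "ssh-ed25519"),
    ("pilot-vpn", "pk", "ML-KEM-768"),
]


def triage(inventory):
    """Classify every record and count verdicts; the MIGRATE items form the PQC backlog."""
    findings = [{"system": s, "item": v, **CLASSIFIERS[k](v)} for s, k, v in inventory]
    return findings, Counter(f["verdict"] for f in findings)


if __name__ == "__main__":
    findings, summary = triage(SAMPLE_INVENTORY)
    for f in findings:
        print(f"{f['verdict']:8} {f['system']:12} {f['item']}  {'; '.join(f['reasons'])}")
    print(dict(summary))
```

On the constructed inventory this yields four MIGRATE items (every RSA, ECDHE and Ed25519 use, since all rest on factoring or discrete logarithms), one REVIEW (the TLS 1.3 suite, whose key-exchange group has to be checked outside the suite name) and one READY (the ML-KEM pilot). The point for an assessor is that the verdict depends on the public-key component, not on the symmetric cipher: a suite with AES-256 is still a migration item if its key exchange is ECDHE.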

This type of assessment is new and the SOPs need to be developed. FDPPI is trying to put together an SIG to create such SOPs. Interested members can get in touch with the undersigned.

Naavi

In India it would have been preferable if there had been a similar “DPDPA Preparedness Act”. Instead, the DPDPA Rules themselves may substitute for this requirement and set timelines for the setting up of the DPB and for it to roll out certain provisions.

Certain agencies such as SEBI and IRDAI have already issued their own sectoral guidelines for the organizations in their sectors to incorporate DPDPA Compliance. Further, when the rules are released, the organizations that aspire to apply for registration as “Consent Manager” will need to prepare their platforms to comply with the rules.
