Based on some of the comments received to my article on Data Trust Scoring System yesterday, I am providing the following clarifications:
It is a Framework
The concept named “Naavi’s 5×5 Data Trust Score”© System is a new concept introduced to meet the suggested requirements under the Personal Data Protection Act 2018. It is a framework under assessments can be converted into a “Score”.
Assessments will however be done by individual auditors and the detailed criteria for assigning the ratings for each of the domains would be left to the auditor based on their understanding of PDPA 2018.
In the past (March 2009), Naavi had proposed a similar measurable criteria for assessing ITA 2008 compliance under the Indian Information Security Framework (IISF-309) Under this framework, Ujvala Consultants Pvt Ltd had published detailed assessment guideline used for its audits.
The framework started as a 21 point system in 2009 and has now evolved into a 30 point framework represented below .
Just as the framework itself evolved from a 21 point system in 2009 to a 30 point system the detailed guidelines used within these different headings have also gone through some changes. Additionally, the Theory of Information Security Motivation and the Total Information Assurance Concept supplemented the framework.
Similarly, the DTS system as proposed is also expected to undergo a change as we go along. A decision to publish the detailed assessment criteria therefore may be taken after the concept attains some maturity in the testing ground of Naavi.
Probably the framework will also assist the Data Protection Authority of India when it comes up with its own thoughts on this matter.
The DTS scoring is an end result of an audit which includes evaluation of Technical controls based on a Risk assessment, Policies and Procedures that meet the legal interpretations in PDPA 2018 as well as an assessment of the behavioural state of the manpower involved.
Hence the system cannot eliminate subjectivity based on the experience and understanding of the Auditor.
However, if the interpretations are from the same school of thought, the differences in DTS score between different auditors could tend to a small range of uncertainty.
The current article presents a framework and there could be an adaptation based on assignment of different weightages to different domains used by different auditors including Ujvala Consultants Pvt Ltd.
Within the five domains, there could be several sub domain definitions to narrow down the evaluation criteria.
Naavi.org may publish its recommended weightage criteria from time to time based on its assessment of the market environment. At this point of time when PDPA 2018 is still a draft, it is reasonable that the weightage is kept simple and equal. Hence all the 5 domains have been given an equal weightage of 20% each. The auditor may assign values between 0-100 in each of the five domains and fit it into the grade between E to A and also present a consolidated DTS for an organization at a given point of time.
Hygiene Factor Treatment
While discussing motivational theories, we discuss what is known as a “Hygiene Factor” which Professor Herzeberg introduced. Under this concept certain aspects if present has zero value as a motivator but if not present, would have a value as a de-motivator.
I have tried to suggest that this concept may be adopted into the assignment of either the wieghtage itself or to the assignment of values under each domain.
What this means is that the weightage or value assigned may drop suddenly to zero at a threshold point. Values may be assigned on a continuous basis only above this threshold value.
Factors such as Commitment and Knowledge were referred to as “Hygiene” factors in my article yesterday. A similar approach could be extended to other domains as well. If adopted, the threshold level represents the values below which the auditor would not to even assign any score. These are the flexibilities that need to be considered as the system evolves over time.
Level II Score
The Level II criteria which indicates the trend over a minimum three year period will have a notation as an extention of DTS such as “DTS 55+” or “DTS 55-“ indicating whether it is improving or declining and may show even an acceleration factor by representing the score as“DTS55++” or “DTS 55–“. It can also be “DTS55+- or DTS55-+”. (Here 55 is the weighted score of an organization based on the approved weightages).
The Level II scoring is a thing of the future since it requires a minimum three year span to decide
The Data Trust Score or DTS system proposed here is a concept which can be developed in due course with the assistance of other professionals who find the concept useful.
Probably some students or academically oriented practitioners may test the concept in specific corporate environments to make the concepts clearer.
[P.S: We are in an academic debate on this concept and views from the readers will be very valuable]