RIGELTECH Corporation

IT’s CRUNCH TIME for RA10173 - (Data Privacy Act 2012 PH)

(Originally Appearing in the MANILA TIMES - http://bit.ly/2GwWk3j)

The 28th of January is International Data Privacy Day. It was created to increase awareness and promote privacy and data protection best practices.

In the Philippines, with regards to our own journey to Data Privacy, we are in to the last two months for complying with the Data Privacy Act (RA 10173). originally set on September 2017, it has been extended to March 8, 2018 for the Phase II of compliance and March 31, for submitting the Annual Incident Report.

If this were a basketball game, we are down to the ‘last two minutes’ and from the looks of it, “Non-Compliance” has a big lead. In this waning moments of the game, less of the strategy and more one-on-one plays ensue. Some folks are asking me What Now? Since a whole lot of them is still in the midst of gathering information to create the required documentation, should they change priorities and act on the most important requirements first? If Yes, which ones?

Okay but First, a Disclaimer. The suggestions here are of my own and are not endorsed by any organization or government agency, it might not even be a best practice! So, read on and please apply with discretion.

Say somebody needs urgent medical attention and the hospital is quite some ways off, you call Emergency Services and they perform an initial diagnosis and apply first aid while taking the patient to the hospital for treatment.

Well, that’s where we are now – we need to perform some Data Privacy stop-gap Measures and continue the paper works after. That way we have some semblance of protection to lessen the threats against breaches or leakage of personal information.

First and foremost – start on the measures that will guarantee the RIGHTS of the DATA OWNER by providing a FACILITY for them to be able to be Informed, Object, Access, Rectify, Erase or Block, Request for a copy (In any format) of their personal Information. How? You start off with publishing the Contact Information of the Individual or group who is in charge of all Data Privacy Concerns of the Organization. It’s simple as putting it in the website or email signatures. That way they can file all their request for Access, Rectification, Erasure/Blocking, and Copies using the normal communication channels. Bonus if you can have a page on your website with a form that they can fill up. Extra points if there is an additional facility to allow them to follow up or check the status of their request. For Information – Email or Snail mail will suffice. Important! Don’t forget to put up your PRIVACY NOTICE either in your website or in any and all of the forms that requests for Personal Information. You can put the contact info there as well.

If you noticed, Rights to damages and to complain are not in there as this should be directed to the National Privacy Commission.

Second – Provide and enforce appropriate security measures for each stage of the Personal Data Lifecycle. Note that security measures can also be both in the form of Physical and Electronic Security. If you have Personal Data in Paper Documents, a strong and secured Storage Facility (Safe, Metal cabinet with lock and key) plus a proper accounting and logging process will do. Lock ‘em up and sign the logbook =). Bonus points – Close Circuit TV (CCTV) monitoring. This applies to both the storage and use of physical documents. Create and maintain an approval process of using, sharing, and storing personal information. Manual forms can be used and in the absence of any application or tools, email is a good temporary way of requesting, approving and storing requests.

For securing Personal Data which is in Electronic form (i.e. Word Processing Files and spreadsheets), there is a vast selection of Free and Open Source Software (FOSS) that can be downloaded and used to provide Strong Encryption to such files. Encryption is key and the best protection against theft of computers or laptop with Personal Data. They might be able to get their hands on them, but with strong encryption applied to these – the data will be useless. By the way, do not rely on the built-in encryption of word processing and spreadsheet applications. They are weak and can easily be cracked. As much as practically possible – Encrypt the entire hard drive or the partition where the personal data is stored.

For Destruction of Data which are not needed anymore, burn or shred physical documents and just like in encryption, a myriad of free and open source software is available to overwrite data in hard disks using military grade methods to render it unreadable.

You would also need to document all these actions and security measures in your PRIVACY NOTICE along with the DECLARATION that your organization adheres to the guiding principles of transparency, legitimate, purpose, and proportionality as well as to the principles of collection, processing, retention, data sharing, and processing. It will also be extremely helpful to communicate this internally within the organization via Policy or Inter-Office Memo from the duly designated Data Privacy Officer or DPO.

(Originally Appearing in the Manila Times 06SEP2017 - https://goo.gl/Z51obD)

INFORMATION on how to protect yourself from the ruthless cybercriminals and hackers in the cyber world is abundant. How-tos, podcasts, eBooks, audio and video tutorials are everywhere. There is so much information readily available today than at any point in man’s history, all part of the myriad benefits brought forth by the magical Internet. We have enough people and materials telling us what to do so as not to be a victim and yet we still fall short either because of ignorance, stupidity, or sometimes just plain bad luck. Whatever the reason, an alternate but surefire and effective way to develop awareness is to learn both from your own mistakes and the mistakes of others. In this edition, I will be sharing some of the security fails I have come across in my life as an information security professional.As one security professional narrated, “I have walked over a land mine, and this is how I lost my legs”. Nothing like real-life experiences to teach you not to be secured.

Not changing default passwords. 

From high-end network and computing gear to your WiFi router at home, there is always a ‘starter’ password. I have gotten into many wireless routers and consequently free WiFi because people are either too lazy or don’t know how to go about it. To give you an idea and for educational purposes, the default WiFi password of one of our well-known local internet service provider goes about this format: ABCDWIFI12345 (internet provider name +”WIFI”+ the last five digits of your router’s MAC address) – this information and even the default administrator account and password is available via good old Google search. BTW, almost all of the well-known router brands default passwords are there as well.

Ignoring Common Sense. 

In the late 2016 survey by conducted by Freidrick-Alexander University, they found that 76 percent of their respondents claim to be aware of the risks of unknown links and yet still clicked anyway. If it’s too good to be true, then it is probably not. Receiving prizes from contests that you didn’t join, packages or goods that you never ordered, friend of a friend of a friend – these are all warning signs that you shouldn’t ignore. If in doubt, DO NOT. It takes a small amount of effort to verify an email or a service especially today when we have all these advanced communication methods at our fingertips.

Not Updating (Patching). 

Software is made by programmers, i.e. humans and hence by that very nature, prone to mistakes. In this case, programming bugs which, if implications in security occur, becomes a vulnerability. Updating or patching is the method to which corrections can be applied and hence new versions are produced. Unless there is a significant impact on the operation of the application, updating or patching should be mandatory. Un-patched or dated software is the single most frequent and very important reason why hacks and intrusions occur. It should be on the very top of every security mitigation list.

Giving administrator accounts. Software or programs inherit the rights and access level of the user who runs them. If the user has administrative level access, then the program executes with the same level of security. Certain applications legitimately need administrative levels to run and perform their intended action but what if a malicious software (Malware) manages to use the administrative account? You now have a rogue application roaming around with super user privileges. The possibility of compromise becomes wider in scale and deeper in implications.

Disabling logging.Yes, it can eat up storage space and it is much easier to turn off and forget all about it rather than allocate time and effort to maintain it. Besides, with that amount of information, who has the patience to review and go over it? That’s typically what some IT people would say, but make no mistake about it, logs are your best friend where everything else fails. This is the only source of data that can help you shed light on security incidents, who accessed what when, as well as records of device events and incidents. Unless you are continually capturing the packetsof traffic going in and out of your network (which are a hundred times more voluminous and harder to decode), logs are your best source of ‘after the fact’ data for forensic analysis and evidence.

Bragging about your security system.This is a classic mistake usually attributed to individuals or security engineers that have too much ‘air up there’. For whatever purpose, it maybe, whether to assure management or clients, please never ever brag about how secure your systems are, and how much high-tech expensive security hardware and software you have, especially in public or in the press. Hackers would take that head on with a “challenge accepted” thought balloon over their heads. To them, it is an explicit and open invitation short of putting a ‘Hack Me’ sign on your forehead.