RISK & GDPR

Risk Management 

DISCLAIMER:

  • This document contains unedited notes and has not been formally proofread.
  • The information provided in this document is intended to provide a basic understanding of certain technologies.
  • Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
  • Some websites and software may be flagged as malware by antivirus programs.
  • The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
  • The document is not a substitute for professional advice or expert analysis and should not be used as such.
  • The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
  • The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
  • The author disclaims any liability for any damages or losses that may result from the use of this document or the information contained therein.
  • The author reserves the right to update or change the information contained in this document at any time without prior notice.
  • Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
  • It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
  • Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
  • It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
  • It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
  • It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.

References

  • ISO standards
  • Transcript from YouTube derived using Fabric: https://www.gouti1454.com/p/llama-ai.html#yttranscript389m
  • GDPR Act: https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
  • Open-source data broker removal tool:
    • Link to the tool: https://remover.visiblelabs.org/
    • Link to the code: https://github.com/visible-cx/databroker_remover
***********************************************************

Risk

means foreseeing the outcomes and trying to identify the possible failures or roadblocks that could prevent the desired result, action or outcome.

Best Example:

  • When you plan to reach a destination by car, what risks do you foresee?
  • Traffic jams, breakdowns, road closures.
  • Mitigation measures (preventive measures against a breakdown): fill up the fuel tank, check the tyre pressure, check the engine oil.
  • Contingency measures: breakdown service cover, contact numbers.

Risk, Threat and Vulnerability

Vulnerability 
  • It is a weakness or flaw in a system, application, or network.
Threat 
  • It is anything that could potentially exploit a vulnerability and cause harm.
Risk 
  • The possibility of something negative happening. It's the chance of harm, loss, or damage occurring.
E.g.

  • Vulnerability: Leaving your front door unlocked.
  • Threat: A burglar walking through your neighborhood.
  • Risk: The chance the burglar notices your unlocked door and enters your house.

Managing Org Risk: 

Risk = Threats * Vulnerabilities 

Zero-Day Attack

  • Vulnerability found in the wild: both the public and the vendor are unaware of it.
  • After some time the vendor becomes aware: the public is still unaware.
  • The vendor releases patches: the public is now aware as well.

E.g.
  • A zero-day exploit is like someone finding a hidden backdoor into a house that even the owner didn’t know existed—until a break-in happens.

Risk Management Cycle: 

  • Appraising risks - Risk Identification (Infosec Risk Assessment),
  • Addressing identified risks (Infosec Risk Treatment), and
  • Keeping those risks under constant observation (Risk Tracking).

RISK REGISTER

Identifying all the possible scenarios that might turn into a problem, and identifying mitigation plans for them.
  • The risk register is a live, current database of recognised risks.
  • The database is categorised under the following headings: organizational; people; physical (access control, asset management, BYOD); and technological (restricted access privileges, controlled zones).

TABLE 1: RISK REGISTER : SAMPLE



Information on the risk life cycle, including risk ownership (Avoidance, Acceptance, Transfer) and Risk Treatment (reducing or minimizing the impact of the risk), is contained in the Risk Treatment Plan, which is a component of the Risk Register.

Risk Score

The risk score is based on the probability and impact of the event if it occurs; the rationale is based on previously known incidents and experience.

TABLE 2 : RISK SCORE

PROBABILITY       |                 IMPACT
                  |  10%     30%     50%     70%     90%
< 30%             |  LOW     LOW     LOW     MEDIUM  MEDIUM
>= 30% : < 50%    |  LOW     MEDIUM  MEDIUM  HIGH    HIGH
>= 50% : < 70%    |  LOW     MEDIUM  HIGH    HIGH    HIGH
>= 70% : < 90%    |  MEDIUM  HIGH    HIGH    HIGH    HIGH
>= 90%            |  MEDIUM  HIGH    HIGH    HIGH    HIGH


The table below provides example risks.

TABLE 3: RISK REGISTER

Columns: Risk | Risk description | Probability score | Severity / impact | Mitigation

Risk: Documentation file loss / corruption
  • Description: Project Word documents lost or unable to be recovered
  • Probability score: 10%
  • Severity / impact: High
  • Mitigation: NTU OneDrive backup is used

Risk: Virtual machine configuration
  • Description: The VM can be corrupted while the test attacks are in progress
  • Probability score: 30%
  • Severity / impact: Medium
  • Mitigation: The VM will be reconfigured

Risk: Restricted network access
  • Description: NTU restricts network access
  • Probability score: 50%
  • Severity / impact: Medium
  • Mitigation: Alternative connectivity will be used, such as a mobile hotspot

Risk: Malware infection
  • Description: Taking a live malware / ransomware sample for simulation in virtual machines could infect the host machine and the connected network
  • Probability score: 90%
  • Severity / impact: High
  • Mitigation: Simulation carried out in a sandbox / isolated network
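As an added example (not from the original notes), the Table 2 matrix encoded as a lookup with its probability bands and applied to the Table 3 sample register. The mapping of the register's Low/Medium/High severity words onto impact columns and the rounding of in-between impact values are assumptions.

```python
"""Risk scoring per the probability/impact matrix in Table 2, applied to the
sample register in Table 3. Added example; the band thresholds are the page's,
the severity-to-impact mapping and the rounding rule are assumptions."""
from dataclasses import dataclass

# Impact column headers from Table 2 (percent).
IMPACT_COLUMNS = (10, 30, 50, 70, 90)

# Probability bands from Table 2: (inclusive lower bound, scores per column).
PROBABILITY_BANDS = (
    (0, ("LOW", "LOW", "LOW", "MEDIUM", "MEDIUM")),      # < 30%
    (30, ("LOW", "MEDIUM", "MEDIUM", "HIGH", "HIGH")),   # >= 30% : < 50%
    (50, ("LOW", "MEDIUM", "HIGH", "HIGH", "HIGH")),     # >= 50% : < 70%
    (70, ("MEDIUM", "HIGH", "HIGH", "HIGH", "HIGH")),    # >= 70% : < 90%
    (90, ("MEDIUM", "HIGH", "HIGH", "HIGH", "HIGH")),    # >= 90%
)

SCORE_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def risk_score(probability_pct: float, impact_pct: float) -> str:
    """Return LOW, MEDIUM or HIGH for a probability and an impact, both in percent."""
    if not (0 <= probability_pct <= 100 and 0 <= impact_pct <= 100):
        raise ValueError("probability and impact must be percentages in 0..100")
    row = PROBABILITY_BANDS[0][1]
    for lower, scores in PROBABILITY_BANDS:   # bands ascend; keep the last match
        if probability_pct >= lower:
            row = scores
    # Assumption: an impact between two column headers rounds up to the next
    # column, i.e. the more conservative score.
    col = next((i for i, c in enumerate(IMPACT_COLUMNS) if impact_pct <= c), 4)
    return row[col]


@dataclass(frozen=True)
class RegisterEntry:
    risk: str
    probability_pct: float
    severity: str          # Low / Medium / High, as written in Table 3
    mitigation: str


# Assumption: Table 3 records severity words rather than impact percentages;
# map them onto the matrix columns (Low -> 10%, Medium -> 50%, High -> 90%).
SEVERITY_TO_IMPACT = {"Low": 10, "Medium": 50, "High": 90}

# The four rows of Table 3 (constructed from the page's sample register).
SAMPLE_REGISTER = (
    RegisterEntry("Documentation file loss/corruption", 10, "High", "NTU OneDrive backup"),
    RegisterEntry("Virtual machine configuration", 30, "Medium", "Reconfigure the VM"),
    RegisterEntry("Restricted network access", 50, "Medium", "Mobile hotspot"),
    RegisterEntry("Malware infection", 90, "High", "Sandbox / isolated network"),
)


def score_register(register) -> list:
    """Score each entry and return (risk, score) pairs, highest score first."""
    scored = [(e.risk, risk_score(e.probability_pct, SEVERITY_TO_IMPACT[e.severity]))
              for e in register]
    return sorted(scored, key=lambda pair: SCORE_RANK[pair[1]], reverse=True)


if __name__ == "__main__":
    for risk, score in score_register(SAMPLE_REGISTER):
        print(f"{score:<6} {risk}")
```

Note that under this mapping the 50% / Medium "Restricted network access" row scores HIGH, one step above the High-severity documentation risk at 10% probability, which is exactly the kind of check the matrix is meant to make visible.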

Risk Treatment


Based on the risk score, the risk treatment plan can be applied as follows (with examples):
  • Avoidance: eliminating the risk altogether by changing the activity or process that creates it.
    • Risk: Employees using personal devices for work, increasing the risk of data breaches and malware infections.
    • Avoidance: Implementing a strict BYOD (Bring Your Own Device) policy that prohibits personal device use for work activities. This eliminates the risk at its source.
  • Transfer: sharing the risk with another party, such as through insurance or outsourcing.
    • Risk: Cyberattacks causing financial losses due to data breaches or ransomware.
    • Transfer: Purchasing cyber insurance to offset potential financial damages. This shifts the risk burden to the insurance provider.
  • Mitigation: reducing the likelihood or impact of the risk through controls, safeguards, or procedures.
    • Risk: Weak passwords easily compromised by hackers.
    • Mitigation: Implementing a strong password policy enforcing complexity requirements, regular changes, and two-factor authentication. This reduces the likelihood of password-related breaches.
  • Acceptance: deciding to live with the risk, considering its low probability or acceptable consequences.
    • Risk: Occasional power outages disrupting operations.
    • Acceptance: Determining that the cost of backup power systems outweighs the potential losses from brief outages. The organization accepts the risk and focuses on resilience measures like uninterruptible power supplies for critical systems.
**************************************************

GDPR

How to collect, manage and process personal data


GDPR key concepts

  • Lawful processing
  • Data subject rights
  • Data controllers Vs Data processors
  • Privacy by design

DPO - Data protection Officer 

GDPR requires parental consent before collecting the data of children younger than 16 (13 in some countries).

Companies have a limited time to respond to a data breach: 72 hours to communicate the breach to the EU (supervisory authority).


Questions to ask before collecting personal data:

  • Do I need all of the data I am collecting here?
  • Could I do this work without using personal data at all?
  • Am I using the data in a way a user may not expect?
  • Do I have a plan to delete this data once I no longer need it?


DPIA -Data Protection Impact Assessment 


DSRs - Data Subject Rights (6 GDPR DSRs):


  • Right to be forgotten
  • Right of access
  • Right to data portability
  • Right to restriction of processing
  • Right to rectify
  • Right to object

Lawful bases for processing (methods to prove lawfulness of processing):


  • Contractual Necessity
  • Consent
  • Legitimate interest

GDPR Controllers and Processors

Controllers are at risk of incurring high fines if they do not meet the obligations set out in the GDPR.


**********************************************************************************


The Role of GDPR in Protecting Personal Data: a case of non-compliance with GDPR standards

This YouTube video (linked below) highlights how GDPR helps protect personal data by enabling users to request its deletion. The video examines the concerning practice of third parties purchasing personal data from data brokers and reselling it to businesses, often without the user's knowledge or consent. This example underscores the misuse of personal data and non-compliance with GDPR standards.


Using Open-Source Tools to Request Data Deletion

If you're concerned about your data privacy, an open-source tool exists that lets you request data deletion from data brokers. You can access the tool: https://remover.visiblelabs.org/

In the UK and EU, users have the right to make a "Data Deletion Request" under the UK Data Protection Act.

Data deletion request form

For example, to request data deletion from Sagacity Solutions, use this link [https://www.mydatachoices.co.uk/Suppress] or contact them by email at dpo@sagacitysolutions.co.uk.


Transcript from YouTube derived using Fabric:

Reference:

yt --transcript https://youtu.be/Ryv_rT41Jks?si=kM4FnrxBvm5HMt4X | fabric -sp clean_text


Transcript summary:

This Could Be the Most Deceptive and Possibly Unlawful Strategy I've Ever Seen from TV Licensing


I believe that by the end of this video, I'll have provided you with a discount on a service that can help protect you from similar situations. This video is in partnership with Incog, which I'll explain later. I was contacted by one of my viewers who had a dispute with TV Licensing, a trademark of the BBC. The BBC contracts out most of its services to enforce TV licensing to a company that operates under the brand of TV Licensing.


My viewer submitted a subject access request, but the letter I'll be discussing is not a response to that request. Instead, it's a response to a complaint following the letters received. Before diving into the letter, I'd like to ask that if you enjoy my objective, neutral, and sometimes brutal breakdowns of letters, stories, politics, law, and news, please consider liking the video, subscribing to my channel, and ringing the notification bell.


Now, let's examine the letter and where it all started. The issue began when my viewer received a letter from TV Licensing, claiming that they had been watching BBC iPlayer without a license. My viewer responded by stating that they hadn't been watching iPlayer and that they consume zero BBC content. They also mentioned that they have all BBC accounts blocked on social media and watch media on Disney+, YouTube, and Amazon Prime.


It's essential to clarify that a TV license is not dependent on BBC content alone. If you watch or record any live TV or consume BBC content through BBC iPlayer, you need a TV license. However, in this case, it makes no material difference to the letter.


My viewer asked how the mistake was made and requested a sincere apology for the unnecessary stress and anxiety caused. The BBC responded by explaining that they had used data provided by a third-party company, Sega City Solutions, to increase the effectiveness of their approach. This data included email addresses linked to no-license-needed postal addresses.


The BBC compared this data with their list of no-license-needed addresses and sent letters to those addresses if the email address had been used to access BBC iPlayer. However, there's a disconnect here, as the BBC is sending letters to addresses because the email address has been used to access iPlayer, without considering that people may have moved house and still use the same email address.


The letter from the BBC explains that Sega City Solutions has contracts with third parties that provide personal data about those third-party customers. This data is then shared with the BBC, which uses it to send letters threatening prosecution if a TV license is not purchased.


The problem here is that Sega City is one of many third-party companies that hold data and information on you, and they sell or provide access to it. The BBC has confirmed that Sega City has contracts with further third parties, which provide personal data about those third-party customers.


My partner for this video is Incog, a service that helps protect your privacy, identity, and security by contacting data broker marketing companies that gather your information and requiring them to remove your data from their servers in accordance with GDPR.


The BBC has used data provided by Sega City Solutions to threaten my viewer with prosecution, but I believe this approach may be potentially unlawful. The data processing in this case may be incompatible with the original purposes for which it was gathered.


The BBC has confirmed that the email address provided by Sega City Solutions could belong to someone no longer associated with the address, but they still used this data to send a letter to my viewer. This approach has led to people deciding to buy a TV license, either because they genuinely need one or because they fear prosecution.


I think there's a serious problem here with GDPR and the way in which the data has been processed. The data was gathered for one purpose but was then used for another, potentially incompatible purpose.


If you want to avoid being targeted by these third-party companies and protect your data, I recommend checking out Incog. They will contact these companies and require them to remove your data from their servers.


In conclusion, I believe that the BBC's strategy of using data from third-party companies to threaten prosecution is potentially unlawful and may be in breach of GDPR. I recommend being cautious when sharing your data and using services like Incog to protect your privacy and security.

***********************
Framework Toolkit

Modern IT Risk Management: QMS & ISMS Integration

A unified approach to identifying, analyzing, and controlling risks across Quality Management Systems (QMS) and Information Security Management Systems (ISMS) in cloud-native and modern architectures.

Risk involves the possibility of suffering harm or loss—chances of uncertain occurrences that will adversely affect project objectives. Risk management includes the processes concerned with identifying, analyzing, and responding to risk factors throughout the life of the project. For modern IT environments, achieving success means effectively balancing quality parameters (QMS) with rigorous security standards (ISMS).

🛡️ 1. Risk Management Strategy

The risk management strategy addresses the specific actions and management approach used to apply and control the risk management program. This strategy must be guided by a common vision of success that describes the desired future project outcomes in terms of the product that is delivered, its cost, and its fitness for the task.

Core Strategic Components

  • Methods and tools to be used for risk identification, analysis, mitigation, monitoring, and communication.
  • Parameters, including likelihood, consequence, and thresholds, for taking action on identified risks.
  • Definition of risk measures to monitor the status of the risks.
  • Time intervals for risk monitoring or reassessment.

🔍 2. Modern Risk Identification & Taxonomy

Before risks can be managed, they must be identified. Identification surfaces risks before they become problems. It is important to identify all risks that are obvious to both managers and practitioners.

Taxonomy for QMS & ISMS

Risks can be broadly classified into risks pertaining to Technology, Hardware, Software, People, Schedule/SLA, and Cost. In a modern IT scope, these manifest across three crucial pillars:

1. ISMS (Security) Risks
  • Zero-day vulnerabilities and cloud infrastructure misconfigurations.
  • Data breaches affecting confidentiality and integrity.
  • Inadequate access controls and identity management failures.
2. QMS (Quality) Risks
  • Process Risks that could result in non-fulfillment of quality objectives.
  • Inadequate automated testing coverage breaking CI/CD pipelines.
  • High defect leakage to production environments.
3. Operational & People Risks
  • Do the people have the right combination of skills?
  • Have staff members received necessary training?
  • Will turnover among staff members be low enough to allow continuity?

📊 3. Risk Analysis and Prioritization

Analysis is the conversion of risk data into risk decision-making information. The purpose of this step is to analyze the probability of the identified risks occurring and their impact on the project.

Calculating Normalized Impact

“Risk impact” describes the effect on a project, product, or service when risk is realized. The normalized impact is evaluated from the impact on schedule, effort, and technical aspects using the following expression:

Normalized impact = Average of (Impact on cost, Impact on schedule or service level, Impact on scope, Impact on quality or availability)

The higher the impact and probability of occurrence, the higher the risk priority and the need for action. Priorities are categorized as:

  • Extreme: This risk requires immediate attention, and both contingency planning and mitigation planning must be implemented.
  • High: Preventive solutions must be searched for and evaluated.
  • Medium: Additional QA steps must be planned. If the risk is realized, related risk management techniques must be implemented.
  • Low: The risk must be monitored.

🛠️ 4. Risk Response & Cost-Benefit Strategies

Planning involves developing actions to address individual risks, prioritizing risk actions, and creating an integrated risk management plan. The plan for a specific risk can take many forms:

Strategy, definition and execution:
  • Avoidance: Avoid a risk by changing the product design or the development process. Reducing scope to avoid high-risk activities, adding resources or time, or adopting a familiar approach instead of an innovative one are examples of risk avoidance.
  • Transference: Transference of risk implies that the responsibility is delegated to a source external to the project. Insurance policies and outsourced/contracted services are typical examples.
  • Mitigation: Reducing the risk probability, impact, or both to yield an acceptable risk severity. Mitigate the impact by developing a specific plan (along with an identified triggering event) should the risk occur.
  • Acceptance: Accept the risk and take no further action, thus accepting the consequences if the risk occurs. Passive acceptance suggests that the fallout will be dealt with at the time of occurrence.

The Cost-Benefit Analysis

For every risk for which a mitigation plan is identified, the project manager shall conduct a cost-benefit analysis. This helps determine whether the investment in the mitigation plan outweighs the potential loss.

Cost-Benefit-Ratio = Cost of the risk (if encountered and not mitigated) / Cost of the mitigation plan

If the ratio is more than 1.0, the benefit derived from the investment in the mitigation plan generally outweighs the loss that would be incurred otherwise.

📡 5. Residual Risks & Continuous Monitoring

Contingency Planning & Secondary Risks

Residual Risks are those that remain after avoidance, transfer, or mitigation responses have been taken. Contingency plans must be developed for these. Additionally, risks that arise as a direct result of implementing a risk response must be logged and tracked as secondary risks.

Risk Thresholds & Escalation

To prioritize management efforts, define "escalation thresholds" to identify risks requiring priority follow-up or escalation to senior management. The escalation threshold is the "risk index" value beyond which immediate visibility is mandatory. Be cautious: setting the threshold too low causes false alarms, while setting it too high hides critical issues.

Overall Portfolio RAG Status

Projects are classified into Red, Amber, or Green zones based on current risk profiles. If a project has even one "Extreme" risk actively occurring, it falls into the Red zone. Red and Amber projects mandate immediate escalation during Senior Management and Delivery Unit reviews.
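An added example (not from the page or the standards it references) that carries the formulas of sections 3 to 5 through in code: the normalized impact average, the cost-benefit ratio test against 1.0, an escalation threshold on a risk index, and the Red/Amber/Green rule. The risk-index formula, the priority cut-offs, the Amber rule and the sample portfolio are assumptions.

```python
"""Risk analysis helpers for sections 3 to 5: normalized impact and cost-benefit
ratio (page formulas), an escalation threshold on a risk index and portfolio RAG
status. Added example; index formula, cut-offs and figures are assumptions."""
from dataclasses import dataclass
from statistics import mean

@dataclass
class Risk:
    name: str
    probability: float             # 0.0 .. 1.0
    impact_cost: float             # each impact dimension scored 0.0 .. 1.0
    impact_schedule: float         # schedule or service level
    impact_scope: float
    impact_quality: float          # quality or availability
    cost_if_realized: float = 0.0  # loss if encountered and not mitigated
    mitigation_cost: float = 0.0   # cost of the mitigation plan
    occurring: bool = False        # the risk is actively occurring right now

    def normalized_impact(self) -> float:
        """Page formula: average of the four impact dimensions."""
        return mean((self.impact_cost, self.impact_schedule,
                     self.impact_scope, self.impact_quality))

    def risk_index(self) -> float:
        """Assumption: index = probability x normalized impact, range 0..1."""
        return self.probability * self.normalized_impact()

# Assumption: the page names the priority levels but gives no numeric
# boundaries, so cut-offs on the risk index are chosen here.
PRIORITY_CUTOFFS = (("Extreme", 0.6), ("High", 0.4), ("Medium", 0.2), ("Low", 0.0))

def priority(risk: Risk) -> str:
    """Map the risk index onto Extreme / High / Medium / Low."""
    idx = risk.risk_index()
    return next(label for label, lower in PRIORITY_CUTOFFS if idx >= lower)

def cost_benefit_ratio(risk: Risk) -> float:
    """Page formula: cost of the risk (unmitigated) / cost of the mitigation plan."""
    if risk.mitigation_cost <= 0:
        raise ValueError("a mitigation plan must have a positive cost")
    return risk.cost_if_realized / risk.mitigation_cost

def mitigation_worthwhile(risk: Risk) -> bool:
    """Page rule: a ratio above 1.0 means the mitigation pays for itself."""
    return cost_benefit_ratio(risk) > 1.0

def rag_status(portfolio, escalation_threshold: float = 0.4) -> str:
    """Red if any Extreme risk is actively occurring (page rule); Amber if any
    risk index exceeds the escalation threshold (assumption); otherwise Green."""
    if any(priority(r) == "Extreme" and r.occurring for r in portfolio):
        return "Red"
    if any(r.risk_index() > escalation_threshold for r in portfolio):
        return "Amber"
    return "Green"

# Constructed sample figures for illustration only.
SAMPLE_PORTFOLIO = [
    Risk("Cloud IAM misconfiguration", 0.8, 0.9, 0.8, 0.7, 1.0,
         cost_if_realized=250_000, mitigation_cost=40_000, occurring=True),
    Risk("CI test coverage gap", 0.5, 0.5, 0.5, 0.5, 0.5,
         cost_if_realized=30_000, mitigation_cost=35_000),
]
```

With these figures the IAM risk is Extreme and occurring, so the portfolio is Red, while the coverage gap has a cost-benefit ratio below 1.0 and is a candidate for acceptance rather than mitigation.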

Standard Framework References

  1. ISO 9001:2015 Quality management systems — Requirements (Section 6.1: Actions to address risks and opportunities).
  2. ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection (Section 6.1.2: Information security risk assessment).
  3. NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments.
  4. Carnegie Mellon University Software Engineering Institute (SEI) Taxonomy-Based Risk Identification.
