RISK & GDPR

Risk Management 

DISCLAIMER:

  • This document contains unedited notes and has not been formally proofread.
  • The information provided in this document is intended to provide a basic understanding of certain technologies.
  • Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
  • Some websites and software may be flagged as malware by antivirus programs.
  • The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
  • The document is not a substitute for professional advice or expert analysis and should not be used as such.
  • The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
  • The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
  • The author disclaims any liability for any damages or losses that may result from the use of this document or the information contained therein.
  • The author reserves the right to update or change the information contained in this document at any time without prior notice.
  • Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
  • It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
  • Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
  • It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
  • It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
  • It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.

References

  • ISO standards
  • Transcript from YouTube derived using Fabric: https://www.gouti1454.com/p/llama-ai.html#yttranscript389m
  • GDPR ACT: https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
  • Open-source data broker removal tool:
    • Link to the tool: https://remover.visiblelabs.org/
    • Link to the code: https://github.com/visible-cx/databroker_remover
***********************************************************

Risk

Risk means foreseeing the outcomes of an action and trying to identify the possible failures or roadblocks that could prevent the desired result, action or outcome.

Best Example:

  • When you plan to travel to a destination by car, what risks would you foresee?
  • Traffic jams, breakdowns, road closures.
  • Mitigation measures: preventive breakdown measures such as filling the fuel tank, checking tyre pressure and checking the engine oil.
  • Contingency measures: breakdown service cover, contact numbers.

Risk, Threat and Vulnerability

Vulnerability 
  • It is a weakness or flaw in a system, application, or network.
Threat 
  • It is anything that could potentially exploit a vulnerability and cause harm.
Risk 
  • The possibility of something negative happening. It's the chance of harm, loss, or damage occurring.
E.g.

  • Vulnerability: Leaving your front door unlocked.
  • Threat: A burglar walking through your neighborhood.
  • Risk: The chance the burglar notices your unlocked door and enters your house.

Managing organizational risk:

Risk = Threats * Vulnerabilities

Zero-Day Attack

Who is aware of the vulnerability at each stage:

  • Vulnerability found in the wild -> unaware: public and vendor
  • Vendor becomes aware -> unaware: public
  • Vendor releases patches -> aware: public

E.g.
  • A zero-day exploit is like someone finding a hidden backdoor into a house that even the owner didn’t know existed—until a break-in happens.

Risk Management Cycle: 

  • Appraising risks - risk identification (infosec risk assessment),
  • Addressing identified risks (infosec risk treatment), and
  • Keeping those risks under constant observation (risk tracking).

RISK REGISTER

Identifying all the possible scenarios that might become a problem and identifying mitigation plans for them.
  • The risk register is a live, current database of recognised risks.
  • The database is categorised under the following headings: organizational; people; physical (access control, asset management, BYOD); and technological (restricted access privileges, controlled zones).

TABLE 1: RISK REGISTER : SAMPLE



The Risk Treatment Plan, which is a component of the Risk Register, contains information on the risk life cycle, including:
  • Risk ownership (avoidance, acceptance, transfer), and
  • Risk treatment (reducing or minimizing the impact of the risk).

Risk Score

The risk score is based on the probability and impact of the event when it occurs; the rationale is based on previously known incidents and experience.

TABLE 2 : RISK SCORE

Rating by probability of occurrence (rows) and impact (columns):

PROBABILITY \ IMPACT  | 10%    | 30%    | 50%    | 70%    | 90%
----------------------+--------+--------+--------+--------+-------
< 30%                 | LOW    | LOW    | LOW    | MEDIUM | MEDIUM
>= 30% and < 50%      | LOW    | MEDIUM | MEDIUM | HIGH   | HIGH
>= 50% and < 70%      | LOW    | MEDIUM | HIGH   | HIGH   | HIGH
>= 70% and < 90%      | MEDIUM | HIGH   | HIGH   | HIGH   | HIGH
>= 90%                | MEDIUM | HIGH   | HIGH   | HIGH   | HIGH


The table below gives example risks.

TABLE 3: RISK REGISTER

Risk                               | Risk description                                                                                                            | Probability score | Severity / impact | Mitigation
-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------+-------------------+-------------------+---------------------------------------------------------------
Documentation file loss/corruption | Project Word documents lost or unable to be recovered                                                                       | 10%               | High              | NTU OneDrive backup is used
Virtual machine configuration      | The VM can be corrupted while attacks are being tested                                                                      | 30%               | Medium            | The VM will be reconfigured
Restricted network access          | NTU restricts network access                                                                                                | 50%               | Medium            | Alternative connectivity such as a mobile hotspot will be used
Malware infection                  | Taking live malware/ransomware samples for simulation in virtual machines could infect the host machine and the connected network | 90%         | High              | Simulation carried out in a sandbox / isolated network
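As an added worked example (not from these notes), the following Python turns the TABLE 2 scoring matrix into a function and applies it to a small risk register modelled on TABLE 3, ranking the entries for review and flagging HIGH risks that have no mitigation recorded. The register entries are constructed, their impact percentages are an assumption (the notes record severity as High/Medium rather than as a percentage), and rounding an impact that falls between two columns up to the next column is also an assumption.

```python
"""Risk scoring from the TABLE 2 matrix applied to a risk register.

Added example, not part of the original notes. Probability bands, impact
columns and ratings are taken from TABLE 2; the register entries below are
constructed and their impact percentages are an assumption.
"""
from dataclasses import dataclass

# Impact columns of TABLE 2, in percent, left to right.
IMPACT_COLUMNS = (10, 30, 50, 70, 90)

# Probability bands of TABLE 2: (inclusive lower bound, rating per impact column).
# A probability falls in the last band whose lower bound it reaches.
PROBABILITY_BANDS = (
    (0, ("LOW", "LOW", "LOW", "MEDIUM", "MEDIUM")),      # < 30%
    (30, ("LOW", "MEDIUM", "MEDIUM", "HIGH", "HIGH")),   # >= 30% and < 50%
    (50, ("LOW", "MEDIUM", "HIGH", "HIGH", "HIGH")),     # >= 50% and < 70%
    (70, ("MEDIUM", "HIGH", "HIGH", "HIGH", "HIGH")),    # >= 70% and < 90%
    (90, ("MEDIUM", "HIGH", "HIGH", "HIGH", "HIGH")),    # >= 90%
)

RATING_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def risk_rating(probability: float, impact: float) -> str:
    """Return LOW, MEDIUM or HIGH for a probability and an impact, both in percent.

    An impact between two columns is scored in the next column up (assumption:
    round up, the conservative choice), so an impact of 25% uses the 30% column.
    """
    if not (0 <= probability <= 100 and 0 <= impact <= 100):
        raise ValueError("probability and impact must be percentages in 0..100")
    ratings = PROBABILITY_BANDS[0][1]
    for lower, band in PROBABILITY_BANDS:
        if probability >= lower:
            ratings = band
    column = next((i for i, col in enumerate(IMPACT_COLUMNS) if impact <= col),
                  len(IMPACT_COLUMNS) - 1)
    return ratings[column]


@dataclass
class Risk:
    """One row of a risk register (columns as in TABLE 3)."""
    name: str
    description: str
    probability: float  # percent
    impact: float       # percent (assumption: TABLE 3 only gives High/Medium labels)
    mitigation: str

    @property
    def rating(self) -> str:
        return risk_rating(self.probability, self.impact)


def prioritise(register):
    """Order a register for review: highest rating first, then probability, then impact."""
    return sorted(register,
                  key=lambda r: (RATING_ORDER[r.rating], r.probability, r.impact),
                  reverse=True)


def unmitigated_high(register):
    """Names of HIGH-rated risks that have no mitigation recorded in the register."""
    return [r.name for r in register if r.rating == "HIGH" and not r.mitigation.strip()]


# Constructed register modelled on TABLE 3 (impact percentages are assumed).
SAMPLE_REGISTER = [
    Risk("Documentation file loss/corruption", "Project documents lost or unrecoverable",
         10, 70, "Cloud backup is used"),
    Risk("Virtual machine configuration", "VM corrupted while testing attacks",
         30, 50, "VM will be reconfigured"),
    Risk("Restricted network access", "Campus network blocks required traffic",
         50, 50, "Mobile hotspot used as alternative connectivity"),
    Risk("Malware infection", "Live sample escapes the VM to the host or network",
         90, 90, "Simulation carried out in a sandbox / isolated network"),
    Risk("Untracked risk", "Constructed entry with no mitigation recorded",
         80, 80, ""),
]

if __name__ == "__main__":
    for risk in prioritise(SAMPLE_REGISTER):
        print(f"{risk.rating:6} {risk.probability:>3.0f}% x {risk.impact:>3.0f}%  {risk.name}")
    print("HIGH risks without a mitigation:", unmitigated_high(SAMPLE_REGISTER))
```

Running the block lists the register with the malware-infection entry first and the documentation-loss entry last, and reports the constructed "Untracked risk" entry as a HIGH risk with no mitigation; the check is the kind of gap a register review should catch before the treatment plan is signed off.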

Risk Treatment


Based on the risk score, the risk treatment plan can be applied as follows, with examples:

  • Avoidance: eliminating the risk altogether by changing the activity or process that creates it.
    • Risk: Employees using personal devices for work, increasing the risk of data breaches and malware infections.
    • Avoidance: Implementing a strict BYOD (Bring Your Own Device) policy that prohibits personal device use for work activities. This eliminates the risk at its source.
  • Transfer: sharing the risk with another party, such as through insurance or outsourcing.
    • Risk: Cyberattacks causing financial losses due to data breaches or ransomware.
    • Transfer: Purchasing cyber insurance to offset potential financial damages. This shifts the risk burden to the insurance provider.
  • Mitigation: reducing the likelihood or impact of the risk through controls, safeguards, or procedures.
    • Risk: Weak passwords easily compromised by hackers.
    • Mitigation: Implementing a strong password policy enforcing complexity requirements, regular changes, and two-factor authentication. This reduces the likelihood of password-related breaches.
  • Acceptance: deciding to live with the risk, considering its low probability or acceptable consequences.
    • Risk: Occasional power outages disrupting operations.
    • Acceptance: Determining that the cost of backup power systems outweighs the potential losses from brief outages. The organization accepts the risk and focuses on resilience measures like uninterruptible power supplies for critical systems.
**************************************************

GDPR

How to collect, manage and process personal data


GDPR key concepts

  • Lawful processing
  • Data subject rights
  • Data controllers vs. data processors
  • Privacy by design

DPO - Data Protection Officer

GDPR requires parental consent before collecting the data of children under 16 (or under 13, in some countries).

Companies have 72 hours to report a data breach to the EU supervisory authority.


Questions to ask before collecting personal data:

  • Do I need all of the data I am collecting here?
  • Could I do this work without using personal data at all?
  • Am I using the data in a way a user may not expect?
  • Do I have a plan to delete this data once I no longer need it?


DPIA - Data Protection Impact Assessment


DSRs - Data Subject Rights:

The 6 GDPR DSRs:

  • Right to be forgotten
  • Right of access
  • Right to data portability
  • Right to restriction of processing
  • Right to rectify
  • Right to object

Methods to prove lawfulness of processing:

  • Contractual Necessity
  • Consent
  • Legitimate interest

GDPR Controllers and Processors

Controllers are at risk of incurring high fines if they do not meet the obligations set out in the GDPR.


**********************************************************************************


The Role of GDPR in Protecting Personal Data: an example of non-compliance with GDPR standards.

This YouTube video (linked below) highlights how GDPR regulations help protect personal data by enabling users to request its deletion. The video looks into the concerning practice where third parties purchase personal data from data brokers and resell it to businesses, often without the user's knowledge or consent. This example underscores the misuse of personal data and non-compliance with GDPR standards.


Using Open-Source Tools to Request Data Deletion

If you're concerned about your data privacy, an open-source tool exists that lets you request data deletion from data brokers. You can access the tool here: https://remover.visiblelabs.org/

In the UK and EU, users have the right to make a "Data Deletion Request" under the UK Data Protection Act.

Data Deletion Request form

For Sagacity Solutions:

For example, if you'd like to request data deletion from Sagacity Solutions, you can use this link [https://www.mydatachoices.co.uk/Suppress] or contact them via email at dpo@sagacitysolutions.co.uk.


Transcript from YouTube derived using Fabric:

Reference:

yt --transcript https://youtu.be/Ryv_rT41Jks?si=kM4FnrxBvm5HMt4X | fabric -sp clean_text


Transcript summary:

This Could Be the Most Deceptive and Possibly Unlawful Strategy I've Ever Seen from TV Licensing


I believe that by the end of this video, I'll have provided you with a discount on a service that can help protect you from similar situations. This video is in partnership with Incog, which I'll explain later. I was contacted by one of my viewers who had a dispute with TV Licensing, a trademark of the BBC. The BBC contracts out most of its services to enforce TV licensing to a company that operates under the brand of TV Licensing.


My viewer submitted a subject access request, but the letter I'll be discussing is not a response to that request. Instead, it's a response to a complaint following the letters received. Before diving into the letter, I'd like to ask that if you enjoy my objective, neutral, and sometimes brutal breakdowns of letters, stories, politics, law, and news, please consider liking the video, subscribing to my channel, and ringing the notification bell.


Now, let's examine the letter and where it all started. The issue began when my viewer received a letter from TV Licensing, claiming that they had been watching BBC iPlayer without a license. My viewer responded by stating that they hadn't been watching iPlayer and that they consume zero BBC content. They also mentioned that they have all BBC accounts blocked on social media and watch media on Disney+, YouTube, and Amazon Prime.


It's essential to clarify that a TV license is not dependent on BBC content alone. If you watch or record any live TV or consume BBC content through BBC iPlayer, you need a TV license. However, in this case, it makes no material difference to the letter.


My viewer asked how the mistake was made and requested a sincere apology for the unnecessary stress and anxiety caused. The BBC responded by explaining that they had used data provided by a third-party company, Sagacity Solutions, to increase the effectiveness of their approach. This data included email addresses linked to no-license-needed postal addresses.


The BBC compared this data with their list of no-license-needed addresses and sent letters to those addresses if the email address had been used to access BBC iPlayer. However, there's a disconnect here, as the BBC is sending letters to addresses because the email address has been used to access iPlayer, without considering that people may have moved house and still use the same email address.


The letter from the BBC explains that Sagacity Solutions has contracts with third parties that provide personal data about those third-party customers. This data is then shared with the BBC, which uses it to send letters threatening prosecution if a TV license is not purchased.


The problem here is that Sagacity is one of many third-party companies that hold data and information on you, and they sell or provide access to it. The BBC has confirmed that Sagacity has contracts with further third parties, which provide personal data about those third-party customers.


My partner for this video is Incog, a service that helps protect your privacy, identity, and security by contacting data broker marketing companies that gather your information and requiring them to remove your data from their servers in accordance with GDPR.


The BBC has used data provided by Sagacity Solutions to threaten my viewer with prosecution, but I believe this approach may be potentially unlawful. The data processing in this case may be incompatible with the original purposes for which it was gathered.


The BBC has confirmed that the email address provided by Sagacity Solutions could belong to someone no longer associated with the address, but they still used this data to send a letter to my viewer. This approach has led to people deciding to buy a TV license, either because they genuinely need one or because they fear prosecution.


I think there's a serious problem here with GDPR and the way in which the data has been processed. The data was gathered for one purpose but was then used for another, potentially incompatible purpose.


If you want to avoid being targeted by these third-party companies and protect your data, I recommend checking out Incog. They will contact these companies and require them to remove your data from their servers.


In conclusion, I believe that the BBC's strategy of using data from third-party companies to threaten prosecution is potentially unlawful and may be in breach of GDPR. I recommend being cautious when sharing your data and using services like Incog to protect your privacy and security.

***********************
