RISK & GDPR

Risk Management 

DISCLAIMER:

  • This document contains unedited notes and has not been formally proofread.
  • The information provided in this document is intended to provide a basic understanding of certain technologies.
  • Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
  • Some websites and software may be flagged as malware by antivirus programs.
  • The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
  • The document is not a substitute for professional advice or expert analysis and should not be used as such.
  • The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
  • The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
  • The author disclaim any liability for any damages or losses that may result from the use of this document or the information contained therein.
  • The author reserve the right to update or change the information contained in this document at any time without prior notice.
  • Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
  • It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
  • Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
  • It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
  • It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
  • It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.

References

  • ISO standards 
***********************************************************

Risk

means foreseeing the outcomes and trying to see what possible failures or roadblocks can happen in preventing the desired result or action or outcome.  

Best Example:

  • when you plan to reach to a destination by car, what are the risk you will foresee
  • Traffic jams, break down, road closures. 
  • Mitigation measures : preventive break down measures - fuel tank fill up, tyre air check, engine oil check. 
  • Contingency measures :  break down service cover, contact numbers. 

Risk, Threat and Vulnerability

Vulnerability 
  • It is a weakness or flaw in a system, application, or network.
Threat 
  • It is anything that could potentially exploit a vulnerability and cause harm.
Risk 
  • The possibility of something negative happening. It's the chance of harm, loss, or damage occurring.
E.g.

  • Vulnerability: Leaving your front door unlocked.
  • Threat: A burglar walking through your neighborhood.
  • Risk: The chance the burglar notices your unlocked door and enters your house.

Managing Org Risk: 

Risk = Threats * Vulnerabilities 

Zero-Day Attack

Vulnerabilities found in wild -> Unaware = Public + Vendor 

Then after the period Vendor is aware -> Unaware = Public

Vendor  released patches -> aware = Public

E.g.
  • A zero-day exploit is like someone finding a hidden backdoor into a house that even the owner didn’t know existed—until a break-in happens.

Risk Management Cycle: 

  • Appraising risks - Risk Identification (Infosec Risk assessment), 
  • Addressing identified risks (Infosec Risk Treatment), and 
  • keeping those risks under constant observation(Risk tracking). 

RISK REGISTER

Identifying all the possible scenarios that might constitute into a problem and identifying mitigation plans. 
  • The risk register is a live, current database of recognised risks. 
  • The database is categorised under the following headings: organizational; people; physical-access control, asset management, BYOD; and technological-restricted access privilege, controlled zone. 

TABLE 1: RISK REGISTER : SAMPLE



Information on the risk life cycle, 
  • Including Risk ownership (Avoidance, Acceptance, Transfer), 
  • Risk Treatment (Reducing or Minimizing the Impact of the Risk), is contained in the Risk Treatment Plan, which is a component of the Risk Register.

Risk Score

Risk score is based on the probability and impact of the event when it occurs, the rational is based on the previous know incidents and experiences. 

TABLE 2 : RISK SCORE



The below table provides on example risks. 

TABLE 3: RISK REGISTER

Risk
 Risk Description Probability Score Severity Impact Mitigation

Documentation File loss/ corruption

Project word documents lost or unable to recover

0.1

High

NTU OneDrive Backup is used

Virtual Machine Configuration

VM can be corrupted during the progress of then testing attacks.

0.3

Medium

Reconfiguration of VM will be done

Restricted Network Access

NTU restricted network access

0.5

Medium

Alternative Connectivity will be used such mobile hotspot

Malware infection

Taking live sample Malware/ Ransomware for simulation in Virtual machines could infect the host machine and network connected

0.9

High

Simulation carried out in sandbox/  isolated network

Risk Treatment


Based on the Risk score the risk treatment plan can be applied as follows with examples:
  • Avoidance: 
  • Eliminating the risk altogether by changing the activity or process that creates it.
    • Risk: Employees using personal devices for work, increasing the risk of data breaches and malware infections.
    • Avoidance: Implementing a strict BYOD (Bring Your Own Device) policy that prohibits personal device use for work activities. This eliminates the risk at its source.
  • Transfer:
  • Sharing the risk with another party, such as through insurance or outsourcing.
    • Risk: Cyberattacks causing financial losses due to data breaches or ransomware.
    • Transfer: Purchasing cyber insurance to offset potential financial damages. This shifts the risk burden to the insurance provider.
  • Mitigation: 
  • Reducing the likelihood or impact of the risk through controls, safeguards, or procedures.
    • Risk: Weak passwords easily compromised by hackers.
    • Mitigation: Implementing a strong password policy enforcing complexity requirements, regular changes, and two-factor authentication. This reduces the likelihood of password-related breaches.
  • Acceptance:
  • Deciding to live with the risk, considering its low probability or acceptable consequences.
    • Risk: Occasional power outages disrupting operations.
    • Acceptance: Determining that the cost of backup power systems outweighs the potential losses from brief outages. The organization accepts the risk and focuses on resilience measures like uninterruptible power supplies for critical systems.
**************************************************

GDPR

How to Collect, Manage, process personal data


GDPR key concepts

  • Lawful processing
  • Data subject rights
  • Data controllers Vs Data processors
  • Privacy by design

DPO - Data protection Officer 

GDPR requires parental concerns before collecting children's data who are less than 16 or 13.

Companies time to respond for a data breach and 72 Hrs to communicate with the EU regarding the breach.


Do I need all of the data I am Collecting here?

Could o do this work without using personal data at all.

Am I using the data in a way a user may not expect?

Do I have a plan to delete this data once I no longer need it?


DPIA -Data Protection Impact Assessment 


DSRs - Data Subject rights : 

6 GDPR DSRs


  • Right to be forgotten
  • Right of access
  • Right to data portability
  • Right to restriction of processing
  • Right to rectify
  • Right to object

Methods to prove lawfulness of Processing: 


  • Contractual Necessity
  • Consent
  • Legitimate interest

GDPR Controllers and Processors

Controllers: are at risk of incurring high fines if they do not meet the obligations set forth in the GDPR


****************************************

Comments

Post a Comment

Popular Posts

Marriage Registration Online steps [Tamil Nadu]

Marriage Registration Online 1. Hindu Marriage Act 2. TamilNadu Marriage Act Steps To follow 1. Log into :-> https://tnreginet.gov.in/portal/  2. Click on "User Registration"   under " LOGIN " section 3. Now Login with UserID & Password  Hindu Marriage Registration 4. After Log in then select  Home > Marriage Registration > Hindu Marriage Registration 5. Fill in the details     1. Husband details           A.  Details Must be know - District, Taluk, Village and then f rom Drop down select the " street name "         B . if any of the parent is not alive mark the same and produce the death certificate while submitting the application in-person.      2. Wife Details          A. same as above, have all the information to fill in details 3. Witness Options 4. Other Details 5. Proof Details: for Husband & Wife  Home > Draft Listing T...
Read more

Plagiarism

Image
Plagiarism      Plagiarism score or similarity score is obtained by the tool ( Turnitin ) to check,  whether the  s ubmitted documents contains any copied & pasted as it is from any sources. The plagiarism is  used to check the similarity of the phrases and sentence that are used in the document are they copied as it is and used in the  report. Even when the credit is provided for referencing these source under the reference section. One must use the quotations to use the same sentence or phrases, that are copied & pasted in the document. When the filter is applied to ignore the quoted sentenced, these are ignored by the tool to obtain the similarity score.       The image below displays an example of a plagiarism or similarity score, which is obtained by Turnitin, a tool used to check whether submitted documents contain any copied and pasted content from other sources. The similarity score indicates how similar th...
Read more

HOME LAB : HANDS-ON

Image
HOME LAB : HANDS-ON Disclaimer Home LAB Home Assistant on OMV Container in Raspberry Pi https://www.gouti1454.com/p/homeassistant.html Installing Home Assistant on Docker using OMV Compose, along with Portainer, Jellyfin, and MQTT. Here’s the breakdown: Home Assistant on OMV Compose Setting up MQTT and connected it to Home Assistant HomePage with Docker Compose https://www.gouti1454.com/p/homepage-docker.html Setting Up HomePage with Docker Compose Key things to get right, While installing  HomePage Docker:  Best Practices for Docker Compose: Widgets Configuration: Common Errors & Fixes: Lamma AI https://www.gouti1454.com/p/llama-ai.html This post covers some useful tips and tricks for extracting YouTube transcripts and using the Fabric framework. The topics include: ...
Read more