The document provides an overview of personal data protection regulations and technical aspects related to data privacy. It discusses key aspects of the draft Indonesian Personal Data Protection Bill, including rights of data owners and obligations of data controllers. It also covers technical topics like identity and access management, data loss prevention, and incident management. The presentation aims to provide a basic understanding of both regulatory requirements and technical controls for protecting personal data.
Personal Data Protection Regulation and Technical Aspects
1. PERSONAL DATA PROTECTION
Eryk B. Pratama
IT Advisory & Cyber Security Consultant at Global Consulting Firm
Komunitas Data Privacy & Protection Indonesia
11 July 2020 | 20:00
Komunitas Orang Siber Indonesia Webinar
Basic Regulation and Technical Aspects
5. Data/Information Lifecycle
Introduction
Source: ISACA – Getting Started with Data Governance with COBIT 5
It is important to plan the life cycle of data along with their placement within the governance structure. As practices operate, the data supporting or underlying them reach the various levels of their natural life cycles. Data is planned, designed, acquired, used, monitored and disposed of.
Critical information security control:
▪ Store | Data at Rest
▪ Share | Data in Motion
▪ Use | Data in Use
6. Mind-map
Introduction
Regulation:
▪ EU General Data Protection Regulation (GDPR)
▪ US California Consumer Protection Act (CCPA)
▪ RUU Perlindungan Data Pribadi (RUU PDP)
▪ PP 71 2019 - PSTE
▪ Peraturan Kominfo No 20 2016 - Data Pribadi pada PSE
Technical Aspects:
▪ Pre-Breach: Identity & Access Management, Data Loss Prevention, Privilege Access Management, Cyber Hygiene
▪ During & Post Breach: Incident Management, Crisis Management
8. RUU Perlindungan Data Pribadi
Regulation Aspects
Key Highlight
▪ Explicit consent is required from the data owner for personal data processing.
▪ Response timelines for data subject rights are separately called out in the RUU PDP.
▪ The data controller must notify the data owner and the Minister within 3 days of a data breach.
▪ Penalties for non-compliance may range from Rp 20 Billion to Rp 70 Billion or imprisonment ranging from 2 to 7 years.
Roles defined: Data Owner, Data Controller, Data Processor, Data Protection Officer
9. Data Owner – Pemilik Data Pribadi
Regulation Aspects
Rights of the Personal Data Owner (Hak Pemilik Data Pribadi)
Article | Description
Article 4 | To request information about the clarity of identity, the legal basis, the purpose of the request and of the use of the Personal Data, and the accountability of the party requesting the Personal Data.
Article 5 | To complete their Personal Data before it is processed by the Personal Data Controller.
Article 6 | To access their Personal Data in accordance with the provisions of laws and regulations.
Article 7 | To update and/or correct errors and/or inaccuracies in their Personal Data in accordance with the provisions of laws and regulations.
Article 8 | To end the processing of, delete, and/or destroy their Personal Data.
Article 9 | To withdraw the consent to process their Personal Data that was given to the Personal Data Controller.
Article 10 | To object to decision-making based solely on automated processing relating to a person's profile (profiling).
Article 11 | To opt in or opt out of the processing of Personal Data through a pseudonymisation mechanism for a specific purpose.
Article 12 | To suspend or restrict the processing of Personal Data proportionally to the purpose of the processing.
Article 13 | To claim and receive compensation for violations concerning their Personal Data in accordance with the provisions of laws and regulations.
11. Data Masking - Tokenization
Regulation Aspects
Source: https://blog.thalesesecurity.com/2015/02/05/token-gesture-vormetric-unveils-new-tokenization-solution/
No sensitive data is stored in the production database.
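The point of the slide is that tokens, not the sensitive values, live in production. The following added example (not code from the presentation or from the Thales/Vormetric product it cites) shows a minimal token vault: the lookup key, the customer names and the card numbers are constructed for the demonstration.

```python
"""Tokenization vault, added as an illustration (not the Vormetric product on the slide).
Production rows hold only opaque tokens; the sensitive value lives in a separate,
access-restricted vault keyed by the token.  Key and sample data are constructed."""
import hashlib
import hmac
import secrets


class TokenVault:
    """Maps random tokens to sensitive values; assumed to run in its own hardened store."""

    def __init__(self, lookup_key: bytes) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_index: dict[str, str] = {}  # HMAC(value) -> token, so no plaintext keys
        self._lookup_key = lookup_key

    def _index(self, value: str) -> str:
        # Keyed hash so equal values map to the same token without a plaintext lookup table
        return hmac.new(self._lookup_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        idx = self._index(value)
        if idx in self._value_index:
            return self._value_index[idx]
        # Random token; only the last four digits are kept so staff can confirm a card
        token = "tok_" + secrets.token_hex(8) + "_" + value[-4:]
        self._token_to_value[token] = value
        self._value_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers authorised to see the original value should reach this."""
        return self._token_to_value[token]


def store_order(vault: TokenVault, production_db: list, customer: str, pan: str) -> dict:
    """Write an order to the production database with the card number replaced by a token."""
    record = {"customer": customer, "pan_token": vault.tokenize(pan)}
    production_db.append(record)
    return record


def production_holds_no_pan(production_db: list, pans: list) -> bool:
    """Audit check: no raw card number appears anywhere in the production records."""
    return not any(pan in str(rec) for rec in production_db for pan in pans)
```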
12. Data Controller – Pengendali Data Pribadi
Regulation Aspects
Obligations of the Data Controller (Kewajiban Data Controller)
Article | Description
Article 24 | ▪ Must provide information on the legality of the processing, the purpose of the processing, the type and relevance of the processing, the document retention period, details of the information collected, and the period of data processing.
▪ Must show evidence of the consent given by the Personal Data Owner.
Article 25 | Must stop processing Personal Data if the Personal Data Owner withdraws consent to the processing of Personal Data.
Article 27 | Must protect and ensure the security of the Personal Data it processes by:
▪ drawing up and implementing operational technical measures to protect Personal Data;
▪ determining the security level of the Personal Data with regard to the nature and risk of the Personal Data that must be protected during processing.
Article 28 | Must supervise every party involved in the processing of Personal Data.
Article 29 | Must ensure the protection of Personal Data from unlawful processing of Personal Data.
Article 36 | Must process Personal Data in accordance with the purpose of processing agreed to by the Personal Data Owner (explicit / implicit consent).
Articles 38 and 39 | Deletion and destruction of personal data.
13. Data Protection Officer – Fungsi Perlindungan Data Pribadi
Regulation Aspects
▪ Must be appointed on the basis of professional qualities and knowledge of the law and practice of Personal Data protection.
▪ May come from inside and/or outside the Personal Data Controller or Personal Data Processor.
▪ Informs and advises the Data Controller and Data Processor.
▪ Monitors and ensures compliance with this Law and with the policies of the Personal Data Controller or Personal Data Processor.
▪ Advises on Personal Data protection impact assessments and monitors the performance of the Data Controller and Data Processor.
▪ Coordinates and acts as the contact point for issues relating to the processing of Personal Data.
▪ In carrying out these duties, must have regard to the risks related to the processing of Personal Data, taking into account the nature, scope, context, and purpose of the processing.
15. Identity and Access Management
Technical Aspects – Identity & Access Management
Security Management: provides the overarching framework, policies, and procedures.
Identity Management: manages individual identities and their access to resources and services.
Access Management: manages the “who has access to what” question and allows access based on the individual's relationship with the resources and services.
Directory Services: maintains an identity repository that stores identity data and attributes, and provides access and authorization information.
“IAM grants authorized users the right to use a service, while preventing access to non-authorized users”
16. From Simply Managing Identities to Managing Complex Relationships
Technical Aspects – Identity & Access Management
Identity Access Management → Identity Relationship Management
Source: Forrester Research
17. Identity Management Basic Process
Technical Aspects – Identity & Access Management
Authoritative/Trusted Source → Middleware / Identity Management Solution → Target System
▪ Authoritative/Trusted Source: HR Data
▪ Middleware: IDM Solution (provisioning and reconciliation)
▪ Target Systems: Active Directory, Email Server, ERP, other applications
Operations: Create, Update, Revoke
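The reconciliation step above, as an added example that is not part of the presentation: an HR feed (the authoritative source) is compared with the accounts in one target system, and the solution emits Create, Update and Revoke actions. The employee records and accounts are constructed sample data; the orphan-account case (an enabled account with no HR record) is the one that matters most for data protection.

```python
"""Reconcile an authoritative HR feed against a target system's accounts and emit
provisioning actions (added illustration, not a vendor IDM product).  HR records and
target-system accounts are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    department: str
    active: bool


@dataclass(frozen=True)
class Account:
    employee_id: str
    name: str
    department: str
    enabled: bool


def reconcile(hr_feed: list[HrRecord], target: list[Account]) -> list[tuple[str, str]]:
    """Return sorted (action, employee_id) pairs.
    Create: HR-active person with no account.  Update: account disabled or attributes
    drifted from HR.  Revoke: enabled account whose HR record is inactive or missing
    (orphan account, the classic leaver risk)."""
    accounts = {a.employee_id: a for a in target}
    hr = {r.employee_id: r for r in hr_feed}
    actions = []
    for emp_id, rec in hr.items():
        acct = accounts.get(emp_id)
        if rec.active and acct is None:
            actions.append(("Create", emp_id))
        elif rec.active and acct is not None:
            if not acct.enabled or (acct.name, acct.department) != (rec.name, rec.department):
                actions.append(("Update", emp_id))
        elif not rec.active and acct is not None and acct.enabled:
            actions.append(("Revoke", emp_id))
    # Orphans: enabled accounts in the target system with no HR record at all
    for emp_id, acct in accounts.items():
        if emp_id not in hr and acct.enabled:
            actions.append(("Revoke", emp_id))
    return sorted(actions)
```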
18. Access Management Basic Process
Technical Aspects – Identity & Access Management
Receive Request → Verification → Provide Rights → Log and Track Access
Receive Request:
▪ Change requests
▪ Service requests
▪ HR requests
▪ App / script requests
Verification:
▪ Valid user?
▪ Valid request?
▪ Request access?
▪ Remove access?
Provide Rights:
▪ Provide access
▪ Remove access
▪ Restrict access
Log and Track Access:
▪ Check and monitor identity status
▪ Violations to Incident Management Process
Underpinned by: Business Rules, Policies, Procedures, Controls (ISMS)
19. User and Access Management primary concern
Technical Aspects – Identity & Access Management
▪ User access provisioning and de-provisioning
▪ Periodic access reviews
▪ Privileged user accounts
▪ Segregation of duties
▪ System authentication
Areas: User Management, Access Management
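The four-step access management process (receive, verify, provide rights, log and track) together with the segregation-of-duties and privileged-account concerns listed above, as an added example that is not part of the presentation. The SoD conflict pairs, the privileged role set and the users are constructed assumptions.

```python
"""Access-request handling (added illustration, not a product workflow): verify the
requester and request, apply segregation-of-duties rules, grant or reject, and log the
outcome, routing violations to incident management.  Users, roles and the conflicting
role pairs are constructed sample data."""
from dataclasses import dataclass, field

# Assumed SoD matrix: one person may not hold both roles of any pair.
SOD_CONFLICTS = {frozenset({"vendor_create", "payment_approve"}),
                 frozenset({"dev_commit", "prod_deploy"})}
PRIVILEGED_ROLES = {"prod_deploy", "domain_admin"}   # assumed privileged roles


@dataclass
class User:
    user_id: str
    active: bool
    roles: set[str] = field(default_factory=set)


@dataclass
class Decision:
    granted: bool
    reason: str
    escalate_to_incident: bool = False


def handle_request(users: dict[str, User], user_id: str, role: str,
                   approver: str, audit_log: list) -> Decision:
    """Receive -> verify -> provide rights -> log and track, for one access request."""
    user = users.get(user_id)
    if user is None or not user.active:
        # A request for an unknown or disabled identity is itself worth investigating
        decision = Decision(False, "invalid user", escalate_to_incident=True)
    elif approver == user_id:
        decision = Decision(False, "self-approval not allowed")
    elif any(frozenset({role, held}) in SOD_CONFLICTS for held in user.roles):
        decision = Decision(False, f"SoD conflict with {sorted(user.roles)}",
                            escalate_to_incident=True)
    else:
        user.roles.add(role)
        note = "privileged role, flagged for periodic review" if role in PRIVILEGED_ROLES else "granted"
        decision = Decision(True, note)
    audit_log.append({"user": user_id, "role": role, "approver": approver,
                      "granted": decision.granted, "reason": decision.reason})
    return decision
```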
20. Data Governance: Common Area
Technical Aspects – Data Loss Prevention
Source: https://www.pinterest.com/pin/838584393089888744/
Data security is one of the foundational and most important areas in data governance.
21. Data Loss/Leakage Prevention Solution
Technical Aspects – Data Loss Prevention
A Data Loss Prevention (DLP) solution typically incorporates people, process, and technology to protect sensitive data traversing an organization. Data within an organization is often categorized and protected by DLP in the following three forms:
▪ Data in Motion: data that is transmitted or moved, through electronic or non-electronic means; data that is actively traveling on a network, such as email or web traffic.
▪ Data at Rest: data that resides on a stable medium, including servers, network shares, databases, individual computers, and portable media.
▪ Data in Use: data that has been obtained and is being processed or actively used; typically refers to data on end-user computing devices or host systems.
Data Type:
▪ Structured Data: data commonly stored in databases or applications.
▪ Unstructured Data: exists in filesystems or documents.
▪ Semi-structured Data: examples of such data formats include email.
22. Sample Deployment
Technical Aspects – Data Loss Prevention
ILLUSTRATIVE
Components shown: DLP Manager, DLP Monitor, DLP Prevent (two instances), Host DLP, DLP Discover, DLP End Point
23. DLP Implementation Key Activities
Technical Aspects – Data Loss Prevention
▪ Review of the organisation's data protection policy and conduct a gap assessment
▪ Define data flows, data classification and information asset list
▪ DLP framework and high-level policy definition
▪ Base policy creation and tuning
▪ Metrics definition
▪ Incident response workflow creation
▪ User awareness
24. DLP Implementation Strategy
Technical Aspects – Data Loss Prevention
Organizations often deploy DLP solutions using a phased approach. This includes initial implementation of the DLP solution in monitoring mode and/or within selected business unit(s) to help ensure policy/rule effectiveness and assess business impact before turning on any automated “prevent” functions.
[Chart: implementation complexity (low to high) against timeline (near term to long term)]
▪ Monitor Phase: Email Monitoring → Network Monitoring → Endpoint Monitoring and Discovery
▪ Prevent Phase: Email Filtering/Blocking → Network Filtering/Blocking → Endpoint Filtering/Blocking
Benefits
▪ By performing email DLP first, existing technology is utilized and a high-risk use case is addressed quickly.
▪ Implementing endpoint DLP after email DLP allows the company to address the remaining high-risk use cases.
▪ Deploying DLP in monitoring mode followed by preventive mode allows the company to pilot the solution.
25. DLP Use Case: Data in Motion
Technical Aspects – Data Loss Prevention
Data Origination: Outbound email from an internal source (sensitive information)
User Action: An internal user sends an email with sensitive information (e.g. PII, PCI, HR files, etc.) outbound to an external user or personal email address.
DLP Response: DLP monitors and analyzes outbound traffic based on policies for predefined data elements and company document tags. Document tagging allows DLP to fingerprint files in order to monitor and/or prohibit the movement of sensitive information based on policies.
Available Action: Monitor, record/block/encrypt, and notify
Result: Sensitive information is tracked and prevented from reaching unauthorized recipients. The sender, manager, security, and/or HR are notified of the policy violation, or of actions required/taken for authorized recipients (e.g. email and attachments marked to indicate the level of confidentiality and encrypted, as required).
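The data-in-motion use case above, as an added example that is not part of the presentation or of any vendor's DLP engine: a policy check over one outbound message that looks for a predefined data element (card numbers, validated with the Luhn checksum to cut false positives) and for a company document tag, and returns the monitor / block / encrypt / notify action. The internal domain, the tag names and the sample messages are constructed.

```python
"""Outbound-email DLP policy check, added as an illustration (not a vendor DLP engine).
It looks for predefined data elements (card numbers validated with Luhn) and company
document tags in mail leaving the organisation and returns the slide's actions:
monitor, block, encrypt, notify.  Domain, tags and sample messages are constructed."""
import re

INTERNAL_DOMAIN = "example.co.id"                 # assumed internal mail domain
DOCUMENT_TAGS = {"CONFIDENTIAL", "RESTRICTED"}    # assumed classification tags
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")    # 13-16 digits, spaces/dashes allowed


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return candidate card numbers in the text that pass the Luhn check."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def evaluate(sender: str, recipients: list[str], body: str, tag: str = "") -> dict:
    """Decide the DLP action for one outbound message.
    Internal-only mail is just monitored; mail to external recipients is blocked
    when a card number is present, or encrypted when the document carries a tag."""
    external = [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    pans = find_pans(body)
    if not external:
        return {"action": "monitor", "notify": [], "reason": "internal recipients only"}
    if pans:
        return {"action": "block", "notify": [sender, "security"],
                "reason": f"{len(pans)} card number(s) to {external}"}
    if tag.upper() in DOCUMENT_TAGS:
        return {"action": "encrypt", "notify": [sender], "reason": f"tag {tag.upper()}"}
    return {"action": "monitor", "notify": [], "reason": "no policy match"}
```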
26. DLP Use Case: Data in Use
Technical Aspects – Data Loss Prevention
Data Origination: Unauthorized sensitive information download
User Action: A user attempts to retain sensitive information for unauthorized use from an application or database through copy/paste functions, the “print screen” command, hard copy printing, or exploitation of current access privileges to execute excessive sensitive information downloads (e.g. prior to departure).
DLP Response: DLP monitors workstation and mobile device activity for the use and/or transfer of sensitive information based on policies for predefined data elements and company document tags. Company document tagging and user-defined fingerprinting allow DLP to monitor and/or prohibit the movement of sensitive information based on policies.
Available Action: Monitor/inventory, block, and notify
Result: Sensitive information is monitored, blocking the “print screen,” paste, and hard copy print actions. The user, manager, security, and/or HR are notified of the policy violation. Scan results are used to update/maintain an inventory of endpoints containing sensitive information.
27. Incident Management Definition
Technical Aspects – Incident Management
What is an IT incident?
An IT incident is any disruption to an organization's IT services that affects anything from a single user to the entire business. In short, an incident is anything that interrupts business continuity.
What is IT incident management?
Incident management is the process of managing IT service disruptions and restoring services within agreed
service level agreements (SLAs). The scope of incident management starts with an end user reporting an issue and
ends with a service desk team member resolving that issue.
Roles: Analyst, Incident Responder, Digital Forensic
Incident Escalation: Layer 1 (L1) → Layer 2 (L2) → Layer 3 (L3)
Incident Classification: High, Medium, Low
Incident Prioritization: Critical, High, Medium, Low