This document provides a profile of an expert presenter including their extensive experience in IT advisory, consulting, auditing, training, and project management spanning 16 years. The presenter has advised 6 companies, served as an international subject matter expert for ISACA, developed certification exams, reviewed publications, audited and consulted over 30 companies, delivered over 200 training sessions to over 7,000 attendees, and written over 300 articles. The document then outlines the presenter's upcoming session on information privacy and security which will discuss definitions, taxonomies, expectations, types of information collected, standards, challenges, and lessons learned.
3. Presenter Profile
• 16 years of working experience with exposure to IT advisory, consulting, audit, training and education, and project management
• Advisor at six companies
• ISACA International Subject Matter Expert (COBIT 5 Configuration
Management, COBIT 5 Enabling Information, Risk Scenarios with COBIT 5
for Risk, Big Data Privacy Risk and Control)
• ISACA International Certification Exam and QAE Developer for CISA, CISM,
CGEIT, and CRISC
• Reviewer Panel at three international journals: AECT TechTrends, BJET and
ISACA Journals
• Has audited and consulted for 30+ companies
• More than 65 international certifications under his belt
• Has delivered and hosted 200+ sessions with 7,000+ attendees and 5,000+ hours of training, lectures, conferences, workshops and seminars across Indonesia and abroad for 70+ organizations
• Writes, reviews and edits 300+ articles, encyclopedia entries, manuscripts and white papers concerning ICT, management and business in more than 20 media outlets, publications, organizations, journals and conferences.
May 2014 3
6. Okay, Let’s Put it this Way
Information Privacy is the relationship between collection and dissemination of:
• Information
• Technology
• Personal and public expectations
• Laws and regulations surrounding them
7. What does Privacy Mean Now?
• In the past: Privacy is about secrecy.
• These days: Privacy is all about control.
People's relationship with privacy is socially complicated.
Agree or Disagree?
8. Primary Concerns
• The act of data collection: Legal versus Illegal
• Improper access (Authentication)
• Unauthorized use (Authorization)
10. How Big Consumer Data is
• In 1996, e-commerce revenue was US$600M
• In 2015, e-commerce revenue is expected to hit US$995B
• Big Bang of Social Networks: 1 billion Facebook, 800 million Google+, 400 million Twitter, and 250 million LinkedIn users.
11. In Regards to Expectations
• Individuals would expect reasonable measures on:
  • Technical
  • Physical
  • Administrative
• Privacy (and Information Security) professionals in organizations handle compliance with privacy promises
• No such thing as Perfect Privacy, just acceptable levels of risk
12. Wide Range of Information
• Healthcare records
• Criminal justice investigations
• Financial institutions and transactions
• Residence and geographic records
• Invisible traces of our presence
• Data trails
• Credit card databases
• Phone company databases
• Customer databases
13. Web Data Collection
• Personal/profile
• Other types of info
• Device information
• Cookies
• Log information
• User communications
• Location
• Software
• Application
• Behavior
14. Costs of Information Privacy
Government
• Edward Snowden, Hero or Traitor (?)
Company
• Data and information collection
• Revenue lost and recovery costs
• Security awareness
• Protect users’ data and information (from hacking, cracking and phreaking activities)
• Safeguard the service (remote storage service, “Cloud”)
• Image/Credibility
• Legal charge/fine
15. Costs of Information Privacy (cont’d)
Consumer
• Time to learn (learning curve)
• Credibility/Reputation
• Opportunity/revenue loss
• Recovery costs
16. Challenges in the Future
• What is “private” information by now?
• Make information more accessible
• Evolve systems to prevent breaches
17. Moving Forward to Information Security
18. ISACA Says…
Information shall be protected against disclosure to
unauthorized users (confidentiality), improper
modification (integrity) and non-access when required
(availability).
Explicitly, it tells us what to do:
• Confidentiality: preserving authorized restrictions on access and disclosure to protect privacy and proprietary information
• Integrity: guarding against improper modification or destruction, and ensuring information non-repudiation and authenticity
• Availability: ensuring timely and reliable access to and use of information
19. Information Security Principles
According to the Information Systems Security Certification Consortium:
A. Support the business
• Focus on the business functions and processes
• Deliver quality and value to stakeholders
• Comply with legal and regulatory requirements
• Provide timely and accurate information
• Evaluate existing and future information threats
• Improve information security continuously
20. Information Security Principles (cont’d)
B. Secure the organization
• Adopt a risk-based approach
• Protect classified information
• Focus on critical business processes
• Develop systems securely
C. Promote information security
• Attain responsible behavior
• Act in a professional and ethical manner
• Foster a positive information security culture
21. Information Security Standards
Known internationally as ‘ISO/IEC 27001’
Best-practice recommendations for initiating, developing, implementing, and maintaining Information Security Management Systems (ISMS), covering:
• Risk Assessment
• Security Policy
• Asset Management
• Physical/Environmental Security
• Access Control
• And many others
26. How it Applies Country to Country
“No one shall be subjected to arbitrary
interference with his privacy, family, home
or correspondence, nor to attacks upon
his honor and reputation. Everyone has
the right to the protection of the law
against such interference or attacks.”
—Universal Declaration of Human Rights, Article 12
27. Laws by Countries
• The U.S.
  • HIPAA
  • Electronic Communications Privacy Act
  • PATRIOT Act
  • The Children’s Online Privacy Protection Act
• European Union (EU)
  • Data Protection Directive
  • European Data Protection Regulation
28. For Indonesia? We Have UU No. 14 of 2008
Keterbukaan Informasi Publik (Disclosure of Public Information)
“Every Public Body is obliged to open access for every applicant for public information to obtain public information, except for certain specific information”
• 8 years of development and 64 clauses that regulate:
1. Guaranteeing the right of citizens to know the plans for making public policy, public policy programs, and the public decision-making process, as well as the reasons for taking a public decision;
2. Encouraging public participation in the public policy-making process;
3. Increasing the active role of the public in public policy-making and in the good management of Public Bodies;
29. UU No. 14 of 2008 (cont’d)
4. Realizing good governance of the state, that is, governance that is transparent, effective and efficient, accountable and answerable;
5. Knowing the reasons behind public policies that affect the livelihood of many people;
6. Developing knowledge and enlightening the life of the nation;
7. Improving information management and information services within Public Bodies to produce quality information services.
30. UU No. 14 of 2008 (cont’d)
Definition of information exempt from disclosure:
1. Public Information which, if disclosed and given to the Applicant for Public Information, could hinder the law enforcement process;
2. Public Information which, if disclosed and given to the Applicant for Public Information, could interfere with the protection of intellectual property rights and protection from unfair business competition;
3. Public Information which, if disclosed and given to the Applicant for Public Information, could endanger national defense and security;
4. Public Information which, if disclosed and given to the Applicant for Public Information, could reveal Indonesia’s natural wealth;
31. UU No. 14 of 2008 (cont’d)
5. Public Information which, if disclosed and given, could harm national economic resilience;
6. Public Information which, if disclosed and given, could harm the interests of foreign relations;
7. Public Information which, if disclosed, could reveal the contents of an authentic deed of a personal nature or a person’s last will or testament;
8. Public Information which, if disclosed and given, could reveal personal secrets;
9. Memoranda or letters between Public Bodies or within a Public Body, except by decision of the Information Commission (Komisi Informasi) or a court;
10. Information that may not be disclosed under the Law.
32. State-Owned Companies Must Provide
• Name and domicile, aims and objectives and type of business activity, duration of establishment, and capitalization;
• Full names of shareholders, members of the board of directors, and members of the company’s Board of Commissioners;
• Annual reports, financial statements, balance sheets and profit and loss statements, and corporate social responsibility reports that have been audited;
• Results of assessments by external auditors, credit rating agencies and other rating agencies;
• The system and allocation of remuneration funds for members of the board of commissioners/supervisory board and the board of directors;
• The mechanism for appointing directors and commissioners/supervisory board members;
33. State-Owned Companies Must Provide (cont’d)
• Legal cases that are open as Public Information under the Law;
• Guidelines for implementing good corporate governance based on the principles of transparency, accountability, responsibility, independence, and fairness;
• Announcements of the issuance of debt securities;
• Replacement of the accountant auditing the company;
• Changes to the company’s fiscal year;
• Government assignment activities and/or public service obligations or subsidies;
• The mechanism for procurement of goods and services;
• Other information stipulated by Law relating to BUMN (state-owned enterprises) and BUMD (regional government-owned enterprises)
34. By Utilizing Such Frameworks and/or Standards
• Reduce complexity of activities and processes
• Deliver better understanding of information security
• Attain cost-effectiveness in managing privacy and security
• Enhance user satisfaction with the arrangements and outcomes
• Improve integration of information security
35. By Utilizing Such Frameworks and/or Standards (cont’d)
• Inform risk decisions and risk awareness
• Enhance prevention, detection and recovery
• Reduce probability and impact of security incidents
• Leverage support for organizational innovation and competitiveness
36. ISACA Framework on Information Security
ISMS: Information Security Management Systems
R: Responsible; A: Accountable; C: Coordinate; I: Informed
37. Lessons Learned on IP and IS
38. Highlight these and Give Them A Boom!
Having IS policies, procedures, and technologies in place to prevent and deal with Information Privacy issues is a MUST.
Negligence in IS and in maintaining PII can have damaging effects on customer satisfaction and employee relationships.
39. For Individuals, Here Are the Takeaways
• One user, one device (PC, notebook, mobile)
• One user, one account (email, social media, social network and others)
• Password safety, complexity and routines
• Do periodic back-ups and keep them off-site
• If shared, be mindful that it is at your own risk
• Your information, your privacy
• Your privacy, your security