Naavi.org

Here is a continuation of Naavi’s series of videos on DGPSI.

Naavi Academy has started a series of videos explaining DGPSI as a framework for compliance of DPDPA.

Here is an introductory video:

Yesterday we started a new round of discussion advocating the need to modify the well known CIA triad approach to Information Security to add “Preservation of Value of Data”. While all data has a value, the proposed concept of V & V was central to the security of Personal Data where there was a need to protect the personal data in such a manner that there would be a reduction of Risk of penalty under the Data Protection regulations.

Let us try to explore this further.

When I published the book “Guardians of Privacy…a comprehensive handbook on DPDPA 2023 and DGPSI” which I suppose some of you must have read, I had published a Security

approach (Page 210) in the form of a “Septagon” as follows.

This was an upgradation from the “Security Pentagon which I had proposed much earlier as part of the Theory of Information Security Motivation and had included the requirements of Privacy through the “Governance”, “Compliance” and “Legal Basis” aspects in replacement of “Non Repudiability” which was included in the “Authentication” itself.

These seven boundaries of Personal Data Protection represented the requirements of protecting the Personal Data in the current generation of Data Protection laws much better than the CIA concept which was used earlier by the community.

While the “Legal basis” and “Compliance” include the “Privacy Concepts’, the “Governance” includes the concepts such as Recognition and preservation of the value of data and other aspects such as Distributed Responsibility or concepts such as “Data is created by technology but interpreted by humans”, which are not today part of Compliance but are considered essential for implementation of DGPSI framework.

The mod CIA V&V concept is therefore another expression of this personal data security pentagon. While “Governance” represents the first V in CIA V&V, “Compliance” represents the second “V”.

If we had used the acronym of the parameters used in the security pentagon, we would have arrived at CIA-ALCG as an extension of the familiar CIA. The CIA in CIA-ALCG is of course used as “Modified CIA” as explained in the article yesterday.

It is time that we shift our Information Security focus from CIA to CIA-ALCG as we migrate from “Information Security” to “Personal Data Security”. This would be also applicable where the context is security of both personal and non personal data.

Yes, I am once again challenging the age old ISO concept much to the discomfort of some professionals who are having a role set problem as ISO auditors. But this is inevitable as the society moves from Information Security of all Data as one objective to Information Security under ITA 2000 and Personal Data Security under DPDPA 2023 (and other laws) as an objective of protecting personal and non personal data together in an organization. It is for the same reason that I repeatedly hold that ISO 27001 is necessary but not sufficient for Personal Data Protection and we need to implement DGPSI instead as the framework of choice.

Request for comments from professionals.

CIA is a well known security concept which defines the Information Security Frameworks such as ISO 27001 and many others.

In the context of ISMS objectives requiring to be modified for Personal Data security based on the Data Protection laws, there is a need to redefine Information security from as “Preservation of Confidentiality, Integrity, Availability and also the Value of Data”. The Core concepts of Confidentiality, Integrity and Availability themselves need to be modified and we need to adopt a ModC, Mod I and Mod A, in the place of CIA. To this we need to add the value perception.

The Value perception itself needs to be looked at from two angles namely the “Value of Data” because of the cost or market value and also the need to preserve erosion of value by in adequate Governance measures leading to penalties under the laws.

Hence CIA Triad needs to be upgraded to Mod-CIA V&V. The reason why CIA has to be modified in the Data Protection context can be briefly explained below.

The reason is, while “C” in ISMS reflects data access Control which the IS department decides on the basis of “Role Based Access”, in the Data Privacy context the fixing of Data access controls reflect the permissions given by the Data Principal based on the purpose of processing of personal data.

Similarly the “I” in the IS context reflects the need to ensure accuracy of data in the interest of the organization, in the DPDPA context, “Maintenance” of accuracy, completeness and consistency is related to whether the processed data is meant for disclosure or decision making.

Also “A” in DPDPA scenario depends on the exercising of “Rights” under the law rather than the denial of access possibility.

Apart from the modified CIA concept, the context of Personal Data Governance under DPDPA Compliance also recognizes the financial value of data represented by the V in the new concept.

The value itself can be looked at from the perspective of the revenue generative potential which is V+ while the opportunity cost of in adequate compliance results in a financial loss which is represented by V-.

Thus the CIA Triad needs to be expanded to five elements of Personal data security namely the Modified Confidentiality, Modified Integrity, Modified Availability, Value preservation and Prevention of Value loss through penalties.

Currently, DGPSI Full version does take into account all the five elements and hopefully this practice will gain acceptability in due course in the industry.