Yesterday we started a new round of discussion advocating the need to modify the well-known CIA triad approach to Information Security by adding “Preservation of Value of Data”. While all data has a value, the proposed concept of V&V was central to the security of Personal Data, where the personal data needs to be protected in such a manner that the risk of penalty under the Data Protection regulations is reduced.
Let us try to explore this further.
When I published the book “Guardians of Privacy…a comprehensive handbook on DPDPA 2023 and DGPSI”, which I suppose some of you must have read, I had published a security approach (page 210) in the form of a “Septagon” as follows.
This was an upgrade of the “Security Pentagon” which I had proposed much earlier as part of the Theory of Information Security Motivation. It added the requirements of Privacy through the “Governance”, “Compliance” and “Legal Basis” aspects, in replacement of “Non Repudiability”, which was already included in “Authentication” itself.
These seven boundaries of Personal Data Protection represent the requirements of protecting Personal Data under the current generation of Data Protection laws much better than the CIA concept used earlier by the community.
While “Legal Basis” and “Compliance” include the “Privacy Concepts”, “Governance” includes concepts such as recognition and preservation of the value of data and other aspects such as Distributed Responsibility, or concepts such as “Data is created by technology but interpreted by humans”, which are not today part of Compliance but are considered essential for implementation of the DGPSI framework.
The modified CIA V&V concept is therefore another expression of this personal data security septagon. While “Governance” represents the first “V” in CIA V&V, “Compliance” represents the second “V”.
If we had used the acronym of the parameters used in the security septagon, we would have arrived at CIA-ALCG as an extension of the familiar CIA. The CIA in CIA-ALCG is of course used in the sense of the “Modified CIA” explained in yesterday's article.
It is time that we shift our Information Security focus from CIA to CIA-ALCG as we migrate from “Information Security” to “Personal Data Security”. This would also be applicable where the context is the security of both personal and non-personal data.
Yes, I am once again challenging the age-old ISO concept, much to the discomfort of some professionals who have a role-set problem as ISO auditors. But this is inevitable as society moves from Information Security of all data as one objective to Information Security under ITA 2000 and Personal Data Security under DPDPA 2023 (and other laws) as an objective of protecting personal and non-personal data together in an organization. It is for the same reason that I repeatedly hold that ISO 27001 is necessary but not sufficient for Personal Data Protection, and that we need to implement DGPSI instead as the framework of choice.
Request for comments from professionals.