GRC External

ISO 27001 provides a framework for managing information security. It involves establishing an Information Security Management System (ISMS) using a Plan-Do-Check-Act model. Key aspects include risk management, policy and procedure documentation, compliance monitoring, and regular audits and training. Maintaining long-term compliance requires continual improvement efforts.

Uploaded by

AVI SAR

ISO 27001

ISO 27001 provides a framework of standards for how a modern organization should manage their
information and data. Risk management is a key part of ISO 27001, ensuring that a company or non-
profit understands where their strengths and weaknesses lie. Companies of all sizes need to recognize
the importance of cybersecurity, but simply setting up an IT security group within the organization is not
enough to ensure data integrity. An ISMS is a critical tool, especially for groups that are spread across
multiple locations or countries, as it covers all end-to-end processes related to security.

An ISMS (information security management system) should exist as a living set of documentation within
an organization for the purpose of risk management. Decades ago, companies would actually print out
the ISMS and distribute it to employees for their awareness. Today, an ISMS should be stored online in a
secure location, typically a knowledge management system. Employees need to be able to refer to the
ISMS at any time and be alerted when a change is implemented. When seeking ISO 27001 certification,
the ISMS is the chief piece of reference material used to determine your organization’s compliance level.

The main clauses of ISO 27001:2013 are:

1. Context of the Organization – explains what stakeholders should be involved in the creation and
maintenance of the ISMS.
2. Leadership – describes how leaders within the organization should commit to ISMS policies and
procedures.
3. Planning – covers an outline of how risk management should be planned across the organization.
4. Support – describes how to raise awareness about information security and assign
responsibilities.
5. Operation – covers how risks should be managed and how documentation should be performed
to meet audit standards.
6. Performance Evaluation – provides guidelines on how to monitor and measure the performance
of the ISMS.
7. Improvement – explains how the ISMS should be continually updated and improved, especially
following audits.
8. Reference Control Objectives and Controls – provides an annex detailing the individual elements
of an audit.

The documentation for ISO 27001 breaks down the best practices into 14 separate control domains:

1. Information Security Policies
2. Organisation of Information Security
3. Human Resource Security
4. Asset Management
5. Access Control
6. Cryptography
7. Physical and Environmental Security
8. Operations Security
9. Communications Security
10. System Acquisition, Development and Maintenance
11. Supplier Relationships
12. Information Security Incident Management
13. Information Security Aspects of Business Continuity Management
14. Compliance

Certification - Earning an initial ISO 27001 certification is only the first step to being fully compliant.
Maintaining the high standards and best practices is often a challenge for organizations, as employees
tend to lose their diligence after an audit has been completed. It is leadership’s responsibility to make
sure this doesn’t happen. Given how often new employees join a company, the organization should hold
quarterly training sessions so that all members understand the ISMS and how it is used. Existing
employees should also be required to pass a yearly test that reinforces the fundamental goals of ISO
27001.

In order to remain compliant, organizations must conduct their own ISO 27001 internal audits once
every three years. Cybersecurity experts recommend doing it annually so as to reinforce risk
management practices and look for any gaps or shortcomings. The certification cycle is as follows:

1. Original Certification: Full Audit
2. Surveillance Audit: High-level Audit
3. Surveillance Audit: High-level Audit
4. Re-Certification: Full Audit

ISO 27001 checklist: 12 steps for the implementation

1. Project planning
2. Current state assessment
3. Information asset profiling
4. Risk assessment
5. Risk treatment planning
6. Design/fine-tune security policy and procedures
7. Policy and procedure roll-out
8. Implementation of the risk treatment plan
9. Internal compliance assessment
10. Stage I audit (documentation and walk-through)
11. Corrective and preventive action
12. Stage II audit (implementation audit)

Benefits:

1. Providing a framework for resolving security issues, focusing only on those relevant to your
specific organisation
2. Enhancing the confidence and perception of your clients, stakeholders and partners
3. Increasingly becoming a differentiator in contract tenders
4. Breeding internal and external confidence in the management of risk within your organisation
5. Increasing security awareness throughout the business via staff training and involvement
6. Helping develop best practice
7. Demonstrating, through adherence to the Standard, that business continuity is managed
professionally and vigilantly in the event of a catastrophe

Establishing the ISMS -

The standard adopts the “Plan-Do-Check-Act” (PDCA) model, which is applied to structure all ISMS processes:

• Plan: establish the ISMS policies and objectives relevant to managing risk.
  The organization should ...
  o Define the ISMS scope and policy
  o Identify and assess the risks
  o Manage risks through control objectives and controls
  o Prepare the Statement of Applicability
• Do: implement and operate the ISMS policy.
  The organization should ...
  o Formulate and implement a risk mitigation plan
  o Implement the controls selected to meet the control objectives
• Check: assess and measure process performance against the policy.
  The organization should ...
  o Perform monitoring procedures
  o Conduct periodic reviews of effectiveness
  o Review the level of acceptable and residual risk
  o Conduct internal ISMS audits at planned intervals
• Act: take corrective and preventive actions based on the results of the internal ISMS audit.
  The organization should ...
  o Implement the identified improvements in the ISMS
  o Take appropriate corrective and preventive actions
  o Maintain communications with all stakeholders
  o Validate the improvement

PCI-DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for
organizations that handle branded credit cards from the major card schemes.
PCI DSS was developed to enhance cardholder data security and facilitate broad adoption of consistent
data security measures globally.
Goal: managing the ongoing evolution of the Payment Card Industry Data Security Standard.
The PCI Council is independent of the payment brands.
PCI DSS provides a baseline of technical and operational requirements designed to protect account data.
It applies to any entity that stores, processes and/or transmits cardholder data (CHD) and/or sensitive
authentication data (SAD).

Famous Examples of Credit Card Breaches -

• Heartland Payment Systems
  Date: March 2008
  Impact: 134 million credit cards exposed through SQL injection to install spyware on Heartland's data
  systems.
  Cost of breach: $145 million
• Target Stores
  Date: December 2013
  Impact: Credit/debit card information and/or contact information of up to 110 million people
  compromised
  Cost of breach: $162 million
• Sony's PlayStation Network
  Date: April 20, 2011
  Impact: 77 million PlayStation Network accounts hacked; estimated losses of $171 million while the
  site was down for a month.

6 Major Principles –
• Build and maintain a secure network.
• Protect cardholder data.
• Maintain a vulnerability management program.
• Implement strong access control measures.
• Regularly monitor and test networks.
• Maintain an information security policy.

Principles and Requirements

• Build and maintain a secure network.
1. Install and maintain a firewall configuration to protect cardholder data - All systems must be
protected from unauthorised access from untrusted networks, whether entering via the internet as
e-commerce, employee internet access through desktop browsers, employee email access, dedicated
connections such as business-to-business connections, wireless networks, or other sources.
2. Do not use vendor-supplied defaults for system passwords and other security parameters -
Malicious individuals (external and internal to an entity) often use vendor default passwords and
other vendor default settings to compromise systems. These passwords and settings are well
known in hacker communities and are easily determined via public information.
• Protect cardholder data.
3. Protect stored cardholder data - Protection methods such as encryption, truncation, masking and
hashing are critical components of cardholder data protection. If an intruder circumvents security
controls and gains access to encrypted data, without the proper cryptographic keys the data is
unreadable and unusable to that person. Other effective methods of protecting stored data should
also be considered as potential risk mitigation opportunities.
4. Encrypt transmission of cardholder data across open, public networks - Sensitive information
must be encrypted during transmission over networks that are easily accessed by malicious
individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and
authentication protocols continue to be targets of malicious individuals who exploit these
vulnerabilities to gain privileged access to cardholder data environments.
• Maintain a vulnerability management program.
5. Protect all systems against malware and regularly update anti-virus software or programs -
Antivirus software must be used on all systems commonly affected by malware to protect systems
from current and evolving malicious software threats. Additional anti-malware solutions may be
considered as a supplement to the antivirus software; however, such additional solutions do not
replace the need for antivirus software.
6. Develop and maintain secure systems and applications - Unscrupulous individuals use security
vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by
vendor-provided security patches, which must be installed by the entities that manage the systems.
All systems must have all appropriate software patches to protect against the exploitation and
compromise of cardholder data by malicious individuals and malicious software.
• Implement strong access control measures.
7. Restrict access to cardholder data by business need to know - To ensure critical data can only be
accessed by authorised personnel, systems and processes must be in place to limit access based
on need to know and according to job responsibilities. “Need to know” is when access rights are
granted to only the least amount of data and privileges needed to perform a job.
8. Identify and authenticate access to system components - Assigning a unique ID to each person
ensures that each individual is uniquely accountable for their actions. When such accountability is
in place, actions taken on critical data systems are performed by, and can be traced to, known and
authorised users and processes.
9. Restrict physical access to cardholder data - Any physical access to data or systems that house
cardholder data provides the opportunity for individuals to access devices or data and to remove
systems or hard copies, and should be appropriately restricted.
• Regularly monitor and test networks.
10. Track and monitor all access to network resources and cardholder data - Logging mechanisms
and the ability to track user activities are critical in preventing, detecting or minimising the impact
of a data compromise. The presence of logs in all environments allows thorough tracking, alerting
and analysis when something goes wrong. Determining the cause of a compromise is very
difficult, if not impossible, without system activity logs.
11. Regularly test security systems and processes - Vulnerabilities are discovered continually by
malicious individuals and researchers, and are introduced by new software. System components,
processes and system software should be tested frequently to ensure security controls continue to
reflect the changing environment.
• Maintain an information security policy.
12. Maintain a policy that addresses information security for all personnel - A strong security policy
sets the security tone for the whole entity and informs personnel what is expected of them. All
personnel should be aware of the sensitivity of data and their responsibilities for protecting it. For
the purpose of requirement 12, “personnel” refers to full-time and part-time employees,
temporary employees, contractors and consultants who are “resident” on the entity’s site or
otherwise have access to the cardholder data environment.
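Requirement 3 above names encryption, truncation, masking and hashing as ways to make stored cardholder data unreadable. The following is an added example in Python, not part of the original notes: it masks and truncates a primary account number (PAN), tokenises it with a keyed hash (a plain hash of a PAN is brute-forceable because the PAN space is small), and scans constructed log lines for clear-text PANs with a Luhn filter, the kind of check used when assessing requirements 3 and 10. The sample card number, the key and the log lines are all constructed.

```python
import hashlib
import hmac
import re

# Constructed sample data for this example: a well-known test card number
# (not a real account) and a demo HMAC key. A real key belongs in an HSM or
# key-management service, never in source code.
SAMPLE_PAN = "4111111111111111"
DEMO_KEY = b"constructed-demo-key-do-not-use"


def luhn_valid(pan: str) -> bool:
    """Return True if a digits-only string of 13 to 19 characters passes the
    Luhn mod-10 check that payment card numbers use."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _pan_digits(pan: str) -> str:
    """Strip spaces/dashes and refuse anything that is not a plausible PAN."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits


def mask_pan(pan: str) -> str:
    """Mask a PAN for display. PCI DSS requirement 3.3 allows at most the first
    six and last four digits to be shown; the rest becomes '*'."""
    digits = _pan_digits(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Truncate a PAN for storage: keep only the last four digits, which are
    not enough to reconstruct the account number."""
    return _pan_digits(pan)[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """One-way keyed hash (HMAC-SHA256) of the full PAN.

    A plain SHA-256 of a PAN is weak protection: the first six digits (BIN)
    are usually known and the Luhn check leaves only about 10^9 candidates,
    so an unkeyed hash can be brute-forced. A secret key makes the token
    useless to anyone who obtains the token store alone.
    """
    return hmac.new(key, _pan_digits(pan).encode(), hashlib.sha256).hexdigest()


# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits or dashes on either side.
_PAN_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs found in free text such as application logs.

    Clear-text PANs in logs are a common requirement 3 finding: logs are
    retained and copied widely, so the PAN is stored cardholder data wherever
    the log goes. The Luhn filter keeps timestamps and IDs from matching.
    """
    found = []
    for match in _PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for each line that leaks a PAN, so the
    finding itself does not reproduce the cardholder data."""
    return [(n, mask_pan(pan))
            for n, line in enumerate(lines, start=1)
            for pan in find_pans(line)]


if __name__ == "__main__":
    # Constructed log lines: one leaks a PAN, one is already masked, one holds a
    # long transaction id that must not trigger a false positive.
    constructed_log = [
        "2024-03-01T10:15:00Z order=9123 card=4111-1111-1111-1111 amount=42.00",
        "2024-03-01T10:15:01Z order=9124 card=411111******1111 amount=13.50",
        "2024-03-01T10:15:02Z txn=20240301101502000 status=ok",
    ]
    print("masked:   ", mask_pan(SAMPLE_PAN))
    print("truncated:", truncate_pan(SAMPLE_PAN))
    print("token:    ", pan_token(SAMPLE_PAN, DEMO_KEY)[:16] + "...")
    for line_no, masked in scan_log(constructed_log):
        print(f"line {line_no}: clear-text PAN {masked}")
```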

PCI DSS Assessment Process

1. Confirm the scope of the PCI DSS assessment.
2. Perform the PCI DSS assessment of the environment, following the testing procedures for each
requirement.
3. Complete the applicable report for the assessment (i.e., Self-Assessment Questionnaire (SAQ) or
Report on Compliance (ROC)), including documentation of all compensating controls, according to
the applicable PCI guidance and instructions.
4. Complete the Attestation of Compliance for Service Providers or Merchants, as applicable.
5. Submit the SAQ or ROC, and the Attestation of Compliance, along with any other requested
documentation (such as ASV scan reports) to the acquirer (for merchants) or to the payment
brand or other requester (for service providers).
6. If required, perform remediation to address requirements that are not in place, and provide an
updated report.

Entities in the Payment Ecosystem -

1. PCI DSS Entities: Acquiring Bank
• This is the bank with which a business or merchant holds its funds.
• The acquiring bank outfits merchants with card readers and equipment to accept card payments.
• The acquiring bank deposits funds into the merchant’s account once a credit sale goes through.
• Examples: HSBC, Chase, Wells Fargo
2. PCI DSS Entities: Payment Brands
• Payment brands transport data between the issuing bank and the merchant.
• Payment brands are responsible for setting interchange and assessments.
• The most common payment brands are Visa, MasterCard, American Express, JCB and Discover.
3. PCI DSS Entities: Issuers
• Issuing bank: this is the cardholder’s bank, which gave him or her the credit card they’re using at
the merchant’s store.
• The issuing bank determines whether the cardholder has the appropriate funds to complete a
transaction, and then releases the funds so that the transaction can settle.
• Examples of issuing banks are HSBC, Citi, etc.
4. PCI DSS Entities: Merchants
• A merchant is any entity that accepts payment cards bearing the logos of any of the five
members of PCI SSC (American Express, Discover, JCB, MasterCard and Visa) as payment for
goods and/or services.

HIPAA

• Health Insurance Portability & Accountability Act of 1996
• Provides a framework for the establishment of nationwide protection of patient confidentiality,
security of electronic systems, and standards and requirements for electronic transmission of
health information.
• Designed to protect the privacy of individually identifiable patient information.
• Provides for the electronic and physical security of health and patient medical information.
• Simplifies billing and other electronic transactions through the use of standard transactions
and code sets (billing codes), improving efficiency.
• Applies to health plans as well as their employees and other members of the workforce.

HIPAA is applicable to covered entities:

Healthcare providers
• Transmit information electronically.
• Physicians, hospitals, or any other provider who has direct or indirect patient contact.
Health plans
• An individual or group plan that provides or pays the cost of medical care. The law specifically
includes many types of organizations and government programs as health plans.
• Insurance companies or similar agencies that pay for healthcare.
Healthcare clearing houses
• Companies that facilitate the processing of health information for billing purposes.
• A public or private entity, including a billing service, community health management information
system or community health information system, and networks and switches that either process
or facilitate the processing of health information received from another entity.
Health care
• Care, services, or supplies related to the health of an individual, including (1) preventive,
diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counselling, service,
assessment, or procedure with respect to the physical or mental condition, or functional status,
of an individual that affects the structure or function of the body; and (2) sale or dispensing of a
drug, device, equipment, or other item in accordance with a prescription.

HIPAA Rules - Privacy and security are addressed separately under two distinct rules under HIPAA.

Privacy Rule
Sets the standards for how protected health information should be controlled.
Defines who is authorised to access information and includes the right of individuals to keep information
about themselves from being disclosed.
Privacy is the ability of an individual or group to seclude themselves or information about themselves
and thereby reveal themselves selectively. The boundaries and content of what is considered private
differ among cultures and individuals, but share basic common themes. Internet privacy is the desire or
mandate of personal privacy concerning transactions or transmission of data via the Internet. It involves
the exercise of control over the type and amount of information a person reveals about himself on the
Internet and who may access such information. Privacy deals with the revelation and use of (personal)
data.

Security Rule
Defines the standards that require covered entities to implement basic safeguards to protect their
electronic protected health information (ePHI).
Security is the ability to control access and protect information from accidental or intentional disclosure
to unauthorised persons and from alteration, destruction or loss.
Security is the degree of protection against danger, damage, loss, and criminal activity. Security as a form
of protection refers to structures and processes that provide or improve security as a condition. Information
security means protecting information and information systems from unauthorized access, use,
disclosure, disruption, modification, perusal, inspection, recording or destruction. Security deals with the
control of data.

Three types of HIPAA violations:

• Incidental: If reasonable steps are taken to safeguard a patient’s information and a visitor
happens to overhear or see PHI that you are using, you will not be liable for that disclosure.
• Accidental: If you mistakenly disclose PHI or provide confidential information to an unauthorized
person, or if you breach the security of confidential data, you must acknowledge the mistake and
notify your supervisor and the Privacy Officer immediately. Learn from the error and help revise
procedures (when necessary) to prevent it from happening again.
• Intentional: If you ignore the rules and carelessly or deliberately use or disclose protected health
or confidential information, you can expect disciplinary action, up to and including termination,
and civil and/or criminal charges.

HIPAA Compliance Steps –

• Determine which of the required annual audits and assessments are applicable to your organization.
• Conduct the required audits and assessments, analyze the results, and document any deficiencies.
• Document your remediation plans, put the plans into action, review annually, and update as
necessary.
• If the organization has not already done so, appoint a HIPAA Compliance, Privacy and/or Security
Officer.
• Ensure the designated HIPAA Compliance Officer conducts annual HIPAA training for all members of
staff.
• Ensure HIPAA training and staff member attestation of HIPAA policies and procedures are documented.
• Perform due diligence on Business Associates to assess HIPAA compliance and annually review BAAs.
• Review processes for staff members to report breaches and how breaches are notified to HHS OCR.

Patient’s Rights under HIPAA –

HIPAA’s focus is on the rights of the patient and the confidentiality of their information. Under HIPAA,
patients have the following key rights:
• Right to request amendment of their medical record
• Right to request to inspect and copy their record
• Right to restrict what information can be released and to whom
• Right to receive confidential communication
• Right to complain about a disclosure of their PHI

HIPAA Rules:
• HIPAA Privacy: Privacy Officer, employee training (individuals having access to PHI), documents and
controls.
• HIPAA Security: Security Officer, employee training (individuals implementing HIPAA Security
controls), security risk assessment, documents and controls.

PHI – Protected Health Information

• Asset: health information about a patient.
• Individually identifiable information.
• Physical or psychological status of an individual, whether past, present or future, that is created,
collected or otherwise in the care of a covered entity such as a health plan, provider, school,
university or other entity, and relates in any way to the provision of care or payment for that care,
regardless of time frame.
• PHI should be shared only with agencies and individuals who have a need for the information.
• HIPAA limits many uses and disclosures of health information to the “minimum necessary” amount
needed for the task.
• HIPAA regulations require covered entities to protect patients’ PHI in all media including, but not
limited to, PHI created, stored, or transmitted in/on the following media:
1. Verbal discussions (e.g. in person or on the phone)
2. Written on paper (e.g. charts, progress notes, encounter forms, prescriptions, x-ray orders,
referral forms and explanation of benefits (EOB) forms)
3. Computer applications and systems (e.g. electronic health record (EHR), practice
management, lab and x-ray systems)
4. Computer hardware/equipment (e.g. PCs, laptops, PDAs, pagers, fax machines, servers and
cell phones)

What are permitted uses of PHI?

• Treatment (patient care): activities directly related to providing, coordinating or managing the
health care of patients
• Payment: administrative activities associated with billing and reimbursement
• Healthcare operations: most other activities in support of core functions

Examples of PHI –
• Name, photograph, date of birth
• Social security number, passport number
• Physical and mental condition
1. Past history of a condition
2. Present condition
3. Plans or predictions about the future of a condition
• Health information from records
1. Who provided care
2. What type of care was given
3. Where care was given
4. Why care was given
• An individual’s health care payment and billing forms
1. Who was paid
2. What services were covered by the payment
3. Where payment was made
4. When payment was made
5. How payment was made
• Address, telephone number, fax, email ID
• Admission date, medical record number
• Fingerprints, health status, diagnosis
• Clinical records

Safeguards as per the Act -

A covered entity must have in place appropriate administrative, technical and physical safeguards to
protect the privacy of protected health information. A covered entity must reasonably safeguard
protected health information from any intentional or unintentional use or disclosure that is in violation
of the standards, implementation specifications or other requirements of this subpart.

Administrative safeguards
• Policies, processes and procedures.
• Define the basis of security.
• The most current version of a given policy, process and procedure should be in active circulation and
use.
• All documents are reviewed periodically to ensure no violation, and routine spot checks are
performed to double-check adherence by the workforce. E.g. training, awareness and BVG.

Technical safeguards
• Electronic or mechanical measures such as combination keypads, closed-circuit camera systems,
password controls, system access passwords or PIN numbers for sensitive files, etc.
• E.g. passwords, encryption, a logical access control list defining 'how' and 'what' data a user can access.

Physical safeguards
• Measures taken with respect to the premises, storage containers, rooms and the like where the PHI
is kept.
• Security guards, lockable storage containers, access control lists, paper or electronic identification
packages and other such items that control access to the PHI or the system that stores it.
• E.g. media handling, a physical access control list defining 'how' and 'what' a user can access within
the facility.

CSO – The chief security officer (CSO) is the company executive responsible for the security of
personnel, physical assets, and information in both physical and digital form. The importance of this
position has increased in the age of information technology (IT) as it has become easier to steal sensitive
company information.
Responsibilities of the CSO - The CSO is responsible for executing and overseeing, among others, the
following duties:

• Day-to-day operations: Implementing and overseeing strategies to assess and mitigate risk,
safeguarding the corporation and its assets, crisis management.
• Security: Developing, implementing, and maintaining security processes and policies, identifying
and reducing risks, limiting liability and exposure to informational, physical, and financial risk.
• Compliance: Making sure the company is compliant with local, national and global regulations,
especially in areas like privacy, health, and safety.
• Innovation: Conducting research and executing security management solutions to help keep the
organization safe.

CTO - A chief technology officer (CTO) is the executive in charge of an organization's technological needs
as well as its research and development (R&D). Also known as a chief technical officer, this individual
examines the short- and long-term needs of an organization and utilizes capital to make investments
designed to help the organization reach its objectives. The CTO usually reports directly to a company's
chief information officer (CIO), but may also report to the chief executive officer (CEO) of the firm.
CPO - A chief product officer (CPO) is a corporate title referring to an executive who leads the entire
product organization. Alternatively, the CPO is known as VP of product or head of product. A CPO is
responsible for the strategic product direction. Usually, it includes product vision, product innovation,
product design, product development, project management, and product marketing. In many tech
companies, this position also provides distribution, manufacturing, and procurement.
A CPO’s primary objectives include:

1. Leading the PM organization, supervising PM managers, and mentoring their team
2. Creating a vision and strategy for the entire PM organization
3. Marketing and evangelizing products from concept to launch
4. Research that leads to informed decision-making across the organization

CIO - IT Director - Chief Information Officer (CIO)

• Responsible for strategic planning and the structure of the IT department.
• Facilitates business operations and requirements.
• Reports to the CEO or CFO.
• Responsible for advising the CEO on strategic planning that affects management.
• Responsible for the success of the security program.

COBIT
COBIT stands for Control Objectives for Information and related Technology. It is a framework created by
the ISACA (Information Systems Audit and Control Association) for IT governance and management. It
was designed to be a supportive tool for managers—and allows bridging the crucial gap between
technical issues, business risks, and control requirements. COBIT is essential to developing, controlling,
and maintaining risk and security for enterprises around the world, regardless of your industry.

The five COBIT 5 principles:

1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management

These five principles enable an organisation to build a holistic framework for the governance and
management of IT that is built on seven ‘enablers’:

1. Principles, policies and frameworks
2. Processes
3. Organisational structures
4. Culture, ethics and behaviour
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies

Together, the principles and enablers allow an organisation to align its IT investments with its objectives
to realise the value of those investments.

The COBIT 5 Framework

• COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising
benefits and optimising risk levels and resource use.
• COBIT 5 enables information and related technology to be governed and managed in a holistic
manner for the entire enterprise, taking in the full end-to-end business and functional areas of
responsibility, considering the IT-related interests of internal and external stakeholders.
• The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether
commercial, not-for-profit or in the public sector.

Benefits – The COBIT 5 framework can help organisations of all sizes:

• Improve and maintain high-quality information to support business decisions;
• Use IT effectively to achieve business goals;
• Use technology to promote operational excellence;
• Ensure IT risk is managed effectively;
• Ensure organisations realise the value of their investments in IT; and
• Achieve compliance with laws, regulations and contractual agreements.

COBIT 5 – Implementation Cycle

• Business case for the implementation and improvement of the governance and management of IT
• Recognising typical pain points and trigger events
• Creating the appropriate environment for implementation
• Identifying gaps and guiding the development of enablers such as policies, processes, principles,
organisational structures, and roles and responsibilities

Sarbanes-Oxley Act

The Sarbanes-Oxley Act, more popularly known as the SOX Act, was passed in 2002 in the wake of a
number of notable corporate accounting scandals, including Enron and WorldCom. It is also known as the
'Public Company Accounting Reform and Investor Protection Act' and the 'Corporate and Auditing
Accountability and Responsibility Act'. This law set new or enhanced standards for all U.S. public
company boards, management and public accounting firms. It is named after its sponsors, U.S. Senator
Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley. The main intent of this law is that top
management must now individually certify the accuracy of financial information.
• Purpose – to protect investors' and stakeholders' interests by improving the accuracy and reliability of
corporate and financial disclosures.
• Applicability – all publicly traded companies in the US, as well as foreign companies that are publicly
traded and do business in the US.
• Requirement – top management (CEO and CFO) must individually certify the accuracy of financial
information on annual and quarterly reports.

Public Company Accounting Oversight Board

 The PCAOB is a non-profit corporation created by Congress in 2002 under Title I of the SOX Act.
 It serves as the watchdog, or regulator, for the auditing industry.
 Audit firms were previously self-regulated; the major failures around Enron led to the creation of the PCAOB to ensure that the audit industry does a good job and that auditors maintain their independence.
 The SEC, a government agency, appoints its five board members (one of whom serves as chairperson). Although it is an independent non-profit corporation, it is therefore tied to this governmental agency.
 The SEC oversees the activities of the PCAOB and approves its budget and its rules.
 The PCAOB is funded mainly by accounting support fees paid by publicly traded companies, i.e. the companies whose audits it oversees.
Its Role –

 All firms that audit publicly traded companies must register with the PCAOB.
 It is the standard setter for the audit of public companies, issuing auditing standards (which build on the profession's generally accepted auditing standards, GAAS) that define how an audit is to be properly performed.
 Registered firms must follow the standards set by the PCAOB.
 The PCAOB monitors registered firms on an ongoing basis by inspecting a sample of the audits they have performed.

SOX -
The act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to issue the rules that set out how to comply with the law.
•Title I: Public Company Accounting Oversight Board
•Title II: Auditor Independence
•Title III: Corporate Responsibility
•Title IV: Enhanced Financial Disclosures
•Title V: Analyst Conflicts Of Interest
•Title VI: Commission Resources And Authority
•Title VII: Studies & Reports
•Title VIII: Corporate and Criminal Fraud Accountability
•Title IX: White Collar Crime Penalty Enhancement
•Title X: Corporate Tax Returns
•Title XI: Corporate Fraud Accountability

SOX - Section 302

 Section 302 focuses on disclosure controls and procedures and on the accountability of the signing officers (CEO and CFO), who personally attest that the financial information in the quarterly 10-Q and annual 10-K reports filed with the SEC is accurate and reliable.
 By signing, they are:
 Confirming that they have reviewed the report
 Stating that, based on their knowledge, the report does not contain false or misleading statements or omit necessary material information
 Affirming that the financial statements and other financial information fairly present the financial condition and results of operations of the company for the periods covered by the report
Requirements:
 Certify financial reports quarterly and annually
 Disclose to the auditors and the audit committee all significant deficiencies and material weaknesses in internal controls
 Disclose any fraud, whether or not material, involving management or other employees who have a significant role in internal controls

Responsible:
 In case of failure, the CEO and CFO are held accountable.

SOX - Section 404

Section 404 requires companies to annually assess and report on the effectiveness of their internal controls and procedures for financial reporting. Controls are evaluated and reported in two phases -
 Design of the internal controls
 Operating effectiveness of the controls

The results of the testing must be:

 Reviewed by management
 Categorised, for every control testing failure, as a deficiency, a significant deficiency or a material weakness
 Reported, as deficiencies, to the Audit Committee and the Board of Directors
 Disclosed, in the case of material weaknesses, in the company's annual 10-K report
 Attested to by an independent external auditor, who must report on management's assessment of internal control (Section 404(b); smaller, non-accelerated filers are exempt from this auditor attestation)

Requirements:
 The act requires management to produce an "internal control report" as part of each annual Exchange Act report.
 The report must affirm "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting" and contain management's assessment of the effectiveness of that structure and those procedures as of the end of the fiscal year.
 Certification is by quarterly review (Section 302) and annual review (Section 404).

Responsible
 Management
 Independent auditor

Data Privacy:
Data privacy is the part of data protection that deals with the proper handling (collection, storage, management and sharing) of personal data, as well as compliance with the applicable privacy laws (such as GDPR).
3 Key Elements of Data Privacy:
1. The right of an individual to be left alone and to have control over their personal data,
2. Procedures for the proper handling, processing, collection and sharing of personal data,
3. Compliance with data protection laws.

Data Subject Rights -


 Right to be Informed
 Right to Access
 Right to Rectification and Right to Erasure
 Right to Restrict Processing
 Right to Data Portability
 Right to Object, and rights in relation to Automated Decision Making and Profiling
 Withdrawal of Consent

Principles of Data Privacy –

 Lawfulness, fairness and transparency – personal data must be processed in a lawful, fair and transparent manner in relation to the data subject.
 Purpose limitation – personal data are to be collected only for specified, explicit and legitimate purposes and must not be further processed in a way that is incompatible with those purposes.
 Data minimisation – personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
 Accuracy – personal data must be accurate and, where necessary, kept up to date.
 Storage limitation – personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of the processing.
 Integrity and confidentiality – personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
 Accountability – the controller is responsible for, and must be able to demonstrate, compliance with the principles listed in Article 5(1) GDPR (principles relating to the processing of personal data); this is set out in Article 5(2).

Difference between data Privacy and Data Security –

Data Privacy - Data Privacy focuses on the rights of individuals, the purpose of data collection and
processing, privacy preferences, and the way organizations govern personal data of  data subjects. It
focuses on how to collect, process, share, archive, and delete the data in accordance with the law.

Data Security - Data Security includes the set of standards, safeguards and measures that an organization takes in order to prevent unauthorized access to digital data by any third party, and any intentional or unintentional alteration, deletion or disclosure of data. It focuses on protecting data from malicious attacks and on preventing the exploitation of stolen data (after a data breach or cyber-attack). It includes access control, encryption, network security, etc.

What is EU GDPR? - EU GDPR stands for the General Data Protection Regulation (Regulation (EU) 2016/679)


Aim? - GDPR aims to protect the personal data of natural persons within the EU/EEA
Scope?
 Controller Scope – Organisations anywhere in the world that are established in the EU, or that offer goods or services to, or monitor the behaviour of, people in the EU (Article 3)
 Data Subject Scope – Any natural person within the EU territory
 Territorial Scope – EU/EEA

Terminologies –
 Data Subject – the natural person whose data is being used
 Data Controller – the one who determines the purposes and the means of the processing
 Data Processor – the one who processes the data on behalf of the controller
 Sub-Processor – the one who processes the data on behalf of the processor
 Personal data – any information which can directly or indirectly identify the data subject
 Special Category personal data – sensitive personal data, e.g. biometric data, health data, political opinions or religious beliefs
 Data Processing Agreement – the legally binding contract between controller and processor (Article 28)

Key Concepts –
Data Subject Request management – respond within 1 month of the date of the request; an extension of 2 further months is available where requests are complex or numerous (Article 12)
Data breach management – notify the supervisory authority (SA) within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals; data subjects must also be notified where the breach is likely to result in a high risk to them (Articles 33 and 34)
Data Protection Officer – not all organisations need to appoint a DPO; it is mandatory for (Article 37):
 Public authorities
 Organisations whose core activities involve large-scale, regular and systematic monitoring of individuals
 Organisations whose core activities involve large-scale processing of special category or criminal offence data

DPIA – a Data Protection Impact Assessment is required where processing is likely to result in a high risk to individuals, in particular for (Article 35):
 Systematic and extensive profiling with significant effects;
 Processing of special category or criminal offence data on a large scale;
 Systematic monitoring of publicly accessible places on a large scale.

SOC Reporting –
System and Organization Controls (SOC) reports give companies confidence that their service providers, or potential service providers, are operating in a controlled and compliant manner. No one likes to hear the word audit, but SOC reports establish credibility and trustworthiness for a service provider, a competitive advantage that is worth both the time and the monetary investment.

SOC reports use independent, third-party auditors (licensed CPA firms) to examine various aspects of a company, such as:

 Security

 Availability

 Processing Integrity

 Confidentiality

 Privacy

 Controls related to financial reporting

 Controls related to Cybersecurity

The first five are the AICPA Trust Services Criteria covered by SOC 2 and SOC 3 reports; controls related to financial reporting are the subject of SOC 1 reports, and cybersecurity risk management is covered by the SOC for Cybersecurity report.

Benefit of obtaining a SOC report -

A number of service organizations are required to undergo a SOC examination, including payroll and medical claims processors, data center companies, loan servicers, and Software as a Service (SaaS) providers that may touch, store, process or impact the financials or sensitive data of their user entities, or clients. However, any company with a business model based on providing a service to another company can benefit from a successful SOC examination. First and foremost, a SOC report is an independent, third-party validation of a service organization's commitment to evidencing the design and effective operation of its controls. It not only lets potential clients know that your company is legitimate, but going through the assessment process can point out weaknesses and flaws before a client does. Note the difference between report types: a Type I report covers only the design of the controls at a point in time, while a Type II report also covers their operating effectiveness over a review period (typically six to twelve months) and is the one most clients ask for.

SOC reporting can:


 reduce compliance costs and time spent on audits and filling out vendor questionnaires
 meet contractual obligations and marketplace concerns through flexible, customized reporting
 proactively address risks across your organization
 increase trust and transparency to internal and external stakeholders
