CY SYSTEMS Blog


Digital Personal Data Protection Bill 2023 in India: A Comprehensive Guide

The Union Cabinet has given its nod to the Digital Personal Data Protection (DPDP) Bill 2023 draft, which will be introduced in the upcoming monsoon session of Parliament (July 20 to August 11).

The main objective of the bill is to lay down a holistic legal framework that governs the collection, storage, processing, and transfer of personal data by entities, both governmental and private, operating within the boundaries of India.

The bill mandates the payment of fines for non-compliance with requirements such as seeking consent for the processing of data, making it crucial for organizations that handle personal data to understand how it will work.

This blog will tell you everything you need to know about the bill and provide useful steps that will help your organization prepare for its implementation.

Understanding the Key Aspects of the Bill

The DPDP Bill is all about protecting personal data in the digital age. It applies to any data about an individual that can identify them, whether it’s collected online or offline and then digitized. 

The DPDP Bill extends its reach to digital personal data processing that happens outside India, but only if it involves profiling or offering goods/services to individuals within India. In other words, an organization anywhere in the world that profiles, or offers goods or services to, individuals in India has to adhere to it when it handles their personal data.

Now, let’s discuss the responsibilities of those who handle personal data, known as data fiduciaries. First, they must process personal data lawfully and with the consent of the person it belongs to, also known as the data principal. They need to clearly communicate what kind of personal data they collect and for what purposes. And when it comes to children, they must get verifiable consent from their parents. If they don’t follow these rules, they could face penalties.

The DPDP Bill takes data breaches seriously. Both the data fiduciary and any data processor they work with must notify the Data Protection Board and the affected individuals in case of a breach. 

Data principals, the individuals whose personal data is being processed, have certain rights under the DPDP Bill. Some of these rights include:

A) The right to know if their data is being processed

B) The right to know what kind of data is involved

C) The right to know who it’s being shared with

D) The right to request corrections or deletions if the data is no longer necessary

If they’re not satisfied with how their concerns are addressed, they can file a complaint with the Data Protection Board.

Provisions of the Bill

The DPDP Bill 2023 will extend its legal umbrella to cover all online data (and offline data which is digitized) in India, ensuring comprehensive protection for personal information.

The contents of the Bill, the first draft of which was published in July 2018, will only be disclosed after the Parliament session. 

Here is a look at the key highlights of the bill based on what we learnt from the previous draft:

Government supervision

A Data Protection Board, established by the Union government, will regulate personal data matters, primarily enforcing compliance and imposing penalties. The government will influence the board’s composition, terms of service, and overall implementation of the law.

Data storage

Unlike earlier drafts, the current draft bill doesn’t require exclusive data storage in India, but it restricts cross-border data transfer to countries authorized by the Indian government.

Monetary penalties

The draft bill allows only monetary penalties for breaches or non-compliance, ranging from INR 50 crore to INR 250 crore, with a maximum penalty of INR 500 crore for significant data breaches.

Data of minors

Parental consent is mandatory for individuals under 18, although concerns exist about differentiating consent between toddlers and adolescents, the potential impact on personal development, and the violation of the Rights of the Child.

Data collection

Specific limitations on data collection have been removed, allowing data fiduciaries to collect personal data with the consent of the data principal while informing them of the relevant purpose for data collection.

Government exemptions

Government bodies can be exempted from regulations for reasons such as sovereignty, security, foreign relations, and public order, without specific criteria for exemptions.

Limited information requirements

The draft narrows the scope of information provided to data principals, focusing on personal data sought and the purpose of data processing, rather than extensive rights, grievance mechanisms, retention time, and data sources.

Missing provisions

It should be noted that the draft omits two important provisions:

Data portability

The right to data portability empowers data principals to access and examine their personal data in a structured format. It enables them to choose the platforms on which they want their data to be shared, eliminating the hassle of providing all their personal data again when switching platforms.

Foregone information

The omission of the right to foregone information creates confusion between the general right to erasure and the right to be forgotten, which could potentially undermine freedom of speech and expression for others.

Seven Core Pillars of the Bill

How it will affect Businesses and Organizations

The Data Protection Bill will have significant impacts on businesses and organizations that collect and process the personal data of Indian citizens. Here are some key areas of impact:

Compliance and Legal Obligations

The bill establishes compliance requirements and legal obligations for data-handling entities. Businesses and organizations will need to ensure they adhere to these obligations, such as obtaining consent for data processing, maintaining data accuracy, implementing security measures, and establishing mechanisms for data breach notification. Non-compliance can result in penalties and reputational damage.

Data Governance and Accountability

Robust data governance practices and accountability are a requisite of the bill. Organizations will need to establish policies and procedures for data handling, including data minimization, purpose limitation, and storage limitation. They will also need to appoint Data Protection Officers where required and demonstrate accountability in their data processing activities.

Consent Management

Obtaining valid consent from individuals for processing their personal data is mandated by the bill. Businesses and organizations will need to review their consent management practices to ensure they meet the bill’s requirements. They will also need to provide clear and transparent information to individuals regarding the purpose and extent of data processing.

Data Localization and Cross-Border Transfers

The bill addresses cross-border data flows and localization. The draft does not require that all personal data be stored exclusively in India, but it restricts transfers to countries authorized by the Indian government, and the government may still require certain categories of personal data to be stored within India. This may impact businesses that operate across borders or rely on international data transfers. They will need to evaluate their data storage and transfer practices to ensure compliance with the bill’s provisions.

Impact on Business Models and Innovation

The bill’s provisions may require businesses and organizations to make changes to their existing business models and data processing practices. It may impact data-driven innovation, as stricter regulations and requirements may introduce additional complexities and limitations on data usage. Organizations will need to assess the impact on their operations and adapt accordingly.

Increased Focus on Data Security 

The enforcement of proper data security and protection is highlighted by the bill. Businesses and organizations will need to implement appropriate technical and organizational measures to safeguard personal data from unauthorized access, breaches, and misuse. They may need to invest in robust cybersecurity infrastructure and regularly review their security practices.

Steps to take in preparation for DPDP Bill implementation

In order to be prepared for the bill’s implementation, organizations can take the following steps.

Conduct a data audit

Start by conducting a comprehensive audit of the personal data your organization collects, processes, and stores. Identify the types of data you handle, the purposes of processing, and the legal basis for processing.

Review and update policies

Review your existing privacy policies, consent mechanisms, and data-handling procedures. Update them to align with the requirements of the data protection bill, including provisions on consent, data minimization, purpose limitation, and data subject rights.

Implement strong data governance 

Establish robust data governance practices within your organization. This includes defining roles and responsibilities for data protection, appointing a Data Protection Officer (if required), and implementing internal policies and procedures to ensure compliance with the bill’s provisions.

Obtain valid consent

Review your consent management processes to ensure they meet the bill’s requirements. Implement mechanisms to obtain valid and informed consent from individuals, clearly explaining the purpose, extent, and duration of data processing. Ensure individuals can easily withdraw consent if they choose to do so.

Enhance data security measures

Strengthen your data security measures to protect personal data from unauthorized access, breaches, and misuse. Implement appropriate technical and organizational safeguards, such as encryption, access controls, regular vulnerability assessments, and employee training on data security best practices.

Develop a data breach response plan

Prepare a comprehensive data breach response plan that outlines the steps to be taken in case of a data breach. This includes timely identification and assessment of breaches, notification procedures for affected individuals and the Data Protection Board, and remedial actions to mitigate harm and prevent future incidents.

Conduct employee training

Educate your employees about the provisions of the data protection bill and their roles and responsibilities in ensuring compliance. Provide regular training sessions on data protection principles, privacy best practices, and the organization’s data-handling policies.

Establish vendor management processes

Review and update contracts with third-party vendors or processors to ensure they comply with the data protection bill’s requirements. Implement robust vendor management processes, including due diligence, contractual safeguards, and periodic assessments of their data protection practices.

Develop data subject rights procedures

Establish procedures for handling data subject rights requests, such as access, correction, erasure, and objection. Ensure these procedures are efficient, transparent, and compliant with the bill’s timelines and requirements.

Stay updated and seek legal advice

Regularly monitor updates and guidance from the Data Protection Board and relevant authorities regarding the interpretation and enforcement of the data protection bill. Consider seeking legal advice to ensure ongoing compliance and to address any specific concerns or questions related to your organization’s operations.

How we can help you

At CySYS, we have extensive experience in assisting companies with compliance across various frameworks. While the DPDP Bill is yet to be passed, we are fully prepared to help you navigate its requirements. Our expertise extends to compliance with GDPR, ISO 27001, SOC 2, and many other frameworks, making us well-equipped to assist you in preparing for the DPDP Bill.

We understand the challenges that come with regulatory compliance, and our aim is to make the process as seamless as possible for you. Whether it’s implementing the necessary security controls or managing your vendors, we will guide you through every step. If you’re seeking the support of experienced professionals to navigate this new framework, feel free to reach out to us. We’re here to help!

Storm-0558 Update

This post reviews Microsoft’s latest Storm-0558 findings and summarizes the key learnings cloud customers should take away from the incident.

On September 6th, 2023, Microsoft published a follow-up to their initial investigative report from July 11th about Storm-0558 — a threat actor attributed to China who managed to acquire a signing key that allowed them to gain illicit access to Exchange and Outlook accounts. Microsoft should be applauded for the high level of transparency they have shown, and their willingness to share this information with the community. However, we feel that the latest blog post raises as many questions as it answers.

Estimated attack flow leading to MSA signing key capture by Storm-0558

Newly revealed information

The following is a summary of the new information provided in Microsoft’s latest report about how the signing key may have been compromised by the threat actor (see the diagram above for a visual representation of the attack flow as we currently understand it):

  • There is evidence that a Microsoft engineer’s corporate account was compromised by Storm-0558 “[at some point] after April 2021”, using an access token obtained from a machine infected with malware.
  • This engineer had permission to access a debugging server in Microsoft’s corporate network.
  • This debugging server contained a crash dump that originated in a signing system located in Microsoft’s isolated production network.
  • This crash dump, which was the result of a crash that occurred in April 2021, contained the aforementioned MSA signing key.
  • The inclusion of the signing key in this crash dump was the result of a bug, and a separate bug caused the signing key to remain undetected on the debugging server.
  • Based on the events described above, Microsoft has concluded that the most likely method by which Storm-0558 acquired the MSA signing key was through this compromised account, by accessing the debugging server and exfiltrating the crash dump that contained the key material.

Besides providing the above information about how the key was most likely to have been compromised, Microsoft’s latest report also publicly corroborates our own conclusions (published July 21st) about the contributing factors to this incident, namely:

  1. Prior to the discovery of this threat actor in June 2023, the Azure AD SDK (described in the report as a “library of documentation and helper APIs”) did not include functionality to properly validate an authentication token’s issuer ID. In other words, as we explained in our previous blog post, any application relying solely on the SDK for implementing authentication would have been at risk of accepting tokens signed by the wrong key type.
  2. As mentioned in Microsoft’s original report, Exchange was affected by a vulnerability that caused it to accept Azure AD authentication tokens as valid even though they were signed by an MSA signing key – this vulnerability was ultimately exploited by Storm-0558 to gain access to enterprise accounts. In their latest report, Microsoft clarified that this issue was in fact a result of the missing validation functionality in the SDK: at some point in 2022, the development team in charge of authentication in Exchange incorrectly assumed that the Azure AD SDK performed issuer validation by default. This caused validation to be implemented incorrectly, leading to a vulnerability.
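To make the two contributing factors concrete, here is an added example (not Microsoft’s code and not the Azure AD SDK) that contrasts the Exchange-style mistake with issuer-aware validation. The issuer URLs, tenant id, audience and key ids are constructed; HS256 with a per-issuer secret stands in for the RSA keys a real identity provider publishes through its JWKS endpoint, so the example runs with only the Python standard library. The forged token is the kind a holder of only the consumer (MSA) key could mint: its body claims the enterprise issuer, but its signature comes from the MSA key.

```python
"""Issuer-aware JWT validation: the Storm-0558 failure mode and its fix.

Added example, not Microsoft's code. HS256 with a per-issuer secret stands in
for the RSA signing keys a real identity provider publishes (an assumption made
to keep the example standard-library only); the issuer URLs, tenant id, audience
and key ids below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json

# Constructed identifiers (not real tenants, endpoints or key ids).
ENTERPRISE_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000001/v2.0"
CONSUMER_ISSUER = "https://login.live.com/consumer"
AUDIENCE = "api://mail-service-constructed"
NOW = 1_700_000_000  # fixed clock so the example is deterministic

# A merged key set, as an application holds after fetching the JWKS of every
# issuer it trusts. Each entry records which issuer owns the key.
KEY_SET = {
    "aad-kid-01": {"issuer": ENTERPRISE_ISSUER, "secret": b"constructed-aad-secret"},
    "msa-kid-01": {"issuer": CONSUMER_ISSUER, "secret": b"constructed-msa-secret"},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str) -> str:
    """Mint an HS256 JWT with the named key; whoever holds the key can do this."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url_encode(json.dumps(header).encode()) + "." + _b64url_encode(json.dumps(claims).encode())
    )
    sig = hmac.new(KEY_SET[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def _split(token: str):
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    claims = json.loads(_b64url_decode(body_b64))
    return header, claims, head_b64 + "." + body_b64, _b64url_decode(sig_b64)


def _signature_valid(kid: str, signing_input: str, sig: bytes) -> bool:
    key = KEY_SET.get(kid)
    if key is None:
        return False
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_naive(token: str, now: int = NOW) -> bool:
    """The mistake described above: signature, audience and expiry are checked,
    but the issuer is never compared with the owner of the key that signed, so
    any key in the merged set (including the consumer key) verifies the token."""
    header, claims, signing_input, sig = _split(token)
    if not _signature_valid(header.get("kid"), signing_input, sig):
        return False
    return claims.get("aud") == AUDIENCE and claims.get("exp", 0) > now


def validate_strict(token: str, expected_issuer: str, now: int = NOW) -> bool:
    """Issuer-aware validation: pin the algorithm, require the signing key to
    belong to the expected issuer, and require the token to claim that issuer."""
    header, claims, signing_input, sig = _split(token)
    if header.get("alg") != "HS256":
        return False
    key = KEY_SET.get(header.get("kid"))
    if key is None or key["issuer"] != expected_issuer:
        return False
    if claims.get("iss") != expected_issuer:
        return False
    if not _signature_valid(header["kid"], signing_input, sig):
        return False
    return claims.get("aud") == AUDIENCE and claims.get("exp", 0) > now


def legitimate_enterprise_token() -> str:
    claims = {"iss": ENTERPRISE_ISSUER, "aud": AUDIENCE, "sub": "alice@contoso.example", "exp": NOW + 3600}
    return sign_token(claims, "aad-kid-01")


def forged_enterprise_token() -> str:
    """What an attacker holding only the consumer (MSA) key can mint: the body
    claims the enterprise issuer, but the signature comes from the MSA key."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": AUDIENCE, "sub": "admin@contoso.example", "exp": NOW + 3600}
    return sign_token(claims, "msa-kid-01")


if __name__ == "__main__":
    forged = forged_enterprise_token()
    print("naive accepts forged token: ", validate_naive(forged))                       # True
    print("strict accepts forged token:", validate_strict(forged, ENTERPRISE_ISSUER))  # False
    print("strict accepts real token:  ", validate_strict(legitimate_enterprise_token(), ENTERPRISE_ISSUER))  # True
```

The design point is the binding in `validate_strict`: the key id alone says nothing about trust, so the key that verifies the signature must be one published by the issuer the application expects, and the token’s `iss` claim must name that same issuer. Pinning the algorithm and checking the audience and expiry are the routine checks the naive path already had; it is the missing issuer-to-key binding that let a consumer-signed token pass as an enterprise one.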

What does this mean?

The timeline that can be deduced from the latest report seems to indicate that due to log retention policies (understandable, given that the activity might have stretched over two years), Microsoft can only partially account for all of this threat actor’s activity within their network between April 2021 and May 2023. Additionally, the report does not explicitly state when the crash dump was transferred to the debugging environment or when the engineer’s account was compromised; only that each of these events occurred sometime after April 2021. If we assume that they both happened at the earliest possible point on the timeline — let’s say May 2021 — then that would mean that the threat actor might have been in possession of the signing key for over two years prior to being discovered in June 2023. Furthermore, while Microsoft have reviewed their logs and definitively identified the use of forged authentication tokens for Exchange and Outlook accounts throughout May 2023, we are nevertheless led to the conclusion that the threat actor might have been forging authentication tokens for other services during this two-year period.

As we explained in our last blog post on the subject, someone in possession of this MSA signing key was not limited to forging authentication tokens for just Exchange and Outlook – they could have forged tokens that would have allowed them to impersonate consumer accounts in any consumer or mixed-audience application, and enterprise accounts in any application that implemented validation incorrectly, such as Exchange. In other words, Storm-0558 was in a position to gain access to a wide range of accounts in applications operated by Microsoft (such as SharePoint) or their customers. As we explained in our previous blog post, this was a very powerful key.

Key takeaways from the key takeaway

Based on what we can learn from Microsoft’s latest report, cloud customers should have the following takeaways from this incident:

  1. Organizations should scan their logs for evidence related to this activity in a time window spanning the period between April 2021 and June 2023 (Microsoft could narrow this window by stating precisely when the engineer’s account was compromised).
  2. Organizations should use a hardware security module (HSM) for key storage whenever possible — this will ensure that key material is never included in crash dumps. As others have noted, the scale at which Microsoft operates might have made this impossible for them to do, but smaller organizations should certainly make it a priority.
  3. As a precautionary defense-in-depth measure, debugging and crash dump data should be purged on a regular basis, since they can contain decrypted information which might be a gold mine for threat actors once they gain access to the environment. In general, sensitive secrets can often be found in unexpected places, such as bash history, hidden image layers, etc.
  4. Additionally, organizations should maintain an inventory of assets in which debugging and crash dump data is collected, stored, or catalogued, and ensure that access controls are in place to limit these assets’ exposure.
  5. Sensitive production environments should be properly isolated from corporate environments which are at higher risk of compromise. While there is no evidence to indicate that the threat actor managed to break through Microsoft’s security boundaries or reach the production environment itself, the root cause here was a failure of data hygiene when transferring potentially sensitive data between the two environments.
  6. Signing keys should be rotated on a regular basis, ideally every few weeks. In this case, the acquired signing key was issued in April 2016 and expired in April 2021, but remained valid until it was finally rotated in July 2023 following Microsoft’s investigation of this incident. This means the key was very long-lived and in use for over 7 years. While Microsoft rotated their signing keys following this incident, at least one (key id -KI3Q9nNR7bRofxmeZoXqbHZGew) appears in both a current key list and in the same list where it appeared in October 2022. If this key remains in use, it should be rotated as well, if only to limit the impact of any (admittedly unlikely) similar potential incident.
  7. Secret scanning mechanisms — particularly those put in place to mitigate the risk of keys leaking from high-to-low trust environments — should be regularly monitored and tested for effectiveness.
  8. Defaults are powerful, and documentation alone isn’t good enough for shaping developer behavior. SDKs should either implement critical functionality by default, or warn users if and when they’ve missed a vital implementation step that must be performed manually. If developers at Microsoft misunderstood their own documentation and made this critical mistake, it stands to reason that any one of their customers might have done the same.

Unanswered questions

Although Microsoft’s report answers some of the burning questions related to this case, there remain several unanswered questions:

  1. Was this, in fact, how Storm-0558 acquired the signing key? Microsoft have stated that their investigation has concluded, meaning that they have exhausted all evidence available to them. Therefore, we will probably never have a definitive answer to this question.
  2. How likely is it that other signing keys that were valid during the two-year period were compromised in the same way? Is there evidence to the contrary? (This would obviously be very hard to prove.)
  3. When exactly was the engineer’s account compromised? Most importantly, what is the earliest possible point in time at which Storm-0558 could have acquired the signing key?
  4. Was the threat actor targeting this engineer specifically because of their access to the debugging environment, or did they have other goals in mind?
  5. Was the engineer’s account and the machine infected with malware the only known compromised entities within Microsoft’s corporate environment during this period? Did the investigation identify other compromised users or systems? When (and how) did the attacker establish their initial foothold in the environment?
  6. When Microsoft says that they haven’t observed the threat actor targeting the users of any applications other than Exchange and Outlook, does this mean that they have definitively proven that the threat actor did not forge access tokens for other services? In other words, do they actually have the necessary logs (going back far enough in time and containing the required data) to reasonably verify this?
  7. At what point did the threat actor identify the vulnerability in Exchange that allowed them to use forged authentication tokens signed by an MSA signing key to impersonate AAD users? Could they have somehow discovered it independently of acquiring the signing key? Might they have discovered the same vulnerability affecting other applications before Exchange became vulnerable in 2022?

Regarding the last question about how the threat actor might have discovered the issuer ID validation vulnerability in Exchange, we can posit a theory that they initially realized that the SDK (which is open source) did not include endpoint validation by default, and correctly assumed that at least some of the SDK’s users — including Microsoft developers — would therefore fail to correctly implement this validation.

End of Support for Windows Server 2012/2012R2


We are less than 2 months away from End of Support for Windows Server 2012/2012R2 and we’re receiving numerous questions about Active Directory Domain Controllers like upgrading & best practices.

This blog post is for you.

  • Do not put Domain Controllers on the open internet.
  • Do not put Domain Controllers on the open internet.
  • Do not put Domain Controllers on the open internet.

Here’s some additional helpful guidance for securing Domain Controllers: Securing Domain Controllers Against Attack | Microsoft Learn

  • A few points to highlight: You should run all domain controllers on the newest version of Windows Server that is supported within your organization. Organizations should prioritize decommissioning legacy operating systems in the domain controller population.

How do I upgrade an Active Directory domain to Windows Server 2019/2022?

The recommended way to upgrade a domain is to promote domain controllers that run newer versions of Windows Server & demote older DCs as needed. Upgrade domain controllers to a newer version of Windows Server | Microsoft Learn

Keeping domain controllers current and eliminating legacy domain controllers allows you to take advantage of new functionality and security. This functionality may not be available in domains or forests with domain controllers running legacy operating systems.

What is the impact of upgrading the Domain or Forest Functional Level? What is the Impact of Upgrading the Domain or Forest Functional Level? – Microsoft Community Hub

At this point in time, your domain controllers should all be running at Windows Server 2016 Functional Level. Future AD features will require a 2016 DFL. To learn more about Active Directory Functional Levels see: What Are Active Directory Functional Levels?: Active Directory | Microsoft Learn

Are there any concerns about upgrading the Domain or Forest Functional Level? No. In a review of over a decade of support calls, not one involved a case where changing the Domain or Forest Functional Level was the root cause of any issue.

How do you raise AD domain and forest functional levels? Microsoft Support

General Internet access to and from domain controllers should also be strictly controlled. Securing Domain Controllers Against Attack | Microsoft Learn

Checklist for SOC during Ransomware attack

Responding to a ransomware attack requires a well-defined and organized approach to effectively mitigate the threat, minimize damage, and restore systems. Here’s a checklist for a Security Operations Center (SOC) during a ransomware attack:

Preparation Phase:

  1. Incident Response Plan (IRP): Ensure your SOC has a well-documented and up-to-date incident response plan that includes specific steps for handling ransomware incidents.
  2. Team Activation: Initiate the incident response team, including representatives from IT, security, legal, communications, and management.
  3. Isolation: Isolate affected systems from the network to prevent further lateral movement and propagation of the ransomware.
  4. Secure Communication Channels: Establish secure communication channels for internal and external communication, considering potential compromise of regular communication channels.

Identification and Analysis Phase:

  1. Confirm Ransomware: Determine if it’s indeed a ransomware attack by analyzing the ransom note, encrypted files, and other indicators.
  2. Collect Evidence: Gather information such as log files, network traffic captures, system snapshots, and any ransomware-related artifacts for analysis.
  3. Ransomware Variant Identification: Identify the specific ransomware variant, if possible, to understand its behavior and potential decryption options.
  4. Scope Assessment: Determine the extent of the infection and affected systems, including critical assets and data.
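As an added example of steps 1 and 4 above (not part of the original checklist), the following Python triage script runs the “confirm ransomware” checks over a constructed snapshot of a file share: it looks for ransom-note filenames, for an unexpected extension appearing across several files, and for high-entropy content. It deliberately does not flag an archive that is high-entropy but carries an expected extension, since compressed files look as random as ciphertext. The paths, the `.enc7` extension, the note text and the byte samples are all constructed.

```python
"""Ransomware triage over a host file inventory (added example, constructed data).

Real tooling would walk a filesystem and read the first few kilobytes of each
file; here a small in-memory snapshot stands in for a share.
"""
import math
import re
from collections import Counter

# Constructed byte samples. bytes(range(256)) * 4 has exactly 8 bits of entropy
# per byte, a stand-in for ciphertext; a zip archive looks just as random.
ENCRYPTED_SAMPLE = bytes(range(256)) * 4
COMPRESSED_SAMPLE = bytes(range(256)) * 4
TEXT_SAMPLE = b"Quarterly revenue summary, prepared by finance. " * 16
NOTE_SAMPLE = b"All your files have been encrypted. Contact the address below."

# Constructed snapshot: (path, sampled bytes). The .enc7 extension is invented.
SNAPSHOT = [
    ("C:/Shares/Finance/Q3.xlsx.enc7", ENCRYPTED_SAMPLE),
    ("C:/Shares/Finance/Q4.xlsx.enc7", ENCRYPTED_SAMPLE),
    ("C:/Shares/Finance/budget.docx.enc7", ENCRYPTED_SAMPLE),
    ("C:/Shares/Finance/HOW_TO_RESTORE_FILES.txt", NOTE_SAMPLE),
    ("C:/Shares/HR/notes.txt", TEXT_SAMPLE),
    ("C:/Shares/HR/backup-2023.zip", COMPRESSED_SAMPLE),
]

# Extensions expected on this share; anything else seen on several files is churn.
EXPECTED_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".zip", ".png", ".jpg", ".log"}
# Common ransom-note naming: readme / how_to / restore / recover / decrypt + .txt/.html/.hta
NOTE_PATTERN = re.compile(r"(readme|how[_ -]?to|restore|recover|decrypt).*\.(txt|html?|hta)$", re.IGNORECASE)
ENTROPY_THRESHOLD = 7.5        # bits per byte; plaintext and most documents sit well below
MIN_FILES_PER_EXTENSION = 2    # an unexpected extension on this many files counts as churn


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def final_extension(path: str) -> str:
    name = basename(path)
    return name[name.rfind("."):].lower() if "." in name else ""


def find_ransom_notes(snapshot) -> list:
    """Files whose name matches the ransom-note pattern (a heuristic: a real
    README.txt matches too, so notes corroborate but do not confirm on their own)."""
    return [path for path, _ in snapshot if NOTE_PATTERN.search(basename(path))]


def suspect_extensions(snapshot) -> set:
    """Unexpected extensions that appear on at least MIN_FILES_PER_EXTENSION files."""
    counts = Counter(final_extension(path) for path, _ in snapshot)
    return {
        ext for ext, n in counts.items()
        if ext and ext not in EXPECTED_EXTENSIONS and n >= MIN_FILES_PER_EXTENSION
    }


def triage(snapshot) -> dict:
    notes = find_ransom_notes(snapshot)
    churn = suspect_extensions(snapshot)
    # Entropy alone is a weak signal (archives, images and encrypted office files
    # are all near 8 bits), so a file is flagged only when its extension is churn too.
    encrypted = [
        path for path, sample in snapshot
        if final_extension(path) in churn and shannon_entropy(sample) >= ENTROPY_THRESHOLD
    ]
    if notes and encrypted:
        verdict = "ransomware-likely"
    elif notes or encrypted:
        verdict = "suspicious-investigate"
    else:
        verdict = "no-ransomware-indicators"
    return {
        "ransom_notes": notes,
        "suspect_extensions": churn,
        "likely_encrypted": encrypted,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SNAPSHOT).items():
        print(f"{key}: {value}")
```

The output of `triage` feeds the scope assessment directly: the list of likely-encrypted paths shows which shares and systems are affected, and the suspect extension is a concrete indicator to sweep for across the estate. Treat the verdict as a prioritization aid for the analyst, not a replacement for confirming the variant and its behaviour.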

Containment Phase:

  1. Isolation: Continue isolating affected systems to prevent the spread of the ransomware. Disconnect infected systems from the network.
  2. Implement Firewall Rules: Update firewall rules to block any malicious network traffic associated with the ransomware.
  3. Endpoint Security Measures: Apply security patches, updates, and configurations to the affected systems to prevent further exploitation.

Eradication Phase:

  1. Malware Removal: Use updated antivirus and anti-malware tools to remove the ransomware from affected systems.
  2. Root Cause Analysis: Determine how the ransomware entered the network and identify vulnerabilities that were exploited. Patch and secure these vulnerabilities.

Recovery Phase:

  1. Data Restoration: Restore systems from clean backups, ensuring that backup data is not compromised.
  2. Data Verification: Thoroughly verify the integrity of restored data to ensure its accuracy and completeness.
  3. System Reintegration: Gradually reintegrate cleaned systems back into the network while continuously monitoring for any signs of re-infection.

Communication and Reporting Phase:

  1. Internal Communication: Keep key stakeholders informed about the status of the incident, actions taken, and progress towards resolution.
  2. External Communication: If necessary, communicate with law enforcement, regulatory bodies, affected customers, and business partners, as required by law and company policy.
  3. Public Relations: Prepare statements for public relations and communications teams to address media inquiries and manage the company’s public image.

Post-Incident Phase:

  1. Debriefing: Conduct a thorough post-incident analysis to identify lessons learned and areas for improvement in the incident response process.
  2. Documentation: Document all actions taken, evidence collected, and decisions made during the incident response for legal and regulatory purposes.
  3. Continuous Improvement: Update the incident response plan based on the lessons learned to better prepare for future incidents.

Remember that ransomware attacks can vary significantly in terms of complexity and impact. It’s important to tailor this checklist to your organization’s specific needs and circumstances. Regular training, simulations, and staying up-to-date with the latest threat intelligence can significantly enhance your SOC’s ability to effectively respond to ransomware incidents.

If you are looking for SOC services, feel free to contact us via email info@cysys.io

Potential Pros and Cons of the DPDP 2023 Act

Pros:

  1. Enhanced Individual Rights: The act strengthens the rights of individuals over their personal data, giving them more control and transparency regarding how their data is collected, processed, and used.
  2. Improved Data Security: Organizations are required to implement stricter data security measures to protect personal information, reducing the risk of data breaches and cyberattacks.
  3. Accountability: The act promotes organizational accountability by requiring significant data fiduciaries to appoint a data protection officer (DPO) and to undergo periodic audits of their data processing practices. This can lead to better data handling and increased responsibility.
  4. Transparency: Organizations are obligated to provide clear and accessible privacy policies, ensuring individuals understand how their data will be used and processed.
  5. Cross-Border Data Transfers: The act provides a framework for secure cross-border data transfers, maintaining data protection standards even when personal data is moved to different jurisdictions.
  6. Privacy Impact Assessments: Data Protection Impact Assessments (DPIAs), mandatory for significant data fiduciaries, help organizations identify and mitigate privacy risks, leading to more thoughtful and responsible data processing practices.
  7. Fostering Trust: The act’s focus on individual rights, transparency, and accountability can lead to increased trust between consumers and organizations, benefiting both parties.

Cons:

  1. Compliance Costs: Implementing the requirements of the DPDP 2023 Act can be expensive for organizations, especially for smaller businesses with limited resources. This includes costs related to data protection officers, audits, and compliance tools.
  2. Complexity: The act may introduce complex legal and technical requirements that organizations need to understand and implement, potentially leading to confusion and errors in compliance.
  3. Impact on Innovation: Stricter regulations could potentially deter innovation, as organizations might be more cautious about experimenting with new data-driven technologies due to compliance concerns.
  4. Burden on Small Businesses: Smaller businesses might struggle to keep up with the compliance requirements, leading to a competitive disadvantage compared to larger, more resource-rich companies.
  5. Ambiguity in Interpretation: The language of the act might be open to interpretation, leading to differing interpretations among legal experts and potential difficulties in enforcement.
  6. International Operations: For organizations with international operations, adhering to the act’s cross-border data transfer requirements might prove challenging, potentially affecting business operations.
  7. Overregulation: Some critics might argue that strict regulations can stifle business growth and hamper data-driven industries by making it more cumbersome to utilize data for beneficial purposes.

In conclusion, the DPDP 2023 Act brings a mix of advantages and challenges. While it strengthens individual rights and data security, it also introduces compliance complexities and costs. Striking the right balance between protecting personal data and fostering innovation is crucial as governments and organizations navigate the evolving landscape of digital privacy and data protection.

We are happy to help our customers prepare for the DPDP 2023 Act within their security budget. Please feel free to get in touch with us at support@cysys.io

The Digital Personal Data Protection Bill 2023: Understanding the Exemptions for Start-Ups

1. Introduction

1.1. In a first, the Digital Personal Data Protection Bill, 2023 (“Bill”), accorded recognition to start-ups as a separate industry class. Given that the world of start-ups is intrinsically bound up with technology and data, it becomes crucial to know what they can and cannot do in this new regime of data compliance. Through this article, the Data Protection team at Khaitan Legal Associates (“KLA”) decodes the exemptions that the Bill offers to start-ups and their related implications.

2. Eligibility

2.1. The Bill defines start-ups as private limited companies, partnership firms, or limited liability partnerships incorporated in India, meeting the eligibility criteria set forth by the department responsible for start-ups in the Central Government. The current reading does give the impression that all start-ups that meet the prescribed eligibility criteria qualify for the exemptions irrespective of registration with the Department for Promotion of Industry and Internal Trade (“DPIIT”).

3. Exemptions

3.1 The Central Government is now empowered to notify certain data fiduciaries to whom certain obligations under the Bill would not apply. Such exemptions are primarily based on the volume and nature of personal data such notified entities process. The category of data fiduciary entities that may be notified now includes start-ups.

3.2. Such exemptions relate to giving notice for consent [1]; accuracy and maintaining continued accuracy of personal data [2]; retention of personal data beyond its period of use [3]; additional obligations of a significant data fiduciary [4]; and immunity from enforcement of data principal rights [5].

4. Implications

4.1. Compliance Preparedness: Given the exemptions will be granted via notifications, it remains to be seen what the criterion, qualification and duration for such exemptions may be. It is also unclear whether such exemptions fall away as soon as a start-up ceases to be one. Therefore, compliance preparedness may be a good measure to adopt irrespective of such exemption.

4.2. Start-ups in Regulated Sectors: Indian companies must comply with both central legislation and sector-specific regulations applicable to their operations. Therefore, while the exemptions provided under the Bill may provide some respite, start-ups operating in regulated sectors like banking and insurance will still need to comply with their industry-specific privacy related compliance requirements.

4.3. Liability for Data Breaches: Despite the exemptions, start-ups are not exempted from liability in case of data breaches. They will be held equally responsible and subject to the penalties prescribed under the Bill, which can go up to 250 crores, similar to other data fiduciaries.

5. Balancing Innovation and Protection

5.1. The Bill aims to streamline data protection compliance and encourage innovation for businesses, particularly start-ups. However, in this pursuit, it may appear to compromise individual data privacy. Striking a balance between innovation and privacy protection is crucial. The exemption provision should be seen as a supportive measure to nurture early-stage start-ups with limited means. However, it should not be misconstrued as a compromise on data privacy. As start-ups grow and mature, they will eventually have to align with more robust data protection measures to maintain compliance and build a sustainable business model.

5.2. Start-ups must approach this exemption with responsibility, ensuring they strike a balance that aligns with both their business objectives and the privacy concerns of their users and customers.

6. Conclusion

6.1. The Bill marks a significant step by providing such exemptions to start-ups in India. As start-ups heavily rely on technology and data, understanding their exemptions and implications under the new data compliance regime becomes crucial. While the Bill empowers the Central Government to notify exemptions based on data volume and nature, it is essential for start-ups to stay prepared for compliance, as criteria and duration for exemptions remain uncertain.

6.2. Start-ups operating in regulated sectors like banking and insurance must be aware that the exemptions provided may not entirely exempt them from sector-specific compliance requirements. Additionally, despite exemptions, start-ups are not exempted from liability in case of data breaches. They are equally accountable and subject to penalties prescribed under the Bill, which can be substantial.

6.3. In this new era of data compliance, founders must proactively navigate the complexities of data protection, fostering innovation while safeguarding individual privacy rights. By striking the right balance, start-ups can pave the way for success and earn the trust of their stakeholders, positioning themselves as responsible and trustworthy entities in the digital landscape.

We will explain the pros and cons of the DPDP 2023 Act in our next blog post.

Potential Pros and Cons of the DPDP 2023 Act https://cysys.io/blog/index.php/2023/08/14/potential-pros-and-cons-of-the-dpdp-2023-act/

Demystifying the DPDP 2023 Act: A Comprehensive Overview

In the rapidly evolving landscape of digital privacy and data protection, governments and regulatory bodies worldwide are continually working to establish comprehensive legal frameworks that safeguard individuals’ personal information while promoting innovation and growth in the digital economy. One such significant development is the DPDP 2023 Act – the latest milestone in data protection. In this blog, we’ll delve into the key aspects and implications of the DPDP 2023 Act, shedding light on how it aims to reshape the data protection landscape.

Understanding the DPDP 2023 Act

The DPDP 2023 Act, short for “Digital Privacy and Data Protection Act 2023,” is a comprehensive piece of legislation designed to address the intricacies and challenges of data privacy and protection in the digital age. Enacted by [Country/Region], this act aims to provide individuals with more control over their personal data while holding organizations accountable for responsible data handling practices.

Key Highlights

  1. Enhanced Individual Rights: One of the primary objectives of the DPDP 2023 Act is to empower individuals with enhanced rights over their personal data. It introduces provisions for easier access to their data held by organizations, the right to rectify inaccurate information, and the right to be forgotten, allowing individuals to request the deletion of their data under certain circumstances.
  2. Stricter Consent Mechanisms: The act places a strong emphasis on obtaining valid consent for data processing activities. Organizations are required to obtain explicit and informed consent from individuals before collecting or using their data. Additionally, consent must be specific and easy to withdraw, ensuring that individuals have full control over their data.
  3. Data Minimization and Purpose Limitation: To reduce data collection and processing to the necessary minimum, the act introduces principles of data minimization and purpose limitation. Organizations are expected to collect only the data required for the intended purpose and refrain from using it for other unrelated activities.
  4. Mandatory Data Protection Impact Assessments (DPIAs): High-risk data processing activities, such as large-scale data processing or utilizing sensitive information, will require organizations to conduct DPIAs. These assessments help organizations identify and mitigate potential privacy risks associated with their data processing activities.
  5. Accountability and Transparency: The DPDP 2023 Act emphasizes organizational accountability. Organizations are required to implement robust data protection policies, appoint data protection officers, and conduct regular audits of their data processing practices. Transparency is also emphasized, as organizations must provide clear and accessible privacy policies to individuals.
  6. Cross-Border Data Transfers: The act addresses the complexities of cross-border data transfers by outlining specific mechanisms and safeguards for transferring personal data to countries outside the jurisdiction. Adequacy agreements, standard contractual clauses, and binding corporate rules are some of the tools organizations can use to ensure data protection during international transfers.
  7. Enforcement and Penalties: To ensure compliance, the DPDP 2023 Act introduces significant penalties for organizations found in violation of its provisions. These penalties could include substantial fines, data processing suspensions, or even criminal charges in severe cases.

Implications for Businesses and Individuals

For Businesses:

  • Organizations must invest in robust data protection measures, including advanced encryption, secure storage, and access controls.
  • Compliance officers and data protection officers (DPOs) play a critical role in ensuring adherence to the act’s provisions.
  • Data breaches must be reported promptly to regulatory authorities and affected individuals, fostering transparency and trust.

For Individuals:

  • Enhanced control over personal data empowers individuals to make informed choices about their data usage.
  • Access to clear privacy policies and easy-to-understand consent mechanisms ensures individuals are well-informed about how their data is used.

The DPDP 2023 Act represents a significant stride towards bolstering data privacy and protection in the digital era. By establishing comprehensive guidelines for organizations and empowering individuals with greater control over their personal data, this act sets the stage for a more secure and transparent digital environment. As businesses adapt to these new standards, and individuals gain more control over their data, the digital landscape is likely to become more privacy-conscious and accountable, fostering trust and innovation in equal measure.

Our next blog post will cover Understanding the Exemptions for Start-Ups.

Things That Organizations Should Do!

In recent years, the threat of ransomware attacks has escalated, posing a significant risk to individuals and organizations worldwide. Ransomware is a type of malicious software that encrypts valuable data and demands a ransom payment in exchange for its release. This blog post explores the critical strategies and best practices for defending against ransomware attacks and safeguarding your digital assets.

  1. Regular Data Backups: One of the most effective defenses against ransomware is maintaining regular and secure backups of your data. Ensure backups are stored offline or in an isolated network environment to prevent ransomware from infecting them. Regularly test your backup restoration process to guarantee data recovery in case of an attack.
  2. Employee Training and Awareness: Human error remains a significant entry point for ransomware attacks. Educate your employees about phishing scams, suspicious email attachments, and unsafe browsing habits. Conduct regular training sessions to keep staff informed about the latest ransomware tactics.
  3. Robust Endpoint Protection: Invest in advanced endpoint security solutions that include real-time threat detection, anti-malware software, and behavior-based analysis. Implement firewall and intrusion detection systems to prevent unauthorized access.
  4. Patching and Software Updates: Regularly update operating systems, applications, and software with the latest security patches. Cybercriminals often exploit known vulnerabilities to deliver ransomware. Automated patch management tools can help streamline this process.
  5. Network Segmentation: Divide your network into segments to limit the lateral movement of ransomware. This containment strategy prevents an isolated incident from spreading throughout your entire network.
  6. Ransomware-Specific Tools: Consider using dedicated anti-ransomware tools that can detect and stop ransomware activity in real time. These tools often employ behavior analysis and machine learning to identify and block ransomware threats.
  7. Incident Response Plan: Develop a comprehensive incident response plan that outlines the steps to take in case of a ransomware attack. Assign roles and responsibilities, establish communication protocols, and conduct regular drills to ensure a swift and coordinated response.
  8. Zero Trust Architecture: Implement a zero-trust security model, where no user or device is trusted by default. This approach minimizes the attack surface and requires continuous authentication and authorization for access.
  9. Encryption and Data Protection: Encrypt sensitive data both at rest and in transit. In the event of a breach, encrypted data is significantly harder for attackers to exploit.
  10. Collaboration and Threat Intelligence: Stay informed about the latest ransomware threats and trends by collaborating with industry peers and sharing threat intelligence. Organizations that work together can collectively improve their defenses.

Please contact us via Support@cysys.io for more information on how we provide services that help SMBs prevent ransomware attacks from the latest threat vectors.

CIS Benchmarks: Strengthening Cybersecurity through Industry Best Practices

Cybersecurity is a critical concern for organizations of all sizes and industries in today’s technology-driven world. To address the ever-evolving threat landscape, the Center for Internet Security (CIS) has developed CIS Benchmarks, which provide comprehensive, industry-recognized best practices for securing various systems and software.

What are CIS Benchmarks?

CIS Benchmarks are a set of consensus-based configuration guidelines for various operating systems, applications, and network devices. These guidelines are developed by a global community of cybersecurity experts who collaborate to establish a standard for secure system configurations. The benchmarks are regularly updated to keep pace with emerging threats and new technologies.

Key Features of CIS Benchmarks:

  1. Thorough Coverage: CIS Benchmarks cover a wide range of platforms, including popular operating systems like Windows, macOS, Linux, and various applications, web servers, and network devices. This comprehensive approach ensures that critical assets are protected across the entire infrastructure.
  2. Industry Standards: The benchmarks are developed following consensus-based best practices, making them widely accepted by governments, organizations, and security professionals globally. They provide a reliable foundation for enhancing security posture and compliance efforts.
  3. Continuous Updates: The cybersecurity landscape evolves rapidly, and so do the threats. CIS Benchmarks are continuously reviewed and updated by an expert community to address emerging risks and vulnerabilities promptly.
  4. Implementation Flexibility: CIS Benchmarks provide a range of configuration options, allowing organizations to tailor their security settings to meet their specific needs without compromising the overall security posture.

Advantages of Implementing CIS Benchmarks:

  1. Enhanced Security: By following CIS Benchmarks, organizations can significantly reduce the attack surface and strengthen their systems’ security. This proactive approach helps prevent potential security breaches and data leaks.
  2. Compliance: Many regulatory frameworks and standards require organizations to implement specific security measures. CIS Benchmarks offer valuable guidance for meeting these compliance requirements.
  3. Mitigate Risk: Cyberattacks can lead to substantial financial losses, reputational damage, and legal liabilities. Implementing CIS Benchmarks helps mitigate these risks, protecting both the organization and its stakeholders.
  4. Community Support: The CIS community provides a valuable resource for organizations looking to exchange knowledge, share experiences, and collaborate on solving cybersecurity challenges.

CY SYSTEMS Services with CIS Benchmarks:

  • Identify Assets: CY SYSTEMS begins by identifying all the critical assets in your organization, such as servers, workstations, and network devices, to determine which CIS Benchmarks are relevant.
  • Assess Current Configurations: We conduct a thorough assessment of your existing system configurations to identify gaps and vulnerabilities.
  • Apply CIS Benchmarks: CY SYSTEMS suggests and implements the recommended security settings from the relevant CIS Benchmarks on your systems, using automation tools where appropriate to streamline the process and ensure consistency.
  • Regular Updates: We stay informed about the latest updates to the CIS Benchmarks and apply them promptly to stay ahead of emerging threats.

CIS Benchmarks play a vital role in helping organizations bolster their cybersecurity defenses through industry-proven best practices. By implementing these guidelines, organizations can enhance their security posture, meet compliance requirements, and effectively protect their digital assets against evolving threats. Embracing CIS Benchmarks represents a commitment to staying one step ahead in the ongoing battle against cyber adversaries.

For more information, please feel free to email us at support@cysys.io

Business Continuity Recovery Strategy

A business continuity recovery strategy is the approach selected to determine recovery and continuity options in the face of a disaster or other business disruption. There are four main types of plans:

  • Emergency Response Plan: provides guidance for dealing with physical emergencies in order to minimize the impact of the event and promote the safety of people and facilities.
  • Crisis Management Plan: a strategic plan that guides top management during a crisis and provides guidance on communications to those affected by the crisis, including employees and families as well as stakeholders and members of the media.
  • Business Continuity Plan: guides an organization to respond to disruption and resume, recover and restore the delivery of products and services consistent with its business continuity objectives.
  • IT Disaster Recovery Plan: guides the technology recovery teams and provides the procedures required to enable recovery or availability of vital technology infrastructure during times of disruption.

CY SYSTEMS provides these plans to deliver solutions for recovering time-critical activities and processes and for improving mitigation measures that reduce the impact of disruptions.

Please feel free to contact us via email at support@cysys.io or fill out the form below with your details.