Guidelines:
Phase 1 Deliverables with Urkund Report date: 28th January 2020 by 12:00 noon
Phase 1 Results: 29th January 2020 4:00 pm
Phase 2 Presentation on 30th January 2020
Scenario 1 –
Go through the scenario in which Google was fined 50 million EUR by the CNIL, at the link:
https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc
Scenario 2 Data Leak Case
Onpay started business in 2012 and provides payroll processing services to 20 enterprise
customers / clients (B2B service). Onpay hosts a multi-tenant application on the Amazon Web
Services (AWS) cloud and delivers the payroll application as Software as a Service (SaaS).
Onpay uses AWS as its Infrastructure as a Service (IaaS) provider, develops the payroll
application itself, and deploys a major release every quarter to all customers. Features and
services are not customized for any specific customer. Onpay uses AWS data centres in the
EU, US and UK.
11 of Onpay's customers are based in Europe and the US. Europe is subject to strong labour
regulations, which are tightly enforced and overseen by the European customers' internal
works councils. Onpay stores and processes personal and confidential information about the
employees of its customers, such as:
First name
Last name
Date of Birth
Bank account number
Bank IFSC number
Joining date in the company
Department name in the company
Income tax computation and deduction
Since May 25, 2018 (the date from which the GDPR applies), 2 of Onpay's 20 customers have
signed a Data Protection Agreement (DPA) and Model / Standard Contractual Clauses (M/SCC)
with Onpay.
In June / July 2018, a large beverages company operating in Europe reports to its European
Data Protection Authority that the personal data of 3000 of its employees was leaked due to a
security lapse at one of its payroll service providers, Onpay.
1. Read more about Onpay and its customers at www.onpay.com and conduct a PESTLE
analysis for the company.
2. Similarly, conduct a PESTLE analysis for the beverages industry from a data-criticality
point of view.
3. Why is payroll data an important consideration for any organization?
4. What measures should the beverages company take to address the privacy risks and
concerns of its 3000 employees in Europe?
5. What measures should Onpay take to address the privacy risks and concerns of its
customers' employees?
6. Is the problem statement limited only to the 3000 employees of the beverages
company? How will you determine the full problem statement? What measures
should the beverages firm use?
7. Should Onpay disclose the breach to all its customers? What is the role of a legal
counsel and Public Relations team/firm in breach/incident management?
8. How would you design the communication for informing about the data breach to
external stakeholders? Present a sample.
9. What is the key principle to determine if the data leak should be reported to
regulators, customers and data subjects?
10. What measures should the beverages company have taken before accepting Onpay
as a vendor?
11. What are the technical and organisational controls which could have been
implemented to prevent this security breach?
12. Imagine the data leak is reported to regulators and the beverages company wants to
sue Onpay for the leak. If Onpay is found responsible, the supervisory authority can impose an
administrative fine of up to €10 million or 2% of the company's total worldwide annual
turnover, whichever is higher, under Article 83(4) of the General Data Protection Regulation,
in addition to any compensation claimed by the customer. Write down the key steps Onpay
should take to handle the situation and mitigate the issue.
Scenario 3: DDoS attack brings the online portal down
Client: TraveleCom
Location: US
It is the eve of Black Friday and Cyber Monday, during the Thanksgiving period in the US. In the
week before Thanksgiving, the Engineering and Datacentre team holds critical stand-up
meetings several times a day to gear up for the traffic and business that await them on Black
Friday, the Thanksgiving weekend and Cyber Monday. Typically, TraveleCom earns about 30% of
its annual revenue over these 4 days, and daily traffic jumps from 5 million hits to 50 million hits
on each of them. The business offers deep discounts, coupons and freebies to make the most of
this rush and maximize conversions. Huge marketing budgets have been spent, and more will be
spent, on campaigns in print and digital media.
The Engineering and Development teams have frozen all new code deployments to the
production environment. Production capacity has been scaled up 15-fold to handle the traffic
spike. Everything looks set to make the most of the Thanksgiving weekend.
Crisis strikes on the morning of Black Friday as the site suffers a severe DDoS attack. The site
goes down multiple times during the day, forcing TraveleCom customers to look elsewhere. The
next 3 days, through Cyber Monday, are a disaster: genuine traffic falls to less than 2 million
hits a day owing to the site's reliability problems. The company is staring down the barrel of a
huge loss of revenue and reputation.
Phase 1 Deliverables:
Scenario 4
Go through the incident in which the ICO announced its intention to fine Marriott International more than £99 million under the GDPR, at the given link:
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach/
Scenario 5 LOSS OF WEBMAIL – PHISHING ATTACK
Company: BBC
Location: London, UK.
BBC News (also known as the BBC News Channel) is a British free-to-air television news
network. It was launched as BBC News 24 on 9 November 1997 at 5:30pm as part of the
BBC's foray into digital domestic television channels, becoming the first competitor to Sky
News, which had been running since 1989.
On January 28, 2015, some employees notice a suspicious email in their inboxes. The email
contains a link which, if clicked, takes the user to what looks like the BBC Webmail logon page.
When they enter their logon details on this page, they are not taken to their email inbox but to a
spurious free download site. That site opens in a loop: whatever button or link the user clicks,
it opens yet another unknown website.
As the CISO, you are informed by the Manager – BBC Information Systems that the BBC is the
target of an email phishing attack. The email that your users have seen has been identified as
the phishing email.
That is not all: one of the internet's notorious groups, calling itself "the Syrian Electronic
Army", has subsequently hijacked some of the key BBC Twitter accounts and is posting
messages on Twitter boasting that it has taken them over. It is suspected that the phishing
email is the tool the group used to obtain admin email rights and access to the Twitter
accounts, and that the group now holds the BBC login details and passwords of every BBC
employee or user who has so far clicked the link and entered credentials on the fake BBC
Webmail logon page.
As a precaution, the Information Systems department has shut down webmail, which means
that only users who hold a BBC Remote Access Token can log on to the BBC network from
outside the BBC. The department has released a reporting form, advised staff not to click on
any attachments or links within emails, and asked anyone who receives an email containing the
link to raise a call with the ATOS service desk.
plans, unreleased documentaries, employee details and bank account details, etc.
The group has threatened to release the information online, which would affect the BBC
adversely, could cost millions, and would expose business secrets. How will the company
tackle the situation?
Scenario 6
Read about the incident in which the ICO announced its intention to fine British Airways over £183 million:
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/
Appendix – Project Guidelines
Students may use the information below as a reference point for the analysis.
RISK ASSESSMENT –
The risk assessment is the second step in developing a BCP. It should include:
RISK MANAGEMENT –
Risk management is the development of a written, enterprise-wide BCP. The institution
should ensure that the BCP is:
The project can be assessed on the basis of whether the groups have covered the following:
1. Has the plan development team met with the internal technology team, application team
and network administrator(s) to establish the scope of the activity, e.g. internal elements,
external assets, third-party resources? Has IT department senior management been properly
informed?
2. Have the groups gathered all relevant network infrastructure documents, e.g. network
diagrams, equipment configurations and database inventories?
3. Have they obtained copies of existing IT and network DR plans if they exist?
4. Have they identified what management perceives as the most serious threats to the IT
infrastructure, e.g., fire, human error, loss of power, system failure?
5. Have they identified what management perceives as the most serious vulnerabilities to
the infrastructure, e.g., lack of backup power, out-of-date copies of databases?
6. Have they reviewed previous history of outages and disruptions, and how the firm
handled them?
7. Have they identified what management perceives as the most critical IT assets, e.g., call
centre, server farms, Internet access?
8. Have they determined the maximum outage time management can accept if the
identified IT assets are unavailable?
9. Have they identified the operational procedures currently used to respond to critical
outages?
10. Have they determined when these procedures were last tested to validate their
appropriateness?
11. Have they identified the emergency response team(s) for all critical IT infrastructure
disruptions, and determined their level of training on the critical systems, especially under
emergency conditions?
12. Have they compiled results from all assessments into a gap analysis report that identifies
what is currently done versus what ought to be done, with recommendations as to how to
achieve the required level of preparedness, and estimated investment required.
13. Has management reviewed the report and agreed on the recommended actions?
14. Have they prepared IT disaster recovery plan(s) addressing the critical IT systems and networks?
15. Have they tested the plans and the system recovery assets to validate that they work?
16. Have they updated the DR plan documentation to reflect changes?
17. Have they scheduled the next review/audit of IT disaster recovery capabilities?
Sources –
https://www.fdic.gov/regulations/examinations/supervisory/insights/sisum06/bcp.pdf
http://www.al.undp.org/content/dam/albania/docs/STAR/Disaster%20Recovery%20and%20Bussines%20Continuity%20Plan.pdf
http://www.epcc.edu/IT/InformationSecurity/Documents/Business_Continuity/Business_Continuity_Planning_Guidelines.pdf