
Data Security in Digital Era

(Data Privacy)

rudy_b@telkom.co.id
Dept IA Telkom
Industry 4.0
Today's Telcos Are Entering the Most Preferable Playground, a Near Fit with
Their Capabilities…
Indonesia Internet Users 2019-2020 (Q2)

Source: Laporan Survei Internet APJII 2019-2020


COVID-19: Updated Telecommunications Sector Responses
Digital Maturity Model

Source: Gartner Digital Government Maturity Model


What is Privacy?
“Privacy is the protection of personal data and is considered a fundamental human right.”
(Organisation for Economic Co-operation and Development (OECD) Guidelines, 1980)

“Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to
privacy with respect to the processing of personal data.”
(European Union (EU) Directive, 1995)

“The rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of
personal information.”
(The American Institute of Certified Public Accountants/Canadian Institute of Chartered Accountants (AICPA/CICA), 2009)

“Personal Data is specific individual data that is stored, maintained, kept accurate, and protected for its
confidentiality.”
(Permen Kominfo No 20 Thn 2016, on the Protection of Personal Data in Electronic Systems)

“whereas the protection of personal data is one of the human rights that forms part of the protection of the
individual person, a strong legal basis needs to be provided to give security over personal data, based on the
1945 Constitution of the Republic of Indonesia”
(Rancangan UU PDP (Perlindungan Data Pribadi) RI, the Indonesian Personal Data Protection Bill)
Privacy Risks

Privacy is a risk management issue for businesses, governments, and nonprofit organizations.
Consumers and citizens are concerned with how organizations use their personal information. Failure of
management and data controllers to address the protection of personal information presents numerous risks
to the organization, including:

1. Possible damage to the organization’s public image and branding.
2. Potential financial or investor losses.
3. Legal liability and industry or regulatory sanctions.
4. Charges of deceptive practices.
5. Customer, citizen, or employee distrust.
6. Loss of customers and revenues.
7. Damaged business relationships.

Source: IIA PG Auditing Privacy Risks, 2nd edition, Jul 2012


Privacy Audit Benefits

Evaluating an Organization’s Privacy Framework, the internal audit activity can contribute to good governance
and risk management by assessing the adequacy of management’s identification of risks related to its privacy
objectives and the adequacy of the controls established to mitigate those risks to an acceptable level.

Privacy Audit Benefits, including:

1. Facilitates compliance with laws and regulations.
2. Measures and helps improve compliance with the organization’s data protection system.
3. Identifies potential inconsistencies between policies and practices.
4. Increases the level of data protection awareness among management and staff.
5. Provides information for a data protection system review.
6. Provides assurance over reputational risks.
7. Improves procedures for responding to privacy complaints.

Source: IIA PG Auditing Privacy Risks, 2nd edition, Jul 2012


Personal Information

In today’s business context, privacy often refers to the personal information about an
individual and the individual’s ability to:

1. Know how his or her personal information is handled.
2. Control the information collected.
3. Control what the information is used for.
4. Control who has access to the information.
5. Amend, change, and delete the information.

Personal information is data that can be linked to or used to identify an individual either
directly or indirectly.

Source: IIA PG Auditing Privacy Risks, 2nd edition, Jul 2012


Examples of Personal and Sensitive Information
Sample Cases

Sample Case: External

Screenshot of the Raid Forums marketplace, where one of its members was selling a dataset claimed to
belong to 279 million Indonesian residents. (Source: Raid Forums)
Sample Case: Internal
Sample Case: Example Findings from the PKAT iSec Audit
Sample Case: Potential Risk Personal Data Leak
Check Your E-Mail

https://www.periksadata.com/ https://www.avast.com/hackcheck
Regulations
Draft Law (RUU)
Consideration

Privacy protection can be considered a process of establishing an appropriate balance between privacy and
multiple competing interests.
To minimize intrusiveness, maximize fairness, and create legitimate, enforceable expectations of privacy, a set
of principles governing the processing involved include a blend of substantive concepts such as data quality,
integrity, and limitation of use, and procedural principles such as the concepts of consent and access rights.

When implementing a privacy program, there are major roles to consider:

1. Data subject — Individual whose personal information is collected, used, disclosed, retained, and
disposed of.
2. Data controller — Organization that controls access to and processing of personal information.
3. Privacy officer — An organization’s privacy oversight, monitoring, and contact function.
4. Privacy commissioner — A governmental oversight authority.
5. Service providers — Circumstances where third parties are involved in processing personal
information.

Source: IIA PG Auditing Privacy Risks, 2nd edition, Jul 2012


Auditing Privacy Areas

Typical areas that internal audit may review when auditing privacy include:

1. Governance/management oversight.
2. Privacy policies and controls.
3. Applicable privacy notices.
4. Types and appropriateness of information collected.
5. Systems that process, store, and transmit personal information.
6. Collection methodologies.
7. Consent and opt-in/opt-out management.
8. Uses of personal information for compliance with stated intent, applicable laws, and
other regulations.
9. Security practices, operations, and technical controls in place to protect personal
information.
10. Retention and disposal practices of personal information.

Source: IIA PG Auditing Privacy Risks, 2nd edition, Jul 2012
Audit Program Example
Privacy Management

Risk : The organization has not established a formal privacy policy or conducted privacy awareness, data
handling, or information security training.

Object : General (policies, risk assessment, etc.)


Data Management & Collection

Risk : The organization is not adequately protecting the personal information it collects, uses, retains,
discloses, and disposes of.

Object : the application to be assessed


Data Security

Risk : The organization has not implemented access management for data in transit and data at rest.

Object : the application to be assessed
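The following is an added example, not part of the original slides, showing two technical controls an auditor could test under this Data Security area: keyed pseudonymization of personal fields before a record is transferred out of the controller's system, a detective scan for raw identifiers left in an outbound record, and a least-privilege gate with an audit trail for reading personal fields at rest. The field names, sample record, access policy and key are constructed for illustration and are not taken from any real system.

```python
"""Added example for the "Data Security" audit area: controls for personal
data in transit and at rest. All field names, sample values, the access
policy and the key below are constructed for illustration."""
import hmac
import hashlib
import re

# Constructed data inventory: fields the controller classifies as personal data.
PERSONAL_FIELDS = {"nik", "email", "phone", "name"}

# Patterns for raw identifiers that must never appear in an outbound export.
# (?<!\w) / \b keep the patterns from matching inside a pseudonym token.
RAW_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"(?<!\w)(?:\+?62|08)\d{8,11}\b"),  # Indonesian number formats
    "nik":   re.compile(r"\b\d{16}\b"),                      # 16-digit national ID format
}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym: stable per subject (joins still work
    downstream) but not reversible without the key, which stays with the
    data controller. The 'p_' prefix marks the value as a token."""
    return "p_" + hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def prepare_for_transfer(record: dict, key: bytes) -> dict:
    """Control 1 (data in transit): replace personal fields with pseudonyms
    before the record leaves the controller; non-personal fields pass through."""
    out = {}
    for field, value in record.items():
        out[field] = pseudonymize(str(value), key) if field in PERSONAL_FIELDS else value
    return out


def find_unmasked_pii(record: dict) -> list:
    """Detective check on an outbound record: scan every value for raw
    identifiers and return (field, kind) pairs for anything still exposed."""
    hits = []
    for field, value in record.items():
        for kind, pattern in RAW_PATTERNS.items():
            if pattern.search(str(value)):
                hits.append((field, kind))
    return hits


# Constructed role-to-purpose authorizations for reading personal fields at rest.
ACCESS_POLICY = {
    "billing":   {"name", "phone"},
    "support":   {"name", "email", "phone"},
    "analytics": set(),   # analytics only ever works on pseudonymized exports
}
AUDIT_TRAIL = []          # every read attempt, allowed or not, is recorded here


def read_personal_field(record: dict, field: str, role: str):
    """Control 2 (data at rest): enforce least privilege on reads of personal
    fields and log each attempt so access can be reviewed during an audit."""
    allowed = field in ACCESS_POLICY.get(role, set())
    AUDIT_TRAIL.append({"role": role, "field": field, "allowed": allowed})
    if not allowed:
        raise PermissionError(f"role {role!r} may not read {field!r}")
    return record[field]


if __name__ == "__main__":
    key = b"constructed-demo-key-held-by-controller"
    # Constructed sample record; values are made up and belong to nobody.
    record = {"nik": "3171234567890001", "name": "Budi", "email": "budi@example.com",
              "phone": "081234567890", "plan": "prepaid"}
    print("raw record exposes:", find_unmasked_pii(record))
    export = prepare_for_transfer(record, key)
    print("export exposes:", find_unmasked_pii(export), "->", export)
    print("billing reads phone:", read_personal_field(record, "phone", "billing"))
    try:
        read_personal_field(record, "email", "billing")
    except PermissionError as err:
        print("denied:", err)
    print("audit trail:", AUDIT_TRAIL)
```

An auditor testing this area would look for exactly these three properties: exports leaving the application contain no raw identifiers, pseudonyms are keyed (so they cannot be recomputed by a recipient) and the key is held by the controller, and every read of a personal field at rest is authorized by role and leaves an audit record.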


3rd Party C&C Agreements

Risk : The organization has not established third-party management of personal data.

Object : the application to be assessed


Incident Management and Escalation

Risk : The organization has not established incident management for personal data breaches.

Object : the application to be assessed


Professional’s Guide to Privacy Knowledge
