Data Sovereignty; Qualifying Data Transactions
Rimesh Patel CEng
What it means for Cyber Security.
Demonstrating how data processing principles effect your security controls for physical and virtual activities will give your products and services a sense of data ownership, responsibility and accountability - especially if you are using frameworks that help the mapping of security controls to regulatory concepts.
For consumers, controls should be transparent so once engaged with, they inherently satisfy confidentiality, integrity and availability functions.
For businesses, being aware of your data categories and how they are prioritised alongside core services will let you naturally satisfy confidentiality, integrity and availability considerations by making sure your security postures have the correct risk mechanisms in place letting you enterprise your data strategy with sovereignty in mind.
To be sovereign, your data strategy has to better clarify the scope of territorial data and how local governance is to be satisfied for any region. Only then can swifter indigenous transaction gateway points allow you to up sell globally - or vice versa.
Where if you are using gateway solutions, it is your responsibility to know where the data processing takes place and not only just risk assessing where server exists - you need to define why the transaction needs data to be processed by that gateway for the consumer, business and enterprise. Do your third-party specialists really need to process all that data through their international processing affiliations? How do their aggregate activities effect your data processing?
A good starting point is to define what do 'digital transactions' mean within your industry;
Hospitality.
Legal.
Accountancy.
Arts & Entertainments.
Marketing.
Logistical.
GP, Dental or Medical Services.
Once your industry trends are known, look at regional and local regulation bodies, how do they advise on data sovereignty, which data points consider functional and non-functional representation on how your data is processed within a typical defined aggregate transaction. This gives more clarity to your data categories, which will help you identify where are your sensitive data points really exist that primarily need to have risk controls applied, especially if your gateway is both your business controller or processor.
More importantly, does your DPO agree with the synthesised processing that might take place? Of course, if your DPO has taken a security by design approach then how are they assuring it works? For example, does you framework controls transcend through every local, regional, national and international transaction? How have you empowered the DPO to work with all transaction points? What options are provided for the data territory to demonstrate enforceable safeguards and adequacy decision process for effective legal adherence.
Is feeding into your risk register sufficiently going to meet the requirements for insurance mechanisms, and how will your operations team be able to promote cyber resilience activities - they need to implement the polices right ? You need to demonstrate uniform data usage across all boundaries that filter down for practical implementation i.e. backup mechanisms required for data residency, or how critical mass data needs are served through the policies.
The finance and legal executives will then want to know about how the data concepts and controls effect the international data waivers, pacts and privacy laws - what data strategy is in place for them to do their function for the business? If you are using DPIA's, BIA's and GDPR related questionnaires, how are the results assured?
SAIBER Ltd has Chartered Assurance Packages available which provide independent qualified assurance, audit and advisory services. Our other packages assist your understanding of data processing principals including data architecture and migration so that your data privacy and data security efforts can demonstrate your ability to keep your territorial data sovereign and more importantly make it easier for others to interact with your business.
#RUCyberReady
What does 2026 mean for Cyber Security?
What does 2025 mean for Cyber Security?
What does 2024 mean for Cyber Security?
Securmeo & Cyberette
What does 2023 mean for Cyber Security?
What does 2022 mean for Cyber Security?
What it means for Cyber Security ?
Empower your customers and partners, by not being their digital weakest link.
What to expect in 2021 for digital ecosystems.
For your customer it means they feel safe and confident that your products or services are less likely to get caught out by the trending hack in the news. For your business, it means you are not the weakest link in the supply chain, and for industry, you can interact with others who also demonstrate good governance a chosen threat and vulnerability management framework. A vulnerability management framework has to consider assets, inherent risks and frequency of threats, including; Secure Development Life Cycle Programme User Acceptance Testing & Penetration Testing Risk Remediation & Ownership Resilience Services Patch Scheduling A vulnerability management programme will unite the above into one programme that will increase your security posture. If you are dependent on your online internet facing servers, laptops or devices, then having a dedicate resource is recommended, you can also look at outsourcing repeatable activities, however assessing each risk should have final sign-off from internal leads only. Internal risk postures are constantly moving as are external ones, so making the assessment on how actual attack vectors are going to effect your core business activities is best done internally as the vulnerability categories for risk remediation is only understood by you - including how they effect your security policy. You might have a vulnerability management policy, especially if you are risk appetite is low or your core business interacts with regulated products like heath devices, smart vehicles, utility services or any critical service. Having a dedicated policy will let you validate you have selected the right framework to make assessments of each vulnerability and making sure old vulnerability patterns are not repeated. A good vulnerability management programme will make sure you own your risk and have the right security controls in place, even if you use compensatory controls, they too will be in scope for vulnerability tests, so you must know how your resilience frameworks take effect if those controls fails. SAIBER Ltd's Vendor Neutral Vulnerability Management package will let you execute vulnerability management efficiently by empowering your resources will the correct mechanisms that consider all the above, including technical assessments. #RUCyberReady