
Personal Data Protection Act 2010 Enforced in Malaysia

Here we are finally. After months of speculation, the Malaysian Personal Data Protection Act (PDPA) came into force last week on November 15, 2013. To be honest, we weren’t really expecting this, since deadline after deadline had gone by. We have been running our workshops since December last year, and only had a vague prediction that 2014 could be the year it would be enforced after it missed the August deadline this year.

Well, surprise, we are now in a new era of data privacy and protection, and companies and individuals will be going head to head over the new currency: Information.

For the benefit of those who haven’t attended any of our workshops, here’s a summary of the 7 principles of the Act:

1) General Principle – Consent is key for this principle. Any information collected must only be used for the purpose it was given. For instance, I am giving you my information for you to process my housing loan. The next thing I know, your company is trying to sell me frozen yoghurt. Not nice. Additionally, don’t collect more than what is needed for that purpose. If you are collecting for a lucky draw, you don’t technically need to know his Credit Card number, do you?

2) Notice and Choice – My favourite. This constitutes a privacy statement at data collection points. You need to tell data subjects the nature of the data processed, the purpose, and the rights and obligations of the subject, and of course, in both Malay and English. Yes, you need both languages. The data subject should have a record or copy of the agreed notification. Time to be creative.

3) Disclosure – Only disclose what the data subject has consented to during collection, and also maintain a list of disclosures made to third parties.

4) Security – This is where we generally come in directly. While the other principles involve a lot of process changes, this principle simply states that “practical steps” must be taken to protect information from misuse, loss, modification, destruction etc. Basically the entire scope of Confidentiality, Integrity and Availability. Unfortunately, breach notification and safe harbour principles are not included in our PDPA.

5) Retention – Once the data has fulfilled its purpose, it should not be further retained.

6) Data Integrity – Steps must be taken to ensure personal data is accurate, complete, not misleading and updated to serve its purpose(s).

7) Access – Data subject must be able to access data held by the data user. The channel to correct inaccurate, misleading data must be provided to the data subject.

Additionally, PDPA has certain restrictions as follows:

a) Sensitive Personal Data – certain types of data (political opinions, religion, physical and mental health etc) cannot be processed without explicit consent. I suppose I won’t be seeing any more forms with “Religion” anymore. I always fill in “The Force” for fun, anyway.

b) Cross Border – This is a major one. Personal data cannot be transferred to a place outside Malaysia unless the minister specifies otherwise or the individual has consented. In light of cloud computing, questions will arise if we store our customer CRM in the cloud, like AWS or even Google Docs. How will this affect us?

c) Explicit rules for Direct Marketing – Direct marketing, to sell and solicit products and services, is affected the most. Now a data subject can ask a marketer to remove their data and stop processing it for direct marketing. There is a jail term of 2 years and an RM300K fine.

d) Registration – Certain industries are required to register. For those not listed, well, we don’t need to register, but the Act still covers us!

e) Codes of Practice – In the near future, data user forums will be formed, where codes of practice/guidelines for compliance will be created. The commissioner still has the final say on the effectiveness of these codes of practice. This should be interesting, as in PKF we already have a special audit for Personal Information Management, as well as a product that specifically scans for certain types of personal information in our clients’ networks.

In conclusion, we always knew this day would come, so we are not overly surprised. We have given hundreds of hours of free workshops over the last year and I hope, if you are one of those who attended, that it has spurred you on to compliance even before this announcement.

Because 3 months is an awfully short time for compliance. No better time than now to get started! Contact us at avantedge@pkfmalaysia.com or +603 6203 1888 if you require more information on our Personal data services, scans and workshops.

PCI-DSS: Challenges faced in Malaysia

What began as separate compliance programs by the major card brands is now under a unified umbrella called PCI-DSS (Payment Card Industry Data Security Standard). PCI-DSS serves to protect cardholder data and also the interests of the card brands. VISA, AMEX, MasterCard, JCB, and Discover (Diners Club) established the Payment Card Data Security Standards Council (PCI SSC). The goal of PCI SSC is to guide any institution, especially financial institutions, to have better security surrounding their credit and debit card businesses.

Is there a need for yet another compliance program? The short answer is a resounding yes. According to StatisticBrain[1], as of 18th of June 2013, in the United States alone, businesses have suffered more than 11 thousand cases of card fraud with an average loss of $4,930 for each case. In total, it has caused a financial loss of around $21 million.

In Malaysia itself, we are now faced with an alarming rise in card fraud cases. According to Bank Negara Malaysia (BNM)[2], while the number of fraud cases has decreased overall, the fraud volume still remains high. If customers, merchants and the banks do not put in a concerted effort to fight these fraud cases, many more will fall victim to increasingly sophisticated attacks. This is also supported by The United States Security Council (OSAC)[3], stating: “credit card fraud has decreased but still continues to become a problem”. In short, the frequency may be lower, but the amount each case brings is still a problem for the authorities.

In terms of PCI DSS certification, the majority of large financial institutions in Malaysia, especially banks and larger service providers, are still undergoing the process. Some have taken more than 3 years to be certified. PCI DSS is already a difficult compliance to begin with, with more than 300 controls to deal with. Financial institutions are pressured by the card brands to ensure that PCI DSS becomes their utmost priority, both internally as well as for any service provider or merchant dealing in the card business.

In some cases, one of the reasons for certification delay is the lack of documentation on each system in the PCI scope, which leads to a lack of proper maintenance of the system. This covers everything from software to hardware and network devices. This will affect the certification in the remediation phase, where the administrator really needs to identify each data flow concerning card data and clean up to ensure that unnecessary rules, ports and services are disabled. The amount of legacy rules and unmanaged inventory is significant, especially for banks with distributed branches. The undertaking is intimidatingly difficult.

Furthermore, the implementation of the Malaysian Electronic Payment System (MEPS), which allows the sharing of ATM networks, gives customers the ability to withdraw their money from a different bank’s ATM using a debit card. Debit cards are under the PCI purview, and a debit card often doubles as an ATM card that can be used to make purchases simply by swiping it and deducting the account balance. This has led to the storing of the customer’s Primary Account Number (PAN) in the institutions, and to some extent in clear text for settlement purposes, which violates the requirements of PCI DSS. The transmission of the card data must also be addressed, as the card data might travel through non-secured channels such as normal email, or open channels that allow the data to be intercepted in transit. Therefore controls have to be put in place to ensure that all networks in and out are secured.
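A minimal version of the kind of clear-text PAN check discussed above, written here as an added example (it is not PKF’s scanning product nor any code from the article): it finds Luhn-valid card numbers in a constructed settlement record and masks each one so that only the last four digits remain. The sample record, the regular expression and the function names are all assumptions made for the illustration; a real PAN scan would run the same logic over files, mailboxes and database exports in the PCI scope.

```python
import re
from typing import List, Tuple

# A PAN candidate is 13 to 19 digits, optionally separated by spaces or dashes.
# The lookarounds stop us from matching a slice of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample settlement data (not real cards; the first two are
# well-known test numbers, the third is a Luhn-invalid reference number).
SAMPLE = """settlement batch 2013-11-15 (constructed sample data)
txn 001 pan=4111111111111111 amount=120.00
txn 002 pan=5555 5555 5555 4444 amount=45.50
txn 003 ref=1234567890123456 amount=10.00
contact +603 6203 1888
"""


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check, the cheapest filter against random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the usual display form for a PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def _strip_separators(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN found in clear text, separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _strip_separators(m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact(text: str) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN in place; return (redacted text, count)."""
    count = 0

    def _sub(m: "re.Match") -> str:
        nonlocal count
        digits = _strip_separators(m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # leave non-card digit runs untouched
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_sub, text), count


if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE))
    redacted_text, n = redact(SAMPLE)
    print(f"{n} PAN(s) masked:\n{redacted_text}")
```

The Luhn check is only a filter, not proof that a number is a live card, so a scan like this is a starting point for the data-flow inventory described above rather than a substitute for it.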

Another point of concern is the PCI DSS exercise budget. Every organization, big or small, private or public listed, has a certain amount of budget allocated. While IT budgets have grown significantly, it must be remembered that PCI is NOT an IT initiative. It is a business initiative and might take a large portion of the said budget. The budget would be used to engage third-party experts or to buy actual products to mitigate the concerns. Because of budgeting, companies often overlook certain areas by cutting the budget, such as avoiding expert consultancy. They opt to do the certification or the remediation process by themselves in order to save some portion of the budget. This has a short-term yield but sacrifices the long-term goals. Taking on PCI is akin to journeying through an uncharted maze. Having a guide is therefore critical, especially for first-timers in a relatively large company.

In conclusion, there is still a long way to go for Malaysian companies to abide 100% by the requirements of PCI-DSS. For that, they need to fully understand the requirements and ensure proper scoping is done (as there are cases where one can OVERDO the compliance). For a free scoping or advisory on how we can help you in your PCI-DSS journey, drop us an email at avantedge@pkfmalaysia.com or contact us at +603 6203 1888.

Article by: Wafiy Karim

PKF Avant Edge Sdn Bhd

PPWG (Protection Profile Working Group) Workshop at the Lexis

On the 10th – 11th October 2013, we had a meeting of all the Protection Profile Working Groups (PPWG) in Lexis Hotel, Port Dickson.

The PPWG is an initiative under Thrust 3: Cyber Security Technology Framework of the National Cyber Security Policy (NCSP), which in turn addresses cyber risks pertaining to Malaysia’s Critical National Information Infrastructure (CNII). 4 PPWGs were established:

1. Data Protection

2. Network Devices

3. Application

4. Smart Card and related devices

The idea behind this was to set up standards and frameworks for developers to adhere to, to ensure information security is embedded in the system, instead of tacked on. We are, in all aspirations, like the National Institute of Standards and Technology (NIST) in the US.

PKF Avant Edge was formally invited at the beginning of this year to be part of the PPWG3 group, comprising representatives from MIMOS, Cybersecurity, IRIS, Bank Negara and a few other private companies. In our first meeting, there were several representatives from industry aside from the ones named above; but by the time this workshop rolled in, and after several iterations of all-day meetings to discuss the standards and protection profile for banking applications, we were the only ones left.

The idea behind PKFAE’s participation and our continuous support for the PPWG is not so much for profit as for our philosophy. We don’t get anything out of it. The meetings are all day, 9 – 5 in Technology Park, in MIMOS’ HQ, and PKFAE’s representative is the managing director himself, not any other member of the company. So from a time-cost perspective, it doesn’t really make too much sense for us to be part of it. But our philosophy has always been to balance profitability and responsibility. These are the reasons why we give free workshops on the Personal Data Protection Act and project management; why we give free talks and industry contributions to universities; why we spend time engaging the government and educational societies in bringing information security awareness: we don’t get paid at all, and yet we do it. The underlying idea is to contribute back to the industry you are part of. If not in charity or donations, then in time and value. It does sound utopian, but we started the company with these basic tenets, so why not just continue on?

As such, aside from the government agencies, we are one of the few, if not the only, consulting firm participating in our PPWG. It takes a lot of hard work and sacrifice, as well as doing something without any fees. We are not looking for any reward; we see it simply as something we need to be part of, as the basic form of our existence.

Once in a while, it’s still nice to get away from it all to Port Dickson, of course.

Good View from my room

Session ongoing from one of the PPWG

PKF Avant Edge in the ASEAN Financial Institution Conference Hanoi

I was invited to attend the 2013 ASEAN Financial Institution Conference in Hanoi as one of the speakers. My presentation (done in a video scribing mode) was on “Navigating the PCI-DSS Journey”. It was a topic close to heart of course, with many of our clients either undergoing PCI-DSS or starting the PCI DSS journey.

Overall, it was a great experience. I went with my Project Management Director, CB Chan, and met up with our PKF colleagues in Vietnam, who also joined us in the conference. We managed to not just meet with other technology partners and conference speakers, but also representatives from other banks in Vietnam.

As always, networking is vital for the survival of our business. The experience itself was an added bonus as Hanoi was a bustling city packed with motorbikes and people.

Possibly not the most photogenic people (we are technologists and accountants after all, not models) but we’re still proud of our little space for consultation and advisory.

Aside from those listed, where PKF is proudly the only consultation and advisory firm, Cybersecurity and MDEC were also represented from the Malaysian contingent.

Other mugshots we had:


What we can learn from Hollywood

One of my favourite actors is Chris Evans.

That was before he decided to wear blue spandex, carry a shield with the American flag on it and become decidedly the wimpiest of the Avengers.

But before that, he was in a film called The Losers, and in one of the most epic scenes of the film, he showed us how the best security can be circumvented by the weakest link of all: humans.


In the above scene, albeit dramatised, and of course relevant only for about 2:30 minutes (the chase around the office etc. was borderline ridiculous, but hey, it’s Hollywood), it’s quite an interesting breakdown.

So the scene was that these guys had to break into a high-security office to download a key to decode a disk (or something). Seems fair I think, except in real life, you wouldn’t keep a base encryption key on your desktop. Put it in a Hardware Security Module, or lock the USB up in a safe. OK anyway, assuming they don’t do that, basically Chris Evans needs to get into the office and steal the key.

1. Dress as a courier. A courier always has business in a company, right? I mean, packages get delivered right and left. He rides a bicycle in, which is notable, since it’s easier for him to get access. But wait, where’s the physical security? Even in Malaysia, a guard will be at the front door telling him to park somewhere else. OK, it’s trivial. He’d still get past the guard.

2. Getting past the front desk. He acts distracted, singing Don’t Stop Believing and listening to the song. He quickly gets past the front desk by jotting down some stuff. Wait, the girl must be in love with Captain America or something, because how on earth can a courier just get past like that? What if he was carrying a bomb? Isn’t there a procedure stating that he has to leave the package down at the centre? It’s ideal, but hey, I’ve gone into dozens of companies the same way, where they don’t have turnstiles; I would either follow a crowd to the elevator area, or I simply walk past the front desk like I was an employee. Some companies I’ve gone to even had their lifts accessible directly from the car park to the office floors without going through the front desk! So, yes, this is believable.

3. Making sure no one enters the lift with him. This is stretching it. It’s not easy for this to occur, even if he’s a weirdo. People generally don’t like to wait, so yeah, I’d go into the lift with a weirdo. I wouldn’t go into the lift with a guy who looks like Danny Trejo holding a machete, of course. So Chris Evans acts weird and everyone is miraculously not in a hurry and decides to wait for the next lift. OK, this is acceptable…I mean, he could have taken the staircase with the same results anyway.

4. He changes in the lift and gets spotted by some ladies. The ladies should technically raise the alarm, but hey, it’s Chris Evans, right. So this is totally believable.

5. He talks on the phone in a lift to get the security head out of his room. Well this is dumb luck really. What if Mr Andersen was taking a pee? Plus, how did he get a reception? OK, on the security end, why is it so easy for the front desk to patch Chris Evans through? And when it’s all said and done, what happened to his backpack? It magically converts into a briefcase.

6. Tailgating. This is totally believable. Someone opens the door, and he slips right in. Done this a dozen times, because in Malaysia, it’s considered rude to question people, especially if they have a tag and look like Captain America.

7. Getting past the personal secretary. This is pretty good. First, he introduces himself as Skippy, a nickname, to try to establish a personal affinity with the girl. He also throws down some technical jargon to sound official, assuming that the PA has no idea what he’s chattering about. The PA did right; she didn’t let him in the room. He immediately says, “Upstairs is riding him etc.” This is psychologically believable…this is how employees build trust, by defining a common enemy, in this case, upper management. Which lower-level employee has not faced the brunt of unreasonable pressure from senior management? You immediately relate to Chris Evans, and as someone quoted, “Great peril brings light the fraternity amongst strangers.” Try it next time. Focus on a common enemy, and you’ll be making great friends in your workplace. He ends it with a compliment, and she is immediately besotted.

8. Getting past the desktop. OK, this is not great, because the guy doesn’t even lock his computer. Plus, we’ll give him the benefit of the doubt that he had a pretty high-tech program to immediately find the key and download it in 10 seconds. It’d take me like 30 minutes to go through someone’s folders. He also says something about going into the mainframe. OK, this is VERY high-tech stuff, searching for the key in a mainframe and bypassing remote access security.

Of course, he gets caught in the end but ends up escaping anyway. We learnt three things here:

1) The weakest link to IT security is People.

2) Acting bat crazy can get you into high security areas.

3) Also, looking like Captain America will generally get past any type of physical or logical security.

Enjoy!



© 2024 PKF AvantEdge
