
PKF Avant Edge PDPA Workshop with Dr Zainal Abidin Sait

On the 25th of February, PKF Avant Edge, together with the MAD Incubator, organised our largest Personal Data Protection Act (PDPA) workshop to date. This was our 8th PDPA workshop since November 2012, and our second one held with the MAD Incubator at the MSC Technology Commercialisation Centre in MMU, Cyberjaya. We had almost 200 people registered for the event, in large part because of our speaker, Dr Zainal Abidin Sait, the Deputy Director General of the Personal Data Protection Department under the Ministry of Communication & Multimedia. In other words, for many people, PDPA straight from the horse's mouth.

It took some time for us to organise this, partly because of the festive season in January and February, but mainly because Dr Zainal is a very busy man. Even when we took the time to meet him at his Putrajaya office in the KKMM building to confirm the agenda, I only had him for 10 minutes or so. It would have been shorter, but I suspect he was polite enough to give us a bit more time, seeing that we had come all the way to see him over something that could have been done by email. I am, in many respects, extremely old school in this regard: 10 minutes face to face is worth 100 emails back and forth.

The main reason I wanted to organise this workshop was to shape it as a Q&A session. Aside from being the speaker for the past 7 workshops we have done (all for free; I see it as part of our CSR), I have attended many PDPA talks. In most cases they were conducted by legal practitioners. Very experienced ones. They were very good, and they went through the Act thoroughly, dissecting it with all the legal pizazz the Act deserves. But like me, they are not enforcers. Our interpretation comes through our own lenses, and try as we might, we carry some bias and probably some misunderstanding of the Act itself. This was made worse by what I heard from clients about the stringent requirements of the Act as set forth by their company lawyers. Again, they are not enforcers, and legal practitioners, bless their souls, would rather err on the side of caution. The result is that some of my clients are so exasperated with the Act, as it had been explained to them, that they believed it required them to get people to sign consent forms before handing them Parkson gift vouchers. Yikes. Time to get the horse on board.

So I took the first session and went through a few illustrations of data breaches for the audience, using the visualisation from www.informationisbeautiful.net. After that, I gave a live demonstration of Maltego by Paterva, a tool that trawls publicly available sources on the internet for information about an individual; we use it a lot in our penetration testing and social engineering engagements for clients. Suffice to say, these demonstrations of data mining were there to set the context for Dr Zainal to work his magic. I went through the 7 principles quickly, we had the coffee break, and then from around 10:30 am to 12:30 pm Dr Zainal engaged the audience in his very frank dissection of the PDPA.

He used only a one-page PDF. He advised us to read the Act in Bahasa Malaysia. He broke down a lot of misconceptions about the Act, as well as who and what are in scope and out of scope. In all, his simple, straightforward talk on the PDPA was the best I have heard. It was down to earth, easy to understand, and invited conversation and engagement with the audience. It was not someone holding a hammer over your head; it was a person who genuinely wanted to help. Understandably, the questions started flowing in. He deftly answered most of them; for the others, I only helped by rewording them to make them clearer. It makes a HUGE difference to have Dr Zainal speak compared to legal or IT practitioners. We are limited in how we see the Act. He is not.

We presented him with a speaker's gift from PKF Avant Edge, a Royal Selangor dish with a thank-you note engraved on it. I hope we can arrange more sessions with him again. As far as first-time speakers go for us, Dr Zainal was a smashing success. Thank you, Dr.

My Slides can be downloaded here.

Dr Zainal did not use any slides, so if you missed his presentation, well... we will need to arrange another one!

PPWG (Protection Profile Working Group) Workshop at the Lexis

On the 10th and 11th of October 2013, we had a meeting of all the Protection Profile Working Groups (PPWGs) at the Lexis Hotel, Port Dickson.

The PPWG is an initiative under Thrust 3 (Cyber Security Technology Framework) of the National Cyber Security Policy (NCSP), which in turn addresses cyber risks to Malaysia's Critical National Information Infrastructure (CNII). Four PPWGs were established:

1. Data Protection

2. Network Devices

3. Application

4. Smart Card and related devices

The idea behind this was to set up standards and frameworks for developers to adhere to, so that information security is embedded in the system rather than tacked on afterwards. In aspiration, at least, it is like the National Institute of Standards and Technology (NIST) in the US.

PKF Avant Edge was formally invited at the beginning of this year to be part of the PPWG3 group, comprising representatives from MIMOS, Cybersecurity, IRIS, Bank Negara and a few other private companies. At our first meeting there were several representatives from industry besides the ones named above; but by the time this workshop came around, after several iterations of all-day meetings discussing the standards and the protection profile for banking applications, we were the only ones left.

PKFAE's participation in and continuous support for the PPWG is not so much for profit as for our philosophy. We do not get anything out of it. The meetings are all day, 9 to 5, at MIMOS' HQ in Technology Park, and PKFAE's representative is the managing director himself, not another member of the company. So from a time-cost perspective, it does not really make much sense for us to be part of it. But our philosophy has always been to balance profitability with responsibility. This is why we give free workshops on the Personal Data Protection Act and on project management; why we give free talks and contribute to universities; why we spend time engaging government and educational bodies to raise information security awareness: we do not get paid at all, and yet we do it. The underlying idea is to contribute back to the industry you are part of, if not in charity or donations, then in time and value. It does sound utopian, but we started the company with these basic tenets, so why not just continue?

As such, aside from the government agencies, we are one of the few, if not the only, consulting firms participating in our PPWG. It takes a lot of hard work and sacrifice, and it is done without any fees. We are not looking for any reward; we simply see it as something we need to be part of, as a basic part of our existence.

Once in a while, it is still nice to get away from it all to Port Dickson, of course.

Photo: Good view from my room

Photo: Session ongoing at one of the PPWGs

Quit Calling Me or I will PDPA you!

This might be what, in the near future, we, the hapless victims of thousands of unsolicited phone calls, emails and SMSes, can say to the perpetrators who haunt our dreams with midnight messages and ghostly voicemails.

Here are the facts:

1) In my SMS inbox, I have three dozen messages from the last week alone from entities I do not know. Half of them are from politicians wishing me a good Year of the Snake. Others are from banks. Others from Astro. And I just had one telling me there is an MACC stand-up comedy coming up. What. The.

2) I have received some ridiculously timed phone calls. One came a few days back when Unifi was facing a nationwide outage, which had all of TM support coming back from their homes to fix it, given that they have a one-year downtime policy with a commitment to update customers every 500 hours of downtime. Yes, I am being sarcastic. Unifi is a good intention and we appreciate it, but there are still a lot of holes to plug in that service. Halfway through one of the worst Unifi outages in the history of its short existence, I received a chirpy call from a woman identifying herself as a representative of TM. I immediately thanked the gods for such superb initiative from TM: calling me to apologise and to have my Unifi fixed immediately, without my having to lodge a call (which was not possible anyway, since the Unifi support line was also down). Instead, the chirpy woman started asking whether I wanted to upgrade my Unifi package to a better one. I asked her if she was aware that there had been a major outage and the entire world was tweeting #unifi and trending #garbage. She happily responded that she had no idea. I wish we could audit Unifi support against ISO 20000 or ITIL. I bet we could add some value there.

3) How many emails have we received from companies we have unwittingly given our information to? I am not talking about the health hormone, Nigerian scam or appendage enlargement junk email. I am talking about unsolicited marketing material from restaurants we have visited, companies we have met along the way, and so on. Admittedly we have done such things too (updating our customers), but I have received piles and piles of emails and terabytes of documents. It is time for this madness to end.

So, the Personal Data Protection Act? We are not going to go through the 7 principles here; many other websites have articulated them well enough. The question here is: if I have a company and we collect personal data as part of our CORE business, are we screwed?

No, you are not. But you have some work to do.

You see, the PDPA is not telling you NOT to collect personal data. It governs the way you do it. It sets up rules, like putting a referee into a previously free-for-all football game. The good news is that the rules are not extremely rigid or specific, so there is what we unprofessionally call wriggle room. Most consulting companies have fancy terms for this, but at PKF we are what we call a coffee-shop jargon company: we do not like to throw in big terms where an easy word will do.

There are numerous ways to comply with the PDPA, which we will touch on later. We provide IT and legal assistance for PDPA compliance. But the first thing you can do for yourself is this: do you have any policies and procedures governing your business processes? If the answer is no, then that is where you will generally need to begin. A documented approach to collecting, sharing and storing personal data is essential for compliance. If you already have one, well, you are on your way to compliance even before you begin.

Let the new era of Data Protection begin!


© 2024 PKF AvantEdge
