🔐 CIA Triad & Security Principles
Confidentiality
Ensuring information is accessible only to authorized parties. Controls: Encryption, Access Control, Classification.
Integrity
Ensuring data is accurate, complete and unmodified except by authorized parties. Controls: Hashing (detects accidental change), MACs and Digital Signatures (detect deliberate tampering), Version Control.
Availability
Ensuring systems and data are accessible when needed. Controls: Redundancy, Backups, DDoS Protection.
Defense in Depth
Multiple layers of security controls. If one fails, others remain.
Least Privilege
Grant minimum access required for job function. Review regularly.
Zero Trust
"Never trust, always verify." No implicit trust based on network location.
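Added example (not from the page) showing the difference between the two integrity controls listed above, using only Python's standard library. An unkeyed SHA-256 digest catches corruption, but an attacker who can edit the record can simply recompute it; an HMAC over the same record cannot be forged without the secret key. The record, the key and all function names are constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed sample record (not from the page): an access-control entry
# whose integrity we want to protect at rest or in transit.
RECORD = {"user": "alice", "role": "analyst", "expires": "2025-12-31"}


def canonical(record: dict) -> bytes:
    """Serialise deterministically so equal records always hash the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def digest(record: dict) -> str:
    """Unkeyed SHA-256: detects accidental corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()


def tag(record: dict, key: bytes) -> str:
    """Keyed HMAC-SHA256: detects deliberate tampering by anyone without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_digest(record: dict, expected: str) -> bool:
    # compare_digest avoids leaking the match position through timing
    return hmac.compare_digest(digest(record), expected)


def verify_tag(record: dict, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(record, key), expected)


def demo() -> dict:
    key = b"server-side-secret-assumed-for-the-example"  # hypothetical key, kept off the client
    stored_digest = digest(RECORD)
    stored_tag = tag(RECORD, key)

    tampered = dict(RECORD, role="admin")  # privilege change an attacker would want
    results = {
        # Against the values stored with the original record, both checks catch the change.
        "digest_detects_change": not verify_digest(tampered, stored_digest),
        "tag_detects_change": not verify_tag(tampered, key, stored_tag),
        # An attacker who can rewrite the record can also rewrite an unkeyed digest ...
        "digest_forgeable": verify_digest(tampered, digest(tampered)),
        # ... but cannot produce a valid HMAC without the server's key.
        "tag_forgeable": verify_tag(tampered, key, tag(tampered, b"wrong-key")),
    }
    return results


if __name__ == "__main__":
    print(demo())
```

The same reasoning applies to digital signatures: a hash stored next to the data is a checksum, not an integrity control, until something the attacker does not hold (a MAC key or a signing key) is bound to it.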
⚖️ DPDPA 2023 - Key Provisions
Personal Data (Section 2(t))
Any data about an individual who is identifiable by or in relation to such data.
Data Fiduciary (Section 2(i))
Person determining purpose and means of processing personal data.
Valid Consent (Section 6)
Free, Specific, Informed, Unconditional, Unambiguous + Clear Affirmative Action
Data Principal Rights
- Right to Information (Section 11)
- Right to Correction/Erasure (Section 12)
- Right to Grievance Redressal (Section 13)
- Right to Nominate (Section 14)
Legitimate Uses (Section 7)
- Voluntary data provision
- State functions (subsidies, benefits)
- Legal obligations
- Medical emergency
- Employment purposes
Children (Section 9)
Below 18 years. Requires verifiable parental consent. No tracking/behavioral monitoring.
💰 DPDPA Penalty Matrix
Security Safeguards Failure
₹250 Crores Maximum
Section 8(5) - Failure to implement reasonable security
Breach Notification Failure
₹200 Crores Maximum
Section 8(6) - Failure to notify DPBI and Data Principals
Children's Data Violations
₹200 Crores Maximum
Section 9 - Non-compliance with children's data obligations
Significant DF Obligations
₹150 Crores Maximum
Section 10 - DPO, audits, DPIA requirements
Other Provisions
₹50 Crores Maximum
Breach of any other DPDPA provision
Aggregate Cap
None in the enacted Act
The ₹500 crore per-instance ceiling was in the 2022 draft Bill; the 2023 Act's Schedule sets only the per-category maxima above, and Section 33 directs the Board to weigh the nature, gravity, duration and repetition of the breach, any gain or loss, and mitigation when fixing an amount
🚨 Incident Response - NIST SP 800-61 Rev. 2 Lifecycle
Phase 1: Preparation
- IR policies and procedures
- Team training and tools
- Communication plans
- Playbooks ready
Phase 2: Detection & Analysis
- Monitor and detect
- Analyze and scope
- Prioritize by severity
- Document everything
Phase 3: Containment/Eradication/Recovery
- Short-term containment (isolate)
- Evidence preservation
- Eradicate threat completely
- Restore and verify
Phase 4: Post-Incident Activity
- Lessons learned meeting (within days of closing the incident, while details are fresh)
- Root cause analysis
- Update procedures, playbooks and detections
- Regulatory reporting (notification clocks usually start at detection, not at closure, so this overlaps with Phases 2 and 3)
⏱️ Regulatory Reporting Timelines
📜 IT Act 2000 - Key Sections
Section 43
Unauthorised access, copying, damage or disruption without the owner's permission - damages by way of compensation to the person affected (Civil; the original ₹1 crore ceiling was removed by the 2008 amendment)
Section 66
Computer-related offences (any Section 43 act done dishonestly or fraudulently, i.e. hacking) - up to 3 years and/or fine up to ₹5 Lakh (Criminal)
Section 66C
Identity theft (fraudulent use of another person's password, digital signature or other unique identifier) - up to 3 years and fine up to ₹1 Lakh
Section 66F
Cyber terrorism - imprisonment which may extend to life
Section 72
Breach of confidentiality and privacy (disclosure, without consent, of material obtained under powers granted by the Act) - up to 2 years and/or fine up to ₹1 Lakh
Section 79
Intermediary safe harbour - conditional on observing due diligence, not initiating or modifying the transmission, and acting on unlawful content once on notice
🎯 MITRE ATT&CK - 14 Enterprise Tactics
1. Reconnaissance (TA0043)
Gathering information about the target to plan the attack
2. Resource Development (TA0042)
Building or buying attack infrastructure, accounts and tooling
3. Initial Access (TA0001)
Getting a first foothold in the network
4. Execution (TA0002)
Running attacker-controlled code on a system
5. Persistence (TA0003)
Keeping access across restarts and credential changes
6. Privilege Escalation (TA0004)
Obtaining higher-level permissions
7. Defense Evasion (TA0005)
Avoiding detection and defensive controls
8. Credential Access (TA0006)
Stealing account names, passwords, tokens and keys
9. Discovery (TA0007)
Learning the environment: hosts, accounts, trust relationships
10. Lateral Movement (TA0008)
Moving between systems inside the network
11. Collection (TA0009)
Gathering data of interest before exfiltration
12. Command & Control (TA0011)
Communicating with compromised systems
13. Exfiltration (TA0010)
Moving stolen data out of the environment
14. Impact (TA0040)
Manipulating, destroying or disrupting systems and data
Tactics are the adversary's goals; each groups the techniques (T-numbers) used to reach it, so detections and coverage gaps are tracked at the technique level.
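Added example (not from the page) covering the Detection & Analysis phase of the incident response section above and the ATT&CK tactics listed here: a Python script that parses constructed sshd log lines, flags a source that fails logins repeatedly (T1110 Brute Force, Credential Access), raises the severity when a success follows (the attacker then also has Initial Access), and emits an alert ready for prioritisation. The log lines, thresholds and alert field names are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines for the example (not real data; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges).
SAMPLE_LOG = """\
Mar  3 10:01:02 bastion sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 bastion sshd[2012]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:09 bastion sshd[2013]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:12 bastion sshd[2014]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Mar  3 10:01:15 bastion sshd[2015]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:01:21 bastion sshd[2016]: Accepted password for root from 203.0.113.7 port 51260 ssh2
Mar  3 10:03:40 bastion sshd[2030]: Failed password for alice from 198.51.100.9 port 40011 ssh2
Mar  3 10:03:48 bastion sshd[2031]: Accepted publickey for alice from 198.51.100.9 port 40012 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd(log: str, year: int = 2025):
    """Detection step: turn raw lines into structured events (syslog omits the year, so it is assumed)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in a real pipeline, count unparsed lines; silent drops hide detection gaps
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold: int = 5, window_s: int = 60):
    """Analysis step: >= threshold failed logins from one source within window_s seconds
    is T1110 Brute Force (Credential Access). A later success from the same source means
    the attempt worked and the attacker also has Initial Access, so severity is raised."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        for i in range(len(fails) - threshold + 1):  # sliding window over failures
            first, last = fails[i]["ts"], fails[i + threshold - 1]["ts"]
            if (last - first).total_seconds() > window_s:
                continue
            success = next((e for e in evs if e["result"] == "Accepted" and e["ts"] >= last), None)
            alerts.append({
                "source_ip": ip,
                "failed_logins": len(fails),
                "users_tried": sorted({e["user"] for e in fails}),
                "technique": "T1110 Brute Force",
                "tactics": ["Credential Access"] + (["Initial Access"] if success else []),
                "severity": "high" if success else "medium",
                "compromised_account": success["user"] if success else None,
                "first_seen": first.isoformat(),
            })
            break  # one alert per source; later failures aggregate into it
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_sshd(SAMPLE_LOG)):
        print(alert)
```

The second source (one failure, then a key-based login) produces no alert, which is the scoping decision the analysis phase has to make explicitly: the threshold and window are tuning knobs, and the "success after failures" escalation is what turns a noisy medium-severity alert into one worth containing first.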
📊 Key Security Metrics
MTTD
Mean Time to Detect - from the first available indicator to detection; state the start point explicitly. Target: <24 hours
MTTR
Mean Time to Respond - from detection to containment here; "MTTR" is also used for Repair or Resolve, so say which one is being reported. Target: <4 hours
Phishing Click Rate
Clicks on simulated phishing / messages delivered - Target: <5% (track the report rate alongside it)
Patch Compliance
Critical patches applied within SLA - Target: >95%
Dwell Time
Initial compromise to detection - published figures depend on source and definition: IBM's Cost of a Data Breach reports a mean time to identify of around 200 days, while Mandiant M-Trends reports a global median dwell time of roughly two weeks or less in recent years
Training Completion
Target: 100%