Thursday, June 20, 2013

True Caller, breach of Privacy?

Me to Friend: "Hey, I got missed calls from this XXXXXX number, almost 10 times yesterday."
Friend to Me: "Give me 10 seconds and I'll find out who that is! I have the True Caller app on my Android phone."


Quite a typical scenario. You may just feel: wow, that's awesome, what a helpful app! But don't get too excited, there's a catch. Any unknown person can search by telephone number, at random, and find out whom that number belongs to.

So what I did is, I changed the last two digits of a ten-digit mobile number and, for each of the following numbers, I could get the name of the person to whom it belongs.

770 919 6001
770 919 6002
770 919 6003
770 919 6004
770 919 6005

I'm sure you might not be happy with this feature, which you may call 'search by number'. Telemarketing companies must be making the most use of this app, as they are getting a 'free' dump of potential leads from all around the globe.
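What the number walk above amounts to is plain sequential enumeration of a lookup endpoint, and it is exactly the pattern a directory service could watch for on its own side. The following is an added example, not code from this post or from True Caller: a small detector that reads constructed reverse-lookup log lines (the log format, the client identifiers and the numbers are all assumptions made up for illustration) and flags any client that queries a run of consecutive numbers inside a short time window.

```python
"""Added example (not True Caller's code): flag a client that walks a block
of phone numbers through a 'search by number' endpoint.

Assumed log format (one line per lookup, constructed for this example):
    <ISO-8601 UTC timestamp> <client_id> lookup +<E.164 digits>
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) lookup \+(?P<number>\d{7,15})$"
)

# Constructed sample log: "app-7f3a" walks +17709196001..+17709196005 in
# eight seconds; "app-0c11" makes two unrelated lookups (a normal user).
SAMPLE_LOG = """\
2013-06-20T10:00:01Z app-7f3a lookup +17709196001
2013-06-20T10:00:02Z app-0c11 lookup +14155552671
2013-06-20T10:00:03Z app-7f3a lookup +17709196002
2013-06-20T10:00:05Z app-7f3a lookup +17709196003
2013-06-20T10:00:07Z app-7f3a lookup +17709196004
2013-06-20T10:00:09Z app-7f3a lookup +17709196005
2013-06-20T10:05:00Z app-0c11 lookup +442079460000
"""


def parse_log(text):
    """Yield (timestamp, client_id, number_as_int) for every well-formed line.

    Malformed lines are skipped rather than allowed to crash the detector;
    a scraper should not be able to blind the check with a bad line.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group("client"), int(m.group("number"))


def find_enumerators(text, run_length=4, window_seconds=60, step=1):
    """Return {client_id: [first_number, last_number]} for every client that
    looked up `run_length` numbers differing by exactly `step`, in ascending
    order, with the whole run inside `window_seconds`.

    Ordinary users look up scattered numbers; someone harvesting leads walks
    a contiguous block, which is what this catches.
    """
    by_client = defaultdict(list)
    for ts, client, number in parse_log(text):
        by_client[client].append((ts, number))

    flagged = {}
    for client, events in by_client.items():
        events.sort()  # chronological; ties broken by number
        run = [events[0]]
        for (_, prev_n), (cur_ts, cur_n) in zip(events, events[1:]):
            in_window = (cur_ts - run[0][0]).total_seconds() <= window_seconds
            if cur_n - prev_n == step and in_window:
                run.append((cur_ts, cur_n))
            else:
                run = [(cur_ts, cur_n)]  # sequence broken: start a new run
            if len(run) >= run_length:
                flagged[client] = [run[0][1], run[-1][1]]
    return flagged


if __name__ == "__main__":
    for client, (first, last) in find_enumerators(SAMPLE_LOG).items():
        print(f"{client} walked +{first} .. +{last}")
```

On the sample log only app-7f3a is reported, as having walked +17709196001 through +17709196005; shrinking the window to five seconds or raising the required run length to six clears it, which is the knob a service would tune against its real traffic before throttling or blocking a client. The detector deliberately keys on the arithmetic step rather than on raw request rate, because a slow walk over a block is still a walk.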

I don't want to touch on any other pros/cons of True Caller, as I'm mainly interested in the 'search by number' feature.

Let me give you an idea about how True Caller gets your details.
Somebody who has your mobile number and name saved in his phone installs the True Caller app. He does nothing more, and his contact list gets synced with True Caller's database! Basically you have no control over keeping yourself from getting listed in this global directory!

But don't panic: True Caller offers you the freedom to get unlisted from their database/global directory. All you need to do is visit http://www.truecaller.com/unlist. If you are very concerned about your privacy, just unlist yourself!

True Caller, in my view, is a 'new generation mobile Yellow Pages' which is being used all over the world. I have often heard/seen people making a fuss about True Caller and breach of privacy. But after reading http://www.truecaller.com/how-it-works/ one can understand why it's not really a 'breach of privacy'.

But there's still a catch: I'm unsure whether unlisting from True Caller really removes you from True Caller's database. They might simply keep a flag next to every telephone number in their database which tells the app whether or not to show that number in search results. In that case the number is not actually deleted from True Caller's database, and yes, that is a MAJOR privacy/security breach. And I highly suspect that must be the case with True Caller.

Finally, I would conclude that in this digital and connected world it is difficult to keep yourself 'private'. The word privacy holds literally no meaning when you do not control the data/information that is flowing through the web of interconnected electronic devices. If you want to hide yourself from True Caller's listing, just unlist yourself, but it might not actually remove you from True Caller's database! So should you curse people for saving your telephone number in their contact list? Well, that would be silly, wouldn't it?

Friday, June 14, 2013

Compliance - The Dark Side

[Specific to Information Security]

Before touching the main point, let me give you an idea about what exactly compliance is.

In simple words, compliance is nothing but adherence to standard rules that are accepted all over the world. Entities in a particular industry have to comply with certain standards to gain licenses and customer trust in order to operate and generate cash flow.

For example, say you are an eCommerce entrepreneur who deals heavily with online money by using a third-party payment solution which is PCI DSS compliant. If you want, and have sufficient capability, to process online transactions on your own, then you have to comply with the PCI DSS standard and get your facility certified, and you are ready to do business on your own!

Sounds simple, right? But it isn't simple at all!

Roughly, I would say there are a few steps:
  1. Identify your business vertical.
  2. Find out the different compliance regimes/standards which may be mandated, or may help you win customers. (Some of your customers may explicitly ask you to comply with certain standards, like ISO 9001 for quality or ISO 27001 for information security, before dealing with you.)
  3. Identify the scope for which you would like to go ahead and get certified. (The scope can be a department within the company or the whole company.)
  4. Hire a consultant, get the standard implemented and get it certified by a certifying body!

Let's talk specifically about information security related compliance/standards like ISO 27001, PCI DSS, etc.

Ideally, once an organization gets itself certified for the first time, it has to follow the guidelines/processes that are defined and then undergo recertification after a stipulated time period, say every 2 years. This ensures that the organization complies with industry best practices, i.e. the standards.

But what exactly happens?

Case 1: XYZ, a software development firm, contacts ABC, an information security consulting firm, and asks them to help in getting ISO 27001 certified. ABC deploys its resources on XYZ's premises and makes sure all the processes are as per the required standard. Once implementation is done, a lead auditor visits XYZ, audits the processes against the ISO 27001 standard, and eventually XYZ earns its ISO 27001 certification. Barely a month later they start operating the way they used to prior to earning the certification, as if they had never heard of ISO 27001 compliance.
Meanwhile they keep winning customers by showing that they comply with ISO 27001 and are certified too!
Just before the certification expires, XYZ contacts ABC again and asks for help with recertification. The IT manager asks every department head to make sure everybody is following all the policies, and again, for a while, the process documents start getting followed.

So why this *fuss* about compliance? Organizations today worry about compliance and not about security, but they forget that merely getting a certificate for your organization doesn't guarantee you security, unless your people, your employees, actually follow the processes religiously.

Hardening the servers and updating log books just before an audit can fool the auditor, but not the hackers. Today's hackers are sophisticated; they do proper reconnaissance before attacking your organization's assets. They know your weak links: your people. It might be easy for you to harden the servers, but it's a pain when it comes to hardening the people.

So how do you tackle this situation? A surprise audit, maybe yes! This should be done by the certifying bodies (CBs) who give out the certification to organizations. Some time after an organization is certified, the CB should do a surprise audit to check whether the organization is still following the standard that is set. I have heard from experts that audits are never a surprise. But in my opinion there has to be a separate term, 'surprise audit', for something the CBs do in order to maintain a certain discipline.

In my opinion the flow should be:
Compliance implementation (Day 0 to Day 30) --> Internal audit (Day 31) --> Fixing of NCs, i.e. non-conformities (Day 32 to Day 36) --> Final audit (Day 40) --> Surprise audit (~ Day 110)

After the security audit, the CB should issue NCs to the organization along with a warning. The organization should fix the NCs and produce a report to the CB. On any further NCs, the organization's certificate should be revoked by the CB.

Though this also will not guarantee 100% security, it will at least ensure things are more hardened than they were earlier. This will help the overall security ecosystem.

*** IMPORTANT NOTE: THESE ARE MY PERSONAL VIEWS, THIS HAS NOTHING TO DO WITH ANY PARTICULAR ORGANIZATION THAT I WAS/AM ASSOCIATED WITH ***