Please note! This essay has been submitted by a student.
The Semantic Web extends the World Wide Web by providing standards for expressing relationships between web information. The Semantic Web deals primarily with data instead of documents. It enables data to be annotated with machine-understandable metadata, allowing its retrieval and its use in the correct context to be automated.
Semantic Web technologies include languages such as the Resource Description Framework (RDF) and the Web Ontology Language (OWL) for defining ontologies and describing metadata using these ontologies, as well as tools for reasoning over these descriptions. These technologies can be used to provide common semantics for privacy information and policies, enabling all agents that understand basic Semantic Web technologies to communicate and use each other's data and services effectively.
In one of our prior works, we described a new integrated methodology for the lifecycle of IT services delivered on the cloud and demonstrated how it can be used to represent and reason about services and service requirements, and so automate service acquisition and consumption from the cloud. In this paper too, we build a knowledge graph with the help of Semantic Web technology.
Consumer is mainly obligated to the regulations below:
→ Notify the Supervisory Authority about a personal data breach
→ Communicate a personal data breach to the data subject
→ Carry out a Data Protection Impact Assessment (DPIA)
→ Consult the Supervisory Authority before processing if the DPIA shows high risk
→ Appoint a Data Protection Officer (DPO) when processing personal data on a large scale
Provider is mainly obligated to the regulations below:
→ Support the consumer during data breaches
→ Process data as per the consumer's instructions
→ Maintain records of all processing activities
→ Provide sufficient data security to the consumer
→ Implement Privacy by Design / Default
→ Assist the consumer in DPIA review / risk processing
→ Remove all personal data after the end of provision
→ Notify the consumer of subcontracting
→ Cooperate with the Supervisory Authority
→ Comply with certification requirements
→ Obtain parental consent if any services are offered to a child
→ Follow the requirements for appointing and acting as a DPO
→ Fulfil the data subject's rights
→ Comply with the rules when transferring data outside the EU
Table 1: Summary of GDPR obligations.
2.3) PCI DSS
In our previous work we built a PCI DSS ontology based on the 12 requirements defined by the PCI DSS council. The goal of PCI DSS is to protect cardholder data wherever it is processed, stored or transmitted. The security controls and processes required by PCI DSS are vital for protecting cardholder account data, including the PAN, the primary account number printed on the front of a payment card. Figure 1 below shows the details on a cardholder's card. These include sensitive data that is printed on the card or stored on the card's magnetic stripe or chip, and the personal identification number entered by the cardholder.
In general, if an organization deals in card transactions then it must follow the key policies listed in the sections below. These policies are part of the latest PCI DSS version, 3.2, released in 2016.
Build and maintain a Secure Network
‘Install and maintain a firewall configuration to protect cardholder data’. The network configuration and its security requirements should be shared by the IT team and the cloud service providers. ‘Define system password and its security parameters’. This means that all the default passwords supplied by the providers should be changed when a system is installed in the configured network.
Protect Cardholder Data
‘Protect stored cardholder data’. This means that only necessary data should be stored, and at least every quarter any unnecessary data should be purged. PAN details should be masked: the first six and last four digits are the maximum number of digits you may display. Also, PAN details must be made unreadable wherever they are stored. ‘Encrypt transmission of cardholder data across open, public networks’. This rule of the PCI DSS policy asks the organization to use strong cryptography and encryption technologies such as SSL/TLS, SSH or IPsec to safeguard sensitive cardholder data during transmission over any network.
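As an added example (not code from the essay or from PCI DSS itself), the following Python shows the three storage and display rules above in working form: a PAN is displayed with at most the first six and last four digits, it is stored only as a keyed one-way hash so the stored value is unreadable without the key, and free text such as log lines is scrubbed of any Luhn-valid card number before it is written. The key `TOKEN_KEY` and the sample PANs are constructed for the example; the 13-19 digit range and the Luhn check are the standard PAN format rules.

```python
import hashlib
import hmac
import re

# Constructed secret for the keyed hash. In a real deployment it comes from a
# key-management system, never from source code.
TOKEN_KEY = b"example-only-key-from-kms"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form of a PAN: at most the first six and last four digits are shown."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unreadable_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Storage form of a PAN: HMAC-SHA256 under a secret key, hex encoded.

    The stored value can be matched against a later presentation of the same PAN
    (recompute and compare) but cannot be reversed to the PAN without the key.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# A run of 13-19 digits not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def redact_pan_in_text(text: str) -> str:
    """Replace every Luhn-valid 13-19 digit run in free text (log lines, error
    messages, support tickets) with its masked form so that full PANs never
    reach storage; digit runs that fail Luhn (timestamps, order ids) are kept."""
    def _sub(m: "re.Match[str]") -> str:
        candidate = m.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample values; 4111111111111111 is a well-known test PAN.
    sample = "4111111111111111"
    print(mask_pan(sample))
    print(unreadable_pan(sample))
    print(redact_pan_in_text("charge card=4111111111111111 order=1234567890123456"))
```

The redaction step is the one most often missed in practice: masking the PAN on screen does nothing if an exception handler or debug statement writes the raw value to a log that is then retained for a year.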
Maintain a Vulnerability Management Program
‘Use and regularly update anti-virus software or programs’. All systems and servers should have anti-virus software to prevent malicious activity. At the same time, anti-virus services should be running in the background and generating audit logs. ‘Develop and maintain secure systems and applications’. This policy ensures that all patches are installed on time whenever new patches are published by the vendors. Any changes to system components or application code must be made through proper change-control procedures. Also, firewall protection should be ensured for any public-facing web applications.
Implement Strong Access Control Measures
‘Restrict access to cardholder data by business need to know’. This policy ensures that access to system components and cardholder data is limited. Also, an access control system for system components should be in place for multiple users; it must restrict access based on a user's needs and should be set to “deny all” unless access is specifically authorized. ‘Assign a unique ID to each person with computer access’. This policy ensures that any person who accesses the data has a unique ID, which helps in tracing an individual's activity in case of any violation or misuse. Also, two-factor authentication should be required for remote logins to the network, for example using an RSA token or other technologies that facilitate two-factor authentication. ‘Restrict physical access to cardholder data’. This ensures that proper facility controls are applied to the cardholder data environment and that only individuals with proper authorization are allowed to access cardholder data. Visitors should be given a token with an expiry, and a visitor log must be maintained for tracking purposes.
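The logical access rules above (default deny, explicit need-to-know grants, one unique ID per person, two-factor authentication for remote access, and an audit trail linking each decision to an individual) fit in one small policy evaluator. This Python is an added example, not code from the essay; the component names, user IDs and the list of rejected shared account names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


@dataclass
class AccessRequest:
    user_id: str         # must identify one person; shared or empty IDs are rejected
    component: str       # system component in the cardholder data environment, e.g. "cde-db-01"
    action: str          # e.g. "read", "write"
    remote: bool         # True when the session originates outside the network
    mfa_verified: bool   # second factor completed for this session


@dataclass
class AccessPolicy:
    """Explicit allow rules only: anything not granted is denied ("deny all")."""
    allow: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)
    # Constructed list of generic account names that cannot be tied to one person.
    shared_ids: Set[str] = field(default_factory=lambda: {"", "admin", "root", "guest", "shared"})
    audit: List[dict] = field(default_factory=list)

    def grant(self, user_id: str, component: str, action: str) -> None:
        """Record a need-to-know grant for one person on one component/action."""
        self.allow.setdefault(user_id, set()).add((component, action))

    def authorize(self, req: AccessRequest) -> Tuple[bool, str]:
        """Evaluate a request; every decision is appended to the audit trail."""
        if req.user_id in self.shared_ids:
            decision, reason = False, "no unique user id"
        elif req.remote and not req.mfa_verified:
            decision, reason = False, "remote access requires two-factor authentication"
        elif (req.component, req.action) in self.allow.get(req.user_id, set()):
            decision, reason = True, "explicitly authorized"
        else:
            decision, reason = False, "not authorized (default deny)"
        # The audit entry links the individual to the component they touched.
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user_id": req.user_id,
            "component": req.component,
            "action": req.action,
            "remote": req.remote,
            "allowed": decision,
            "reason": reason,
        })
        return decision, reason


def build_demo_policy() -> AccessPolicy:
    """Constructed policy: alice may read the database; nobody else has grants."""
    policy = AccessPolicy()
    policy.grant("alice", "cde-db-01", "read")
    return policy


if __name__ == "__main__":
    p = build_demo_policy()
    for r in (
        AccessRequest("alice", "cde-db-01", "read", remote=False, mfa_verified=False),
        AccessRequest("alice", "cde-db-01", "write", remote=False, mfa_verified=False),
        AccessRequest("bob", "cde-db-01", "read", remote=False, mfa_verified=False),
        AccessRequest("admin", "cde-db-01", "read", remote=False, mfa_verified=True),
        AccessRequest("alice", "cde-db-01", "read", remote=True, mfa_verified=False),
        AccessRequest("alice", "cde-db-01", "read", remote=True, mfa_verified=True),
    ):
        print(r.user_id, r.action, "remote" if r.remote else "local", "->", p.authorize(r))
```

The ordering of the checks matters: the identity and second-factor checks run before the grant lookup, so a request that cannot be tied to one authenticated person is denied even when a matching grant exists.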
Regularly Monitor and Test Networks
‘Track and monitor all access to network resources and cardholder data’. This ensures that an established process is implemented to link the access of individuals to system components. Log activity of the system components must be reviewed daily, and audit trail history must be retained for at least one year, with three months of activity immediately available. ‘Regularly test security systems and processes’. This ensures that test procedures are in place to detect access points and unauthorized users. Also, external and internal penetration testing should be performed, including network- and application-layer penetration tests, at least annually.
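To make the daily review and the retention rule concrete, here is an added Python example (not code from the essay) that parses a handful of constructed access-log lines, assigns each entry a retention tier (three months online, one year in archive, older than that eligible for disposal) and flags the entries a reviewer would look at first: accesses that cannot be linked to an individual, denied accesses, and lines the parser cannot read at all. The log format, the fixed reference time `NOW`, and the 90-day and 365-day boundaries are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed log format: "<ISO timestamp> user=<id> component=<name> action=<verb> result=<outcome>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S*)\s+component=(?P<component>\S+)"
    r"\s+action=(?P<action>\S+)\s+result=(?P<result>\S+)$"
)

# Assumed retention boundaries: three months immediately available, one year kept.
ONLINE_WINDOW = timedelta(days=90)
RETENTION_WINDOW = timedelta(days=365)

# Fixed reference time so the example is reproducible (constructed).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample lines: one untraceable access, one denied write, one
# entry older than a year, and one corrupt line.
SAMPLE_LINES = [
    "2024-05-30T08:00:00Z user=alice component=cde-db-01 action=read result=success",
    "2024-05-30T08:05:00Z user= component=cde-db-01 action=read result=success",
    "2024-01-15T23:00:00Z user=bob component=cde-app-02 action=write result=denied",
    "2023-04-01T00:00:00Z user=carol component=cde-db-01 action=read result=success",
    "corrupt line with no fields",
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def retention_tier(ts: datetime, now: datetime) -> str:
    """Where an entry of this age must live under the assumed retention rule."""
    age = now - ts
    if age <= ONLINE_WINDOW:
        return "online"
    if age <= RETENTION_WINDOW:
        return "archive"
    return "purge-eligible"


def daily_review(lines: List[str], now: datetime) -> Tuple[Dict[str, int], List[Tuple[str, str]]]:
    """Count entries per retention tier and collect findings for the daily review."""
    tiers = {"online": 0, "archive": 0, "purge-eligible": 0}
    findings: List[Tuple[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparseable", line))
            continue
        tiers[retention_tier(rec["ts"], now)] += 1
        if not rec["user"]:
            # An access with no user ID cannot be linked to an individual.
            findings.append(("untraceable access", line))
        if rec["result"] == "denied":
            findings.append(("denied access", line))
    return tiers, findings


if __name__ == "__main__":
    tiers, findings = daily_review(SAMPLE_LINES, NOW)
    print(tiers)
    for kind, line in findings:
        print(f"{kind}: {line}")
```

Unparseable lines are reported rather than skipped: a log source that silently changes format is itself a monitoring gap, since the access it records no longer reaches the review.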
Maintain an Information Security Policy
‘Maintain a policy that addresses information security for all personnel’. This ensures that the PCI DSS policy that has been established, published and maintained contains clear, descriptive definitions of the procedures, that everyone in the organization knows them thoroughly, and that the policy is reviewed at least once a year.