Page 1

Privacy and Trust In Europe

Mike Small, Principal Consultant Security Management, CA EMEA

Page 2

CA Support for Privacy, Trust and Compliance

CA’s Enterprise IT Management approach is based on standards and best practices such as COBIT and ISO 27002.

Many of CA’s products are evaluated under the Common Criteria (ISO/IEC 15408) for computer security.

CA’s IT security practitioners are CISSP accredited.

Meeting the challenges of privacy, trust and compliance

Page 3

Privacy - Why Does it Matter?

Clarkson eats words over lost data

TV presenter Jeremy Clarkson said in a newspaper column that the data lost by staff at HM Revenue & Customs was useless, and published his own bank details in the article to prove his point.

However, he was forced to apologise publicly after £500 was quickly removed from his account.

Page 4

Privacy - Why Does it Matter?

Unproven allegations kept on UK Criminal Records Bureau files

A High Court judge has acknowledged that workers' careers can be ruined by unproven allegations kept on police files but refused to allow a challenge to the rules.

Mr Justice Blake added that he was powerless to stop details of unproved accusations being passed to managers because the Government and police had clearly intended that they should be, in order to protect vulnerable groups.

The 1997 Police Act had placed officers under a duty to disclose allegations to employers, even when they had not been proved, provided they were relevant and not too historic.

UK Daily Telegraph, 15th September 2008

Page 5

Privacy – OECD Principles

Principle: Explanation

Collection Limitation: There should be limits to the collection of personal data, and any such data should be obtained with the knowledge or consent of the data subject.

Data Quality: Personal data should be relevant to the purposes for which they are to be used, and should be accurate, complete and kept up-to-date.

Purpose Specification: The purposes for which personal data are collected should be specified and the subsequent use limited to these.

Use Limitation: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified.

Security: Personal data should be protected by reasonable security safeguards.

Openness: There should be a general policy of openness about developments, practices and policies with respect to personal data.

Individual Participation: An individual should have the right to obtain data related to him in a timely and low-cost manner and to correct errors.

Accountability: A data controller should be accountable for complying with measures which give effect to the principles stated above.

Source: OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data, 23rd September 1980

Page 6

Privacy – European Laws

EU Directive 2002/58/EC (Directive on Privacy and Electronic Communications)

Providers of publicly available electronic communications services (i.e. telecommunications companies) must safeguard the security and confidentiality of communications on their services.

EU Directive 95/46/EC: personal data should be (Article 6)

- Only collected for specified, explicit and legitimate purposes
- Relevant and not excessive for the purpose collected
- Accurate and, where necessary, updated
- Maintained in a form that allows identification of data subjects for no longer than necessary

Page 7

Privacy – EU Directive 95/46/EC

This Directive applies to data processed by automated means and data contained in or intended to be part of non-automated filing systems.

The Directive aims to protect the rights and freedoms of persons with respect to the processing of personal data by laying down guidelines determining when this processing is lawful.

Page 8

Privacy – Employee Surveillance

EU Article 29 Working Party, Working Paper 55 on the surveillance of electronic communications in the workplace:

Prevention should be more important than detection. Any monitoring measure must pass a list of tests:

a) Is the monitoring activity transparent to the workers?

b) Is it necessary? Could the employer not obtain the same result with traditional methods of supervision?

c) Is the processing of personal data proposed fair to the workers?

d) Is it proportionate to the concerns that it tries to allay?

The employer must inform the worker of:

i. the presence, use and purpose of any detection equipment and/or apparatus activated with regard to his/her working station, and

ii. any misuse of the electronic communications detected (e-mail or the Internet), unless important reasons justify the continuation of the secret surveillance.

Page 9

Trust

A receipt for payment

Photo reproduced with permission from the Daily Telegraph (UK)

Page 10

Which organizations do people trust?

Which organizations would you trust MOST to protect your personal data?

- Banks: 60%
- Credit card companies: 40%
- Government: 25%
- Online retailer: 19%

Poll by YouGov plc conducted between 3rd - 5th September 2007 in the UK with a sample size of 2,156 adults.

Page 11

Ensuring Privacy and Trust: Standards and Best Practice

- COBIT
- Common Criteria for Information Technology Security Evaluation, ISO/IEC 15408-1 to 15408-3
- ISO 27001 Information security management systems - Requirements
- ISO 27002 Code of practice for information security management
- Payment Card Industry (PCI) Data Security Standard

Page 12

Mapping Privacy to COBIT

Plan & Organize
- Justify processing: consent, legal obligations, justified interest
- Notify authorities: unless exempted, report processing to the DPA or CPO

Acquire & Implement
- Specify purpose for data collected
- Inform data subjects: ensure the subject is aware of the data processing and the reason for it

Deliver and Support
- Ensure data quality: relevance, accuracy and updating
- Ensure security: IT security measures
- Ensure subject participation
- Restrict data transfer

Monitor & Evaluate
- Ensure respect of data purpose
- Monitor accuracy
- Monitor security
- Monitor data transfer

Page 13

Ensuring Privacy and Trust: Training and Accreditation

ISACA (Information Systems Audit and Control Association)
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)

ISC2, the International Information Systems Security Certification Consortium
- Certified Information Systems Security Professional (CISSP)
- Systems Security Certified Practitioner (SSCP)

Page 14

Compliance Gap

A survey of 482 EMEA organizations during November 2007 found that 62% hold regulated information.

Page 15

Compliance Gap

Only 31% of 482 organizations surveyed across EMEA had controls in place to identify “orphan” accounts

> ISO 27002 – 11.2.1 User Registration

There should be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.

Page 16

Compliance Gap

Only 41% of 482 organizations surveyed across EMEA could report on users’ access rights.

> ISO 27002 – 11.2.4 Review of Access Rights

Management should review users’ access rights at regular intervals using a formal process.
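Added example, not from the slides: the two ISO 27002 controls quoted on these slides (11.2.1 user registration and de-registration, 11.2.4 review of access rights) can be made checkable with a small Python script that joins a directory account export against the HR roster. It reports orphan accounts (no HR owner, an owner who has left, or no recent logon) and builds a per-manager access-rights list for attestation, flagging membership of privileged groups. The roster, the accounts, the group names, the review date and the 90-day dormancy threshold are all constructed for the example.

```python
from datetime import date

# Constructed HR roster (not real people): employee id -> status and manager.
HR_ROSTER = {
    "e1000": {"name": "M. Manager", "status": "active", "manager": None},
    "e1001": {"name": "A. Example", "status": "active", "manager": "e1000"},
    "e1002": {"name": "B. Example", "status": "left", "manager": "e1000"},
    "e1003": {"name": "C. Example", "status": "active", "manager": "e1000"},
}

# Constructed directory export: one row per account. A service account with
# no recorded owner is included on purpose, since those are typical orphans.
ACCOUNTS = [
    {"login": "aexample", "employee_id": "e1001", "groups": ["staff", "finance-ro"],
     "last_logon": date(2008, 9, 10)},
    {"login": "bexample", "employee_id": "e1002", "groups": ["staff", "payroll-admin"],
     "last_logon": date(2008, 5, 2)},
    {"login": "svc-backup", "employee_id": None, "groups": ["backup-operators"],
     "last_logon": date(2008, 9, 14)},
    {"login": "cexample", "employee_id": "e1003", "groups": ["staff", "domain-admins"],
     "last_logon": date(2008, 3, 1)},
]

# Constructed list of groups that confer administrative rights.
PRIVILEGED_GROUPS = {"domain-admins", "payroll-admin", "backup-operators"}

# Constructed date of the review run.
REVIEW_DATE = date(2008, 9, 15)


def owner_of(account, roster):
    """HR record for the account's owner, or None when no owner is recorded."""
    emp_id = account.get("employee_id")
    return roster.get(emp_id) if emp_id else None


def find_orphan_accounts(accounts, roster, today, dormant_days=90):
    """11.2.1 check: accounts with no HR owner, an owner who has left, or no
    logon within `dormant_days`. Returns (login, reason) pairs in export order;
    an account gets the first applicable reason only."""
    findings = []
    for acct in accounts:
        emp = owner_of(acct, roster)
        if emp is None:
            findings.append((acct["login"], "no HR owner"))
        elif emp["status"] != "active":
            findings.append((acct["login"], "owner has left"))
        elif (today - acct["last_logon"]).days > dormant_days:
            findings.append((acct["login"], "dormant"))
    return findings


def access_rights_report(accounts, roster, privileged=PRIVILEGED_GROUPS):
    """11.2.4 report: accounts and group memberships grouped by the manager who
    must attest to them; accounts without an owner fall under "UNOWNED" so they
    cannot silently drop out of the review."""
    report = {}
    for acct in accounts:
        emp = owner_of(acct, roster)
        reviewer = emp["manager"] if emp else "UNOWNED"
        report.setdefault(reviewer, []).append({
            "login": acct["login"],
            "groups": sorted(acct["groups"]),
            "privileged": sorted(set(acct["groups"]) & privileged),
        })
    return report


if __name__ == "__main__":
    for login, reason in find_orphan_accounts(ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        print(f"orphan candidate: {login} ({reason})")
    for reviewer, rows in access_rights_report(ACCOUNTS, HR_ROSTER).items():
        print(f"reviewer {reviewer}:")
        for row in rows:
            print(f"  {row['login']}: groups={row['groups']} privileged={row['privileged']}")
```

In practice the roster and account export would come from the HR system and the directory; the join key (here `employee_id`) is what makes de-registration enforceable, so an account that cannot be joined to any person is itself a finding.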

Page 17

Compliance Gap

Only 46% of 482 organizations surveyed across EMEA had controls in place to regulate administrators.

> ISO 27002 – 11.5 OS Access Control

Objective: To prevent unauthorized access to operating systems

Page 18

Privacy

Privacy Matters

Page 19

A ‘Framework’ for Data Privacy Management

John T. Sabo, CISSP, Director, Global Government Relations, CA, Inc.

Page 20

What is the ISTPA?

The International Security, Trust and Privacy Alliance (ISTPA), founded in 1999, is a global alliance of companies, institutions and technology providers working together to clarify and resolve existing and evolving issues related to security, trust, and privacy

ISTPA’s focus is on the protection of personal information (PI) – see www.istpa.org

Page 21

ISTPA’s Perspective on Privacy

- Operational, technical, architectural focus … “making Privacy Operational” based on legal, policy and business process drivers
- Multi-dimensional privacy management with support for temporal requirements
- “Analysis of Privacy Principles: An Operational Study” published in 2007
- Privacy Framework v1.1 published in 2002 supports the full “lifecycle” of Personal Information; now under major revision

Page 22

Privacy Drivers and Issues

Principles/Legislation/Policies: many competing requirements and constraints on the collection and use of personal information (PI) and personally identifiable information (PII)

Business Processes: business applications using PI/PII with privacy-related components such as data collection, communications, processing and storage, customer/citizen relationship management, partner agreements, and compliance

Today’s Networked PI Lifecycle: digitally-based personal information and personally identifiable information are now essentially networked and boundless

Absence of privacy-specific technical management standards: technical architectures which incorporate standardized, universal privacy management services and controls are not yet available

Page 23

Starting Point - Principles/Legislation/Policies

See ISTPA “Analysis of Privacy Principles: An Operational Study” (2007)

Page 24

Many Laws, Directives, Codes

- The Privacy Act of 1974 (U.S.)
- OECD Privacy Guidelines
- UN Guidelines
- EU Data Protection Directive
- Canadian Standards Association Model Code
- Health Insurance Portability and Accountability Act (HIPAA)
- US FTC Fair Information Practice Principles
- US-EU Safe Harbor Privacy Principles
- Australian Privacy Act
- Japan Personal Information Protection Act
- APEC Privacy Framework
- California Security Breach Bill

Page 25

No Standardized Policies

OECD Guidelines – 1980: Collection Limitation; Data Quality; Purpose Specification; Use Limitation; Security Safeguards; Openness; Individual Participation; Accountability

Australian Privacy Principles – 2001: Collection; Use and Disclosure; Data Quality; Data Security; Openness; Access and Correction; Identifiers; Anonymity; Transborder Data Flows; Sensitive Information

APEC Privacy Framework – 2005: Preventing Harm; Notice; Collection Limitation; Uses of Personal Information; Choice; Integrity of Personal Information; Security Safeguards; Access and Correction; Accountability

See ISTPA “Analysis of Privacy Principles: An Operational Study” (2007)

Page 26

Need for Generalized Requirements

Accountability; Notice; Consent; Collection Limitation; Use Limitation; Disclosure; Access & Correction; Security/Safeguards; Data Quality; Enforcement; Openness

- Anonymity
- Data Flow
- Sensitivity

Page 27

Managing Privacy Requirements in Networked PI/PII Lifecycle?

[Diagram: a time axis running from PI Collection through repeated PI Use, with Aggregation and Linkages, to Destruction?]

Page 28

Example: PI/PII Lifecycle Implications of “Notice”

[Diagram: PI over time, from PI Collection through Use, Linkage, Re-use and Aggregation to Destruction?]

1. definition of the personal information collected
2. use (purpose specification)
3. disclosure to parties within or external to the entity
4. practices associated with maintenance and protection of the PI
5. options available to the data subject regarding the collector’s privacy practices
6. changes made to policies or practices
7. information provided to data subject at designated times under designated circumstances

Page 29

A Dynamic Operationally-Focused Privacy Management Reference Model

Page 30

PI Life Cycle Perspective

Most Models Assume Sequential Processes

[Diagram: Sequential Operational Privacy Management, with PI passing from Subject to Requestor to Business Application to Processor]

Page 31

PI Life Cycle Perspective

Today – Networked-Interactive Processes

[Diagram: PI flowing over time between the Data Subject, Requestors/Users 1..n, Business Application 1, 2… n and Processor/Aggregator 1, 2…n]

- Non-sequential
- Data subject impacted directly and indirectly after initial data collections

Page 32

ISTPA Privacy Framework Services

- Negotiation - agreements, options, permissions
- Control - policies, data management
- Interaction - manages data/preferences/notice
- Agent - software that carries out processes
- Access - subject review/suggest updates to PI
- Usage - data use, aggregation, anonymization
- Certification - credentials, trusted processes
- Audit - independent, verifiable accountability
- Validation - checks accuracy of PI
- Enforcement - including redress for violations

Page 33

Original ISTPA Privacy Framework

[Diagram: within a Legal, Regulatory, & Policy Context and on a Security Foundation, the Data Subject and the Data Requestor each run Control, Negotiation, Interaction and Agent services over a PI, Preferences & PIC Repository (subject side) or a PIC Repository (requestor side); a PI Container (PIC) passes between them; Usage is shown alongside the Assurance Services: Audit, Enforcement, Certification, Validation]

Page 34

From “Framework” to “Model”

- From a policy perspective, pushback on use of the term “framework”
- Framework v1.1 services were validated, but in a relatively static model; difficult to understand applicability in contemporary privacy/data protection scenarios
- Need to better incorporate use cases where PI is disassociated from the data collector and the data subject’s control
- Temporality and data lifecycle
- Policy changes
- Improved understanding of service to service relationships

Page 35

Making the Framework PI- and Policy-Centric

[Diagram: PI and Policies]

Page 36

Managing Multiple Policy Instances

[Diagram: several instances of PI and Policies]

Page 37

PI as Objects - Rules as Objects…

[Diagram: PI Objects and P-Rule Objects]

Page 38

…and Managed in “Lifecycle” Networked Context

[Diagram: PI Objects and PI Rules Objects along the lifecycle from PI Collection through repeated PI Use, with Aggregation and Linkages]

Page 39

Modular Services

[Diagram: Personal Information at the centre, surrounded by the services Agent, Interaction, Control, Negotiation, Usage, Access, Validation, Certification, Audit, Enforcement and Security]

Page 40

Touch Point Concept

[Diagram: within the Legal, Regulatory, and Policy Context and on the Security Foundation, a PI Touch Point runs Agent, Control, Interaction and Negotiation over a PI, Rules & PIC Repository and exchanges a PI Container (PIC); Usage and Access sit beside the Assurance Services: Enforcement, Audit, Certification, Validation]

- Each “Touch Point” node configured with operational stack
- Privacy policies are input “parameters” to Control
- Agent is the Touch Point programming persona
- “PIC” logically contains PI and usage agreements
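Added example, not ISTPA’s code: a toy Python model of the ideas on pages 37 and 40 (PI as objects, rules as objects, and the touch point). A PI container (PIC) carries the PI together with its usage agreement as rule objects; a Control service at one touch point takes those rules as its input parameters, decides whether a requested use by a given party is within the agreed purpose, party and retention limits, releases only the attributes the rule covers, and writes every decision, granted or refused, to an audit trail. The subject, attribute names, purposes, parties, dates and the touch point name are all constructed.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class PIRule:
    """One entry of the usage agreement that travels with the PI (a rule object)."""
    purpose: str            # purpose the data subject agreed to
    allowed_parties: set    # parties that may process the PI for that purpose
    fields: set             # subset of PI attributes released for that purpose
    retain_until: date      # temporal limit: no use for this purpose after this date


@dataclass
class PIContainer:
    """PIC: the PI together with the rules that govern it."""
    subject_id: str
    pi: dict
    rules: list


@dataclass
class AuditTrail:
    """Minimal audit service: records every Control decision."""
    entries: list = field(default_factory=list)

    def record(self, touch_point, subject_id, party, purpose, allowed, reason):
        self.entries.append({"touch_point": touch_point, "subject": subject_id,
                             "party": party, "purpose": purpose,
                             "allowed": allowed, "reason": reason})


class Control:
    """Control service at one touch point. The PIC's rules are the policy input;
    the service decides whether a requested use may proceed."""

    def __init__(self, touch_point, audit):
        self.touch_point = touch_point
        self.audit = audit

    def evaluate(self, pic, party, purpose, today):
        """Purpose specification, use limitation and retention checks, in that order."""
        rule = next((r for r in pic.rules if r.purpose == purpose), None)
        if rule is None:
            return False, "purpose not specified in usage agreement"
        if party not in rule.allowed_parties:
            return False, "party not permitted for this purpose"
        if today > rule.retain_until:
            return False, "retention period for this purpose has expired"
        return True, "permitted by usage agreement"

    def release(self, pic, party, purpose, today):
        """Return only the PI attributes the matching rule allows, or None if
        refused. Every decision is written to the audit trail."""
        allowed, reason = self.evaluate(pic, party, purpose, today)
        self.audit.record(self.touch_point, pic.subject_id, party, purpose, allowed, reason)
        if not allowed:
            return None
        rule = next(r for r in pic.rules if r.purpose == purpose)
        return {k: v for k, v in pic.pi.items() if k in rule.fields}


def sample_container():
    """Constructed sample PIC (not real data)."""
    return PIContainer(
        subject_id="subject-0001",
        pi={"name": "A. Example", "email": "a.example@example.invalid", "dob": "1970-01-01"},
        rules=[
            PIRule("order-fulfilment", {"shop", "courier"}, {"name", "email"}, date(2009, 1, 1)),
            PIRule("marketing", {"shop"}, {"email"}, date(2008, 6, 30)),
        ],
    )


def run_demo(today=date(2008, 9, 15)):
    """Exercise Control at one constructed touch point; returns (results, audit)."""
    audit = AuditTrail()
    control = Control("shop-web-touchpoint", audit)
    pic = sample_container()
    requests = [("shop", "order-fulfilment"),   # in purpose, party and time
                ("courier", "marketing"),        # wrong party for this purpose
                ("shop", "marketing"),           # retention for this purpose expired
                ("shop", "analytics")]           # purpose never agreed
    results = [(party, purpose, control.release(pic, party, purpose, today))
               for party, purpose in requests]
    return results, audit


if __name__ == "__main__":
    results, audit = run_demo()
    for party, purpose, released in results:
        print(f"{party} / {purpose}: {released}")
    for entry in audit.entries:
        print(entry)
```

The point of the shape is that the rules are data carried with the PI rather than logic buried in each application, so a second touch point (another business application or aggregator) can run the same Control over the same PIC and reach the same decision, and the audit trail shows who asked for what and why it was refused.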

Page 41

Multiple Instances

[Diagram: any n touch points in the PI life cycle, each with its own Agent, Control, Interaction, Negotiation and PI, Rules & PIC Repository, exchanging PI Containers (PIC) within the Legal, Regulatory, and Policy Context and on the Security Foundation; Usage and Access sit beside the Assurance Services: Enforcement, Audit, Certification, Validation]

Page 42

Next Steps

- Framework WG completing revision of new “reference model”
- Publication expected December 2008
- Linkages to IT governance disciplines and current standards (such as XACML)
- ISTPA has joined the OASIS standards organization as an institutional member
- Exploring a proposal for an OASIS Privacy Management Technical Committee using v. 2.0
- Work requires cross-disciplinary knowledge and the desire to develop privacy management tools which reflect our global, digital, and networked information-based environment

Page 43

Questions?

John Sabo [email protected]