Complying with the Singapore Personal Data Protection Act: A Practical Guide (March 2014)


A practical guide to complying with the provisions of the Singapore Personal Data Protection Act from a people, process and technology (Microsoft-specific) perspective.



Synopsis

The Singapore Personal Data Protection Act (PDPA), effective January 2013, obliges organizations to take on specific responsibilities regarding the protection of personal information. These responsibilities concern the collection, accuracy, protection and disclosure of personal information and can significantly affect an organization’s handling of personal information and data. This white paper outlines the data protection requirements under the PDPA and provides information on available solutions to address those requirements, with a focus on Microsoft-specific security and privacy technologies. We also discuss several process-driven and technology-enabled approaches that emphasize the importance of IT management in supporting organizations to comply with their PDPA obligations.

The views discussed in this white paper are jointly presented by Protiviti and Microsoft. The focus is on management awareness, roles and responsibilities, data mapping, data flow, personal data management processes, and risk assessment and analysis to implement an organization’s compliance program. We present a Microsoft data governance and access control framework that includes five key elements for the management and protection of personal data: Secure Infrastructure; Identity and Access Control; Data Encryption; Document Protection; and Auditing and Reporting. For each of these five elements, we discuss appropriate tools and technologies developed by Microsoft and applicable to Microsoft systems.

We conclude by encouraging organizations seeking to comply with the PDPA to engage their IT departments actively in the process and to partner with external experts where applicable to develop a process that would address the risks inherent in compliance-related implementation. Organizations should also deploy relevant tools, technologies, and products to automate control over private information as much as possible and ensure organization-wide consistency in how personal information is handled and managed.

Disclaimer

All rights, products, company names, brand names, trademarks and logos are the property of their respective owners. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any product. You may copy and use this document for your internal, reference purposes.


Overview

The nature of technology today allows for an increasing volume of personal data to be captured, stored, and processed with great ease. The wide availability of personal information – whether employee, visitor, customer or contractor – provides opportunities for companies to increase productivity and improve their marketing. At the same time, the advancement of technology also calls for greater responsibility in managing and protecting personal information.

The enactment of the PDPA in January 2013 tasks organizations that process personal data with new responsibilities for protecting personal information. Because of the technology-driven nature of businesses, IT management will be required to play an important role and support the efforts by organizations to meet their obligations under the PDPA.

The PDPA governs the consent, purpose and reasonableness of collection, use, disclosure and care of individuals’ personal data by organizations. Figure 1 summarizes both the data protection and the Do-Not-Call (DNC) provisions of the PDPA. The DNC provisions have been in force since January 2014, and the deadline for complying with the data protection provisions is July 2, 2014.

Figure 1: The Data Protection and DNC Provisions of PDPA


Data Protection Provisions – Nine Obligations

Figure 2 below outlines the PDPA’s nine obligations for organizations that own and process personal data. The obligations apply to data stored in both electronic and physical forms.

Figure 2: The Nine Obligations of PDPA

Impact of PDPA on Organizations

Complying with the PDPA is a legal requirement for organizations. In January 2013, the Personal Data Protection Commission (PDPC) was set up to administer and enforce the PDPA. Apart from undertaking promotional and outreach activities, the PDPC is empowered to conduct investigations – upon complaint or on its own accord – to establish whether an organization is complying with all nine PDPA obligations.

If the PDPC finds that an organization is in breach of any of the data protection provisions of the PDPA, it can direct the organization to rectify the breach with a specific action such as ceasing to collect, correcting, or removing the affected personal data, and it can also impose a financial penalty on the organization of up to S$1 million. Any person found to have violated the provisions, knowingly or otherwise, may be subject to a fine not exceeding S$5,000 or to imprisonment for up to 12 months or both.

If the breach consists of authorizing sales and marketing messages to individuals on the Singapore Do Not Call registry, in the form of voice calls, text or fax, the organization can be found to have contravened the DNC (Do Not Call) provisions of the PDPA and can be liable, upon conviction, for fines of up to S$10,000 for each offense.


How IT Management Can Support the PDPA Obligations

Some organizations may act quickly to address personal data protection at the operational level but have a limited idea of how to engage IT management to meet the PDPA obligations. IT management needs to engage with and support the data protection officer (DPO) and business users in achieving, maintaining and monitoring PDPA compliance.

To do so, IT management first needs to understand the key data protection program milestones and devise the correct engagement strategy. The following sections discuss these milestones in detail.

Milestone 1: Management Awareness and Support for Data Protection

Leading practices for Personal Data Protection (PDP) programs start with an awareness-creation session for the organization’s senior management. Once awareness is created, management should decide on the roles and responsibilities of the DPO needed to support the organization’s compliance with the PDPA. The DPO may establish a task force to enable effective execution of the PDP program. For the program to be successful, it is imperative that IT management be involved as a member of this task force.

Milestone 2: Identify Different Roles and Responsibilities in Data Protection

IT management should understand the roles and responsibilities of the various parties in the task force. Table 1 below suggests how IT could involve the various roles and responsibilities for data protection. Microsoft has developed a technology framework for data governance and access control which provides a flexible and comprehensive approach to managing and protecting personal data. It consists of five key elements, all of which are necessary to protect and manage personal data responsibly in a distributed device and computing infrastructure. The five key elements are: Secure Infrastructure, Identity and Access Control, Data Encryption, Document Protection, Auditing and Reporting. These elements will be further explained in the later sections of this paper. The data protection roles and responsibilities to be considered for each of the five key elements in this framework are presented in Table 1 below.

The roles and responsibilities are assigned using these definitions:

Responsible (R) – Party responsible for performing the process

Accountable (A) – Party accountable and contactable regarding the decision and process effectiveness

Contributing or Consulted (C) – Party providing information and/or advice needed to make the process successful

Informed (I) – Party concerned with or dependent upon the information that is managed by this process


Table 1: The Data Protection Roles & Responsibilities Mapping to the Microsoft Technology Framework for Data Governance and Access Control

| Role | Responsibilities | Secure Infrastructure | Identity and Access Control | Data Encryption | Document Protection | Auditing and Reporting |
|---|---|---|---|---|---|---|
| Management and Sponsor | Refers to an organization's management (person or team) that is accountable for complying with the PDPA obligations over personal data. | A | A | A | A | A |
| Data Protection Officer | A Data Protection Officer is an individual or individuals responsible for ensuring that the organization complies with the PDPA, including the implementation of personal data protection policies within the organization. The business contact information of at least one DPO should be made available to the public. Compliance with the PDPA remains the responsibility of the organization's management. | I | R | C | I | R |
| Data Controller | A Data Controller is the person who determines (alone or jointly with others) the purpose and manner in which any personal data is, or is going to be, processed. | I | R | I | R | I |
| Data Processor | A Data Processor, in relation to personal data, is any person (other than an employee of the Data Controller) who processes personal data on behalf of the Data Controller. | I | R | R | R | I |
| Data Subject | A Data Subject is an individual whose personal data is in the control of the organization. | - | - | I | I | I |
| Data Intermediary | A Data Intermediary is a person or persons who may be contracted to use or process personal data on behalf of the organization. A Data Intermediary is any person/organization other than the Data Subject, the Data Controller, Data Processor or any other person authorized to use and/or process data for the Data Controller or Processor. | I | R | R | R | I |

Legend: R = Responsible, A = Accountable, C = Contributing (or Consulted), I = Informed, as defined above.


Milestone 3: Complete Personal Data Inventory Map and Data Flow Diagrams

After understanding the roles and responsibilities of the different parties involved in data protection, the next step is to create a personal data inventory map. The data inventory map includes possible record classifications and record types organized by business function. The DPO will work with the respective data controllers to determine which record types are in-scope for PDPA purposes and should be included in the company’s PDP program. IT management should be instrumental in defining and completing the data inventory map. IT should work with the DPO and other task force members to develop an in-depth understanding of the organization’s personal data and corresponding application architecture.

A personal data inventory map may include the attributes highlighted in Table 2:

Table 2: Personal Data Inventory Map Attributes

| Data Inventory Attribute | Description |
|---|---|
| Record Class | Classifies data by business function. ADM (Administration), HUM (Human Resource), and FIN (Finance) are possible examples of Record Classes. |
| Record Class Name | Indicates the specific information type that belongs to the record class. For example, the record class ADM would have a record class name “Internal Services” that could be described as: “Records related to internal support provided to the organization’s personnel, including services and products. Also includes records related to the procurement of travel services, transportation, and lodging. These records document the extent and purpose of travel undertaken by employees on Company business, and include trip itineraries and copies of tickets.” |
| Content Type | Provides the specific document name or attributes. The record class name “Internal Services” may include: Transport Ticket Copies; Travel Itineraries; Traveler Profiles. |
| PDPA In-Scope (Y/N) | A content type is either PDPA in-scope or not in-scope. The Data Controller determines this. |

The data inventory map could be further customized for those records indicated as PDPA in-scope. For instance, the DPO and Data Controller could identify and document the associated purpose, policies, guidelines, and even retention requirements for each of the PDPA in-scope records.

Leading practices in the area of data protection also recommend the use of a data flow diagram for each of the PDPA in-scope content types. Data flow diagrams give DPOs and the data controller better visibility of the personal data source, points of collection, the data owners, controllers and processors, as well as how the data is kept and secured on which IT server/application. A sample data flow diagram may involve the details presented in Figure 3. Similar tools and references are available to Protiviti KnowledgeLeader® subscribers.


Figure 3: Sample Personal Data Flow Diagram

Once the data inventory map and data flow diagram are understood, IT management can assist the DPO and data controller in classifying the personal data that resides in the identified IT servers and applications. The five-element Microsoft technology framework for data governance and access control described in this paper can be considered for each of the IT servers and applications identified.

IT management can also draw on established IT security standards and leading practices such as ISO 27001 for data classification. Table 3 provides extracts from ISO 27001 specific to data classification controls that the DPO and IT could evaluate across the ISO 27001 suggested elements: Business Policies; Business Processes; People and Organization; Management Reports; Methodologies; Systems and Data.

Table 3: ISO 27001 Control Objectives and Control Attributes

ISO 27001 Section 7.2: Information Classification. Control objective: to ensure that information receives an appropriate level of protection.

Classification Guidelines: Information shall be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization. Suggested control attributes:

- A security classification scheme for major assets
- The security classification scheme is formalized
- The security classification includes value, legal requirements, sensitivity and criticality to the organization

Information Labeling and Handling: An appropriate set of procedures for information labeling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization. Suggested control attributes:

- Procedures are implemented for the labeling and handling of information/assets that require security protection
- Procedures are regularly reviewed and updated
- Procedures consider identification (labeling) of electronic and physical sensitive/critical assets

Milestone 4: Establish the Personal Data Management Process

The DPO is also required to establish a set of procedures to support the PDPA obligations. To facilitate the personal data management process, Protiviti developed the Personal Data Protection (PDP) Process Classification Scheme (PCS). This scheme helps organize required PDP practices according to relevant processes, and defines the areas that should be addressed for each of the nine obligations. Identifying each PDP practice as a set of defined processes or sub-processes helps promote a common language and provides a “roadmap” to help identify process-related risks and potential controls that may be applicable in compliance with the PDPA. A sample of the Protiviti PCS meeting the Consent, Purpose, Notification and Protect obligations of the PDPA is illustrated in Figure 4.

Figure 4: Sample of Personal Data Management Process Classification Scheme

The PCS is not an all-inclusive list of existing PDP processes. The Protiviti PCS (processes and associated sub-processes) needs to be customized to fit the facts, circumstances and culture of the organization. IT management could, however, understand the major process activities and areas to identify necessary IT platform attributes for personal data protection and management.


Milestone 5: Assessment and Gap Analysis

With the data inventory map, data flow diagrams and processes designed, it is necessary to conduct an initial assessment over these areas to identify gaps and improvement opportunities. Protiviti’s assessment approach considers the PDPA requirements in the context of the Generally Accepted Privacy Principles (GAPP). The objective is to enable the Management/Sponsor to determine whether the company has defined and is managing personal data following the PDPA guidelines. As part of this assessment (see Figure 5), interviews with staff in different data protection roles and responsibilities are conducted to identify improvement opportunities.

Figure 5: Sample of Assessment and Gap Analysis Report

Each of the milestones discussed above involves specific IT platforms and management considerations to support the protection and management of personal data. However, attempting to address every IT platform with its own unique attributes can be expensive and time-consuming. A more effective approach is to complement the program with a technology framework for managing and protecting personal data. The five-element Microsoft technology framework for data governance and access control discussed in the next section can be considered to support the improvement opportunities and action plans.


A Technology Framework for Data Governance and Access Control

Microsoft has developed a technology framework for data governance and access control that provides a flexible and comprehensive approach to managing and protecting personal data. It consists of five key elements, all of which are necessary to protect and manage personal data responsibly in a distributed device and computing infrastructure. The five elements are described in Table 4.

Table 4: Microsoft Technology Framework for Data Governance and Access Control

| Key Element | Description |
|---|---|
| Secure Infrastructure | Safeguards that help protect against malware, intrusions and unauthorized access to personal information, and protect systems from evolving threats. |
| Identity and Access Control | Systems that help protect personal information from unauthorized access or use, and provide management controls for identity access and provisioning. |
| Data Encryption | Safeguards that help protect sensitive personal information by converting data into incomprehensible code that requires a “key” for decoding, with the key held by an authorized recipient. |
| Document Protection | Protection of personal information stored in a document throughout its entire life cycle via digital signature, encryption, and file validation. |
| Auditing and Reporting | Monitoring the integrity of systems and data in compliance with business policies. |

The following sections describe some of the products and technologies Microsoft provides for each of the five elements of the technology framework listed above.

Secure Infrastructure

The growing importance of information technology to the way we work underscores the need to secure the underlying infrastructure as much as possible. Fundamentally, safeguarding and managing personally identifiable information (PII) depends on a secure infrastructure that protects against malicious software and hacker intrusions. Table 5 describes a number of Microsoft products and technologies that can help provide a secure infrastructure.


Table 5: Secure Infrastructure - Products and Technologies

Windows Client Security Technologies

| Product or Technology | Description |
|---|---|
| Windows Firewall | A host-based firewall that controls inbound and outbound communications. |
| Automatic Updates | Enables Windows computers to automatically update the operating system with the latest security updates. |
| User Account Control (UAC) | Allows users to run with the least required privilege and helps prevent malware from installing in the background without the user’s knowledge. UAC presents an obstacle to non-UAC-aware malware. |
| Service Hardening | Windows services are designed and configured to run with the least required privilege, reducing the harm that can be done by a compromised service. |
| Kernel Patch Protection | Helps prevent malware from making alterations to the operating system kernel, which helps prevent the installation and execution of rootkits. |
| Windows Defender | An anti-malware, anti-virus application in Windows 8/8.1 that helps prevent the installation and execution of spyware and other unwanted software. Microsoft Security Essentials was the equivalent software for earlier versions of Windows. |
| Network Access Protection | A network access control solution that helps prevent unapproved client and server systems from connecting to network resources. |
| USB and Removable Device Control | A hardware control system that enables administrators to block access to USB and other removable devices. |
| AppLocker | A flexible, easy-to-administer mechanism that allows IT to specify what is allowed to run in the desktop infrastructure and gives users the ability to run the applications, installation programs, and scripts that they require to be productive. |
| BitLocker | Helps prevent a thief who boots another operating system or runs a software hacking tool from breaking Windows 7/8 file and system protections or performing offline viewing of the files stored on the safeguarded drive. |
| Secure Boot | A security standard developed by members of the PC industry to help make sure that a PC/server boots using only firmware that is trusted by the PC manufacturer. Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 8, and Windows Server 2012 support this technology. |
| System Center Endpoint Protection | Uses the monitoring and deployment capabilities of System Center Configuration Manager (SCCM) to streamline the deployment of antimalware definitions and provides an in-console monitoring solution through SCCM. Endpoint Protection can also be used to configure Windows Firewall settings on computers in the enterprise. |


Microsoft Server Security Technologies

| Product or Technology | Description |
|---|---|
| Fundamental Server Security | These fundamental security elements work together to define trusted users, servers, connections, and operations to help provide a secure foundation for Microsoft server products such as Windows Server, SQL Server, SharePoint, Dynamics CRM/AX, Lync, etc.: Active Directory Domain Services integration; role-based access control; Public Key Infrastructure; TLS, HTTPS and MTLS support; industry-standard protocols for authentication; and security features provided by Windows PowerShell that are enabled by default so that users cannot easily or unknowingly run scripts. |
| Exchange Server 2013 Data Loss Prevention | Performs deep content analysis through keyword matches, dictionary matches, regular expression evaluation, and other content examination to help detect content that violates organizational DLP policies. |
| SQL Server Security Labeling | Provides fine-grained access control at the row and cell level of database tables. |
| System Center Data Protection Manager (DPM) | Enables disk-based and tape-based data protection and recovery for servers such as SQL Server, Exchange Server, SharePoint, virtual servers and file servers, with support for Windows desktops and laptops. DPM can also centrally manage system state and Bare Metal Recovery (BMR). |
| Credential Protection | Features and methods introduced in Windows Server 2012 R2 and Windows 8.1 for credential protection and domain authentication controls to reduce credential theft. |

Windows Phone Security Technologies

| Product or Technology | Description |
|---|---|
| Embedded Trusted Platform Module (TPM) 2.0 Chip | The TPM chip protects encryption keys, contains a crypto processing engine, and is a foundational element of a secure boot chain. |
| Unified Extensible Firmware Interface (UEFI) Secure Boot | In a UEFI Secure Boot process the firmware, the bootloader, the kernel and the kernel extensions are all cryptographically signed. This makes it easy to detect when any of these layers has been tampered with. |
| Integrated Information Rights Management (IRM) | The built-in IRM could help prevent authenticated users on a trusted device from sharing data with unintended parties, willingly or unwillingly. |
| Device locking and BitLocker support | Windows Phone supports alphanumeric and complex passwords for device locking. It also supports the same BitLocker technology used in the Windows 7/8 client to encrypt the data on the phone. |
| Crypto signing from OS kernel to the apps | The entire OS and every app on the system are code-signed to establish a chain of trust from the hardware all the way up. |
| Local/Remote device wipe | Local device wipe occurs after a specified number of incorrect login attempts. Remote device wipe erases data and helps to prevent unauthorized use. |


Identity and Access Control

To reduce the risk of a deliberate or accidental data breach, and to help organizations meet PDPA compliance requirements, Microsoft offers identity and access control technologies that help protect PII from unauthorized access while keeping it available to legitimate users.

Table 6 describes a number of Microsoft products and technologies that could help meet identity and access control challenges in a distributed computing environment.

Table 6: Identity and Access Control - Products and Technologies

| Product or Technology | Description |
|---|---|
| Active Directory | A centralized database of user and machine accounts that enables centralized management of machines and users within the organization. |
| Active Directory Federation Services | Enables federation of multiple Windows domains, which streamlines management and control of partner access to corporate resources. |
| Forefront Identity Manager | Provides self-service identity management for users, automated lifecycle management across heterogeneous platforms for administrators, a rich policy framework for enforcing corporate security policies, and detailed audit capabilities. |
| Windows Smart Card Support | Enables two-factor authentication for user logon and data access for Windows clients. |
| Exchange Server support for two-factor authentication | Two-factor authentication requires two methods to gain access to resources. Typically users provide a physical card or token and a PIN to access authorized resources. |
| Dynamic Access Control | In Windows Server 2012, you can apply data governance across your file servers to control who can access information and to audit who has accessed information. It enables data classification, central access policy definition and auditing, and automatic rights management protection. |


Data Encryption

Supported by strong identity and access controls, data encryption can help safeguard information that is stored in databases, on mobile devices, laptops and desktop computers, or transferred via email, across the Internet or other non-trusted networks. Encryption used to secure storage, transmission and disposal of sensitive information greatly reduces the risk of a harmful data breach by an intruder or hacker break-in, or from a lost or stolen computer or mobile device. Table 7 describes a number of Microsoft products and technologies that support data encryption in a distributed computing scenario.

Table 7: Data Encryption - Products and Technologies

| Product or Technology | Description |
|---|---|
| Encrypting File System (EFS) | EFS encrypts disk data on a per-file or per-folder basis. |
| BitLocker Encryption | Helps prevent offline and other attacks against disk data by encrypting all data on the system disk volume. |
| Virtual Private Networking and IPSec | This encryption and network access control technology can be used to control access to servers and encrypt data over the network. |
| Exchange Server support for encrypted email | Encrypted email helps prevent unauthorized persons from reading or capturing email in transit. |
| SQL Server Transparent Data Encryption (TDE) | TDE causes the data and log files (and full-text catalogs, if present) to be encrypted on disk. The encryption occurs transparently as data moves through SQL Server’s I/O buffers, so no complicated setup is required and the encryption is all-encompassing for the encrypted database. |

Document Protection

Rights Management tools help assure document protection. These technologies can be applied to desktop productivity, email and line-of-business applications to help safeguard information and control how information is used, through “persistent protection” that extends throughout the life of the document. They also help prevent sensitive data such as PII or confidential email messages from getting into the wrong hands, intentionally or accidentally.

Table 8 describes a number of Microsoft products and technologies that could help protect documents in a distributed environment.


Table 8: Document Protection - Products and Technologies

Product or Technology | Description

Rights Management Services

A collection of technologies that controls which users can access documents and what they can do with those documents. They can be integrated with SharePoint and Exchange servers for strong document/mail access control and auditing.

Support for XrML/XPS

XrML is a technology that enables rights management controls for virtually any type of document. XPS is a document format that enables strong access controls based on Rights Management Services.

Exchange Server Ethical Firewall

This policy-based solution enables organizations to control what content is allowed through the email channel. It can be implemented via transport rules on Hub Transport servers.

Office file encryption

Office 2013, in addition to maintaining support for Cryptography API (CryptoAPI), also includes support for CNG (CryptoAPI: Next Generation). CNG allows for more agile encryption, where the encryption and hashing algorithms supported on the host computer can be specified for use during the document encryption process. CNG also allows for better extensibility, where third-party encryption modules can be used.

Office file digital signature

Users can digitally sign an Office 2013 Excel, PowerPoint, or Word document for many of the same reasons that they might place a handwritten signature on a paper document. A digital signature is used to help authenticate the identity of the creator of digital information, such as documents, email messages, and macros, by using cryptographic algorithms.

Office file validation

A security feature in Office 2013 that helps prevent file format attacks by scanning Office binary file formats before they are opened in Excel 2013, PowerPoint 2013, or Word 2013.

Auditing and Reporting

Compliance with internal policies, government regulations, and consumer demands for better control over PII requires the use of monitoring technologies to assist organizations with audit and reporting related to data, systems and applications. Systems management and monitoring technologies can help verify that system and data access controls are operating effectively, and identify suspicious or noncompliant activities.

Table 9 describes a number of Microsoft products and technologies that could help with audit and reporting tasks for data protection and incident investigation.


Table 9: Auditing and Reporting - Products and Technologies

Product or Technology | Description

System Center Operations Manager

An enterprise-ready network and server management solution enables centralized reporting and management of all computing devices on the network. Operations Manager also provides strong Audit Collections functionality (through Audit Collections Services) and provides data segregation, thus providing separation of duties and non-repudiation.

System Center Configuration Manager

An enterprise-ready systems management solution enabling centralized software deployment and management throughout the organization.

SharePoint eDiscovery and Compliance

The SharePoint 2013 eDiscovery and Compliance features allow enterprises to manage and recover evidence used in civil litigation, and manage the records for the whole organization. A central SharePoint site is used to manage preservation (in-place hold), search, and export of content stored across SharePoint farms and Exchange servers.

SQL Server Audit

The Audit feature allows fine-grained, secure auditing of any access to objects in a database. In particular, it is an excellent tool for rigorously tracking changes to the metadata tables and role memberships in the label policy.
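The SQL Server Transparent Data Encryption row of Table 7 and the SQL Server Audit row of Table 9 both concern the same database holding personal data, so one added example serves both. The PowerShell script below is not from the white paper or from Microsoft: it uses Invoke-Sqlcmd from the SQLPS module that ships with the SQL Server 2012 tools to enable TDE on a database, back up the TDE certificate (without which an encrypted database cannot be restored anywhere), create a server audit with a database audit specification that records every read and write of the table holding PII, and then query both the encryption state and the audit trail. The instance name SQLPROD01, the database CustomerDb, the table dbo.Customers, the paths and the passwords are all placeholders.

```powershell
# Added example: SQL Server TDE for a database holding personal data, plus an
# audit of who reads or changes the PII table. Not from the white paper; the
# instance, database, table, paths and passwords are placeholders.
Import-Module SQLPS -DisableNameChecking   # SQL Server 2012 tools

$Instance  = 'SQLPROD01'          # placeholder instance name
$Database  = 'CustomerDb'         # placeholder database holding PII
$PiiTable  = 'dbo.Customers'      # placeholder table with personal data
$KeyBackup = 'D:\KeyBackup'       # placeholder path; move its contents OFF the server
$AuditPath = 'D:\Audit\'          # placeholder audit log location
$MasterPwd = 'REPLACE-WITH-STRONG-PASSPHRASE-1'   # placeholder; prompt for it in real use
$BackupPwd = 'REPLACE-WITH-STRONG-PASSPHRASE-2'   # placeholder

# --- TDE: encrypt data and log files at rest (Table 7) ---------------------
$tde = @"
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$MasterPwd';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'TdeCert')
BEGIN
    CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for $Database';
    -- Without this backup an encrypted database cannot be restored elsewhere.
    BACKUP CERTIFICATE TdeCert TO FILE = '$KeyBackup\TdeCert.cer'
        WITH PRIVATE KEY (FILE = '$KeyBackup\TdeCert.pvk',
                          ENCRYPTION BY PASSWORD = '$BackupPwd');
END;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE [$Database] SET ENCRYPTION ON;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $tde

# --- Audit: record every read/write of the PII table (Table 9) -------------
$audit = @"
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.server_audits WHERE name = 'PdpaAudit')
    CREATE SERVER AUDIT PdpaAudit TO FILE (FILEPATH = '$AuditPath')
        WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT PdpaAudit WITH (STATE = ON);
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_audit_specifications WHERE name = 'PdpaPiiAccess')
    CREATE DATABASE AUDIT SPECIFICATION PdpaPiiAccess FOR SERVER AUDIT PdpaAudit
        ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::$PiiTable BY public)
        WITH (STATE = ON);
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $audit

function Get-TdeStatus {
    # encryption_state 3 = encrypted, 2 = encryption in progress, 1 = unencrypted.
    Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT d.name, d.is_encrypted, k.encryption_state, k.key_algorithm, k.key_length
FROM sys.databases d
LEFT JOIN sys.dm_database_encryption_keys k ON k.database_id = d.database_id
WHERE d.name = '$Database';
"@
}

function Get-PiiAccessEvents {
    param([int]$Hours = 24)
    # Reads the audit files back; this is where an incident investigation starts.
    Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file('$AuditPath*', DEFAULT, DEFAULT)
WHERE event_time > DATEADD(hour, -$Hours, GETUTCDATE())
ORDER BY event_time DESC;
"@
}

Get-TdeStatus | Format-Table -AutoSize
Get-PiiAccessEvents -Hours 24 | Format-Table -AutoSize
```

Two design choices deserve a sentence each. ON_FAILURE = CONTINUE keeps the instance running if the audit target becomes unwritable; an organization that would rather lose availability than lose the audit trail sets SHUTDOWN instead and must then monitor the audit target's free space. The audit files themselves should live on a volume that database administrators cannot modify, since an audit that its subjects can edit provides no non-repudiation.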

Personal Data Protection Considerations Using Cloud Services

Cloud computing has become an important part of corporate IT strategy for many companies in recent years because of merits such as readily expandable resources, a pay-as-you-go charge model, and faster time-to-market, which the traditional on-premises deployment model can hardly match. Unlike conventional IT outsourcing and hosting arrangements, where service providers supply IT infrastructure and services to customers through a dedicated environment and staff, cloud service providers deliver IT infrastructure and services to customers through a multi-tenant, shared environment from data centers around the world. Because of this, many market studies and dialogues between prospective customers and service providers show that certain themes have emerged as potential barriers to rapid adoption of cloud services, with security, privacy, reliability, and operational control the top concerns.

Whether a consumer’s personal information is stored on their own computer or in an online setting, or whether an organization’s mission-critical data is stored on premises or is on a hosted server and cloud, Microsoft recognizes that all of these environments must provide the trustworthy computing experience through focus on three areas:

Utilizing a risk-based information security program that assesses and prioritizes security and operational threats to the business;

Maintaining and updating a detailed set of security controls that mitigate risk;

Operating a compliance framework that ensures controls are designed appropriately and are operating effectively;

Based on these trustworthy computing principles, we illustrated in previous sections the Microsoft technology framework for data governance and access control, which Microsoft has developed through years of experience managing security risks in traditional development and operating environments. Since the launch of MSN® in 1994, Microsoft has also been building and running cloud services at global scale based on the same security and governance framework. The Global Foundation Services (GFS) division of Microsoft delivers the core infrastructure and foundational technologies for the company’s more than 200 online businesses, including Bing, MSN, Office 365, Xbox Live, Skype, SkyDrive and the Windows Azure platform. The infrastructure comprises a large global portfolio of data centers, servers, content distribution networks, edge computing nodes, and fiber optic networks. The portfolio is built and managed by a team of subject matter experts working 24x7x365 to support services for more than 1 billion customers and 20 million businesses in over 89 countries worldwide. Microsoft’s Online Information Security Program defines how the Online Services Security and Compliance (OSSC) team operates in GFS. The program has been independently certified by British Standards Institute (BSI) Management Systems America as compliant with ISO/IEC 27001:2005.

To help customers avoid financial loss and other consequences of opportunistic and targeted online attacks, and as part of a steadfast commitment to trustworthy computing, Microsoft employs people, processes, and technologies, leveraging its broad experience and deep expertise to provide a safer digital experience for consumers and a more secure global operating environment for businesses, be it on premises or in the cloud.

Some companies in Singapore are also concerned about how or where their data would be stored and processed if they were to use cloud services for their business. Besides general concerns about data security and privacy in the cloud, Clause 26 of the PDPA also states that personal data may only be transferred to a country or territory outside Singapore in compliance with requirements prescribed under the PDPA, to ensure that organizations provide a standard of protection comparable to the protection under the PDPA. The implementing regulations that will prescribe these Clause 26 requirements have yet to be finalized. Microsoft is monitoring this closely and will put in place the necessary arrangements to ensure compliance. Customers using Microsoft cloud services such as Office 365 and Windows Azure may specify the geographic area(s) ("geos" and "regions") of the Microsoft data centers in which customer data will be stored. For example, customers can choose “Southeast Asia” as the “Region” to specify that their data should reside in Microsoft’s Singapore data center. Information on the available geos and regions of Microsoft data centers is available at the Trust Center websites listed in the References section of this white paper.

Microsoft may transfer customer data within a geo (e.g., within Europe) for data redundancy or other purposes. For example, Windows Azure replicates Blob and Table data between two regions within the same geo for enhanced data durability in case of a major data center disaster; however, customers can choose to disable geo-redundancy to avoid data being transferred out of Singapore. Microsoft will not transfer customer data outside the geo(s) the customer specifies (for example, from Europe to the United States or from the United States to Asia) except where necessary for Microsoft to provide customer support, troubleshoot the service, or comply with legal requirements; or where the customer configures the account to enable such transfer of customer data, including through the use of:

Features that do not enable geo selection, such as Content Delivery Network (CDN), which provides a global caching service;

Web and Worker Roles, which back up software deployment packages to the United States regardless of deployment geo;

Preview, beta, or other pre-release features that may store or transfer customer data to the United States regardless of deployment geo;

Windows Azure Active Directory (except for Access Control), which may transfer Active Directory Customer Data to the United States for European customers, or to the United States or Europe for Asian customers;

However, Microsoft does not control or limit the geos from which customers or their end users may access customer data. For more information on how Microsoft online services address security, privacy and compliance issues, please refer to the Trust Center websites in the References section of this white paper.
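The two controls the passage above leaves in the customer's hands are the region in which a storage account is created and whether geo-replication to the paired region is switched off. As an added example (not from the white paper and not Microsoft's own code), the PowerShell below creates a storage account in the "Southeast Asia" region the paper names, disables geo-replication, and then reports every storage account in the subscription whose primary location is outside an allowed list or which still replicates to a secondary region, so that Clause 26 residency can be checked rather than assumed. The account name is a placeholder, and the cmdlets are those of the classic (service management) Azure PowerShell module current in early 2014; later modules use different names.

```powershell
# Added example: keep Windows Azure storage for personal data inside the
# Singapore ("Southeast Asia") region, switch geo-replication off, and report
# accounts that break that residency rule. Not from the white paper; the
# account name is a placeholder, cmdlets are the classic Azure module's.
Import-Module Azure

# Authenticate first (Add-AzureAccount) and select the subscription, e.g.
# Select-AzureSubscription -SubscriptionName 'Contoso SG'   # placeholder

function New-SingaporeStorageAccount {
    param(
        [Parameter(Mandatory)][string]$Name,      # placeholder account name
        [string]$Location = 'Southeast Asia'      # the region the paper names
    )
    # Location decides where the primary copy of the data lives.
    New-AzureStorageAccount -StorageAccountName $Name -Location $Location | Out-Null
    # Geo-replication copies blobs/tables to the paired region of the same
    # geo; the paper notes it can be disabled so data stays in Singapore.
    Set-AzureStorageAccount -StorageAccountName $Name -GeoReplicationEnabled $false | Out-Null
    Get-AzureStorageAccount -StorageAccountName $Name
}

function Test-StorageResidency {
    param([string[]]$AllowedLocations = @('Southeast Asia'))
    # One row per storage account; Compliant is $false when the primary
    # location is outside the allowed list or geo-replication is still on
    # (which means a secondary copy exists in another region).
    Get-AzureStorageAccount | ForEach-Object {
        $inAllowed = $AllowedLocations -contains $_.Location
        [pscustomobject]@{
            Account        = $_.StorageAccountName
            Location       = $_.Location
            GeoReplication = $_.GeoReplicationEnabled
            Secondary      = $_.GeoSecondaryLocation
            Compliant      = ($inAllowed -and -not $_.GeoReplicationEnabled)
        }
    }
}

New-SingaporeStorageAccount -Name 'contosopii01'   # placeholder name
Test-StorageResidency | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Disabling geo-replication trades the durability benefit the passage describes for residency, so the decision belongs in the organization's risk assessment, with a local backup plan in its place. The residency report only covers storage; the list above shows that CDN, deployment package backups, preview features and Windows Azure Active Directory can each move data regardless of region, so those features need a separate entry in the data map.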


Conclusion

Organizations seeking to comply with the PDPA should engage their IT departments actively in the process, and partner with external experts to develop a process that takes full account of the requirements and also addresses the risks inherent in compliance-related implementations. Organizations should also deploy relevant tools, technologies and products to automate control over personal information as much as possible, and ensure organization-wide consistency in how personal data is handled and managed.

Call to Action

In this white paper, we propose a general approach and framework to guide organizations in addressing PDPA compliance requirements from people, process, and technology perspectives. The journey toward compliance is likely to be a continuous process as the regulation adjusts to meet the changing landscape of international business practices and the legal environment. Protiviti and Microsoft can provide further assistance to help our clients kick-start this journey by identifying capability gaps, prioritizing initiatives, and developing an organization and architecture blueprint, which could help set the foundation for a sustainable culture transformation and technical enablement for PDPA compliance in the long run. For inquiries about topics in this white paper, or to find out more about our offerings, products and services, please approach your Microsoft or Protiviti representatives, or contact the following:

Ivan Leong Protiviti Singapore +65 6220-6066 [email protected]

Daniel Li Microsoft Singapore +65 6888-7409 [email protected]


References

Generally Accepted Privacy Principles: http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Privacy/GenerallyAcceptedPrivacyPrinciples/Pages/default.aspx

Protiviti KnowledgeLeader: http://www.knowledgeleader.com

“Information Protection Strategies for Financial Services,” Microsoft U.S. National Security Team, Co-authored by Thomas W. Shinder and Norm Barber, Sept 2007

“Microsoft’s Compliance Framework for Online Services,” Microsoft Global Foundation Services, Oct 2009

“Information Security Management System for Microsoft Cloud Infrastructure,” Microsoft Corporation, Nov 2010

“Securing Microsoft’s Cloud Infrastructure,” Microsoft Corporation, May 2009

Global Foundation Service Security & Compliance: http://www.globalfoundationservices.com/security-and-compliance.aspx

O365 Trust Center: http://office.microsoft.com/en-us/business/office-365-trust-center-cloud-computing-security-FX103030390.aspx

Windows Azure Trust Center: http://www.windowsazure.com/en-us/support/trust-center/

Dynamics CRM Online Trust Center: http://www.microsoft.com/en-us/dynamics/crm-trust-center.aspx

Microsoft Windows Safety & Security Center: http://www.microsoft.com/security/default.aspx

Active Directory Rights Management Services: http://technet.microsoft.com/en-us/library/cc771234(v=ws.10).aspx

Windows Phone Security: http://www.windowsphone.com/en-US/business/security

Secure Windows Server 2012: http://technet.microsoft.com/en-us/library/hh831360.aspx

SQL Server 2012 Security & Compliance: http://www.microsoft.com/en-us/sqlserver/solutions-technologies/mission-critical-operations/security-and-compliance.aspx

The Security Model of Microsoft Dynamics CRM: http://msdn.microsoft.com/en-us/library/gg309524.aspx

Authentication, Authorization, and Security in SharePoint 2013: http://msdn.microsoft.com/en-us/library/office/ms457529.aspx

Microsoft Lync Server 2010 Security Guide: http://www.microsoft.com/en-us/download/details.aspx?id=2729

System Center 2012 Configuration Manager, Operations Manager, Endpoint Protection, and Data Protection: http://technet.microsoft.com/en-us/library/hh546785.aspx

Exchange Server Data Loss Prevention: http://technet.microsoft.com/library/jj150527(EXCHG.150)


About Microsoft

Founded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and solutions that help people and businesses realize their full potential. To learn more, please visit www.microsoft.com/en-sg

Microsoft, Office, Windows, Windows XP, Windows Vista, Windows 8, Windows Server, Visual Studios, SharePoint, Dynamics CRM/AX, and SQL Server are either registered trademarks or trademarks of the Microsoft group of companies. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

© 2014 Microsoft. All rights reserved

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.

Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

© 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V.