1 / 43

Privacy and Trust In Europe

Privacy and Trust In Europe. Mike Small Principal Consultant Security Management CA EMEA. CA Support for Privacy Trust and Compliance. CA’s Enterprise IT Management Approach is based on best standards and practices like COBIT and ISO 27002

aideen
Download Presentation

Privacy and Trust In Europe

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy and Trust In Europe Mike Small Principal Consultant Security Management CA EMEA

  2. CA Support for Privacy Trust and Compliance CA’s Enterprise IT Management Approach is based on best standards and practices like COBIT and ISO 27002 Many of CA’s product are evaluated Common Criteria (ISO/ISEC 15048) for computer security . CA’s IT Security practitioners are CISSP accredited 2 Meeting the challenges of privacy, trust and compliance

  3. Clarkson eats words over lost data TV presenter Jeremy Clarkson said in a newspaper column that the data lost by staff at HM Revenue & Customs was useless, and published his own bank details in the article to prove his point. However, he was forced to apologise publicly after £500 was quickly removed from his account. Privacy - Why Does it Matter? 3

  4. Unproven allegations kept on UK Criminal Records Bureau files A High Court judge has acknowledged that workers' careers can be ruined by unproven allegations kept on police files but refused to allow a challenge to the rules. Mr Justice Blake added that he was powerless to stop details of unproved accusations being passed to managers because the Government and police had clearly intended that they should be, in order to protect vulnerable groups. 1997 Police Act had placed officers under a duty to disclose allegations to employers, even when they had not been proved, provided they were relevant and not too historic. UK Daily Telegraph 15th September, 2008 Privacy - Why Does it Matter? 4

  5. Privacy – OECD Principles OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data. 23rd September 1980

  6. EU Directive 2002/58/EC (Directive on Privacy and Electronic Communications) Providers of publicly available electronic communications services (i.e. telecommunications companies) must safeguard the security and confidentiality of communications on their services. EU Directive 95/46/EC Personal data should be (Article 6) Only collected for specified, explicit and legitimate purposes Relevant and not excessive for the purpose collected Accurate and where necessary, updated Maintained in a form that allows identification of data subjects for no longer than necessary Privacy – European Laws

  7. This Directive applies to data processed by automated means and data contained in or intended to be part of non automated filing systems. The Directive aims to protect the rights and freedoms of persons with respect to the processing of personal data by laying down guidelines determining when this processing is lawful. Privacy – EU Directive 95/46/EC

  8. Privacy – Employee Surveillance • EU Article 29 Working Party, Working Paper 55 on the surveillance of electronic communications in the workplace: • prevention should be more important than detection. • any monitoring measure must pass a list of tests: • Is the monitoring activity transparent to the workers? • Is it necessary? Could not the employer obtain the same result with traditional methods of supervision? • Is the processing of personal data proposed fair to the workers? • Is it proportionate to the concerns that it tries to ally? • employer must inform the worker of • the presence, use and purpose of any detection equipment and/or apparatus activated with regards to his/her working station and • any misuse of the electronic communications detected (e-mail or the Internet), unless important reasons justify the continuation of the secret surveillance

  9. Trust A receipt for payment Photo reproduced with permission from the Daily Telegraph (UK) 9

  10. Which organizations do people trust? Which organizations would you trust MOST to protect your personal data? 60% 40% 25% Credit Card Companies 19% Government Online retailer Banks Poll by YouGov plc conducted between 3rd - 5th September 2007 in the UK with a sample size of 2,156 adults. 10

  11. Ensuring Privacy and Trust Standards and Best Practice COBIT Common Criteria for Information Technology Security Evaluation ISO/IEC 15408-1 to 15408-3 ISO 27001 Information security management systems - Requirements ISO 27002 Code of practice for information security management Payment Card Industry (PCI) Data Security Standard 11

  12. Acquire & Implement • Specify Purpose • for data collected • Inform data subjects • Ensure subject aware of data processing and reason • Deliver and Support • Ensure Data Quality • Relevance, accuracy and updating • Ensure Security • IT Security measures • Ensure subject participation • Restrict Data Transfer • Plan & Organize • Justify processing • consent, legal obligations, justified interest • Notify authorities • Unless exempted report processing to DPA or CPO • Monitor & Evaluate • Ensure Respect of Data Purpose • Monitor accuracy • Monitor Security • Monitor Data Transfer Mapping Privacy to COBIT

  13. Ensuring Privacy and Trust Training and Accreditation ISACA (Information Systems Audit and Controls Association) Certified Information Systems Auditor (CISA) Certified Information Security Manager (CISM) ISC2, the International Information Systems Security Certification Consortium Certified Information Systems Security Professional (CISSP) Systems Security Certified Practitioner (SSCP) 13

  14. Compliance Gap A survey of 482 EMEA organizations during November 2007 found that 62% hold regulated information. 14 Meeting the challenges of privacy, trust and compliance

  15. Compliance Gap Only 31% of 482 organizations surveyed across EMEA had controls in place to identify “orphan” accounts • ISO 27002 – 11.2.1 User Registration • There should be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services. 15 Meeting the challenges of privacy, trust and compliance

  16. Compliance Gap Only 41% of 482 organizations surveyed across EMEA could report on users’ access rights. • ISO 27002 – 11.2.4 Review of Access Rights • Management should review users’ access rights at regular intervals using a formal process. 16 Meeting the challenges of privacy, trust and compliance

  17. Compliance Gap Only 46% of 482 organizations surveyed across EMEA had controls in place to regulate administrators. • ISO 27002 – 11.5 OS Access Control • Objective: To prevent unauthorized access to operating systems 17 Meeting the challenges of privacy, trust and compliance

  18. Privacy PRIVACYMatters 18 Meeting the challenges of privacy, trust and compliance

  19. A ‘Framework’ forData Privacy Management John T. Sabo, CISSP Director, Global Government Relations, CA, Inc.

  20. What is the ISTPA? • The International Security, Trust and Privacy Alliance (ISTPA), founded in 1999, is a global alliance of companies, institutions and technology providers working together to clarify and resolve existing and evolving issues related to security, trust, and privacy • ISTPA’s focus is on the protection of personal information (PI) – see www.istpa.org

  21. ISTPA’s Perspective on Privacy • Operational, Technical, Architectural Focus • …“making Privacy Operational” • based on legal, policy and business process drivers • multi-dimensional privacy management with support for temporal requirements • “Analysis of Privacy Principles: An Operational Study” published in 2007 • Privacy Framework v1.1 published in 2002 • supports the full “lifecycle” of Personal Information • now under major revision

  22. Privacy Drivers and Issues • Principles/Legislation/Policies • Many competing requirements and constraints on the collection and use of personal information (PI) and personally identifiable information (PII) • Business Processes • Business applications using PI/PII with privacy-related components such as data collection, communications, processing and storage, customer/citizen relationship management, partner agreements, and compliance • Today’s Networked PI Lifecycle • Digitally-based personal information and personally identifiable information are now essentially networked and boundless • Absence of privacy-specific technical management standards • Technical architectures which incorporate standardized, universal privacy management services and controls not yet available

  23. See ISTPA “Analysis of Privacy Principles: An Operational Study” (2007) Starting Point - Principles/Legislation/Policies

  24. The Privacy Act of 1974 (U.S.) OECD Privacy Guidelines UN Guidelines EU Data Protection Directive Canadian Standards Association Model Code Health Insurance Portability and Accountability Act (HIPAA) Many Laws, Directives, Codes • US FTC Fair Information Practice Principles • US-EU Safe Harbor Privacy Principles • Australian Privacy Act • Japan Personal Information Protection Act • APEC Privacy Framework • California Security Breach Bill

  25. Australian Privacy Principles – 2001 Collection Use and Disclosure Data Quality Data Security Openness Access and Correction Identifiers Anonymity Transborder Data Flows Sensitive Information No Standardized Policies See ISTPA “Analysis of Privacy Principles: An Operational Study” (2007) • OECD Guidelines – 1980 • Collection Limitation • Data Quality • Purpose Specification • Use Limitation • Security Safeguards • Openness • Individual Participation • Accountability • APEC Privacy Framework – 2005 • Preventing Harm • Notice • Collection Limitation • Uses of Personal Information • Choice • Integrity of Personal Information • Security Safeguards • Access and Correction • Accountability

  26. Accountability Notice Consent Collection Limitation Use Limitation Disclosure Access & Correction Security/Safeguards Data Quality Enforcement Openness Need for Generalized Requirements • Anonymity • Data Flow • Sensitivity

  27. Managing Privacy Requirements in Networked PI/PII Lifecycle? Time Destruction? Time

  28. Example: PI/PII Lifecycle Implications of “Notice” 7. information provided to data subject at designated times under designated circumstances 3. disclosure to parties within or external to the entity 1, definition of the personal information collected 2. use (purpose specification) 4. practices associated with maintenance and protection of the PI 6. changes made to policies or practices 5. options available to the data subject regarding the collector’s privacy practices

  29. A Dynamic Operationally-Focused Privacy Management Reference Model

  30. PI Life Cycle Perspective Most Models Assume Sequential Processes PI Requestor Sequential Operational Privacy Management Subject PI PI Business Application Processor

  31. PI Life Cycle Perspective Requestors/Users ..n … Time Requestors/Users PI Today – Networked-Interactive Processes PI • Non-sequential • Data subject impacted directly and indirectly after initial data collections Data Subject PI PI Business Application 1, 2… n Processor/Aggregator 1, 2…n

  32. ISTPA Privacy Framework Services • Negotiation - agreements, options, permissions • Control – policies – data management • Interaction - manages data/preferences/notice • Agent - software that carries out processes • Access - subject review/suggest updates to PI • Usage - data use, aggregation, anonymization • Certification - credentials, trusted processes • Audit- independent, verifiable accountability • Validation - checks accuracy of PI • Enforcement - including redress for violations

  33. Original ISTPA Privacy Framework

  34. From “Framework” to “Model” • From policy perspective, pushback on use of the term “framework” • Framework v1.1 services were validated, but in a relatively static model • difficult to understand applicability in contemporary privacy/data protection scenarios • Need to better incorporate use cases where PI is disassociated from the data collector and the data subject’s control • Temporality and data lifecycle • Policy changes • Improved understanding of service to service relationships

  35. Making the Framework PI and Policy– Centric PI and Policies

  36. Managing Multiple Policy Instances PI and Policies PI and Policies PI and Policies

  37. PI as Objects - Rules as Objects… PI Objects P-Rule Objects

  38. …and Managed in “Lifecycle” Networked Context PI Objects PI Rules Objects

  39. Modular Services INTERACTION ACCESS VALIDATION NEGOTIATION CONTROL USAGE CERTIFICATION Personal Information AUDIT ENFORCEMENT AGENT SECURITY

  40. Touch Point Concept PI Touch Point Legal, Regulatory, and Policy Context Security Foundation Agent Interaction • Each “Touch Point” node configured with operational stack • Privacy policies are input “parameters” to Control • Agent is the Touch Point programming persona • “PIC” logically contains PI and usage agreements Access Negotiation Control Usage PIContainer(PIC) PI, Rules & PIC Repository Assurance Services Validation Certification Audit Enforcement

  41. Multiple Instances Any n touch points in the PI life cycle Legal, Regulatory, and Policy Context Security Foundation Agent Agent Interaction Interaction Access Negotiation Negotiation Control Control Usage Usage PIContainer(PIC) PI, Rules & PIC Repository PI, Rules & PIC Repository Assurance Services Validation Certification Audit Enforcement

  42. Next Steps • Framework WG completing revision of new “reference model” • Publication expected December 2008 • Linkages to IT governance disciplines and current standards (such as XACML) • ISTPA has joined the OASIS standards organization as an institutional member • Exploring proposing an OASIS Privacy Management Technical Committee using v. 2.0 • Work requires cross-disciplinary knowledge and desire to develop privacy management tools which reflect our global, digital, and networked information-based environment

  43. Questions? John Sabo john.t.sabo@ca.com

More Related