100 likes | 221 Views
Privacy Management for a Global Enterprise. Tomas Sander Secure Systems Lab, HP Labs Princeton tomas.sander@hp.com. What is privacy. For corporations, privacy is about:
E N D
Privacy Management for a Global Enterprise Tomas Sander Secure Systems Lab, HP Labs Princeton tomas.sander@hp.com
What is privacy • For corporations, privacy is about: • The application of laws, policies, standards and processes by which “personally identifiable information” of individuals is managed.” • For global companies requires ability to manage • complex local/global regulatory environment • their own company’s related privacy polices and practices • Company positions vary: • Liability based model • Avoid reputation risk • View good privacy as a way to enhance trust in their brand • Accountability based approach • Include ethical principles in business decision making
Challenge • Include good privacy decision making in all your business processes
Example: Privacy issues in Outsourcing • Excessive media scrutiny • Continuous reassurance required by customers and government agencies on data protection • Risks and liabilities • Significant volumes of privacy sensitive data processed • Large number of staff required in data processing • Contractual liabilities • Reputation risk!!
Privacy in outsourcing • From a compliance team’s perspective • Technical point solutions do only address small part of problem • Tools that are missing today • Tools that support (practical) privacy management • Needs to be able to manage privacy requirements, activities and control • HP Labs in cooperation with the HP Privacy Office and HP BPO Business Unit has built a tool that • Takes as input data specifying a particular BPO deal • Outputs requirements, advice, warnings and controls which apply in the specified scenario • Tool is deployed within HP BPO
Problem 1 • Create formal policy language framework, so that the output is at “medium” level of detail and understandable and actionable for human users. • Should to allow to • Model Security and privacy relevant activities and controls • Model business processes at appropriate level of detail • Translate higher level policies and regulatory requirements into actionable chunks
Problem 2: Add Accountability - what does it mean? • Liability-Based: • Privacy Laws & Regulations • Case Law Interpretation, Codes of Conduct, Safe Harbor, Contracts • Accountability-Based: • Assertions, Promises, Policies • Ethics- and Values-driven Considerations & Decision Making
Problem 3 • Provide decision support for privacy and security in corporate settings • Policy Effectiveness, • e.g. (Mathematical) Modeling of the behavior of systems and networks and also the users of systems, both internal (operators, staff) and external (customers, regulators), in the context of security policies and protocols; • Operations and Assurance • including finding meaningful, measurable, and actionable metrics that can be leveraged to evaluate the risk exposure of an enterprise as well as to decide how well security and governance decisions are performing operationally. • Developing deeper insights into how the economics of security can be modeled in an enterprise