Privacy and Trust in Europe. Mike Small, Principal Consultant, Security Management, CA EMEA.

CA Support for Privacy, Trust and Compliance
- CA's Enterprise IT Management approach is based on standards and best practices such as COBIT and ISO.
- Many of CA's products are evaluated under the Common Criteria (ISO/IEC 15408) for computer security.
- CA's IT security practitioners are CISSP accredited.
Meeting the challenges of privacy, trust and compliance

Privacy - Why Does it Matter?
Clarkson eats words over lost data: TV presenter Jeremy Clarkson said in a newspaper column that the data lost by staff at HM Revenue & Customs was useless, and published his own bank details in the article to prove his point. He was forced to apologise publicly after £500 was quickly removed from his account. Identifiers that look harmless on their own (an account number and sort code) were enough for a third party to initiate a transaction.

Privacy - Why Does it Matter?
- Unproven allegations are kept on UK Criminal Records Bureau files.
- A High Court judge has acknowledged that workers' careers can be ruined by unproven allegations kept on police files, but refused to allow a challenge to the rules.
- Mr Justice Blake added that he was powerless to stop details of unproved accusations being passed to managers, because the Government and police had clearly intended that they should be, in order to protect vulnerable groups.
- The Police Act 1997 placed officers under a duty to disclose allegations to employers, even when they had not been proved, provided they were relevant and not too historic.
- Source: UK Daily Telegraph, 15th September.

Privacy – OECD Principles
Source: OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 23rd September 1980.

Principle: Explanation
- Collection Limitation: There should be limits to the collection of personal data, and it should be obtained with the knowledge or consent of the data subject.
- Data Quality: Personal data should be relevant to the purposes for which they are to be used, and should be accurate, complete and kept up to date.
- Purpose Specification: The purposes for which personal data are collected should be specified, and subsequent use limited to those purposes.
- Use Limitation: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified.
- Security: Personal data should be protected by reasonable security safeguards.
- Openness: There should be a general policy of openness about developments, practices and policies with respect to personal data.
- Individual Participation: An individual should have the right to obtain data relating to him in a timely and low-cost manner, and to correct errors.
- Accountability: A data controller should be accountable for complying with measures which give effect to the principles stated above.

Privacy – European Laws
- EU Directive 2002/58/EC (Directive on Privacy and Electronic Communications): providers of publicly available electronic communications services (i.e. telecommunications companies) must safeguard the security and confidentiality of communications on their services.
- EU Directive 95/46/EC, Article 6: personal data should be
  - collected only for specified, explicit and legitimate purposes;
  - relevant and not excessive for the purposes for which they are collected;
  - accurate and, where necessary, kept up to date;
  - kept in a form that allows identification of data subjects for no longer than necessary.

Privacy – EU Directive 95/46/EC
- The Directive applies to data processed by automated means and to data contained in, or intended to be part of, non-automated filing systems.
- The Directive aims to protect the rights and freedoms of persons with respect to the processing of personal data by laying down guidelines determining when such processing is lawful.

Privacy – Employee Surveillance
EU Article 29 Working Party, Working Paper 55 on the surveillance of electronic communications in the workplace:
- Prevention should be more important than detection.
- Any monitoring measure must pass a list of tests:
  a) Is the monitoring activity transparent to the workers?
  b) Is it necessary? Could the employer not obtain the same result with traditional methods of supervision?
  c) Is the proposed processing of personal data fair to the workers?
  d) Is it proportionate to the concerns it tries to allay?
- The employer must inform the worker of
  i. the presence, use and purpose of any detection equipment and/or apparatus activated with regard to his/her workstation, and
  ii. any misuse of the electronic communications detected (… or the Internet), unless important reasons justify the continuation of the secret surveillance.

Trust – A receipt for payment. (Photo reproduced with permission from the Daily Telegraph, UK.)

Which organizations do people trust?
Poll question: Which organizations would you trust MOST to protect your personal data?
- Banks: 60%
- Credit card companies: 40%
- Government: 25%
- Online retailers: 19%
Poll by YouGov plc, conducted 3rd - 5th September 2007 in the UK with a sample size of 2,156 adults.

Ensuring Privacy and Trust – Standards and Best Practice
- COBIT
- Common Criteria for Information Technology Security Evaluation, ISO/IEC 15408-1 to 15408-3
- ISO/IEC 27001, Information security management systems – Requirements
- ISO/IEC 27002 (formerly ISO/IEC 17799), Code of practice for information security management
- Payment Card Industry (PCI) Data Security Standard

Mapping Privacy to COBIT
- Plan & Organize
  - Justify processing: consent, legal obligations, justified interest
  - Notify authorities: unless exempted, report processing to the DPA or CPO
- Acquire & Implement
  - Specify purpose for the data collected
  - Inform data subjects: ensure the subject is aware of the data processing and its reason
- Deliver & Support
  - Ensure data quality: relevance, accuracy and updating
  - Ensure security: IT security measures
  - Ensure subject participation
  - Restrict data transfer
- Monitor & Evaluate
  - Ensure respect of data purpose
  - Monitor accuracy
  - Monitor security
  - Monitor data transfer

Ensuring Privacy and Trust – Training and Accreditation
- ISACA (Information Systems Audit and Control Association)
  - Certified Information Systems Auditor (CISA)
  - Certified Information Security Manager (CISM)
- (ISC)2, the International Information Systems Security Certification Consortium
  - Certified Information Systems Security Professional (CISSP)
  - Systems Security Certified Practitioner (SSCP)

Compliance Gap
- A survey of 482 EMEA organizations during November 2007 found that 62% hold regulated information.

Compliance Gap
- Only 31% of the 482 organizations surveyed across EMEA had controls in place to identify "orphan" accounts (accounts whose owner has left or was never recorded).
- ISO/IEC 27002 – User registration: there should be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.

Compliance Gap
- Only 41% of the 482 organizations surveyed across EMEA could report on users' access rights.
- ISO/IEC 27002 – Review of user access rights: management should review users' access rights at regular intervals using a formal process.

Compliance Gap
- Only 46% of the 482 organizations surveyed across EMEA had controls in place to regulate administrators.
- ISO/IEC 27002 – 11.5 Operating system access control. Objective: to prevent unauthorized access to operating systems.
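The three survey questions above (orphan accounts, a report on access rights, control of administrators) are answerable from two exports most organizations already have: the HR roster and the directory. The script below is an added example, not code from the presentation or from CA; the roster, the account list and the group names are constructed sample data, and the 90-day dormancy threshold is an assumed policy value. It cross-references the two sources to find orphan and dormant accounts, turns the account list inside out into an entitlement-by-group report a reviewer can sign off, and lists privileged accounts that map to no named person.

```python
"""Account hygiene checks behind the ISO/IEC 27002 user registration,
access review and administrator controls. Added example with constructed data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed HR roster: employee id -> (name, still employed?)
HR_ROSTER = {
    "E100": ("Alice Ahmed", True),
    "E101": ("Bob Brown", False),   # has left the company
    "E102": ("Chen Wei", True),
}


@dataclass
class Account:
    username: str
    owner: Optional[str]     # employee id from HR; None for shared/service accounts
    groups: list
    last_login: date
    admin: bool = False


# Constructed directory export (what a dump of an LDAP/AD tree would give you)
ACCOUNTS = [
    Account("aahmed", "E100", ["finance-ro", "vpn"], date(2008, 1, 10)),
    Account("bbrown", "E101", ["finance-rw", "vpn"], date(2007, 6, 3)),
    Account("cwei", "E102", ["vpn"], date(2008, 1, 12)),
    Account("svc_backup", None, ["domain-admins"], date(2008, 1, 12), admin=True),
    Account("old_contractor", "E999", ["finance-rw"], date(2006, 11, 1)),
]


def orphan_accounts(accounts, roster, today, stale_after=timedelta(days=90)):
    """Registration / de-registration check.
    An account is flagged when it has no registered owner, its owner is unknown
    to HR, or its owner has left. Accounts unused for longer than stale_after
    are flagged as dormant (assumed 90-day policy)."""
    findings = {}
    for a in accounts:
        reasons = []
        if a.owner is None:
            reasons.append("no registered owner")
        elif a.owner not in roster:
            reasons.append("owner not in HR roster")
        elif not roster[a.owner][1]:
            reasons.append("owner has left")
        if today - a.last_login > stale_after:
            reasons.append("dormant")
        if reasons:
            findings[a.username] = reasons
    return findings


def access_rights_report(accounts):
    """Review of access rights: group -> sorted usernames, so the reviewer
    signs off each entitlement rather than scrolling through each account."""
    report = {}
    for a in accounts:
        for g in a.groups:
            report.setdefault(g, []).append(a.username)
    return {g: sorted(users) for g, users in sorted(report.items())}


def privileged_without_owner(accounts):
    """Administrator control: every privileged account must map to a named person."""
    return sorted(a.username for a in accounts if a.admin and a.owner is None)


if __name__ == "__main__":
    today = date(2008, 1, 15)
    for user, reasons in orphan_accounts(ACCOUNTS, HR_ROSTER, today).items():
        print(f"{user}: {', '.join(reasons)}")
    for group, users in access_rights_report(ACCOUNTS).items():
        print(f"{group}: {', '.join(users)}")
    print("privileged, no owner:", privileged_without_owner(ACCOUNTS))
```

The owner field is the hinge: de-registration only works if every account, including service accounts, carries a reference to a person or a system owner in HR, which is why the script treats "no registered owner" as a finding rather than skipping such accounts.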

Privacy Matters

A 'Framework' for Data Privacy Management. John T. Sabo, CISSP, Director, Global Government Relations, CA, Inc.

What is the ISTPA?
- The International Security, Trust and Privacy Alliance (ISTPA), founded in 1999, is a global alliance of companies, institutions and technology providers working together to clarify and resolve existing and evolving issues related to security, trust and privacy.
- ISTPA's focus is on the protection of personal information (PI).

ISTPA's Perspective on Privacy
- Operational, technical and architectural focus:
  - "making Privacy Operational";
  - based on legal, policy and business process drivers;
  - multi-dimensional privacy management with support for temporal requirements.
- "Analysis of Privacy Principles: An Operational Study" published in 2007.
- Privacy Framework v1.1 published in 2002:
  - supports the full "lifecycle" of personal information;
  - now under major revision.

Privacy Drivers and Issues
- Principles/Legislation/Policies: many competing requirements and constraints on the collection and use of personal information (PI) and personally identifiable information (PII).
- Business Processes: business applications using PI/PII with privacy-related components such as data collection, communications, processing and storage, customer/citizen relationship management, partner agreements, and compliance.
- Today's Networked PI Lifecycle: digitally-based personal information and personally identifiable information are now essentially networked and boundless.
- Absence of privacy-specific technical management standards: technical architectures which incorporate standardized, universal privacy management services and controls are not yet available.

Starting Point – Principles/Legislation/Policies
See ISTPA "Analysis of Privacy Principles: An Operational Study" (2007).

Many Laws, Directives, Codes
- The Privacy Act of 1974 (U.S.)
- OECD Privacy Guidelines
- UN Guidelines
- EU Data Protection Directive
- Canadian Standards Association Model Code
- Health Insurance Portability and Accountability Act (HIPAA)
- US FTC Fair Information Practice Principles
- US-EU Safe Harbor Privacy Principles
- Australian Privacy Act
- Japan Personal Information Protection Act
- APEC Privacy Framework
- California Security Breach Bill

No Standardized Policies
- OECD Guidelines – 1980: Collection Limitation; Data Quality; Purpose Specification; Use Limitation; Security Safeguards; Openness; Individual Participation; Accountability.
- Australian Privacy Principles – 2001: Collection; Use and Disclosure; Data Quality; Data Security; Openness; Access and Correction; Identifiers; Anonymity; Transborder Data Flows; Sensitive Information.
- APEC Privacy Framework – 2005: Preventing Harm; Notice; Collection Limitation; Uses of Personal Information; Choice; Integrity of Personal Information; Security Safeguards; Access and Correction; Accountability.
See ISTPA "Analysis of Privacy Principles: An Operational Study" (2007).

Need for Generalized Requirements
- Accountability
- Notice
- Consent
- Collection Limitation
- Use Limitation
- Disclosure
- Access & Correction
- Security/Safeguards
- Data Quality
- Enforcement
- Openness
Cross-cutting concerns shown alongside: Anonymity, Data Flow, Sensitivity.

Managing Privacy Requirements in the Networked PI/PII Lifecycle? (Diagram: a timeline running from collection through to an open question of destruction.)

Example: PI/PII Lifecycle Implications of "Notice"
1. Definition of the personal information collected
2. Use (purpose specification)
3. Disclosure to parties within or external to the entity
4. Practices associated with maintenance and protection of the PI
5. Options available to the data subject regarding the collector's privacy practices
6. Changes made to policies or practices
7. Information provided to the data subject at designated times under designated circumstances

A Dynamic Operationally-Focused Privacy Management Reference Model

PI Life Cycle Perspective – Most Models Assume Sequential Processes
(Diagram: PI flows in sequence from the subject to the requestor, to the business application, to the processor; sequential operational privacy management.)

PI Life Cycle Perspective – Today: Networked, Interactive Processes
(Diagram: PI from the data subject reaches requestors/users, business applications 1, 2 … n and processors/aggregators 1, 2 … n, non-sequentially and over time; the data subject is impacted directly and indirectly after the initial data collection.)

ISTPA Privacy Framework Services
- Negotiation: agreements, options, permissions
- Control: policies, data management
- Interaction: manages data, preferences and notice
- Agent: software that carries out processes
- Access: subject review of, and suggested updates to, PI
- Usage: data use, aggregation, anonymization
- Certification: credentials, trusted processes
- Audit: independent, verifiable accountability
- Validation: checks accuracy of PI
- Enforcement: including redress for violations

Original ISTPA Privacy Framework

From "Framework" to "Model"
- From a policy perspective, pushback on use of the term "framework".
- Framework v1.1 services were validated, but in a relatively static model; difficult to understand applicability in contemporary privacy/data protection scenarios.
- Need to better incorporate use cases where PI is disassociated from the data collector and from the data subject's control: temporality and data lifecycle; policy changes.
- Improved understanding of service-to-service relationships.

PI and Policies – Making the Framework PI- and Policy-Centric

PI and Policies – Managing Multiple Policy Instances

PI as Objects, Rules as Objects… (Diagram: PI objects alongside P-Rule objects.)

…and Managed in a "Lifecycle" Networked Context (Diagram: PI objects and PI rule objects.)

Modular Services around Personal Information: Agent, Interaction, Control, Negotiation, Usage, Access, Validation, Certification, Audit, Enforcement, Security.

Touch Point Concept
(Diagram: within the legal, regulatory and policy context and on top of a security foundation, a touch point runs an operational stack of Agent, Control, Interaction, Negotiation, Usage and Access over a PI, Rules & PIC repository; the assurance services Enforcement, Audit, Certification and Validation sit alongside.)
- Each "touch point" node is configured with the operational stack.
- Privacy policies are input "parameters" to Control.
- Agent is the touch point's programming persona.
- The PI Container (PIC) logically contains the PI and its usage agreements.
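To make the "PI as objects, rules as objects" and touch-point ideas concrete, here is an added example, not ISTPA's code and not a published reference implementation; the class names, rule fields and sample record are my own assumptions. A PI container carries the personal information together with the rule objects it was collected under (purpose, permitted requestors, retention date, consent). The Control service takes those rules as its parameters and decides a request from a touch point; Usage returns only the fields asked for when Control permits; Access lets the subject withdraw consent; and Audit writes a hash-chained log so the accountability record cannot be altered without detection. The retention check also answers the Directive 95/46/EC Article 6 requirement that identifiable data be kept no longer than necessary.

```python
"""Toy PI container, rule objects and Control/Usage/Access/Audit services.
Added example with constructed data; not ISTPA or CA code."""
from dataclasses import dataclass
from datetime import date
import hashlib
import json


@dataclass(frozen=True)
class PRule:
    """Rule object bound to the PI: purpose specification, use limitation
    (who may request), retention limit and the subject's consent state."""
    purpose: str
    allowed_requestors: frozenset
    retain_until: date
    consent_given: bool = True


@dataclass
class PIContainer:
    """The PIC: personal information together with its usage agreements."""
    subject_id: str
    data: dict
    rules: list


class Audit:
    """Hash-chained log: each entry commits to the previous digest."""
    def __init__(self):
        self.entries = []
        self._prev = "0" * 64

    def record(self, **event):
        event["prev"] = self._prev
        payload = json.dumps(event, sort_keys=True, default=str).encode()
        digest = hashlib.sha256(payload).hexdigest()
        self.entries.append((digest, event))
        self._prev = digest
        return digest

    def verify(self):
        prev = "0" * 64
        for digest, event in self.entries:
            payload = json.dumps(event, sort_keys=True, default=str).encode()
            if event["prev"] != prev or hashlib.sha256(payload).hexdigest() != digest:
                return False
            prev = digest
        return True


class Control:
    """Control service: the PRules on the PIC are its input parameters."""
    def __init__(self, audit):
        self.audit = audit

    def decide(self, pic, requestor, purpose, today):
        rule = next((r for r in pic.rules if r.purpose == purpose), None)
        if rule is None:
            verdict = (False, "no agreement for purpose")
        elif not rule.consent_given:
            verdict = (False, "consent withdrawn")
        elif requestor not in rule.allowed_requestors:
            verdict = (False, "requestor not permitted")
        elif today > rule.retain_until:
            verdict = (False, "retention period expired")
        else:
            verdict = (True, "permitted")
        self.audit.record(subject=pic.subject_id, requestor=requestor,
                          purpose=purpose, when=today,
                          allowed=verdict[0], reason=verdict[1])
        return verdict


class Usage:
    """Usage service: releases only the requested fields, and only if Control says so."""
    def __init__(self, control):
        self.control = control

    def use(self, pic, requestor, purpose, today, fields):
        allowed, _ = self.control.decide(pic, requestor, purpose, today)
        if not allowed:
            return None
        return {k: pic.data[k] for k in fields if k in pic.data}


def withdraw_consent(pic, purpose):
    """Access service: the subject changes an agreement. PRule is frozen, so replace it."""
    pic.rules = [PRule(r.purpose, r.allowed_requestors, r.retain_until, False)
                 if r.purpose == purpose else r for r in pic.rules]


def must_destroy(pic, today):
    """Temporal requirement: once every agreement has expired, the PI has no lawful basis to remain."""
    return all(today > r.retain_until for r in pic.rules)


AUDIT = Audit()
CONTROL = Control(AUDIT)
USAGE = Usage(CONTROL)
# Constructed sample record with two usage agreements
PIC = PIContainer("subject-42",
                  {"name": "Alice", "email": "alice@example.org", "salary": 50000},
                  [PRule("payroll", frozenset({"hr-app"}), date(2009, 12, 31)),
                   PRule("marketing", frozenset({"crm-app"}), date(2008, 6, 30))])

if __name__ == "__main__":
    print(USAGE.use(PIC, "hr-app", "payroll", date(2008, 3, 1), ["name", "salary"]))
    print(USAGE.use(PIC, "crm-app", "marketing", date(2008, 9, 1), ["email"]))
    print("audit chain intact:", AUDIT.verify())
```

Two design points carry over to real deployments: every decision, including denials, goes to Audit before the result is returned, and the rules travel with the data rather than living only in the collecting application, which is what lets a second touch point (a processor or aggregator further down the networked lifecycle) apply the same agreements.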

Multiple Instances
(Diagram: any n touch points in the PI life cycle, each with its own Agent, Control, Interaction, Negotiation, Usage and Access stack and its own PI, Rules & PIC repository, sharing the PI Container and the assurance services Enforcement, Audit, Certification and Validation, all within the legal, regulatory and policy context and on the security foundation.)

Next Steps
- The Framework WG is completing revision of the new "reference model"; publication expected December 2008.
- Linkages to IT governance disciplines and current standards (such as XACML).
- ISTPA has joined the OASIS standards organization as an institutional member; exploring proposing an OASIS Privacy Management Technical Committee using v2.0.
- The work requires cross-disciplinary knowledge and the desire to develop privacy management tools which reflect our global, digital and networked information-based environment.

Questions? John Sabo