Company Confidential. How to implement privacy and security requirements in practice? Tobias Bräutigam, OTT Senior Legal Counsel, Nokia, 8 October 2012

Three questions
1. Why do we need security requirements?
2. How does Nokia organize privacy compliance?
3. How are privacy and security requirements implemented in collaboration cases?

What does the law say about security requirements?

Finnish Law
Henkilötietolaki (Personal Data Act)
- § 5: general commitment to „hyvää tietojenkäsittelytapaa“ (good data processing practice)
- § 32: obligation to implement technical and organizational measures, depending on the circumstances
Sähköisen viestinnän tietosuojalaki (Act on the Protection of Privacy in Electronic Communications)
- § 2: definition of data security = administrative and technical measures to make sure that only those entitled may process the data
Regulations issued by the Finnish Communications Regulatory Authority (viestintäviraston määräykset)

Directive 95/46
Article 17 Security of processing
1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
2. Summary: applies to processors, too.
Summary: a contract in writing and instructions are needed.

DRAFT General Data Protection Regulation (1)
Article 23 Data protection by design and by default
Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

DRAFT GDPR (2)
Article 30 Security of processing
1. The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.
2. The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the technical and organizational measures referred to in paragraphs 1 and 2 […]

How are privacy and security organized in Nokia?

Nokia Privacy Program elements
1. Executive Oversight
2. Training and Awareness*
3. Policies and processes to implement the policies
4. Staffing and delegation
5. Risk assessment and mitigation
6. Issue Response Management
7. Internal enforcement
8. Redress

Different needs for training
(Training pyramid on the slide, labels: All Employees; Privacy 2500; Privacy Network)
- Basic knowledge => eLearning
- Role-specific knowledge => face to face or other tailored learnings
- Expert knowledge => Privacy Academy + Certifications

How are privacy and security requirements implemented in collaboration cases?

TARGET: Ensuring Security in Extended Nokia
HOW: Team effort of several stakeholders using consistent and fit-for-purpose security principles

Risk Management based approach
What are the risks?
- Compliance based approach (privacy, ethical business)
- Business continuity (availability)
- Leak prevention and asset protection
- Consumer / personnel data (confidentiality)
- ICM / L&C service delivery (integrity)
- Product security (various risks)
How to address the risks?
- Contractual controls
- IT security controls
- Document/onsite review
- Relationship/governance
- Support/knowledge sharing
- Awareness raising

Introducing Third Party Security Management (3PSM)

Four aspects of 3PSM
- Requirements: lay the foundation of the 3PSM arrangement. E.g. Common or Advanced Security Requirements, Nokia Supplier Requirements
- Processes: ensure consistent implementation of 3PSM practices. E.g. Consultative review, self-assessment, Preventive & Corrective Actions
- People: deliver the 3PSM requirements through physical or virtual means. E.g. Sourcing, 3PSM experts, Business People
- Tools: help the case for Sourcing, Business & 3PSM network. E.g. Case profiling tool, Current State Analysis tool, Reporting tool

Modular requirements structure
(Layered diagram on the slide, built from the Case Profile)
- Common Security Requirements for Nokia Third Parties: pre-set, all cases
- Specific Security Requirements (e.g. Web Application, Hosting Services, Software Development): pre-set, decided case-by-case
- 3PSM Expert: ad hoc, decided case-by-case

Case Profiling Tool
The case profiling tool helps Business and Sourcing to understand what kind of security requirements are needed for a collaboration case and how critical the case is from a security point of view. The tool has two sections:
- Control selection: case-specific requirements for agreements
- Mini BIA (business impact assessment)

Locate use case. © Nokia 2012, Mobile Industry Privacy Challenge. Thank you!