Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy and Trust In Europe Mike Small Principal Consultant Security Management CA EMEA.

Published byMagdalen Morris Modified over 9 years ago

Similar presentations

Presentation on theme: "Privacy and Trust In Europe Mike Small Principal Consultant Security Management CA EMEA."— Presentation transcript:

1 Privacy and Trust In Europe Mike Small Principal Consultant Security Management CA EMEA

2 CA Support for Privacy Trust and Compliance n CA’s Enterprise IT Management Approach is based on best standards and practices like COBIT and ISO 27002 n Many of CA’s product are evaluated Common Criteria (ISO/ISEC 15048) for computer security. CA ’ s IT Security practitioners are CISSP accredited 2Meeting the challenges of privacy, trust and compliance

3 Privacy - Why Does it Matter? Clarkson eats words over lost data TV presenter Jeremy Clarkson said in a newspaper column that the data lost by staff at HM Revenue & Customs was useless, and published his own bank details in the article to prove his point. However, he was forced to apologise publicly after £500 was quickly removed from his account. 3

4 Privacy - Why Does it Matter? n Unproven allegations kept on UK Criminal Records Bureau files n A High Court judge has acknowledged that workers' careers can be ruined by unproven allegations kept on police files but refused to allow a challenge to the rules. n Mr Justice Blake added that he was powerless to stop details of unproved accusations being passed to managers because the Government and police had clearly intended that they should be, in order to protect vulnerable groups. n 1997 Police Act had placed officers under a duty to disclose allegations to employers, even when they had not been proved, provided they were relevant and not too historic. n UK Daily Telegraph 15 th September, 2008 4

5 PrincipalExplanation Collection Limitation There should be limits to the collection of personal data and should be obtained with the knowledge or consent of the data subject. Data QualityPersonal data should be relevant to the purposes for which they are to be used, and should be accurate, complete and kept up-to-date. Purpose Specification The purposes for which personal data are collected should be specified and the subsequent use limited to these. Use LimitationPersonal data should not be disclosed, made available or otherwise used for purposes other than those specified SecurityPersonal data should be protected by reasonable security safeguards OpennessThere should be a general policy of openness about developments, practices and policies with respect to personal data. Individual Participation An individual should have the right to obtain data related to him in a timely and low cost manner and to correct errors. AccountabilityA data controller should be accountable for complying with measures which give effect to the principles stated above. OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data. 23rd September 1980 Privacy – OECD Principles

6 n EU Directive 2002/58/EC (Directive on Privacy and Electronic Communications) n Providers of publicly available electronic communications services (i.e. telecommunications companies) must safeguard the security and confidentiality of communications on their services. n EU Directive 95/46/EC l Personal data should be (Article 6) n Only collected for specified, explicit and legitimate purposes n Relevant and not excessive for the purpose collected n Accurate and where necessary, updated n Maintained in a form that allows identification of data subjects for no longer than necessary Privacy – European Laws

7 n This Directive applies to data processed by automated means and data contained in or intended to be part of non automated filing systems. n The Directive aims to protect the rights and freedoms of persons with respect to the processing of personal data by laying down guidelines determining when this processing is lawful. Privacy – EU Directive 95/46/EC

8 n EU Article 29 Working Party, Working Paper 55 on the surveillance of electronic communications in the workplace: n prevention should be more important than detection. n any monitoring measure must pass a list of tests: a)Is the monitoring activity transparent to the workers? b)Is it necessary? Could not the employer obtain the same result with traditional methods of supervision? c)Is the processing of personal data proposed fair to the workers? d)Is it proportionate to the concerns that it tries to ally? n employer must inform the worker of i.the presence, use and purpose of any detection equipment and/or apparatus activated with regards to his/her working station and ii.any misuse of the electronic communications detected (e-mail or the Internet), unless important reasons justify the continuation of the secret surveillance Privacy – Employee Surveillance

9 Trust A receipt for payment 9 Photo reproduced with permission from the Daily Telegraph (UK)

10 Which organizations do people trust? n Which organizations would you trust MOST to protect your personal data? 10 Poll by YouGov plc conducted between 3rd - 5th September 2007 in the UK with a sample size of 2,156 adults. Banks 60% Credit Card Companies 40% Government 25% Online retailer 19%

11 Ensuring Privacy and Trust n Standards and Best Practice  COBIT  Common Criteria for Information Technology Security Evaluation ISO/IEC 15408-1 to 15408-3  ISO 27001 Information security management systems - Requirements  ISO 27002 Code of practice for information security management  Payment Card Industry (PCI) Data Security Standard 11

12 Acquire & Implement  Specify Purpose  for data collected  Inform data subjects  Ensure subject aware of data processing and reason Deliver and Support  Ensure Data Quality  Relevance, accuracy and updating  Ensure Security  IT Security measures  Ensure subject participation  Restrict Data Transfer Plan & Organize  Justify processing  consent, legal obligations, justified interest  Notify authorities  Unless exempted report processing to DPA or CPO Monitor & Evaluate  Ensure Respect of Data Purpose  Monitor accuracy  Monitor Security  Monitor Data Transfer Mapping Privacy to COBIT

13 Ensuring Privacy and Trust n Training and Accreditation l ISACA (Information Systems Audit and Controls Association) n Certified Information Systems Auditor (CISA) n Certified Information Security Manager (CISM) l ISC2, the International Information Systems Security Certification Consortium n Certified Information Systems Security Professional (CISSP) n Systems Security Certified Practitioner (SSCP) 13

14 Compliance Gap n A survey of 482 EMEA organizations during November 2007 found that 62% hold regulated information. 14Meeting the challenges of privacy, trust and compliance

15 Compliance Gap n Only 31% of 482 organizations surveyed across EMEA had controls in place to identify “orphan” accounts 15Meeting the challenges of privacy, trust and compliance >ISO 27002 – 11.2.1 User Registration There should be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.

16 Compliance Gap n Only 41% of 482 organizations surveyed across EMEA could report on users’ access rights. 16Meeting the challenges of privacy, trust and compliance >ISO 27002 – 11.2.4 Review of Access Rights Management should review users’ access rights at regular intervals using a formal process.

17 Compliance Gap n Only 46% of 482 organizations surveyed across EMEA had controls in place to regulate administrators. 17Meeting the challenges of privacy, trust and compliance >ISO 27002 – 11.5 OS Access Control Objective: To prevent unauthorized access to operating systems

18 Privacy 18Meeting the challenges of privacy, trust and compliance PRIVACY Matters

19 A ‘Framework’ for Data Privacy Management John T. Sabo, CISSP Director, Global Government Relations, CA, Inc.

20 What is the ISTPA? n The International Security, Trust and Privacy Alliance (ISTPA), founded in 1999, is a global alliance of companies, institutions and technology providers working together to clarify and resolve existing and evolving issues related to security, trust, and privacy n ISTPA’s focus is on the protection of personal information (PI) – see www.istpa.org

21 ISTPA’s Perspective on Privacy n Operational, Technical, Architectural Focus l …“making Privacy Operational” l based on legal, policy and business process drivers l multi-dimensional privacy management with support for temporal requirements n “Analysis of Privacy Principles: An Operational Study” published in 2007 n Privacy Framework v1.1 published in 2002 l supports the full “lifecycle” of Personal Information l now under major revision

22 n Principles/Legislation/Policies l Many competing requirements and constraints on the collection and use of personal information (PI) and personally identifiable information (PII) n Business Processes l Business applications using PI/PII with privacy-related components such as data collection, communications, processing and storage, customer/citizen relationship management, partner agreements, and compliance n Today’s Networked PI Lifecycle l Digitally-based personal information and personally identifiable information are now essentially networked and boundless n Absence of privacy-specific technical management standards l Technical architectures which incorporate standardized, universal privacy management services and controls not yet available Privacy Drivers and Issues

23 See ISTPA “Analysis of Privacy Principles: An Operational Study” (2007) Starting Point - Principles/Legislation/Policies

24 Many Laws, Directives, Codes n The Privacy Act of 1974 (U.S.) n OECD Privacy Guidelines n UN Guidelines n EU Data Protection Directive n Canadian Standards Association Model Code n Health Insurance Portability and Accountability Act (HIPAA) US FTC Fair Information Practice Principles US-EU Safe Harbor Privacy Principles Australian Privacy Act Japan Personal Information Protection Act APEC Privacy Framework California Security Breach Bill

25 No Standardized Policies n Australian Privacy Principles – 2001 l Collection l Use and Disclosure l Data Quality l Data Security l Openness l Access and Correction l Identifiers l Anonymity l Transborder Data Flows l Sensitive Information n APEC Privacy Framework – 2005 l Preventing Harm l Notice l Collection Limitation l Uses of Personal Information l Choice l Integrity of Personal Information l Security Safeguards l Access and Correction l Accountability See ISTPA “Analysis of Privacy Principles: An Operational Study” (2007) n OECD Guidelines – 1980 l Collection Limitation l Data Quality l Purpose Specification l Use Limitation l Security Safeguards l Openness l Individual Participation l Accountability

26 Anonymity Data Flow Sensitivity Need for Generalized Requirements n Accountability n Notice n Consent n Collection Limitation n Use Limitation n Disclosure n Access & Correction n Security/Safeguards n Data Quality n Enforcement n Openness

27 Time Managing Privacy Requirements in Networked PI/PII Lifecycle? Destruction? Time

28 Example: PI/PII Lifecycle Implications of “Notice” 1, definition of the personal information collected 2. use (purpose specification) 3. disclosure to parties within or external to the entity 4. practices associated with maintenance and protection of the PI 5. options available to the data subject regarding the collector’s privacy practices 6. changes made to policies or practices 7. information provided to data subject at designated times under designated circumstances

29 A Dynamic Operationally-Focused Privacy Management Reference Model

30 PI Life Cycle Perspective Most Models Assume Sequential Processes PI Subject Requestor Business Application Processor Sequential Operational Privacy Management

31 PI Life Cycle Perspective Today – Networked-Interactive Processes PI Data Subject Requestors/Users Business Application 1, 2… n Processor/Aggregator 1, 2…n Non-sequential Data subject impacted directly and indirectly after initial data collections PI Time Requestors/Users..n …

32 ISTPA Privacy Framework Services n Negotiation - agreements, options, permissions n Control – policies – data management n Interaction - manages data/preferences/notice n Agent - software that carries out processes n Access - subject review/suggest updates to PI n Usage - data use, aggregation, anonymization n Certification - credentials, trusted processes n Audit - independent, verifiable accountability n Validation - checks accuracy of PI n Enforcement - including redress for violations

33 Original ISTPA Privacy Framework

34 From “Framework” to “Model” n From policy perspective, pushback on use of the term “framework” n Framework v1.1 services were validated, but in a relatively static model l difficult to understand applicability in contemporary privacy/data protection scenarios n Need to better incorporate use cases where PI is disassociated from the data collector and the data subject’s control l Temporality and data lifecycle l Policy changes n Improved understanding of service to service relationships

35 PI and Policies Making the Framework PI and Policy– Centric

36 PI and Policies Managing Multiple Policy Instances

37 PI Objects P-Rule Objects PI as Objects - Rules as Objects…

38 PI Objects PI Rules Objects …and Managed in “Lifecycle” Networked Context

39 Personal Information AGENT INTERACTION CONTROL NEGOTIATION USAGE ACCESS VALIDATION CERTIFICATION AUDIT ENFORCEMENT SECURITY Modular Services

40 Legal, Regulatory, and Policy Context Security Foundation Agent Control Interaction Negotiation PI Touch Point PI, Rules & PIC Repository PI Container (PIC) EnforcementAuditCertificationValidation Touch Point Concept Assurance Services Usage Access - Each “Touch Point” node configured with operational stack - Privacy policies are input “parameters” to Control - Agent is the Touch Point programming persona -“PIC” logically contains PI and usage agreements

41 Legal, Regulatory, and Policy Context Security Foundation Agent Control Interaction Negotiation Any n touch points in the PI life cycle Usage PI, Rules & PIC Repository Agent Control Interaction Negotiation PI, Rules & PIC Repository PI Container (PIC) EnforcementAuditCertificationValidation Multiple Instances Assurance Services Usage Access

42 n Framework WG completing revision of new “reference model” l Publication expected December 2008 n Linkages to IT governance disciplines and current standards (such as XACML) n ISTPA has joined the OASIS standards organization as an institutional member l Exploring proposing an OASIS Privacy Management Technical Committee using v. 2.0 n Work requires cross-disciplinary knowledge and desire to develop privacy management tools which reflect our global, digital, and networked information-based environment Next Steps

43 Questions? John Sabo john.t.sabo@ca.com

Download ppt "Privacy and Trust In Europe Mike Small Principal Consultant Security Management CA EMEA."

Similar presentations

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Confidentiality and HIPAA

Confidentiality and HIPAA
Criteria For Approval 45 CFR 46.111 25 CFR 56.111 Minimized risks Reasonable risk/benefit ratio Equitable subject selection Informed consent process Informed.

Criteria For Approval 45 CFR CFR Minimized risks Reasonable risk/benefit ratio Equitable subject selection Informed consent process Informed.
Data Protection.

Data Protection.
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.

What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Privacy Management for a Global Enterprise.

© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Privacy Management for a Global Enterprise.
Security Controls – What Works

Security Controls – What Works
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.

The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
A European View of Privacy Protection John Woulds Director of Operations UK Data Protection Commissioner National Conference on Privacy, Technology & Criminal.

A European View of Privacy Protection John Woulds Director of Operations UK Data Protection Commissioner National Conference on Privacy, Technology & Criminal.
Information Systems Controls for System Reliability -Information Security-

Information Systems Controls for System Reliability -Information Security-
Property of Common Sense Privacy - all rights reserved 01875340890 THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.

Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
Per Anders Eriksson

Per Anders Eriksson
Data Protection: International. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.

Data Protection: International. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.
Class 13 Internet Privacy Law European Privacy.

Class 13 Internet Privacy Law European Privacy.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Similar presentations

Ads by Google