
Post on 11-Jan-2016


Privacy and Trust In Europe

Mike Small, Principal Consultant Security Management, CA EMEA

CA Support for Privacy Trust and Compliance

CA’s Enterprise IT Management Approach is based on best standards and practices like COBIT and ISO 27002

Many of CA’s products are evaluated under the Common Criteria (ISO/IEC 15408) for computer security.

CA’s IT Security practitioners are CISSP accredited

Meeting the challenges of privacy, trust and compliance

Privacy - Why Does it Matter?

Clarkson eats words over lost data

TV presenter Jeremy Clarkson said in a newspaper column that the data lost by staff at HM Revenue & Customs was useless, and published his own bank details in the article to prove his point.

However, he was forced to apologise publicly after £500 was quickly removed from his account.


Privacy - Why Does it Matter?

Unproven allegations kept on UK Criminal Records Bureau files

A High Court judge has acknowledged that workers' careers can be ruined by unproven allegations kept on police files but refused to allow a challenge to the rules.

Mr Justice Blake added that he was powerless to stop details of unproved accusations being passed to managers because the Government and police had clearly intended that they should be, in order to protect vulnerable groups.

The 1997 Police Act had placed officers under a duty to disclose allegations to employers, even when they had not been proved, provided they were relevant and not too historic.

UK Daily Telegraph 15th September, 2008


Privacy – OECD Principles

Principle: Explanation

Collection Limitation: There should be limits to the collection of personal data, and data should be obtained with the knowledge or consent of the data subject.

Data Quality: Personal data should be relevant to the purposes for which they are to be used, and should be accurate, complete and kept up-to-date.

Purpose Specification: The purposes for which personal data are collected should be specified and the subsequent use limited to these.

Use Limitation: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified.

Security: Personal data should be protected by reasonable security safeguards.

Openness: There should be a general policy of openness about developments, practices and policies with respect to personal data.

Individual Participation: An individual should have the right to obtain data related to him in a timely and low-cost manner and to correct errors.

Accountability: A data controller should be accountable for complying with measures which give effect to the principles stated above.

Source: OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data, 23rd September 1980.

Privacy – European Laws

EU Directive 2002/58/EC (Directive on Privacy and Electronic Communications)

Providers of publicly available electronic communications services (i.e. telecommunications companies) must safeguard the security and confidentiality of communications on their services.

EU Directive 95/46/EC (Article 6): personal data should be

- Only collected for specified, explicit and legitimate purposes
- Relevant and not excessive for the purpose collected
- Accurate and, where necessary, updated
- Maintained in a form that allows identification of data subjects for no longer than necessary

Privacy – EU Directive 95/46/EC

This Directive applies to data processed by automated means and data contained in or intended to be part of non-automated filing systems.

The Directive aims to protect the rights and freedoms of persons with respect to the processing of personal data by laying down guidelines determining when this processing is lawful.

Privacy – Employee Surveillance

EU Article 29 Working Party, Working Paper 55 on the surveillance of electronic communications in the workplace:

Prevention should be more important than detection. Any monitoring measure must pass a list of tests:

a) Is the monitoring activity transparent to the workers?

b) Is it necessary? Could the employer not obtain the same result with traditional methods of supervision?

c) Is the processing of personal data proposed fair to the workers?

d) Is it proportionate to the concerns that it tries to allay?

The employer must inform the worker of:

i. the presence, use and purpose of any detection equipment and/or apparatus activated with regard to his/her working station, and

ii. any misuse of the electronic communications detected (e-mail or the Internet), unless important reasons justify the continuation of the secret surveillance.

Trust

A receipt for payment

Photo reproduced with permission from the Daily Telegraph (UK)

Which organizations do people trust?

Which organizations would you trust MOST to protect your personal data?

Banks: 60%
Credit card companies: 40%
Government: 25%
Online retailers: 19%

Poll by YouGov plc conducted between 3rd - 5th September 2007 in the UK with a sample size of 2,156 adults.

Ensuring Privacy and Trust: Standards and Best Practice

COBIT

Common Criteria for Information Technology Security Evaluation, ISO/IEC 15408-1 to 15408-3

ISO 27001 Information security management systems - Requirements

ISO 27002 Code of practice for information security management

Payment Card Industry (PCI) Data Security Standard

Mapping Privacy to COBIT

Plan & Organize
- Justify processing: consent, legal obligations, justified interest
- Notify authorities: unless exempted, report processing to DPA or CPO

Acquire & Implement
- Specify purpose for data collected
- Inform data subjects: ensure subject aware of data processing and reason

Deliver and Support
- Ensure data quality: relevance, accuracy and updating
- Ensure security: IT security measures
- Ensure subject participation
- Restrict data transfer

Monitor & Evaluate
- Ensure respect of data purpose
- Monitor accuracy
- Monitor security
- Monitor data transfer

Ensuring Privacy and Trust: Training and Accreditation

ISACA (Information Systems Audit and Controls Association)

- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)

ISC2, the International Information Systems Security Certification Consortium

- Certified Information Systems Security Professional (CISSP)
- Systems Security Certified Practitioner (SSCP)

Compliance Gap

A survey of 482 EMEA organizations during November 2007 found that 62% hold regulated information.


Compliance Gap

Only 31% of 482 organizations surveyed across EMEA had controls in place to identify “orphan” accounts


> ISO 27002 – 11.2.1 User Registration

There should be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.

Compliance Gap

Only 41% of 482 organizations surveyed across EMEA could report on users’ access rights.


> ISO 27002 – 11.2.4 Review of Access Rights

Management should review users’ access rights at regular intervals using a formal process.

Compliance Gap

Only 46% of 482 organizations surveyed across EMEA had controls in place to regulate administrators.


> ISO 27002 – 11.5 OS Access Control

Objective: To prevent unauthorized access to operating systems
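As an added example (not from the original presentation), the two ISO 27002 controls quoted above as a concrete check: it compares an identity-store export against an HR roster and lists accounts whose owner has left or is unknown (11.2.1), and accounts whose last formal review is older than an assumed 90-day interval (11.2.4), privileged accounts first. The roster, account fields, dates and interval are constructed for this example.

```python
"""Orphan-account and access-review check (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed HR roster: employee id -> still employed?
HR_ROSTER: Dict[str, bool] = {"e100": True, "e101": True, "e102": False}


@dataclass
class Account:
    name: str
    owner: Optional[str]     # employee id, or None for a shared/service account
    is_admin: bool
    last_reviewed: date      # date of the last formal access-rights review


# Constructed export from an identity store
ACCOUNTS: List[Account] = [
    Account("alice", "e100", False, date(2008, 8, 1)),
    Account("bob", "e101", True, date(2008, 3, 1)),
    Account("carol", "e102", False, date(2008, 8, 1)),      # leaver, never de-registered
    Account("backup_svc", None, True, date(2007, 12, 1)),   # privileged, no named owner
]


def find_orphans(accounts: List[Account], roster: Dict[str, bool]) -> List[str]:
    """ISO 27002 11.2.1: accounts whose owner is unknown to HR or has left."""
    return [a.name for a in accounts
            if a.owner is None or not roster.get(a.owner, False)]


def overdue_reviews(accounts: List[Account], today: date = date(2008, 9, 15),
                    interval_days: int = 90) -> List[str]:
    """ISO 27002 11.2.4: accounts not formally reviewed within the interval.

    `today` defaults to a constructed reference date so the example is
    reproducible; administrator accounts are listed first."""
    cutoff = today - timedelta(days=interval_days)
    stale = [a for a in accounts if a.last_reviewed < cutoff]
    stale.sort(key=lambda a: (not a.is_admin, a.name))
    return [a.name for a in stale]


if __name__ == "__main__":
    print("orphan accounts:", find_orphans(ACCOUNTS, HR_ROSTER))
    print("overdue reviews:", overdue_reviews(ACCOUNTS))
```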

Privacy


PRIVACY Matters

A ‘Framework’ for Data Privacy Management

John T. Sabo, CISSP, Director, Global Government Relations, CA, Inc.

What is the ISTPA?

The International Security, Trust and Privacy Alliance (ISTPA), founded in 1999, is a global alliance of companies, institutions and technology providers working together to clarify and resolve existing and evolving issues related to security, trust, and privacy.

ISTPA’s focus is on the protection of personal information (PI) – see www.istpa.org

ISTPA’s Perspective on Privacy

Operational, Technical, Architectural Focus: “making Privacy Operational”

- Based on legal, policy and business process drivers
- Multi-dimensional privacy management with support for temporal requirements
- “Analysis of Privacy Principles: An Operational Study” published in 2007
- Privacy Framework v1.1, published in 2002, supports the full “lifecycle” of Personal Information; now under major revision

Privacy Drivers and Issues

Principles/Legislation/Policies: Many competing requirements and constraints on the collection and use of personal information (PI) and personally identifiable information (PII)

Business Processes: Business applications using PI/PII with privacy-related components such as data collection, communications, processing and storage, customer/citizen relationship management, partner agreements, and compliance

Today’s Networked PI Lifecycle: Digitally-based personal information and personally identifiable information are now essentially networked and boundless

Absence of privacy-specific technical management standards: Technical architectures which incorporate standardized, universal privacy management services and controls are not yet available

See ISTPA “Analysis of Privacy Principles: An Operational Study” (2007)

Starting Point - Principles/Legislation/Policies

Many Laws, Directives, Codes

- The Privacy Act of 1974 (U.S.)
- OECD Privacy Guidelines
- UN Guidelines
- EU Data Protection Directive
- Canadian Standards Association Model Code
- Health Insurance Portability and Accountability Act (HIPAA)
- US FTC Fair Information Practice Principles
- US-EU Safe Harbor Privacy Principles
- Australian Privacy Act
- Japan Personal Information Protection Act
- APEC Privacy Framework
- California Security Breach Bill

No Standardized Policies

Australian Privacy Principles – 2001: Collection; Use and Disclosure; Data Quality; Data Security; Openness; Access and Correction; Identifiers; Anonymity; Transborder Data Flows; Sensitive Information

APEC Privacy Framework – 2005: Preventing Harm; Notice; Collection Limitation; Uses of Personal Information; Choice; Integrity of Personal Information; Security Safeguards; Access and Correction; Accountability

OECD Guidelines – 1980: Collection Limitation; Data Quality; Purpose Specification; Use Limitation; Security Safeguards; Openness; Individual Participation; Accountability

Also: Anonymity; Data Flow; Sensitivity

See ISTPA “Analysis of Privacy Principles: An Operational Study” (2007)

Need for Generalized Requirements: Accountability; Notice; Consent; Collection Limitation; Use Limitation; Disclosure; Access & Correction; Security/Safeguards; Data Quality; Enforcement; Openness

Managing Privacy Requirements in Networked PI/PII Lifecycle?

[Diagram: PI Collection, followed by repeated PI Use with Aggregation and Linkages, through to Destruction?, along a Time axis]

Example: PI/PII Lifecycle Implications of “Notice”

[Diagram: PI Collection, then Use, Linkage, Re-use, Aggregation, then Destruction?, showing PI over time]

1. definition of the personal information collected

2. use (purpose specification)

3. disclosure to parties within or external to the entity

4. practices associated with maintenance and protection of the PI

5. options available to the data subject regarding the collector’s privacy practices

6. changes made to policies or practices

7. information provided to data subject at designated times under designated circumstances

A Dynamic Operationally-Focused Privacy Management Reference Model

PI Life Cycle Perspective: Most Models Assume Sequential Processes

[Diagram: PI passes sequentially from Subject to Requestor to Business Application Processor]

Sequential Operational Privacy Management

PI Life Cycle Perspective: Today – Networked-Interactive Processes

[Diagram: PI flows between Data Subject, Requestors/Users ..n, Business Application 1, 2… n and Processor/Aggregator 1, 2…n, over Time]

- Non-sequential
- Data subject impacted directly and indirectly after initial data collections

ISTPA Privacy Framework Services

- Negotiation - agreements, options, permissions
- Control - policies, data management
- Interaction - manages data/preferences/notice
- Agent - software that carries out processes
- Access - subject review/suggest updates to PI
- Usage - data use, aggregation, anonymization
- Certification - credentials, trusted processes
- Audit - independent, verifiable accountability
- Validation - checks accuracy of PI
- Enforcement - including redress for violations

Original ISTPA Privacy Framework

[Diagram: Data Subject and Data Requestor each with Control, Negotiation, Interaction and an Agent; a PI, Preferences & PIC Repository and a PI Container (PIC); the Usage service; Assurance Services of Audit, Enforcement, Certification and Validation; all built on a Security Foundation within the Legal, Regulatory, & Policy Context]

From “Framework” to “Model”

From a policy perspective, there was pushback on use of the term “framework”.

Framework v1.1 services were validated, but in a relatively static model; it was difficult to understand their applicability in contemporary privacy/data protection scenarios.

Need to better incorporate use cases where PI is disassociated from the data collector and the data subject’s control:

- Temporality and data lifecycle
- Policy changes
- Improved understanding of service-to-service relationships

Making the Framework PI- and Policy-Centric

[Diagram: multiple instances of PI and Policies]

Managing Multiple Policy Instances: PI Objects and P-Rule Objects

PI as Objects - Rules as Objects… (PI Objects; PI Rules Objects)

…and Managed in “Lifecycle” Networked Context

[Diagram: PI Collection followed by repeated PI Use with Aggregation and Linkages; Personal Information is surrounded by the services AGENT, INTERACTION, CONTROL, NEGOTIATION, USAGE, ACCESS, VALIDATION, CERTIFICATION, AUDIT, ENFORCEMENT and SECURITY]

Modular Services

[Diagram: within the Legal, Regulatory, and Policy Context and on a Security Foundation, a PI Touch Point holds Agent, Control, Interaction and Negotiation over a PI, Rules & PIC Repository and a PI Container (PIC), with the Usage and Access services and the Assurance Services Enforcement, Audit, Certification and Validation]

Touch Point Concept

- Each “Touch Point” node configured with operational stack
- Privacy policies are input “parameters” to Control
- Agent is the Touch Point programming persona
- “PIC” logically contains PI and usage agreements

Multiple Instances

[Diagram: any n touch points in the PI life cycle, each with its own Agent, Control, Interaction, Negotiation and PI, Rules & PIC Repository, sharing the PI Container (PIC), Usage, Access and the Assurance Services Enforcement, Audit, Certification and Validation, within the Legal, Regulatory, and Policy Context on a Security Foundation]
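As an added example that is not part of the ISTPA material, a minimal Control service for one touch point: PI objects carry the purposes specified at collection and a retention limit, P-Rule objects are the policy parameters handed to Control, and a usage request is allowed only when purpose (use limitation), requestor, consent and retention (temporality) all pass. The class names, rule fields and sample record are assumptions made for this illustration.

```python
"""Minimal Control service for an ISTPA-style touch point (added example;
class names, rule fields and sample data are assumptions, not ISTPA's spec)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PIObject:
    subject: str
    purposes: frozenset      # purpose specification made at collection
    collected: date
    retain_days: int         # identifiable "no longer than necessary"


@dataclass(frozen=True)
class PRule:                 # one policy rule instance, a Control parameter
    purpose: str
    allowed_requestors: frozenset
    consent_required: bool = False


@dataclass(frozen=True)
class UsageRequest:
    requestor: str
    purpose: str
    when: date
    consent_given: bool = False


def control(pi, rules, req):
    """Decide a usage request against a PI object; returns (decision, reason)."""
    # Temporality: PI past its retention limit should already be destroyed.
    if req.when > pi.collected + timedelta(days=pi.retain_days):
        return "deny", "retention period expired"
    # Use limitation: only purposes specified at collection are permitted.
    if req.purpose not in pi.purposes:
        return "deny", "purpose not specified at collection"
    rule = next((r for r in rules if r.purpose == req.purpose), None)
    if rule is None:
        return "deny", "no policy rule instance for this purpose"
    if req.requestor not in rule.allowed_requestors:
        return "deny", "requestor not authorised for this purpose"
    if rule.consent_required and not req.consent_given:
        return "deny", "data subject consent required but not given"
    return "allow", "purpose, requestor, consent and retention checks passed"


# Constructed sample: an order record collected 1 Jan 2008, retained 365 days.
ORDER = PIObject("subject-1", frozenset({"order_fulfilment", "marketing"}),
                 date(2008, 1, 1), 365)
RULES = [PRule("order_fulfilment", frozenset({"shop_app"})),
         PRule("marketing", frozenset({"crm_app"}), consent_required=True)]


def decide(requestor, purpose, ymd, consent_given=False):
    """Convenience wrapper: run control() over the sample ORDER and RULES."""
    return control(ORDER, RULES, UsageRequest(requestor, purpose, date(*ymd), consent_given))
```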

Next Steps

Framework WG completing revision of new “reference model”; publication expected December 2008

Linkages to IT governance disciplines and current standards (such as XACML)

ISTPA has joined the OASIS standards organization as an institutional member

Exploring a proposal for an OASIS Privacy Management Technical Committee using v. 2.0

Work requires cross-disciplinary knowledge and the desire to develop privacy management tools which reflect our global, digital, and networked information-based environment

Questions?

John Sabo john.t.sabo@ca.com
