ISO 29100 // HOW CAN ORGANIZATIONS SECURE ITS PRIVACY NETWORK?
When Recognition Matters
WHITEPAPER
www.pecb.com
CONTENTS
Introduction ... 3
About ISO/IEC 29100 ... 3
Why should PII be protected? ... 5
Consequences of not protecting PII ... 5
What are the Benefits of having a Privacy Framework? ... 6
Why is PECB a Worthy Choice? ... 7
Steps for Obtaining a PECB Certification ... 8
PRINCIPAL AUTHORS: Eric LACHAPELLE, PECB; Bardha AJVAZI, PECB; Fitim RAMA, PECB
INTRODUCTION
During the past years, we have witnessed huge record losses caused by numerous information security incidents involving personally identifiable information (PII), affecting both individuals and organizations. Examples of the resulting harm include legal liability, identity theft, and recovery costs. Therefore, organizations should implement an international information security standard that provides guidelines on how to protect their privacy networks and PII, keeping pace with the increased use of information and communication technologies (ICT) that process PII.
In response to ongoing privacy-related incidents affecting large corporations, small companies, and well-known individuals, in 2011 ISO developed the ISO/IEC 29100 Privacy framework and ISO 29101 Privacy framework architecture to provide a higher-level framework for securing personally identifiable information (PII) within information and communication technology systems. Organizations can use these standards to design, implement, operate and maintain ICT systems that protect PII, and to improve their privacy programs through industry best practices.
About ISO/IEC 29100
ISO/IEC 29100 is intended to be used by persons and organizations involved in designing, developing, procuring, architecting, testing, maintaining, and operating information and communication technology systems where privacy controls are required for the processing of PII.
This privacy framework is developed with the purpose of assisting organizations in defining their privacy safeguarding requirements related to all information involved, through these attributes:
• by specifying a common privacy terminology;
• by defining the actors and their roles in processing PII;
• by describing privacy safeguarding considerations; and
• by providing references to known privacy principles for IT.
Although there are several existing security-related standards (such as ISO 27001, ISO 27002 and ISO 27018), ISO/IEC 29100 focuses more specifically on the processing of PII.
PII is any information that can be used to uniquely identify, contact or locate an individual, or that can be combined with other sources to uniquely identify a person.
Examples of PII are:
• First and last name
• Location information
• Credit card numbers
• Age
• Criminal record
The continually increasing complexity of ICT systems has made it difficult for organizations to ensure that privacy is protected, and with the heavy commercial use of PII, achieving compliance with the various applicable laws has become harder.
Therefore, the ISO/IEC 29100 standard sets out eleven substantive privacy principles (presented in the chart below) that are developed to take account of applicable legal and regulatory, contractual, commercial and other relevant factors. All these principles were developed by a number of states, countries and different international organizations worldwide.
Besides guiding the design, development and implementation of privacy policies and controls, these principles can also serve as a reference point in the monitoring and measurement of performance, and in the benchmarking and auditing aspects of privacy management programs in an organization.
Moreover, the basic elements that make up the ISO/IEC 29100 Privacy Framework are presented in the figure below, which is taken from WG5 at the ISO/IEC/FIDIS/ITU-T Joint Workshop on Identity Management Standards, Lucerne, Switzerland, 2007. The figure shows that PII Providers and PII Receivers are identified as Actors. PII providers can be users of an information and communication technology system, data owners or subscribers, whereas application providers or administrators are known as PII receivers. Privacy preferences are set by PII providers, while the safeguarding controls are applied during the information lifecycle, which includes the collection, storage, usage, transfer and deletion of information.
The eleven privacy principles of ISO/IEC 29100:
1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance
Why is it important for the PII to be protected?
Personally identifiable information may include very confidential data that is intended only for restricted use. Its protection is crucial because failing to protect it may result in many consequences (see next section). The main reasons why organizations protect their PII are the following:
• to protect the PII principal's privacy
• to meet legal and regulatory requirements
• to practice corporate responsibility
• to increase consumer credibility, and
• to reduce the number of security breaches
Consequences of not protecting PII
Furthermore, by not taking the protection of PII seriously, many organizations may run into issues that result in huge costs. When a security breach occurs, not only is the information itself harmed, but it also causes a domino effect in which your clients, or your clients' clients, may be damaged. This chain of damage brings many unintended problems to organizations, such as the imposition of fines and court trials, dissatisfied stakeholders, an outrageous increase in disaster recovery costs, and, last but not least, harm to reputation. Below is a list of only a few of the most recent incidents that have occurred in various organizations:
"43% of companies have experienced a data breach in the last year, which is up 10% from a year ago." Ponemon Institute report
[Figure: basic elements of the ISO/IEC 29100 Privacy Framework, in three panels (A, B, C). The PII Provider (data subject, user, data owner, subscriber, ...) provides personally identifiable information and sets Privacy Preferences. The PII Receiver (application provider, data controller, administration, data collector, ...) assures the required Privacy Safeguarding Controls and issues a Privacy Policy based on internal rules, business use case and legal requirements, with an optional check against the privacy principles. The controls apply across the information lifecycle: Collect, Store, Use, Transfer, Destroy.]
2014 Sony Pictures Entertainment Hack
• In November 2014, confidential information including information about employees, internal e-mails, executive salaries, copies of unreleased films etc. was exposed. It is believed that this cyber attack has cost Sony Pictures approximately $15 million in damage recovery. In addition, the leak of information (especially e-mails between employees) caused turmoil among many well-known celebrities, and numerous court cases have followed.
2014 Home Depot Data Breach
• In September 2014, hackers broke into an installed payment system, which resulted in 53 million stolen customer e-mails and 56 million customer credit card accounts. It is believed that this incident has cost the company $34 million to overcome.
2012 TD Bank Data Breach
• In March 2012, TD Bank experienced a data breach in which the personal information of as many as 260,000 customers, such as account information, Social Security numbers etc., was exposed, resulting in a $625,000 settlement.
What are the Benefits of having a Privacy Framework?
Implementing and maintaining a Privacy Framework based on the ISO/IEC 29100 standard has crucial benefits for every organization and individual dealing with personally identifiable information, such as:
• It serves as a basis for preferred additional privacy standardization initiatives, for example a technical reference architecture, the use of specific privacy technologies, an overall privacy management, assurance of privacy compliance for outsourced data processes, privacy impact assessments and engineering terms,
• It defines privacy safeguarding requirements as they relate to all personally identifiable information and communication systems,
• It is applicable on a wide scale and sets a common privacy terminology, defines privacy principles when processing PII, classifies privacy features and relates all described privacy aspects to existing security guidelines,
• It is closely linked to existing security standards that have been widely implemented in practice,
• It places organizational, technical, procedural and regulatory aspects in perspective and addresses system-specific matters on a high level, and
• It provides guidance relating information and communication system requirements for processing personally identifiable information, to contribute to the privacy of people on an international level.
Why should you use ISO/IEC 29100?
The ISO/IEC 29100 Privacy Framework serves as a base for other relevant standards that are internationally applicable and general in nature. In other words, this standard takes into account organizational, technical, procedural and regulatory matters by setting common privacy terminology and principles. It also lists privacy features to be upheld in conjunction with security guidelines.
Moreover, a Privacy Framework will contribute to improvements in privacy, assist in maintaining good governance, reduce overhead costs related to security, and serve as a good marketing strategy to promote your credibility with internationally known ISO standards.
These are only some of the reasons why every organization should focus on having security specialists who are certified in information security and have the appropriate knowledge and experience to link data security with the company's goals, in addition to working under the legal and regulatory requirements.
[Figure: the IMS2 methodology, PDCA phases and their steps]
1. PLAN
1.1 Initiating the framework
1.2 Understanding the Organization
1.3 Analyze the Existing System
1.4 Leadership and Project Approval
1.5 Scope
1.6 Security Policy
1.7 Risk Assessment
1.8 Control Statement
2. DO
2.1 Organizational Structure
2.2 Document Management
2.3 Design of Controls & Procedures
2.4 Communication
2.5 Awareness & Training
2.6 Implementation of Controls
2.7 Incident Management
2.8 Operations Management
3. CHECK
3.1 Monitoring, Measurement, Analysis and Evaluation
3.2 Internal Audit
3.3 Management Review
4. ACT
4.1 Treatment of Non-conformities
4.2 Continual Improvement
Why is PECB a Worthy Choice?
Implementation of the Privacy Framework with the IMS2 methodology
Considering the well-documented benefits of implementing a Privacy Framework based on ISO/IEC 29100 makes the proposal easier to decide on.
Most companies now realize that it is not sufficient to implement a generic, "one size fits all" privacy framework. For an effective response with respect to maintaining the privacy framework, such a framework must be customized to fit the company. A more difficult task is the compilation of a privacy framework that balances the requirements of the standard, the business needs and the certification deadline.
There is no single blueprint for implementing ISO/IEC 29100 that will work for every company, but there are some common steps that will allow you to balance the frequently conflicting requirements and prepare you for a successful certification audit.
PECB has developed a methodology (please see the example below) for implementing a Privacy Framework: the "Integrated Implementation Methodology for Management Systems and Standards (IMS2)", which is based on applicable best practices. This methodology follows the guidelines of ISO standards and also meets the requirements of ISO/IEC 29100.
IMS2 is based on the PDCA cycle, which is divided into four phases: Plan, Do, Check and Act. Each phase has between 2 and 8 steps, for a total of 21 steps. In turn, these steps are divided into 101 activities and tasks. This "Practical Guide" considers the key phases of the implementation project from the starting point to the finishing point and suggests the appropriate "best practice" for each one, while directing you to further helpful resources as you embark on your ISO/IEC 29100 journey.
[Figure: Privacy Framework Projects under the IMS2 PDCA cycle (Plan, Do, Check, Act): 4 phases, 18 steps, 101 activities, undefined tasks]
The sequence of steps can be changed (inversion, merge). For example, the implementation of the management procedure or documented information can be done before the understanding of the organization. Many processes are iterative because of the need for progressive development throughout the implementation project; for example, communication and training.
By following a structured and effective methodology, an organization can be sure it covers all minimum requirements for the implementation of the framework. Whatever methodology is used, the organization must adapt it to its particular context (requirements, size of the organization, scope, objectives, etc.) and not apply it like a cookbook.
Steps for obtaining a PECB Certification
To ensure that organizations or individuals achieve the planned and desired results, the following steps will serve as guidance on how to become PECB Certified Lead Privacy Implementer.
For organizations:
1. Implement the privacy framework
2. Perform internal audit and reviews
3. Select preferred certification body
4. Perform a pre-assessment audit (optional)
5. Perform the stage 1 audit
6. Perform the stage 2 audit (on-site)
7. Perform a follow-up audit (optional)
8. Register the certification
9. Assure continual improvement by conducting surveillance audits
For individuals:
1. Participate in the training course
2. Register for the certification exam
3. Sit for the certification exam
4. Apply for the certification scheme upon successful exam completion and fulfillment of certification requirements (stated on our website)
5. Obtain certification
For further details relating to the types of trainings and certifications that PECB offers, please visit our website: www.pecb.com
Customer Service: www.pecb.com | +1-844-426-7322 | customer@pecb.com