Company Confidential
1
How to implement privacy and security requirements in practice?
Tobias Bräutigam, OTT Senior Legal Counsel, Nokia
8 October 2012
Three questions ...
1. Why do we need security requirements?
2. How does Nokia organize privacy compliance?
3. How are privacy and security requirements implemented in collaboration cases?
Finnish Law
Henkilötietolaki (Personal Data Act)
• § 5: General commitment to "hyvää tietojenkäsittelytapaa" (good data processing practice)
• § 32: Obligation to implement technical and organizational measures depending on the circumstances
Sähköisen viestinnän tietosuojalaki (Act on the Protection of Privacy in Electronic Communications)
• § 2: Definition of data security = administrative and technical measures to make sure only those entitled may process the data
Regulations of the Finnish Communications Regulatory Authority (viestintäviraston määräykset)
Directive 95/46, Article 17: Security of processing
1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
2. Summary: applies to processors, too.
3. + 4. Summary: need a contract in writing and instructions.
DRAFT General Data Protection Regulation (1)
Article 23 Data protection by design and by default
Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
DRAFT General Data Protection Regulation (2)
Article 30 Security of processing
1. The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.
2. The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the technical and organizational measures referred to in paragraphs 1 and 2 […]
Nokia Privacy Program elements
1. Executive Oversight
2. Training and Awareness*
3. Policies and processes to implement the policies
4. Staffing and delegation
5. Risk assessment and mitigation
6. Issue Response Management
7. Internal enforcement
8. Redress
Different needs for training
• All Employees: Basic knowledge => eLearning
• Privacy 2500: Role-specific knowledge => face-to-face or other tailored learning
• Privacy Network: Expert knowledge => Privacy Academy + Certifications
TARGET: Ensuring Security in Extended Nokia
HOW: Team effort of several stakeholders using consistent and fit-for-purpose security principles
Risk Management based approach
What are the risks?
• Compliance based approach (privacy, ethical business)
• Business continuity (availability)
• Leak prevention and asset protection
• Consumer / personnel data (confidentiality)
• ICM / L&C service delivery (integrity)
• Product security (various risks)
How to address the risks?
• Contractual controls
• IT security controls
• Document/onsite review
• Relationship/governance
• Support/knowledge sharing
• Awareness raising
Four aspects of 3PSM (Third Party Security Management)
Requirements
• Lay the foundation of the 3PSM arrangement.
• E.g. Common or Advanced Security Requirements, Nokia Supplier Requirements
Processes
• Ensure consistent implementation of 3PSM practices.
• E.g. Consultative review, self-assessment, Preventive & Corrective Actions
People
• Deliver the 3PSM requirements through physical or virtual means.
• E.g. Sourcing, 3PSM experts, Business People
Tools
• Help the case for Sourcing, Business & 3PSM network.
• E.g. Case profiling tool, Current State Analysis tool, Reporting tool
Modular requirements structure
Case Profile → 3PSM Expert
• Common Security Requirements for Nokia Third Parties: pre-set, apply to all cases
• Specific Security Requirements (e.g. Web Application, Hosting Services, Software Development): pre-set, decided case-by-case
• Ad hoc requirements: decided case-by-case
Case Profiling Tool
• The case profiling tool helps Business and Sourcing to understand what kind of security requirements are needed for a collaboration case and how critical the case is from a security point of view.
• The tool has two sections:
  − Control selection: case-specific requirements for agreements
  − Mini BIA (business impact assessment)