IT Perspectives in Implementing Privacy Framework
Shankar Subramaniyan
ISACA Greater Houston Chapter
August 17, 2015
Agenda
• Privacy vs Security
• Privacy Standards
• Privacy Implementation Approach
• Key Components
Privacy vs Security
Individual's Privacy Concerns
Privacy is the right of individuals to determine when, how and to what extent they share information about themselves with others. Any action that affects that ability or right is a privacy concern. The slide groups the concerns under two themes, secrecy and control:
• Breach of confidentiality
• Intrusion
• Distortion/error
• Disclosure of untrue facts
• Exclusion/discrimination
• Unfair advantage/power imbalance
• Automated or harmful decisions against the individual
• Identity theft
• Surveillance
Privacy Principles
Privacy principles are developed to address privacy concerns. Frameworks that define them include the OECD Guidelines, the APEC Privacy Framework, the Fair Information Practice Principles (FIPPs), the Generally Accepted Privacy Principles (GAPP), ISO/IEC 29100 and Privacy by Design.
Sample privacy principles:
• Notice/awareness
• Choice/consent
• Access/participation
• Integrity/security
• Purpose specification
• Collection and use limitation
• Enforcement/accountability
Privacy Regulations in the US
Privacy regulations are developed to enforce privacy principles. US examples: FTC Act Section 5, HIPAA, GLBA, CAN-SPAM, the Privacy Act, COPPA, the Fair Credit Reporting Act, state data breach notification laws, and Safe Harbor under the EU Data Protection Directive (the EU-US transfer mechanism in force at the time of this August 2015 talk).
Privacy vs Security
[Diagram: the overlap between security and privacy is PII about employees, customers, suppliers and partners, protected for confidentiality, integrity and availability (CIA). Security alone also covers trade secrets, financial information, intellectual property and competitive information; privacy alone also covers privacy rights, purpose specification, and accountability and transparency.]
Organization's Privacy Risks
• Inadequate protection of sensitive information
• Inappropriate collection, use, disclosure or retention of information in violation of the privacy policy/notice
• Failure to deliver the privacy notice
• Inappropriate solicitation in violation of user preferences
• Failure to detect a privacy breach
• Failure to handle a breach investigation promptly per applicable laws
• Failure to deliver and complete privacy awareness training
• Inappropriate access to privacy data
Privacy Standards
• NIST Privacy Risk Management for Federal Information Systems (* under development at the time of the talk)
• ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• ISO/IEC 29100:2011, Information technology -- Security techniques -- Privacy framework
NIST Privacy Risk Management for Federal Information Systems
Privacy risk = likelihood of a problematic data action × impact of the problematic data action
A problematic data action is any operation on PII that could cause a privacy problem for individuals, including one the system performs exactly as designed; this is what distinguishes privacy risk from security risk, which is framed around unauthorized activity.
ISO/IEC 27018:2014: Data Protection of PII for Cloud Service Providers
• Provides a set of controls for cloud providers acting as PII processors
• Interprets ISO/IEC 27002 for cloud providers handling PII
• Additional controls are listed in an annex, in line with the privacy principles of ISO/IEC 29100, for example:
  • PII is processed only on the instructions of the PII controller (per contract)
  • Recording of security/data breaches
  • Intended destination of transmitted PII
  • Documented policy on the geographical area in which PII is stored
ISO/IEC 29100:2011 Privacy Framework
Clause 4, framework elements:
• 4.5 Privacy safeguarding requirements
  • 4.5.1 Legal and regulatory factors
  • 4.5.2 Contractual factors
  • 4.5.3 Business factors
  • 4.5.4 Other factors
• 4.6 Privacy policies
• 4.7 Privacy controls: identify and implement privacy controls based on the privacy risk assessment process
Clause 5, the privacy principles of ISO/IEC 29100:
• 5.1 Overview of privacy principles
• 5.2 Consent and choice
• 5.3 Purpose legitimacy and specification
• 5.4 Collection limitation
• 5.5 Data minimization
• 5.6 Use, retention and disclosure limitation
• 5.7 Accuracy and quality
• 5.8 Openness, transparency and notice
• 5.9 Individual participation and access
• 5.10 Accountability
• 5.11 Information security
• 5.12 Privacy compliance
These privacy principles should be used to guide the design, development and implementation of privacy policies and privacy controls.
Related standards: ISO/IEC 27002, ISO/IEC 27018, ISO/IEC 29151 (* under development at the time of the talk).
Privacy Implementation Approach
Implementation Model
[Diagram: inputs are local law requirements, contractual requirements and business requirements. Instruments are BCR / Safe Harbor / model contracts, a data privacy policy/manual, data privacy guidelines, and data protection compliance communications and training, all under a governance framework for monitoring and assurance. Phase labels: scoping, screening, privacy impact assessment (covering business processes, IT systems and third-party agreements), assessment, define and implement controls, implementation, monitor, monitor compliance.]
Privacy Impact Assessment (PIA)
• A PIA is a due diligence process to identify and address privacy risks and gaps against the applicable privacy principles. For each process or system it records:
  • personal data collected
  • source of the data
  • to whom it is transferred
  • how it is used
  • where it is stored
  • when it is disposed of
• A PIA is done at three levels: top level, condensed version, full scale
• The output of a PIA is a set of business controls and IT controls
Scope of the assessment:
• Employee data (incl. trainees, students, temporary employees, contractors, retired employees, employees' dependents, other former employees)
• Third-party data (incl. job applicants, customers, suppliers, creditors, debtors, visitors to buildings or public online services, shareholders)
• IT environments (incl. archive, backup, sandbox, staging, dev, test, acceptance, production, UAT, other)
Key IT Components
• PII discovery and data flow diagrams
• Risk-based information security program
• Data masking and data encryption
• Access control and logging (privacy-data specific)
• Data disposal plan and data preservation plan
• Data breach notification and digital forensics capability
• Controls while transferring data to third parties or other locations
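The first and third IT components above, PII discovery and data masking, and the PIA inventory questions (what personal data, where it is stored, in which environment) can be exercised together in one small pass. The following is an added example, not code from the presentation: it scans constructed sample records from hypothetical HR, CRM and analytics systems, confirms payment-card candidates with the Luhn checksum so that a look-alike order reference is not reported, builds a (system, environment, field) inventory, flags PII sitting in non-production environments where it should already have been masked, and produces masked copies. The regex patterns, environment names, record layout and all sample values are assumptions.

```python
"""PII discovery, inventory and masking over constructed sample records.

Added example; not code from the original presentation. The patterns,
record layout, environment names and sample values are assumptions
standing in for what a real PII discovery pass would read from live,
staging and sandbox systems.
"""
import re
from typing import Dict, List, Tuple

# Detection patterns for a few common US-centric PII types. Card-number
# candidates are confirmed with the Luhn checksum below so that a 16-digit
# order reference is not reported as a payment card.
PATTERNS = {
    "email":       re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "us_ssn":      re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card_number": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    "us_phone":    re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
}

# Environments where real PII should not be present unmasked (assumption).
NON_PRODUCTION = {"Sandbox", "Staging", "Dev", "Test", "UAT"}

# Constructed sample records, not real data.
SAMPLE_RECORDS = [
    {"system": "HR", "env": "Production", "field": "employee_note",
     "value": "Jane Doe, SSN 123-45-6789, reach at jane.doe@example.com"},
    {"system": "CRM", "env": "Staging", "field": "payment_memo",
     "value": "card 4111 1111 1111 1111 charged; callback 713-555-0142"},
    {"system": "CRM", "env": "Staging", "field": "order_ref",
     "value": "order 4111111111111112 shipped"},   # 16 digits but fails Luhn
    {"system": "Analytics", "env": "Sandbox", "field": "event",
     "value": "page_view duration=1234 ms"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> Dict[str, List[str]]:
    """Map PII type -> matched values found in text (card numbers Luhn-checked)."""
    found: Dict[str, List[str]] = {}
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "card_number" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                continue                    # looks like a card but is not one
            found.setdefault(kind, []).append(m.group(0))
    return found


def build_inventory(records) -> Dict[Tuple[str, str, str], List[str]]:
    """(system, env, field) -> sorted PII types, for fields that hold any PII."""
    inventory: Dict[Tuple[str, str, str], List[str]] = {}
    for r in records:
        kinds = sorted(find_pii(r["value"]))
        if kinds:
            inventory[(r["system"], r["env"], r["field"])] = kinds
    return inventory


def pii_outside_production(inventory) -> List[Tuple[str, str, str]]:
    """Fields holding PII in environments where it should have been masked."""
    return sorted(key for key in inventory if key[1] in NON_PRODUCTION)


def _mask_card(m: re.Match) -> str:
    digits = re.sub(r"\D", "", m.group(0))
    return "**** **** **** " + digits[-4:] if luhn_ok(digits) else m.group(0)


def mask_text(text: str) -> str:
    """Replace PII with partial masks that keep enough to support lookups."""
    text = PATTERNS["card_number"].sub(_mask_card, text)
    text = PATTERNS["us_ssn"].sub(lambda m: "***-**-" + m.group(0)[-4:], text)
    text = PATTERNS["email"].sub(
        lambda m: m.group(0)[0] + "***@" + m.group(0).split("@", 1)[1], text)
    text = PATTERNS["us_phone"].sub(lambda m: "***-***-" + m.group(0)[-4:], text)
    return text


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_RECORDS)
    for key, kinds in inv.items():
        print(f"{'/'.join(key):35} {', '.join(kinds)}")
    print("needs masking:", pii_outside_production(inv))
    for r in SAMPLE_RECORDS:
        print(mask_text(r["value"]))
```

Two design points worth noting. Pattern matching alone over-reports: the checksum step is what keeps the order reference out of the inventory, and in a real pass a format check should be backed by context (column name, neighbouring tokens) for types with no checksum. The masks are partial on purpose: keeping the last four digits preserves the ability to reconcile a record during a breach investigation or a subject access request, which a full redaction would destroy.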
Sample Business Controls
• Process personal data only for legitimate business purposes defined in the Data Privacy Manual
• Process only data that is relevant to attaining a specific legitimate business purpose
• Consent of the individuals whose data is processed may be required
• Individuals must always be notified that their personal data is processed for specific purposes
• Adequate contractual agreements where personal data is transferred to a third party
• Identify all countries where personal data will be processed and address any local data privacy requirements
• Subject access request: implement a process by which people can gain access to, correct, and object to the holding of their personal data
• Individuals should be given access to the logic involved in automated decision making
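The first three business controls above (legitimate purpose, relevance, consent) only hold if the IT layer enforces them, which is the privacy-specific access control and logging item from the Key IT Components slide. The following is an added example, not code from the presentation: a small in-memory store releases personal data fields only when the caller's role may invoke the declared purpose, every requested field is registered for that purpose, and, for purposes that need opt-in, the data subject has consented; every allow and deny decision goes to an audit log that carries the purpose. The purpose register, roles, record layout, consent flags and sample values are constructed assumptions standing in for what a Data Privacy Manual and the live systems would hold.

```python
"""Purpose-bound access to personal data with a privacy-specific audit log.

Added example; not code from the original presentation. The purpose
register, roles, records and consent flags are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Set

# Which data fields each legitimate business purpose may process
# (purpose specification + collection/use limitation). Hypothetical.
PURPOSE_REGISTER: Dict[str, Set[str]] = {
    "payroll":        {"name", "bank_account", "salary"},
    "benefits_admin": {"name", "dependents"},
    "marketing":      {"name", "email"},
}

# Which purposes a role may invoke. Hypothetical.
ROLE_PURPOSES: Dict[str, Set[str]] = {
    "payroll_clerk": {"payroll"},
    "hr_generalist": {"benefits_admin"},
    "marketer":      {"marketing"},
}

# Purposes that require the data subject's opt-in (choice/consent).
CONSENT_REQUIRED = {"marketing"}


class PurposeViolation(PermissionError):
    """Raised when a request falls outside the declared purpose."""


@dataclass(frozen=True)
class AuditEvent:
    when: str
    actor: str
    role: str
    purpose: str
    subject_id: str
    fields: FrozenSet[str]
    decision: str          # "allow" or "deny"
    reason: str


class PersonalDataStore:
    """In-memory store that only releases fields for a declared purpose."""

    def __init__(self, records: Dict[str, dict], consents: Dict[str, Set[str]]):
        self._records = records        # subject_id -> field -> value
        self._consents = consents      # subject_id -> purposes consented to
        self.audit_log: List[AuditEvent] = []

    def _log(self, actor, role, purpose, subject_id, fields, decision, reason):
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), actor, role, purpose,
            subject_id, frozenset(fields), decision, reason))

    def read(self, actor: str, role: str, purpose: str,
             subject_id: str, fields: Set[str]) -> Dict[str, object]:
        def deny(reason: str):
            self._log(actor, role, purpose, subject_id, fields, "deny", reason)
            raise PurposeViolation(reason)

        if purpose not in ROLE_PURPOSES.get(role, set()):
            deny(f"role {role!r} may not invoke purpose {purpose!r}")
        excess = set(fields) - PURPOSE_REGISTER.get(purpose, set())
        if excess:                     # data minimization: no fields beyond the purpose
            deny(f"fields {sorted(excess)} not permitted for purpose {purpose!r}")
        if purpose in CONSENT_REQUIRED and purpose not in self._consents.get(subject_id, set()):
            deny(f"subject {subject_id!r} has not consented to {purpose!r}")
        record = self._records.get(subject_id)
        if record is None:
            deny(f"unknown subject {subject_id!r}")
        self._log(actor, role, purpose, subject_id, fields, "allow", "within declared purpose")
        return {f: record[f] for f in fields if f in record}


# Constructed sample data, not real people.
RECORDS = {
    "E-1001": {"name": "A. Employee", "bank_account": "DE00 0000 0000 0000 0000 01",
               "salary": 52000, "dependents": ["child-1"]},
    "C-2001": {"name": "B. Customer", "email": "b.customer@example.com"},
    "C-2002": {"name": "C. Customer", "email": "c.customer@example.com"},
}
CONSENTS = {"C-2002": {"marketing"}}   # C-2001 has not opted in to marketing


def demo() -> PersonalDataStore:
    """Run one allowed read, three denied ones, and one consented read."""
    store = PersonalDataStore(RECORDS, CONSENTS)
    store.read("alice", "payroll_clerk", "payroll", "E-1001", {"name", "bank_account"})
    for args in [
        ("alice", "payroll_clerk", "payroll", "E-1001", {"dependents"}),  # beyond purpose
        ("bob", "hr_generalist", "payroll", "E-1001", {"salary"}),        # role cannot invoke purpose
        ("carol", "marketer", "marketing", "C-2001", {"email"}),         # no consent
    ]:
        try:
            store.read(*args)
        except PurposeViolation:
            pass
    store.read("carol", "marketer", "marketing", "C-2002", {"email"})
    return store


if __name__ == "__main__":
    for event in demo().audit_log:
        print(event.decision, event.actor, event.purpose, event.subject_id, event.reason)
```

Denied requests are logged with the same detail as allowed ones; that record is what lets the organization detect inappropriate access attempts and answer a subject access request about who processed a person's data and why, two of the organizational privacy risks listed earlier.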
Project Organization Structure
Roles shown on the org chart for the privacy compliance project:
• Steering committee
• Project manager
• Business controls lead
• IT controls lead (work stream: IT controls and embedding PIA in live IT systems)
• Information security SME
• Communication and awareness / training analyst
• Legal advisor
• Process owners
• IT application owner
• Contract team
Implementation Challenges
• Emerging and continuously evolving rules and regulations, which are difficult to track and implement
• Local regulatory knowledge is important
• Ambiguous requirements make it difficult to decide the correct course of action
• Lack of application features / technical limitations
• Lack of privacy awareness
• Changing technical landscape
• Identification of PII
• Management support
Thank You
contactshankar@gmail.com

More Related Content

What's hot

GDPR what you should know and how to minimize impact on your business
GDPR what you should know and how to minimize impact on your businessGDPR what you should know and how to minimize impact on your business
GDPR what you should know and how to minimize impact on your businessOlivier BARROT
 
Findability Day 2016 - What is GDPR?
Findability Day 2016 - What is GDPR?Findability Day 2016 - What is GDPR?
Findability Day 2016 - What is GDPR?Findwise
 
GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017isc2-hellenic
 
Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...Stephanie Vasey
 
ACI Europe - GDPR CUPPS Presentation
ACI Europe - GDPR CUPPS PresentationACI Europe - GDPR CUPPS Presentation
ACI Europe - GDPR CUPPS PresentationStephen H. Baird
 
Sophie's Privacy - a story about GDPR
Sophie's Privacy - a story about GDPRSophie's Privacy - a story about GDPR
Sophie's Privacy - a story about GDPRHans Demeyer
 
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701PECB
 
MindMap AVG Louwers Advocaten V 4.0 (EN)
MindMap AVG Louwers Advocaten V 4.0 (EN)MindMap AVG Louwers Advocaten V 4.0 (EN)
MindMap AVG Louwers Advocaten V 4.0 (EN)Huub de Jong
 
Migration approachquestionnaire checklist
Migration approachquestionnaire checklistMigration approachquestionnaire checklist
Migration approachquestionnaire checklistNandeep Nagarkar
 
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...Qualsys Ltd
 
GDPR – The Practicalities of a New Reality
GDPR – The Practicalities of a New Reality GDPR – The Practicalities of a New Reality
GDPR – The Practicalities of a New Reality Susan Moran
 
GDPR security services - Areyou ready ?
GDPR security services - Areyou ready ?GDPR security services - Areyou ready ?
GDPR security services - Areyou ready ?Frederick Penaud
 
EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?VYTIS MALECKAS
 
General Data Protection Regulation, May 2017, London
General Data Protection Regulation, May 2017, LondonGeneral Data Protection Regulation, May 2017, London
General Data Protection Regulation, May 2017, LondonBrowne Jacobson LLP
 

What's hot (20)

GDPR
GDPRGDPR
GDPR
 
GDPR what you should know and how to minimize impact on your business
GDPR what you should know and how to minimize impact on your businessGDPR what you should know and how to minimize impact on your business
GDPR what you should know and how to minimize impact on your business
 
Findability Day 2016 - What is GDPR?
Findability Day 2016 - What is GDPR?Findability Day 2016 - What is GDPR?
Findability Day 2016 - What is GDPR?
 
GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017
 
Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...
 
ACI Europe - GDPR CUPPS Presentation
ACI Europe - GDPR CUPPS PresentationACI Europe - GDPR CUPPS Presentation
ACI Europe - GDPR CUPPS Presentation
 
Sophie's Privacy - a story about GDPR
Sophie's Privacy - a story about GDPRSophie's Privacy - a story about GDPR
Sophie's Privacy - a story about GDPR
 
20170323 are you ready the new gdpr is here
20170323 are you ready the new gdpr is here20170323 are you ready the new gdpr is here
20170323 are you ready the new gdpr is here
 
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
 
3GRC approach to GDPR V 0.1 www.3grc.co.uk
3GRC  approach to GDPR V 0.1 www.3grc.co.uk3GRC  approach to GDPR V 0.1 www.3grc.co.uk
3GRC approach to GDPR V 0.1 www.3grc.co.uk
 
MindMap AVG Louwers Advocaten V 4.0 (EN)
MindMap AVG Louwers Advocaten V 4.0 (EN)MindMap AVG Louwers Advocaten V 4.0 (EN)
MindMap AVG Louwers Advocaten V 4.0 (EN)
 
Data protection
Data protectionData protection
Data protection
 
Migration approachquestionnaire checklist
Migration approachquestionnaire checklistMigration approachquestionnaire checklist
Migration approachquestionnaire checklist
 
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
 
GDPR – The Practicalities of a New Reality
GDPR – The Practicalities of a New Reality GDPR – The Practicalities of a New Reality
GDPR – The Practicalities of a New Reality
 
GDPR security services - Areyou ready ?
GDPR security services - Areyou ready ?GDPR security services - Areyou ready ?
GDPR security services - Areyou ready ?
 
EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?
 
General Data Protection Regulation, May 2017, London
General Data Protection Regulation, May 2017, LondonGeneral Data Protection Regulation, May 2017, London
General Data Protection Regulation, May 2017, London
 
Prepare Your Firm for GDPR
Prepare Your Firm for GDPRPrepare Your Firm for GDPR
Prepare Your Firm for GDPR
 
GDPR for dummies
GDPR for dummies  GDPR for dummies
GDPR for dummies
 

Similar to IT Perspectives in Implementing Privacy Framework

Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127Frank Dawson
 
What You Should Know About Data Privacy- Knobbe Martens Webinar Series for St...
What You Should Know About Data Privacy- Knobbe Martens Webinar Series for St...What You Should Know About Data Privacy- Knobbe Martens Webinar Series for St...
What You Should Know About Data Privacy- Knobbe Martens Webinar Series for St...Knobbe Martens - Intellectual Property Law
 
Introduction to data protection
Introduction to data protectionIntroduction to data protection
Introduction to data protectionRachel Aldighieri
 
GDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business AdvisorsGDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business AdvisorsHarrison Clark Rickerbys
 
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...Harrison Clark Rickerbys
 
GDPR Are you ready for auditing privacy ?
GDPR Are you ready for auditing privacy ?GDPR Are you ready for auditing privacy ?
GDPR Are you ready for auditing privacy ?Patrick Soenen
 
An introduction to data protection - Edinburgh
An introduction to data protection - EdinburghAn introduction to data protection - Edinburgh
An introduction to data protection - EdinburghRachel Aldighieri
 
GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? SecurityScorecard
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...PECB
 
019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for...
019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for...019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for...
019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for...LiamKelly95
 
019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for...
019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for...019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for...
019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for...LiamKelly95
 
Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event Vuzion
 
GDPR in the Healthcare Industry
GDPR in the Healthcare IndustryGDPR in the Healthcare Industry
GDPR in the Healthcare IndustryEMMAIntl
 
Getting Ready for GDPR
Getting Ready for GDPRGetting Ready for GDPR
Getting Ready for GDPRJessvin Thomas
 

Similar to IT Perspectives in Implementing Privacy Framework (20)

Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
 
GDPR for your Payroll Bureau
GDPR for your Payroll BureauGDPR for your Payroll Bureau
GDPR for your Payroll Bureau
 
GDPR: What does it mean for your business?
GDPR: What does it mean for your business?GDPR: What does it mean for your business?
GDPR: What does it mean for your business?
 
What You Should Know About Data Privacy- Knobbe Martens Webinar Series for St...
What You Should Know About Data Privacy- Knobbe Martens Webinar Series for St...What You Should Know About Data Privacy- Knobbe Martens Webinar Series for St...
What You Should Know About Data Privacy- Knobbe Martens Webinar Series for St...
 
What does GDPR mean for your business?
What does GDPR mean for your business?What does GDPR mean for your business?
What does GDPR mean for your business?
 
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
All about a DPIA by Andrey Prozorov 2.0, 220518.pdfAll about a DPIA by Andrey Prozorov 2.0, 220518.pdf
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
 
Ppt
PptPpt
Ppt
 
Introduction to data protection
Introduction to data protectionIntroduction to data protection
Introduction to data protection
 
GDPR: What does it mean for your business?
GDPR: What does it mean for your business?GDPR: What does it mean for your business?
GDPR: What does it mean for your business?
 
GDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business AdvisorsGDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business Advisors
 
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
 
GDPR Are you ready for auditing privacy ?
GDPR Are you ready for auditing privacy ?GDPR Are you ready for auditing privacy ?
GDPR Are you ready for auditing privacy ?
 
An introduction to data protection - Edinburgh
An introduction to data protection - EdinburghAn introduction to data protection - Edinburgh
An introduction to data protection - Edinburgh
 
GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for...
019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for...019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for...
019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for...
 
019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for...
019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for...019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for...
019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for...
 
Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event
 
GDPR in the Healthcare Industry
GDPR in the Healthcare IndustryGDPR in the Healthcare Industry
GDPR in the Healthcare Industry
 
Getting Ready for GDPR
Getting Ready for GDPRGetting Ready for GDPR
Getting Ready for GDPR
 

Recently uploaded

AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 

Recently uploaded (20)

AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 

IT Perspectives in Implementing Privacy Framework

  • 1. Shankar Subramaniyan ISACA Greater Houston Chapter August 17,2015 IT Perspectives in Implementing Privacy Framework 1
  • 2. • Privacy vs Security • Privacy Standards • Privacy Implementation Approach • Key components 2 Agenda
  • 4. Breach of Confidentiality IntrusionDistortion/Error Disclosure of untrue facts Exclusion/ Discrimination Unfair advantage /Power imbalance Automated / Harmful decisions against individual Identity theft Surveillance Privacy is the right of the individuals to determine when, how and to what extent they share information about themselves with others. Any action affecting the individual’s ability/right is the privacy concern. 4 Individual’s Privacy Concerns Secrecy Control
  • 5. APEC Privacy framework Fair Information Privacy Principles Generally Accepted Privacy Principles Privacy Principles are developed to address Privacy concerns Privacy by design • Notice / Awareness • Choice / Consent • Access / Participation • Integrity / security • Purpose specification • Collection and Use Limitation • Enforcement/ Accountability OECD ISO29100 * Sample Privacy Principles 5 Privacy Principles
  • 6. FTC section 5HIPAA GLBA Privacy regulations are developed to enforce Privacy Principles CAN SPAM Privacy Act COPPA Fair Credit Reporting Act Data Breach Notification Laws Safe Harbor/EU Directive 6 Privacy Regulations in US
  • 7. Privacy Vs Security PII C I A Employee Customer Supplier Partner Trade Secret Financial information Intellectual Property Competitive Information Privacy Rights Purpose specification Accountability and transparency 7
  • 8. Inadequate Protection of sensitive information Inappropriate collection, use, disclosure, retention of information in violation of privacy policy/notice Failure to deliver Privacy Notice Inappropriate solicitation in violation of user preference Failure to detect Privacy breach Failure to handle breach investigation promptly per applicable laws Failure to deliver and complete Privacy awareness training Inappropriate access to privacy data 8 Organization’s Privacy Risks
  • 10. Privacy Standards
    • NIST Privacy Risk Management for Federal Information Systems *
    • ISO27018:2014 -- Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
    • ISO29100:2011 -- Information technology -- Security techniques -- Privacy framework
  • 11. NIST Privacy Risk Management for Federal Information Systems
    • Privacy Risk = Likelihood of Problematic Data Action × Impact of Problematic Data Action
  • 12. ISO27018:2014: Data Protection of PII for CSPs
    • Provides a set of controls for cloud providers acting as PII processors
    • Interprets ISO27002 for cloud providers handling PII
    • Additional controls are listed in an annex, in line with the privacy principles of ISO29100:
      • PII is processed only per the instructions of the PII controller (per contract)
      • Recording of security data breaches
      • Intended destination of transmitted PII
      • Documented policy on the geographical area for PII storage
  • 13. ISO29100:2011 Privacy Framework
    • 4.5 Privacy safeguarding requirements
      • 4.5.1 Legal and regulatory factors
      • 4.5.2 Contractual factors
      • 4.5.3 Business factors
      • 4.5.4 Other factors
    • 4.6 Privacy policies
    • 4.7 Privacy controls – identify and implement privacy controls based on the privacy risk assessment process
    • 5 The privacy principles of ISO/IEC 29100
      • 5.1 Overview of privacy principles
      • 5.2 Consent and choice
      • 5.3 Purpose legitimacy and specification
      • 5.4 Collection limitation
      • 5.5 Data minimization
      • 5.6 Use, retention and disclosure limitation
      • 5.7 Accuracy and quality
      • 5.8 Openness, transparency and notice
      • 5.9 Individual participation and access
      • 5.10 Accountability
      • 5.11 Information security
      • 5.12 Privacy compliance
    • These privacy principles should be used to guide the design, development and implementation of privacy policies and privacy controls.
    • Related standards: ISO27002, ISO27018, ISO29151 * (* under development)
  • 15. Implementation Model (flow diagram; recoverable labels only)
    • Governance framework – monitoring & assurance: BCR/Safe Harbor/model contract; data privacy policy/manual; data privacy guidelines; DP compliance; communications; training
    • Inputs: local law requirements; contractual requirements; business requirements
    • Scoping: business process; IT systems; third party agreements
    • Privacy impact assessment: screening; assessment
    • Implementation: define & implement controls
    • Monitor: monitor compliance
  • 16. Privacy Impact Assessment (PIA)
    • PIA is a due-diligence process to identify and address privacy risks and gaps against applicable privacy principles
    • PIA records, for each data set: personal data collected; source of data; to whom it is transferred; how it is used; where it is stored; when it is disposed of
    • PIA is done at 3 levels: top level, condensed version, full scale
    • The output of a PIA is a set of business controls and IT controls
    • Data in scope:
      • Employee data (incl. trainees, students, temporary employees, contractors, retired employees, dependents of employees, other former employees)
      • Third party data (incl. job applicants, customers, suppliers, creditors, debtors, visitors to buildings or public online services, shareholders)
      • IT environment (incl. archive, backup, sandbox, staging, dev, test, acceptance, production, UAT, other)
  • 17. Key IT Components
    • Risk-based information security program
    • Data masking & data encryption
    • Access control & logging (privacy-data specific)
    • Data disposal plan & data preservation plan
    • Data breach notification & digital forensics capability
    • Controls while transferring data to third parties / locations
    • PII discovery & data flow diagrams
    • FTC
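The PIA data inventory (slide 16) and two of the IT components above (PII discovery feeding a data flow diagram, and data masking) can be prototyped in a few dozen lines. The following Python is an added example, not code from the deck or from any of the standards it cites: it scans constructed sample records from three assumed systems for e-mail, US SSN and US phone patterns, builds a per-system inventory of PII kinds, and pseudonymises matches with a keyed HMAC so the same value always maps to the same token. The pattern set, record layout, masking key and token format are all assumptions.

```python
"""PII discovery, per-system inventory and keyed masking (added example)."""
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed sample records: assumed system names, one field value each.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"system": "hr-db", "field": "notes",
     "value": "Contact jane.doe@example.com, SSN 123-45-6789"},
    {"system": "crm", "field": "phone",
     "value": "Call back at 555-123-4567 tomorrow"},
    {"system": "app-log", "field": "message",
     "value": "login ok user=42 ip=10.0.0.5"},
]

# Assumed detection patterns; a real program would tune these per data set.
PII_PATTERNS: Dict[str, re.Pattern] = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # SSN: area not 000/666/9xx, group not 00, serial not 0000.
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "us_phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}

# Constructed key for the example; in practice it lives in a secrets store.
MASKING_KEY = b"example-masking-key-not-for-production"


def discover(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per PII match: system, field, kind and raw match."""
    findings = []
    for rec in records:
        for kind, pattern in PII_PATTERNS.items():
            for m in pattern.finditer(rec["value"]):
                findings.append({"system": rec["system"], "field": rec["field"],
                                 "kind": kind, "match": m.group(0)})
    return findings


def inventory(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Collapse findings to system -> sorted PII kinds (data flow diagram input)."""
    inv: Dict[str, set] = {}
    for f in findings:
        inv.setdefault(f["system"], set()).add(f["kind"])
    return {system: sorted(kinds) for system, kinds in inv.items()}


def mask_value(kind: str, raw: str, key: bytes = MASKING_KEY) -> str:
    """Pseudonymise one value: keyed HMAC so equal inputs give equal tokens
    but the token cannot be reversed without the key."""
    token = hmac.new(key, raw.encode("utf-8"), hashlib.sha256).hexdigest()[:8]
    return f"[{kind.upper()}:{token}]"


def mask_text(text: str) -> str:
    """Replace every PII match in a free-text value with its masked token."""
    for kind, pattern in PII_PATTERNS.items():
        text = pattern.sub(lambda m, k=kind: mask_value(k, m.group(0)), text)
    return text


if __name__ == "__main__":
    found = discover(SAMPLE_RECORDS)
    for f in found:
        print(f"{f['system']}.{f['field']}: {f['kind']} -> {f['match']}")
    print("inventory:", inventory(found))
    for rec in SAMPLE_RECORDS:
        print(rec["system"], "->", mask_text(rec["value"]))
```

The inventory is the piece a PIA actually needs: it answers "which systems hold which kinds of personal data" and is the input to the data flow diagram. Keyed pseudonymisation is used instead of plain redaction because it keeps records joinable across systems for analytics while removing the raw identifier; rotating the key invalidates every token at once, which is the disposal lever.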
  • 18. Sample Business Controls
    • Process personal data only for legitimate business purposes defined in the Data Privacy Manual
    • Process only data that is relevant for attaining a specific legitimate business purpose
    • Consent of the individuals whose data is processed may be required
    • Individuals must always be notified that their personal data is processed for specific purposes
    • Adequate contractual agreements in the event personal data is transferred to a third party
    • Identify all the countries where the processing of personal data is to take place and address any local data privacy law requirements
    • Subject Access Request: implement a process by which people can gain access to, correct and object to the holding of their personal data
    • Individuals should be given access to the logic involved in automated decision making
  • 19. Project Organization Structure (org chart; recoverable labels only)
    • Steering Committee
    • Privacy Compliance Project – Project Manager
    • Business Controls Lead; IT Controls Lead
    • IT Controls & Embedding; PIA Live IT Systems; Information Security SME; Communication & Awareness / Training Analyst; Legal Advisor; Process Owners; IT Application Owner; Contract Team
  • 20. Implementation Challenges
    • Emerging and continuously evolving rules and regulations make them difficult to track and implement
    • Local regulatory knowledge is important
    • Requirements are ambiguous, making it difficult to decide the correct course of action
    • Lack of application features / technical limitations
    • Lack of privacy awareness
    • Changing technical landscape
    • Identification of PII
    • Management support