IT Perspectives in Implementing Privacy Framework
Shankar Subramaniyan
ISACA Greater Houston Chapter
August 17, 2015
Agenda
• Privacy vs Security
• Privacy Standards
• Privacy Implementation Approach
• Key components
Privacy vs Security
Individual's Privacy Concerns
Privacy is the right of individuals to determine when, how and to what extent they share information about themselves with others. Any action affecting that ability/right is a privacy concern.
Concerns shown in the diagram (axes: Secrecy, Control):
• Breach of confidentiality
• Intrusion
• Distortion/Error
• Disclosure of untrue facts
• Exclusion/Discrimination
• Unfair advantage / Power imbalance
• Automated / Harmful decisions against the individual
• Identity theft
• Surveillance
Privacy Principles
Privacy principles are developed to address privacy concerns.
Principle frameworks shown in the diagram: APEC Privacy Framework, Fair Information Privacy Principles, Generally Accepted Privacy Principles, Privacy by Design, OECD, ISO29100.
Sample privacy principles:
• Notice / Awareness
• Choice / Consent
• Access / Participation
• Integrity / Security
• Purpose specification
• Collection and Use Limitation
• Enforcement / Accountability
Privacy Regulations in US
Privacy regulations are developed to enforce privacy principles. Examples shown in the diagram:
• FTC Section 5
• HIPAA
• GLBA
• CAN-SPAM
• Privacy Act
• COPPA
• Fair Credit Reporting Act
• Data Breach Notification Laws
• Safe Harbor / EU Directive
Privacy vs Security
Diagram labels (overlap of the two disciplines around PII):
• PII, protected for C I A (Confidentiality, Integrity, Availability)
• Data subjects: Employee, Customer, Supplier, Partner
• Security scope: Trade Secret, Financial information, Intellectual Property, Competitive Information
• Privacy scope: Privacy Rights, Purpose specification, Accountability and transparency
Organization's Privacy Risks
• Inadequate protection of sensitive information
• Inappropriate collection, use, disclosure, retention of information in violation of privacy policy/notice
• Failure to deliver privacy notice
• Inappropriate solicitation in violation of user preference
• Failure to detect privacy breach
• Failure to handle breach investigation promptly per applicable laws
• Failure to deliver and complete privacy awareness training
• Inappropriate access to privacy data
Privacy Standards
Privacy Standards
• *NIST Privacy Risk Management for Federal Information Systems
• ISO27018:2014 - Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• ISO29100:2011 - Information technology -- Security techniques -- Privacy framework
NIST Privacy Risk Management for Federal Information Systems
Privacy Risk = Likelihood of Problematic Data Action × Impact of Problematic Data Action
ISO27018:2014: Data Protection of PII for CSP
• Provides a set of controls for Cloud Providers acting as PII processors
• Interprets ISO27002 for Cloud Providers handling PII
• Additional controls are given in an Annex, in line with the Privacy Principles of ISO29100
• PII only processed as per instructions of the PII Controller (per contract)
• Recording of security data breaches
• Intended destination of transmitted PII
• Documented policy about geographical area for PII storage
ISO29100:2011 Privacy Framework
• 4.5 Privacy safeguarding requirements
  • 4.5.1 Legal and regulatory factors
  • 4.5.2 Contractual factors
  • 4.5.3 Business factors
  • 4.5.4 Other factors
• 4.6 Privacy policies
• 4.7 Privacy controls – identify and implement privacy controls based on the privacy risk assessment process
• 5 The privacy principles of ISO/IEC 29100
  • 5.1 Overview of privacy principles
  • 5.2 Consent and choice
  • 5.3 Purpose legitimacy and specification
  • 5.4 Collection limitation
  • 5.5 Data minimization
  • 5.6 Use, retention and disclosure limitation
  • 5.7 Accuracy and quality
  • 5.8 Openness, transparency and notice
  • 5.9 Individual participation and access
  • 5.10 Accountability
  • 5.11 Information security
  • 5.12 Privacy compliance
These privacy principles should be used to guide the design, development, and implementation of privacy policies and privacy controls.
Related standards shown in the diagram: ISO27002, ISO27018, *ISO29151 (* under development)
Privacy Implementation Approach
Implementation Model
Diagram elements:
• Requirements inputs: Local law requirements, Contractual requirements, Business requirements; BCR / Safe Harbor / Model contract
• Policy layer: Data Privacy Policy/Manual, Data Privacy Guidelines, DP Compliance, Communications, Training
• Governance Framework – Monitoring & Assurance
• Phases: Scoping; Privacy Impact Assessment (Business Process, IT Systems, Third party Agreements); Define & Implement Controls; Assessment; Monitor Compliance
• Lanes: Screening, Implementation, Monitor
Privacy Impact Assessment (PIA)
• PIA is a due diligence process to identify and address privacy risks and gaps in applicable privacy principles
  • Personal data collected
  • Source of data
  • To whom it is transferred
  • How used
  • Where stored
  • When disposed
• PIA is done at 3 levels - Top level, Condensed version, Full scale
• Output of PIA results in a set of business controls and IT controls
Scope of a PIA (diagram):
• Employee Data (incl. trainees, students, temporary employees, contractors, retired employees, dependents of employees, other former employees)
• Third Party Data (incl. job applicants, customers, suppliers, creditors, debtors, visitors to building or public online services, shareholders)
• IT Environment (incl. Archive, Backup, Sandbox, Staging, Dev, Test, Acceptance, Production, UAT, Other)
Key IT Components
• Risk based information security program
• Data masking & data encryption
• Access control & logging (privacy data specific)
• Data disposal plan & data preservation plan
• Data breach notification & digital forensics capability
• Controls while transferring data to third parties / locations
• PII discovery & data flow diagrams
Sample Business Controls
• Processing personal data only for legitimate business purposes defined in the Data Privacy Manual
• Processing only data that is relevant for attaining a specific legitimate business purpose
• Consent of the individuals whose data is processed may be required
• Individuals must always be notified that their personal data is processed for specific purposes
• Adequate contract agreements in the event personal data is transferred to a third party
• Identification of all the countries where the processing of personal data is to take place, and addressing any local law data privacy requirements
• Subject Access Request: implementing a process by which people can gain access to, correct and object to the holding of their personal data
• Individuals should be given access to the logic involved in automated decision making
Project Organization Structure
Org chart elements:
• Steering Committee
• Privacy Compliance Project – Project Manager
• Business Controls Lead
• IT Controls Lead: IT Controls & Embedding, PIA, Live IT Systems
• Information Security SME
• Communication & Awareness / Training Analyst
• Legal Advisor
• Process Owners, IT Application Owner, Contract Team
Implementation Challenges
• Emerging and continuously evolving rules and regulations, making them difficult to track and implement
• Local regulatory knowledge is important
• Requirements are ambiguous, making it difficult to decide the correct course of action
• Lack of application features / technical limitations
• Lack of privacy awareness
• Changing technical landscape
• Identification of PII
• Management support
Thank You
2contactshankar@gmail.com
