Business Privacy needs

  1. Privacy. Foundations of Information Security Series. Vicente Aceituno (@vaceituno). (c) Inovement Europe 2014
  2. Vicente Aceituno
     - Email: vac@zenobia.es, Skype: vaceituno
     - LinkedIn: linkedin.com/in/vaceituno
     - Inovement Europe: inovement.es
     - Video blog: youtube.com/user/vaceituno
     - Blog: ism3.com
     - Twitter: twitter.com/vaceituno
     - Presentations: slideshare.net/vaceituno/presentations
     - Articles: slideshare.net/vaceituno/documents
  3. Foundations of Information Security Series
     - Needs: Secrecy, Intellectual Property you Own, Intellectual Property you Use, Privacy, Availability, Retention, Expiration, Quality
     - Obligations: Technical, Compliance, Legal
  4. What is Information Security?
     - "Information Security" is an emergent property of people using information.
     - People have expectations about information.
     - If there are no people or no information, "Information Security" is meaningless, as there are no expectations to meet.
  5. What is Information Security?
     - When expectations about information are met, there is "Security".
     - When expectations about information are not met, there is an "Incident".
  6. What is Information Security?
     - Some expectations are things people (or organizations) want to happen for their own reasons. These are Needs.
     - Some expectations are things people (or organizations) want to happen in order to meet technical, legal or standards compliance requirements. These are Obligations.
  7. Privacy
  8. Privacy
     - Some expectations of people about information are related to the ownership, control and use of information over time.
  9. Privacy
     - Ownership is defined as having legal rights and duties over something.
     - Control is defined as having the ability to grant or deny access to users, and to attribute to specific users their use of information.
     - Use is defined as having access to read, write or modify information.
  10. Privacy
     - Privacy can be seen as a person's right and ability to select what other people or organizations know about him or her.
     - From the point of view of information security, Privacy expectations are related to Personal information and Personally identifiable information.
  11. Privacy
     - Personally identifiable information is any information that uniquely identifies an individual person. For example:
       - Name
       - Address
       - Electronic addresses (phone number, URLs, IPs, etc.)
       - Electronic IDs (email, login name, nickname, etc.)
       - Official IDs (national ID, tax ID, health ID, etc.)
       - Property IDs (plate number, license number, credit card number)
       - Biological traits (face, fingerprints, DNA, etc.)
       - Behavioral traits (handwriting, gait, etc.)
       - Other (date of birth, birthplace, etc.)
  12. Privacy legislation
     - Legally, the ownership of personal information differs between regions of the world. Some examples:
       - In the European Union, people legally own their personal information, and legislation aims to provide them with control over this information.
       - In the USA, the person or organization that uses or controls personal information legally owns it.
  13. Privacy Needs
     - There is an expectation that personal information will be held by authorized administrators only, for no longer than required.
     - There is an expectation that personal information will be controlled by its owners or authorized administrators only, for as long as they are authorized.
  14. Privacy Needs
     - There is an expectation that personal information will be used by authorized users only, for a valid purpose and for as long as they are authorized.
     - In certain cases there is an expectation that personal information will be used by authorized users only, in a way that preserves anonymity.
  15. Privacy Needs
     - Privacy expectations can be determined by answering the following questions:
       - Who should control the personal information, and for how long?
       - Who should not control the personal information?
       - What are the valid uses of the personal information?
       - Who should make valid use of the personal information, and for how long?
       - Who should not use the personal information?
       - Should it be possible to identify the owner of the personal information?
  16. Privacy Needs
     - Whether these expectations are met is independent of the observer and repeatable.
     - Answering the aforementioned questions renders lists that can be enumerated, measured and managed.
  17. Privacy Obligations
     - Organizations often must comply with legal obligations related to personal information. Among these obligations, the following are frequent:
       - Personal information completeness must be proportional to its use.
       - Personal information can't be kept for longer than needed.
  18. Privacy Obligations
     - The owner of the personal information must agree for it to be collected, and has the right to check it, fix it and approve how it will be used or ceded.
     - The owner of personal information will be given notice when his information is being collected, including who is collecting the information.
  19. Privacy Obligations
     - Repositories with personal information have to be registered with a Data Protection agency.
     - Personal information must be used for the purpose agreed with the information owner.
  20. Privacy Obligations
     - Personal information must not be disclosed without the agreement of the information owner.
     - Personal information owners will have means to hold data collectors accountable for their use of their personal information.
     - Personal information must be protected using certain security measures depending on its sensitivity.
  21. Privacy needs related incidents
     - When personal information is controlled by people who are not, or have never been, the owners or the authorized administrators. For example:
       - Granting access to unauthorized users.
       - Denying access to authorized users.
       - Lack of attribution, or misattribution, to specific users of their use of personal information.
  22. Privacy needs related incidents
     - When personal information is used by people who are not, or have never been, authorized users.
     - When personal information is used by authorized users for invalid purposes.
     - When anyone uniquely identifies the owner of personal information when it should have remained anonymous.
     - For a more complete list of incidents check tiny.cc/incidents
  23. Privacy obligations related incidents
     - When personal information is more complete than it needs to be.
     - When personal information is kept for longer than needed.
     - When the owner of the personal information is not given, or is denied, the opportunity to agree for it to be collected, or is not given, or is denied, the right to check it, fix it and approve how it will be used or ceded.
     - When the owner of personal information is not given notice when his information is being collected, including who is collecting the information.
  24. Privacy obligations related incidents
     - When repositories with personal information are not registered with a Data Protection agency within a certain period of time.
     - When personal information is used for a purpose other than the one agreed with the information owner.
     - When personal information is used by people without the agreement of the information owner.
     - When personal information is not protected using certain security measures depending on its sensitivity.
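As an added example (not part of the slides or of the O-ISM3 material), the answers to the slide-15 questions written down as the enumerable lists slide 16 talks about, with the need-related incidents of slides 21 and 22 and the retention incident of slide 23 detected mechanically from a constructed event log. Every name, date and event is an assumption made for the example.

```python
# Added example, not from the slides or O-ISM3: the slide-15 answers kept as lists
# for one record, and the slide-21/23 incidents detected from constructed events.
from dataclasses import dataclass
from datetime import date
@dataclass
class PrivacyNeed:             # the answers to the six slide-15 questions
    owner: str
    administrators: frozenset  # who should control it (grant/deny access)
    users: frozenset           # who should make valid use of it
    valid_purposes: frozenset  # what the valid uses are
    retain_until: date         # for how long
    must_stay_anonymous: bool  # should the owner remain unidentifiable?

@dataclass
class AccessEvent:
    actor: str
    action: str                # grant | deny | read | write | modify | identify
    purpose: str = ""
    target: str = ""           # user being granted/denied, for control actions
    when: date = date(2014, 1, 1)

def check_event(need, ev):
    """Incident categories the event triggers; [] means the expectations were met."""
    found = []                 # same lists + same event = same verdict (slide 16)
    if ev.action in ("grant", "deny"):
        if ev.actor not in need.administrators | {need.owner}:
            found.append("controlled by non-administrator")
        elif ev.action == "grant" and ev.target not in need.users:
            found.append("access granted to unauthorized user")
        elif ev.action == "deny" and ev.target in need.users:
            found.append("access denied to authorized user")
    elif ev.action in ("read", "write", "modify"):
        if ev.actor not in need.users:
            found.append("used by unauthorized user")
        elif ev.purpose not in need.valid_purposes:
            found.append("used for invalid purpose")
    elif ev.action == "identify" and need.must_stay_anonymous:
        found.append("owner identified where anonymity was expected")
    if ev.when > need.retain_until:
        found.append("kept longer than needed")   # slide-17 obligation
    return found

def run_sample():  # constructed sample (an assumption): one record, four events
    need = PrivacyNeed("alice", frozenset({"hr_admin"}), frozenset({"payroll"}),
                       frozenset({"salary_payment"}), date(2014, 12, 31), True)
    events = [AccessEvent("hr_admin", "grant", target="payroll"),
              AccessEvent("payroll", "read", "salary_payment"),
              AccessEvent("marketing", "read", "campaign"),
              AccessEvent("analyst", "identify", when=date(2015, 3, 1))]
    return [check_event(need, e) for e in events]
```

Each verdict is a list of the slide-21/23 incident categories, so the same lists can be counted and tracked per record, which is what "enumerated, measured and managed" on slide 16 amounts to in practice.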
  25. Achieving Privacy
     - In order to achieve Privacy, Access Control and Compliance measures are normally taken.
     - Cryptography is an important technology for Access Control.
     - The Access Control related O-ISM3 processes are:
       - OSP-12 User Registration
       - OSP-11 Access Control
     - The Compliance related O-ISM3 processes are:
       - OSP-21 Information Quality and Compliance Assessment
  26. Privacy
  27. The O-ISM3 Challenge
     - This was an exercise designed to throw into sharp relief the inadequacy of traditional information security concepts.
     - Check the exercise in full at tiny.cc/indepth
     - A summary of the conclusions from the exercise, in relation to Privacy, follows.
  28. (Diagram) Business Needs: Secrecy, Intellectual Property, Privacy; Confidentiality. Business Obligations; Confidentiality.
  29. Confidentiality
     - ISO definition: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
     - ITIL definition: a security principle that requires that data should only be accessed by authorized people.
     - COBIT definition: concerns the protection of sensitive information from unauthorized disclosure.
  30. Privacy and Confidentiality
     - Confidentiality can't be measured (it doesn't have units). Therefore it is neither independent of the observer nor repeatable, as Privacy is.
     - Privacy can be used to measure, communicate and manage a specific expectation of people about information.
     - Confidentiality is not necessary to understand or measure Privacy.
  31. Privacy and Confidentiality
     - Privacy and Confidentiality are not equivalent.
     - Confidentiality and Privacy are not synonymous.
     - Confidentiality is not useful to understand Privacy.
  32. Follow the Foundations of Information Security Series by joining the LinkedIn O-ISM3 Group at tiny.cc/osim3LG. Learn Advanced Information Security Management by joining us at an O-ISM3 Course: tiny.cc/osim3
