Information Security: How to be GDPR compliant?
CREOBIS, 08/06/2017
Alain Cieslik
What Is the Difference Between Security and Privacy?

Security: the primary goal of InfoSec is to protect the confidentiality, integrity and availability of protected information.

Confidentiality (ISO 27000): property that information is not made available or disclosed to unauthorized individuals, entities or processes.
Integrity (ISO 27000): property of protecting the accuracy and completeness of assets.
Availability (ISO 27000): property of being accessible and usable upon demand by an authorized entity.

Source: https://www.cocc.edu/its/infosec/concepts/cia-triad/
ICT Control
What Is the Difference Between Security and Privacy?

Privacy: the right of an individual to trust that others will appropriately and respectfully use, store, share and dispose of his/her associated personal and sensitive information within the context, and according to the purposes, for which it was collected or derived.

Security                              | Privacy
is a process                          | is a consequence
is action                             | is a result of successful actions
is the strategy                       | is the outcome
is a state of being free from danger  | is a state of being free from unsanctioned intrusion

Source: ISACA Privacy Principles and Program Management Guide
What Is Risk with Respect to Information Security?

Security controls (countermeasures) are safeguards to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.

Asset (ISO 27000): anything that has value to the organization.

Source: ISACA Privacy Principles and Program Management Guide
ICT Control, 1/06/2017
What Is Risk with Respect to GDPR?

Recital 75: The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorized reversal of pseudonymisation, or any other significant economic or social disadvantage;
I. How can privacy risks be evaluated?
I. How to evaluate privacy risks

The privacy risk level is estimated in terms of severity and likelihood by carrying out a Privacy Impact Assessment.

PIA vs DPIA:
A Privacy Impact Assessment (PIA) is a questionnaire to identify and help reduce privacy risk.
A Data Protection Impact Assessment (DPIA) is a specific type of PIA that is described in the EU GDPR and comes with unique obligations.

A compliance approach implemented by carrying out a PIA is based on respecting the following principles.

Source: https://iapp.org/media/pdf/resource_center/onetrust-pia-dpia-ultimate-handbook.pdf
I. How to evaluate privacy risks

PIA Manual 1 - Methodology (how to carry out a PIA): https://www.cnil.fr/sites/default/files/typo/document/cnil-pia-1-methodology.pdf
PIA Manual 2 - Tools (templates and knowledge bases): https://www.cnil.fr/sites/default/files/typo/document/cnil-pia-1-methodology.pdf
I. How to evaluate privacy risks

In summary, to comply with GDPR, it is necessary to:
1. Context: define and describe the context of the processing of personal data under consideration and its stakes;
2. Controls: identify existing or planned controls;
3. Risks: assess privacy risks to ensure they are properly treated;
4. Decisions: make the decision to validate the manner in which it is planned to comply with privacy principles and treat the risks.

* The current CNIL approach is still based on the French regulation and is not 100% GDPR-oriented from a legal point of view.
I. How to evaluate privacy risks
CNIL approach (diagram)
I. Evaluate the level of security required by the GDPR
CNIL approach: risk register

Risk Id | Risk description                                             | Probability | Impact
1       | Eavesdropping on unprotected data used by the mobile application |             |
I. How to evaluate privacy risks

What can be done to mitigate risks? Define security controls that:
- reduce the impact;
- reduce the probability.
I. How to evaluate privacy risks
CNIL approach: action plan

Task Id | Non-conformity issue detected | Security controls                                    | Assigned to | Due date   | Status
1       | Data inventory                | Describe the data processed by the application XYZ   | John Smith  | 01/08/2017 | Not started
2       | Information security          | Implement HTTPS for each communication               | John Doe    | 01/07/2017 | Not started
II. Information security
II. Information security
Different types of security controls (diagram)
II. Information security

Protecting personal information during the full data lifecycle: Create -> Store -> Use -> Share -> Backup -> Destroy.

Information security addresses the protection goals of confidentiality, integrity and availability during the full data lifecycle. All of these goals are also important from a privacy and data protection perspective, which specifically requires that unauthorized access and processing, manipulation, loss, destruction and damage are prevented.
II. Information security

Defense in depth is an information assurance concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system.

Least privilege principle: a security principle in which a person or a process is given only the minimum level of access rights (permissions) necessary to complete an assigned operation.

Separation of duties: a security principle in which an organization establishes appropriate divisions of responsibility and separates duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals.
II. Information security

Cryptography is a method of storing and transmitting data in a particular form so that only those for whom it is intended can read and process it.

A digital signature is a mathematical scheme for demonstrating the authenticity of digital messages or documents. A valid digital signature gives a recipient reason to believe that the message was created by a known sender (authentication), that the sender cannot deny having sent the message (non-repudiation), and that the message was not altered in transit (integrity).

Source: https://en.wikipedia.org/wiki/digital_signature
III. Privacy by design
III. Privacy by design

Controls diagram:
Security controls, protecting personal data for confidentiality, integrity and availability: authentication, authorization, auditing, non-repudiation, encryption, hashing, file signature, secure architecture.
Privacy controls, for anonymity, unlinkability, unobservability and pseudonymity: anonymisation, pseudonymisation, privacy design techniques, database design techniques.
III. Privacy by design

Anonymization is a type of information sanitization whose intent is privacy protection. It is the process of either encrypting or removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous.

Pseudonymization is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms.
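The two procedures side by side, as an added example that is not from the slides: pseudonymization keeps records linkable through keyed tokens (so "unauthorized reversal of pseudonymisation" from Recital 75 comes down to protecting the key), while anonymization drops the identifying fields outright and coarsens the remaining quasi-identifiers. The records, field names and key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample records; the people are fictitious.
RECORDS = [
    {"name": "Ann Example", "email": "ann@example.org", "postcode": "1050", "age": 34},
    {"name": "Bob Example", "email": "bob@example.org", "postcode": "1000", "age": 58},
]
DIRECT_IDENTIFIERS = ("name", "email")

def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated): the same value under the same key
    always maps to the same token, so records stay linkable for the application,
    but re-deriving or reversing the token needs the key. Keep the key away from
    the pseudonymized data set, otherwise the pseudonymization is trivially reversed."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymize(records: list, key: bytes) -> list:
    """Replace the direct identifiers by pseudonyms; all other fields are kept."""
    out = []
    for r in records:
        p = dict(r)
        for field in DIRECT_IDENTIFIERS:
            p[field] = pseudonym(r[field], key)
        out.append(p)
    return out

def anonymize(records: list) -> list:
    """Drop the direct identifiers and coarsen the quasi-identifiers (age, postcode)
    that could single a person out in combination. There is no key: not reversible."""
    out = []
    for r in records:
        a = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        decade = (r["age"] // 10) * 10
        a["age"] = f"{decade}-{decade + 9}"
        a["postcode"] = r["postcode"][:2] + "xx"
        out.append(a)
    return out
```

Whether the coarsened records are actually anonymous depends on the rest of the data set (how many people share each age bracket and postcode prefix); the block only shows the mechanism.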
III. Privacy by design

The 7 Foundational Principles:
1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality: Positive-Sum, not Zero-Sum
5. End-to-End Security: Full Lifecycle Protection
6. Visibility and Transparency: Keep it Open
7. Respect for User Privacy: Keep it User-Centric

Source: https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf
III. Privacy by design

The principle of privacy/data protection by design is based on the insight that building in privacy features from the beginning of the design process is preferable to attempting to adapt a product or service at a later stage.

The principle of privacy/data protection by default means that in the default setting the user is already protected against privacy risks.

Privacy and data protection by design: https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design
Privacy by design in big data: https://www.enisa.europa.eu/publications/big-data-protection
IV. Example of GDPR accountability
IV. Example of GDPR accountability

Consent lifecycle, privacy by default (shown in four steps on the slides):
1. Privacy by default: no data collection.
2. Consent given: data collection is allowed.
3. Consent withdrawn: data collection is not allowed.
4. Consent given: data collection is allowed.

Smartphone: no data collection -> consent: geolocation permission -> collect geolocation info -> withdraw consent -> no data collection -> consent: geolocation permission -> collect geolocation info.
System: no data collection -> consent given -> data collection -> consent removed -> no data collection -> consent given -> data collection.

Accountability log:
01/01/2017 08:00  consent given    legitimate process
01/02/2017 08:00  consent removed
01/03/2017 08:00  consent given    legitimate process
V. Data breach

Extract from the Programme in European Data Protection (GDPR)
Speaker: Joëlle Jouret, 18/05/2017
Source: www.solvay.edu/gdpr
V. Data breach

1. Preparing for a cyber security incident
2. Detecting and identifying potential cyber security incidents
3. Handling an actual incident: contain, eradicate and recover
4. Communication during a cyber security incident
5. Incident follow-up and closure: learn from each incident!

Source: Cyber Security Incident Management Guide
V. Data breach

What kind of procedures do you need?
- Internal procedures to report and to record all breaches.
- Procedures to notify the DPA, within 72h, of data breaches that present a risk for the rights of the data subjects (DS).
- Procedures to communicate a data breach to the public, if requested (i.e. breaches that present a high risk for the rights of the DS).

What kind of form could be helpful?
- Internal forms to report and record breaches.
- An internal form to help with the communication to the public.
- External forms (from the DPA) to notify.
V. Data breach

Internal form to report and to record: example form (shown as images on the slides)
Programme in European Data Protection, Solvay.edu/gdpr: 5 days of education, starting again in September.
Call: +322 340 3200, email: ac@ictc.eu
Active since 1999, ICT CONTROL NV-SA is connected to SOLVAY BRUSSELS SCHOOL OF ECONOMICS AND MANAGEMENT and ISACA international.
Call: +322 340 3200 email: xv@ictc.eu