30 Whitepapers Iso 29100 How Can Organizations Secure Its Privacy Network
WHITEPAPER
ISO 29100
HOW CAN ORGANIZATIONS SECURE ITS PRIVACY NETWORK?
www.pecb.com
PRINCIPAL AUTHORS
Eric LACHAPELLE, PECB
Bardha AJVAZI, PECB
Fitim RAMA, PECB
INTRODUCTION
During the past years, we have witnessed huge record losses caused by many information security incidents involving personally identifiable information (PII), affecting both individuals and organizations. The consequences of such incidents include legal liability, identity theft, and recovery costs. Therefore, organizations should implement an international information security standard that provides guidelines on how to protect their privacy networks and PII, keeping pace with the increased use of information and communication technologies (ICT) that process PII.
In response to ongoing privacy-related incidents affecting large corporations, small companies, and famous individuals, ISO developed in 2011 the ISO/IEC 29100 Privacy framework and ISO 29101 Privacy framework architecture, which provide a high-level framework for securing Personally Identifiable Information (PII) in Information and Communication Technology systems. Organizations can use these standards to design, implement, operate and maintain ICT systems that protect PII, and to improve their privacy programs through industry best practices.
ISO/IEC 29100 is intended to be used by persons and organizations involved in designing, developing, procuring, architecting, testing, maintaining, and operating information and communication technology systems where privacy controls are required for the processing of PII.
This privacy framework was developed to assist organizations in defining their privacy safeguarding requirements for all information involved, through the attributes listed later in this paper.
Although several existing standards relate to security (such as ISO 27001, ISO 27002, and ISO 27018), ISO/IEC 29100 focuses specifically on the processing of PII.
The continually increasing complexity of ICT systems has made it difficult for organizations to ensure that privacy is protected, and with the heavy commercial use of PII, achieving compliance with the various applicable laws has become harder.
Therefore, the ISO/IEC 29100 standard defines eleven substantive privacy principles (presented in the chart below), developed to take account of applicable legal and regulatory, contractual, commercial and other relevant factors. All these principles were developed by a number of states, countries and international organizations worldwide.
1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance
Besides guiding the design, development and implementation of privacy policies and controls, these principles can also serve as a reference point for the monitoring, measurement, benchmarking and auditing of an organization's privacy management program.
Moreover, the basic elements that make up the ISO/IEC 29100 Privacy Framework are presented in the figure below, which is taken from WG5 at the ISO/IEC/FIDIS/ITU-T Joint Workshop on Identity Management Standards, Lucerne, Switzerland, 2007. The figure identifies PII Providers and PII Receivers as actors. PII providers can be users of an information and communication technology system, data owners or subscribers, whereas application providers or administrators are the PII receivers. Privacy preferences are set by PII providers, while the safeguarding controls are applied throughout the information lifecycle, which includes the collection, storage, usage, transfer and deletion of information.
[Figure: elements of the ISO/IEC 29100 Privacy Framework. The PII Provider (data subject, user, data owner, subscriber...) sets Privacy Preferences. The PII Receiver (application provider, data controller, administration, data collector...) issues a Privacy Policy based on requirements derived from Internal Rules, Legal Requirements and the Business Use Case, with an optional check against the privacy principles. Privacy Safeguarding Controls are applied across the information lifecycle: Collect, Store, Use, Transfer, Destroy.]
In November 2014, confidential information including information about employees, internal e-mails, executive salaries, copies of unreleased films, etc. was exposed. This cyberattack is believed to have cost Sony Pictures approximately $15 million in damage recovery. In addition, the leak of information (especially e-mails between employees) caused chaos among many well-known celebrities, and a large number of court cases followed.
In September 2014, hackers broke into an installed payment system, resulting in the theft of 53 million customer e-mail addresses and 56 million customer credit card accounts. This incident is believed to have cost the company $34 million.
In March 2012, TD Bank experienced a data breach in which the personal information of as many as 260,000 customers, such as account information and Social Security numbers, was exposed, resulting in a $625,000 settlement.
The attributes of the ISO/IEC 29100 privacy framework are the following:
It serves as a basis for further privacy standardization initiatives, for example a technical reference architecture, the use of specific privacy technologies, overall privacy management, assurance of privacy compliance for outsourced data processes, privacy impact assessments and engineering terms;
It defines privacy safeguarding requirements as they relate to all personally identifiable information and communication systems;
It is applicable on a wide scale, sets a common privacy terminology, defines privacy principles for processing PII, classifies privacy features and relates all described privacy aspects to existing security guidelines;
It is closely linked to existing security standards that have been widely implemented in practice;
It places organizational, technical, procedural and regulatory aspects in perspective and addresses system-specific matters at a high level; and
It provides guidance on information and communication system requirements for processing personally identifiable information, contributing to the privacy of people at an international level.
[Figure: the IMS2 methodology as a PDCA cycle with four phases: 1. Plan, 2. Do, 3. Check, 4. Act. Example steps shown: 1.5 Scope, 2.4 Communication, 2.6 Implementation of Controls, 4.1 Treatment of Non-conformities.]
IMS2 is based on the PDCA cycle, which is divided into four phases: Plan, Do, Check and Act. Each phase has between 2 and 8 steps, for a total of 21 steps. In turn, these steps are divided into 101 activities and tasks. This Practical Guide considers the key phases of the implementation project from the starting point to the finishing point and suggests the appropriate best practice for each one, while directing you to further helpful resources as you embark on your ISO/IEC 29100 journey.
[Figure: IMS2 overview for privacy framework projects: 4 phases (Plan, Do, Check, Act), 18 steps, 101 activities, and an undefined number of tasks.]
The sequence of steps can be changed (inverted or merged). For example, the implementation of the management procedure or documented information can be done before the understanding of the organization. Many processes are iterative because of the need for progressive development throughout the implementation project; communication and training are examples.
By following a structured and effective methodology, an organization can be sure it covers all minimum requirements for the implementation of the framework. Whatever methodology is used, the organization must adapt it to its particular context (requirements, size of the organization, scope, objectives, etc.) and not apply it like a cookbook.