Privacy and Security Assessment. Technical Security and Data Privacy in a Single Process.

Transcription

1 Privacy and Security Assessment. Technical Security and Data Privacy in a Single Process. Deutsche Telekom AG Friedrich-Ebert-Allee 140 D Bonn

2 Contents. 2 Technical Security and Data Privacy at Deutsche Telekom 2 Foreword 4 Privacy and Security Assessment 4 Scope of validity 6 Objectives 8 Consulting approach 10 Interrelationship between project and system level 12 Benefits of the process 14 Opinions on the process 16 Annex 16 Glossary 17 Publication details / Contact

3 Foreword 2 3 Technical Security and Data Privacy at Deutsche Telekom. Dear Readers, This brochure is designed to explain the Privacy and Security Assessment process (PSA process) a core element in safeguarding technical security and data privacy at Deutsche Telekom. One of the main objectives of the Data Privacy, Legal Affairs and Compliance (DRC) Board of Management department is to ensure a suitable level of security and data privacy. Since the DRC department was set up, our two Group IT Security (GIS) and Group Privacy (GPR) units have been cooperating increasingly in this Board of Management department. The technical and organizational requirements of GIS and GPR are closely linked in terms of content. Against this background, we developed the PSA process in 2009, with the common goal of integrating the fulfillment of technical security and data privacy requirements at an early stage in the relevant Deutsche Telekom development processes. The new standardized process implements security and data privacy requirements as part of product and system development, thus ensuring greater transparency, improved project support as well as a suitable level of protection for our products. The PSA process has enabled us to put in place the foundation for uniform support in relation to security and data privacy issues. All development projects that create or change IT or NT systems are categorized, taking into account the data being processed, attack vulnerability from the public Internet (hereinafter referred to as criticality) as well as complexity. Security and data privacy experts provide ongoing consulting and review functions for highly critical and complex projects. Before such projects go live, they need to be explicitly approved. Standardized requirements are provided for less complex and less critical projects. These requirements enable the responsible employees themselves to achieve a suitable level of security and data privacy. This is confirmed by a Statement of Compliance, which is archived for documentation purposes. In 2010, the PSA process was integrated into the key product and system development processes in Germany as well as on a cross-functional Group level. More than 2,000 projects undergo the PSA process every year. In future, the process will also be applied at Deutsche Telekom s international subsidiaries. The PSA process already enjoys a high level of acceptance throughout the entire Group. It received the seal of quality according to the internationally recognized ISO certificate and has also served as a role model outside the company. Yours, Dr. Stefan Pütz PSA process owner for technical security Stefan Pütz has been head of Production Infrastructure Security within Group IT Security (GIS) in the Data Privacy, Legal Affairs and Compliance Board of Management department since Together with Dr. Kornel Knöpfle, he is responsible for the PSA process and manages its further development from a security perspective. Stefan Pütz started out at Deutsche Telekom in 1997 and has since been in charge of various technical security areas. He studied electrical engineering, specializing in communications engineering, at the University of Siegen and completed a doctorate in the security of modern mobile communications systems. Dr. Kornel Knöpfle PSA process owner for data privacy Kornel Knöpfle has been working for Deutsche Telekom since He has been in charge of Privacy Audit & Technical Knowhow Management within Group Privacy (GPR) in the Data Privacy, Legal Affairs and Compliance Board of Management department since April Together with Dr. Stefan Pütz, he has developed the PSA process, which he supports from a data privacy perspective. Prior to this, Kornel Knöpfle spent several years at T-Online International AG in Darmstadt, holding various management posts in the IT Strategy and IT Security department. Kornel Knöpfle has a doctorate in physics from the Technical University of Darmstadt. Dr. Stefan Pütz Dr. Kornel Knöpfle PSA process owners for technical security and data privacy

4 Scope of validty 4 5 Scope of validty. Summary Integration of security and data privacy in product and system development. Consulting, documentation and approval regarding technical security and data privacy. PSA mandatory in Germany; international roll-out in The PSA process standardizes key activities in the area of technical security and data privacy, and governs the creation of security and data privacy concepts for IT or NT systems. The process is also used to provide support and advice from GIS and GPR experts, as well as to ensure approval of systems from a security and data privacy law perspective. The PSA process is used in product or system development when new systems are created or existing systems are updated technically or in terms of the type of data processing. Typically, new systems are created or systems are updated in the course of versioning (new release). This process ensures that the changes caused by the new version are adapted in the data privacy and security concept. The PSA process can be used on all IT or NT systems, regardless of their range and complexity. The new PSA process completely replaces all older requirements for drawing up security and data privacy concepts. However, in order to ensure a smooth transition from the old to the new process, existing security and data privacy concepts continue to apply until the end of Up to this point, managers can decide whether to continue applying the old concepts or to switch to the new ones. The use of the PSA process is mandatory for all German companies as well as for all Deutsche Telekom common projects, provided they are to be managed from Germany. In the course of 2011, the PSA process will be gradually rolled out in the Deutsche Telekom international subsidiaries in close cooperation with the IT and technology units in a form geared to local circumstances. The roll-out will be conducted jointly with the Corporate IT security organization. International roll-out of the PSA process. Roll-out complete Roll-out in the pipeline

5 Objectives 6 7 Objectives. Summary Safeguarding a uniform, suitable level of security and data privacy. Integrated process for technical security and data privacy. Project support level according to to project complexity and criticality. GIS and GPR establish important fundamentals within Deutsche Telekom for reliable products that also satisfy strict requirements for security and data privacy. They have introduced the PSA process jointly in order to ensure that all development projects within the Group can satisfy requirements for technical security and data privacy. Group IT Security (GIS) GIS is responsible for technical security within Deutsche Telekom. Therefore a suitable level of security needs to be defined and implemented using suitable measures. Group Privacy (GPR) GPR determines the Group s strategic alignment in terms of data privacy and defines the requirements from a legal, technical and organizational perspective. It also represents the Group in all data privacy matters, both internally and externally. Security Platform SDSK Detailed Design Realization Design Initial Rollout Idea Standardization Comp liance Systems Privacy Concept Data Privacy Implementation Pro ject Manager Criticality Benefit Feasibility Study Privacy Requirements Sytem Owner Secur ity Requirements PSA-Template DRC PSA Process Live Operation GPR Products GIS Security Level PMT suitable appropriate Realization The new process addresses the following aims: A consistent and adequate security and data privacy level in all products, systems and platforms that are updated or created from scratch. An integrated process for technical security and data privacy as a component of the product and system development processes. A support level adapted to project complexity and criticality through the introduction of categorization at the start of each development project. Deutsche Telekom operates several thousand different IT systems and network platforms. This implies a huge challenge integrating security and data privacy in a single process. These IT systems and network platforms are designed, implemented and constantly developed further via a host of different processes as well as through the involvement of functional and technical stakeholders. It is an extremely complex undertaking to set up a single procedure ensuring technical security and data privacy throughout the entire system landscape. Additionally this new procedure has to be integrated functionally into the existing development processes.

6 Consulting approach 8 9 Consulting approach. Summary Integration in the product and system development processes. Categorization in terms of security and data privacy relevance. Approval prior to live operation. The following drawing describes the PSA process methodology along a generic development process. It explains the integration in the development process as well as the differences that result depending on the particular project categorization. The PSA process at a glance. Initial idea Feasibility study Detailed design Realization Operation Gate: Start of project Gate Gate Gate: Live operation Categorization A B C Assign consutant and requirements Identification of requirements Sample tests Sample tests Creation of security and data privacy concept (SDSK) Project consulting concerning SDSK Creation of security and data privacy concept Approval Self declaration / Review by local security organizations Sample tests Integration in the development processes. The PSA process is integrated into Deutsche Telekom s main development processes, which basically follow the generic model of a development process presented here (initial idea feasibility study detailed design realization operation). At the decision gates between each process step, a decision is made as to whether the next process step is to be taken. This requires an explicit gate decision by the responsible management. The PSA process is linked to the decision gates at the start of the project and at the launch of live operation. At the start of the project, in the idea generation phase, the project is categorized in terms of its security and data privacy relevance. At the end of the realization phase, i.e., before the launch of live operation, the PSA process must have been completed successfully. As such, all necessary approvals must be in place. If live operation is subject to certain conditions, the resulting measures must be implemented by the time the project is completed. If GIS and GPR are not directly involved in consulting the project, the effectiveness of the PSA process is tested on a sample basis. Project categorization. Before the decision gate for the start of the project, a project manager categorizes his project using a categorization tool. This tool determines in three different categories (A, B, C) the criticality and complexity of the requirements resulting from the project in terms of technical security and data privacy. This defines the level of detail on the basis of which the project is consulted and approved. The categorization is based on characteristics such as processing of particularly sensitive data, the complexity of the platforms or systems, or the strategic and financial significance of the products. Relevance and level of support of the projects. Category Relevance/level of support/approval Distribution by percent* A B C * Distribution of the categorization in High relevance, as projects are complex and/or critical. The project is supported, advised and approved directly by security and/or data privacy experts from GIS and GPR. Relevant, but projects are less complex with less sensitive data. Standard requirements are implemented by the project teams themselves, with support from local security organizations if required. Approval is given through a self-declaration by the project manager and, if appropriate, is reviewed by local security organizations; GIS and GPR review these approvals on a sample basis. No changes or generally irrelevant. The projects do not result in any changes relevant for security and/or data privacy. No approval is required; GIS and GPR review the project categorizations on a sample basis. 46 % 35 % 19 %

7 Interrelationship between project and system level Interrelationship between project and system level. Summary Documentation of project categorization and approval in the PSA template. Documentation of implementation of security and data privacy requirements and approvals in the SDSK. The PSA process is based on two central documents: the PSA template and the standardized data privacy and security concept (SDSK). PSA template. The PSA template is the form used to document the project categorization and approval. It is prepared by the project manager at project level. Project approval is generally only given and documented in the PSA template once all systems have been approved. As such, the approval of all systems in the PSA template is the prerequisite for project approval for live operation. SDSK. The SDSK is drawn up and updated for each system by the system owner. The system owner is responsible for ensuring the respective system meets the requirements for technical security and data privacy. He documents the implementation of security and data privacy requirements at IT or NT system level as well as their approval or self-declaration in the SDSK. The role and area of responsibility of the system owners are not dependent on specific projects and apply for the entire life cycle of a system. Privacy and Security Assessment Documentation on project categorization and approval Textbox Project information Headline Project name: Short text Project contact: Name, phone number Privacy Assessment Cat. Approval (A) unconditional A conditional* not issued* Date, name, org. unit Self Declaration (B1/B2) poss. Assessment local DPC B1 unconditional B2 conditional* not issued* Date, name, org. unit Date, name, org. unit C No information 1. Development process: PMT, RLT etc. Project number: SAP no., PMT no., RLT no. Security Assessment Categorization Cat. Approval (A) Embed the completed unconditional categorization tool here (using Objekt einfügen A conditional* [Insert object], als Symbol not issued* [as symbol]). Link to the tool: Date, name, org. unit Wiki-link to the Self Declaration (B) poss. Assessment local PSM B categorization tool unconditional conditional* not issued* Date, name, org. unit Date, name, org. unit Version: x.y C No information Date: dd.mm.yyyy Confirmation of Data Privacy and Security system approvals for new or modified IT/NT systems System owner Data Privacy system Approval / Self declaration / poss. Assessment Security system Approval / Self declaration / poss. Assessment System Release Cate- Uncon- Con- Not Approval / Self Possible name Approval / Self Possible Categorditionaditional issued Uncon- Con- Not Name, phone Org. unit Declaration Assessment gory ditional ditional issued Declaration Assessment (name) (name) (name) (name) System 1 No. Name, phone Org. unit A name n.a. X A name n.a. X System 2 No. Name, phone Org. unit A name n.a. X A name n.a. X System 3 No. Name, phone Org. unit A name n.a. X A name n.a. X System 4 No. Name, phone Org. unit C n.a. n.a. B name (name) X 2. Notes on the PSA template. 1. Documentation of project categorization and approval by the project manager, the security and data privacy experts from GIS and GPR or the local security and data privacy units. 2. List of newly created or modified IT or NT systems concerned including approval status. Notes on the SDSK. 1. The SDSK consists of: System description Data privacy information Authorization concept Requirements catalogs Action plan System categorization 2. Since the SDSK is maintained over the entire lifecycle of a system, it includes the update of the particular releases, including the release status. Standardized Data Privacy and and Security Concept (SDSK) System Textbox System information headline System System name: name: Short Short text text SDSK SDSK version: version: No. No. Last Last update: update: xx.xx.xxxx System System Identifier: e.g. e.g. App-ID, App-ID, ICTO-ID ICTO-ID System System owner: owner: Name Name Org. Org. unit: unit: Org. Org. Phone Phone no.: no.: (xxx) (xxx) xxxxxxxx xxxxxxxx Documentation on the on the Standardized Data Data Privacy Privacy and and Security Security Concept 1. System System description Authorization concept concept Data Data privacy privacy info info Requirements catalog catalog Embed Embed the system the system description description as a as a Embed Embed the authorization the authorization concept conceptembed Embed the completed the completed data Privacy data Privacy Embed Embed both the both completed the completed SoCs as SoCs as Action Action plan plan Embed Embed the completed the completed action action Categorization Optional Optional (** see (** backside) see backside) file here. file Link here. to Link the template: to the template: as a file as here. a file Link here. to Link the template: to the template: information information as a file as here: a file here: a file here: a file here: plan as plan a file as here. a file Link here. to Link the to the Embed Embed the categorization the categorization tool tool Weblink Weblink to the to data the data Weblink Weblink to the to Data the Data template: template: for systems for systems as a file as here. a file here. privacy info for info category for category A A Privacy Privacy SoC SoC Weblink Weblink to the to template the template Weblink Weblink to the to template the template of ofweblink Weblink to the to template the template of of privacy Weblink Weblink to the to the and B1 and B1 of the of action the action plan plan the system the system description description the the authorization concept concept Weblink Weblink to the to Security the Security categorization tool tool Weblink Weblink to the to data the data SoC SoC privacy privacy info for info category for category B2 B2 Date: Date: dd.mm.yyyy dd.mm.yyyy Date: Date: dd.mm.yyyy dd.mm.yyyy Date: Date: dd.mm.yyyy dd.mm.yyyy Date: Date: dd.mm.yyyy dd.mm.yyyy dd.mm.yyyy dd.mm.yyyy Date: Date: dd.mm.yyyy dd.mm.yyyy Date: Date: dd.mm.yyyy dd.mm.yyyy Change Textbox Change history history Headline 2. SDSK SDSK Vers. Vers. Data Data Privacy Privacy Approval Approval (GPR)/ (GPR)/ Self declaration Self declaration (specialist (specialist unit) unit) /poss. /poss. Security Security Approval Approval (GIS)/ (GIS)/ Self Declaration Self Declaration (specialist (specialist unit) /poss. unit) /poss. Assessment Assessment local local PSM PSM Assessment local local DPC DPC System System Rel. Rel. Data Data Date Date Approval/ Approval/ Poss. Poss. Assessmenment local local DPC DPC condi- condi- tional tional issued issued Category Category decl. decl. ment ment local local condi- condi- di- di- issued issued Assess-Un- Un- Condi- Condi- Not NotSecurity Security Date Date Approval/ Approval/ Self Self Poss. Poss. Assess- Assess- Un- Un- Con- Con- Not Not Privacy Privacy Self decl. Self decl. Category Category (name) (name) (name) (name) tional tional (name) (name) PSM (name) PSM (name) tional tional tional tional B1 B A A name name (name) (name) X name name n.a.* X X n.a.* X C C A A n.a.* n.a.* n.a.* n.a.* X n.a.* n.a.* n.a.* n.a.* X B1 B C C name name (name) (name) X name name n.a.* X n.a.* B1 B A A name name (name) (name) X name name n.a.* X X n.a.* X * A system * A system approval approval is not is required not required if no if data no data privacy privacy or or security-relevant changes changes are made are made with with the release the release of the of IT/NT the IT/NT system. system. Version Version 1.1 Feb Feb Classification according to information security guideline: internal Version 1.1 ( ) * If an approval is rejected or has only been issued with conditions, then please attach an informal document to this template (or embed it electronically) which documents the respective conditions or justifies the rejection. Classification according according to to Information Security Security Guideline: Guideline: Confidential

8 Benefits of the process Benefits of the process. Summary Greater structure and transparency of security and data privacy work. Suitable level of security and data privacy thanks to standardized procedural model. Greater efficiency thanks to early integration. The roll-out of the Privacy and Security Assessment (PSA process) gives more structure and transparency to Deutsche Telekom s security and data privacy work. The process gives development projects a uniform and suitable level of security and data privacy, which is documented efficiently in standardized templates. Project support for technical security and data privacy is provided along a uniform procedural model. This procedural model helps to ensure that all security and data privacy requirements are identified early on. Prompt integration has the advantage of preventing costly reworking and unnecessary compromises. The benefits of the PSA process at a glance. Benefit Description of the benefit Consistency Technical security and data privacy are reviewed and evaluated based on uniform requirements and criteria. Reduction in effort Redundant documentation is minimized as a result of uniform, standardized templates. Timeliness Integration into development processes ensures technical security and data privacy are incorporated into the relevant topics at an early stage. Optimization of resources Project prioritization ensures that critical, complex projects are supported by experts from GIS and GPR. It also prevents projects from possibly having to be stopped before going live as a result of GIS and GPR involvement that is too late. Thanks to the project cate gorization, GIS and GPR can optimally focus the level of consulting for technical security and data privacy on the key issues, and hence sustainably support rapid project work. Reliable implementation The modular, requirement-based approach enables the project teams to ensure implementation.

9 Opinions on the process Opinions on the process. External opinions on the PSA process Internal opinions on the PSA process Bernhard Petri Monika Wojtowicz Peter Rothfeld and Ingo Vasen Dr. Ralf Schneider Boris Riese Andreas Hörnes Nokia Siemens Networks GmbH & Co KG, Head of CTO Security Team Munich LL.M., TÜV Informationstechnik GmbH, TÜV NORD group of companies, Head of the TÜV Data Protection and Evaluation Center External auditors at DQS GmbH, Deutsche Gesellschaft zur Zertifizierung von Managementsystemen, as part of ISO certification Chief Compliance Officer, Telekom Deutschland GmbH Head of Group Audit Information & Communication Technology, Deutsche Telekom Head of Competence Center Subscriber Data Management, Group Technology, Deutsche Telekom Deutsche Telekom developed the PSA process to ensure compliance with security and data privacy specifications in products, systems and platforms. Thanks to its security specifications, the process fully covers issues of technical security and ensures implementation of secure solutions in the Deutsche Telekom network. The PSA process is well thought-out and important. The PSA process provides NSN as a telecommunications vendor with a process that complements its own security processes and supports rapid project acceptance. As part of our data privacy audit and certification, the SDSK was submitted to us as documentation and as the basis for the audit. Deutsche Telekom is way above the general standard with this consolidated documentation of data privacy and security aspects and the technical/organizational measures implemented. Based on our long-standing experience in auditing and certification, the SDSK is an extremely positive development. As part of ISO certification of Deutsche Telekom s centralized security management, the PSA process was also presented as a service process provided by Group IT Security. The process was rated positively in the certification process as a good, sensible way of prioritized processing development projects in respect of data privacy and security. The PSA process ensures that the security requirements for IT and NT systems developed by Group IT Security are taken into account in the IT and NT projects and actively supported by Group IT Security as part of the associated operational implementation. Technical security and data privacy are crucial to the commercial success of Telekom Deutschland GmbH. That s why exacting requirements need to be made of their implementation. The Privacy and Security Assessment process is a key component in meeting these requirements. As Chief Compliance Officer at Telekom Deutschland I therefore emphatically welcome this standardized process as it contributes to our compliance with legal provisions and internal guidelines, helping ensure the reputation of our company is not tarnished. The PSA process involves the rollout of an entirely logical, process-oriented model, which systematically envisages for the first time the inclusion of security and data privacy requirements as part of system implementations and modifications as an integral component of the development processes. I therefore explicitly welcome it and wish all my colleagues a great deal of success. The PSA process is extremely important from a security and data privacy perspective, especially for a system platform such as the CNTDB (Common Network Technology Data Base) with centralized subscriber data storage. At the end of the process you have a platform that is certified in accordance with security and data privacy requirements. The PSA process offers a harmonized, standardized procedural model for creating security and data privacy concepts; the modular structuring of platform documentation reduces the cost in the case of subsequent changes managed by projects. In addition to this valuable, compact platform and project documentation, the data privacy and security concept also provides an agreed roadmap for further improvement measures.

10 16 17 Annex. Glossary. Action plan Documentation of measures through which the requirements will be met in future Authorization concept Description of roles and access rigths Data privacy information Description of the purpose of processing personal data or data that can be traced back to a given individual in the IT / NT system concerned DRC Data Privacy, Legal Affairs and Compliance Board of Management department GIS Group IT Security GPR Group Privacy IT or NT system Systems that process or transmit information in electronic form. These generally consist of a number of computer systems or network elements with the same or similar purpose, e.g. servers, IT or NT networks and platforms PSA The PSA process is intended to ensure a suitable level of data privacy and security Requirements catalogs Documentation of the degree of compliance with technical security and data privacy requirements SDSK Standardized data privacy and security concept System description Documentation of the responsibilities, along with functional and technical system description Publication details. Deutsche Telekom AG Group IT Security / Group Privacy Friedrich-Ebert-Allee 140 D Bonn, Germany Design: HGB Hamburger Geschäftsberichte GmbH & Co. KG Last revised: March 2011 Contact. Group IT Security: SecurityDemandManagement@telekom.de Group Privacy: datenschutz@telekom.de