Proceedings of the International Conference on Information Technologies (InfoTech-2007), 21st-22nd September 2007, Bulgaria, vol. 1

SECURITY MEASURES RELATED WITH DATA PROTECTION. A PRACTICAL APPROACH: THE IMPORTANCE OF THE ORGANIZATIONAL MEASURES

Joaquín Pérez
Data Inspector, Telecommunication Engineer, CISA, CISM (ISACA)
e-mail: jpc@agpd.es
Spain

Abstract: The author describes in this document his own experience of more than ten years in the field of data protection security as a data inspector at the Spanish Data Protection Agency. In the presentation, the author discusses a collection of files that have been investigated, in order to illustrate the three main conclusions of this experience.

Key words: security, data protection, technical measures, organizational measures.

1. INTRODUCTION

The Spanish Data Protection Agency (SDPA: http://www.agpd.es) is an independent public body of the Kingdom of Spain in charge of data protection issues. The European Union Directive 95/46/EC establishes the principles and rights of European citizens related to personal data protection. One of these rights says that a minimum set of security measures has to be implemented for personal data protection in order to guarantee its security.

Recital 46 of the Directive says that, whereas the protection of the rights and freedoms of data subjects with regard to the processing of personal data requires that appropriate technical and organizational measures be taken, both at the time of the design of the processing system and at the time of the processing itself, particularly in order to maintain security and thereby to prevent any unauthorized processing; whereas it is incumbent on the Member States to ensure that controllers comply with these measures; whereas these measures must ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing and the nature of the data to be protected.

According to this recital, Article 17 of the Directive says the following in relation with the security of processing:

1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.

3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
   1. the processor shall act only on instructions from the controller,
   2. the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.

4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.
To sum up, we can say that the security measures for personal data must ensure an appropriate security level in its three areas, confidentiality, integrity and availability, taking into account the state of the art, the risk, the cost and the nature of the data. To reach the correct security level, an appropriate set of technical and organizational measures has to be implemented.

The European Directive has been implemented in Spanish national law through the Organic Law 15/1999. This Law establishes the same principles as the EU Directive in relation with the security of personal data and introduces a provision to develop those principles in secondary legislation. This secondary legislation was the Royal Decree 499/1999 (English version available at https://www.agpd.es/upload/reglamento_ingles_pdf.pdf), which approves the Regulation on Mandatory Security Measures for the Computer Files containing Personal Data.

This regulation classifies the security measures in three levels, basic, medium and high, bearing in mind the nature of the information processed, in relation to the extent to which it is necessary to guarantee the confidentiality and integrity of the information. The regulation establishes that all the security measures have to be drawn up in the form of a compulsory document for staff who have access to automated personal data and information systems. The security document must be kept up to date at all times, must be revised whenever relevant changes are made to the information system or to how it is organised, and must cover the following aspects, as a minimum:

a) the scope of the document, with a detailed specification of protected resources;
b) measures, standards, procedures, rules and norms to guarantee the level of security required by this Regulation;
c) the functions and obligations of staff;
d) the structure of files containing personal data and a description of the information systems on which these are processed;
e) the procedures for reporting, managing and responding to incidents;
f) the procedures for making backup copies and recovering data.

The regulation also includes provisions for all medium and high level files containing personal data: a mandatory security audit must be performed every two years, and a security officer must be defined and appointed who shall be responsible for coordinating and monitoring the measures defined in the security document. This regulation has made the Spanish public and private institutions aware of the security of personal data and has generated a new and very active market in the fields of auditing and consultancy about personal data security.
In this context, since 1999 the SDPA has been carrying out a substantial number of inspections and audits of personal data security, analysing the technical and organizational measures implemented in many private and public organizations. The presentation collects some relevant cases that have been investigated by the SDPA in order to illustrate the main conclusions:
Presentation: Security measures related with data protection. A practical approach: the importance of the organizational measures

Index:
1. Basic concepts about security
2. Some examples: the importance of the organizational measures
3. Conclusions
What about security? (diagram)
Security properties: authenticity, confidentiality, integrity, availability, non-repudiation.
Factors that determine the security level: state of the art in technology, risk, cost, nature of the data.
Means to reach it: organizational measures and technical measures.

The security in an organization: wrong approach (vertical concept of security)
Organization chart: CEO; Staff; Information Technology; Clients; Marketing; Human Resources (HH.RR); Accounting.
Security is seen as a problem of the IT Department only: "IT security".
The security in an organization: correct approach (horizontal concept of security)
Organization chart: CEO; Staff; Information Technology; Clients; Marketing; Human Resources (HH.RR); Financials.
Security is a problem of the whole organization: "information system security".
Information security governance: information security strategy; senior management commitment; security manager (CISM); definition of roles and responsibilities; assets inventory; legal and regulatory framework; policies, standards, procedures and guidelines about security; information security program investments.
Technical and organizational measures
Some technical measures: locks, doors, etc.; cipher technologies; access control devices; access logs...
Some organizational measures: lock and keys management; key management; access policy; desk without papers; log files checkup; awareness (to prevent social engineering)...

Case: a person wants to be a client of an on-line insurance company. He signs up via the Internet.
Signing-up procedure on the Internet:
1. The client fills in an application form on the web site using a secure protocol (HTTPS).
2. Basic personal data, the User ID and the passwords to be used in the future have to be submitted by the new client.
3. After the client is signed up, the company sends the client a welcome email including the User ID and passwords.
4. The contract says that the client is responsible for the use of the User ID and passwords.

Very important insurance company: the procedure does not guarantee the univocal identification of the user.
Case: a person wants to be a client of an on-line bank. He signs up via the Internet.

Password distribution protocol: passwords have to be known only by the user.

Log files checkup: political scandal in the Regional Parliament of Madrid.

Log files checkup: employment history of a worker obtained from the social security files.

Desk without paper policy: what happens at the workplace after the working hours are over (from 17:00 to 9:00)?

Employee awareness: what has an employee been informed about? Prevention of social engineering (part of the labour contract).

The internal information of the company.

Messages to employees:
Protect the information, its security depends on you. Do not share your passwords.
The information is an asset of the company: protect it. The security of information depends on you.
Use the paper shredder, never the basket. The security of information depends on you.
Fatal error: a person wants to be a client of an on-line bank. He signs up by telephone.

Signing-up procedure:
1. The client asks the bank for the signing up by telephone.
2. The tele-operator asks the new client for his User ID and passwords.
3. When the client uses his User ID and password on the Internet, he gets access to the account of another client.
Identification and authentication system (diagram): the client reaches the bank either through the call center or through the Internet.

Identification: a unique sequence of 8 numbers defined as the data base key; the client has to provide the 8 numbers to get access (100 million possible User IDs), for example 7 5 3 8 0 1 3 5.
Password: a sequence of 8 numbers; the client has to provide the digits at 2 random positions to get access (100 million possible passwords), for example 2 3 5 2 5 3 5 6.

(Diagram: the client identifies himself with User ID 75380135 and password 2352 5356, through the call center or over the Internet.)

Client 2 (the denouncer), date of birth 30-07-1978: User ID 2 4 6 8 0 1 3 5, password 3 0 0 7 1 9 7 8. The tele-operator assigned the birthday as the password. The connection was off line when the denouncer signed up, so the data base key control was not performed for the User ID: User ID 24680135 already existed in the data base for client 1.

Client 1 (his data was seen by the denouncer), date of birth 19-01-1956: User ID 2 4 6 8 0 1 3 5, password 1 9 0 1 1 9 5 6. This User ID is also the identification of client 1; no data base key control was performed.
Client 2 (the denouncer), date of birth 30-07-1978: User ID 2 4 6 8 0 1 3 5, password 3 0 0 7 1 9 7 8.

Conclusion of the case (vertical security concept: organization chart with President; Staff; Information Technology; Clients; Marketing; Human Resources (HH.RR); Financials; security seen as a problem of the IT Department only):
a) Wrong security strategy (the security policy is not according to the organization's goals).
b) Security had been a problem of the IT Department (vertical security concept).
c) The Clients Department had not been involved in the definition of the security procedures.
d) Technical and organizational measures unbalanced.
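The two records of the case, replayed in Python as an added example (this code is not from the paper or from the bank's system): the flawed telephone enrolment appends the record without checking the data base key and uses the date of birth as the password, while the enrolment with key control is my assumed correction. The challenge positions (5 and 6) are constructed so that both passwords happen to share those digits, and the behaviour of a lookup over duplicate keys (first record wins) is also an assumption.

```python
import secrets

def enrol_by_phone(db, user_id, date_of_birth, name):
    """Flawed procedure from the case: the tele-operator's record is added
    off line, the User ID is never checked against the data base key and the
    password is the client's date of birth written as ddmmyyyy."""
    db.append({"user_id": user_id, "password": date_of_birth, "name": name})

def enrol_with_key_control(db, user_id, name):
    """Corrected procedure (assumed, not from the paper): refuse a User ID that
    already exists and issue a random 8-digit password that only the user
    receives, so the operator never chooses or learns it."""
    if any(rec["user_id"] == user_id for rec in db):
        raise ValueError(f"User ID {user_id} already exists in the data base")
    password = "".join(secrets.choice("0123456789") for _ in range(8))
    db.append({"user_id": user_id, "password": password, "name": name})
    return password

def lookup(db, user_id):
    """Assumed lookup behaviour: with duplicate keys the first record wins."""
    return next((rec for rec in db if rec["user_id"] == user_id), None)

def login(db, user_id, answers):
    """The bank's check: the client gives the digits found at two random
    1-based positions of the 8-digit password; answers maps position -> digit."""
    rec = lookup(db, user_id)
    if rec is None or not all(rec["password"][p - 1] == d for p, d in answers.items()):
        return None
    return rec["name"]  # the account the client is let into

def replay_case():
    """Constructed replay of the two records described in the case."""
    db = []
    enrol_by_phone(db, "24680135", "19011956", "client 1")              # born 19-01-1956
    enrol_by_phone(db, "24680135", "30071978", "client 2 (denouncer)")  # born 30-07-1978
    # Client 2 answers positions 5 and 6 from his own password ("1", "9"); client 1's
    # password has the same digits there and the duplicate key resolves to client 1.
    return login(db, "24680135", {5: "1", 6: "9"})

def replay_case_with_key_control():
    """Same enrolments with the corrected procedure: the second one is refused."""
    db = []
    enrol_with_key_control(db, "24680135", "client 1")
    try:
        enrol_with_key_control(db, "24680135", "client 2 (denouncer)")
    except ValueError as err:
        return str(err)
    return "duplicate User ID accepted"
```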
Technical measures: the complexity of the technical measures can provide a false feeling of security, e.g. the risks on the Internet.

Internet security (diagram): Internet (unprotected zone) - firewall - web server (demilitarized zone, DMZ) - firewall - application server and data base server (protected zone).
Internet risks: SQL injection, session hijacking, web errors, log (GET), etc.
Measures: cipher (SSL), digital signature, firewalls, IDS.
Conclusions (diagram): the equation of security. Security properties: authenticity, confidentiality, integrity, availability, non-repudiation. Factors: state of the art in technology, risk, cost, nature of the data. Means: organizational measures and technical measures, with information security strategy and governance. Information systems security: YES. Information technology security: NO. Technical and organizational security measures appropriate and balanced.

2. CONCLUSION

A first conclusion is that organizations approach the problem of security in a wrong way, thinking that security is only a problem of the Information Technology (IT) Department (IT security) instead of a problem of the entire organization (information system security).

A second conclusion is that although organizations make very serious efforts and spend a lot of money on technical measures in order to improve their security, in many cases the organizational measures implemented are not enough, whereas a balance between these two kinds of measures is imperative. This weakness in the organizational measures can jeopardize the effectiveness of the technical measures implemented and, obviously, the security and the investment in this field.

Finally, the third conclusion is that the enemy is inside. In almost all of the cases that have been investigated by the SDPA, the origin of the problem was inside the organization: disloyal employees, errors in system configurations, etc. Actually, in very few of the cases investigated by the SDPA was there an attack from outside the organization.