Practical Overview on responsibilities of Data Protection Officers. Security measures



Practical Overview on responsibilities of Data Protection Officers: Security measures
Manuel Villaseca, Spanish Data Protection Agency, mvl@agpd.es

Agenda:
- The role of the DPO in security measures
- Scope
- Regulatory framework
- Concepts of information security
- Minimum requirements for the adequate protection of personal data

The role of the DPO in security measures

"To monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation."
Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Art. 37

Security manager role vs. DPO role.

Scope

- Controller, processor.
- Categories of personal data processed: citizens, employees, clients, suppliers and business partners. Special categories of personal data.
- Electronic and paper-based processing: processing of personal data by electronic means and in systematically accessible paper-based filing systems.

Regulatory framework

- Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
- Directive 95/46/EC
- The Act on Personal Data Protection (Art. 18)
- Regulation on the manner of keeping the records of personal data filing systems and the pertinent records form (Art. 15, The measures taken to protect the personal data)
- Regulation on the procedure for storage and special measures relating to the technical protection of special categories of personal data
- Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)

Regulatory framework: Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
"Appropriate security measures shall be taken for the protection of personal data stored in automated data files against accidental or unauthorised destruction or accidental loss as well as against unauthorised access, alteration or dissemination."

Regulatory framework: Directive 95/46/EC (Art. 17)
"Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected."

Regulatory framework: The Act on Personal Data Protection (Art. 18)
"Personal data in personal data filing systems shall be adequately protected from accidental or deliberate abuse, destruction, loss, unauthorized alteration or access. The personal data filing system controller and user shall be obliged to undertake appropriate technical, staffing and organisational measures aimed at protecting personal data, necessary for the protection of personal data from accidental loss or destruction and from unauthorized access, unauthorized alterations, unauthorized dissemination and all other forms of abuse, and to determine the obligation of all persons entrusted with the processing of personal data to maintain the confidentiality of these data."

Regulatory framework: Proposal for a REGULATION on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)

Recital (66): "In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks and the nature of the personal data to be protected. When establishing technical standards and organisational measures to ensure security of processing, the Commission should promote technological neutrality, interoperability and innovation, and, where appropriate, cooperate with third countries."

"The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation."

Regulatory framework: Proposal for a REGULATION on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). Tasks of the DPO (Art. 37):

(a) to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to document this activity and the responses received;
(b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits;
(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation;
(d) to ensure that the documentation referred to in Article 28 is maintained;
(e) to monitor the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32.

Concepts of information security

Information security: preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved. (ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements)

Security is the capability of networks or information systems to resist accidents or illegal or malicious actions that compromise the availability, authenticity, integrity and confidentiality of the data stored or transmitted and of the services that these networks and systems offer or make accessible, with a specific level of confidence. (MAGERIT version 2, Methodology for Information Systems Risk Analysis and Management)

- Availability: the property of being accessible and usable upon demand by an authorized entity.
- Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
- Integrity: the maintenance of the completeness and correctness of the data. Without integrity, information may appear to be altered, corrupt or incomplete. Integrity directly affects the correct performance of an organisation's functions.
- Authenticity (of who uses the data or services): there must be no doubt as to who is responsible for information or for providing a service, both in order to trust them and to follow up non-compliances or errors.

Security as an integral process
Security must be understood as an integral process, constituted by all the technical, human, material and organisational elements related to the system.

Security management based on risks
The analysis and management of risks will form an essential part of the security process and must be kept permanently updated. Risk management will allow the maintenance of a controlled environment, reducing risks to acceptable levels.

Risk analysis and management
RISK = f(threat, vulnerability, impact)

Classical method: matrix (+ or x). Risk value: from 0 to 8.

                  Threat: Low        Medium         High
Vulnerability:    L    M    H      L    M    H    L    M    H
Asset value 0     0    1    2      1    2    3    2    3    4
Asset value 1     1    2    3      2    3    4    3    4    5
Asset value 2     2    3    4      3    4    5    4    5    6
Asset value 3     3    4    5      4    5    6    5    6    7
Asset value 4     4    5    6      5    6    7    6    7    8

Criteria: acceptable level: 5.

Risk level treatment

Threat (VL, L, M, H, VH) is plotted against Impact (VL, L, M, H, VH), giving three bands:
- LOW RISK: assume
- MEDIUM RISK: treatment
- HIGH RISK: treatment + audit

Risk analysis -> Strategy (avoiding, externalising, reducing, assuming) -> Method -> Techniques (ISO 27002) -> Statement of Applicability (SoA)
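The classical matrix and the treatment decision above, coded as an added example that is not part of the original slides. It reproduces the 0..8 table as asset value + threat level + vulnerability level (L/M/H = 0/1/2) with the slide's "acceptable level: 5" criterion; the sample risk register, the control names and the assumption that a risk exactly at level 5 may be assumed are mine, not the presentation's.

```python
# Added example: the slide's additive risk matrix (risk 0..8) and the
# assume/treat decision, applied to a constructed risk register.
from typing import Dict, List

LEVEL = {"L": 0, "M": 1, "H": 2}      # Low / Medium / High for threat and vulnerability
ACCEPTABLE_LEVEL = 5                  # slide criterion: "acceptable level: 5"


def risk_value(asset: int, threat: str, vulnerability: str) -> int:
    """Risk value 0..8 as read from the slide's matrix."""
    if not 0 <= asset <= 4:
        raise ValueError("asset value must be 0..4")
    return asset + LEVEL[threat] + LEVEL[vulnerability]


def risk_matrix() -> List[List[int]]:
    """Rebuild the slide's table: one row per asset value (0..4), nine columns
    for threat L/M/H x vulnerability L/M/H."""
    return [[risk_value(a, t, v) for t in "LMH" for v in "LMH"] for a in range(5)]


def is_acceptable(risk: int) -> bool:
    # Assumption: a risk exactly at the acceptable level may be assumed.
    return risk <= ACCEPTABLE_LEVEL


def treat(entry: Dict) -> Dict:
    """Apply the deck's strategies to one register entry: 'Assuming' when the
    inherent risk is acceptable, otherwise 'Reducing' via the planned control,
    which lowers the vulnerability level; residual risk is re-read from the matrix."""
    inherent = risk_value(entry["asset"], entry["threat"], entry["vulnerability"])
    if is_acceptable(inherent):
        return {"name": entry["name"], "inherent": inherent, "strategy": "Assuming",
                "residual": inherent, "acceptable": True}
    residual = risk_value(entry["asset"], entry["threat"], entry["vulnerability_after_control"])
    return {"name": entry["name"], "inherent": inherent, "strategy": "Reducing",
            "control": entry["control"], "residual": residual,
            "acceptable": is_acceptable(residual)}


# Constructed sample register (illustrative values, not from the slides).
SAMPLE_REGISTER = [
    {"name": "HR files (special categories)", "asset": 4, "threat": "M", "vulnerability": "H",
     "control": "role-based access control", "vulnerability_after_control": "L"},
    {"name": "Website contact form", "asset": 1, "threat": "H", "vulnerability": "M",
     "control": None, "vulnerability_after_control": "M"},
    {"name": "Laptop with client data", "asset": 3, "threat": "H", "vulnerability": "H",
     "control": "full-disk encryption", "vulnerability_after_control": "M"},
]


def evaluate_register(register: List[Dict]) -> List[Dict]:
    """Treat every entry; an entry still above the acceptable level after its
    control needs another strategy from the slide (avoiding or externalising)."""
    results = [treat(e) for e in register]
    for r in results:
        if not r["acceptable"]:
            r["next_step"] = "further treatment (avoid or externalise)"
    return results


if __name__ == "__main__":
    for row in risk_matrix():
        print(" ".join(str(v) for v in row))
    for r in evaluate_register(SAMPLE_REGISTER):
        print(r)
```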

Prevention, reaction and recovery
The security of the system will include aspects such as prevention, detection and mitigation. The prevention measures must eliminate or at least reduce the possibility of the threats materialising and harming the system. The detection measures will be accompanied by reactive measures, so that security incidents are stopped in time. The recovery measures will allow the information and the services to be restored. The system will guarantee the preservation of data and information in an electronic information device. The system will ensure that the services continue to be available during the whole life cycle of the digital information.

Defense in depth
The system must have a protective strategy formed by multiple security layers. The defence lines will be constituted by organisational, physical and logical measures.

Regular re-evaluation
The security measures will be re-evaluated and updated regularly, so that their efficacy is maintained.

- Define the scope
- Define the information security policy
- Define the risk assessment approach
- Carry out the risk assessment (assess the risks)
- Select the controls
- Prepare the Statement of Applicability (SoA)
- Formulate the risk treatment plan
- Documentation
- Procedures
- Implementation of the risk treatment plan and planned controls
- Training
- Implementation of procedures
- Monitoring, reviewing, testing and audit
- Document and implement the changes identified in the check phase

Segregation of duties
Segregation of duties will be made between the party responsible for the information, the party responsible for the service and the party responsible for security. The party responsible for the security of the information systems will be different from the party responsible for providing the service. The organisation's security policy will detail the attributes of each responsible party and the mechanisms for coordination and for solving conflicts.

Minimum requirements to be established in the security policy:
- Organisation and implementation of security processes
- Risk analysis and management
- Personnel management
- Professionalism
- Authorisation and control of accesses
- Protection of the premises
- Product purchases
- Security by default
- Integrity and updating of the system
- Protection of the information stored and in transit
- Prevention in the presence of other interconnected information systems
- Recording of activity
- Security incidents
- Continuity of the activity
- Ongoing improvement of the security process

Organisation and implementation of the security process
Security will be a priority for all the members of the organisation. The security policy will identify a clear set of responsibilities for enforcing compliance, and will be known to all the members of the organisation.

Risk analysis and management
The organisation will carry out its own risk management, analysing and treating the risks to which the system is exposed. The measures adopted will be proportional to the risks.

Personnel management
Personnel will be trained and informed of their duties and obligations regarding security issues, and will apply the security principles when performing their tasks. Each user accessing the system information will be personally identified.

Professionalism
The security of the systems will be reviewed and audited. Training.

Authorisation and control of accesses
Access to the information system will be controlled and restricted to duly authorised users, processes, devices and other information systems.

Protection of the premises
The systems will be installed in separate areas, equipped with an access control procedure. The rooms will, at least, be kept closed, and the keys to such rooms will be subject to control.

Product purchases
In purchasing security products, preference will be given to those having their security functionality certified in relation to the purpose of the acquisition.

Security by default
The system will provide the minimum functionality required for the organisation to achieve its objectives, and not include any other functionality. The operating, administration and activity recording functions will be the minimum necessary. In operating systems, functions that are of no interest will be eliminated or disabled by configuration control.

Integrity and updating of the information system
All physical or logical elements will require formal authorisation before being installed in the system. The security status of the systems will be known at all times, in relation to the manufacturers' specifications, vulnerable aspects and updates that affect them, and diligent action will be taken to control the risk in view of that security status.

Protection of the information stored and in transit
Special attention will be paid to information stored in or transiting through unsafe environments (laptops, personal digital assistants (PDAs), peripheral devices, information devices and communications on open networks or ones with weak ciphering). Security includes procedures that ensure the retrieval and long-term preservation of electronic documents produced by Public Administrations. All information not contained on electronic devices that has been generated by, or is the direct consequence of, the electronic information will be protected with the same grade of security as that information.

Prevention in the presence of other interconnected information systems
The system must protect the perimeter, especially if connection is made to public networks. In all cases the risks arising from the interconnection of the system with other systems through networks will be analysed, and their connection points will be controlled.

Recording of activity
The activities of users will be recorded, allowing the person who is performing the activity to be identified at any time.

Security incidents
A procedure will be established for detecting and taking action to confront malicious code. All security incidents taking place will be recorded, in addition to the treatment actions taken. These records will be used to ensure ongoing improvement in the system security.

Continuity of the activity
The systems will use backup copies and other mechanisms to guarantee the continuity of the operations.

Ongoing improvement of the security processes
The integral security process implemented will be updated and improved continuously.

Hvala lijepa (thank you very much)