Protecting Personal Information

1. For information privacy, protecting personal information (which is sometimes referred to as personal data or personally identifiable information) starts with privacy by design; includes determining which information security privacy controls are needed; and continues through ensuring those controls are successfully designed, engineered, deployed and monitored in whatever it is (e.g., product, service, IT system, business process) that is processing personal information.

8.1 Privacy by Design

1. Originating in the mid-1990s and developed by Ann Cavoukian, former information and privacy commissioner of Ontario, the Privacy by Design (PbD) framework dictates that privacy and data protection are embedded throughout the entire lifecycle of technologies, from the early design stage through deployment, use and ultimate disposal or disposition.

2. PbD consists of seven foundational principles:

   1. Proactive, not reactive; Preventative, not remedial. PbD anticipates and prevents privacy invasive events before they happen, rather than waiting for privacy risks to materialize.

   2. Privacy as the default. No action is required by individuals to maintain their privacy; it is built into the system by default. This concept has been introduced in the EU General Data Protection Regulation (GDPR).

   3. Privacy embedded into design. Privacy is an essential component of the core functionality being designed and delivered. The FTC has adopted this principle in its consumer privacy framework, calling for companies to promote consumer privacy throughout the organization and at every stage of product development.

   4. Full functionality—positive-sum, not zero-sum. PbD seeks to accommodate all legitimate interests and objectives, rather than making unnecessary trade-offs.

   5. End-to-end security—full lifecycle protection. Strong security measures are essential to privacy, from start to finish of the lifecycle of data.

   6. Visibility and transparency. Component parts and operations remain visible and transparent to users and providers alike. Visibility and transparency are essential to establishing accountability and trust.

   7. Respect for user privacy. Above all, PbD requires keeping the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options.

8.1.1 Paradigm of Privacy by Design

1. The PbD paradigm ensures that privacy and security controls are aligned with an organization’s tolerance for risk, its compliance with regulations, and its commitment to building a sustainable privacy-minded culture. Notably, though, the paradigm is not a formal security/privacy engineering process [i.e., a system development lifecycle (SDLC)].

2. The qualities of the paradigm include:

   1. Being proactive. By default, privacy controls are part of the system engineering requirements. They are tested for effectiveness and monitored continuously.

   2. Embedded privacy controls. This involves putting them into systems and applications, auditing them for regulatory compliance, and evaluating them when new threats to information systems are discovered.

   3. Demonstrating respect for users. Privacy and security controls coexist transparently to a user. They do not diminish the necessary authorizations to access data. The protection of organizational information assets is enabled without unnecessary trade-offs

1. 4. Privacy has historically been viewed as an impediment to innovation and progress, but that’s so yesterday and so ineffective as a business model. Without user trust, technologies can’t move forward.

8.2 Data Protection by Design and by Default

1. Following are Article 25 from Chapter IV of the EU GDPR and Recital 78, which articulate what is meant by data protection by design and default from an EU perspective. While different in language and principles, they are highly similar in concept and in goal: that information privacy should be built in to the design process and not added on as an afterthought.

8.3 Diagramming Privacy by Design

1. One way to approach PbD is to visually lay out, at a high level, data flow diagrams, include administrative and end users, first-party and third-party processors, and geographic locations (see Figure 8-3), then add the data flow (see Figure 8-4).

Next, begin to work through likely, less likely, and edge-case risks (harms, threats, vulnerabilities) and, with each, identify what privacy and information security controls are warranted or what must change about the design (see Figure 8-5).

8.4 Information Security

1. Whether you use PbD, the GDPR’s Article 25 data protection by design and default, or privacy engineering as the means to design, develop, deploy, manage and retire things that process personal information, throughout the things lifecycle, there will be a dependency on information security in the protection of the data that is being processed.

2. Therefore, as a privacy program manager, it is important to understand the connections and disconnects information security has with information privacy.

8.4.1 Confidentiality, Integrity, Availability

1. Information security aims to ensure the confidentiality, integrity and availability of information throughout the data lifecycle. Confidentiality, integrity and availability are often referred to as CIA. Confidentiality means prevention of unauthorized disclosure of information. Integrity ensures information is protected from unauthorized or unintentional alteration, modification or deletion. Availability means information is readily accessible to authorized users.

8.4.2 Information Security Practices

1. Like information privacy, information security involves a continual, ongoing set of practices that are applied throughout the data lifecycle—from creating/collection of data to its destruction. Information security defines risk as the combination of the probability of an event and its consequence (ISO/IEC 73).

2. Information security builds upon risk management practices to provide:

   1. Identification of risk

   2. Selection and implementation of controls and measures to mitigate risk

   3. Tracking and evaluation of risk to validate the first two parts

   4. Examples of information security risks include:

      1. Technology with weak security

      2. Social media attacks

      3. Mobile malware

      4. Third-party entry

      5. Neglect of proper configurations

      6. Outdated security software

      7. Social engineering

      8. Lack of encryption

      9. Corporate data on personal devices

      10. Inadequate security technology

8.4.3 Controls

1. Information security uses controls to manage risk. ISACA defines controls as “The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature.”

2. Controls are divided into the following categories:

   1. Preventive controls are intended to prevent an incident from occurring. They are used to avoid undesirable events, errors and other occurrences that an enterprise has determined could have a negative impact on a process or end product (e.g., by locking out unauthorized intruders).12

   2. Detective controls are intended to identify and characterize an incident in progress. They detect and report when errors, omissions and unauthorized uses of entries occur (e.g., by sounding an alarm and alerting the appropriate person).13

   3. Corrective controls are intended to limit the extent of any damage caused by the incident. They are designed to correct errors, omissions and unauthorized uses and intrusions once they are detected (e.g., by recovering the organization to normal working status as efficiently as possible).14

   4. Physical controls govern physical access to hard copies of data and the

systems that process and store electronic copies (e.g., fences, doors, locks

and fire extinguishers).15

1. 5. Administrative or policy controls govern an organization’s business practices (e.g., incident response processes, management oversight, security awareness and training, policies regarding how the organization handles data).16

   6. Technical controls govern software processes and data [e.g., user authentication (login) and logical access controls, antivirus software, firewalls].17

8.4.4 Information Security Standards

1. Information security practices use standards and guidelines for consistent application of management, technical, and operational controls to reduce the risks to confidentiality, availability, and integrity of information.

2. The best known and most prominent are the International Organization for Standardization (ISO) Standards. ISO/IEC 27001 Annex A contains a summary of security controls, while ISO/IEC 27002 examines controls and control objectivesin more depth. These include:

   1. ISO/IEC 27000. Information security management systems. Overview and vocabulary. ISO/IEC 27000:2018 provides the overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the ISMS family of standards.

   2. ISO/IEC 27001. Information security management systems— Requirements. ISO/IEC 27001 is the best-known standard in the family providing requirements for an ISMS. What is an ISMS? An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.

   3. ISO/IEC 27002. Code of practice for information security management. ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls taking into consideration the organization’s information security risk environment(s).

   4. ISO/IEC 27003. Information security management system implementation guidance. ISO/IEC 27003:2017 describes the process of ISMS specification and design from inception to the production of dimplementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS, and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.

   5. ISO/IEC 27004. Information security management—Measurement. ISO/IEC 27004:2016 provides guidelines intended to assist organizations in evaluating the information security performance and the effectiveness of an information security management system.

   6. ISO/IEC 27005. Information security risk management. ISO/IEC 27005:2018 provides guidelines for information security risk management and is designed to assist the satisfactory implementation of information security based on a risk management approach.

   7. ISO/IEC 27006. Requirements for bodies providing audit and certification information security management systems. ISO/IEC 27006:2015 specifies requirements and provides guidance for bodies providing audit and certification of an ISMS. It is primarily intended tport the accreditation of certification bodies providing ISMS certification.25

   8. ISO/IEC 27010. Information technology, security techniques, information security management for inter-sector and interorganizational lcommunications. ISO/IEC 27010:2015 provides guidelines in addition to the guidance given in the ISO/IEC 27000 family of standards for implementing information security management within information-sharing communities.26

   9. ISO/IEC 27011. Information security management guidelines for telecommunications organizations based on ISO/IEC 27002. The scope of Recommendation | ISO/IEC 27011:2016 is to define guidelines supporting the implementation of information security controls in telecommunications organizations.

   10. ISO/IEC 27031. Guidelines for information and communications technology readiness for business continuity. ISO/IEC 27031:2011 describes the concepts and principles of information and communication technology (ICT) readiness for business continuity and provides a framework of methods and processes to identify and specify all aspects (such as performance criteria, design, and implementation) for improving an organization’s ICT readiness to ensure business continuity.28

   11. ISO/IEC 27033-1. Network security overview and concepts. ISO/IEC 27033-1:2015 provides an overview of network security and related definitions. It defines and describes the concepts associated with, and provides management guidance on, network security.29

   12. ISO/IEC 27035. Information security incident management. ISO/IEC 27035-1:2016 is the foundation of this multipart international standard. It presents basic concepts and phases of information security incident management and combines these concepts with principles in a structured approach to detecting, reporting, assessing, and responding to incidents, and applying lessons learnt.30

   13. ISO 27799. Information security management in health using ISO/IEC 27002. ISO 27799:2016 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization’s information security risk q 1environment(s).31

8.5 Information Privacy and Information Security

1. Privacy addresses the rights of individuals to control how and to what extent information about them—their personal information—is collected and further processed.

1. In addition to the fact that both information security and privacy are data protection regimens, other areas of overlap are:

   1. Integrity (information security) and accuracy (privacy)

   2. Availability (information security) and access (privacy)

   3. Accountability (both) Confidentiality (when the data is both personal information and nonpublic)

   4. Information security’s focus on data integrity overlaps with privacy’s accuracy requirement in that both target ensuring the data is not altered without authorization.

   5. Information security’s availability requirement supports privacy’s access requirement.

8.5.1 The Disconnects

1. The reason there is not a complete overlap between privacy and information security is threefold. First, privacy has a wider set of obligations and responsibilities than information security does, such as:

   1. Collection limitation

   2. Openness

   3. Relevancy

   4. Use limitation

2. Privacy and information security have orthogonal information classification systems:

   1. Information privacy classifies personal information into two categories:

      1. private information and sensitive private information

   2. Information security protects information differently, usually along the lines of degree of confidentiality:

      1. Public

      2. Confidential

      3. highly confidential

      4. Restricted

      5. top secret

8.5.2 Alignment

1. Information privacy and information security are both data protection regimes and, as noted, while they have different focuses, they do have significant overlaps.

2. Information privacy professionals have a vested interest in ensuring security controls are implemented and are operating effectively. The business partners of both, information privacy and information security, also have a vested interest in privacy and security being effectively and efficiently implemented, so that assets and people are protected but not unnecessarily encumbered from getting work done.

3. With this nexus identified, it is not surprising that the same survey found that some of the ways for information privacy and information security programs to align are:

   1. Increased involvement of privacy personnel on information security teams and vice versa

   2. Employment of core privacy functions with an IT motivated to get a better handle on their data and the extent of their corporate risk

   3. Increased investment in privacy technology

   4. Increased use of privacy impact assessments and data inventory and classification

   5. Increased use of data retention policies

4. Fourth, rank and prioritize. Not all problems can be solved or mitigated at once,

and having an agreed-upon ranking of risk factors is key to prioritizing and allocating resources and evaluating outcomes.

8.5.3 Access Control

1. Access to an organization’s information systems should be tied to an employee’s role. No employees should have greater information access than is necessary to perform their job functions.

   1. Segregation of duties. Ensure one person cannot exploit or gain access to information inappropriately.

   2. Least privilege. Grant access at the lowest possible level required to perform the function.

   3. Need-to-know access. Restrict access to only information that is critical to the performance of an authorized, assigned mission.

   4. Guidelines for user access management (also known as identity access management) include the following:

   5. Unique user IDs Credentials for ID (e.g., smart card, password, two-factor authentication, machine certificate)

   6. Level of access based on business purpose

   7. Formal logical access process for granting and removing

   8. Password management

   9. Review of user access rights (e.g., privileged accounts, job function changes, employment termination)

   10. User responsibility

   11. Users required to follow good security practices in selecting and protecting passwords

   12. Clean desk policy for papers and removable storage media

8.5.4 Data Classification

1. To properly protect data, it needs to be classified. Most information security classification schemas use the following categories:

   1. Public

   2. Confidential

   3. Highly confidential

   4. Restricted

8.6 Privacy Policy and Technical Controls

For data protection, controls need to be implemented with privacy in mind.

Required (or suggested) administrative or policy controls for privacy can be

found in four areas. See Table 8-2 for examples.

1. Technical controls fall into four main areas: 35

   1. Obfuscation: Personal data is made obscure, unclear or unintelligible (e.g., masking, tokenization, randomization, noise, hashing)

   2. Data minimization: The collection of personal information is limited to that which is directly relevant and necessary to accomplish a specified purpose (e.g., granulation, data segregation, deletion, de-identification, aggregation)

   3. Security: Protective privacy measures are used to prevent unauthorized access (e.g., encryption, access controls for physical and virtual systems, data loss management, destruction, auditing, testing)

   4. Privacy engineering technologies: Technologies ensure engineered systems provide acceptable levels of privacy (e.g., secure multiparty computations, homomorphic encryption, differential privacy, mix networks, anonymous digital credentials)

2. Data Destruction

   1. One important way to protect personal information and privacy is to destroy personal information when it is no longer needed.

      1. Two ways of electronically destroying data are overwriting and degaussing.

      2. Three ways of physically destroying data are shredding, melting and burning.

      3. Regardless of the methodology selected, privacy professionals should work with their data retention functions so agreed-upon policies, standards and guidelines are in place to ensure personal information is destroyed when it is supposed to be destroyed.36

8.7 Summary

1. Protecting personal information is an ongoing effort. Many failures are related to inability to imagine the worst or to understand evolving technologies. It is important to stay abreast of new technologies, to ensure that system, product, and application updates are reviewed, and that new or different privacy controls are not needed.