Information security: DP enabler - Europa
Information security: DP enabler
Fidel Santiago
DPO meeting
5 November 2015
This workshop
• Security as a fundamental enabler for data protection
• Security based on (information security) risk management
• The involvement of the DPO is of paramount importance
Security as a DP enabler
Security principles
• Confidentiality
• Integrity
• Availability
DP principles
• Fair & lawful
• Purpose limitation
• Accurate and up-to-date
• Conservation periods
• Data subject rights
Information/IT security (cycle diagram: Risk assessment, Security measures, Operation/Monitoring)
• Risk assessment
– Identification
– Analysis
– Evaluation
– Treatment
• Security measures
– Security requirements
– Implementation
• Operation/Monitoring
– Security operations
– Service management
– Monitoring
– Auditing
– Review
ISRM 101
• ISRM: Information Security Risk Management
• ISO 27005 (among others…)
ISRM 101: Risk identification
1. Context establishment
2. Risk identification
– Assets (personal data and more…)
– Vulnerabilities
– Threats
– Existing controls
– Impact
ISRM 101: Analysis & treatment
3. Risk analysis
– Methodology
– Impact assessment
– Likelihood assessment
– Risk
4. Risk treatment
– Avoid
– Reduce
– Transfer
– Accept
ISRM 101: Outcomes
• Security plan
• Residual risk
• Monitoring and review
Art 22.1. Reg 45/2001: Security of processing
• “Having regard to the state of the art and the cost of their implementation, the controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected.”
Risk management process: systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring and reviewing risk*
*ISO 27000
Art 22.1. Reg 45/2001: Security of processing
• “Such measures shall be taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing.”
Information security: preservation of confidentiality, integrity and availability of information*
*ISO 27000
Professional Standards DPO
• 3.5.1. Advice on application of DP provisions:
– Discusses any legal, practical or technical issues having impact on DP;
• Best practices. Involvement in relevant discussion groups: “For instance, the DPO should be involved in the work of the security committee, if existing”
• Art. 24 Reg 45/2001 - […] tasks of the DPO
Art 24. Reg 45/2001 - […] tasks of the DPO
• “1.(c) ensuring in an independent manner the internal application of the provisions of this Regulation;”
• “[The DPO] shall thus ensure that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations.”
Security / DPO / Controller (diagram)
How?
• (The DPO) Not alone!!
• With the LISO/SSO/SO…
– Information security is complex enough to call for specific professionals!
• Controller accountable, but the DPO also has a very important role: “fundamental in ensuring the respect of data protection”
Accountability
• (GDPR):
– measures to be able to demonstrate that the processing […] is performed in compliance with this Regulation.
– mechanisms to verify the effectiveness of the measures taken.
• Controller's accountability instruments:
– Policies
– Security requirements
– Data Protection Officer
– Audits
(Other) Stakeholders
• Information Security Officer (LISO/SSO/SO…)
• Data Protection Officer
• Business process owners (controllers)
• Process/Project officers
• Documents Manager
• …
Recap
• InfoSec: DP enabler (control)
• InfoSec based on ISRM
• Together (DPO & Sec)!!!!!!
Some Q’s for you
• Approach to Art 22. of Reg 45/2001
• Relation with the LISO/SSO/SO…
• Involvement in security governance