Page 1
John Elliott, Blackfoot UK
Ways to Interpret Security Standards – What We Can Learn From the Law
Session ID: GRC-207
Session Classification: Intermediate
Page 2
… the Lawyer and the Information Security Hero…
Murder
Explosion
Drinking
Unfair dismissal
Page 3
Which is the worst?
(slide image: five items, each labelled "vulnerability")
Page 4
The bear market* for regulation
Stop hackers
Breach notification
Reasonable security
Standards as legal requirements
*Stewart Room, Butterworths Data Security Law & Practice
Page 5
Information Security in Law
Page 6
Massachusetts 201 CMR 17.00
Secure user authentication protocols …
Secure access control measures …
Encryption of personal data on public networks
Reasonable monitoring
Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions.
Page 7
Oregon Senate Bill 583
Technical safeguards including:
Assesses risks in network and software design
Assesses risks in information processing, transmission and storage
Detects, prevents and responds to attacks or system failures
Regularly tests and monitors the effectiveness of key controls, systems and procedures
Page 8
PCI Compliance
Nevada NRS 603A.215
If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the PCI DSS.
Washington House Bill 1149
If … the processor, business, or vendor was certified compliant with the PCI DSS … a processor, business, or vendor will be considered compliant.
Page 9
Information Commissioner’s Office
“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back. This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”
Making soft-law (PCI) into hard-law (DPA)
Page 10
Italian Data Protection Code
a password shall consist of at least eight characters…
an ID code, if used, may not be assigned to another person in charge of the processing even at a different time
Authentication credentials shall be de-activated if they have not been used for at least six months …
Page 11
Spanish Organic Data Protection Law
There are three levels of security measures, basic, medium and high.
Basic: … mechanisms to avoid a user being able to access resources …
Medium: … limit the possibility of repeated attempts of unauthorised access …
High: … for each attempt at access … identification of the user, date, time and whether authorised or denied …
Page 12
Other EU States With Technical Security Requirements in Data Protection Law
Page 13
Proposed EU Data Protection Regulation
A regulation applies EU-wide
Current data protection law was established with a directive
Implemented differently in each country
One set of data protection rules for the entire EU
What about information security?
Page 14
A Regulation …
applies directly
would probably be adopted
Page 15
Proposed EU Data Protection Regulation
Article 30(3) The Commission shall be empowered to adopt delegated measures… for the purpose of further specifying the criteria and conditions for the technical and organisational measures … including the determinations of what constitutes the state of the art … in particular taking account of developments in technology and solutions for privacy by design and data protection by default
Page 16
Proposed EU Regulation – Article 36
The Member States and the Commission shall encourage the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors
The Commission may lay down technical standards for certification mechanisms and data protection seals and marks ...
Page 17
A Challenge for Information Security
Stop hackers
Reasonable security
Breach notification
Standards as legal requirements
Page 18
Words can have many meanings
The Commission may lay down technical standards for certification mechanisms and data protection seals and marks ...
(slide images: "data protection seal" beside "navy seal")
Page 19
The Rules Lawyers Use
Page 20
What We Can Learn From The Law
500 years of written history
Parliament passes statutes (acts)
Judges have to interpret statutes
They have developed a number of approaches (rules)
Page 21
Road Traffic Act 1988
[An insurance policy] must insure such person, persons or classes of persons as may be specified in the policy in respect of any liability which may be incurred by him or them in respect of the death of or bodily injury to any person or damage to property caused by, or arising out of, the use of a vehicle on a road in Great Britain… 145(3)(a) Road Traffic Act 1988
Page 22
Cutter v Eagle Star Insurance Company
Mr Cutter was sitting in a car parked in a multi-story car park
Lighter fuel had leaked on to the back seat
The driver returned and lit a cigarette
Mr Cutter was injured
The car was not being used on a road, so the insurance company was not liable.
Explosion
Page 23
Literal Rule
Words must be given their plain, ordinary meaning
Page 24
Administration of Estates Act
The residuary estate of an intestate shall be distributed in the manner … mentioned in this section, namely:
If the intestate leaves issue but no spouse or civil partner, the residuary estate of the intestate shall be held on the statutory trusts for the issue of the intestate
s46(ii) Administration of Estates Act 1925
Page 25
Re: Sigsworth
Mary Ann Sigsworth died intestate
She had one son, Thomas Sigsworth, who murdered his mother
Thomas Sigsworth could not inherit.
Murder
Page 26
Golden Rule
Words must be given their plain, ordinary meaning
UNLESS that produces an ABSURDITY or an affront to public policy
Page 27
Licensing Act
Every person who is drunk while in charge on any highway or other public place of any carriage, horse, cattle, or steam engine, or who is drunk when in possession of any loaded firearms, shall be liable to a penalty …, or in the discretion of the court to imprisonment for any term not exceeding one month. s12 Licensing Act 1872
Page 28
Corkery v Carpenter
Shane Corkery was arrested for being drunk in charge of a bicycle on the highway
It was argued that a bicycle was not a carriage
It won't be a stylish marriage,
I can't afford a carriage,
But you'll look sweet, upon the seat
Of a bicycle made for two.
A bicycle is a carriage.
Binge drinking
Page 29
Mischief and Purposive Approach
What was the state of the law before the act?
What was the mischief Parliament wanted to remedy?
What is the purpose of the act?
“We do not sit here to pull the language of Parliament to pieces and make nonsense of it. We sit here to find out the intention of Parliament and carry it out and we do this better by filling in the gaps and making sense of the enactment than by opening it up to destructive analysis” Denning LJ
Page 30
Transfer of Undertakings (Protection of Employment)
“to provide for the protection of employees in the event of a change of employer, in particular, to ensure that their rights are safeguarded . . .”
Any reference … above to a person employed in an undertaking or part of one transferred by a relevant transfer is a reference to a person so employed immediately before the transfer… s5(3) TUPE
Page 31
Litster v Forth Dry Dock and Engineering
Employees (unfairly) terminated at 15:30
Business sold at 16:30
Employees therefore not employed immediately before the transfer
Read as: “employed immediately before the transfer or would have been so employed if he had not been unfairly dismissed”
Unfair dismissal
Page 32
Teleological Approach
Used in interpreting European law
Consider aims
Follow the spirit of the legislation
Page 33
Summary of Rules
Literal
Golden
Mischief / Purpose
Teleological approach
Integrated
Page 34
| Approach | Emphasis on | Mindset | Era |
|---|---|---|---|
| Literal / Golden | Words | Pedants | 1500 - 1960 |
| Mischief / Purposive | Problems | | 1945 - 2012 |
| Teleological | Solutions | Big picture | 1990 - 2012 |
Page 35
An Example: PCI DSS*
* Which is most likely to be used as the basis of a law
Page 36
PCI DSS – an example
3.2 Do not store sensitive authentication data after authorization (even if encrypted).
3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.
Page 37
Typical process
Flow: Receive → Authorise (Bank) → Store → OK? → Delete → End
Page 38
Risk
Flow: Receive → Authorise (Bank) → Store → OK? → Delete → End
Where else does the data end up? Backup? Database logs?
Do not store sensitive authentication data after authorization
Page 39
Literal approach: Store
1. Keep or accumulate (something) for future use
2. Retain or enter (information) for future electronic retrieval
= write to disk
Do not store sensitive authentication data after authorization
Page 40
Literal 1
Flow: Receive → Authorise (Bank) → Store → OK? → Delete → End
store: Keep or accumulate (something) for future use
Do not store sensitive authentication data after authorization
Page 41
Literal 2
Flow: Receive → Authorise (Bank) → Store → OK? → Delete → End
store: Retain or enter (information) for future electronic retrieval = write to disk
Do not store sensitive authentication data after authorization
Page 42
Mischief / Purposive Approach
The purpose of the card validation code is to protect "card-not-present" transactions (Internet or mail order/telephone order (MO/TO) transactions) where the consumer and the card are not present. … If this prohibited data is stored and subsequently stolen, malicious individuals can execute fraudulent Internet and MO/TO transactions.
Do not store sensitive authentication data after authorization
Page 43
Mischief / Purposive
Flow: Receive → Authorise (Bank) → Store → OK? → Delete → End
Do not store sensitive authentication data after authorization
Page 44
Mischief / Purposive
Flow: Receive → Authorise (Bank) → Store → OK? → Delete → End
Ability to process payments
Do not store sensitive authentication data after authorization
Page 45
Teleological approach
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
Do not store sensitive authentication data after authorization
Page 46
Teleological
Flow: Receive → Authorise (Bank) → Store → OK? → Delete → End
Store for as short a time period as possible
Add audit controls, encrypt
= Enhance cardholder data security
Do not store sensitive authentication data after authorization
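The Receive → Authorise → Store → OK? → Delete flow from the preceding slides, run two ways, as an added example that is not part of the original deck or of PCI DSS. The naive handler follows the literal reading of "store": it writes the request to the transaction record, takes a backup, then deletes the CVV from the live record once the authorisation is OK, and the CVV survives in exactly the two places the Risk slide asks about, the log and the backup. The hardened handler follows the purposive and teleological readings: the CVV exists only in a local variable for the bank call and never reaches anything that is written. The bank, database, log and backup are in-memory stand-ins constructed for the example, and every name (`Store`, `bank_authorise`, `find_cvv_leaks`, the test card values) is hypothetical.

```python
import json
from dataclasses import dataclass, field


@dataclass
class Store:
    """In-memory stand-ins (constructed for this example) for the places the
    Risk slide asks about: the transaction database, its application log and
    a backup taken from the database."""
    records: list = field(default_factory=list)
    app_log: list = field(default_factory=list)
    backup: list = field(default_factory=list)

    def snapshot(self) -> None:
        # A backup copies whatever the records hold at that moment.
        self.backup = [json.dumps(r) for r in self.records]


def bank_authorise(pan: str, expiry: str, cvv: str, amount: int) -> bool:
    """Stand-in for the acquirer's authorisation call (hypothetical).
    A real bank checks the CVV against the card; this only checks its shape."""
    return cvv.isdigit() and len(cvv) in (3, 4)


def naive_payment(store: Store, request: dict) -> bool:
    """Receive -> Authorise -> Store -> OK? -> Delete, taken literally.
    The CVV is deleted from the live record, but copies have already
    escaped into the log and the backup."""
    store.app_log.append("received " + json.dumps(request))      # CVV in the log
    ok = bank_authorise(request["pan"], request["expiry"], request["cvv"], request["amount"])
    record = dict(request, authorised=ok)                         # Store: CVV in the record
    store.records.append(record)
    store.snapshot()                                              # backup taken while CVV present
    record.pop("cvv")                                             # OK? -> Delete (live record only)
    return ok


def redact(request: dict) -> dict:
    """Log- and storage-safe view: CVV dropped, PAN masked to the last four digits."""
    safe = {k: v for k, v in request.items() if k != "cvv"}
    safe["pan"] = "*" * (len(request["pan"]) - 4) + request["pan"][-4:]
    return safe


def hardened_payment(store: Store, request: dict) -> bool:
    """The CVV exists only in a local for the authorisation call; nothing that
    is written anywhere ever contains it (purposive and teleological readings)."""
    store.app_log.append("received " + json.dumps(redact(request)))
    cvv = request.pop("cvv")                                      # out of the shared object
    ok = bank_authorise(request["pan"], request["expiry"], cvv, request["amount"])
    del cvv                                                       # not reachable below this line
    store.records.append(dict(redact(request), authorised=ok))    # record never held a CVV
    store.snapshot()
    return ok


def find_cvv_leaks(store: Store) -> list:
    """Compliance check: which persisted artefacts still carry a CVV field
    after the flow has finished?  Returns the artefact names in a fixed order."""
    places = {
        "records": [json.dumps(r) for r in store.records],
        "app_log": store.app_log,
        "backup": store.backup,
    }
    return [name for name, lines in places.items()
            if any('"cvv"' in line for line in lines)]


def run_demo() -> dict:
    """Runs both handlers on the same constructed request and reports where
    the CVV survived."""
    def request() -> dict:
        # Constructed test card data, not real cardholder data.
        return {"pan": "4111111111111111", "expiry": "12/29", "cvv": "987", "amount": 2500}

    naive, hardened = Store(), Store()
    naive_payment(naive, request())
    hardened_payment(hardened, request())
    return {"naive": find_cvv_leaks(naive), "hardened": find_cvv_leaks(hardened)}


if __name__ == "__main__":
    print(run_demo())   # {'naive': ['app_log', 'backup'], 'hardened': []}
```

`find_cvv_leaks` is the check worth keeping: pointing it at real logs, database dumps and backups is how you find out whether "Delete" in the live flow actually reached every copy. One caveat on the hardened handler: `del cvv` drops the reference, but Python strings are immutable and are not zeroed, so a copy can linger in process memory until it is garbage-collected and overwritten. That is the "Literal 1" sense of store (kept in memory for future use), and in languages with mutable buffers the equivalent step is to overwrite the buffer before releasing it.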
Page 47
Information security approach

| Approach | Emphasis on | Mindset | Information security equivalent |
|---|---|---|---|
| Literal / Golden | Words | Pedants | Checklists, binary thought |
| Mischief / Purposive | Problems | | Risk-based approach |
| Teleological | Solutions | Big picture | Skill and expertise |
Page 48
In summary
Judges have been interpreting written statutes for more than 500 years
A strictly literal interpretation has largely been replaced by a purposive approach
The teleological approach is preferred when interpreting legislation that implements European law
The most likely source of statute / regulation of written data security standards will be Europe
Page 49
How to Apply This
Do not get injured in a car in a car park
If you want to inherit the family wealth, do not murder your mother
Do not ride a bicycle when drunk
… the Lawyer and the Information Security Hero…
Page 50
How to Apply This
When you get involved in a discussion or have to interpret a standard:
Words have multiple meanings; everyone might be using a different meaning
Test interpretation three ways: literal, purposive and teleological
Catalogue the written standards that you have to comply with
Be aware of the EU Data Protection Regulation
Page 51
Questions?