2. Privacy Origin Human Rights The right to a dignified life Legal order independence Universal Declaration of Rights (1942) Right to intimacy Information self-determination / Privacy
3. What do we understand by Privacy? Having control over my personal information The ability to limit: Who keeps it What can be done with it Purposes of use
5. Legal and Institutional Frameworks International: Standardization efforts European: Under revision US: Consumer Protection approach Canada: Sector based approach Latin America: European Model? Others
13. Chief Privacy Officer What is a Chief Privacy Officer? Which is his place in the organization? Solid knowledge and ample experience Certified Data Privacy Professional
18. Specific Aspects and Challenges Specific Aspects Financial Data Auto-regulation Criminal charges Fines up to US $2.8M Challenges Privacy Notice: proof Strategy for compliance Privacy Awareness
73. So yes, privacy is a growing concern And not only at a reputational level
74. Privacy is always a risk for INDIVIDUALS An organization’s risk always translates to individual stakeholder risks Employees get fired Users or customers are damaged Shareholders lose money
101. Two types of Privacy Intimacy Privacy Regulation Risk Management Identity Value Based Risk Management
102. They are divided into two groups: Redundancy Availability? Business Impact BIA Filters andAuthentication Confidentiality and Integrity? Market Value IVA
103. Information Value Analysis Information Risk= Impact x Probability Impact is determined by estimatingEconomic Value Probabilityismeasured by calculating Potential Connections
105. Intentionality Information Assets Information User Profiles Potential Losses Possible Attacks High Risk Nodes EconomicValue Access to High Risk Nodes Attacker Profit Known Attacks
106.
107. We need to accept Risk Potential moves are infinite
117. Value Management Method Possible Incidents Real Incidents Applicable Incidents Recurring Incidents Measurement of Added Value Prioritized Incidents
122. COBIT Risks EfectividadEficienciaConfidencialidadIntegridadDisponibilidadCumplimientoConfiabilidad Business Requirements AplicacionesInfraestructuraInformaciónPersonas DOMINIOS PROCESOSACTIVIDADES IT Resources IT Processes Nodes Connections
123. Types ofNodes Information User Connection Information Node User Node Transfer Process Store Consult
135. Always R1 Weak password storage protocol R5 R2 R2 Absence of robust password policy R3 Absence of data entry validation for web applications R3 R4 Possible Probability R1 R6 R4 Existing applications with vulnerable remote support R5 Weak wireless ciphered communication protocol R6 Absence of operating system security configuration Almost never Very high Insignificant Medium Impact Main Risks
136. Quick Hits High S1 S2 Password Policy S5 S4 S2 Migration of wireless communication protocol Strategic Quick Hits S6 S3 S1 Strategic S7 S3 Security configuration guidelines for applications Moderate Positive Impact of Implementation S4 Security configuration guidelines for operating systems Not Viable Nice To Have S5 Migration of passwords storage protocols S6 Secure application development process Minimum S7 Migration of remote support protocol Minor Medium Major Effort Action Plan
137. Procesos Gente Tecnología Policies and Configuration Guidelines S3 Security configuration guidelines for applications S4 Security configuration guidelines for operating systems Governance S1 Password policy Processes and Roles S1 Superior Technologies User controls S7 S8 S0 S9 Migration of remote support protocols Network controls S5 Migration of password storage protocols S2 Migration of wireless communication protocols S2 Host controls S4 S5 Recommendations for Sustainability Application controls S3 4 S7 S8 Secure change process administration Data level controls S9 Risk administration process S0 Vulnerability patches and updates process S6 Secure application development process Recommendations
138. Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Risk Administration Implementation Secure application development implementation Vulnerability patches and updates process administration Secure change process administration Migration to robust remote support protocols Migration of wireless communication protocol Migration of password storage Password policy Security configuration guidelines for operating system Security configuration guidelines for applications 2010 2011 Mitigation Roadmap
139. Demystifying the Privacy Implementation Process Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
140. Business Process Analysis Business Process Analysis Data Lifecycle Inventory Identification of applicable Law Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
141. Business Process Analysis Stakeholder Information acquisition Types of data Internal and external data flows Purpose of treatment Information systems and security measures Retention policies Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
142. Data Lifecycle Inventory Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
143. Privacy Legal & Regulatory Requirements (PIA) 1. Legal & Regulatory Contracts Clauses Privacy notices Authorizations Jurisdictions Other regulations Money laundering Sectorial Etc. Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
144. Privacy Legal & Regulatory Requirements (PIA) 2. Technical Authentication & authorization Access control Incident log Removable media and document management Security copies Recovery tests Physical Access Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
145. Privacy Legal & Regulatory Requirements (PIA) 3. Organizational Data privacy officer Roles and responsibilities Policies, procedures and standards Notifications to authorities Audits Compliance and evidence Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
146. Legal & Regulatory Data Categories High Risk Syndicate Affiliation Health Sexual life Beliefs Racial Origin Medium Risk Financial Profile Personal Fines Credit Scoring Tax Payment Information Basic Risk Personal Identifying Information Employment Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
147. External Economic Data Value (IVA) Black Market Value Sale price News Value Newspaper Magazines Television Competition Market Value Brand Value Political Value Authorities Fines Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
148. Data Value Categories Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
149. Asset Inventory Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
150. Policy Generation How should this data be: generated? stored? transferred? processed? accessed? backed-up? destroyed? monitored? How should we react and escalate an incident or breach? How will we punish compliance? Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
151. Controls, Standards & Procedures Business Process Analysis Data Lifecycle Inventory Controls are defined and mapped for each policy level Technical Standards Procedures Compensatory Controls Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
152. Controls, Standards & Procedures Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
153. Implementation & Audit Business Process Analysis Data Lifecycle Inventory BestPractices Laws and Regulations Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory PROCESSES Policy Generation APPLICATIONS PEOPLE Controls Controls, Standards, Procedures Evidence Implementation & Audit I.ACT D.SEG LOPD SOX LSSI ASSETS NETWORKS COMUNIC. CONTRACT
154. Implementation & Audit Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
155. RegulatoryRisk Management Types Impact Fines Reputation Image Good Corporative Governance Laws and norms Indemnities Client Forfeits Internal Operative Improvement Contracts Risk Management Competitive Difference Business Continuity Guarantee Standards and Codes Stockholder trust Corporative Culture Fight Internalfraud Internalpolicies 155
156. How can Privacy Risks be classified? Economic Operational Reputational Competition
157. Quick tips Doing International Business What to watch out for? Localization Local regulations Due diligence Audit Monitoring Contact with authorities Jurisdiction
158. Non compliance TOP 5 Employee awareness Lack of transparency Third parties Intercompany data flows Collection of unnecessary information
159. Two types of Privacy Intimacy Privacy Regulation Compliance Identity Information Value Risk Management
160. 3 Main Aspects of Privacy Legal Organizational Technical
161. Privacy is not only about Compliance! Through Privacy we guarantee individual rights. By doing so, we increase stakeholder trust and increase our competitiveness.
162. Privacy Risk Management: Stakeholders Trust Management “Trust is the belief that a person or group will be able or willing to act an adequate and predictable manner under certain situations.”
Determinism is a system in which no randomness is involved since causes are directly linked to consequences and, therefore, results are predictable..
To calculate the probability of an attack we use Graph Theory. It shows us the best route (least obstacles) by which an attacker may obtain the criminal objective be it by way of one or various nodes.
Graphic analysis of risks using probability versus impact.