2. Privacy Origin Human Rights The right to a dignified life Legal order independence Universal Declaration of Rights (1942) Right to intimacy Information self-determination / Privacy
3. What do we understand by Privacy? Having control over my personal information The ability to limit: Who keeps it What can be done with it Purposes of use
12. Chief Privacy Officer What is a Chief Privacy Officer? Which is his place in the organization? Solid knowledge and ample experience Certified Data Privacy Professional
71. So yes, privacy is a growing concern And not only at a reputational level
72. Privacy is always a risk for INDIVIDUALS An organization’s risk always translates to individual stakeholder risks Employees get fired Users or customers are damaged Shareholders lose money
99. Two types of Privacy Intimacy Privacy Regulation Risk Management Identity Value Based Risk Management
100. They are divided into two groups: Redundancy Availability? Business Impact BIA Filters andAuthentication Confidentiality and Integrity? Market Value IVA
101. Information Value Analysis Information Risk= Impact x Probability Impact is determined by estimatingEconomic Value Probabilityismeasured by calculating Potential Connections
103. Intentionality Information Assets Information User Profiles Potential Losses Possible Attacks High Risk Nodes EconomicValue Access to High Risk Nodes Attacker Profit Known Attacks
104. We need to accept Risk Potential moves are infinite
114. Value Management Method Possible Incidents Real Incidents Applicable Incidents Recurring Incidents Measurement of Added Value Prioritized Incidents
119. COBIT Risks EfectividadEficienciaConfidencialidadIntegridadDisponibilidadCumplimientoConfiabilidad Business Requirements AplicacionesInfraestructuraInformaciónPersonas DOMINIOS PROCESOSACTIVIDADES IT Resources IT Processes Nodes Connections
120. Types ofNodes Information User Connection Information Node User Node Transfer Process Store Consult
132. Always R1 Weak password storage protocol R5 R2 R2 Absence of robust password policy R3 Absence of data entry validation for web applications R3 R4 Possible Probability R1 R6 R4 Existing applications with vulnerable remote support R5 Weak wireless ciphered communication protocol R6 Absence of operating system security configuration Almost never Very high Insignificant Medium Impact Main Risks
133. Quick Hits High S1 S2 Password Policy S5 S4 S2 Migration of wireless communication protocol Strategic Quick Hits S6 S3 S1 Strategic S7 S3 Security configuration guidelines for applications Moderate Positive Impact of Implementation S4 Security configuration guidelines for operating systems Not Viable Nice To Have S5 Migration of passwords storage protocols S6 Secure application development process Minimum S7 Migration of remote support protocol Minor Medium Major Effort Action Plan
134. Procesos Gente Tecnología Policies and Configuration Guidelines S3 Security configuration guidelines for applications S4 Security configuration guidelines for operating systems Governance S1 Password policy Processes and Roles S1 Superior Technologies User controls S7 S8 S0 S9 Migration of remote support protocols Network controls S5 Migration of password storage protocols S2 Migration of wireless communication protocols S2 Host controls S4 S5 Recommendations for Sustainability Application controls S3 4 S7 S8 Secure change process administration Data level controls S9 Risk administration process S0 Vulnerability patches and updates process S6 Secure application development process Recommendations
135. Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Risk Administration Implementation Secure application development implementation Vulnerability patches and updates process administration Secure change process administration Migration to robust remote support protocols Migration of wireless communication protocol Migration of password storage Password policy Security configuration guidelines for operating system Security configuration guidelines for applications 2010 2011 Mitigation Roadmap
136. Demystifying the Privacy Implementation Process Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
137. Business Process Analysis Business Process Analysis Data Lifecycle Inventory Identification of applicable Law Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
138. Business Process Analysis Stakeholder Information acquisition Types of data Internal and external data flows Purpose of treatment Information systems and security measures Retention policies Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
139. Data Lifecycle Inventory Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
140. Privacy Legal & Regulatory Requirements (PIA) 1. Legal & Regulatory Contracts Clauses Privacy notices Authorizations Jurisdictions Other regulations Money laundering Sectorial Etc. Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
141. Privacy Legal & Regulatory Requirements (PIA) 2. Technical Authentication & authorization Access control Incident log Removable media and document management Security copies Recovery tests Physical Access Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
142. Privacy Legal & Regulatory Requirements (PIA) 3. Organizational Data privacy officer Roles and responsibilities Policies, procedures and standards Notifications to authorities Audits Compliance and evidence Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
143. Legal & Regulatory Data Categories High Risk Syndicate Affiliation Health Sexual life Beliefs Racial Origin Medium Risk Financial Profile Personal Fines Credit Scoring Tax Payment Information Basic Risk Personal Identifying Information Employment Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
144. External Economic Data Value (IVA) Black Market Value Sale price News Value Newspaper Magazines Television Competition Market Value Brand Value Political Value Authorities Fines Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
145. Data Value Categories Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
146. Asset Inventory Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
147. Policy Generation How should this data be: generated? stored? transferred? processed? accessed? backed-up? destroyed? monitored? How should we react and escalate an incident or breach? How will we punish compliance? Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
148. Controls, Standards & Procedures Business Process Analysis Data Lifecycle Inventory Controls are defined and mapped for each policy level Technical Standards Procedures Compensatory Controls Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
149. Controls, Standards & Procedures Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
150. Implementation & Audit Business Process Analysis Data Lifecycle Inventory BestPractices Laws and Regulations Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory PROCESSES Policy Generation APPLICATIONS PEOPLE Controls Controls, Standards, Procedures Evidence Implementation & Audit I.ACT D.SEG LOPD SOX LSSI ASSETS NETWORKS COMUNIC. CONTRACT
151. Implementation & Audit Business Process Analysis Data Lifecycle Inventory Data Value (IVA) Legal & Regulatory Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
152. Two types of Privacy Intimacy Privacy Regulation Compliance Identity Information Value Risk Management
153. 3 Main Aspects of Privacy Legal Organizational Technical
154. Privacy is not only about Compliance! Through Privacy we guarantee individual rights. By doing so, we increase stakeholder trust and increase our competitiveness.
155. Privacy Risk Management: Stakeholders Trust Management “Trust is the belief that a person or group will be able or willing to act an adequate and predictable manner under certain situations.”
Determinism is a system in which no randomness is involved since causes are directly linked to consequences and, therefore, results are predictable..
To calculate the probability of an attack we use Graph Theory. It shows us the best route (least obstacles) by which an attacker may obtain the criminal objective be it by way of one or various nodes.
Graphic analysis of risks using probability versus impact.