Business Privacy needs

Privacy Foundations of Information Security Series Vicente Aceituno @vaceituno (c)Inovement Europe 2014


Transcript of Business Privacy needs

Page 1: Business Privacy needs

Privacy

Foundations of Information Security Series

Vicente Aceituno @vaceituno

(c)Inovement Europe 2014

Page 2: Business Privacy needs

Vicente Aceituno

[email protected] - Skype: vaceituno

LinkedIn - linkedin.com/in/vaceituno

Inovement Europe - inovement.es

Video Blog - youtube.com/user/vaceituno

Blog - ism3.com

Twitter - twitter.com/vaceituno

Presentations - slideshare.net/vaceituno/presentations

Articles - slideshare.net/vaceituno/documents

Page 3: Business Privacy needs

Foundations of Information Security Series

Needs

Secrecy

Intellectual Property you Own

Intellectual Property you Use

Privacy

Availability

Retention

Expiration

Quality

Obligations

Technical

Compliance

Legal

Page 4: Business Privacy needs

What is Information Security?

“Information Security” is an emergent property of people using information.

People have expectations about information.

If there are no people or no information, “Information Security” is meaningless, as there are no expectations to meet.

Page 5: Business Privacy needs

What is Information Security?

When expectations about information are met, there is “Security”.

When expectations about information are not met, there is an “Incident”.

Page 6: Business Privacy needs

What is Information Security?

Some expectations are things people (or organizations) want to happen for their own reasons. These are Needs.

Some expectations are things people (or organizations) want to happen in order to meet technical, legal or standard compliance requirements. These are Obligations.

Page 7: Business Privacy needs

Privacy

Page 8: Business Privacy needs

Privacy

Some expectations of people about information are related to ownership, control and use of information over time.

Page 9: Business Privacy needs

Privacy

Ownership is defined as having legal rights and duties on something.

Control is defined as having the ability to:

Grant or deny access to users.

Attribute to specific users their use of information.

Use is defined as having access to read, write or modify information.

Page 10: Business Privacy needs

Privacy

Privacy can be seen as a person’s right and ability to select what other people or organizations know about him or her.

From the point of view of information security, Privacy expectations are related to Personal information and Personal identifiable information.

Page 11: Business Privacy needs

Privacy

Personal identifiable information is any information that uniquely identifies an individual person. For example:

Name

Address

Electronic Addresses (Phone number, URLs, IPs, etc.)

Electronic IDs (Email, Login name, nickname, etc.)

Official IDs (National ID, tax ID, health ID, etc.)

Property IDs (Plate number, License number, Credit card number)

Biological traits (Face, fingerprints, DNA, etc.)

Behavioral traits (Handwriting, gait, etc.)

Other (Date of birth, Birthplace, etc.)

Page 12: Business Privacy needs

Privacy legislation

Legally, the ownership of personal information differs between regions of the world. Some examples:

In the European Union, people legally own their personal information, and legislation aims to provide them with control over this information.

In the USA, the person or organization that uses or controls personal information legally owns it.

Page 13: Business Privacy needs

Privacy Needs

There is an expectation that personal information will be held by authorized administrators only, for no longer than required.

There is an expectation that personal information will be controlled by their owners or authorized administrators only, for as long as they are authorized.

Page 14: Business Privacy needs

Privacy Needs

There is an expectation that personal information will be used by authorized users only, for a valid purpose and for as long as they are authorized.

In certain cases there is an expectation that personal information will be used by authorized users only, in a way that preserves anonymity.

Page 15: Business Privacy needs

Privacy Needs

Privacy expectations can be determined by answering the following questions:

Who should control the personal information, and for how long?

Who should not control the personal information?

What are the valid uses of the personal information?

Who should make valid use of the personal information, and for how long?

Who should not use the personal information?

Should it be possible to identify the owner of the personal information?

Page 16: Business Privacy needs

Privacy Needs

Whether these expectations are met or not is independent of the observer and repeatable.

Answering the aforementioned questions renders lists that can be enumerated, measured and managed.

Page 17: Business Privacy needs

Privacy Obligations

Organizations often must comply with legal obligations related to personal information. Among these obligations, the following are frequent:

Personal information completeness must be proportional to its use.

Personal information can't be kept for longer than needed.

Page 18: Business Privacy needs

Privacy Obligations

The owner of the personal information must agree for it to be collected and he has the right to check it, fix it and approve how it will be used or ceded.

The owner of personal information will be given notice when his information is being collected, including who is collecting the information.

Page 19: Business Privacy needs

Privacy Obligations

Repositories with personal information have to be registered with a Data Protection agency.

Personal information must be used for the purpose agreed with the information owner.

Page 20: Business Privacy needs

Privacy Obligations

Personal information must not be disclosed without the agreement of the information owner.

Personal information owners will have means to make data collectors accountable for their use of their personal information.

Personal information must be protected using certain security measures depending on its sensitivity.

Page 21: Business Privacy needs

Privacy needs related incidents

When personal information is controlled by people who are not or have never been the owners or the authorized administrators. For example:

Granting access to unauthorized users.

Denying access to authorized users.

Lack of, or misattribution to specific users of their use of personal information.

Page 22: Business Privacy needs

Privacy needs related incidents

When personal information is used by people who are not or have never been authorized users.

When personal information is used by authorized users for invalid purposes.

When anyone uniquely identifies the owner of personal information, when it should have remained anonymous.

For a more complete list of incidents check tiny.cc/incidents
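The questions on the "Privacy Needs" slides and the incident definitions above can be expressed as enumerable lists and checked against events, as in this added example (not part of the original presentation). All class names, roles, purposes and dates are hypothetical, and the events are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Expectations:            # answers to the questions, as enumerable lists
    controllers: dict          # who may control -> last authorized day
    users: dict                # who may use -> last authorized day
    valid_purposes: set        # valid uses of the personal information
    anonymous: bool            # True if the owner must not be identifiable

@dataclass
class Event:
    day: date
    actor: str
    action: str                # "control" (grant/deny access) or "use" (read/write/modify)
    purpose: str = ""
    identifies_owner: bool = False

def classify(exp, ev):
    """Return the privacy-needs incidents this event represents ([] = expectations met)."""
    allowed = exp.controllers if ev.action == "control" else exp.users
    verb = "controlled" if ev.action == "control" else "used"
    until = allowed.get(ev.actor)
    found = []
    if until is None:
        found.append(f"{verb} by a person who was never authorized")
    elif ev.day > until:
        found.append(f"{verb} by a person who is no longer authorized")
    elif ev.action == "use" and ev.purpose not in exp.valid_purposes:
        found.append("used by an authorized user for an invalid purpose")
    if exp.anonymous and ev.identifies_owner:
        found.append("owner identified when anonymity was expected")
    return found

# Constructed sample data (hypothetical roles, purposes and dates).
EXPECTATIONS = Expectations(
    controllers={"dpo": date(2014, 12, 31)},
    users={"billing": date(2014, 12, 31), "support": date(2014, 6, 30)},
    valid_purposes={"invoicing"}, anonymous=True)
EVENTS = [
    Event(date(2014, 3, 1), "billing", "use", "invoicing"),
    Event(date(2014, 3, 2), "billing", "use", "marketing"),
    Event(date(2014, 9, 1), "support", "use", "invoicing"),
    Event(date(2014, 3, 3), "intern", "control"),
    Event(date(2014, 3, 4), "billing", "use", "invoicing", identifies_owner=True),
]

def incidents(exp, events):
    # Enumerate (event index, incident) pairs so they can be counted and tracked.
    return [(i, inc) for i, ev in enumerate(events) for inc in classify(exp, ev)]
```

Two observers running `incidents(EXPECTATIONS, EVENTS)` get the same four findings, which is the sense in which the slides call these expectations repeatable and measurable.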

Page 23: Business Privacy needs

Privacy obligations related incidents

When personal information is more complete than it needs to be.

When personal information is kept for longer than needed.

When the owner of the personal information is not given, or is denied, the opportunity to agree for it to be collected, or when he is not given, or is denied, the right to check it, fix it and approve how it will be used or ceded.

When the owner of personal information is not given notice when his information is being collected, including who is collecting the information.

Page 24: Business Privacy needs

Privacy obligations related incidents

When repositories with personal information are not registered with a Data Protection agency within a certain period of time.

When personal information is used for a purpose other than the one agreed with the information owner.

When personal information is used by people without the agreement of the information owner.

When personal information is not protected using certain security measures depending on its sensitivity.

Page 25: Business Privacy needs

Achieving Privacy

In order to achieve Privacy, normally Access Control and Compliance measures are taken.

Cryptography is an important technology for Access Control.

The Access Control related O-ISM3 processes are:

OSP-12 User Registration

OSP-11 Access Control

The Compliance related O-ISM3 processes are:

OSP-21: Information Quality and Compliance Assessment

Page 26: Business Privacy needs

Privacy

Page 27: Business Privacy needs

The O-ISM3 Challenge

This was an exercise designed to throw into sharp relief the inadequacy of traditional information security concepts.

Check the exercise in full at tiny.cc/indepth

A summary of conclusions from the exercise, in relation to Privacy, follows.

Page 28: Business Privacy needs

[Diagram labels: Confidentiality; Business Needs (Secrecy, Intellectual Property, Privacy); Business Obligations]

Page 29: Business Privacy needs

Confidentiality

ISO Definition: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

ITIL Definition: A security principle that requires that data should only be accessed by authorized people.

CobIT Definition: Concerns the protection of sensitive information from unauthorized disclosure.

Page 30: Business Privacy needs

Privacy and Confidentiality

Confidentiality can’t be measured (it doesn’t have units). Therefore it is not independent of the observer, nor repeatable, as Privacy is.

Privacy can be used to measure, communicate and manage a specific expectation of people about information.

Confidentiality is not necessary to understand or measure Privacy.

Page 31: Business Privacy needs

Privacy and Confidentiality

Privacy and Confidentiality are not equivalent.

Confidentiality and Privacy are not synonymous.

Confidentiality is not useful to understand Privacy.

Page 32: Business Privacy needs
Page 33: Business Privacy needs

Follow the Foundations of Information Security Series by joining the LinkedIn O-ISM3 Group at: tiny.cc/osim3LG

Learn Advanced Information Security Management by joining us at an O-ISM3 Course: tiny.cc/osim3