Privacy Flashcards
Organization for Economic Cooperation and Development (OECD)
Issued guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which have been classified as privacy principles
OECD Privacy Guidelines/Principles
Notice - data subjects should be given notice when their data is being collected
Purpose - data should only be used for purpose stated and for no other purpose
Consent - data should not be disclosed without the data subject's consent
Security - collected data should be kept secure from any potential abuses
Disclosure - data subjects should be informed as to who is collecting their data
Access - data subjects should be allowed to access their data and make corrections to any inaccurate data
Accountability - data subjects should have a method available to them to hold data collectors accountable for not following the other principles
No Purple Car Sold, Do Act Alarmed
General Data Protection Regulation (GDPR)?
Who must enact?
Who is penalized for violations and what penalties do they face?
Privacy regulation enacted by the EU to protect citizens from data breaches resulting in loss of privacy of PII
Includes 9 EU Privacy Principles - supersedes and strengthens the EU Data Protection Directive
All EU member states were required to enact it
Consequences for companies that control or process PII of EU citizens, including heavy fines for violations
EU Privacy Principles
- Collection Limitation Principle
- Data Quality Principle
- Purpose Specification
- Use Limitation Principle
- Security Safeguard Principle
- Open Principle
- Individual Participation Principle
- Accountable Principle
- Right to be Forgotten or Erased
U COPS RAID
EU Data Protection Directive 95/46/EC
EU directive enacted in 1995 concerning the protection of individuals with regard to the processing of personal data and the free movement of such data
In 2012 the Right to be Forgotten was added
Penalties for GDPR
Can be fined at a rate of 2% of annual global profit or 10M Euro for an initial breach
A subsequent breach can cost up to 4% of annual global profit or 20M Euro
Self-reporting is mandatory; violators usually incur the heaviest fines - data breaches must be reported to the DPA (Data Protection Authority) within 72 hours of discovery
Additional EU Privacy Subjects
- E-Privacy Directive - deals with regulation of information confidentiality, treatment of traffic data, spam, and use of cookies
- Safe Harbor Program - a program that required US companies processing EU citizens' PII to meet various standards developed by the US Dept of Commerce
- Model Contracts - EU-approved contracts which create a bond between multinational companies that process EU citizens' PII
- Privacy Shield - provides companies with a mechanism to comply with EU data protection requirements when transferring data from the EU to the US
- EU Data Retention Directive - a currently discontinued directive that required ISPs and phone providers to track connection information.
National Laws Compliant with EU GDPR
- All EU countries
- Argentina
- Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)
- Israel
- Singapore
- Andorra
- Australia - Privacy Act 1988, Australian Privacy Principles 2014
- European Free Trade Association - Iceland, Liechtenstein, Norway, Switzerland
- Japan
- Uruguay
Other Countries/Regions Data Privacy Regulations
- African Personal Data Protection Regulations
- Asia-Pacific Economic Cooperation (APEC)
- Australia and New Zealand Privacy Principles
African Personal Data Protection Regulations
About two-thirds of African nations have adopted these regulations
Data protections include:
- Notice
- Choice and consent
- Data Security
- Data access and correction
- Data quality
- Data retention and destruction
- Registration with a Data Protection Authority (DPA)
- Cross border transfer
- Personal data breach notification
- Appointment of a Data Protection Officer (DPO)
Asia-Pacific Economic Cooperation (APEC)
Ensures the free flow of information and open conduct of business within the region, while protecting privacy
Not as stringent as the GDPR
Includes 9 privacy principles
Australia and New Zealand Privacy Principles
Makes it difficult to move sensitive information to a CSP that stores the data outside Australia and New Zealand
Australian National Privacy Principles provide guidelines on how to collect, store, secure, process and disclose PII and PHI
Replaced by the Australian Privacy Principles, which focus on handling personal information with 13 principles
Health Information Portability and Accountability Act - HIPAA
A national standard for electronic health care transactions and national identifiers for providers, health plans, and employers
Defines rules around handling and treatment of PHI
PHI can be stored in the cloud as long as it is stored in a manner compliant with HIPAA
Gramm-Leach-Bliley Act (GLBA)
A law to control the ways financial organizations deal with individuals' private information
Requires financial organizations to give their customers written privacy notices that explain their information-sharing practices
3 sections
- Financial Privacy Rules - regulate the collection and disclosure of private information
- Safeguards Rule - requires financial institutions to implement security programs to protect individuals' private information
- Pretexting Provisions - prohibit accessing private information under false pretenses
Family Education Rights and Privacy (FERPA)
Protects student data, including adult students
Once a person turns 18, parents can't get the student's data without consent from the student
Sarbanes-Oxley Act (SOX)
Protects investors from fraudulent corporate accounting activities. Publicly traded companies can’t lie to their investors.
Children's Online Privacy Protection Act (COPPA)
Imposes certain requirements on website operators or online services directed to children under 13 years old, or that have actual knowledge that they are collecting personal information from a child under 13 years old
Clarifying Overseas Use of Data (CLOUD) Act
Gives broad powers to US law enforcement officials to force US-based organizations to release data regardless of where the company stores the data
Codifies the US right to access individuals' data, which conflicts with the GDPR
Generally Accepted Privacy Principles (GAPP)
The AICPA has documented 74 privacy principles, detailed in the GAPP report
There are 10 main privacy principle groups:
1. Management
2. Notice
3. Choice and consent
4. Collection
5. Use, Retention and Disposal
6. Access
7. Disclosure
8. Security for Privacy
9. Quality
10. Monitoring and Enforcement
What are the CMM maturity levels and CMM level key phrases they align to?
- Initial - Process unpredictable, poorly controlled, and poorly defined
- Managed - Process characterized for projects and often reactive
- Defined - Process characterized for the organization and proactive
- Quantitatively Managed - Process is measured and controlled
- Optimized - Focus on continuous process improvement
(IMDQO)
Privacy Level Agreement
The Cloud Security Alliance (CSA) defines baselines for compliance with data protection legislation and leading practices in a standard format called the PLA
By using a PLA, the CSP declares the level of personal data protection and security that it sustains for the relevant data processing
Internal Audit
An organization's internal audit, performed by an internal team, acts as a 3rd line of defense after the business/IT functions and Risk Management by:
Independently verifying the cloud program's effectiveness
Providing assurance to the board and risk management team on the organization's cloud risk exposure
External Audit
Performed by an external audit organization; may take the form of a SOC report or ISO 27001 certification
Audit Planning Steps In Order
- Define audit objective
- Define audit scope
- Refine audit process from lessons learned
- Fieldwork
- Analysis
- Reporting
(2DR-FAR)
Gap analysis
A tool designed to help you understand where you are and what you need to do to get to where you want to be
A process for benchmarking and identifying areas where the requirements of a framework or standard are not yet met
Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
Maps Frameworks to security/privacy controls
The Cloud Controls Matrix provides a mapping to the main industry-accepted security standards as well as regulatory and control frameworks, e.g. ISO 27001, COBIT 5, PCI DSS, PIPEDA, NERC/CIP, etc.
A registry of cloud security controls arranged in separate security domains
Cloud Security Alliance (CSA) Security, Trust, Assurance Registry (STAR)
A publicly accessible registry that documents security and privacy controls provided by cloud computing offerings
Provides a way to evaluate CSPs
Maps Controls to Providers
CSA STAR Level 1
A self-assessment done by the CSP
The CSP submits one of the following:
- Consensus Assessment Initiative Questionnaire (CAIQ) - documents the CSP's security controls
- Cloud Control Matrix
If the CSP must conform to the GDPR, it must submit the following two documents:
- Code of Conduct (CoC) Statement of Adherence
- Self-assessment results from the PLA Code of Practice (CoP) Template
CSA STAR Level 2
Third-party assessment-based certification (ISO) or attestation (SOC)
To get this level, organizations must submit one of the following:
- STAR Attestation - SOC 2 engagement
- STAR Certification - ISO 27001 certification
- C-STAR - GB/T (China's equivalent of ISO) - applicable only to China
- GDPR Code of Conduct Certification
CSA STAR Level 3
Continuous Monitoring - cloud providers employ an automated process of reporting on monitoring on a monthly basis, from self-assessments to 3rd-party attestations and certifications
The highest and most comprehensive level of assurance a CSP can give to consumers
NIST 800-34r4
A privacy framework for security and privacy controls for Federal Information Systems and Organizations
NIST 800: 69/2 = 34 remainder 4; let's call that 34r4
North American Electronic Reliability Corporation/Critical Infrastructure Protection (NERC/CIP)
A regulatory authority whose mission is to ensure the reliability of the North American bulk power system; includes Canadian and American power grids
If you are a bulk power system owner, operator, or user, you must comply with NERC CIP standards, e.g. you are required to register with NERC
CSPs and CSBs are not subject to NERC/CIP, but the power companies they contract with are
What are the Privacy Maturity Model (PMM) maturity levels and PMM level key phrases they align to?
- Ad Hoc - Poorly defined
- Repeatable - Reactive
- Defined - Proactive
- Managed - Measured and Controlled
- Optimized - Continuous Improvement
(ARDMO)
US Privacy Laws
- Health Information Portability and Accountability Act - HIPAA
- Gramm-Leach-Bliley Act (GLBA)
- Family Education Rights and Privacy (FERPA)
- Sarbanes-Oxley Act (SOX)
- Children's Online Privacy Protection Act (COPPA)
- Clarifying Overseas Use of Data (CLOUD) Act