ISO 29100
HOW CAN ORGANIZATIONS SECURE THEIR PRIVACY NETWORK?

When Recognition Matters

WHITEPAPER

www.pecb.com


CONTENTS

Introduction ... 3
About ISO/IEC 29100 ... 3
Why should PII be protected? ... 5
Consequences of not protecting PII ... 5
What are the Benefits of having a Privacy Framework? ... 6
Why is PECB a Worthy Choice? ... 7
Steps for Obtaining a PECB Certification ... 8

PRINCIPAL AUTHORS
Eric LACHAPELLE, PECB
Bardha AJVAZI, PECB
Fitim RAMA, PECB

ISO 29100 // HOW CAN ORGANIZATIONS SECURE THEIR PRIVACY NETWORK? 2


INTRODUCTION

During the past years, we have witnessed huge record losses because of many information security incidents involving personally identifiable information (PII) that have affected both individuals and organizations. Typical consequences of such incidents include legal liability, identity theft and recovery costs. Therefore, organizations should implement an international standard that provides guidelines on how to protect their privacy networks and PII, to keep pace with the increased usage of information and communication technologies (ICT) that process PII.

In response to ongoing privacy-related incidents affecting large corporations, small companies and well-known individuals, ISO/IEC published ISO/IEC 29100, Privacy framework, in 2011, complemented in 2013 by ISO/IEC 29101, Privacy architecture framework. Together they provide a high-level framework for protecting PII within information and communication technology systems. Organizations can use these standards to design, implement, operate and maintain ICT systems that protect PII, and to improve their privacy programs through industry best practices.

About ISO/IEC 29100
ISO/IEC 29100 is intended to be used by persons and organizations involved in designing, developing, procuring, architecting, testing, maintaining and operating information and communication technology systems where privacy controls are required for the processing of PII.

This privacy framework is developed to assist organizations in defining their privacy safeguarding requirements for the PII they process, by:

• specifying a common privacy terminology;
• defining the actors and their roles in processing PII;
• describing privacy safeguarding considerations; and
• providing references to known privacy principles for IT.

Although several existing standards address information security (ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27018, for example), ISO/IEC 29100 focuses specifically on the processing of PII.


PII is any information that can be used to uniquely identify, contact or locate an individual, or that can be combined with other sources to uniquely identify a person. ISO/IEC 29100 itself defines PII as any information that can be used to identify the PII principal to whom it relates, or that is or might be directly or indirectly linked to a PII principal.

Examples of PII are:
• First and last name
• Location information
• Credit card numbers
• Age
• Criminal record

Note that an attribute such as age identifies a person only in combination with other data, so classification must consider the combination of fields held, not each field in isolation.


The continually increasing complexity of ICT systems has made it difficult for organizations to ensure that the privacy of the PII they hold is protected, and with the high commercial use of PII, achieving compliance with the various applicable laws has become harder.

Therefore, the ISO/IEC 29100 standard sets out eleven substantive privacy principles (presented in the chart below) that are developed to take account of applicable legal and regulatory, contractual, commercial and other relevant factors. These principles are derived from those developed by a number of states, countries and international organizations worldwide.

Besides being used to guide the design, development and implementation of privacy policies and controls, these principles can also be used as a reference point in the monitoring and measurement of performance, benchmarking and auditing aspects of privacy management programs in an organization.

Moreover, the basic elements of the ISO/IEC 29100 Privacy Framework are presented in the figure below, which is taken from WG5 at the ISO/IEC/FIDIS/ITU-T Joint Workshop on Identity Management Standards, Lucerne, Switzerland, 2007. The figure identifies PII Providers and PII Receivers as the actors. PII providers can be users of an ICT system, data owners or subscribers, whereas application providers or administrators are the PII receivers. Privacy preferences are set by PII providers, while the safeguarding controls are applied by PII receivers throughout the information lifecycle: collection, storage, use, transfer and deletion of information.

1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance


Why is it important for the PII to be protected?
Personally identifiable information may include very confidential data that are intended only for restricted use. Their protection is crucial because disclosure of that information may result in many consequences (see next section). The main reasons why organizations protect the PII they hold are the following:

• to protect the PII principal's privacy
• to meet legal and regulatory requirements
• to practice corporate responsibility
• to increase consumer credibility, and
• to reduce the number of security breaches

Consequences of not protecting PII
By not taking the protection of PII seriously, many organizations run into issues that result in huge costs. When a security breach occurs, not only is the information itself harmed, but it also causes a domino effect in which your clients, or your clients' clients, may be damaged. This chain of damage brings many unintended problems to organizations, such as fines and court cases, dissatisfied stakeholders, a steep increase in disaster recovery costs and, last but not least, harm to reputation. Below is a list of only a few of the most recent incidents that have occurred in various organizations:

"43% of companies have experienced a data breach in the last year, which is up 10% from a year ago." Ponemon Institute report

Figure: Basic elements of the ISO/IEC 29100 privacy framework. Actors: PII Provider (data subject, user, data owner, subscriber, ...) providing personally identifiable information, and PII Receiver (application provider, data controller, administration, data collector, ...) assuring the required privacy safeguarding controls. The PII Provider sets Privacy Preferences; the PII Receiver issues a Privacy Policy based on its Internal Rules, Business Use Case and Legal Requirements, with an optional check against the privacy principles, and applies Privacy Safeguarding Controls across the information lifecycle: Collect, Store, Use, Transfer, Destroy. Panels A, B, C.


2014 Sony Pictures Entertainment Hack

• In November 2014, confidential information including information about employees, internal e-mails, executive salaries and copies of unreleased films was exposed. It is believed that this attack has cost Sony Pictures approximately $15 million in recovery. In addition, the leak of information (especially e-mails between employees) caused turmoil among many well-known celebrities, and a number of lawsuits followed.

2014 Home Depot Data Breach

• In September 2014, attackers broke into the company's payment systems, which resulted in 53 million stolen customer e-mail addresses and 56 million compromised customer credit card accounts. It is believed that this incident has cost the company $34 million to overcome.

2012 TD Bank Data Breach

• In March 2012, TD Bank experienced a data breach in which the personal information of as many as 260,000 customers, such as account information and Social Security numbers, was exposed, resulting in a $625,000 settlement.

What are the Benefits of having a Privacy Framework?
Implementing and maintaining a Privacy Framework based on the ISO/IEC 29100 standard has crucial benefits for every organization and individual dealing with personally identifiable information, such as:

• It serves as a basis for additional privacy standardization initiatives, for example a technical reference architecture, the use of specific privacy technologies, overall privacy management, assurance of privacy compliance for outsourced data processes, privacy impact assessments and engineering terms,
• It defines privacy safeguarding requirements as they relate to all personally identifiable information and communication systems,
• It is applicable on a wide scale and sets a common privacy terminology, defines privacy principles when processing PII, classifies privacy features and relates all described privacy aspects to existing security guidelines,
• It is closely linked to existing security standards that have been widely implemented in practice,
• It places organizational, technical, procedural and regulatory aspects in perspective and addresses system-specific matters at a high level, and
• It provides guidance relating information and communication system requirements for processing personally identifiable information, to contribute to the privacy of people on an international level.

Why should you use ISO/IEC 29100?
The ISO/IEC 29100 Privacy Framework serves as a base for other relevant standards; it is internationally applicable and general in nature. In other words, this standard takes into account organizational, technical, procedural and regulatory matters by setting common privacy terminology and principles. It also lists privacy features to be upheld in conjunction with security guidelines.

Moreover, a Privacy Framework contributes to improvements in privacy, assists in maintaining good governance, reduces overhead costs related to security, and serves as a good marketing strategy to promote your credibility with internationally known ISO standards.

These are only some of the reasons why every organization should focus on having security specialists who are certified in information security and have the appropriate knowledge and experience to link data security with the company's goals, while working within legal and regulatory requirements.


Figure: IMS2 methodology, PDCA phases and steps

1. PLAN
1.1 Initiating the framework
1.2 Understanding the Organization
1.3 Analyze the Existing System
1.4 Leadership and Project Approval
1.5 Scope
1.6 Security Policy
1.7 Risk Assessment
1.8 Control Statement

2. DO
2.1 Organizational Structure
2.2 Document Management
2.3 Design of Controls & Procedures
2.4 Communication
2.5 Awareness & Training
2.6 Implementation of Controls
2.7 Incident Management
2.8 Operations Management

3. CHECK
3.1 Monitoring, Measurement, Analysis and Evaluation
3.2 Internal Audit
3.3 Management Review

4. ACT
4.1 Treatment of Non-conformities
4.2 Continual Improvement

Why is PECB a Worthy Choice?
Implementation of the Privacy Framework with the IMS2 methodology

Considering the well documented benefits of implementing a Privacy Framework based on ISO/IEC 29100, the proposal is easier to decide on.

Most companies now realize that it is not sufficient to implement a generic, "one size fits all" privacy framework. For an effective response with respect to maintaining the privacy framework, the framework must be customized to fit the company. A more difficult task is the compilation of a privacy framework that balances the requirements of the standard, the business needs and the certification deadline.

There is no single blueprint for implementing ISO/IEC 29100 that will work for every company, but there are some common steps that will allow you to balance the frequently conflicting requirements and prepare you for a successful certification audit.

PECB has developed a methodology (see the accompanying figures) for implementing a Privacy Framework: the "Integrated Implementation Methodology for Management Systems and Standards (IMS2)", based on applicable best practices. This methodology follows the guidelines of ISO standards and also meets the requirements of ISO/IEC 29100.

IMS2 is based on the PDCA cycle, which is divided into four phases: Plan, Do, Check and Act. Each phase has between 2 and 8 steps, for a total of 21 steps. In turn, these steps are divided into 101 activities and tasks. This 'Practical Guide' considers the key phases of the implementation project from the starting point to the finishing point and suggests the appropriate 'best practice' for each one, while directing you to further helpful resources as you embark on your ISO/IEC 29100 journey.


Figure: IMS2 PDCA cycle (Plan, Do, Check, Act) for Privacy Framework projects, organized into phases, steps, activities and tasks.

The sequence of steps can be changed (inversion, merge). For example, the implementation of the management procedure or documented information can be done before the understanding of the organization. Many processes are iterative because of the need for progressive development throughout the implementation project; for example, communication and training.

By following a structured and effective methodology, an organization can be sure it covers all minimum requirements for the implementation of the framework. Whatever methodology is used, the organization must adapt it to its particular context (requirements, size of the organization, scope, objectives, etc.) and not apply it like a cookbook.

Steps for obtaining a PECB Certification
To ensure that organizations or individuals achieve planned and desired results, the following steps serve as guidance on how to become PECB certified (for individuals, as a PECB Certified Lead Privacy Implementer).

For organizations:
1. Implement the privacy framework
2. Perform internal audit and reviews
3. Select preferred certification body
4. Perform a pre-assessment audit (optional)
5. Perform the stage 1 audit
6. Perform the stage 2 audit (on-site)
7. Perform a follow-up audit (optional)
8. Register the certification
9. Assure continual improvement by conducting surveillance audits

For individuals:
1. Participate in the training course
2. Register for the certification exam
3. Sit for the certification exam
4. Apply for the certification scheme upon successful exam completion and fulfillment of certification requirements (stated on our website)
5. Obtain certification

For further details relating to the types of training and certifications that PECB offers, please visit our website: www.pecb.com


www.pecb.com
+1-844-426-7322
[email protected]
Customer Service