www.pecb.org

Personally Identifiable Information Protection


“If we’re going to be connected, then we need to be protected. As Americans, we shouldn’t have to forfeit our basic privacy when we go online to do our business. Each of us as individuals have a sphere of privacy around us that should not be breached, whether by our government, but also by commercial interests.” These words were spoken two weeks ago by the American president Barack Obama, who urged Congress to pass a series of cybersecurity and privacy laws that will further protect the data privacy of customers and of children in schools. Once again, data privacy and regulation has made newspaper headlines.

In 2014, privacy and regulation issues continued to affect many levels of organizations, and looking ahead to 2015, the Information Security Forum (ISF) expects this topic to remain one of the five dominant security trends, together with cybercrime, threats from third-party providers, bring your own (BYO), and people. It is further predicted that in 2015 all of these trends will continue to grow in complexity and sophistication. For every organization, therefore, the concept of privacy, and specifically the protection of Personally Identifiable Information (PII), will play a critical role in achieving its objectives. Every organization today has to balance its own interests with those of its customers. It has to comply with the various applicable laws in order to reduce regulatory sanctions in the state where it operates, and it also has to treat data privacy protection as a business risk, so as to reduce the reputational damage and loss of customers that privacy breaches can cause.

However, the vast number of information and communication technologies (ICT) used to transmit, share, collect and carry data, together with the enormous amount of data that passes through these processes every day, have made privacy protection a very complex task. One reason is that data privacy breaches are directly influenced by technological innovation, and because legislation can never keep pace with technological development, it is very difficult to keep regulation on this issue up to date.

Another reason is that different countries already have different laws regulating and protecting the use of Personally Identifiable Information (PII), each with its own penalties for such threats. Complying with all of these regulations is hard and confusing for international organizations. Some states in the US and the EU are already developing stronger protections and have introduced penalties for the loss of customers’ data. Because states are building their regulatory systems independently, complying with all of these laws is costly and creates additional work for organizations, which need dedicated resources, a specific management structure and controls for this issue.


As a result, international information security standards are badly needed as a global point of reference for PII protection. The International Organization for Standardization has already published several standards and intends to publish further standards that protect PII from different points of view. The code of practice for information security controls, ISO 27002, is considered one of them. This standard was developed taking into account the control requirements already contained in ISO 27001, so ISO 27002 is a technical standard providing a number of requirements and good practices designed to ensure the security of information in general. Its control on the privacy and protection of Personally Identifiable Information (PII) requires that organizations develop and implement a policy to protect PII.

In addition, standards such as ISO 29100 (Privacy framework) and ISO 29101 (Privacy architecture framework) were developed to provide a high-level framework for the protection of PII within information and communication technology systems. These standards can be used to design, implement, operate and maintain ICT systems that enable the protection of PII, and they improve organizations’ privacy programs through the use of best practices.

The vast amount of data now stored in cloud systems has brought another standard into scope, namely ISO 27018, the code of practice for the protection of PII in public clouds, which requires PII protection for specific functions within cloud services. This standard helps cloud service providers offer adequate quality and secure cloud services with respect to data privacy. Furthermore, given how much customers care about privacy, the standard can also support customers’ decision making when selecting the most suitable cloud service provider.

Compliance with all of these standards’ controls will help organizations and improve their information security systems; however, in every country the implementation of such controls depends on national legislation, which can impose different obligations and different restrictions on personally identifiable information. This is why every organization should make sure it has security specialists who are certified in information security and who have the knowledge and experience to link data security with the company’s goals while working within the legal and regulatory requirements.

The Professional Evaluation and Certification Board (PECB) is a personnel certification body covering a wide range of professional standards. It offers training and certification services on ISO 27001, ISO 27005, ISO 29100 and ISO 27002 for professionals who want to support organizations in implementing these management systems. Regarding privacy, PECB offers Certified Lead Privacy Implementer training and certification based on ISO 29100.

ISO Standards and Professional Trainings offered by PECB:

• Certified Lead Implementer (5 days)
• Certified Lead Auditor (5 days)
• Certified Foundation (2 days)
• ISO Introduction (1 day)

Lead Auditor, Lead Implementer and Master are certification schemes accredited by ANSI under ISO/IEC 17024.

Rreze Halili is the Security, Continuity, Recovery (SCR) Product Manager at PECB. She is in charge of developing and maintaining training courses related to SCR. If you have any questions, please do not hesitate to contact [email protected].

For further information, please visit www.pecb.org/en/training
