Privacy Frameworks

a. PDPSI

Specific frameworks for privacy compliance have now been released in the form of BS 10012 and ISO/IEC 27701.

The need for organizations in India to comply with current Indian law and with the proposed Personal Data Protection law has necessitated an exclusive framework developed in India.

Naavi/Cyberlaw College has already put out an indigenous standard that is compliant with Indian law; the framework is called the Personal Data Protection Standard of India (PDPSI).

This standard will incorporate the best practices of the other frameworks and address Indian needs specifically.

A comparative narration of the three standards is also provided here: PDPSI Vs ISO 27701 Vs BS 10012

b. DSCI

Data Security Council of India (DSCI) is an industry body promoted by NASSCOM and has developed its own framework for privacy, called the DSCI Privacy Framework.

The DSCI Framework is built on nine practice areas spread over three layers, namely

Layer I: Privacy Strategy and Processes

  1. Visibility over Personal Information (VPI)
  2. Privacy Organization and Relationship (POR)
  3. Privacy Policy and Processes (PPP)
  4. Regulatory Compliance Intelligence (RCI)
  5. Privacy Contract Management (PCM)

Layer II: Information Usage, Access, Monitoring and Training

  6. Privacy Monitoring and Incident Management (MIM)
  7. Information Usage and Access (IUA)
  8. Privacy Awareness Training (PAT)

Layer III: Personal Information Security

  9. Personal Information Security (PIS)

c. ISO

Privacy Compliance under ISO 27001 and 27018

ISO/IEC 27001 and ISO/IEC 27018 are the standards for information security management and for the protection of personally identifiable information (PII) in public clouds, published by the International Organization for Standardization (ISO) together with the IEC. ISO standards carry wide industry acceptance, but because they are copyrighted specifications rather than law, they function as a "best practice followed voluntarily by the conforming organizations", with third-party certification available against ISO 27001.

ISO 27001 specifies the requirements for an Information Security Management System (ISMS): a set of activities to identify and manage information security risks. ISO 27002 is an associated code of practice that gives implementation guidance for the controls listed in Annex A of ISO 27001; it does not itself mandate controls, but it is often used along with ISO 27001 to run the ISMS in organizations.

The following mandatory documentation is explicitly required for certification by an auditor under ISO 27001.

  1. ISMS scope
  2. Information security policy
  3. Information risk assessment process
  4. Information risk treatment process
  5. Information security objectives
  6. Evidence of the competence of the people working in information security
  7. Other ISMS-related documents deemed necessary by the organization
  8. Operational planning and control documents
  9. The results of the risk assessments
  10. The decisions regarding risk treatment
  11. Evidence of the monitoring and measurement of information security
  12. The ISMS internal audit program and the results of audits conducted
  13. Evidence of top management reviews of the ISMS
  14. Evidence of nonconformities identified and corrective actions arising
  15. Others: Annex A, which is normative, mentions but does not fully specify further documentation including the rules for acceptable use of assets, access control policy, operating procedures, confidentiality or non-disclosure agreements, secure system engineering principles, information security policy for supplier relationships, information security incident response procedures, relevant laws, regulations and contractual obligations plus the associated compliance procedures and information security continuity procedures.

Certification auditors will check that these fifteen types of documentation are (a) present, and (b) fit for purpose.

The standard does not specify precisely what form the documentation should take, but addresses aspects such as titles, authors, formats, media, review and approval, document control, etc.

ISO 27001 was meant as a means of assessing information security risks and mitigating them through a formal process. It was not, however, focused on regulatory compliance, though there is an attempt (through the A.18 compliance controls) to extend ISO 27001 to some legal aspects such as IPR and the Information Technology Act as amended in 2008 (ITA 2008), to the extent those laws prescribe technical measures for protecting the Confidentiality, Integrity and Availability of information.

Privacy laws that contain similar prescriptions on how to protect the Confidentiality, Integrity and Availability of Personal or Sensitive Personal Information may likewise be treated by an auditor as a requirement of the organization's ISMS policy.

Annex A of ISO/IEC 27001:2013 groups its security controls into the following 14 domains

A.5 Information security policies – controls on how the policies are written and reviewed

A.6 Organization of information security –controls on how the responsibilities are assigned; also includes the controls for mobile devices and teleworking

A.7 Human resources security – controls prior to employment, during, and after the employment

A.8 Asset management - controls related to inventory of assets and acceptable use, also for information classification and media handling

A.9 Access control – controls for Access control policy, user access management, system and application access control, and user responsibilities

A.10 Cryptography – controls related to encryption and key management

A.11 Physical and environmental security –controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk and clear screen policy, etc.

A.12 Operational security – numerous controls related to the management of IT operations: change management, capacity management, malware protection, backup, logging and monitoring, control of software installation, technical vulnerability management, etc.

A.13 Communications security – controls related to network security, segregation, network services, transfer of information, messaging, etc.

A.14 System acquisition, development and maintenance – controls defining security requirements and security in development and support processes

A.15 Supplier relationships – controls on what to include in agreements, and how to monitor the suppliers

A.16 Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence

A.17 Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy

A.18 Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security

A.18 contains the controls that an organization needs to maintain for complying with the laws related to personal data protection (in particular control A.18.1.4, Privacy and protection of personally identifiable information).

ISO 27002 provides the detailed guidance on how to implement the controls that ISO 27001 prescribes.

ISO 27018

ISO/IEC 27018 provides guidance aimed at cloud service providers and offers recommended information security controls to protect the privacy of their customers' clients by securing the PII (Personally Identifiable Information) entrusted to them.

The standard is intended to be “a reference for selecting PII protection controls within the process of implementing a cloud computing information security management system based on ISO/IEC 27001, or as a guidance document for organizations for implementing commonly accepted PII protection controls”

The standard is primarily concerned with public-cloud computing service providers (such as Amazon Web Services and Google’s Compute Engine) acting as PII processors.

It does not officially cover PII principals (i.e. individuals processing their own PII in the cloud, for example using Google Drive) or PII controllers (i.e. cloud service customers processing the PII of their clients, customers, employees and others in the cloud), although both clearly share many of the same concerns and have an interest in the cloud service provider's privacy controls.

The standard interprets rather than duplicates ISO/IEC 27002:2013 in the context of securing personal data processed in the cloud. An annex extends 27002 with additional controls, for example requiring cloud service providers to inform their customers if they use sub-contractors.

Annex A of ISO 27018 lists the following additional controls (which do not exist in ISO 27001/27002) that should be implemented to increase the level of protection of personal data in the cloud:

  • Rights of the customer to access and delete the data
  • Processing the data only for the purpose for which the customer has provided this data
  • Not using the data for marketing and advertising
  • Deletion of temporary files
  • Notification to the customer in case of a request for data disclosure
  • Recording all the disclosures of personal data
  • Disclosing the information about all the sub-contractors used for processing the personal data
  • Notification to the customer in case of a data breach
  • Document management for cloud policies and procedures
  • Policy for return, transfer and disposal of personal data
  • Confidentiality agreements for individuals who can access personal data
  • Restriction of printing the personal data
  • Procedure for data restoration
  • Authorization for taking the physical media off-site
  • Restriction of usage of media that does not have encryption capability
  • Encrypting data that is transmitted over public networks
  • Destruction of printed media with personal data
  • Usage of unique IDs for cloud customers
  • Records of user access to the cloud
  • Disabling the usage of expired user IDs
  • Specifying the minimum-security controls in contracts with customers and subcontractors
  • Deletion of data in storage assigned to other customers
  • Disclosing to the cloud customer in which countries the data will be stored
  • Ensuring the data reaches the destination

More ISO Guidance

ISO/IEC 27000, 27001 and 27002 are cited in ISO 27018 as 'normative' (i.e. essential) references, along with ISO/IEC 17788 "Cloud computing – overview and vocabulary" and ISO/IEC 29100 "Privacy framework".

ISO/IEC 29100:2011 provides a privacy framework which specifies a common privacy terminology; defines the actors and their roles in processing personally identifiable information (PII); describes privacy safeguarding considerations; and provides references to known privacy principles for information technology.

ISO/IEC 29100:2011 is applicable to natural persons and organizations involved in specifying, procuring, architecting, designing, developing, testing, maintaining, administering, and operating information and communication technology systems or services where privacy controls are required for the processing of PII.

d. NIST

NIST (National Institute of Standards and Technology), USA publishes freely available standards and guidelines on information security, including privacy risk management. For organizations that are not bound by other regulatory standards, NIST is the best source of guidance.

NIST issued a draft Privacy Risk Management Framework (PRMF) in 2015 (draft NISTIR 8062) to address the privacy risks in an organization. Though NIST guidelines are mandatory only for US Federal agencies, they are good enough to be followed even by the private sector, subject to minor modifications that may be required.

The PRMF is composed of the following six processes:

  1. Framing business objectives
  2. Framing organizational privacy governance
  3. Assessing system design
  4. Assessing privacy risk
  5. Designing privacy controls
  6. Monitoring change

NIST first released SP 800-53 in 2005 to provide guidance to agencies on applying a catalog of controls to manage information security risks in accordance with the requirements of the Federal Information Security Management Act (FISMA).

As part of the fourth revision of SP 800-53 in 2013, NIST added Appendix J, which comprises a set of privacy controls drafted by an interagency working group of privacy officers.

Further revisions and improvements are underway. The July 2016 update by OMB (US Office of Management and Budget) to Circular A-130 clarified that federal agencies' obligations with respect to managing privacy risk and information resources extend beyond compliance with privacy laws, regulations and policies, and that agencies must apply the NIST Risk Management Framework (NIST RMF) to their privacy programs and information systems.

NIST Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, is scheduled to be updated in 2017. The draft document (NISTIR 8062) on a revised privacy risk management approach for Federal Information Systems has been issued by NIST and public comments have been collected. This is now under process and should be reflected in any revised document that may come forth.

The emerging guidelines may particularly address the privacy concerns arising from IoT, Big Data, Smart Cities, etc.

Credits and Courtesy of the above content to http://privacy.ind.in/ and Naavi (Naa Vijayshankar Sir)