How can the ISO 27701 help to design, implement, operate and improve a privacy information management system Hernan Huwyler
0 likes565 views
The document discusses how ISO 27701 can assist organizations in establishing and enhancing a privacy information management system, covering areas like application controls, data protection compliance, risk assessment, policy management, and user management. It outlines specific controls for managing personal data, including technical, legal, and security measures, as well as the importance of training and awareness for employees. Additionally, it stresses the need for ongoing compliance and the role of a privacy officer in adhering to privacy laws and best practices.
How can the ISO 27701 help to design, implement, operate and improve a privacy information management system Hernan Huwyler
- 1. How can ISO 27701 help to designing, implementing, operating and improving a privacy information management system Prof. Hernan Huwyler, MBA, CPA January 28th 2020
- 2. Agenda Applications Controls Preparation • Additional control for privacy • Priorities • Implementation and audit tips
- 3. • Tools to manage a privacy system for ISO 27701 and compliance • Documentation and traceability • Global policies enforcement • Single point of control for transfers • Real-time alerts and incident management • Internal and external audit management for vulnerability remediation Applications Tools Data protection Compliance
- 4. • Technical controls • Enforcing encryption, anonymization, pseudonymization and tokenization • Preventing data losses • Managing user permissions • Finding and protecting at-risk data on endpoints and in the cloud • Preventing virus, malware and ransomware attacks • Logging user activities Applications Tools Data protection Compliance
- 5. • Legal controls • Completing subject access requests • Keeping a record of processing activities • Scanning for personal data • Managing of consents and cookies • Performing data protection impact assessments • Managing 3rd party relationships Applications Tools Data protection Compliance
- 6. • Security risk assessment on personal data • Starting from – Objectives in the privacy policy – Requirements in the privacy laws – Assets in the record on processing activities • Models to quantify information security risks • Probability of successful attacks • Financial loss per attack related to affected assets • Priorized action plans • Investment budget • Extention of cyber controls Planning control assessment
- 7. • Appoint a privacy officer • Develop, execute and monitor controls for the privacy program • Monitor compliance with privacy laws (DPO role) • Assess the effectiveness of the role • Independence (from for CISO) • Reporting to top management • Expertise in data protection and privacy laws • Training to employees and top management • Advice in privacy impact assessments Planning control assessment
- 8. • Update the procedure for data breach management and the notification protocol • Update policies that contribute to privacy by design and privacy by default with • guidance on personal data protection and the implementation of the privacy principles in the software development lifecycle • privacy and personal data protection requirements in the design phase, which can be based on the output from a privacy risk assessment and a privacy impact assessment • data protection checkpoints within project milestones • required privacy and personal data protection knowledge • by default minimize processing of personal data Control on policies
- 9. • Ensure to plan for training and awareness sessions based on privacy incidents and near-misses • Cover all groups of employees and contractors managing personal information • Communicate on privacy breaches • the legal and reputational consequences for the organization • the disciplinary consequences for the employee • the impact on the data subjects Control on training
- 10. • Ensure to classify personal information according to the overall categories • GDPR special category data identified in the RoPA a restricted category • Link categories to security controls and protocols • Labeling for data and volumes with personal information • Restricting removable media with personal information, in particular, outside premises Control on data classification
- 11. • Focus on the sensible personal information • Agree the cryptographic controls with processors • Encrypt personal data in transit • In physical transfers, such as to offsite backups and data processors • In emails • In particupar, using untrusted networks such as public internet • Restrict decryption capabilities to authorized personnel Control on encryption
- 12. • Enhance procedures for registration, de- registration and certification of users of systems with personal information • Avoid reissuing expired and deactivated users • Agree on the validated users with data controller and document procedures when processing data on its behalf • Define the frequency to check unused credentials • Update user profiles for personal information Control on user management
- 13. • Update procedures for backups with personal information • Link backups to the record retention policy and legal requirement • Agree backups capabilities with data processors • Log performed backups on personal information • Implement integrity controls with restoring personal information • Erase or de-identify backups with returning unneded data to controllers Control on backups
- 14. • Update the logging procedures for events related to the personal information life cycle • Ensure the completeness of logs > access type, timestap, additions, modifications and deletions • Validate users with access to the logs (wich also contains personal data) • Protect the logs • Review the log and alarms on accesses to personal information • Ensure that the controllers only access to their personal data managed by the processors (not to data of other clients) Control on logging
- 15. • Incorporate clauses with processors and co- controllers to define • minimum technical and organizational measures • roles and responsibilities • controls to ensure compliance • activities by fourth parties • Audit rights or independent certifications Control on third parties
- 16. • Implement explicit erasure of personal information • Restrict the printing of documents with personal information • Review the confidentially agreements for all the employees and subcontractors managing personal data • Avoid using personal data in testing environments • Incorporate the new costs of non-compliance with privacy laws into the information security risk assessments Other controls
- 17. • Perform a gap analysis between the ISO 27701 requirements and current security audit plans including those by controllers • Consider Agile + Scrum for managing the preparation program • Test compliance with new controls • Prepare SMEs for interviews and set time for them to get ready • Agree on the accredited certification body with controllers, marketing and other stakeholders Preparation for ISO certification
- 19. Thanks!
- 20. The copyright of this work belongs to The GDPR Institute® and none of this presentation, either in part or in whole, in any manner or form, may be copied, reproduced, transmitted, modified or distributed or used by other means without permission from The GDPR Institute®. Carrying out any unauthorized act in relation to this copyright notice may result in both a civil claim for damages and criminal prosecution. Copyright notice