
Information security : Governance, Do’s and Don’ts; November 11 th 2013


Presentation Transcript


  1. Mr. Cees Zwinkels MPC CPC, Computer/Law Institute, Vrije Universiteit Amsterdam, c.zwinkels@rechten.vu.nl. Information security : Governance, Do’s and Don’ts; November 11th 2013

  2. Content: NIB Directive; Directive Privacy Protection; Wbp; CBP Instructions about security of personal data; Case ANPR; Do’s and Don’ts

  3. Regulation : Directive Security Networks and Information Systems. The NIB directive (2012) is a draft, not yet approved. The focus of the directive is to handle all incidents with a high impact on security. See art.2 sub 2 : Security is the ability of a network and information system to resist, at a given level of confidence, accidents or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored and transmitted data or the related services offered by or accessible via that network and information system. See art.3 sub 3 : Risk means any circumstance or event having a potential adverse effect on security.

  4. Regulation : Directive Security Networks and Information Systems. See art.14 sub 1 : Public administration and market operators (1) take appropriate technical and organisational measures (2) to manage the risks posed to the security of the networks and information systems (3) which they control and use in their networks (4). These measures shall guarantee a level of security appropriate to the risk presented (5).

  5. Regulation : Privacy Protection Law (WBP) : The WBP is based on the Directive Privacy Protection 1995. The new directive will replace the directive of 1995. See art.17 sub 1 : member states shall implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or loss. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. See art.17 sub 2 : The controller must ensure compliance with the measures.

  6. Regulation : Privacy Protection Law (WBP) : Article 13 = The responsible organisation or person (1) is in control (2) with technical and organisational measures (3) in accordance with the appropriate level of security (4), based on the analysis of the risks (5) and having regard to the state of the art and the costs of implementation (6).

  7. Regulation : Law Privacy Protection (WBP) : Article 14 = The responsible organisation or person (1) is in control (2) with the technical and organisational measures (3) which the external party (3) has taken in accordance with the adequate level of security (4).

  8. Regulation/Other EU Directives. The Directive Electronic Identification is available as a draft (2012). The Directive Data Protection will replace the existing Directive.

  9. Regulation/Privacy Impact Assessment (PIA). A PIA is not directly based on European or national regulation. A PIA is a type of instruction about how to analyse the privacy impact of new regulation or an IT project at the beginning of the process of developing the new law or project. So, a PIA is not an instrument for checking compliance. A PIA is not the same as a DPIA (Data Protection Impact Assessment).

  10. Governance : How to be in control. See CBP (College Protection Personal Data) : Instructions regarding the protection of personal data. Is there a document with information about the information security policy? How about roles and responsibilities between the stakeholders :
  • The Board?
  • Management?
  • End users?
  • CSO?
  How about identification and authorisation?

  11. Governance : How to be in control. See CBP (College Protection Personal Data) : Is there a type of logging regarding the identification and authorisation? How about network security? Are databases and related applications secured with support of technical tooling? Is there a procedure in order to get information about incidents, and how to handle them?

  12. Governance : How to be in control. See Borking, 2001 / Approach : There are four categories regarding risks : 1 = public information; 2 = information about persons within the organisation; 3 = very private data, e.g. about personal health care; 4 = big themes like state security. The types of measures you organise have to be in accordance with the types of risks.

  13. Case ANPR. ANPR is automatic number plate recognition. Process : The camera registers the number plate in the central database. This database is matched against other databases (Police, Social Control Authority, Tax Control Authority). If there is a match, the police will stop your car.

  14. Case ANPR. The house of parliament was very upset about the new law. They asked for a PIA. The outcomes of the PIA are the following. Objectives : The risk that data will be collected on behalf of non-formulated objectives is great (function creep). And the impact of the risk is big.

  15. Case ANPR. Roles and responsibilities : The risk that the wrong people will get their hands on the registered data is great. And the impact of the risk is big. Incidents : The risk of hacking is great. And the impact of the risk is big. Applications and infrastructure : The risk of no security tools linked to applications and infrastructure is small. And the impact of the risk is big.

  16. Case ANPR. Logging : The risk of not logging the registrations related to persons with access to the data is small. And the impact of the risk is big.

  17. Case ANPR. How would you organise the measures in order to be in compliance with the law?
  • Is there a need for contracting?
  • How about auditing and reporting?

  18. Case ANPR. What are the Do’s and Don’ts?
