- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Sun, 9 Dec 2018 21:47:11 +0100
- To: public-dpvcg <public-dpvcg@w3.org>
Hello all,

Regarding Data Security, I have observed most organisations either refer to ISO standards/certs they have, or use wording that indirectly relates to these. Therefore, I describe below a summary of some relevant standards (there are surely more). I think these would be useful as annotations over, say, data storage or data sharing operations, where the security of data is required to be specified.

These need to be distinguished as security via obfuscation, i.e. encryption, vs access control and other techniques. There is also a categorisation along security practices for the org (authentication) vs security measures acting directly on or over the data.

Encryption standards are defined by ISO/IEC 18033-3 and contain a description of a large range of used cryptographic techniques.

Security aspects regarding anonymisation: WP29 opinion 05/2014 on anonymisation techniques https://www.pdpjournals.com/docs/88197.pdf with an easy to understand summary at https://www.privacylives.com/article-29-working-party-issues-opinion-on-anonymization-techniques/2014/04/24/

NIST has a report on "De-Identification of Personal Information" (NISTIR 8053) https://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf

Someone has been kind enough to look into a mapping between GDPR and ISO27000 http://www.iso27001security.com/ISO27k_GDPR_mapping_release_1.pdf

There are two standards - ISO27001/2 and ISO27018 for cloud based services.

ISO27018 adds the following over ISO27001/2 (source: random article on the internet https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud)

* Rights of the customer to access and delete the data
* Processing the data only for the purpose for which the customer has provided this data
* Not using the data for marketing and advertising
* Deletion of temporary files
* Notification to the customer in case of a request for data disclosure
* Recording all the disclosures of personal data
* Disclosing the information about all the sub-contractors used for processing the personal data
* Notification to the customer in case of a data breach
* Document management for cloud policies and procedures
* Policy for return, transfer and disposal of personal data
* Confidentiality agreements for individuals who can access personal data
* Restriction of printing the personal data
* Procedure for data restoration
* Authorization for taking the physical media off-site
* Restriction of usage of media that does not have encryption capability
* Encrypting data that is transmitted over public networks
* Destruction of printed media with personal data
* Usage of unique IDs for cloud customers
* Records of user access to the cloud
* Disabling the usage of expired user IDs
* Specifying the minimum security controls in contracts with customers and subcontractors
* Deletion of data in storage assigned to other customers
* Disclosing to the cloud customer in which countries the data will be stored
* Ensuring the data reaches the destination

Most of these look like checkbox items, but we can still provide a consistent way to add them as annotations over the processing operations.

Regards,

--
---
Harshvardhan J. Pandit
PhD Researcher
ADAPT Centre, Trinity College Dublin
https://harshp.com/
Received on Sunday, 9 December 2018 20:47:35 UTC