“If we’re going to be connected, then we need to be protected. As Americans, we shouldn’t have to forfeit our basic privacy when we go online to do our business. Each of us as individuals have a sphere of privacy around us that should not be breached, whether by our government, but also by commercial interests.” These words were spoken two weeks ago by the American president Barack Obama, who urged Congress to pass a series of cybersecurity and privacy laws that will further protect the data privacy of customers and of children in schools. Once again, the topic of data privacy and regulation has made newspaper headlines.
In 2014, privacy and regulation issues continued to affect organizations on many levels, and looking ahead to 2015, according to the Information Security Forum (ISF), this topic will still dominate as one of the five security trends, together with cybercrime, threats from third-party providers, bring your own (BYO) devices, and people. Moreover, it is predicted that in 2015 all these security trends will continue to grow in complexity and sophistication.
So, for every organization, the concept of privacy, and specifically the protection of Personally Identifiable Information (PII), will play a critical role in achieving the organization's objectives. Nowadays every organization has to balance its own interests with those of its customers. It has to comply with the various applicable laws to reduce the risk of regulatory sanctions in the state where it operates, and it also has to treat data privacy protection as a business risk, all in order to reduce possible reputation damage and loss of customers due to privacy breaches.
However, the massive number of information and communication technologies (ICT) used to transmit, share, collect and carry data, and the enormous amount of data that passes through these processes every day, have made privacy protection a very complex task. One reason is that data privacy breaches are influenced directly by technological innovation, and the fact that legislation can never keep pace with technological developments makes it very difficult to maintain regulations on this issue.
Another reason is that different countries already have different laws that regulate and protect the use of Personally Identifiable Information (PII), each with its own penalties for these kinds of threats. Complying with all these regulations is hard and confusing for international organizations. Some states in the US and the EU are already developing stronger protections and have created several penalties for the loss of customers' data. Since states are creating regulatory systems independently of one another, complying with all these laws is costly and brings additional work for organizations, which need to dedicate resources, a specific management structure and controls to this issue.
As a result, international information security standards are needed more than ever as a global point of reference for PII protection. The International Organization for Standardization has already published some standards and intends to publish specific standards that will protect PII from different points of view. Among them is the code of practice for information security controls known as ISO 27002. This standard was developed taking into account the control requirements already contained in ISO 27001, so ISO 27002 is a technical standard that provides a number of requirements and good practices designed to ensure the security of data in general. With respect to Personally Identifiable Information (PII), it requires that organizations develop and implement a policy to protect PII.
In addition, standards such as ISO 29100 (Privacy framework) and ISO 29101 (Privacy architecture framework) were developed to provide a higher-level framework for the protection of Personally Identifiable Information (PII) within information and communication technology systems. These standards can be used to design, implement, operate and maintain ICT systems that enable the protection of PII and improve organizations' privacy programs through the use of best practices.
The vast amount of data that is nowadays stored in cloud systems has brought into scope another standard, namely the code of practice for the protection of PII in public clouds, ISO 27018, which requires PII protection at certain functions within cloud services. This standard helps cloud service providers offer cloud services of adequate quality and security with regard to data privacy. Furthermore, given the prominence that privacy enjoys among customers, the standard can facilitate customers' decision making when selecting the most suitable cloud service provider.
Compliance with all of these standards' controls will help organizations and improve their information security systems; however, in every country the implementation of such controls depends on national legislation, which can impose different obligations and different restrictions regarding personally identifiable information. This is why every organization should give full attention to employing security specialists who are certified in information security and have the appropriate knowledge and experience to link data security with the company's goals and to work within the legal and regulatory requirements.
The Professional Evaluation and Certification Board (PECB) is a personnel certification body covering a wide range of professional standards. It offers ISO 27001, ISO 27005, ISO 29100 and ISO 27002 training and certification services for professionals who want to support organizations in implementing these management systems. Regarding privacy, PECB offers the Certified Lead Privacy Implementer training and certification based on ISO 29100.
ISO Standards and Professional Trainings offered by PECB:
• Certified Lead Implementer (5 days)
• Certified Lead Auditor (5 days)
• Certified Foundation (2 days)
• ISO Introduction (1 day)
Lead Auditor, Lead Implementer and Master are certification schemes accredited by ANSI under ISO/IEC 17024.
Rreze Halili is the Security, Continuity, Recovery (SCR) Product Manager at PECB. She is in charge of developing
and maintaining training courses related to SCR. If you have any questions, please do not hesitate to contact:
scr@pecb.org.
For further information, please visit www.pecb.org/en/training