
  • Ben Gerber, CISSP, CISA, CPP, CIPP/G | Profile
    everyone's security. I have led clients across the globe in achieving and maintaining solid privacy practices and security for their most sensitive assets: their customers' and employees' personal information. This resulted in managed risk, achieving and maintaining compliance with laws, regulations and industry practices; better experiences for customers and users of both services and products; respected employees valuing their employer; trust, confidence and worldwide esteem for organizations and their

    Original URL path: http://privacidad.cr/ (2016-03-26)


  • Ben Gerber, CISSP, CISA, CPP, CIPP/G | Contact
    to this web server using SSL. Please use the below form to contact me. From; Message; Encrypt the message content before sending (optional, requires JavaScript/JScript); Leave the message content in plaintext; Please wait a few seconds, encrypting; Encrypted Message

    Original URL path: http://privacidad.cr/contact/ (2016-03-26)

  • Ben Gerber, CISSP, CISA, CPP, CIPP/G | Publications
    article are available from IEEE (external link).
    "A Technology Perspective on Worldwide Privacy Regulations", IBM Journal of Research and Development, March 2009. An abstract and the full article are available from IEEE (external link).
    "Achieving Data Privacy through Data Obfuscation", Privacy & Data Security Law Journal, March 2009. The full article is available here.
    "Vendor Management: Maintaining Privacy Compliance in Outsourced Business Relationships", Privacy & Data Security Law Journal, October 2008. The full article is available here.
    "E-mail Encryption", Illinois State Bar Association Standing Committee on Legal Technology, August 2008. Excerpts from the article are available here.
    "Information Security for the Solo and Small Firm Attorney", Illinois State Bar Association Standing Committee on Legal Technology, June 2007.
    "Protecting Outsourced Data: The Role of the Vendor Management Office", Privacy & Data Security Law Journal, December 2006.
    Inventions:
    Wearable Device to Detect Potential Interference or Unauthorized Access Attempts to Implanted Medical Devices. More information is available here.
    Search Engine Service Utilizing Hash Algorithms, Privacy Enhancing Search Engine Service. More information is available here.
    Search Engine Service Utilizing the Addition of Noise, Privacy Enhancing Search Engine Service. More information is available here.
    Service Oriented Architecture Lifecycle Organization Change Management. More information is available here.
    Selecting

    Original URL path: http://privacidad.cr/pub/ (2016-03-26)

  • Ben Gerber, CISSP, CISA, CPP, CIPP/G | Domains
    privacidad.com.uy, datos.org.es, privacidad.org.es, privacy.org.uk, donnees.lu, confidentialite.lu, datenschutz.lu, privacy.lu, privacy.org.il, privacy.asia, privacy.org.in, privacy.in.th, privacy.sg, privacy.vn, privacy.hk, privacy.com.tw

    Original URL path: http://privacidad.cr/domains/ (2016-03-26)

  • Conceptualizing Privacy - December 2010 ACM SIGCAS Computers and Society
    experience under Soviet control included extensive privacy invasions by governments seeking out dissidents. The United Kingdom's extensive use of closed-circuit television (CCTV) cameras is largely influenced by the 1993 Bulger murder. In Mexico, where kidnapping is prevalent, many individuals' privacy concerns are tied directly to their and their families' physical safety. Privacy laws around the world are a reflection of the cultural experiences that frame constituents' demands for privacy protections by their governments. Understanding the origins of how we think about privacy today, and perhaps tomorrow, helps engage the mindset that allows people to identify privacy risks and implications when their organizations introduce new solutions, be they the leveraging of new technologies or innovative business and governance models, or considering the release of, or new uses for, existing data sets.

    Think Outside the PII Box as a Group Exercise

    A lot of organizations' privacy-related activities are compliance driven, and most compliance requirements focus on controls and restrictions on personally identifiable information (PII) or personal information (PI). Which is to say, a compliance approach largely focuses on controlling the collection, use and maintenance of specific sets of data elements, particularly in the United States, where the privacy laws that are on the books are either sectoral (e.g. financial, healthcare) or focus around addressing the problem of identity theft. However, PII is the Maginot Line of privacy. We need to be looking beyond policies and controls that address PII and think about the wider context of information and how it relates to individuals. A great way to demonstrate this is by showing that the use of categorical or demographic characteristics alone can uniquely identify individuals [1]. But how can we get people to think about how seemingly progressive or innocent changes or additions can clash with cultures

    Original URL path: http://privacidad.cr/pub/Conceptualizing_Privacy_2010.html (2016-03-26)

  • Privacy Enhanced Search - December 2010 ACM SIGCAS Computers and Society
    out of the search providers' control, be they hacks [8], subpoenas [9] or just bad actors; in September, Google fired an engineer for spying on children's e-mail and chats [10]. Some solutions have been proposed. In August, Stephen Colbert provided his solution, along with some other humorous tips on maintaining your privacy [11]: "Gmail keeps track of everyone you ever e-mailed, so you'll want to get rid of your old friends and family. And since Google also tracks all your searches and web history, you should change everything you have ever searched for on the Internet." While Colbert's solution requires us to modify our past, another option exists for the distant future. Last October, Scientific American ran an intriguing article by Seth Lloyd [12], a professor of mechanical engineering at the Massachusetts Institute of Technology, that utilizes quantum mechanics to solve the search privacy problem. The solution requires a viable quantum Internet or large quantum RAMs. Lloyd and his colleagues have nailed down the details of how to build quantum RAM and make quantum private queries, and another team in Italy managed to implement a simple quantum RAM and perform a search against a small database stored in it. This is impressive; however, viable implementation of this quantum technology may be decades away.

    Is there a solution possible built upon existing technology? YES. In 2008, IBM filed a patent application for an invention that does just this (application number 12/345,842, publication number US 2010/0169293 A1) [13]. By applying three basic cryptographic building blocks (symmetric cryptography, cryptographic hash functions and salts, described in figure 1) and considerable cryptographic acceleration, the invention, described in figure 2, achieves privacy-enhanced search. Obviously this approach to delivering search services is in conflict with the status quo business model for search engines, though with a bit more imagination this too perhaps could be addressed. Privacy-enhanced search could be applied for specialized search engines where the search terms are particularly sensitive, such as with medical conditions. The technology might also be a very valuable feature for use in cloud computing, such as with the increasingly popular Evernote [14] service: if my client maintains control over the keys and salts, I could not only store encrypted information in the cloud, but utilize the cloud's power to search through it. For general search engines, perhaps a pay-for-use model could permit users to regain their privacy.

    In his above-mentioned article, Lloyd recounted a conversation he had with Brin and Page where he described his quantum solution, incidentally while they are all relaxing in a hot tub: Their first response was that Google's business model was to keep the information about all queries and to use it to prioritize advertising and future search results. Not retaining the information about queries had not occurred to them. When I put to them the evident advantages of a new quantum business model based on charging customers for search results

    Original URL path: http://privacidad.cr/pub/Privacy_Enhanced_Search_2010.html (2016-03-26)

  • Achieving Data Privacy Through Data Obfuscation - March 2009 Privacy & Data Security Law Journal
    accomplished by de-identifying data records prior to transfer. For example, for the completion of salary surveys, the only necessary information may be job function, salary and broad geographic location of employees. Names, serial numbers and other unique identifiers are unnecessary, and specific demographic information such as zip code may also be beyond what is required for functional results. As long as the risk of re-identification is understood, de-identification is a very valuable tool.

    Project Approach

    The following high-level outline of a data obfuscation project approach aids in gaining an understanding of the various considerations that go into a successful data obfuscation implementation. Working with legal, the data business owners, database administrators, data architects, application development and testing leads, information security and the privacy organization:

      • Develop a strategy and determine requirements.
      • Identify scope of applications and/or databases.
      • Identify intended uses of obfuscated data, e.g. unit testing, user acceptance testing, statistical analyses for business intelligence.
      • Identify data sensitivity classification levels (option: collect/create data definitions and classify data, if this is not already done).
      • Identify high-level relations amongst data sets (detailed relationships amongst data elements can be addressed in data mapping, detailed design or configuration of the prototype).
      • Map data flows and associated business processes.
      • Select candidate data sets (elements, schemas, fields, tables) for obfuscation.
      • Select obfuscating techniques per: intended uses of data (e.g. unit testing, user acceptance testing, statistical analyses for business intelligence); data sensitivity classification level; relations amongst data elements (i.e. referential integrity).
      • De-identification.
      • Data masking, e.g. data shuffling; micro-aggregation; data swapping; lookup values/lookup tables; random number generation; randomization with range constraints; hard-coded literals; special registers (e.g. date, time); substring and concatenation of values; sequencing numeric fields or parts of concatenated fields; date manipulations.
      • Data anonymization.
      • Technology product(s)/tool(s) evaluation and selection (see Product Selection below).
      • Create structured evaluation criteria for technology product(s) evaluation based on requirements.
      • Select options that meet requirements.
      • Compare options for advantages and disadvantages.
      • Derive high-level architecture options.
      • Design processes and technical architecture (physical and logical).
      • Document intended steps for execution of data obfuscation operations.
      • Staging systems.
      • Database instances, e.g. staging, test, quality assurance, business intelligence.
      • Implement technical architecture option: prototyping (see Prototyping below).
      • Install products/tools.
      • Configure products/tools.
      • Perform data obfuscation (i.e. de-identification, masking or anonymization).
      • Develop and execute validation procedures.
      • Verify protection against identity disclosure and value disclosure.
      • Verify data utility is maintained.
      • Test and document repeatable processes.

    Prototyping

    Consider taking a prototyping approach with the initial implementation of a data obfuscation technology product or tool. A viable prototype is well beyond a proof of concept; the intent is to design and implement a prototype to serve as a robust functional base to build out subsequent data obfuscation implementations.

    Product Selection

    Different solutions will have specific characteristics that could offer advantages in meeting the organization's goals; each should be evaluated to determine which solution is the best fit for the organization's requirements and business objectives, both short and long term.

    Data Masking Products

    While advanced data masking can be implemented using software developed in-house or by custom development, the benefits of the powerful software packages that perform data masking available today, such as IBM Optim (formerly Princeton Softech Optim) [4] and Camouflage Software's Camouflage [5], usually outweigh undergoing custom development efforts to implement advanced data masking. Important features to look for in a data masking product include:

      • Supported compatibility with your organization's databases (e.g. DB2, Oracle) and platforms (e.g. mainframe, Unix, Windows).
      • Intelligent contextual masking and multiattribute contextual masking to ensure valid values are used.
      • Key propagation, including propagation of masked primary keys to dependent foreign keys, is a crucial feature; additionally, the capability to consistently propagate masked key values across multiple databases within the enterprise may be desired.
      • Consistent masking or replay features allow for masking a column the same way each time a masking routine is performed, from the same database and across multiple databases; this removes uncertainty across multiple test and development databases when consistency is required.
      • Built-in algorithms applicable to your organization's needs will speed implementation; the flexibility to add additional algorithms and execute exit routines to apply complex algorithms may also be desirable.
      • Predefined mapping of data tables used by popular applications your organization employs is highly desirable (e.g. ERP, CRM, SCM applications).

    Some database management systems (DBMS) have built-in capabilities or add-on packages available that generate test data or provide batch de-identification functionality. While some of this functionality is becoming more sophisticated, often these features are used for less complex de-identification rather than advanced masking operations.

    Data De-Identification Products

    When de-identification is used in combination with, or in the same environment as, data masking, often the same tools are leveraged for both obfuscation techniques. However, de-identification is a simpler function and has been performed by custom code and/or built-in or add-on DBMS functionality for decades. De-identification is not limited to a batch operation; it is also performed live on production data. In much existing code this is often done at the view or interface level. However, the way data is used today, accessible beyond a single defined application interface, it is often necessary to apply protections as close to the data as possible. This may dictate a need to change how such real-time or live de-identification is performed, moving to leveraging database-level features or a centralized interface layer or bus through which all data access and interfaces flow. See "Real-time Data Obfuscation" herein.

    Data Anonymization Products

    While many products claim data anonymization capabilities, they are often using this term to advertise their de-identification solutions. At a high level, data anonymization is accomplished by applying one-way cryptographic hashing to data elements. Custom-built applications of this sort have existed to address various information technology needs for years. However when

    Original URL path: http://privacidad.cr/pub/Data_Obfuscation_2009.html (2016-03-26)

  • Vendor Management: Maintaining Privacy Compliance in Outsourced Business Relationships - October 2008 Privacy & Data Security Law Journal
    dispute resolution processes that ensure service continuity and executive-level attention at the service provider. Establish a sourcing management dashboard that provides an integrated view across all service providers, by service line, of the key operational and business performance metrics.

    Motivation and Why

    The big questions that start with "Why" lead to recurring topics, even with executives who already know it is important to address vendor management and data protection proactively.

    Why are vendors handling data, including access to information systems, different from other types of vendors? This comes down to an understanding of one's business; many truly are information-based businesses today. As an example, we look briefly at financial services. Financial services companies have two major assets: Money; Information. Key points to keep in mind:

      • Information/data is the foundation of financial services businesses and must be protected as a critical asset.
      • The value and confidentiality of data are unrecoverable and irreplaceable; once data is breached, containment is difficult and potentially nonpermanent.

    Why should we be concerned?

      • You cannot outsource compliance: for US companies with US customers this includes GLBA, PCI, various states' legislation; when handling Europeans', Canadians' and many other citizens' data, national legislation and cross-border data transfer require meticulous attention.
      • Trust and brand value are ever-increasingly important attributes to possess; without respect for, and a proactive approach regarding, privacy for both customers and employees, no business will exist in a competitive market in jurisdictions with democratic regimes.
      • Competitive advantage of data: if all the "do the right things" and "abide by the law" motives are not enough, information-based business must continue to be cognizant of their key competitive advantages; there is a great deal of competitive advantage in keeping confidential data, and data gained through trust relationships, confidential.

    Change Is Constant

    Successful organizations adapt and change both process and technology; this goes for not just your organization, but your vendors as well. Just like your organization, vendors too are interested in trying to improve their bottom line. This is why it is necessary to regularly assess vendors' security and privacy compliance posture beyond initial due diligence. Indications that a significant change in business is about to, or has, occurred include mergers, acquisitions and vendors moving to outsource their own operations. Accidental outsourcing does occasionally occur. While your organization may take every precaution to make sure data is handled properly and in compliance with the organization's policy and regulation goals, take every step to ensure your vendor is doing the same. If the vendor makes a sudden change in its operations such that data is transferred to another agent not bound to follow all the necessary precautions, or in an inappropriate jurisdiction, detection and remediation must be swift.

    Do Not Just Audit, Assess

    Oftentimes audits are performed strictly against checklists, asking questions such as "do you have a, b and c, and may we see them?" and then checking off that the vendor has what is required. It is important to go beyond such basic audits and perform full assessments; remember that while answers can look good on the surface, often more questions must be asked; ultimately, protecting the data is not just about liability but mitigating tangible risk. Utilizing an assessment methodology allows for an adaptive process and a more dynamic approach toward achieving your goals than traditional audit methods do. Active participation, such as seeing how a policy is executed, how processes are implemented and, in some cases, actively taking a detailed hands-on approach to assessing IT infrastructure, will produce more accurate and informative results. For example, during site visits (which we absolutely recommend): are the storage rooms clean, are there boxes filled with documents in the corners of the room, did you notice any physical security barriers to entry? An adaptive, iterative approach that leverages the diverse experience and expertise of individuals that form the VMO also saves time and resources.

    Plan for Incidents

    Your organization has incident response and business continuity plans. Vendor practices must also include procedures to deal with incidents such as data breach, leakage or exposure incidents, including communication with your organization and appropriate third parties, and emergency response plans. These practices must also include an agreed-upon definition of what an incident consists of.

    Budget and Consolidating Vendors

    When considering outsourcing, selecting vendors and renewing existing contracts, money is always a factor: how much are we saving/spending/earning through this relationship? Organizations must remember to include the cost of maintaining a vendor in the budget, from contract negotiation through to regular audits or assessments and regular communications. Consolidating vendors can save money, and we are often asked what having your eggs in one or more baskets means from a data protection perspective. While consolidation of vendors may add risk to some operations, it almost always reduces risk from a data protection perspective. Unless different vendors work with completely different sets of data, the eggs are not really different, no matter how many baskets they are in. If customer data is breached, it is breached. If one vendor mishandles data, exposing the data, it may be just as bad as any other of the vendors doing so with the same data. However, if your VMO has fewer vendors to guide and keep on course, stronger, well-performing relationships may be the result of a more focused VMO. Additionally, there are fewer eggs that might fall out of a basket.

    When Failure Is an Option, Have a Plan

    One of the significant business situations in which organizations are not prepared is when a vendor fails an audit. There are many reasons why this occurs. Often the organization may have been working with their vendors for a considerable length of time and are not prepared for failure. Other times it is simply a lack of preparation for such a situation. However, it is important to understand that failure is an option. If this situation does occur, whether it be a failed audit or a vendor simply failing to live up to its contractual obligations, the organization must be prepared to address the issue immediately. One of the most significant possible results of an audit failure is that the organization does nothing. This should never happen. If there is an issue with a vendor (any vendor, but especially a vendor who handles PII), your organization needs to have a well-defined action plan to address the failure. This plan should include:

      • Notification: Who should be told of the failure? Depending upon your organization, it may be the VMO, legal, business units, compliance, human resources, procurement, IT or, depending upon the situation, government or regulatory bodies.
      • Accountability: One business unit, usually the VMO, will need to be accountable for addressing the failure with the vendor. This unit will also be responsible for the development and subsequent monitoring of the remediation plan.
      • Remediation: Which group should take the lead in developing a remediation plan? For protected data, this is usually completed with input from several groups, including the VMO, IT and legal.
      • Reinstatement/Removal: This decision is made after a thorough review of the results of the remediation plan. The results will have to be reviewed by the VMO as well as other appropriate business units in order to make a final decision.

    If the organization does remove a vendor, it needs to be ready to move forward immediately with a suitable replacement. The research on the new vendor should not wait until a key vendor has failed an audit. We recommend, at minimum, you have potential replacement vendors for consideration and/or a fast-track process to identify new vendors to complete your due diligence. If this is impractical (and for some large organizations it is), focus on the critical vendors and have at least one replacement available. It is always good to have options. There should be established guidelines as part of your assessment, audit or review processes that address immediate failure of a vendor's data protection posture. The organization should also have preexisting guidelines for how remediation can be achieved if the business should desire to maintain the relationship with the vendor. Being proactive in the vendor relationship helps to avoid failures. We have found that most failures are due to a change in the vendor's organization or operating procedures, and these can be detected early through regular communication, even when it is not time for an audit/assessment.

    Managing the Vendor Relationship

    Managing the vendor relationship needs to start early. We recommend that you begin during the initial contract negotiation stage. Usually there are several parties involved at this time. Corporate counsel, selected business units, sourcing and possibly representatives from the information technology group will give input. We recommend that the VMO lead the negotiations with input from the legal department. If this is not possible, have one organization designated as the point group for these discussions. If it is the VMO, legal will also most likely be involved to assist with the discussions and certainly to approve any final document. We have been involved in situations where legal leads the negotiations, others where the VMO leads the negotiations; this will depend upon your corporate culture. Also, do not forget other interested parties: human resources, corporate compliance and selected business units may also provide valuable input.

    Before you get into the negotiations, do your homework. Identify what type of data it is that you are moving to the third parties. Ask yourself a few questions: Do I know where this data is located? Do I have data stewards for this data? Is it protected data? Is this data covered by any retention requirements? Are we moving this data across international borders? Why are we moving this data to the third parties?

    There are also two very important documents when initiating a vendor relationship. These are the due diligence questionnaire and the security and privacy requirements document. The due diligence questionnaire should be presented to any interested party either right before the relationship has begun or soon thereafter. This document will allow the vendor to elaborate on its entire background and history. You will want information on its relevant security and privacy programs, responsible parties, governance modules, audit expectations, monitoring expectations, special handling considerations, disaster recovery plan and maybe even their financial viability. Most due diligence documents are very comprehensive. Do not be afraid to ask questions. The data is very important and you need to make the correct decision regarding its care.

    The second most important document for your vendor relationship is the data privacy and security requirements roadmap document. These privacy and security guidelines and requirements should be provided to vendors so that they understand your organization's requirements; they should be provided early in the relationship. If this is an existing relationship, provide this as soon as possible; if you are negotiating a new contract, include this with your other requirements; if you are in an existing contract and cannot retroactively enforce the requirements, provide them to the vendor as upcoming requirements. This is an extremely significant document and will always be reviewed by auditors should there be an incident. However, this roadmap is usually the document that most vendor relationships are missing. Specifically, it is the listing of data protection, handling and governance instructions that should be undertaken by the vendor in order for the data security and privacy aspect of the relationship to be judged a success. This document is generally based upon internationally accepted data security and privacy frameworks and your organization's own policies and compliance requirements. It will list out all the actions and expectations that you want the third party to undertake when handling, accessing, storing and processing your data. This will include definitions of protected information, security protocols, privacy protocols and possible compliance issues. Every possible data issue should be contained in this document. Usually many of these points are pulled directly from ISO 17799/27002, NIST or CoBIT; the AICPA have also provided guidance in this area. If possible, provide this document during the contractual negotiation phase. Let their personnel review it, comment on it and finally accept it. Also have some flexibility; they will not accept everything. Determine what is important to your organization. IT, legal and business need to work together on this to set expectation and to ensure that all aspects of your outsourcing agreement are covered in relation to data privacy and security expectations.

    In many of the contractual negotiations that we have been involved with, the opposing counsel very often makes the following statement: "Go ahead and protect our data like you protect yours." [2] If you are presented with this situation, it demonstrates a clear lack of understanding about both the law and common sense around this issue. As has been stated earlier in this article, the vendor is not in the same business as the outsourcer, may not be in the same country and does not have the same data and data practices as the outsourcer. Because of this, it will need direction from the outsourcer. This is what the aforementioned roadmap document addresses. We recommend that you always request such a document from opposing counsel when addressing data privacy practices in contractual discussions.

    Success Criteria

    It is difficult to evaluate procedures in which the relationship will be judged a success. However, this is essential to your agreement. We recommend that you develop metrics and/or success criteria before this process begins and consistently evaluate the vendor relationship. Evaluate all vendors on a yearly basis and make adjustments as necessary. Do not forget also to audit your vendor on a regular basis. For vendors who handle critical data, the time frame should be more frequent, perhaps quarterly. If you do not have a quarterly audit with these vendors, it is important, at minimum, to set up a communications plan in which you will receive a regular status update from the vendor. Judge success based upon the metrics, the communications and performance quality for the services provided.

    Having vendor termination procedures addressed in your contract prior to allowing a vendor to receive data from your organization is vital to being able to neatly wrap up an outsourcing relationship when the time should come to do so. This should include provisions for safe return/transfer of any data or derived data the vendor holds, as well as secure deletion or destruction of any media used to store the data, and a communication process in the case of later discovery of your organization's data that may not have been removed from the vendor, or later discovery of a breach that may have occurred while the vendor was still in possession of your organization's data.

    Outsourcing to India

    For years India has been a lead destination of outsourcing. This trend is still on the rise for many business processes, including back-office operations, though even the latest laws do not sufficiently address data protection. As with any jurisdictions not yet providing adequate levels of data protection within their own legal regimes, businesses need to continue to be concerned with the laws that pertain to the data they are handling within their own frameworks. The current state of privacy regulation in India is unsettled. The National Association of Software and Service Companies (NASSCOM) [3] has been pushing for more privacy regulation, though no such regulation has yet made it through the legislature [4]. India does have some basic protections and there are remedies for a privacy breach, but there are many remedies and they have not yet been codified into one cohesive piece of legislation [5]. Also, new privacy-impacting directives have been mandated almost in a haphazard fashion. One such example of this is the recent demand made by the Indian government on Research in Motion [6], the producers and service provider for BlackBerry devices and software, to provide the ability to decrypt encrypted data transmitted by BlackBerry devices used in India [7]. Even if your organization has established privacy and security process and technology for outsourced operations today, it is important to keep in mind that the reengineering of infrastructure for purposes of moving to an overseas vendor can affect security controls.

    Walk-Through of the Development of a Data-Related Vendor Management Program

    As an example of how an organization may come to establish a data-related vendor management program, we will walk through the experience of one of our clients. This client is a multibillion-dollar provider of consumer services. The organization was adopting a risk management approach to the handling of their assets. As they calculated the level of risk posed to all assets, they soon realized a cross-functional team was necessary to assess risks associated with their data, in particular their customer and employee data. It became clear they needed to pay special attention to the vendors handling their data, as these data-related vendors are involved in every aspect of their services. The organization's motives for addressing data protection go beyond compliance and competitive advantage; their motivation stems from the organization's culture and a strong desire to:

      • Maintain trusted relationships with both customers and employees.
      • To not disrupt or have negative impact on either their customers' or employees' lives.

    The risk management effort was spearheaded by the organization's Chief Information Officer and Vice President of Finance, who were able to gather a cross-functional team to handle the data aspects of their vendor risk management program. This included representatives from legal, internal audit, finance, marketing, purchasing, information technology, information security and selected lines of business. Early on they established the mission of the data-related vendor management program:

      • Assess the overall level of information privacy and security risk that utilizing a given vendor might pose.
      • Determine the level of assurance that vendors who will have access to the organization's information will adequately protect and adhere to all information privacy and security requirements derived from the

    Original URL path: http://privacidad.cr/pub/Vendor_Management_Privacy_Compliance_2008.html (2016-03-26)


