
Page 1

Privacy Engineering & Privacy Assurance Lecture

Frank Dawson/Nokia, Director information privacy compliance

Ecole Polytech Nice – Sophia Antipolis

2015-01-23

© Nokia 2015 PE_PA-Lecture-Ecole_Polytechnic_Nice_SA-20150123 Author: Frank Dawson

Page 2

Privacy Engineering & Assurance


1. WHAT – Information Privacy
− Terminology
− Roles within the Privacy Framework
− Privacy Principles
− Essence of privacy
− Privacy data lifecycle
− Personally Identifiable Information and Identifiability

2. HOW – Compliance or Accountability
− Elements of an ACCOUNTABLE privacy program
− Privacy activities across the product life cycle
− Privacy program roles & responsibilities

3. HOW – Privacy Engineering & Assurance simplified
− Applying Privacy Engineering
− Privacy Engineering steps
− Privacy Assurance steps
− Design activities across the product life cycle
− Privacy impact assessment
− Privacy risk management
− Assessing privacy maturity
− Privacy related business processes

4. Use case
− Initial description
− Assessment planning
− Kickoff meeting
− Use case & DFD
− Data inventory & classification
− Threat analysis
− Security considerations
− Privacy Policy template
− Assessment findings
− Final assessment review

Page 3

Information privacy

The right of an individual to control the processing of their personal data such that there is no hidden, unwanted, uncontrolled, excessive or insecure collection, processing and disclosure of the consumer’s personal data.

Page 4

EU GDPR and ISO 29100

• The EU data protection regulations will soon be based on the proposed General Data Protection Regulation

• Potential harmonizing DP effect across EU businesses

• ISO 29100 defines a Privacy Framework that reflects many of the proposed components of the GDPR

• The PDF of the standard is freely available here

• Privacy Framework includes:
  • Terminology
  • Roles and interactions
  • Recognizing PII
  • Privacy safeguarding requirements
  • Privacy policy
  • Privacy controls
  • Privacy principles

Page 5

Terminology (29100 §2)

• Identifiability - condition which results in a PII principal being identified, directly or indirectly, on the basis of a given set of PII

• Personally Identifiable Information (PII) - any information that (a) can be used to identify the PII principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII principal

• PII Controller - privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII) other than natural persons who use data for personal purposes

• PII Principal - natural person to whom the personally identifiable information (PII) relates

• PII Processor - privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller

• Privacy Breach - situation where PII is processed in violation of one or more relevant privacy safeguarding requirements

• Privacy Safeguarding Requirements - set of requirements an organization has to take into account when processing personally identifiable information (PII) with respect to the privacy protection of PII


Page 6

Roles within the privacy framework

• DPA, Data Privacy Authority, Information Privacy Commissioner, etc. is the independent legal authority for administering privacy rules within a country

• The consumer is the PII Principal

• The PII Controller is the entity that determines the purposes and means of processing the consumer’s personal data and is RESPONSIBLE for the data processing of the data subject’s PII

• The PII Processor performs information processing on behalf of the Data Controller

(Diagram: the interactions between the Data Protection Authority (DPA), the PII Principal, the PII Processor and the PII Controller)

Sometimes a reference is also made to a Third Party, which can be viewed as outside this privacy framework, but the responsibility of the Data Controller.

Page 7

Privacy Principles (ISO 29100 §5)

# | Principle | Description
1 | Consent and choice | PII Principal has choice on and has Opt-In to PII processing
2 | Purpose legitimacy and specification | Processing complies with laws, giving notice before processing
3 | Collection limitation | Within laws and necessary for specified purposes
4 | Data minimization | Minimize the processing of PII
5 | Use, retention and disclosure limitation | Also applies to limitation on cross-border transfers
6 | Accuracy and quality | Measures to assure validity and correctness of PII processing
7 | Openness, transparency and notice | Clear, complete and accessible information on PII processing
8 | Individual participation and access | PII Principal access to review their PII and correct inaccuracies
9 | Accountability | Demonstrate care in duty toward PII Principal for PII stewardship
10 | Information security | Protecting PII under its authority with appropriate controls
11 | Privacy compliance | Verifying and demonstrating adherence to laws with internal or 3rd party audits

Page 8

Essence of privacy

Privacy emerges from personally identifiable data

Personal data or information
• Any information relating to an identified or identifiable natural person, an individual

+ Identifiability
• (Nymity) The measure of the degree that personal data can be associated with an individual

Page 9

Privacy data lifecycle

• Also called the Consumer Data Lifecycle, it is a fundamental component of the privacy knowledge base

• Defines the actions related to personal data within the privacy framework

• When analyzing the data flow in your specifications, you should also consider the complete lifecycle for the associated PII

• Within the EU, collection itself is considered to be an act of processing!

(Lifecycle diagram: Collection, Processing, Storage, Transfer, Deletion)

Page 10

Personal data/information

• Relates to information about a natural person

• When the data can be associated with an individual, it is referred to as Personally Identifiable Information (PII)

• Criteria for linkability of data to an individual are a hot topic within the privacy community

• Sensitive PII must be treated specially

• Generally, if PII is of a racial, religious, political, sexual orientation or medical nature, it is characterized as Sensitive; but other categories should also be considered

• Also commonly referred to as Personal Data

Categories of personal data:
• Basic data (e.g. first name, last name, mobile number)
• Address data (e.g. postal code, email address)
• Restricted categories of data (e.g. racial or ethnic origin, religion, trade union membership – if allowed by applicable law)
• Social networking related data (e.g. metadata of pictures uploaded, site activity information)
• Location data (e.g. GPS coordinates or mobile network base station ID)
• Identifiers (e.g. IMEI, device identifiers, IP address)
• System data: information about how individual users are using the system (e.g. log files)
• Monetary data transactions (e.g. credit card number, account information)

These are some of the categories of personal data to consider when identifying the PII in your particular project

Page 11

Privacy Engineering & Assurance


Page 12

Compliance or Accountability

• The goal of being privacy compliant may not be sufficient for avoiding regulatory actions against your company

• Data protection authorities (DPA) now expect organizations to demonstrate their good intentions

• Accountability has roots in the 1980 OECD privacy guidelines

• An accountability framework builds trust between DPA and organizations for the handling of personal data

• Accountability means being able to show how your company has holistically integrated privacy best practices

• Centre for Information & Policy Leadership (CIPL) has defined a global DPA endorsed approach to Accountability

Data Protection Accountability: The Essential Elements

Page 13

Elements of an Accountable privacy program

1. Executive accountability and oversight – Internal senior executive oversight and responsibility for data privacy and data protection

2. Policies and processes to implement them – Binding and enforceable written policies and procedures that reflect applicable laws, regulations and industry standards, including procedures to put those policies into effect

3. Staffing and delegation – Allocation of resources to ensure that the organization's privacy program is appropriately staffed by adequately trained personnel

4. Education and awareness – Existence of up-to-date education and awareness programs to keep employees and on-site contractors aware of data protection obligations

5. Risk assessment and mitigation – Ongoing risk assessment and mitigation planning for new products, services, technologies and business models. Periodic program risk assessment to review the totality of the accountability program

6. Event management and complaint handling – Procedures for responding to inquiries, complaints and data protection breaches

7. Internal enforcement – Internal enforcement of the organization's policies and discipline for non-compliance

8. Redress – Provision of remedies for those whose privacy has been put at risk

Not just compliant but accountable

Page 14

Privacy activities across the product life cycle


Page 15

Privacy program roles & responsibilities

Executive privacy owner

• The senior executive with oversight and responsibility for data privacy and data protection in the organization

Chief privacy officer

• The senior manager with responsibility for the implementation and operation of the privacy program in the organization

Privacy officer

• The privacy professional responsible for implementation and operation of the privacy program within an organizational unit

Privacy champ

• The program or product member with sufficient privacy competence to be responsible for transposing privacy requirements into product requirements

Data Protection Officer

• A privacy professional required by some organizational entities with reporting accountability to the local Data Protection Authority

These are minimal privacy program roles

Page 16

Privacy Engineering & Assurance


Page 17

Privacy Engineering & Assurance simplified

(Diagram: the Privacy Knowledge Base – Principles, Policies, Requirements, Procedures, Guidelines, Patterns – feeds the Privacy Engineering stages: Planning & Concepting (Threat Assessment and Mitigation; Privacy requirements identification), then Design, Implement, Test (Map privacy requirements into product features; Select guidelines, patterns), then Review (Against requirements; Can be standalone), then Release Assessment (Sign-off). Each stage produces Evidence that feeds Privacy Assurance.)

Page 18

Applying Privacy Engineering

(Diagram: Principles → Requirements → Threats → Controls → Residual Risk, i.e. Privacy Principles → Privacy Requirements & Guidelines → Privacy & Security Threats & Vulnerabilities → Privacy & Security Safeguards → Business Acceptable Risk)

Page 19

Privacy Engineering steps

• Define the product context
− Define the product in terms of main functions, assets, stakeholders, business model, sales estimates, deployment target countries, release schedule(s), strategic importance, risk summary

• Document the data flows and classify the data
− Inventory of all the personal data & data clusters
− Classification of each data element
− User story/epic based diagram of the flow of data through product components, interactors

• Analyze the threats and risks
− Identification of applicable privacy principles and underlying requirements
− Define inherent threats to key privacy & security principles
− Analysis of attack surface and minimization
− Identification of root cause or vulnerability

• Mitigation
− Selection of privacy & security safeguarding controls
− Identification of key test cases and test tools to verify control fidelity
− Identification of residual risk

Implementing Privacy by Design

Page 20

Privacy Assurance steps

• Purpose of assurance is to verify that Privacy Engineering activities have been implemented as agreed and are operational, and that any required staffing is in place

• Kick off the assessment process with the Privacy Officer early to understand what will be needed for final sign-off

• Privacy & security assessment is based on a thorough assessment of the Product Team evidence that Privacy Engineering activities have been implemented and are operational

• Final sign-off recommendation is made by the Privacy Officer with approval by Product Management & Chief Privacy Officer

• An escalation process may be needed to address disagreements over findings between Privacy Officer and Product Management

• Non-compliance with privacy regulations SHOULD NOT be approved

A final assessment of all products or services that have a privacy impact is a necessity

Page 21

Threat model

• Threats exploit Vulnerabilities and damage Assets

• Controls mitigate Vulnerabilities and therefore might mitigate Threats

• Attacks manifest Threats

(Diagram: a Threat exploits Vulnerability 1 and Vulnerability 2 and damages Asset 1 and Asset 2; Controls mitigate the vulnerabilities)

Page 22

What is threat analysis

• Threat analysis is about understanding privacy threats to a system, determining harm from those threats and establishing appropriate mitigations (privacy controls or safeguards) against those harms

• Analyzes threats to underlying Privacy Principles at each stage of the Privacy Data Lifecycle

• Analysis results facilitate selection of mitigation Privacy Safeguards/Controls

Why follow this practice?

• A structured approach better ensures PbD than an ad hoc approach

• Threat analysis allows development teams to effectively find potential privacy design issues. Mitigation of privacy issues is less expensive when performed during design

• By knowing the threats, privacy testing efforts can be focused more effectively

• This is a prerequisite to conducting a Risk Analysis to mitigate associated harm


Page 23

Threats come with data – DFD can identify them

• Therefore we model the data using a data flow diagram (DFD)

• Scope is the processes (your code), all neighbouring actors, data stores and the trust boundaries between them

(DFD legend: Data store, External interactor, Process, Data flow, Trust boundary)

References: Open Web Application Security Project, Microsoft TMA

Page 24

Threat analysis modeling

1. Getting ready − Product description, data inventory, data flow diagram

2. Identify assets − Digital, physical, reputational, operational

3. Identify entry points − Entry or exit through a trust boundary in DFD

4. Identify vulnerabilities − A weakness or failing

5. Define attacker types − Threats exploit vulnerabilities, attack manifests a threat

6. Define controls − A countermeasure or safeguard

7. Build threat scenarios and mitigation plans − Possibly by making use of an attack tree/threat tree

Page 25

Illustrative table to capture privacy threats

Lifecycle | Principle | Threat | Controls | Harm
Collection | Transparency, Notice & Consent | Unauthorized collection | Data analysis, Purpose verification | Hidden data bases
Collection | Collection limitation | Unlimited collection | Purpose verification, Collection method analysis | Lack of proportionality
Processing | Purpose specification, Legitimate purpose | Processing unrelated to purpose | Function limits, User participation | Processing with illegitimate purpose
Processing | Processing | Lack of consumer control | Opt-out, Platform privacy control | Automatic processing
Processing | Security | Data integrity fault or data misrepresentation | Data integrity check on read, write | Misrepresentation
Transfer | Legal obligations | Transfer PII outside EU without consent | Notice & Consent | Violation of EU citizens’ basic rights
Maintenance | Access & participation, Individual participation, Redress | Lack of consumer redress | Privacy policy includes process for user redress | Inability to rectify errors

Page 26

Documenting controls and validation tests

• Selected controls should be documented in a reliable storage as a part of the evidence of applying Privacy Engineering

• It is good practice to also define test cases for validating that the controls are implemented, operating as intended and effective against the associated threat(s)

• This documentation forms part of the compliance evidence, and it has to be reviewed by the privacy & product security officers

Page 27

Privacy risk assessment

• Produces evidence of minimization of possible privacy risk

• Residual risk = Fn (Harm, Impact, Probability, Mitigations)

• Re-conducted when material changes are made to the product

• ISO 31000 – A reference risk management framework

ISO 31000 process steps:
− Context: establish external, internal context for risk, risk management process and risk assessment criteria to be used
− Identify: identify sources of risk, areas of impact, events and causes, potential consequences
− Analyze: consider causes and sources of risk, positive & negative consequences, both tangible and intangible
− Evaluate: make decisions based on risk analysis, which risks need treatment and the priority for treatment implementation
− Treat: select remediation based on avoiding, taking on, removing, changing potential for, changing harm of, sharing of risk
− Monitor & Review: assure controls are effective, learn and improve, detect context changes, identify new risks, measure KPI
− Improve: commit to constant improvement of the overall risk footprint

Identify the RESIDUAL RISK in your product. Product management must accept residual risk!

Page 28

Understanding privacy risks

Threats/Vulnerabilities (examples)
• “Hidden, uncontrolled, excessive or unsecure processing”
• Improper collection, use, disclosure
• Globally accepted privacy principles and laws often articulate these in more detail
• Privacy requirements and guidelines act as controls to these threats/vulnerabilities

Impacts to individuals (examples)
• Tangible (e.g. credit card fraud, discrimination)
• Intangible (e.g. embarrassment)
• Societal (e.g. chilling effect on freedom of speech)

Impacts/consequences to companies (in general)
• Bad publicity, erosion of trust
• Fines up to millions (new EU proposal: up to 2% of annual global turnover)
• Penalties, including personal criminal liability
• Forced privacy program with 20 year external audit obligation
• Data breach notifications (~$200 per lost record in US, similar in e.g. Germany)
• Deletion of unlawfully collected data
• Sales stops, recalls, cost of remediation
• Human rights, ethics challenges

Page 29

Privacy risk assessment

• Objective is to reduce the business impact from exploitation of a set of threats

• Process utilizes the results of the threat analysis and mitigation activity
• Product team is responsible for completion of risk analysis
• Technical team provides complementary support

• Residual Risk = Fn (Harm, Impact, Probability of Occurrence, Mitigations)

• Risk mitigation = actionable steps to reduce harm, impact or probability

• Mitigation approaches include:
  • Do nothing, hope for the best
  • Mitigate the risk by putting countermeasures in place
  • Reduce impact or probability
  • Accept the risk after evaluating the business impact
  • Transfer the risk with contractual agreements or insurance
  • Remove the risk, for example shut down the product, remove the feature

Security risk is about harm to the company, but privacy risk is about harm to the consumer

Page 30

Example risk assessment report

Columns: ID | Event | Root causes | Consequences | Impact | Probability | Treatment actions | Monitoring measures | Action deadline | Action owner

Event: Privacy breaches, privacy related loss of business, compliance including corruption and fraud

Root causes:
- Failures to design privacy into products and services
- NSA espionage: Cloud services concentrated to US based cloud providers
- User privacy vs. benefits of analytics
- Privacy program and resourcing and maturity

Consequences:
- Data breaches
- Regulatory enforcement
- Business interruptions, requests to delete data, sales stops
- End user and business customers lost with US based cloud services

Impact: 100-150 MEUR; anything up to $200 USD per record in US; up to 100 euro per record in Germany; reputational damage and lost business opportunity

Probability: ~15% - Medium

Treatment actions: Insurance policy?; Training, security scanning and audits including corrective actions; MS integrations project actions

Monitoring measures: Progress measures, milestones followed

Action deadline: 2Q2015

Action owner: Alice
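The residual-risk formula and the treatment options from the risk assessment slides, worked as an added Python example that is not part of the lecture: it scores the example report's risk before and after the listed treatments and applies the ISO 31000 Evaluate step separately to company impact and consumer harm, so that a transfer such as insurance lowers the company figure but not the consumer's. The scoring, the harm scale and the treatment effectiveness factors are assumptions; the 100-150 MEUR impact (midpoint used) and ~15% probability come from the example report.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    event: str
    probability: float     # probability of occurrence within the assessment period
    impact_meur: float     # consequence to the company if it occurs, in MEUR
    harm: float            # consequence to the consumer, 0 (none) .. 4 (severe); assumed scale


@dataclass(frozen=True)
class Treatment:
    name: str
    kind: str                        # "mitigate", "transfer", "accept" or "remove"
    probability_factor: float = 1.0  # mitigate: lowers probability for company AND consumer
    impact_factor: float = 1.0       # mitigate/transfer: lowers the company impact only


def residual_risk(risk, treatments):
    """Residual Risk = Fn(Harm, Impact, Probability, Mitigations), scored here (an
    assumption) as expected loss to the company and expected harm to the consumer."""
    p, impact, harm = risk.probability, risk.impact_meur, risk.harm
    for t in treatments:
        if t.kind == "remove":            # e.g. shut down the product or remove the feature
            return {"company_meur": 0.0, "consumer_harm": 0.0}
        p *= t.probability_factor         # "accept" leaves both factors at 1.0
        impact *= t.impact_factor         # insurance never lowers the consumer's harm
    return {"company_meur": p * impact, "consumer_harm": p * harm}


def evaluate(risk, treatments, acceptable_meur, acceptable_harm):
    """ISO 31000 Evaluate step: does the risk need further treatment, or is it
    low enough for product management to accept the residual risk?"""
    left = residual_risk(risk, treatments)
    reasons = []
    if left["company_meur"] > acceptable_meur:
        reasons.append("company impact above business-acceptable level")
    if left["consumer_harm"] > acceptable_harm:
        reasons.append("consumer harm above acceptable level")
    return {"inherent": residual_risk(risk, []), "residual": left,
            "decision": "treat further" if reasons else "accept (product management sign-off)",
            "reasons": reasons}


# Constructed sample following the example risk assessment report: impact
# 100-150 MEUR (midpoint), probability ~15%; the harm level and the treatment
# effectiveness factors are assumptions.
BREACH = Risk("Privacy breaches, privacy related loss of business", 0.15, 125.0, 3.0)
REPORT_TREATMENTS = [
    Treatment("Training, security scanning and audits", "mitigate", probability_factor=0.5),
    Treatment("Insurance policy", "transfer", impact_factor=0.6),
]
MINIMISATION = Treatment("Data minimisation of collected PII", "mitigate", probability_factor=0.4)

if __name__ == "__main__":
    print(evaluate(BREACH, REPORT_TREATMENTS, acceptable_meur=10.0, acceptable_harm=0.1))
    print(evaluate(BREACH, REPORT_TREATMENTS + [MINIMISATION], acceptable_meur=10.0, acceptable_harm=0.1))
```

With the report's two treatments the company figure passes but the consumer-harm figure does not; only a mitigation that lowers the probability of the event (here the data-minimisation step) brings the privacy risk to an acceptable level.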

Page 31

Privacy impact assessment

• EU GDPR Article 33 promulgates PIA for public/private organizations

• Produces evidence of implementation of Privacy by Design

• Conducted by staff when personal data is collected, used or disclosed in a product or service

• Re-conducted if material changes made to product or service

• ISO 29134 (WD) will standardize methodology

PIA steps:
− Identify: describe the project, including the aims, whether any personal information will be handled, inherent privacy principles
− Analyze: identify the personal information flows, classify data, identify relevant regulations, privacy requirements, privacy impact
− Verify: validate that only essential data is collected and processed for legitimate purposes required by the product or service
− Simplify: change system and processes to only collect/store/process essential data for the minimum period with a data deletion plan
− Secure: use industry best practices for safeguarding personal data through the life cycle, providing consumer control over their data
− Remediate: identify remaining risk, level of harm and mitigation plan to eliminate or reduce risk to an acceptable level
− Attest: record findings, gain sponsor commitment to implement any needed changes, report results to management

Page 32

Privacy capability assessment

• Provides a method for advancement of your privacy program

• Conducted to measure baseline and incremental changes

• Part of a commitment to accountability, constant improvement

• ISO 29190 (new IS) will standardize a methodology

Privacy capability assessment steps:
− Plan: agree on privacy capability assessment model (e.g., context or business process based) and assessment scale to be used
− Assess: rate the current capability against target capability
− Review: identify sub-optimal capabilities to be improved and overall improvement plan
− Report: communicate to management the assessment activity, results, improvement actions and next scheduled assessment
− Improve: implement improvement plan

Page 33

Privacy related business processes

• Quality management process

• Risk management process

• Assessment process

• Security engineering process

• Business continuity process

• Customer care process

• Incident response management process

• External communications process

• Authority request/lawful intercept process


Page 34

Privacy Engineering & Assurance


Page 35

Use case – Globetrotter Tech Weather App

You work as the privacy officer for Globetrotter Technologies, a technology start-up. The business intends to rule the world of mobile software apps to aid business travellers. You report to the CPO Elliot.

You just finished giving a privacy training to the software staff and Alice, a program manager, approached you to get some guidance, as her Android Weather App is planning on going Live at the end of the month. You have just reminded her that corporate policy is that no product goes live without a satisfactory recommendation from the privacy officer after a final privacy assessment. Alice designated Bob on her team as the privacy champ. Her dev manager is Chuck. She reports to the VP of programs, David. She wants to get started ASAP.

What is your course of action?


Page 36

Assessment planning

What is your course of action?

• Get sponsor agreement for assessment and scope
• Identify and secure support of key assessor roles
• Follow the “Plan, Do, Check, Act” (PDCA) steps

(Assessment process diagram)
1. Plan & Prepare – Define scope, objectives; review and agree plan with sponsors; brief Assessment Team; communicate purpose to persons to be assessed
2. Conduct – Schedule & run interviews per plan
3. Report – Write report, agree with all assessed, then report to sponsors & stakeholders
4. Follow Up – Follow up improvement actions
5. Gather feedback – Review & communicate lessons learned

Assessment roles

Generic role | Purpose of the role
Assessment sponsor | Has the authority in Nokia to decide Go/No go for assessments. Authorizes plan and resourcing, specifies requirements. Ensures actions on findings
Lead assessor | Ensures the successful execution of the assessment
Assessment team | Team of people assessing the interviewees. Assessment team is headed by lead assessor
Interviewees | The sample of people from the audited/assessed organization that are interviewed for the audit/assessment

Page 37

Next steps

• Confirm assessment sponsorship with David, VP Programs

• Confirm assessment request with Elliot, CPO

• Email confirmation of availability to provide assessment assistance to Alice, PM and request meeting to identify assessment team and participants

• At subsequent meeting with Alice, verify role of Bob, Privacy Champ and agree on Kickoff meeting purpose and agenda
  • Introductions, Purpose of assessment, Activities/Evidence

• Email invite to assessment Kickoff meeting to participants
  • Req: Alice, PM; Bob, Privacy Champ; Chuck, Dev Mgr; You
  • Opt: David, VP Programs; Elliot, CPO

Page 38

Kickoff meeting

• At the kickoff meeting you learn the following about the Weather App project
  − Alice is the program manager
  − Bob is her privacy champ
  − Chuck is the development manager
  − David is the program VP and business owner
  − Elliot is your CPO
• Android 4.4 app for Google Play Store distribution
  − Wave 1: EU countries
  − Wave 2: US and CA
• 3rd party partners
  − OpenWeatherMap – Forecast data
  − CrashDaddy – Crash analytics
• Features
  − Lookup city from GPS lat-lon
  − Lookup forecast from city name
  − History of last 12 forecasts
  − Admin console for crash analytics

What is your next course of action?

Page 39

Next steps

• Schedule periodic meetings to progress the assessment with Alice, PM; Bob, Privacy Champ; and Chuck, Dev Mgr
• Verify the product description through Team-provided evidence
• Perform/create System diagram, Data flow diagram, Data inventory & classification, Threat analysis & mitigation with Alice, PM; Bob, Privacy Champ; and Chuck, Dev Mgr

Page 40

User experience concept

Page 41

Weather app use case DFD

Diagram elements recovered from the slide (the drawing itself is not in the transcript):
• External entities: Open WeatherMap (outside the trust boundary), GPS Sensor
• Mobile App processes: GetCity, GetForecast, CityLookupForecast
• Data stores: CityDataStore (Lat-Lon, City), ForecastDataStore (Lat-Lon, City, Forecast)
• Flows across the trust boundary to Open WeatherMap, as labelled: API Token, Lat-Lon (GetCity, returning City); API Token, City (GetForecast, returning Forecast)
• Flows inside the app, as labelled: GPS Sensor to GetCity: Lat-Lon; GetCity and CityDataStore: Lat-Lon, City; GetForecast and ForecastDataStore: Forecast; CityLookupForecast and the data stores: Lat-Lon, City, Forecast

What findings can you infer?

• Forecast for current position displayed
• User can enter city name and get forecast for that city
• Previous forecasts kept to avoid data charges from unnecessary lookup

Page 42

Crash analytics use case DFD

Diagram elements recovered from the slide (the drawing itself is not in the transcript):
• External entity: Crash Daddy (outside the trust boundary); interactors: Mobile App, Web Browser
• Mobile App process TransferCrashData, flow to Crash Daddy as labelled: API Token, Device ID, Crash Payload
• Crash Daddy data store: CrashDataStore (Crash Payload)
• Crash Daddy process CrashAnalyticsConsoleFunction; flows with the Web Browser as labelled: AnalyticRequest, AnalyticResponse

What findings can you infer?

• Crash Payload pushed on app restart after crash recovery
• Web browser access to crash analytics console with admin credentials
• Crash analytics console functions include display of reports based on crash-type specific requests

Page 43

Data inventory

Page 44

Example threat list (1 of 4)

Page 45

Example threat list (2 of 4)

Page 46

Example threat list (3 of 4)

Page 47

Example threat list (4 of 4)

Page 48

Threat analysis notes – Weather app

• No plan for product information to be provided to consumer in Google Play Store entry
• No plan for supporting consumer inquiry
• No notice & consent given consumer on Terms or Privacy Policy
• Verify use of Globetrotter Technologies Terms & Privacy Policy
  − Google Play Store
  − First-Use-Experience
  − Within App
• No prior notice & consent of consumer on Location Data collection and use
• No data minimization effort
• Unclear vetting of Open Weather Map for 3rd party services
• Unclear how location/forecast history is secured in the device
• Unclear if uninstall will delete app data
• Unclear how API token is secured in the device
• Unclear product security plans
• Need product security training & awareness
• Unclear if app hardening will include tamper-prevention
• Unclear legal review plans
• Unclear service continuity plans
• Unclear reactive vulnerability & incident response plans
• No data retention/deletion plan
• Unclear coordination between Weather App & other business traveller app Teams
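The notes above flag location data with no minimization effort, a forecast history whose protection and deletion are unclear, and no retention plan. As an added example (not code from the lecture or from the Weather App project), the Python below shows what the engineering side of those findings looks like: GPS coordinates are coarsened to city-level precision before they cross the trust boundary to the city lookup service, and the device-side forecast history stores only city and forecast, is capped at the 12 entries the kickoff slide specifies, deletes expired entries on access and exposes an explicit purge. The three-hour freshness window, the forbidden-field list and the record field names are assumptions made for the example.

```python
"""Location minimization and a bounded forecast history for the Weather App case.

Added example, not code from the lecture or the Weather App project. Assumes
the primary purpose shown in the DFD: resolve the current position to a city,
fetch that city's forecast, and keep the last 12 forecasts to avoid repeat
lookups. Nothing in that purpose needs precise GPS coordinates.
"""
from collections import OrderedDict
import time

CITY_PRECISION_DECIMALS = 2   # 0.01 degree is roughly 1 km: enough to pick a city
MAX_HISTORY = 12              # "History of last 12 forecasts" from the kickoff slide
MAX_AGE_SECONDS = 3 * 3600    # assumption: a forecast older than 3 h is fetched again


def coarsen_location(lat: float, lon: float, decimals: int = CITY_PRECISION_DECIMALS):
    """Reduce GPS precision before the position crosses the trust boundary to the
    city lookup service. Raw sensor precision (5-6 decimals, metres) never leaves the app."""
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("coordinates out of range")
    return (round(lat, decimals), round(lon, decimals))


class ForecastHistory:
    """Device-side forecast cache keyed by city.

    Differs from the ForecastDataStore in the DFD in one respect: it holds no
    Lat-Lon. The city name is all the lookup needs, so coordinates are not stored."""

    # Fields that must never be written into the history, whatever the upstream API returns.
    FORBIDDEN_FIELDS = frozenset({"lat", "lon", "lat_lon", "coord", "device_id"})

    def __init__(self, max_entries: int = MAX_HISTORY, max_age: float = MAX_AGE_SECONDS):
        self._entries = OrderedDict()   # insertion order = age order
        self.max_entries = max_entries
        self.max_age = max_age

    def put(self, city: str, forecast: dict, now: float = None) -> None:
        """Store a forecast; evict the oldest entries beyond max_entries."""
        leaked = self.FORBIDDEN_FIELDS & set(forecast)
        if leaked:
            raise ValueError("forecast carries fields outside the stated purpose: %s" % sorted(leaked))
        now = time.time() if now is None else now
        self._entries.pop(city, None)                # re-insert so it becomes the newest entry
        self._entries[city] = {"city": city, "forecast": forecast, "fetched_at": now}
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)        # drop the oldest

    def get(self, city: str, now: float = None):
        """Return a cached forecast, or None if absent or expired. Expired entries are
        deleted on access, so retention is enforced rather than merely documented."""
        now = time.time() if now is None else now
        record = self._entries.get(city)
        if record is None:
            return None
        if now - record["fetched_at"] > self.max_age:
            del self._entries[city]
            return None
        return record["forecast"]

    def purge(self) -> None:
        """Explicit deletion for 'clear data' or sign-out. Android removes an app's
        private internal storage on uninstall, but not copies on external storage or
        in a backup; a retention plan should point at this, not at uninstall."""
        self._entries.clear()

    def __len__(self) -> int:
        return len(self._entries)

    def stored_fields(self) -> set:
        """All record keys currently held, for the data inventory."""
        fields = set()
        for record in self._entries.values():
            fields |= set(record)
        return fields
```

The rejection of coordinate fields in `put` is the point a data-minimization review would verify: the store cannot accumulate Lat-Lon by accident when the upstream API adds a field, and `stored_fields()` gives the data inventory sheet its list of what the history actually holds.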

Page 49

Threat analysis notes – Crash analytics

• No data minimization effort
• Unclear purpose for device id in crash payload
• Unclear purpose for memory dump in crash payload
• Unclear vetting of Crash Daddy for 3rd party services
• Unclear how API token is secured in the device
• Unclear product security plans
• Need product security training & awareness
• Unclear if app hardening will include tamper-prevention
• Unclear legal review plans
• Unclear service continuity plans
• No data retention/deletion plan
• Unclear if crash analytics planned only for Beta phase
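Two of the notes above, the device id and the memory dump in the crash payload, are the typical output of a data-minimization review: a field is collected, but no primary purpose is recorded for it. The Python below is an added example (not code from the lecture or from the Crash Daddy SDK) of how that review can be run against a data inventory: every payload field is looked up in the inventory, fields with no documented purpose or no inventory entry at all are removed and reported as findings, and the highest classification remaining in the payload is stated for the inventory sheet. The inventory, the field names and the sample payload are constructed for the example.

```python
"""Data-minimization review of a crash payload against a data inventory.

Added example, not code from the lecture or the Crash Daddy SDK. The inventory,
field names and sample payload are constructed for the example.
"""

# Classification levels, lowest to highest.
LEVELS = ("non-personal", "pseudonymous", "personal")

# Constructed data inventory: field -> (classification, documented primary purpose).
# A purpose of None records exactly the threat-analysis finding: the field is
# collected, but nobody has stated why.
CRASH_DATA_INVENTORY = {
    "app_version": ("non-personal", "group crashes by release"),
    "os_version":  ("non-personal", "group crashes by Android version"),
    "crash_type":  ("non-personal", "classify the crash"),
    "stack_trace": ("non-personal", "locate the fault in the code"),
    "install_id":  ("pseudonymous", "count affected installs; random per-install id, not a hardware id"),
    "device_id":   ("personal", None),   # hardware identifier, purpose unclear
    "memory_dump": ("personal", None),   # may contain anything that was in RAM, purpose unclear
    "location":    ("personal", None),   # not needed to diagnose a crash
}

# Constructed crash payload as the app would send it before minimization.
SAMPLE_PAYLOAD = {
    "app_version": "1.0.3",
    "os_version": "4.4.2",
    "crash_type": "NullPointerException",
    "stack_trace": "at com.example.weather.Forecast.render(Forecast.java:88)",
    "install_id": "9f1c2e7a-constructed-install-id",
    "device_id": "constructed-device-0001",
    "memory_dump": b"\x00" * 64,
    "location": {"lat": 43.7102, "lon": 7.2620},
    "battery_pct": 57,   # not in the inventory at all
}


def review_payload(payload: dict, inventory: dict = CRASH_DATA_INVENTORY):
    """Keep only fields with a documented purpose.

    Returns (minimized_payload, findings). A field with no inventory entry is a
    finding too: either the inventory or the payload is wrong, and the review
    cannot tell which, so the field is dropped until someone documents it."""
    kept, findings = {}, []
    for field, value in payload.items():
        entry = inventory.get(field)
        if entry is None:
            findings.append("%s: not in data inventory; document a purpose or remove from payload" % field)
            continue
        classification, purpose = entry
        if purpose is None:
            findings.append("%s: %s data with no documented purpose; removed" % (field, classification))
            continue
        kept[field] = value
    return kept, findings


def highest_classification(fields, inventory: dict = CRASH_DATA_INVENTORY) -> str:
    """Highest classification among the given fields, as stated on the data inventory sheet."""
    worst = 0
    for field in fields:
        worst = max(worst, LEVELS.index(inventory[field][0]))
    return LEVELS[worst]


if __name__ == "__main__":
    minimized, findings = review_payload(SAMPLE_PAYLOAD)
    print("payload after minimization:", sorted(minimized))
    print("classification:", highest_classification(minimized))
    for finding in findings:
        print("finding:", finding)
```

Run against the constructed payload, the review keeps five fields, reports four findings, and downgrades the payload from personal to pseudonymous data, which is the statement the team can then carry into the data inventory and the third-party review of Crash Daddy.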

Page 50

Next steps

• Connect Alice, PM with the Product Security Team to plan for the product security assessment
• Draft and share privacy assessment findings with Alice, PM; Bob, Privacy Champ; and Chuck, Dev Mgr
• Coordinate assessment findings with the Product Security Team
• Assist and encourage Alice, PM; Bob, Privacy Champ; and Chuck, Dev Mgr with documenting evidence of privacy engineering activities
• Plan & schedule the final assessment review with Alice, PM

Page 51

Security considerations

Define
• OWASP Top-10 Security Threats
• Google Android Developer Security Guidelines
• Japan Smartphone Security Association Guidelines

Develop
• Static & dynamic code scanners
• Peer code review
• 3rd party security review

Deploy
• Hardening guidelines
• Vulnerability testing (e.g., Nmap)
• Tamper-proofing, secure distribution of code
• Penetration testing
• Google Hacking
• Reactive vulnerability response

Page 52

Privacy policy template
• Title
• Change control/effective date
• Business privacy vision
• Define categories of applicable personal data
• Organization to which the policy applies
• Why the defined categories of personal data are collected
• Limits on collection, use & disclosure of the personal data
• Define circumstances for disclosure of the personal data
• How consent for personal data collection & processing is obtained
• How long the personal data is retained
• How the personal data is secured
• How the accuracy of the personal data is ensured
• How individuals can access their personal data
• How individuals can complain or make an inquiry
• Your identity and contact information

Roles & responsibility for drafting & approval of the Privacy Policy should be clearly defined

Page 53

Assessment report – Major findings

ID | Category | Title of finding | Description of requirement | Action | Status
01 | Major | Notice & Consent | Provide notice prior to initial collection; provide opt-out of data processing | Privacy notice and Terms need to be provided in Google Play Store, First Use Experience and Settings |
   | Major | Notice & Consent | Provide notice & consent prior to use of location data | Add notice & consent control for location data |
03 | Major | Data minimization | Minimum data collection & processing for stated primary purposes | Conduct data minimization review of data inventory against primary purpose |
   | Major | Data minimization | No cross-border transfer of personal data without user's active consent | Include cross-border transfer purpose in Privacy Policy, as needed |
   | Major | Use, retention and disclosure limitation | Provide method for consumer requests for information & redress | Data Retention & Deletion Plan; Privacy Policy includes instructions for consumer redress |
   | Major | Security | Provide product security to protect personal data | Verify no open major product security assessment findings |
   | Major | 3rd Party Privacy & Security Management | Vetting of 3rd party service providers | Email from PM verifying vetting of 3rd party vendors by sourcing/legal |

Status legend: Not Ok / Ok

Page 54

Assessment report – Minor findings

ID | Category | Title of finding | Description of requirement | Action | Status
   | Minor | Service Continuity | No service continuity plan | Agree on service continuity strategy and define and resource a plan aligned with strategy |
   | Minor | Reactive Vulnerability & Incident Response Management | No RV&IR plan | Agree on reactive vulnerability & incident response strategy and define and resource a plan aligned with strategy |
   | Minor | Requirements alignment | Privacy & security requirements alignment across GT app teams | Coordinate privacy & security requirements across app Teams |

Status legend: Not Ok / Ok

Page 55

Assessment report – Recommendations

ID | Category | Title of finding | Description of requirement | Action | Status
   | Recommend | Requirements alignment | Privacy & security requirements alignment across GT app teams | Coordinate privacy & security requirements across app Teams |
   | Recommend | App Hardening | Harden install file with tamper-detection, encryption of token handling | Integrate hardening tool such as DEXGuard |
   | Recommend | Security Training & Awareness | Train key team members on product security | Product security training completed for PM, Dev, QA, Req Mgmt |
   | Recommend | Legal Review | Comply with local laws & regulations | Complete legal review with legal counsel |

Status legend: Not Ok / Ok

Page 56

Next steps

• Distribute the final assessment report to Alice, PM; Bob, Privacy Champ; and Chuck, Dev Mgr
• Work to close open action items with Alice, PM; Bob, Privacy Champ; and Chuck, Dev Mgr
• Schedule and hold the final assessment review with Alice, PM
• Share the final assessment recommendation with Alice, PM; Elliot, CPO; and David, VP Programs
• Support Elliot, CPO on any resulting escalation

Page 57

Final assessment review

Category | Activity | Requirement | Criteria | Status
Development | Business impact | Overall product business criticality & risks assessed | Risk assessment report |
Development | Product information | Defined product description, responsible roles identified | Product description document |
Development | Data flows, system architecture | Use cases identified, data flows documented | Data inventory & classification spreadsheet |
Development | Threat analysis | Privacy & security threats and mitigating controls documented | Threat assessment report |
Development | Code review | Security code scan of software; manual security code reviews also recommended | No open major code scan report items or action items from manual code review |
Development | Third party privacy & security management | Contracts with 3rd parties reference privacy & security requirements | Sign-off email from sourcing/legal counsel |

Status legend: Not Ok / Ok

Page 58

Final assessment review

Category | Activity | Requirement | Criteria | Status
Deployment | Business continuity plan | Defined, resourced & tested plan, supporting agreed RTO (Recovery Time Objective) | Business continuity plan approved by the accountable business owner |
Deployment | Backup/recovery plan | Defined, resourced & tested plan, supporting agreed RPO (Recovery Point Objective) | Backup/recovery plan approved by the accountable business owner |
Deployment | Reactive Vulnerability & Incident Response plan | Defined, resourced & tested plan, supporting agreed vulnerability & incident management objectives | Reactive Vulnerability & Incident Response plan approved by the accountable business owner |
Deployment | Audit logs | Key activities logged, according to the retention & deletion plan. No PII in logs without legitimate purpose | Sign-off email from responsible development manager |
Deployment | Access control | Access to system admin functions and to sensitive/personal data follows AAA best practices | Sign-off email from responsible development manager |
Deployment | Software hardening | Hardening to remove insecure or unnecessary software, features, test data, accounts and similar from the product | Sign-off email from responsible development manager |

Status legend: Not Ok / Ok
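The Audit logs row above requires that key activities are logged but that no PII lands in the logs without a legitimate purpose. As an added example (not code from the lecture or from any Nokia or Globetrotter system), the Python below checks constructed log lines for the personal data and secrets that appear in this case's data flows: GPS lat-lon, the OpenWeatherMap API token and the crash-analytics device id. Location and the token are redacted outright; the device id is replaced by a keyed HMAC pseudonym so that lines about one device stay correlatable without the raw identifier. The admin username on the console access line is kept on purpose, because accountability for admin access is a legitimate purpose. The key=value log format, the 32-hex-character token format and the HMAC key are assumptions made for the example.

```python
"""Audit-log check for personal data outside the stated purpose.

Added example, not code from the lecture or any real system. Log lines are
constructed. Assumptions: key=value log format, an OpenWeatherMap-style 32-hex
token under 'appid', and an HMAC key held outside the logging pipeline.
"""
import hashlib
import hmac
import re

# Constructed sample log lines covering the flows in the two DFDs.
SAMPLE_LOG = """\
2015-01-23T10:01:02Z INFO GetCity lat=43.7102 lon=7.2620 appid=0123456789abcdef0123456789abcdef
2015-01-23T10:01:03Z INFO GetForecast city=Nice
2015-01-23T10:02:10Z WARN TransferCrashData device_id=constructed-device-0001 crash_type=NPE
2015-01-23T10:03:00Z INFO AnalyticRequest user=admin report=crash-by-type
"""

# What to look for. The admin username on the console line is deliberately not
# matched: recording who used the admin console is the accountability purpose.
LOCATION_RE = re.compile(r"\blat=-?\d{1,3}\.\d+\s+lon=-?\d{1,3}\.\d+")
API_TOKEN_RE = re.compile(r"\bappid=[0-9a-f]{32}\b")   # assumed token format
DEVICE_ID_RE = re.compile(r"\bdevice_id=(\S+)")


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym, truncated to 16 hex characters. Same id and
    same key give the same pseudonym, so lines stay correlatable; without the
    key the raw identifier cannot be recovered from the log."""
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def scrub_line(line: str, key: bytes):
    """Return (scrubbed_line, findings) for one log line; findings maps category -> count."""
    findings = {}

    line, n = LOCATION_RE.subn("lat=<redacted> lon=<redacted>", line)
    if n:
        findings["location"] = n

    line, n = API_TOKEN_RE.subn("appid=<redacted>", line)
    if n:
        findings["api_token"] = n

    def replace_device_id(match):
        return "device_id=" + pseudonymize(match.group(1), key)

    line, n = DEVICE_ID_RE.subn(replace_device_id, line)
    if n:
        findings["device_id"] = n

    return line, findings


def scrub_log(text: str, key: bytes):
    """Scrub every line of a log; return (clean_text, totals per finding category)."""
    clean_lines, totals = [], {}
    for line in text.splitlines():
        scrubbed, findings = scrub_line(line, key)
        clean_lines.append(scrubbed)
        for category, count in findings.items():
            totals[category] = totals.get(category, 0) + count
    return "\n".join(clean_lines) + "\n", totals


if __name__ == "__main__":
    clean, totals = scrub_log(SAMPLE_LOG, key=b"constructed-key-keep-out-of-logs")
    print(clean)
    print("findings:", totals)
```

Run over the constructed lines, the check reports one location, one API token and one device id, which are three findings against the Audit logs criterion before the sign-off email can be sent; a secret such as the API token is a product-security finding as well and belongs in the coordination with the Product Security Team.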

Page 59

Final assessment review

Category | Activity | Requirement | Criteria | Status
Compliance | Privacy assessment | Privacy controls selected in threat analysis must be implemented and verified | No open major findings; FUE screenshots; Privacy Policy UX Test Report |
Compliance | Security assessment | Security controls selected in threat analysis must be implemented and verified | No open major findings |

Status legend: Not Ok / Ok

Page 60

5. References

Page 62

What did you learn?

Page 63

Q1: Which is not correct about Privacy Risk?

a. Related to harm to the individual’s personal data rights

b. Involves categories of tangible, intangible & ethical harm

c. Can be mitigated by accepting, transferring risk, eliminating the harm or diminishing the probability or impact of the harm

d. None of these

Page 64

Q2: Which is not correct about the Data Flow Diagram used in Privacy Engineering?

a. Visualizes internal and external interactors

b. Evidence of application of Privacy Engineering

c. Identifies the flow and category of personal data

d. Identifies threats to personal data

e. Can be useful in Product Security Assessment

Page 65

Q3: What does best practice say should be included in a Privacy Policy?

a. Business privacy vision

b. Categories of personal data that are collected and processed

c. Purposes for which personal data is collected and processed

d. Name & address for contacting the Data Controller

e. All of the above

Page 66

Q4: What is the essence of privacy?

a. Personal data

b. Privacy data lifecycle

c. Identifiability of personal data

d. a and c

e. Nymity

f. a and c and e

Page 67

Q5: Which statement about Privacy Engineering and Privacy Assurance is not correct?

a. Privacy Engineering involves implementation of Privacy by Design

b. Privacy Assurance involves the acceptance of any residual product privacy risk

c. Privacy Engineering includes activities at all stages of the product life cycle and should begin as early as feasible

d. Privacy Assurance should include a final verification that the findings from the Privacy Engineering have been implemented and are operational in the product

e. Privacy Engineering is an emerging discipline

Page 68

Q6: What is not a purpose of Privacy Assurance?

a. Verify that identified privacy safeguards are implemented

b. Determine if the product is ready to ”Go Live”

c. Document residual privacy risks

d. Ensure there is evidence of Privacy Engineering in the event a privacy audit is required

e. Identify possible areas of privacy non-compliance

Page 69

Quiz Answers

1. d

2. d, Threats are identified as a result of the Threat Assessment process

3. e

4. f

5. b, It is the responsibility of the business owners to accept residual risk in the product

6. b, The decision to ”Go-Live” with a product involves more than just successful conclusion to a Privacy Assurance review.
