COMMISSION FOR PERSONAL DATA PROTECTION, BULGARIA
Workshop on Computer Emergency Response Teams (CERT) and
Personal Data Protection, 24-25th of April 2014, Skopje
THE ROLE OF DATA PROTECTION AUTHORITY
IN THE ESTABLISHMENT AND WORK OF CERT
Prof. Veselin Tselkov, DSc
Commission for Personal Data Protection
State University of Library Studies and Information
Technologies
The role of data protection authority in the establishment and work of CERT
Agenda
• Introduction
• The role of the Commission for Personal Data Protection
• The Commission and the new challenges
  • Cloud computing
  • Big Data
  • Base principles
• The Commission and good practices
• Conclusions
Introduction
The development of new communication and information technologies, and particularly the Internet and social networks, poses new challenges to communication between people and to the protection of personal data and privacy. Users of these technologies consume services provided over the global Internet and communicate with friends and colleagues through social networks (Facebook, Twitter, etc.). The new generation of technology raises numerous questions:
Questions
• Are users familiar with the opportunities and services available on the Internet?
• Are users aware of the threats in the networks?
• What is the scale and volume of the storage and processing of personal data?
• How do services use their users' personal data, and which settings can users control?
Commission for personal data protection
The role of the Commission
• National strategy for cyber security
• CERT Bulgaria
• National laboratory for cyber security
• Training centre for cyber defence
National Strategy for Cyber security
Cyber space
Cyber space is the electronic world created by interconnected
networks of information technology and the information on
those networks. It is a global commons where more than 1.7
billion people are linked together to exchange ideas, services
and friendship.
Cyber attacks
Cyber attacks include the unintentional or unauthorized access, use, manipulation, interruption or destruction (via electronic means) of electronic information and/or the electronic and physical infrastructure used to process, communicate and/or store that information. The severity of the cyber attack determines the appropriate level of response and/or mitigation measures: i.e., cyber security.
Protecting fundamental rights, freedom of expression,
personal data and privacy
Cyber security can only be sound and effective if it is based on
fundamental rights and freedoms as enshrined in the Charter
of Fundamental Rights of the EU and EU core values.
Individuals' rights cannot be secured without safe networks
and systems. Any information sharing for the purposes of
cyber security should be compliant with EU data protection
law and take full account of the individuals' rights in this field.
CERT Bulgaria
CERT Bulgaria is the national Computer Security Incident Response Team. Its mission is to provide information and assistance to its constituencies in implementing proactive measures to reduce the risk of computer security incidents, as well as responding to such incidents when they occur. The team maintains a database of information on how to make an IT environment more secure.
Alerts, Warnings and Security Advices
• Alerts: technical alerts for recent vulnerabilities in IT systems. Ways to protect against them are described in detail.
• Warnings: non-technical reports of recent vulnerabilities and other important security information.
• Security Advices: short security best-practice documents and guides on how to protect an IT environment against cyber attacks.
CERT Bulgaria, Services
The Computer Security Incident Response Team provides the following reactive and proactive services to its constituencies:
• Alerts and Warnings;
• Vulnerability Handling;
• Incident Handling;
• Artifact Handling;
• Announcements;
• Security-Related Information Dissemination.
Alerts and Warnings
This service involves disseminating information that describes an intruder attack, security vulnerability, intrusion alert, computer virus, or hoax, and providing any short-term recommended course of action for dealing with the resulting problem. The alert, warning, or advisory is sent as a reaction to the current problem to notify constituents of the activity and to provide guidance for protecting their systems or recovering any systems that were affected.
Vulnerability Handling
Vulnerability handling involves:
• Receiving information and reports about hardware and software vulnerabilities;
• Analyzing the nature, mechanics, and effects of the vulnerabilities;
• Developing response strategies for detecting and repairing the vulnerabilities.
Incident Handling
Incident handling involves receiving, triaging and responding to requests and reports, and analyzing incidents and events. Particular response activities can include:
• Taking action to protect systems and networks affected or threatened by intruder activity;
• Providing solutions and mitigation strategies from relevant advisories or alerts;
• Looking for intruder activity on other parts of the network;
• Filtering network traffic;
• Rebuilding systems;
• Patching or repairing systems;
• Developing other response or workaround strategies.
Artifact Handling
Artifact handling involves receiving information about, and copies of, artifacts that are used in intruder attacks, reconnaissance, and other unauthorized or disruptive activities. Once received, the artifact is reviewed. This includes analyzing the nature, mechanics, version, and use of the artifacts and developing (or suggesting) response strategies for detecting, removing, and defending against these artifacts.
Announcements
This includes, but is not limited to, intrusion alerts, vulnerability
warnings, and security advisories. Such announcements
inform constituents about new developments with medium to
long-term impact, such as newly found vulnerabilities or
intruder tools. Announcements enable constituents to protect
their systems and networks against newly found problems
before they can be exploited.
Security-Related Information Dissemination
This service provides constituents with a comprehensive and easy-to-find collection of useful information that aids in improving security. Such information might include:
• Reporting guidelines and contact information for the CSIRT;
• Archives of alerts, warnings, and other announcements;
• Documentation about current best practices;
• General computer security guidance;
• Policies, procedures, and checklists;
• Patch development and distribution information;
• Vendor links;
• Current statistics and trends in incident reporting.
Laboratory for cyber security
The main functions of the laboratory are:
• Research and analysis of cyber threats;
• Exploring new technological solutions for cyber security;
• Development and implementation of tools for cyber defence;
• Liaising with similar structures in the country and abroad;
• Preparation of science-based analyses, opinions and suggestions.
Training Centre for cyber defense
The main functions of the training centre are:
• Working under the methodological guidance of the NATO NCIRC and ENISA;
• Supporting the development of documents such as:
  • Educational programmes and materials;
  • Tests;
  • Scenarios for training exercises;
  • Steering games;
• Working in cooperation with other research centres;
• Supporting the preparation of the Balkan countries that are candidates for accession to NATO and the EU;
• Working with the Laboratory for cyber security;
• Training the responsible structures in Bulgaria;
• Uniting the efforts of the scientific community and NGOs;
• Informing the public about cyber threats and how to counter them.
Commission for personal data protection
The new challenges
• Cloud computing
• Big Data
• Top security risks
• Base principles
• The new challenges
Cloud computing
Cloud computing is a model for IT provision, often based on virtualization and distributed technologies:
• Highly abstracted resources;
• Near-instant scalability and flexibility;
• Near-instantaneous provisioning;
• Shared resources (hardware, database, memory, etc.);
• Service on demand, usually with a 'pay as you go' billing system;
• Programmatic management (e.g., through a web-services API).
Essential Characteristics
Essential Characteristics of cloud computing are:
• On-demand self-service;
• Broad network access;
• Resource pooling;
• Rapid elasticity;
• Measured service.
Service models
Software as a Service (SaaS)
The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser, or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Platform as a Service (PaaS)
The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
Infrastructure as a Service (IaaS)
The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
Additional services
• Storage as a service (STaaS);
• Security as a service (SECaaS);
• Data as a service (DaaS);
• Test as a service (TEaaS);
• Desktop as a service (DaaS);
• API as a service (APIaaS);
• Backend as a service (BaaS).
Deployment models
Private cloud
The cloud infrastructure is provisioned for exclusive use by a
single organization comprising multiple consumers (e.g.,
business units). It may be owned, managed, and operated by
the organization, a third party, or some combination of them,
and it may exist on or off premises.
Community cloud
The cloud infrastructure is provisioned for exclusive use by a
specific community of consumers from organizations that
have shared concerns (e.g., mission, security requirements,
policy, and compliance considerations). It may be owned,
managed, and operated by one or more of the organizations
in the community, a third party, or some combination of
them, and it may exist on or off premises.
Public cloud
The cloud infrastructure is provisioned for open use by the
general public. It may be owned, managed, and operated by
a business, academic, or government organization, or some
combination of them. It exists on the premises of the cloud
provider.
Hybrid cloud
The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
Privacy responsibility in cloud computing
The new technological environment requires new research and new definitions of responsibilities, and a need to specify and solve the common problems related to privacy.
Responsibility
Responsibilities should be defined according to the different roles in the process of interaction, as follows:
• Data owners;
• Data controllers;
• Different entry points to the cloud;
• Internet service providers (ISPs);
• Cloud service providers (CSPs), e.g.:
  • Google;
  • Amazon.
Common problems
The problems are related to the requirement for a common understanding of the notions of privacy, threats, measures and instruments for protection, as well as for the establishment of common assessment criteria for the level of protection. All this requires the development of a common vision with regard to:
• The correspondence of the levels of protection;
• The common evaluation criteria.
Big Data
Big data is the term for a collection of data sets, so large and
complex that it becomes difficult to process using on-hand
database management tools or traditional data processing
applications.
The challenges include capture, curation, storage, search, sharing, transfer, analysis and visualization. The trend towards larger data sets is due to the additional information derivable from analysis of a single large set of related data, as compared to separate smaller sets with the same total amount of data, allowing correlations to be found to "spot business trends, determine quality of research, prevent diseases, link legal citations, combat crime, and determine real-time roadway traffic conditions."
Too Much Data, Not Enough Solutions
Big data roadmap
• Develop Big Data Definitions;
• Develop Big Data Taxonomies;
• Develop Big Data Requirements;
• Develop Big Data Security and Privacy Requirements;
• Develop Big Data Security and Privacy Reference Architectures;
• Develop Big Data Reference Architectures;
• Develop Big Data Technology Roadmap.
Top security risks
• Loss of governance;
• Lock-in;
• Isolation failure;
• Compliance risks;
• Management interface compromise;
• Data protection;
• Insecure or incomplete data deletion;
• Malicious insider.
Base principles
• Privacy;
• Accountability;
• Right to be forgotten;
• Visibility and transparency.
Privacy
• Privacy by Design;
• Privacy by Redesign;
• Privacy by Default.
Accountability
• Maintenance of the management structure;
• Maintenance of the data protection registers;
• Maintenance of privacy policies;
• Maintenance of the operational policies and procedures;
• Raising the level of education and self-responsibility (self-confidence);
• Maintenance of the security checks;
• Maintenance of the contracts;
• Maintenance of the notes;
• Management of questions, complaints and discussions;
• Monitoring (on a consistent basis) of new operational practices;
• Monitoring (on a consistent basis) of data protection violations;
• Monitoring (on a consistent basis) of the existing practices for data protection management;
• Monitoring of external criteria.
Right to be forgotten
A very important question: is it possible to be forgotten in the digital world? The main difficulties are related to:
• The transition from paper data to digital data;
• The processing capabilities of digital data, related to:
  • Storage;
  • Copying;
  • Sharing;
  • Destruction;
• A need for new research and new legislation.
Visibility and transparency
"Trust, but verify." It is necessary to ensure full transparency and accessibility on many questions, including:
• What personal data is processed;
• On what legal basis;
• Where and how it is stored;
• Who has access to it;
• To whom, why and how it is disclosed;
• When and how it is destroyed;
• How monitoring is carried out.
New challenges
The increasing role of information technologies, the process of globalization and the ongoing transition towards an information society call for the development and definition of a complete and consistent data protection policy.
• Data protection policy;
• Directions;
• Inspection (checks and investigations);
• Tasks.
Data protection policy
If we consider the data protection policy as a set of rules and practices, the following relations and questions have to be looked into:
• Policy and technologies;
• Technologies as an abstract notion, due to their diversity;
• Important questions:
  • How the technologies function;
  • Where they have to be used (knowledge required);
  • How they are to be implemented in the world of privacy.
Directions
The ways of improving and further strengthening data protection could be sought in the following areas:
• Training at all levels;
• Discussions;
• Interaction between all parties;
• Connection between experts, especially between:
  • Legal experts;
  • IT experts.
Inspections (checks and investigations)
In accordance with the latest world tendencies, considerable importance is being given to checks and investigations, whereby the focus is on:
• The increasing role of IT specialists;
• What is important?
• Why?
Tasks
• Strategic forecasting and research with regard to possible threats from a privacy and data protection perspective;
• Engaging more IT specialists in the work of data protection authorities (DPAs);
• Lack of understanding of technologies hampers the work of DPAs:
  • of current mathematical models;
  • in different subject fields;
  • towards regulation and standardization.
Technologies
• Establishing a minimum set of proven protection technologies;
• The only chance: to communicate and train;
• Special techniques:
  • Data minimization;
  • Cryptography.
• Setting up verification and analysis tools (instruments);
• Educating IT specialists with specific knowledge and experience;
• Establishing system mechanisms for the protection of personal data.
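The two special techniques named above, data minimization and cryptography, also give one practical answer to the right-to-be-forgotten question raised earlier (how can digital data be destroyed once it has been stored, copied and shared?). The example below is added here and is not code from the original slides or from the Commission or CERT Bulgaria: it stores records under a keyed pseudonym instead of the identifier itself, encrypts each data subject's records under a per-subject key kept in a separate key table, and treats erasure as deletion of that key ("crypto-shredding"), so every copy of the ciphertext, including backups the controller can no longer reach, becomes unreadable at once. All names, the record layout and the sample data are hypothetical; it uses only the Python standard library, so the cipher is an illustrative encrypt-then-MAC stream construction, where a production system would use an AEAD such as AES-GCM with the same key model.

```python
# Added example (not from the original slides): data minimization via keyed
# pseudonyms, per-subject encryption, and crypto-shredding as the erasure step.
# Every name, the record layout and the sample data are hypothetical.
# Standard library only: the cipher is an illustrative encrypt-then-MAC stream
# construction; use an AEAD such as AES-GCM in production with the same key model.
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def pseudonymize(identifier: str, key: bytes) -> str:
    """Data minimization: keep a keyed pseudonym, not the identifier itself.
    A plain hash of a short national ID can be brute-forced from the digest
    alone; HMAC also requires the secret key, which can live outside the
    analytics and backup environment."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:32]


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one per-subject key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF(nonce || counter) blocks XORed with the data, CTR-mode style.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # wrong key or tampered record
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SubjectStore:
    """Records are encrypted under a per-subject key held in a separate key
    table. Erasure deletes only that key, so every copy of the ciphertext
    (replicas, backups, exports already shared) becomes unreadable at once,
    which plain file deletion cannot guarantee."""

    def __init__(self, pseudonym_key: bytes):
        self._pseudonym_key = pseudonym_key
        self._keys = {}     # pseudonym -> per-subject key (the only secret)
        self._records = {}  # pseudonym -> list of encrypted records

    def _pid(self, identifier: str) -> str:
        return pseudonymize(identifier, self._pseudonym_key)

    def store(self, identifier: str, record: dict) -> str:
        pid = self._pid(identifier)
        key = self._keys.setdefault(pid, os.urandom(32))
        self._records.setdefault(pid, []).append(encrypt(key, json.dumps(record).encode()))
        return pid

    def read(self, identifier: str) -> list:
        pid = self._pid(identifier)
        if pid not in self._keys:
            return []  # never stored, or already erased
        return [json.loads(decrypt(self._keys[pid], b)) for b in self._records.get(pid, [])]

    def forget(self, identifier: str) -> bool:
        """Right to be forgotten: drop the key; ciphertext may stay behind."""
        return self._keys.pop(self._pid(identifier), None) is not None

    def ciphertexts(self, pid: str) -> list:
        return list(self._records.get(pid, []))


def demo() -> dict:
    # Constructed sample data, not real personal data.
    store = SubjectStore(pseudonym_key=b"constructed-pseudonym-key")
    pid = store.store("subject-0001", {"name": "A. Example", "address": "constructed street 1"})
    before = store.read("subject-0001")
    erased, erased_again = store.forget("subject-0001"), store.forget("subject-0001")
    after = store.read("subject-0001")
    leftover = store.ciphertexts(pid)  # survives erasure, now useless without the key
    try:
        decrypt(os.urandom(32), leftover[0])
        wrong_key_fails = False
    except ValueError:
        wrong_key_fails = True
    return {"before": before, "erased": erased, "erased_again": erased_again,
            "after": after, "leftover": len(leftover), "wrong_key_fails": wrong_key_fails}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design choice worth noting is where the secrets live: the pseudonym key and the per-subject keys are the only material that must be protected and must never be copied into backups or shared exports, because those copies are exactly what the "copy", "share" and "destruction" difficulties on the right-to-be-forgotten slide are about.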
Commission for personal data protection
Good practices
• Commission for personal data protection and Central election
commission - 2014
• Commission for personal data protection and EU Commission
regulation No 611
• Commission for personal data protection and a good practice
– Security Information and Event Management, SIEM
CPDP and Central Election Commission
At its regular meeting held on 17.04.2014 (Protocol № 11 of
17.04.2014), the Commission for Personal Data Protection found
that, in order to fulfil the statutory requirements of Art. 136 of
the Election Code (IC), the Central Election Commission has
allowed each voter who is a Bulgarian citizen to consult the list
under Art. 133, para. 3, item 5 by identification number, and
each voter who is a citizen of another Member State of the
European Union by personal number, respectively.
CPDP and Central Election Commission
At the same time, the CPDP believes that the development and use
of the CEC software should provide the necessary level of
protection pursuant to Art. 23 of the Personal Data Protection
Act and Ordinance № 1 of 30 January 2013 on the minimum level of
technical and organizational measures and the admissible type of
personal data. In this regard, and pursuant to Art. 10, para 1,
item 5 of the Personal Data Protection Act (PDPA)
CPDP and Central Election Commission
The CPDP issued the following compulsory instruction to the CEC
as an administrator of personal data, to the following effect:
• Introduce additional identification of voters, whereby each of
them receives a personal access code for the consultation. The
code is to be delivered over any of the possible communication
channels: mobile phone, fixed phone, fax, e-mail or in person,
according to the will of the voter. Access to the consultation
system under Art. 136 IC is to be carried out by UCC and
personal access code.
CPDP and Central Election Commission
The CPDP issued the following compulsory instruction to the CEC
as an administrator of personal data, to the following effect:
• In the security of the software used (the electronic service of
the CEC under Art. 136 IC), introduce an additional level of
protection: on-site inspection of the time and sequence of
requests for consultation, analysis of the results, and the
ability of the CEC to respond by banning access to the system.
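The two instructions above describe three controls: a second factor (a personal access code next to the UCC), a log of the time and sequence of every consultation request, and the ability to ban a source that misbehaves. The following is an added example of how a lookup service can implement them; it is not the CEC's software or the CPDP's code. Class and method names, the identifier format, the code length and the ban thresholds (five failures within ten minutes) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy values for the example (not taken from the instruction).
MAX_FAILED_ATTEMPTS = 5        # failures per source before access is banned
FAILURE_WINDOW_SECONDS = 600   # window in which the failures are counted


@dataclass
class AuditRecord:
    seq: int        # sequence number of the request (the order is recorded)
    ts: float       # time of the request, seconds since an arbitrary epoch
    source: str     # requesting source, e.g. a client address (constructed)
    voter_id: str   # identifier presented by the requester (UCC placeholder)
    outcome: str    # "ok", "bad_code", "unknown_voter" or "banned"


class VoterLookupService:
    """Models the Art. 136 consultation service with the additional controls:
    a per-voter access code as second factor, an audit log of the time and
    sequence of each request, and a ban on sources that keep failing."""

    def __init__(self):
        self._code_hashes = {}              # voter_id -> salted hash of the code
        self._salts = {}                    # voter_id -> salt
        self._failures = defaultdict(list)  # source -> timestamps of failures
        self._banned = set()
        self.audit_log = []
        self._seq = 0

    @staticmethod
    def _hash(code, salt):
        # Slow, salted hash: a leaked table does not reveal the codes.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

    def issue_access_code(self, voter_id):
        """Generate a random access code for one voter. Only its salted hash is
        kept; the code itself goes to the voter over the channel they chose."""
        code = secrets.token_hex(4).upper()   # 8 hex characters (assumed length)
        salt = secrets.token_bytes(16)
        self._salts[voter_id] = salt
        self._code_hashes[voter_id] = self._hash(code, salt)
        return code

    def consult(self, source, voter_id, code, now):
        """Handle one request, record it, and return True only when the source
        is not banned and both the identifier and the access code match.
        The caller sees only True/False; the precise reason stays in the log,
        so the response does not reveal whether an identifier exists."""
        self._seq += 1
        if source in self._banned:
            self._record(now, source, voter_id, "banned")
            return False
        salt = self._salts.get(voter_id)
        if salt is None:
            outcome = "unknown_voter"
        elif hmac.compare_digest(self._hash(code, salt), self._code_hashes[voter_id]):
            outcome = "ok"
        else:
            outcome = "bad_code"
        self._record(now, source, voter_id, outcome)
        if outcome != "ok":
            self._note_failure(source, now)
        return outcome == "ok"

    def _record(self, now, source, voter_id, outcome):
        self.audit_log.append(AuditRecord(self._seq, now, source, voter_id, outcome))

    def _note_failure(self, source, now):
        # Keep only failures inside the window; ban when the limit is reached.
        recent = [t for t in self._failures[source] if now - t < FAILURE_WINDOW_SECONDS]
        recent.append(now)
        self._failures[source] = recent
        if len(recent) >= MAX_FAILED_ATTEMPTS:
            self._banned.add(source)

    def is_banned(self, source):
        return source in self._banned

    def requests_from(self, source):
        """Sequence numbers, times and outcomes of one source's requests,
        the material an operator analyses before or after a ban."""
        return [(r.seq, r.ts, r.outcome) for r in self.audit_log if r.source == source]
```

The ban is keyed on the requesting source and the failure count is per window, so a legitimate voter who mistypes once is not locked out, while a source cycling through codes is cut off after a handful of attempts and every one of its requests, including those after the ban, remains in the audit log for analysis.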
CPDP and EU Commission regulation No 611
COMMISSION REGULATION (EU) No 611/2013 of 24 June 2013
• on the measures applicable to the notification of personal
data breaches under Directive 2002/58/EC of the European
Parliament and of the Council on privacy and electronic
communications.
CPDP and EU Commission regulation No 611
Article 2 Notification to the competent national authority
4. The competent national authority shall provide to all providers
established in the Member State concerned a secure electronic
means for notification of personal data breaches and information
on the procedures for its access and use. Where necessary, the
Commission shall convene meetings with competent national
authorities to facilitate the application of this provision.
CPDP and EU Commission regulation No 611
System architecture – 1/2
To establish a system for monitoring, reporting and processing of
events related to personal data security breaches. The CPDP
maintains a database with a full description of the events and
application software for data analysis, to facilitate the
submission to the EU of statistics on the number and type of data
security violations. Communication can be realized through a
secure site containing all the necessary information and
procedures.
CPDP and EU Commission regulation No 611
System architecture – 2/2
The secure site is to contain at least the following information:
• Annex 1 of Regulation 611/2013, for notifying the national
competent authority;
• Annex 2 of Regulation 611/2013, for notifying subscribers or
individuals - with the possibility of filing online and reporting
events.
CPDP and EU Commission regulation No 611
Security measures
A secure connection is provided by identification and
authentication (I&A) and by securing the communication with the
SSL cryptographic protocol. The algorithms used are RSA and AES.
Providers of electronic services should be issued certificates by
a certification system, providing keys for access to and use of
the protected site. The CPDP organizes and maintains a Public Key
Infrastructure (lists of users, digital certificates, etc.).
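The slide describes the connection policy for the notification site: providers identify themselves with certificates issued by the CPDP's PKI, the channel is encrypted with RSA and AES suites. As an added example, not the CPDP's configuration, the following Python code expresses that policy with the standard `ssl` module for both ends of the connection and audits a context against it, with a bare default server context shown alongside for comparison. The file paths, the cipher list, the audit rules and the function names are assumptions; where the slide says "SSL", the example requires TLS 1.2 or newer, the current form of that protocol.

```python
import ssl

# Policy values assumed for the example.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
# RSA- or ECDSA-authenticated ECDHE/DHE key exchange with AES-GCM.
CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5"


def build_server_context(cafile=None, certfile=None, keyfile=None):
    """Server side (the secure site): require a client certificate chained to
    the CPDP CA, i.e. identification and authentication of the provider.
    The paths are placeholders; files are loaded only when given."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION
    ctx.verify_mode = ssl.CERT_REQUIRED      # mutual TLS: no certificate, no access
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.set_ciphers(CIPHERS)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # CPDP PKI root (assumed path)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)     # site certificate and key
    return ctx


def build_client_context(cafile=None, certfile=None, keyfile=None):
    """Provider side: verify the site against the CPDP CA, check the host
    name, and present the provider's own certificate when given."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = MIN_VERSION
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)     # provider certificate and key
    return ctx


def weak_server_context():
    """A bare default server context for comparison: it never asks the peer
    for a certificate, so anyone who can reach the site can use it."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def audit_context(ctx):
    """Return the policy violations found in a context (empty list = ok)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("peer certificate not required")
    if ctx.minimum_version < MIN_VERSION:
        problems.append("protocol versions below TLS 1.2 allowed")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and not ctx.check_hostname:
        problems.append("host name not checked")
    return problems
```

The audit function is the useful part for a DPA: it can be run against the context an application actually builds, so a deployment that silently drops client-certificate verification (the single most common way such a site becomes an open form) is caught before it goes live.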
Security Information and Event Management
A system for monitoring, management and analysis of information
security events and incidents (Security Information and Event
Management, SIEM), implemented and operated in an organization,
collects in a centralized way the records (logs, log files) from
all sources of information and communication assets in the
corporate system: passive and active communication equipment,
firewalls, servers, databases and other applications, as well as
the very traffic generated in the network.
Security Information and Event Management
The resulting information is processed and analyzed, and
correlation is performed between suspicious events and abnormal
traffic behavior, so that potential attacks and malicious
activities in information systems can be detected.
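The previous two slides describe what a SIEM does: collect logs from unrelated sources, normalize them, and correlate suspicious events with abnormal traffic. The following added example, not part of the presentation, does this in miniature: it parses constructed sample lines from a server authentication log and a firewall log, detects a login that succeeded only after a burst of failures, and raises an alert when the same asset then moves an unusually large volume of data outbound. The log formats, host names, addresses, the asset inventory and the thresholds (four failures in five minutes, 100 MB within 30 minutes) are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from the page). The server log and the
# firewall log come from different sources, which is exactly what a SIEM
# has to join: the firewall knows addresses, the server knows user names.
AUTH_LOG = """\
2014-04-24T09:00:01 srv1 sshd: Failed password for admin from 198.51.100.7
2014-04-24T09:00:03 srv1 sshd: Failed password for admin from 198.51.100.7
2014-04-24T09:00:05 srv1 sshd: Failed password for admin from 198.51.100.7
2014-04-24T09:00:07 srv1 sshd: Failed password for admin from 198.51.100.7
2014-04-24T09:00:09 srv1 sshd: Accepted password for admin from 198.51.100.7
2014-04-24T09:30:00 srv1 sshd: Accepted password for alice from 10.0.0.12
"""
FW_LOG = """\
2014-04-24T09:02:10 fw1 ALLOW src=10.0.1.5 dst=203.0.113.9 bytes=734003200
2014-04-24T09:31:00 fw1 ALLOW src=10.0.1.5 dst=203.0.113.20 bytes=5120
"""
ASSETS = {"srv1": "10.0.1.5"}   # constructed asset inventory: host name -> address

AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) (\S+) ALLOW src=(\S+) dst=(\S+) bytes=(\d+)$")


def parse_events(auth_text, fw_text):
    """Normalize lines from both sources into one time-ordered event list."""
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, result, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "type": "auth",
                           "host": host, "ok": result == "Accepted",
                           "user": user, "src": src})
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, _fw, src, dst, nbytes = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "type": "flow",
                           "src": src, "dst": dst, "bytes": int(nbytes)})
    return sorted(events, key=lambda e: e["ts"])


def brute_force_logins(events, min_failures=4, window=timedelta(minutes=5)):
    """Successful logins preceded by at least min_failures failures from the
    same source on the same host inside the window (the suspicious event)."""
    hits = []
    failures = defaultdict(list)   # (host, src) -> timestamps of failures
    for e in events:
        if e["type"] != "auth":
            continue
        key = (e["host"], e["src"])
        if not e["ok"]:
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= min_failures:
            hits.append({"ts": e["ts"], "host": e["host"],
                         "src": e["src"], "user": e["user"]})
        failures[key].clear()
    return hits


def correlate(events, assets, byte_threshold=100 * 1024 * 1024,
              window=timedelta(minutes=30)):
    """Pair each brute-forced login with abnormal outbound traffic from the
    same asset afterwards (the abnormal traffic behavior)."""
    alerts = []
    for login in brute_force_logins(events):
        host_ip = assets.get(login["host"])
        for e in events:
            if (e["type"] == "flow" and e["src"] == host_ip
                    and login["ts"] <= e["ts"] <= login["ts"] + window
                    and e["bytes"] >= byte_threshold):
                alerts.append({"host": login["host"], "attacker": login["src"],
                               "user": login["user"], "dst": e["dst"],
                               "bytes": e["bytes"]})
    return alerts


def run_example():
    return correlate(parse_events(AUTH_LOG, FW_LOG), ASSETS)
```

On the sample data only the first login produces an alert: the four failures followed by a success on srv1 are suspicious on their own, and the 700 MB transfer from srv1's address two minutes later turns them into a finding. Alice's normal login and the small transfer after it match neither rule. Neither source alone would have shown this; the join through the asset inventory is what the correlation step adds.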
Security Information and Event Management
Key architectural components - 1/4
Key components of the architecture are:
• DECODER - Captures, parses and reconstructs all network traffic
from Layers 2-7, or log and event data from hundreds of devices.
• CONCENTRATOR - Indexes metadata extracted from network or log
data and makes it available for enterprise-wide querying and
real-time analytics, while also facilitating reporting and
alerting.
Security Information and Event Management
Key architectural components - 2/4
Key components of the architecture are:
• WAREHOUSE - Hadoop-based distributed computing system which
collects, manages, and enables analytics and reporting on
longer-term (months/years) sets of security data. The Warehouse
can be made up of 3 or more nodes, depending on the
organization's analytic, archiving and resiliency requirements.
Security Information and Event Management
Key architectural components - 3/4
Key components of the architecture are:
• ANALYTIC SERVER/BROKER - Hosts the web server for reporting,
investigation, administration and other aspects of the analyst's
interface. Bridges the multiple real-time data stores held in
the various decoder/concentrator pairs throughout the
infrastructure. Also enables reporting on data held in the
Warehouse.
Security Information and Event Management
Key architectural components - 4/4
Key components of the architecture are:
• CAPACITY - Security Analytics has a modular-capacity
architecture, enabled with direct-attached capacity (DACs) or
storage area networks (SANs), that adapts to the organization's
short-term investigation and longer-term analytic and
data-retention needs.
Security Information and Event Management
Real time collection, analysis and investigation
• Real-time collection, analysis & investigation;
• Distributed collection infrastructure for simultaneous log and
full network packet capture;
• Metadata parsing and management enables the blending of log,
network and other data for automated analytics, reporting and
analyst-driven investigations;
• Optimized distributed data management.
The Benefits of SIEM
The system is a highly effective tool to support the work of
information security specialists. It provides a solution to the
problems associated with the lack of visibility into information
systems, the impossibility of manually processing the vast and
diverse amount of information, and the lack of centralized
collection and storage of log information. Such systems represent
a strategic component for the implementation of comprehensive
protection and significantly improve the effectiveness in
counteracting information security breaches that have occurred.
Conclusion
The new models of interaction, the new information technologies
and the threats to the inviolability of personal data outline new
scientific challenges. In order for the right answers and
solutions to be found, there is a need to achieve full
integration and good interaction in the efforts of:
• The state bodies;
• The universities and scientific institutes;
• The business;
• The nongovernmental sector and the media.
Agenda
• Introduction
• The role of the Commission for personal data protection
• Commission and new challenges
• Cloud computing
• Big Data
• Base principles
• Commission and good practices
• Conclusions
QUESTIONS?
Prof. Veselin Tselkov, DSc – member of the Board
www.cpdp.bg
e-mail: [email protected]
tel: 00359 2 9153554
fax: 00359 2 9153525