COMMISSION FOR PERSONAL DATA PROTECTION, BULGARIA
Workshop on Computer Emergency Response Teams (CERT) and Personal Data Protection, 24-25th of April 2014, Skopje

THE ROLE OF DATA PROTECTION AUTHORITY IN THE ESTABLISHMENT AND WORK OF CERT

Prof. Veselin Tselkov, DSc
Commission for Personal Data Protection
State University of Library Studies and Information Technologies

The role of data protection authority in the establishment and work of CERT 1

Agenda

• Introduction
• The role of the Commission for personal data protection
• Commission and the new challenges
• Cloud computing
• Big Data
• Base principles
• Commission and good practices
• Conclusions

Introduction

The development of new communication and information technologies, and particularly of the Internet and social networks, poses new challenges to communication between people and to the protection of personal data and privacy. Users of the new technologies use services provided over the global Internet and communicate with friends and colleagues through social networks (Facebook, Twitter, etc.). The new generation of technology raises numerous questions:

Questions

• Are users familiar with the opportunities and services on the Internet?
• Are users aware of the threats in the networks?
• What are the scale and volume of the storage and processing of personal data?
• How is the personal data of service users used, and what are the parameters that can be set?

Commission for personal data protection – The role of the Commission

• National strategy for cyber security
• CERT Bulgaria
• National laboratory for cyber security
• Training center for cyber defense

National Strategy for Cyber security – Cyber space

Cyber space is the electronic world created by interconnected networks of information technology and the information on those networks. It is a global commons where more than 1.7 billion people are linked together to exchange ideas, services and friendship.

National Strategy for Cyber security – Cyber attacks

Cyber attacks include the unintentional or unauthorized access, use, manipulation, interruption or destruction (via electronic means) of electronic information and/or the electronic and physical infrastructure used to process, communicate and/or store that information. The severity of the cyber attack determines the appropriate level of response and/or mitigation measures: i.e., cyber security.
National Strategy for Cyber security – Protecting fundamental rights, freedom of expression, personal data and privacy

Cyber security can only be sound and effective if it is based on the fundamental rights and freedoms enshrined in the Charter of Fundamental Rights of the EU and on EU core values. Individuals' rights cannot be secured without safe networks and systems. Any information sharing for the purposes of cyber security should be compliant with EU data protection law and take full account of the individuals' rights in this field.

CERT Bulgaria

CERT Bulgaria is the national Computer Security Incidents Response Team. Its mission is to provide information and assistance to its constituencies in implementing proactive measures to reduce the risks of computer security incidents, as well as in responding to such incidents when they occur. The team builds up a database providing information on how you can make your IT environment more secure.

CERT Bulgaria – Alerts, Warnings and Security Advices

• Alerts: technical alerts for recent vulnerabilities in IT systems. Ways to protect against them are described in detail.
• Warnings: non-technical reports of recent vulnerabilities and other important security information.
• Security Advices: short security best-practice documents and guides on how to protect your IT environment against cyber attacks.

CERT Bulgaria, Services

The Computer Security Incidents Response Team provides the following reactive and proactive services to its constituencies:
• Alerts and Warnings;
• Vulnerability Handling;
• Incident Handling;
• Artifact Handling;
• Announcements;
• Security-Related Information Dissemination.

CERT Bulgaria, Services – Alerts and Warnings

This service involves disseminating information that describes an intruder attack, security vulnerability, intrusion alert, computer virus, or hoax, and providing any short-term recommended course of action for dealing with the resulting problem. The alert, warning, or advisory is sent as a reaction to the current problem to notify constituents of the activity and to provide guidance for protecting their systems or recovering any systems that were affected.

CERT Bulgaria, Services – Vulnerability Handling

Vulnerability handling involves:
• Receiving information and reports about hardware and software vulnerabilities;
• Analyzing the nature, mechanics, and effects of the vulnerabilities;
• Developing response strategies for detecting and repairing the vulnerabilities.
CERT Bulgaria, Services – Incident Handling

Incident handling involves receiving, triaging and responding to requests and reports, and analyzing incidents and events. Particular response activities can include:
• Taking action to protect systems and networks affected or threatened by intruder activity;
• Providing solutions and mitigation strategies from relevant advisories or alerts;
• Looking for intruder activity on other parts of the network;
• Filtering network traffic;
• Rebuilding systems;
• Patching or repairing systems;
• Developing other response or workaround strategies.

CERT Bulgaria, Services – Artifact Handling

Artifact handling involves receiving information about, and copies of, artifacts that are used in intruder attacks, reconnaissance, and other unauthorized or disruptive activities. Once received, the artifact is reviewed. This includes analyzing the nature, mechanics, version, and use of the artifacts and developing (or suggesting) response strategies for detecting, removing, and defending against these artifacts.
CERT Bulgaria, Services – Announcements

This includes, but is not limited to, intrusion alerts, vulnerability warnings, and security advisories. Such announcements inform constituents about new developments with medium- to long-term impact, such as newly found vulnerabilities or intruder tools. Announcements enable constituents to protect their systems and networks against newly found problems before they can be exploited.

CERT Bulgaria, Services – Security-Related Information Dissemination

This service provides constituents with a comprehensive and easy-to-find collection of useful information that aids in improving security. Such information might include:
• Reporting guidelines and contact information for the CSIRT;
• Archives of alerts, warnings, and other announcements;
• Documentation about current best practices;
• General computer security guidance;
• Policies, procedures, and checklists;
• Patch development and distribution information;
• Vendor links;
• Current statistics and trends in incident reporting.

Laboratory for cyber security

The main functions of the laboratory are:
• Research and analysis of cyber threats;
• Exploring new technological solutions for cyber security;
• Development and implementation of tools for cyber defense;
• Liaising with similar structures in the country and abroad;
• Preparation of science-based analyses, opinions and suggestions.

Training Centre for cyber defense

The main functions of the training centre are:
• Works under the methodological guidance of the NATO NCIRC and ENISA;
• Supports the development of documents such as:
  • Educational programs and materials;
  • Tests;
  • Scenarios for training exercises;
  • Steering games;
• Will work in cooperation with other research centers;
• Will support the preparation of the Balkan countries that are candidates for accession to NATO and the EU;
• Will work with the Laboratory for cyber security;
• Will train the responsible structures in Bulgaria;
• Will unite the efforts of the scientific community and NGOs;
• Will work
  to inform the public about cyber threats and to counter them.

Commission for personal data protection – The new challenges

• Cloud computing
• Big Data
• Top security risks
• Base principles
• The new challenges

Cloud computing

Cloud computing is a model for IT provision, often based on virtualization and distributed technologies.
• Highly abstracted resources;
• Near-instant scalability and flexibility;
• Near-instantaneous provisioning;
• Shared resources (hardware, database, memory, etc.);
• Service on demand, usually with a 'pay as you go' billing system;
• Programmatic management (e.g., through a WS API).

Essential Characteristics

The essential characteristics of cloud computing are:
• On-demand self-service;
• Broad network access;
• Resource pooling;
• Rapid elasticity;
• Measured service.
Service models

Software as a Service (SaaS)

The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser, or a program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Platform as a Service (PaaS)

The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
Infrastructure as a Service (IaaS)

The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

Additional services

• Storage as a service (STaaS);
• Security as a service (SECaaS);
• Data as a service (DaaS);
• Test as a service (TEaaS);
• Desktop as a service (DaaS);
• API as a service (APIaaS);
• Backend as a service (BaaS).

Deployment models

Private cloud

The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units).
It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

Community cloud

The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Public cloud

The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Hybrid cloud

The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
Privacy responsibility in cloud computing

The new technological environment requires new research and definitions as to the responsibilities, and a need to specify and solve common problems related to privacy.

Responsibility

Responsibilities should be defined depending on the different roles in the process of interaction, as follows:
• Data owners;
• Data controllers;
• Different entry points to the cloud;
• Internet service providers (ISPs);
• Cloud service providers (CSPs):
  • Google;
  • Amazon.

Common problems

The problems are related to the requirement for a common understanding of the notions of privacy, threats, and measures and instruments for protection, as well as for the establishment of common assessment criteria for the level of protection. All this requires the development of a common vision with regard to:
• The correspondence of the levels of protection;
• The common evaluation criteria.
Big Data

Big data is the term for a collection of data sets so large and complex that it becomes difficult to process them using on-hand database management tools or traditional data processing applications.

Big data

The challenges include capture, curation, storage, search, sharing, transfer, analysis and visualization. The trend to larger data sets is due to the additional information derivable from analysis of a single large set of related data, as compared to separate smaller sets with the same total amount of data, allowing correlations to be found to "spot business trends, determine quality of research, prevent diseases, link legal citations, combat crime, and determine real-time roadway traffic conditions."
Too Much Data, Not Enough Solutions

Big data roadmap

• Develop Big Data Definitions;
• Develop Big Data Taxonomies;
• Develop Big Data Requirements;
• Develop Big Data Security and Privacy Requirements;
• Develop Big Data Security and Privacy Reference Architectures;
• Develop Big Data Reference Architectures;
• Develop Big Data Technology Roadmap.

Top security risks

• Loss of governance;
• Lock-in;
• Isolation failure;
• Compliance risks;
• Management interface compromise;
• Data protection;
• Insecure or incomplete data deletion;
• Malicious insider.

Base principles

• Privacy;
• Accountability;
• Right to be forgotten;
• Visibility and Transparency.

Privacy

• Privacy by Design;
• Privacy by Redesign;
• Privacy by Default.
Accountability

• Maintenance of the management structure;
• Maintenance of the data protection registers;
• Maintenance of privacy policies;
• Maintenance of the operational policies and procedures;
• Increasing the level of education and self-responsibility (self-confidence);
• Maintenance of the security checks;
• Maintenance of the contracts;
• Maintenance of the notes;
• Management of the questions, complaints and discussions;
• Monitoring (on a consistent basis) of new operational practices;
• Monitoring (on a consistent basis) of data protection violations;
• Monitoring (on a consistent basis) of the existing practices for data protection management;
• Monitoring of external criteria.

Right to be forgotten

A very important question: is it possible to be forgotten in the digital world? The main difficulties are related to:
• The transition from paper data to digital data;
• The processing capabilities of digital data related to:
  • Storage;
  • Copying;
  • Sharing;
  • Destruction;
• A need for new research and new legislation.
Visibility and transparency

"Trust, but verify". It is necessary to ensure full transparency and accessibility on many questions, including:
• What personal data is processed;
• On what legal basis;
• Where and how it is stored;
• Who has access to it;
• To whom, why and how it is provided;
• When and how it is destroyed;
• How monitoring is carried out.

New challenges

The increasing role of information technologies, the process of globalization and the ongoing transition towards the information society call for the development and definition of a complete and uncontroversial Data Protection Policy.

New challenges

• Data protection policy;
• Directions;
• Inspection (checks and investigations);
• Tasks.
Data protection policy

If we consider the Data Protection Policy as a set of rules and practices, the following relations and questions have to be looked into:
• Policy and technologies;
• Technologies – an abstract notion due to their diversity;
• Important questions:
  • How do technologies function;
  • Where do they have to be used (knowledge required);
  • How are they to be implemented in the world of privacy.

Directions

The ways of improving and further strengthening data protection could be sought in the following areas:
• Training at all levels;
• Discussions;
• Interaction between all parties;
• Connection between experts, especially between:
  • Legal experts;
  • IT experts.

Inspections (checks and investigations)

In accordance with the latest world tendencies, considerable importance is being given to checks and investigations, whereby the focus is on:
• The increasing role of IT specialists;
• What is important?
• Why?
Tasks

• Strategic forecasting and research with regard to possible threats from the privacy and data protection perspective;
• Engaging more IT specialists in the work of data protection authorities (DPAs);
• Lack of understanding of technologies hampers the work of DPAs:
  • About actual mathematical models;
  • In different subject fields;
  • Towards regulation and standardization.

Technologies

• Establishing a minimum set of proven protection technologies;
• The only chance – to communicate and train;
• Special techniques:
  • Data minimization;
  • Cryptography.

Technologies

• Setup of verification and analysis tools (instruments);
• Educating IT specialists with specific knowledge and experience;
• Establishing system mechanisms for the protection of personal data.
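The two special techniques named above, data minimization and cryptography, also bear on the destruction difficulty raised under the right to be forgotten. The following Python example is added here for illustration; it is not code from the presentation or from the Commission. It assumes a constructed register of three records, a per-purpose HMAC-SHA256 key from which pseudonyms are derived, and a key store whose `destroy` method performs crypto-shredding: once the purpose key is gone, nobody can link a pseudonym back to a civil number, so the minimized dataset stops being personal data in the controller's hands. Record values, purpose names and all function and class names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample register (assumption): the kind of record a controller might hold.
RAW_RECORDS = [
    {"civil_number": "8001011234", "name": "Ivan Petrov", "address": "Sofia, ul. Primer 1",
     "email": "ivan@example.org", "birth_year": 1980, "polling_station": "01-04"},
    {"civil_number": "8506302222", "name": "Maria Ilieva", "address": "Plovdiv, ul. Test 9",
     "email": "maria@example.org", "birth_year": 1985, "polling_station": "16-02"},
    {"civil_number": "9012155555", "name": "Georgi Dimov", "address": "Varna, bul. Demo 3",
     "email": "georgi@example.org", "birth_year": 1990, "polling_station": "03-11"},
]

# Data minimization: per processing purpose, only the fields that purpose actually needs.
PURPOSE_FIELDS = {
    "turnout_statistics": ("birth_year", "polling_station"),
    "notification_mailing": ("email",),
}


class KeyShredded(Exception):
    """Raised when re-identification is attempted after the purpose key was destroyed."""


class PseudonymKeyStore:
    """One secret key per purpose. Destroying a key is the crypto-shredding step."""

    def __init__(self):
        self._keys = {}

    def create(self, purpose):
        self._keys[purpose] = secrets.token_bytes(32)

    def get(self, purpose):
        try:
            return self._keys[purpose]
        except KeyError:
            raise KeyShredded(f"no key for purpose {purpose!r}") from None

    def destroy(self, purpose):
        # Dropping the only reference is the point: without the key the HMAC
        # pseudonyms can no longer be recomputed, so re-linking is impossible.
        self._keys.pop(purpose, None)


def pseudonym(key, identifier, purpose):
    """Keyed pseudonym: HMAC-SHA256 over purpose||identifier. The purpose string is
    domain separation, so one person gets unlinkable pseudonyms across purposes."""
    mac = hmac.new(key, f"{purpose}\x00{identifier}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def minimize(record, fields):
    """Keep only the fields the purpose needs; everything else never leaves the source."""
    return {f: record[f] for f in fields}


def pseudonymize(records, purpose, store):
    """Produce the purpose-specific dataset: a pseudonym plus the minimized fields."""
    key = store.get(purpose)
    fields = PURPOSE_FIELDS[purpose]
    return [{"pid": pseudonym(key, r["civil_number"], purpose), **minimize(r, fields)}
            for r in records]


def relink(dataset, civil_number, purpose, store):
    """Controller-side re-identification; only possible while the purpose key exists."""
    target = pseudonym(store.get(purpose), civil_number, purpose)
    return [row for row in dataset if row["pid"] == target]


if __name__ == "__main__":
    store = PseudonymKeyStore()
    store.create("turnout_statistics")
    stats = pseudonymize(RAW_RECORDS, "turnout_statistics", store)
    print(stats)
    print(relink(stats, "8506302222", "turnout_statistics", store))
    store.destroy("turnout_statistics")          # right to be forgotten: shred the key
    try:
        relink(stats, "8506302222", "turnout_statistics", store)
    except KeyShredded as e:
        print("re-identification no longer possible:", e)
```

The same person appears under different pseudonyms in the statistics and mailing datasets, so the two cannot be joined without the keys, and a record that must be forgotten can be made unrecoverable by destroying the relevant key even when copies of the pseudonymized dataset have already been shared.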
Commission for personal data protection – Good practices

• Commission for personal data protection and the Central Election Commission – 2014
• Commission for personal data protection and EU Commission Regulation No 611
• Commission for personal data protection and a good practice – Security Information and Event Management (SIEM)

CPDP and Central Election Commission

At its regular meeting held on 17.04.2014 (Protocol № 11 of 17.04.2014), the Commission for Personal Data Protection found that the Central Election Commission, in order to fulfil the statutory requirements of Art. 136 of the Election Code (IC), allowed each voter who is a Bulgarian citizen to consult the list under Art. 133, para. 3, item 5 by identification number (personal number, respectively, for each voter who is a citizen of another Member State of the European Union).

CPDP and Central Election Commission

At the same time, the CPDP considers that the development and use of the CEC's software should provide the necessary level of protection pursuant to Art. 23 of the Personal Data Protection Act and Ordinance № 1 of 30 January 2013 on the minimum level of technical and organizational measures and the admissible type of personal data. In this regard, and pursuant to Art.
10, para 1, item 5 of the Law on Personal Data Protection Act (PDPA) The role of data protection authority in the establishment and work of CERT 60 COMMISSION FOR PERSONAL DATA PROTECTION, BULGARIA Workshop on Computer Emergency Response Teams (CERT) and Personal Data Protection, 24-25th of April 2014, Skopje CPDP and Central Election Commission The CPDP issued the following compulsory instruction of the CEC as an administrator of personal data in the following sense: • Introduce further identification of voters in each of them to receive a personal access code for consultation. Receiving this code to it in all possible communication channels: mobile phone, fixed phone, fax, email or in person, according to the will of the voter. Access to the system for reference art. 136 IK be carried out by UCC and personal access code. The role of data protection authority in the establishment and work of CERT 61 COMMISSION FOR PERSONAL DATA PROTECTION, BULGARIA Workshop on Computer Emergency Response Teams (CERT) and Personal Data Protection, 24-25th of April 2014, Skopje CPDP and Central Election Commission The CPDP issued the following compulsory instruction of the CEC as an administrator of personal data in the following sense: • In the security of software used (electronic service of the CEC of art. 136 IC) to introduce an additional level of protection for the on-site inspection, time and sequence of requests for consultation, analysis of results and the ability to respond by CEC to ban access to the system. 
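The two controls in the instruction above (a personal access code as a second factor alongside the identifier, and monitoring of the time and sequence of consultation requests with the ability to block a source) can be illustrated in code. The block below is an added example, not the CEC's or the CPDP's software; the code format, the thresholds, the source addresses and the request log are constructed assumptions for the illustration.

```python
"""Illustration of the two controls in the CPDP instruction: an out-of-band personal
access code as a second factor, and monitoring of the time and sequence of consultation
requests with the ability to block a source. Added example, not the CEC's or the CPDP's
software; identifiers, codes, thresholds and the request log are constructed data."""
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

# --- Control 1: personal access code (only a salted hash is stored server-side) ---

def issue_access_code(store: dict, voter_id: str) -> str:
    """Generate a code for a voter, keep only its salted hash, and return the code
    so it can be delivered out of band (mobile, fixed phone, fax, e-mail, in person)."""
    code = f"{secrets.randbelow(10**8):08d}"      # 8-digit code: an assumed format
    salt = secrets.token_bytes(16)
    store[voter_id] = (salt, hashlib.sha256(salt + code.encode()).digest())
    return code


def verify_access_code(store: dict, voter_id: str, code: str) -> bool:
    """Check identifier + code. The hash and constant-time compare always run, so an
    unknown identifier is not distinguishable from a wrong code by response timing."""
    salt, expected = store.get(voter_id, (b"\0" * 16, b"\0" * 32))
    actual = hashlib.sha256(salt + code.encode()).digest()
    return hmac.compare_digest(actual, expected) and voter_id in store


# --- Control 2: monitor time and sequence of requests, block abusive sources ---

class ConsultationMonitor:
    """Per-source sliding window over consultation requests with three rules:
    request rate, consecutive-identifier enumeration, and repeated bad codes."""

    def __init__(self, window_s=60.0, max_per_window=5, max_sequential=3, max_failures=3):
        self.window_s = window_s
        self.max_per_window = max_per_window
        self.max_sequential = max_sequential
        self.max_failures = max_failures
        self.history = defaultdict(deque)   # source -> deque of (ts, voter_id, code_ok)
        self.blocked = set()

    def observe(self, source: str, ts: float, voter_id: str, code_ok: bool) -> str:
        """Record one request from `source` and return 'allowed' or 'blocked'."""
        if source in self.blocked:
            return "blocked"
        q = self.history[source]
        q.append((ts, voter_id, code_ok))
        while q and ts - q[0][0] > self.window_s:   # drop entries outside the window
            q.popleft()
        if (len(q) > self.max_per_window
                or self._sequential_run(q) >= self.max_sequential
                or sum(1 for _, _, ok in q if not ok) >= self.max_failures):
            self.blocked.add(source)                 # the "ban access" response
            return "blocked"
        return "allowed"

    @staticmethod
    def _sequential_run(q) -> int:
        """Longest run of consecutive numeric identifiers requested in order."""
        ids = [int(v) for _, v, _ in q if v.isdigit()]
        best = run = 1 if ids else 0
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        return best


SAMPLE_REQUESTS = [  # (source, seconds, voter_id, code_ok): constructed, not real data
    ("10.0.0.7", 0.0, "1001", True),    # one legitimate consultation
    ("10.0.0.9", 1.0, "2000", False),   # walking through consecutive identifiers
    ("10.0.0.9", 2.0, "2001", False),
    ("10.0.0.9", 3.0, "2002", False),   # third in sequence and third bad code: blocked
    ("10.0.0.9", 4.0, "2003", False),   # source already blocked
    ("10.0.0.7", 500.0, "1001", True),  # same voter again, outside the window
]


def run_demo(requests=SAMPLE_REQUESTS):
    """Run the monitor over the constructed request log and return its decisions."""
    mon = ConsultationMonitor()
    return [mon.observe(*r) for r in requests]


if __name__ == "__main__":
    codes = {}
    c = issue_access_code(codes, "1001")
    print(verify_access_code(codes, "1001", c), verify_access_code(codes, "1001", "wrong"))
    print(run_demo())
```

In the constructed log the fourth request trips both the enumeration rule and the bad-code rule at once; in a real deployment the thresholds would be tuned to the expected number of consultations per voter, and a block would be logged for the analysis step the instruction also calls for.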
CPDP and EU Commission Regulation No 611
COMMISSION REGULATION (EU) No 611/2013 of 24 June 2013
• on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications.

CPDP and EU Commission Regulation No 611 – Article 2, Notification to the competent national authority
4. The competent national authority shall provide to all providers established in the Member State concerned a secure electronic means for notification of personal data breaches and information on the procedures for its access and use. Where necessary, the Commission shall convene meetings with competent national authorities to facilitate the application of this provision.
CPDP and EU Commission Regulation No 611 – System architecture – 1/2
Establish a system for monitoring, reporting and processing of events related to personal data security breaches. The CPDP maintains a database with a full description of the events and application software for data analysis, to facilitate the submission to the EU of statistics on the number and type of data security violations. Communication is realized through a secure site containing all the necessary information and procedures.

CPDP and EU Commission Regulation No 611 – System architecture – 2/2
The secure site is to contain at least the following information:
• Annex 1 of Regulation 611/2013, for notifying the national competent authority;
• Annex 2 of Regulation 611/2013, for notifying subscribers or individuals – with the possibility of filing online and reporting events.

CPDP and EU Commission Regulation No 611 – Security measures
A secure connection is achieved by identification and authentication (I&A) and by securing the communication with the SSL cryptographic protocol. The algorithms used are RSA and AES. Providers of electronic services are to be given a certification system providing key-based access to and use of the protected site.
The CPDP organizes and maintains a Public Key Infrastructure (lists of users, digital certificates, etc.).

Security Information and Event Management
Security Information and Event Management (SIEM) is a system for monitoring, management and analysis of information events and incidents, implemented and operated in an organization. It collects, in a centralized way, the records (logs, log files) from all sources: the passive and active communication and information system equipment, such as corporate firewalls, servers, databases and other applications, as well as the traffic generated in the network.

Security Information and Event Management
The resulting information is processed and analyzed, and correlation is performed between suspicious events and abnormal traffic behaviour, so that potential attacks and malicious activities in the information systems can be detected.
Security Information and Event Management – Key architectural components - 1/4
Key components of the architecture are:
• DECODER - Captures, parses and reconstructs all network traffic from Layers 2-7, or log and event data from hundreds of devices.
• CONCENTRATOR - Indexes metadata extracted from network or log data and makes it available for enterprise-wide querying and real-time analytics, while also facilitating reporting and alerting.

Key architectural components - 2/4
• WAREHOUSE - Hadoop-based distributed computing system which collects, manages, and enables analytics and reporting on longer-term (months/years) sets of security data. The Warehouse can be made up of 3 or more nodes depending on the organization's analytic, archiving and resiliency requirements.
Key architectural components - 3/4
• ANALYTIC SERVER/BROKER - Hosts the web server for reporting, investigation, administration and other aspects of the analyst's interface. Bridges the multiple real-time data stores held in the various decoder/concentrator pairs throughout the infrastructure. Also enables reporting on data held in the Warehouse.

Key architectural components - 4/4
• CAPACITY - Security Analytics has a modular-capacity architecture, enabled with direct-attached capacity (DACs) or storage area networks (SANs), that adapts to the organization's short-term investigation and longer-term analytic and data-retention needs.
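The SIEM description above (centralized collection of logs from firewalls, servers and databases, followed by correlation of suspicious events) and the decoder / concentrator / analytic split of the component slides describe one pipeline. The block below is an added example of that pipeline in miniature; it is not part of the presentation and is not the code of any SIEM product. The log formats, IP addresses (documentation ranges), thresholds and the correlation rule are constructed assumptions.

```python
"""Miniature SIEM pipeline: a decoder that parses raw log lines from several sources into
normalised metadata, a concentrator that indexes the metadata for querying, and an
analytic rule that correlates firewall, SSH and database events from one source address.
Added example; the log lines, addresses, formats and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records from three log sources (not real data).
SAMPLE_LOGS = [
    ("firewall", "2014-04-24T10:00:01Z DENY src=203.0.113.5 dst=192.0.2.10 dport=22"),
    ("firewall", "2014-04-24T10:00:02Z DENY src=203.0.113.5 dst=192.0.2.10 dport=23"),
    ("firewall", "2014-04-24T10:00:03Z DENY src=203.0.113.5 dst=192.0.2.10 dport=3389"),
    ("sshd",     "2014-04-24T10:00:10Z Failed password for root from 203.0.113.5 port 50122"),
    ("sshd",     "2014-04-24T10:00:12Z Failed password for root from 203.0.113.5 port 50123"),
    ("sshd",     "2014-04-24T10:00:15Z Accepted password for root from 203.0.113.5 port 50124"),
    ("db",       "2014-04-24T10:00:20Z LOGIN user=app host=192.0.2.10 status=OK"),
    ("sshd",     "2014-04-24T10:05:00Z Failed password for alice from 198.51.100.8 port 40000"),
    ("sshd",     "this line is not in any known format"),
]

# --- Decoder: one pattern per source, all producing the same metadata keys ---
PARSERS = {
    "firewall": re.compile(r"(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                           r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)"),
    "sshd": re.compile(r"(?P<ts>\S+) (?P<action>Accepted|Failed) password for "
                       r"(?P<user>\S+) from (?P<src>\S+) port \d+"),
    "db": re.compile(r"(?P<ts>\S+) LOGIN user=(?P<user>\S+) host=(?P<src>\S+) "
                     r"status=(?P<action>\S+)"),
}


def decode(source: str, line: str):
    """Parse one raw line into normalised metadata, or None if it does not match."""
    m = PARSERS[source].match(line)
    if not m:
        return None
    f = m.groupdict()
    ts = datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": source, "src": f["src"], "action": f["action"],
            "user": f.get("user"), "dport": f.get("dport")}


# --- Concentrator: index metadata by source address so rules can query it ---
class Concentrator:
    def __init__(self):
        self.by_src = defaultdict(list)
        self.unparsed = 0                      # lines the decoder could not parse

    def ingest(self, source: str, line: str) -> None:
        rec = decode(source, line)
        if rec is None:
            self.unparsed += 1                 # keep count: parser gaps are blind spots
        else:
            self.by_src[rec["src"]].append(rec)

    def query(self, src: str, source=None, action=None):
        return [r for r in self.by_src.get(src, [])
                if (source is None or r["source"] == source)
                and (action is None or r["action"] == action)]


# --- Analytic rule: port probing, then SSH failures, then an SSH success ---
def correlate(conc: Concentrator, window=timedelta(minutes=10), min_ports=3, min_failures=2):
    """Return one alert per source address whose events fit the pattern inside the window."""
    alerts = []
    for src in conc.by_src:
        denies = conc.query(src, "firewall", "DENY")
        ports = {r["dport"] for r in denies}
        fails = conc.query(src, "sshd", "Failed")
        accepted = conc.query(src, "sshd", "Accepted")
        if len(ports) < min_ports or len(fails) < min_failures or not accepted:
            continue
        first, last = min(r["ts"] for r in denies), max(r["ts"] for r in accepted)
        if last - first <= window:
            alerts.append({"src": src, "user": accepted[-1]["user"],
                           "ports_probed": sorted(ports, key=int),
                           "failed_logins": len(fails)})
    return alerts


def run_pipeline(logs=SAMPLE_LOGS):
    """Decode and index every line, then run the correlation rule."""
    conc = Concentrator()
    for source, line in logs:
        conc.ingest(source, line)
    return conc, correlate(conc)


if __name__ == "__main__":
    conc, alerts = run_pipeline()
    print(f"{conc.unparsed} unparsed line(s); alerts: {alerts}")
```

The point the slides make is the correlation step: none of the three sources on its own would raise an alert here (a few denies, two failed logins, one successful login), and only the normalised, indexed view across sources reveals the sequence. The unparsed counter matters for the same reason: a source whose format the decoder does not understand silently drops out of every rule.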
Security Information and Event Management – Real time collection, analysis and investigation
• Real time collection, analysis & investigation;
• Distributed collection infrastructure for simultaneous log and full network packet capture;
• Metadata parsing and management enables the blending of log, network and other data for automated analytics, reporting and analyst-driven investigations;
• Optimized distributed data management.

The Benefits of SIEM
The system is a highly effective tool to support the work of information security specialists. It provides a solution to the problems associated with the lack of visibility into information systems, the impossibility of manually processing the vast and diverse amount of information, and the lack of centralized collection and storage of log information. SIEM systems represent a strategic component in the implementation of comprehensive protection and significantly improve the effectiveness of counteracting breaches of information security that have occurred.
Conclusion
The new models of interaction, the new information technologies and the threats to the inviolability of personal data outline new scientific challenges. In order for the right answers and solutions to be found, there is a need to achieve full integration and good interaction in the efforts of:
• The state bodies;
• The universities and scientific institutes;
• The business;
• The nongovernmental sector and the media.

QUESTIONS ?
Prof. Veselin Tselkov, DSc – member of the Board
www.cpdp.bg
e-mail: [email protected]
tel: 00359 2 9153554
fax: 00359 2 9153525