Operational resilience

September 24, 2019

One principle that many security managers are following is called privacy-by-design, which helps  uplift the organisation’s privacy posture while getting some quick wins in place that help prevent privacy breaches.

Security and risk managers are often handed the problem of ensuring their organisation’s ability to keep customer data private is adequately implemented, and while this might sound like a simple rebadging of the responsibilities security managers have always had (keep confidential information safe from compromise), there is a lot more to a privacy programme than meets the eye.  Atop this added responsibility, comes the need to accept a more rigorous auditing and compliance review regime, since no manager or data controller wants it to be their business unit’s data that gets stolen in a breach.

Let’s look at what privacy-by-design means and how your security operations teams can help boost the adoption of privacy requirements across your enterprise and support meeting the needs of the Australian Privacy Principles (APPs) enshrined in the Privacy Act 1988 (Cth).

Extend security-by-design to include privacy

It is not unusual to adopt an organisational approach to systems engineering where you include security requirements in every development project; in fact, this is called security-by-design. By extending this doctrine to include privacy requirements, it provides a rigorous system engineering approach to change whereby you embed privacy in every phase of the development lifecycle. Moreover, by extending this ethos to the data lifecycle, any data deemed personally identifiable information (PII) has privacy requirements imposed on the process engineering when designing data collection, use, retention, storage, disposal and destruction procedures.

It may seem at first as something organisations already do since keeping PII private isn’t any different to keeping data secure. However, when you analyse security as one attribute of all your owned assets, where the need to protect confidentiality, integrity and availability to a suitable level is what is maintained, privacy provides a more legislative and compliance-oriented approach, with just one aspect of the privacy programme directly requiring security to be maintained.

If you look, for example, at the thirteen APPs, just one of them (APP 11) directly talks about security. APP 11, entitled ‘Security of personal information’ requires the organisation to take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.  Interestingly, these are the kinds of requirements security teams are used to seeing, so an organisation with a relatively mature security capability should already be complying with APP 11.

What about compliance with the other twelve APPs? You will need a robust security operations capability to achieve compliance, focusing on protective monitoring, and reorienting it to support more comprehensive coverage of the organisation’s privacy needs than it would otherwise have done, by engineering security use cases based on threats targeting the integrity of the APPs themselves.

Security operations supporting privacy-by-design

A problem that privacy programmes come up against all the time is that changing business processes can be costly and, in some cases, the APPs may require a change in the way a business operates.

Complying with APP 1, for example, involves ensuring that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up to date privacy policy. Writing a policy is the most natural step, it’s operationalising your commitment to transparency that is much harder. Even simple questions relating to who has accessed the data over the last three months can be impossible for some organisations to answer since they don’t have the means to determine user activity.

Luckily, security operations teams have the tools to help meet this obligation. The Security Information and Event Management (SIEM) tools that security operations teams use to monitor for threats and cyber attacks are also very good at monitoring compliance in real-time. Long term audit is where many of the security requirements for SIEM tools originated from, but because organisations these days are more focused on real-time threat management, the compliance aspects of long-term audit are secondary considerations.

The security operations team can be challenged by the security manager to help mitigate the risks relating to not complying with APP 1.  In doing so, they will use the threat of non-compliance to develop their use cases. The team will then instruct their operational monitoring technology to record who has accessed the PII on a day-to-day basis, along with supporting threat models that allow them to detect when unusual user activity might be related to an attempted breach.

Furthermore, if the compliance team asks for an access report because they received a request from a customer, the security operations team can interrogate the data in their SIEM and fully comply with the request – this is a powerful approach to meeting the requirements of APPs.

Rapidly boosting privacy compliance

Each of the thirteen APPs involves you having a level of audit trail as the PII is collected, processed or destroyed. The threat monitoring and longer-term audit collection the security operations team does for protecting against cyber threat actors can be focused on managing the threats of non-compliance with privacy legislation. What’s useful about this approach is that while it doesn’t meet the requirements entirely, it can be used to quickly determine when the core needs of certain APPs are not being met.

To illustrate what we mean, if you look at APP 8, it states that to be compliant an organisation should, before disclosing personal information overseas, take reasonable steps to ensure the overseas recipient does not breach the APPs. Documenting the steps is a relatively straightforward endeavour, but like before, the more challenging aspect of maintaining compliance is ensuring procedures are followed and that you have a full audit trail of who has disclosed which information assets overseas.

Looking into the detail of APP 8, it’s clear that it’s not just about documenting the steps. Instead, it’s about enforcing the rules about protecting data concerning overseas access. Where an entity discloses personal information to an overseas recipient, it can be accountable for an act or practice of the overseas recipient that would breach the APPs. So compliance, in this case, is relating to access control rules.  Protecting against a privacy breach requires real-time monitoring and alerting to tell the business if something that should not be preparing or sending data overseas is stopped and investigated before the data leaves the company.

Privacy compliance is a challenge that organisations struggle with when they design it from the top down. Privacy-by-design means privacy managers can, through a systematic approach to process implementation and organisational change, develop the methods, reports, training programmes and teams to support their privacy obligations.

BLOG POSTS

Related Cybersecurity Content

SIGN UP TO RECEIVE CYBER SECURITY INSIGHTS

Read by directors, executives, and security professionals globally, operating in the most complex of security environments.