I Cloud customers shall be able solely manage the data they
II Cloud providers shall provide full information and access to
III Cloud providers shall inform the client what is the physical
IV Cloud providers shall inform the client of any subpoena or other
V Cloud providers shall reveal their data search, retention and
VI Cloud providers shall provide cloud customers with an information
VII Cloud providers shall conduct reasonable due diligence and
VIII Cloud providers shall provide prompt notice of any security
IX Only the open discussion on indemnation and limitation of liability
X Do not allow the vendor’s lock syndrome
Motto for LAWYERS DEALING WITH CLOUD COMPUTING
THANKS FOR YOUR ATTENTION

Presentation on the topic: «Ата мамедов апрель 2013г». Author: developer. File: «Ата мамедов апрель 2013г.ppt». Zip archive size: 2519 KB.

Ата мамедов апрель 2013г

Contents of the presentation «Ата мамедов апрель 2013г.ppt»
Slide | Text
1 Privacy Impact Assessment In e-Governmental Cloud Services

15th Meeting of Central Eastern Europe Data Protection Authorities (CEEDPA), Belgrade, April 10-12th, 2013

WOJCIECH WIEWIÓROWSKI PhD, Inspector General for Personal Data Protection, Poland; Laboratory of Legal Informatics, Faculty of Law and Administration, University of Gdansk

Belgrade, April 10-12th, 2013

2 © M. Narojek for GIODO 2011

3 PRIVACY AND DATA PROTECTION

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
Recognising that it is necessary to reconcile the fundamental values of the respect for privacy and the free flow of information between peoples
Article 1 – Object and purpose
The purpose of this convention is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him ("data protection").

4 PRIVACY AND DATA PROTECTION

Treaty on The Functioning Of The European Union, Article 16 (ex Article 286 TEC)
1. Everyone has the right to the protection of personal data concerning them.
2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities. The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.

5 COPERNICAN REVOLUTION

6 KEY ISSUES FOR THE EUROPEAN DEBATE

COM(2012) 11/4 draft Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)

7 KEY ISSUES FOR THE EUROPEAN DEBATE

COM(2012) 10 final 2012/0010 (COD) Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data

8 KEY ISSUES FOR THE EUROPEAN DEBATE

9 KEY ISSUES FOR THE EUROPEAN DEBATE

Privacy by design
Privacy impact assessments

10 PRIVACY BY DESIGN

Privacy by Design Resolution, 27-29 October 2010, Jerusalem, Israel, 32nd International Conference of Data Protection and Privacy Commissioners
Privacy by Design: The 7 Foundational Principles
1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality: Positive-Sum, not Zero-Sum
5. End-to-End Security — Full Lifecycle Protection
6. Visibility and Transparency — Keep it Open
7. Respect for User Privacy — Keep it User-Centric

11 PRIVACY IMPACT ASSESSMENT

A Privacy Impact Assessment (PIA) is a process whereby a conscious and systematic effort is made to assess the privacy and data protection impacts of specific actions, with a view to taking appropriate actions to prevent or at least minimise those impacts. A PIA Report is the document resulting from the PIA Process that is made available to competent authorities. Proprietary and security-sensitive information may be removed from PIA Reports before the Reports are provided externally (e.g., to the competent authorities), as long as the information is not specifically pertinent to privacy and data protection implications. The manner in which the PIA should be made available (e.g., upon request or not) will be determined by member states. In particular, the use of special categories of data may be taken into account, as well as other factors such as the presence of a data protection officer. PIA Templates may be developed based on the Framework to provide industry-based, application-based, or other specific formats for PIAs and resulting PIA Reports.

12 PRIVACY IMPACT ASSESSMENT IN DRAFT REGULATION - PREAMBLE

(70) Directive 95/46/EC provided for a general obligation to notify processing of personal data to the supervisory authorities. While this obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Therefore such indiscriminate general notification obligation should be abolished, and replaced by effective procedures and mechanisms which focus instead on those processing operations which are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes. In such cases, a data protection impact assessment should be carried out by the controller or processor prior to the processing, which should include in particular the envisaged measures, safeguards and mechanisms for ensuring the protection of personal data and for demonstrating the compliance with this Regulation.
(71) This should in particular apply to newly established large scale filing systems, which aim at processing a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects.

13 PRIVACY IMPACT ASSESSMENT IN DRAFT REGULATION - PREAMBLE

(72) There are circumstances under which it may be sensible and economic that the subject of a data protection impact assessment should be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity.
(73) Data protection impact assessments should be carried out by a public authority or public body if such an assessment has not already been made in the context of the adoption of the national law on which the performance of the tasks of the public authority or public body is based and which regulates the specific processing operation or set of operations in question.

14 PRIVACY IMPACT ASSESSMENT IN DRAFT REGULATION - PREAMBLE

(74) Where a data protection impact assessment indicates that processing operations involve a high degree of specific risks to the rights and freedoms of data subjects, such as excluding individuals from their right, or by the use of specific new technologies, the supervisory authority should be consulted, prior to the start of operations, on a risky processing which might not be in compliance with this Regulation, and to make proposals to remedy such situation. Such consultation should equally take place in the course of the preparation either of a measure by the national parliament or of a measure based on such legislative measure which defines the nature of the processing and lays down appropriate safeguards.

15 PRIVACY IMPACT ASSESSMENT IN DRAFT REGULATION - SECTION 3

SECTION 3 - DATA PROTECTION IMPACT ASSESSMENT AND PRIOR AUTHORISATION
Article 33 Data protection impact assessment
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
2. The following processing operations in particular present specific risks referred to in paragraph 1:
(a) a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce legal effects concerning the individual or significantly affect the individual;
(b) information on sex life, health, race and ethnic origin or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;

16 PRIVACY IMPACT ASSESSMENT IN DRAFT REGULATION - SECTION 3

Article 33 (…)
(c) monitoring publicly accessible areas, especially when using optic-electronic devices (video surveillance) on a large scale;
(d) personal data in large scale filing systems on children, genetic data or biometric data;
(e) other processing operations for which the consultation of the supervisory authority is required pursuant to point (b) of Article 34(2).
3. The assessment shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.

17 PRIVACY IMPACT ASSESSMENT IN DRAFT REGULATION - SECTION 3

Article 33 (…)
5. Where the controller is a public authority or body and where the processing results from a legal obligation pursuant to point (c) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by Union law, paragraphs 1 to 4 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the processing activities.
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment referred to in paragraph 3, including conditions for scalability, verification and auditability. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.
7. The Commission may specify standards and procedures for carrying out and verifying and auditing the assessment referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

18 © M. Narojek for GIODO 2011

19 CLOUD COMPUTING

National Institute of Standards and Technology (NIST) defines cloud computing: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”
National Institute of Standards and Technology (NIST), Special Publication 800-145, The NIST Definition of Cloud Computing, September 2011, page 3.

20 CLOUD COMPUTING

National Institute of Standards and Technology (NIST) defines cloud computing: Cloud computing is an ICT sourcing and delivery model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. [It is NOT a new technology.]
P. Mell, T. Grance: The NIST Definition of Cloud Computing (Draft). Recommendations of the National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, January 2011

21 CLOUD COMPUTING - MODELS

IaaS – a service that provides basic computer networking, load balancing, content delivery networks, routing, commodity data storage, and virtualized operating system hosting.
PaaS – a service that provides a platform in which to develop software applications, usually web based, with immediate abstractions of the underlying infrastructure.
SaaS – a service that provides a software solution to the system clients. The software may be internal to a business, delivered by other means, or most commonly delivered over the Internet.

22 CLOUD COMPUTING - MODELS

BaaS – Business as a Service
CaaS – Communications as a Service
DaaS – Data as a Service – e.g. the Google® Geocoding API™
E …

23 CLOUD COMPUTING - MODELS

Source: Wikipedia

24 MAIN CONCERNS

a. there is not yet international agreement on common terminology;
b. the development of the technology is still in progress;
c. enormous amounts of data are being accumulated and concentrated;
d. the technology is boundless and transboundary;
e. data processing has become global;
f. transparency is lacking with respect to cloud service provider processes, procedures and practices, including whether or not cloud service providers sub-contract any of the processing and if so, what their respective processes, procedures and practices are;

25 MAIN CONCERNS

g. this lack of transparency makes it difficult to conduct a proper risk assessment;
h. this lack of transparency also makes it more difficult to enforce rules regarding data protection;
i. cloud service providers are under great pressure to quickly capitalise significant investment costs;
j. cloud customers are under increasing pressure to reduce costs, including those of their data processing, in part accelerated due to the global financial crisis; and
k. to keep low prices cloud service providers are more likely to offer standard terms and conditions.

26 EUROPEAN COMMISSION & CLOUD COMPUTING

Brussels, 27.9.2012 COM(2012) 529 final COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS Unleashing the Potential of Cloud Computing in Europe (Text with EEA relevance) {SWD(2012) 271 final}

27 EUROPEAN COMMISSION & CLOUD COMPUTING

Key Action 1: Cutting through the Jungle of Standards
Key Action 2: Safe and Fair Contract Terms and Conditions
Key Action 3: Establishing a European Cloud Partnership to drive innovation and growth from the public sector.

28 RISK ANALYSIS AND MANAGEMENT: Examples

CIO Council, Proposed Security Assessment & Authorization for U.S. Government Cloud Computing. Draft version 0.96, US CIO Council, November 2010

29 RISK ANALYSIS AND MANAGEMENT: Examples

D. Catteddu, G. Hogben, Cloud Computing. Benefits, risks and recommendations for information security, European Network and Information Security Agency (ENISA), November 2009

30 RISK ANALYSIS AND MANAGEMENT: Examples

G. Hogben, M. Dekker: Procure Secure. A guide to monitoring of security service levels in cloud contracts, ENISA, April 2, 2012. A practical guide aimed at the procurement and governance of cloud services.

31 RISK ANALYSIS AND MANAGEMENT: Examples

Creating Effective Cloud Computing Contracts for the Federal Government. Best Practices for Acquiring IT as a Service, US CIO Council, Chief Acquisition Officers Council, Federal Cloud Computing Committee, Washington DC, February 2012

32 RISK ANALYSIS AND MANAGEMENT: Examples

CIO Council, Proposed Security Assessment & Authorization for U.S. Government Cloud Computing. Draft version 0.96, US CIO Council, November 2010

33 RISK ANALYSIS AND MANAGEMENT: Examples

Department of Finance and Deregulation: Cloud Computing Strategic Direction Paper. Opportunities and applicability for use by the Australian Government, Australian Government, April 2011

34 RISK ANALYSIS AND MANAGEMENT: Examples

J. Budszus, H.-W. Heibey, R. Hillenbrand-Beck, S. Polenz, M. Seifert, M. Thiermann: Orientierungshilfe – Cloud Computing. Version 1.0, Arbeitskreise Technik und Medien der Konferenz der Datenschutzbeauftragten des Bundes und der Länder, September 2011

35 RISK ANALYSIS AND MANAGEMENT: Examples

D. Bigo, G. Boulet, C. Bowden, S. Carrera, J. Jeandesboz, A. Scherrer, Fighting cyber crime and protecting privacy in the cloud. Study, European Parliament, Brussels, November 2012

36 RISK ANALYSIS AND MANAGEMENT: Examples

Information Commissioner's Office, Guidance on the use of cloud computing. Version 1.1, Wilmslow, October 2012.

37 RISK ANALYSIS AND MANAGEMENT: Examples

Information Technology Reform. Progress Made but Future Cloud Computing Efforts Should be Better Planned. Report to the Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security, Committee on Homeland Security and Governmental Affairs, United States Senate, GAO-12-756, United States Government Accountability Office, July 2012, http://www.gao.gov/products/GAO-12-756

38 SOPOT MEMORANDUM

“Sopot Memorandum” - Working Paper on Cloud Computing - Privacy and data protection issues, International Working Group on Data Protection in Telecommunications, April 2012

39 I Cloud customers shall be able to solely manage the data they transferred into the cloud. Such data shall be used only for the purposes of the customer.

"THE DECALOGUE OF CLEVER A (DMINISTRATION) IN CONTACTS WITH B (USINESS) ON C (LOUDS)"

Based on:
Information Law Group LLP: Cloud Customers’ Bill of Rights, 2010, electronic document at: http://www.infolawgroup.com/uploads/file/InfoLawGroup -- Cloud Customers’ Bill of Rights -- Parchment _pocket-sized_(1).pdf
V.J.R. Winkler: Securing the Cloud. Cloud Computer Security Techniques and Tactics, Elsevier Inc. 2011, p. 84-85
B. Segalis: Cloud Computing Legal Risk and Liability, Information Law Group, Oct. 20th, 2011, slides 24-30

40 PRIVACY IMPACT ASSESSMENTS FOR E-GOVERNMENT Examples

Sample System Privacy Impact Assessments
Samples of U.S. Department of Health and Human Services privacy impact assessments for systems that collect personally identifiable information.
Administration for Children and Families Privacy Impact Assessments (PDF - 170KB)
Agency for Healthcare Research and Quality Privacy Impact Assessments (PDF - 460KB)
Administration on Aging Privacy Impact Assessments (PDF - 25KB)
Centers for Disease Control & Prevention Privacy Impact Assessments (PDF - 8.69MB)
Centers for Medicare & Medicaid Services Privacy Impact Assessments (PDF - 1.24MB)
Food & Drug Administration Privacy Impact Assessments (PDF - 896KB)
Health Resources & Services Administration Privacy Impact Assessments (PDF - 580KB)
Indian Health Service Privacy Impact Assessments (PDF - 82KB)
National Institutes of Health Privacy Impact Assessments (PDF - 7.38MB)
Office of the Inspector General Privacy Impact Assessments (PDF - 117KB)
Office of the Secretary Privacy Impact Assessments (PDF - 1.33MB)
Substance Abuse and Mental Health Services Administration Privacy Impact Assessments (PDF - 166KB)

41 PRIVACY IMPACT ASSESSMENT

42 PRIVACY IMPACT ASSESSMENT FOR E-GOVERNMENT – Australian example

1. Has your agency established a policy or procedure for deciding when it will be appropriate to use cloud computing services? Does the policy or procedure address the following?
• will the proposal involve the storage or processing of personal information?
• if so, is an assessment of the ability of a cloud solution to provide adequate protection to the personal information required?
• if sensitive personal information is involved, what extra measures might be required?
• what type of cloud service provider will be appropriate? (e.g. private, public or community)
2. Has your agency decided what it will use cloud service infrastructure for?
• just storing
• just processing
• both storing and processing
3. Has your agency developed a contract with the cloud service provider that is consistent with (…) the Privacy Act? How will your agency ensure that the contract’s requirements are being met?

43 PRIVACY IMPACT ASSESSMENT FOR E-GOVERNMENT – Australian example

4. Has your agency considered what specific terms should be included in the contract to complement the general requirement under s 95B to adhere to the Information Privacy Principles? Some specific matters that could be addressed in the contract include requirements relating to:
• data breach notification
• the location of information
• access to information by agency staff
• audits
5. If personal information is to be disclosed to a cloud service provider, has your agency determined how that disclosure will be authorised?
• express permission from individuals
• individuals are notified in privacy notice/terms and conditions
• by legislative provisions

44 PRIVACY IMPACT ASSESSMENT FOR E-GOVERNMENT – Australian example

6. If you are intending to use an off-shore cloud service provider, do you know where their head office is located? What are the privacy implications?
7. Does your agency know where the data will be stored, keeping in mind the possibility it may be across different countries or continents? What are the privacy implications?
8. Keeping in mind privacy law reform, has your agency determined that there is data protection or privacy legislation in place in relevant foreign jurisdictions that, at a minimum, meets the requirements in the Privacy Act? Is the relevant law enforceable?
9. Has your agency determined how the personal information will be kept separate from other organisations’ data housed in the cloud service provider’s infrastructure?
10. Has your agency determined how employees of the cloud service provider will be prevented from unauthorised access to the data? Has your agency decided how it will control a cloud service provider passing personal information on to unauthorised third party organisations or using it for purposes other than those it was originally collected for?

45 PRIVACY IMPACT ASSESSMENT FOR E-GOVERNMENT – Australian example

11. Has your agency determined how it will monitor the cloud service provider’s use and management of the agency’s information?
12. Has your agency determined the controls (for example, encryption) that will be in place to ensure the security of personal information as it travels between the agency and a possible overseas cloud data storage location?
13. If an Australian citizen requests access or alteration to their personal information, has your agency put in place appropriate controls so that all copies can be retrieved and amended easily? Has your agency put in place arrangements to ensure that where an individual requests an amendment to their personal information and this request is not agreed to, it will be possible to attach a statement provided by the individual regarding the requested amendment to the record?

14. Has your agency ensured that the cloud service provider will hold the personal information only as long as your agency needs it? Has your agency specified how the cloud service provider will manage their backup regime? Has your agency specified how personal information that is no longer needed is to be destroyed or de-identified?
15. Has your agency determined what happens at the conclusion of the contract with the cloud service provider? Will information be able to be retrieved or destroyed (including all backups where appropriate) in compliance with the Privacy Act and associated legislation?

PRIVACY IMPACT ASSESSMENT FOR E-GOVERNMENT – American example

Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service, US CIO Council, Chief Acquisition Officers Council, Federal Cloud Computing Committee, Washington, February 2012

General Questions

1. Who is actively involved in negotiating and reviewing the agency's contract and ancillary Service Level Agreement for cloud services?
   a. Contracting Officer/Procurement? Chief Information Officer? General Counsel? FOIA staff? Records Officer? Privacy Officer? E-Discovery Counsel? Cybersecurity personnel?
   b. What is the process for developing the agency's needs criteria and evaluating the cloud provider proposal and post-award performance?
2. Are the unique operational aspects of the cloud computing environment addressed in the acquisition plan required by FAR Part 7? In particular, in terms of the written acquisition plan format described in FAR Section 7.105, how are technical, schedule and cost risks addressed, and is any test and evaluation program or Government Furnished Information (GFI) to be considered?

3. Based on market research conducted in accordance with FAR Part 10, does the acquisition plan contemplate use of a system integrator in addition to a Cloud Service Provider (CSP)? Will the CSP be a subcontractor to the system integrator, or will the CSP have a direct contractual relationship with the agency?
4. Is there a clear statement in the contract for cloud services that all data is owned by the agency?
5. Can the cloud provider access or use the agency's information in the cloud?
6. How is the agency's data handled both at rest and in motion in the cloud?
7. Who has access to the agency's data, both in its live and backup state?

8. In the cloud, what geographic boundaries apply to data at rest and what boundaries are traversed by data in motion?
9. Where are the cloud servers that will store agency data physically located? Can the provider certify where the data is located at any one point in time?
10. How will the cloud provider meet regulatory compliance requirements applicable to the USG (including but not limited to the Privacy Act, the Federal Information Management and Security Act (FISMA), the Paperwork Reduction Act, the Federal Records Act, the Freedom of Information Act (FOIA), the Trade Secrets Act and related guidance and authorities)?

11. What is the potential termination liability that would result from application of the contract clauses associated with FAR Part 49, Termination of Contracts?
12. How is the migration of agency data upon contract termination or completion addressed?
13. How is agency data destroyed? (e.g. upon request? Periodically?)
   a. What methodology is used? (e.g. removal of the data pointer, or overwriting in accordance with USG security standards)
   b. How does the cloud provider segregate data? If encryption schemes are used, has the design of those schemes been tested for efficacy?
14. If the cloud provider or reseller agreement incorporates "URLs" into the terms, which policies and terms are being incorporated into the agreement? (URLs are not static and change over time.)
   a. What notice is provided to the agency if URLs/policies change? What remedies does the agency have if new policies or URLs are not acceptable?

15. What remedies are being agreed to for breach or violations of the agreement? Litigation? Mediation? Waiver of right to sue?
   a. Are choice of law and jurisdiction provisions in the agreement appropriate? (e.g. has the agency unknowingly subjected itself and the USG to the jurisdiction of a state or foreign court?)
16. Is the agency indemnifying the cloud provider in violation of the Anti-Deficiency Act?
   a. What rights is the agency waiving, if any?
   b. What limitations of liability, whether direct or indirect, is the agency granting?
   c. How does the Force Majeure clause deal with the action of Federal agencies other than the customer agency?
17. Can the agency manage content in the cloud with its own tools or only through contractor resources?
18. How are upgrades and maintenance (hardware and software) handled? (e.g. who conducts these activities? How often? And how is the USG advised of findings?)

19. How are asset availability, compatibility, software updates and hardware refreshes addressed?
   a. What does the agreement say about the estimated outage time the cloud provider foresees for standard hardware and software updates, and the cloud provider's estimated response time should an emergency take the system off line?
20. What responsibility does the cloud provider have for assuring proper patching and version control?
   a. What language is in the agreement specifically requiring the cloud provider to take on this responsibility?
21. Is there a discussion of how the cloud provider will continue to maintain or otherwise support the agency's data in a designated format to ensure that the data remains accessible/readable over the life of the data?

"THE DECALOGUE OF CLEVER A(DMINISTRATION) IN CONTACTS WITH B(USINESS) ON C(LOUDS)"

I. Cloud customers alone shall be able to manage the data they transferred into the cloud. Such data shall be used only for the purposes of the customer.

Based on: Information Law Group LLP: Cloud Customers' Bill of Rights, 2010, electronic document at: http://www.infolawgroup.com/uploads/file/InfoLawGroup -- Cloud Customers’ Bill of Rights -- Parchment _pocket-sized_(1).pdf; V. J. R. Winkler: Securing the Cloud. Cloud Computer Security Techniques and Tactics, Elsevier Inc. 2011, pp. 84-85; B. Segalis: Cloud Computing Legal Risk and Liability, Information Law Group, Oct. 20th, 2011, slides 24-30

II. Cloud providers shall provide full information and access to documentation concerning their security policies and measures, including the ability for cloud customers to conduct periodic security assessments.

III. Cloud providers shall inform the client of the physical location of the servers that will be processing their cloud data.

IV. Cloud providers shall inform the client of any subpoena or other legal process seeking their data, and shall assist and cooperate with their customers in responding to such legal process.

V. Cloud providers shall reveal their data search, retention and destruction practices to their cloud customers. Data search, retention and destruction capabilities (including relevant metadata) shall be accessible to the customer.

VI. Cloud providers shall provide cloud customers with information on all third parties which will be able to access the customer's data.

VII. Cloud providers shall conduct reasonable due diligence and security assessments of subcontractors or other third parties that will have access to customers' data or systems.

VIII. Cloud providers shall provide prompt notice of any security breach and shall coordinate, cooperate and assist their customers with the investigation, containment and mitigation of the breach.

IX. Only an open discussion on indemnification and limitation of liability may serve the interests of cloud providers, cloud users and data subjects.

X. Do not allow vendor lock-in.

Motto for LAWYERS DEALING WITH CLOUD COMPUTING

THANKS FOR YOUR ATTENTION

desiwm@giodo.gov.pl http://edugiodo.giodo.gov.pl
