ISO/IEC 29100:2011 Information technology – Security techniques – Privacy framework
ISO/IEC 29100 provides a high-level framework for the protection of personally identifiable information (PII) within information and communication technology (ICT) systems. It is general in nature and places organizational, technical, and procedural aspects in an overall privacy framework.
The privacy framework is intended to help organizations define their privacy safeguarding requirements related to PII within an ICT environment by:
– specifying a common privacy terminology;
– defining the actors and their roles in processing PII;
– describing privacy safeguarding requirements; and
– referencing known privacy principles.
In some jurisdictions, this International Standard's references to privacy safeguarding requirements might be understood as being complementary to legal requirements for the protection of PII. Due to the increasing number of information and communication technologies that process PII, it is important to have international information security standards that provide a common understanding for the protection of PII. ISO/IEC 29100 is intended to enhance existing security standards by adding a focus relevant to the processing of PII.
The increasing commercial use and value of PII, the sharing of PII across legal jurisdictions, and the growing complexity of ICT systems can make it difficult for an organization to ensure privacy and to achieve compliance with the various applicable laws. Privacy stakeholders can prevent uncertainty and distrust from arising by handling privacy matters properly and avoiding cases of PII misuse.
Use of this International Standard will:
– aid in the design, implementation, operation, and maintenance of ICT systems that handle and protect PII;
– spur innovative solutions to enable the protection of PII within ICT systems; and
– improve organizations' privacy programs through the use of best practices.
The privacy framework provided within this International Standard can serve as a basis for additional privacy standardization initiatives, such as for:
– a technical reference architecture;
– the implementation and use of specific privacy technologies and overall privacy management;
– privacy controls for outsourced data processes;
– privacy risk assessments; or
– specific engineering specifications.
Some jurisdictions might require compliance with one or more of the documents referenced in ISO/IEC JTC 1/SC 27 WG 5 Standing Document 2 (WG 5 SD2) — Official Privacy Documents References [3] or with other applicable laws and regulations, but ISO/IEC 29100 is not intended to be a global model policy, nor a legislative framework.
4 Basic elements of the privacy framework
4.1 Overview of the privacy framework
The following components relate to privacy and the processing of PII in ICT systems and make up the privacy framework described in this International Standard:
– actors and roles;
– recognizing PII;
– privacy safeguarding requirements;
– privacy policies; and
– privacy controls.
For the development of this privacy framework, concepts, definitions and recommendations from other official sources have been taken into consideration. These sources can be found in ISO/IEC JTC 1/SC 27 WG 5 Standing Document 2 (WG 5 SD2) — Official Privacy Documents References [3].
4.2 Actors and roles
For the purposes of this standard, it is important to identify the actors involved in the processing of PII. There are four types of actors who can be involved in the processing of PII: PII principals, PII controllers, PII processors and third parties.
4.2.1 PII principals
PII principals provide their PII for processing to PII controllers and PII processors and, when it is not otherwise provided by applicable law, they give consent and determine their privacy preferences for how their PII should be processed. PII principals can include, for example, an employee listed in the human resources system of a company, the consumer mentioned in a credit report, and a patient listed in an electronic health record. It is not always necessary that the respective natural person is identified directly by name in order to be considered a PII principal. If the natural person to whom the PII relates can be identified indirectly (e.g., through an account identifier, social security number, or even through the combination of available attributes), he or she is considered to be the PII principal for that PII set.
4.2.2 PII controllers
A PII controller determines why (purpose) and how (means) the processing of PII takes place. The PII controller should ensure adherence to the privacy principles in this framework during the processing of PII under its control (e.g., by implementing the necessary privacy controls). There might be more than one PII controller for the same PII set or set of operations performed upon PII (for the same or different legitimate purposes). In this case the different PII controllers shall work together and make the necessary arrangements to ensure the privacy principles are adhered to during the processing of PII. A PII controller can also decide to have all or part of the processing operations carried out by a different privacy stakeholder on its behalf. PII controllers should carefully assess whether or not they are processing sensitive PII and implement reasonable and appropriate privacy and security controls based on the requirements set forth in the relevant jurisdiction as well as any potential adverse effects for PII principals as identified during a privacy risk assessment.
4.2.3 PII processors
A PII processor carries out the processing of PII on behalf of a PII controller, acts on behalf of, or in accordance with the instructions of, the PII controller, observes the stipulated privacy requirements
5.10 Accountability
The processing of PII entails a duty of care and the adoption of concrete and practical measures for its protection. Adhering to the accountability principle means:
– documenting and communicating as appropriate all privacy-related policies, procedures and practices;
– assigning to a specified individual within the organization (who might in turn delegate to others in the organization as appropriate) the task of implementing the privacy-related policies, procedures and practices;
– when transferring PII to third parties, ensuring that the third party recipient will be bound to provide an equivalent level of privacy protection through contractual or other means such as mandatory internal policies (applicable law can contain additional requirements regarding international data transfers);
– providing suitable training for the personnel of the PII controller who will have access to PII;
– setting up efficient internal complaint handling and redress procedures for use by PII principals;
– informing PII principals about privacy breaches that can lead to substantial damage to them (unless prohibited, e.g., while working with law enforcement) as well as the measures taken for resolution;
– notifying all relevant privacy stakeholders about privacy breaches as required in some jurisdictions (e.g., the data protection authorities) and depending on the level of risk;
– allowing an aggrieved PII principal access to appropriate and effective sanctions and/or remedies, such as rectification, expungement or restitution if a privacy breach has occurred; and
– considering procedures for compensation for situations in which it will be difficult or impossible to bring the natural person's privacy status back to a position as if nothing had occurred.
Measures to remediate a privacy breach should be proportionate to the risks associated with the breach, but they should be implemented as quickly as possible (unless otherwise prohibited, e.g., interference with a lawful investigation).
Establishing redress procedures is an important part of establishing accountability. Redress provides a means for the PII principal to hold the PII controller accountable for PII misuse. Restitution is one form of redress which involves providing compensation to the aggrieved PII principal. This is important not only in the situation of identity theft, reputational damage or misuse of PII but also where mistakes have been made in modifying or changing the respective PII.
Where redress processes are in place, PII principals might feel more confident entering into a transaction because the perceived risk for the natural person with regard to the outcome is effectively reduced. For some services redress is easier to achieve (e.g., financial loss) than for others (e.g., a stolen identity, damage to the image or reputation of the natural person), where the ability to quantify and compensate for the loss could be somewhat harder. Redress works best when based on transparency and honesty. Required types of redress measures can be governed by law.
5.11 Information security
Adhering to the information security principle means:
– protecting PII under its authority with appropriate controls at the operational, functional and strategic level to ensure the integrity, confidentiality and availability of the PII, and protect it against risks such as unauthorized access, destruction, use, modification, disclosure or loss throughout the whole of its life cycle;
– choosing PII processors that provide sufficient guarantees with regard to organizational, physical and technical controls for the processing of PII and ensuring compliance with these controls;
– basing these controls on applicable legal requirements, security standards, the results of systematic security risk assessments as described in ISO 31000, and the results of a cost/benefit analysis;
– implementing controls in proportion to the likelihood and severity of the potential consequences, the sensitivity of the PII, the number of PII principals that might be affected, and the context in which it is held.