
(SACON) Srinivas posarala - Challenges & Approach


ISO 27701 is a new standard for privacy protection, built as an extension to ISO 27001 & 27002. Released as recently as August 2019, organizations and practitioners are still trying to understand the standard and its intricacies & implications. Infosys is the first Indian company to have been 27701 certified, a result of a long-running Privacy Program with a team having the necessary expertise and many years of experience in the domain. In this session, the Infosys Chief Privacy Officer shares their journey and offers key insights and learnings to organizations on their paths to achieving 27701.

Published in: Technology

  1. SACON International 2020 India | Bangalore | February 21 - 22 | Taj Yeshwantpur
     27001 to 27701: Challenges & Approach
     Srinivas Poosarla, Infosys VP & Chief Privacy Officer

  2. Agenda (views expressed are personal)
     ❑ A brief overview of ISO 27701
     ❑ What it takes to implement the standard
     ❑ What can be leveraged from an existing 27001 implementation and what needs to be done ground-up
     ❑ Challenges & road blocks one can anticipate and how they can be overcome
     ❑ Key learnings

  3. Changing Notion of Privacy
     (diagram; labels on the slide: Places, People, Information self-determination, Time, Innovation, Privacy)

  4. Anatomy of a DP Regulation
     1. Privacy Principles
        ❑ Fair & lawful processing
        ❑ Purpose limitation
        ❑ Data minimization
        ❑ Accuracy
        ❑ Storage limitation
        ❑ Security (C, I, A)
     2. Data Subject Rights
        ❑ To access one's PII
        ❑ To correct
        ❑ To be forgotten
        ❑ To object to ADM (automated decision-making)
        ❑ To withdraw consent
        ❑ Against ADM & profiling
     3. Accountability
        ❑ Appointment of a DPO and their empowerment
        ❑ Privacy by Design & Privacy Impact Assessments
        ❑ Due diligence when outsourcing
        ❑ Evidence to demonstrate compliance
        ❑ Breach notification
        ❑ International data transfers
     4. Grievance Redressal
        ❑ By the DPO (internal to the organization)
        ❑ By the DPA (authority, with powers to regulate and impose sanctions)

  5. About ISO 27701
     • Extension to ISO/IEC 27001 & ISO/IEC 27002 for privacy information management: requirements and guidelines
     • A sector-specific standard: the privacy extension to ISO/IEC 27001 (Information Security Management) and ISO/IEC 27002 (Security Controls)
     • World's first international standard on a PIMS (Privacy Information Management System)
     • Incorporates a mapping against GDPR requirements
     • ISO 27001 certification is a prerequisite

  6. Why ISO 27701?
     • Provides an established framework which the PIMS can emulate
     • Helps create a baseline set of measures when subject to DP laws from multiple jurisdictions
     • Risk-based approach, useful in a constantly changing threat landscape
     • A model for continuous improvement
     • Likely to minimize penalties in the event of a data breach
     • Market differentiator
     • Integrates well with ISO 27001

  7. Mapping between ISMS & PIMS

     ISO standard                        | Security                                          | Privacy
     ISO 27001                           |                                                   | ISO 27701 Sec 5: PIMS-related requirements
     ISO 27002 / Annex A of ISO 27001    | ISO 27701 Sec 6: PII-specific security controls   | ISO 27701 Sec 7, 8, Annexes A & B: privacy controls

  8. Categories of Key Requirements
     ❑ Clause 5: PIMS-specific requirements regarding the information security requirements in ISO/IEC 27001, for an organization acting as either a PII controller or a PII processor
     ❑ Clause 6: PIMS-specific guidance regarding the information security controls in ISO/IEC 27002, for an organization acting as either a PII controller or a PII processor
     ❑ Clause 7: Additional ISO/IEC 27002 guidance for PII controllers
     ❑ Clause 8: Additional ISO/IEC 27002 guidance for PII processors
     ❑ Annex A: PIMS-specific control objectives and controls for a PII controller
     ❑ Annex B: PIMS-specific control objectives and controls for a PII processor

  9. Approach towards Development of PIMS (flow diagram)
     PIMS objectives & planning → Identify security & privacy risks → Analyze → Evaluate → Treat → Controls identification (determine controls; compare with Annexes A & B) → SoA (Statement of Applicability)
     Open question on the slide: what about compliance requirements?

  10. What may be leveraged during implementation?
     • ISMS & PIMS: distinct or combined?
     • Security-related controls on PII
     • Documentation infrastructure
     • CISO & CPO organization: common or independent?
     • Risk assessment framework
     • SoA
     • Data classification & labelling criteria

  11. Challenges, Way Forward & Learnings
     • Compliance is binary, risk is not
     • Conflict between security & privacy due to increased reliance on detection tools for security
     • Temp files
     • Force-fitting the PIMS into the ISMS structure may have led to complexity
     • Implementation guidance on integrating ISMS & PIMS is absent
     • Competency gap on the PIMS standard, if privacy is a legal function
     • Need for auditors to be competent on regulatory updates

  12. Questions?
