Simplified and stronger data protection rules in the EU

Some really interesting things are happening in the EU when it comes to overhauling the EU Directive on Data Protection. Thanks to the summary provided by the Panopticon blog.

The Memo from the European Commission, which has been approved, sets out the following reforms that will make doing business simpler for EU companies, and they are significant! So here are the four pillars of reform, or at least a summary of them. If you want to read the full Monty, go here.

Pillar One: One continent, one law
The European Parliament agrees that the new data protection law for the private and public sector should be a Regulation, and no longer a Directive. The Regulation will establish a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Companies will deal with one law, not 28.

Pillar Two: Non-European companies will have to stick to European data protection law if they operate on the European market. What this means is that non-European companies will have to apply the same rules as their European counterparts. European regulators will be equipped with strong powers to enforce this.

Pillar Three: The Right to be Forgotten/ The Right to Erasure
The right to be forgotten builds on already existing rules to better cope with data protection risks online. If an individual no longer wants his or her personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system.

The right to be forgotten is not an absolute right. For example, there are cases where there is a legitimate reason to keep data in a database, e.g. newspaper archives. In addition, the right to be forgotten includes an explicit provision ensuring that it does not encroach on the freedom of expression and information.

Pillar Four: A “One-stop-shop” for businesses and citizens
The Regulation will establish a ‘one-stop-shop’ for businesses. What this means is that companies established and operating in several Member States will only have to deal with a single national data protection authority, not 28, making it simpler and cheaper for companies to do business in the EU.

The Expert’s Number for Security Risk Assessments

You know, I just love this article, and often refer to it when I’m speaking. However, I couldn’t remember who had written it, the title, or when. Well, the mystery is over: whilst cleaning out my hard disk, I found it. It was published in 2008. Have fun reading 🙂
The Expert’s Number for Security Risk Assessments

What is Required for ISO 27001 Accreditation?

Did you know that ISO 27001 was updated to ISO 27001:2013 last year? The new standard has only 119 controls, as opposed to over 130 before. Added are controls on mobility and agility. The control framework, though, is being expanded beyond this through joint work with the Cloud Security Alliance; I think it’s being mapped out as 270018, still incomplete when I last checked. This is a good description of what ISO 27001:2013 is, the high-level process.

I’ve been digging around in my archives and found something that has sort of been lost. There is the traditional security triad of Confidentiality, Integrity, Availability (CIA), which was revised to the following at least 8 years ago. I found this on Bruce Schneier’s blog anyhow.

Authentication (who are you)
Authorization (what are you allowed to do)
Availability (is the data accessible)
Authenticity (is the data intact)

Admissibility was also added, because it was deemed that “this model is no longer sufficient because it does not include asserting the trustworthiness of the endpoint device from which a (remote) user will authenticate and subsequently access data. Network admission and endpoint control are needed to determine that the device is free of malware (esp. key loggers) before you even accept a keystroke from a user”.

I have been thinking a little. Keeping to five ‘A’s makes this harder to understand than it needs to be. If we look at these again, the first two are to do with the identifying party, the next two are to do with the data, and the final one is to do with the endpoint. The first three ‘A’s I feel comfortable with; the last two feel like a workaround to keep five ‘A’s… hey, the marketing guys would be happy with this 😉

I’ve changed Authenticity back to what it was originally in the CIA triad, Integrity, and the last one to Trust, as this is basically what it is all about: do you trust the endpoint device?

Authentication (who are you)
Authorization (what are you allowed to do)
Availability (is the data accessible)
Integrity (is the data intact)
Trust (is the endpoint trusted)

So that gives us AAAIT if we go from the identity to the endpoint, or TIAAA from the endpoint to the identity. Well, marketing wouldn’t like this at all, but I like it and I think it’s easy to remember 😀

Free book by Danah Boyd

I have admired Danah for years for the amount of work she has put into understanding social media and how young people engage with it. She has done some great work! Now she has published a free book. I haven’t read it yet, but I think it should be good, as I’ve read a significant number of her research papers.

I will write more, a review, once I’ve read the book, but I would expect the target audience for this type of material to be teachers, parents, and, as a matter of fact, all of us.