Three security properties: Confidentiality, Integrity, Availability.
Security measures: organizational measures, technical measures, physical measures.
Privacy roles and documents: DPO, Privacy Notice, Records of Processing Activities (ROPA), Data Subject Request (DSR).
Technical measures:
1. Access control and authentication (multi-factor authentication)
2. Logging and monitoring
3. Security of data at rest
4. Network/communication security (IPS, NAC)
5. Back-ups
6. Mobile/portable devices
7. Application lifecycle security (patching)
8. Data deletion/disposal
9. Physical security
Source: https://www.blognone.com/node/124264
Information assets
Protecting confidentiality, integrity and availability of servers and clients.
Defense in depth: multiple layers of security controls.
Privacy and security awareness for users.
Access control:
- identity proofing and authentication
- authorization
- need-to-know basis, principle of least privilege
- user access management: user registration and de-registration, user access provisioning, management of privileged access rights, management of secret authentication information of users, review of user access rights, removal or adjustment of access rights
- user responsibilities
- audit trails
3A (Authentication, Authorization, Accounting):
- Authentication: user & password, PIN, QR code
- Authorization
- Accounting
Data protection: data risk level, data proliferation, data discovery, data policy.
Step 1: Privacy Policy
1. Privacy Policy
2. Third-party Privacy Policy
Cookie pop-up / cookie consent banner (Cookiewow); HR Privacy Policy. Source: http://pdpa.pro
Step 2: Standard Operating Procedure (SOP); Records of Processing Activity (ROPA); sensitive personal data (e.g. Face ID, Add LINE); direct marketing; cookie-based targeted advertising; vendors handling sensitive personal data. Source: http://pdpa.pro
Step 3: Minimum security requirements: confidentiality, integrity, availability; administrative, technical and physical safeguards; access control, security assessment, security policy; breach notification protocol. Source: http://pdpa.pro
Step 4: Data Processing Agreement under the PDPA. Source: http://pdpa.pro
Step 5: DPO (Data Protection Officer) under the PDPA. Source: http://pdpa.pro
Summary: Step 1 to Step 5.
Data Risk Level (rated by impact on confidentiality, integrity and availability):
(1) Low: loss of confidentiality, integrity or availability has a limited adverse effect
(2) Moderate: loss of confidentiality, integrity or availability has a serious adverse effect
(3) High: loss of confidentiality, integrity or availability has a severe or catastrophic adverse effect
Source: www.tba.or.th
DPIA (Data Protection Impact Assessment)
INTERNATIONAL PRIVACY STANDARDS (ISO/IEC 27701, 27001, 27002, AND 29100)
RELATIONSHIP AMONG ISO PRIVACY STANDARDS
- ISO/IEC 29100 (2011) Information technology - Security techniques - Privacy framework
- ISO/IEC 27001 (2013) Information technology - Security techniques - Information security management systems - Requirements
- ISO/IEC 27002 (2013) Information technology - Security techniques - Code of practice for information security controls
- ISO/IEC 27701 (2019) Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management
ISO/IEC 27001:2013 vs ISO/IEC 27001:2022
- ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements
- ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems - Requirements
ISO/IEC 27002:2013 vs ISO/IEC 27002:2022
- ISO/IEC 27002:2013 Information technology - Security techniques - Code of practice for information security controls
- ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection - Information security controls
THAILAND INFORMATION SECURITY STANDARDS
ISO/IEC 29100 (2011) INFORMATION TECHNOLOGY - SECURITY TECHNIQUES - PRIVACY FRAMEWORK
Introduction
This International Standard provides a high-level framework for the protection of personally identifiable information (PII) within information and communication technology (ICT) systems. It is general in nature and places organizational, technical, and procedural aspects in an overall privacy framework. The privacy framework is intended to help organizations define their privacy safeguarding requirements related to PII within an ICT environment by:
- specifying a common privacy terminology;
- defining the actors and their roles in processing PII;
- describing privacy safeguarding requirements; and
- referencing known privacy principles.
In some jurisdictions, this International Standard's references to privacy safeguarding requirements might be understood as being complementary to legal requirements for the protection of PII. Due to the increasing number of information and communication technologies that process PII, it is important to have international information security standards that provide a common understanding for the protection of PII. This International Standard is intended to enhance existing security standards by adding a focus relevant to the processing of PII.
The increasing commercial use and value of PII, the sharing of PII across legal jurisdictions, and the growing complexity of ICT systems, can make it difficult for an organization to ensure privacy and to achieve compliance with the various applicable laws. Privacy stakeholders can prevent uncertainty and distrust from arising by handling privacy matters properly and avoiding cases of PII misuse. Use of this International Standard will:
- aid in the design, implementation, operation, and maintenance of ICT systems that handle and protect PII;
- spur innovative solutions to enable the protection of PII within ICT systems; and
ISO/IEC 29100 (2011) privacy framework: https://webstore.iec.ch/preview/info_isoiec29100%7Bed1.0%7Den.pdf
TERMINOLOGY DIFFERENCES BETWEEN GDPR AND ISO/IEC 27701
The original version is available at https://www.audit-academy.be/images/downloads/IS-ISO27701-2019V1.pdf
PII FLOW AND ROLES BETWEEN PROVIDER AND RECEIVER
PECB is a certification body that provides education, certification, and certificate programs for individuals on a wide range of disciplines. https://pecb.com/en/about
https://pecb.com/pdf/whitepapers/30-Whitepapers-iso29100-how-can-organizations-secure-its-privacynetwork.pdf
ISO/IEC 27701, ISO/IEC 27001 AND ISO/IEC 27002 (relationship figures)
ISO/IEC 27701 scope, https://www.iso.org/obp/ui/#iso:std:iso-iec:27701:ed-1:v1:en
This document can be used by PII controllers (including those that are joint PII controllers) and PII processors (including those using subcontracted PII processors and those processing PII as subcontractors to PII processors). An organization complying with the requirements in this document will generate documentary evidence of how it handles the processing of PII. Such evidence can be used to facilitate agreements with business partners where the processing of PII is mutually relevant. This can also assist in relationships with other stakeholders. The use of this document in conjunction with ISO/IEC 27001 can, if desired, provide independent verification of this evidence. This document was initially developed as ISO/IEC 27552.
ISO/IEC 27001; THE LIST OF BASIC CONCEPTS IN THE STUDENT NOTES BELOW WILL BE CONSIDERED UNDERSTOOD FOR THE EXAM.
- access control
- annualized loss expectancy (ALE)
- annualized rate of occurrence (ARO)
- asset
- audit
- authentication
- authorization
- availability
- backup
- biometrics
- business continuity management (BCM)
- certificate
- change management
- classification
- clear-desk policy
- code of conduct
- compliance
- confidentiality
- continuity
- controls
- cryptography
- cyber crime
- damage: direct damage, indirect damage
- data
- digital signature
- disaster
- disaster recovery plan (DRP)
- encryption
- escalation
- exposure factor (EF)
- grading
- hacker
- identification
- (business) impact
- incident cycle
- incident reporting
- information
- information analysis
- information architecture
- information management
- information security management system (ISMS)
- information security organization
- information security policy
- information system
- integrity
- intrusion detection system (IDS)
- key
- logical access management
- malware
- (counter)measure: corrective, detective, insurance, preventive, reductive, repressive
- non-disclosure agreement
- non-repudiation
- patch
- phishing
- priority
- privacy
- Public Key Infrastructure (PKI)
- redundancy
- reliability
- risk
- risk analysis: qualitative risk analysis, quantitative risk analysis
- risk assessment
- risk management
- risk avoiding/risk avoidance
- risk bearing (risk acceptance)
- risk neutral
- risk strategy
- risk treatment
- rootkit
- security incident
- segregation of duties
- single loss expectancy (SLE)
- social engineering
- spam
- spyware
- threat: non-human threat, human threat
- threat agent
- trojan
- uninterruptible power supply (UPS)
- urgency
- validation
- verification
- virtual private network (VPN)
- virus
- vulnerability
- worm
DESCRIBE HOW THE VALUE OF DATA AND INFORMATION CAN INFLUENCE ORGANIZATIONS
The typical production factors of a company or organization are:
- Capital
- (Manual) labor
- Raw materials
In information technology, it is common to also consider information as a production factor:
- Businesses cannot exist without information
- A warehouse that loses its customer and stock information would usually not be able to operate without it
- Some businesses, such as an accountant's office, banks and insurance firms, even have information as their only product or service
NAME THE RELIABILITY ASPECTS OF INFORMATION
The reliability of information is determined by three aspects: Confidentiality, Integrity, Availability
EXPLAIN THE RELATIONSHIP BETWEEN A THREAT AND A RISK
A risk is the likelihood of a threat agent taking advantage of a vulnerability in an asset, and the corresponding business impact (elements: Risk, Threat, Asset, Vulnerability).
Risk cycle diagram: Threats, Assets, Countermeasures, Attacks, Vulnerabilities, Risks (relations shown: materialise by, compromised by, exploit, protect, expose to)
A threat could be:
- an intruder accessing the network through a port on the firewall
- a process accessing data in a way that violates the security policy
- a tornado wiping out a facility
Two kinds of threats:
- Human threats: Intentional (hacking, damaging property, destroying e-mails after being fired); Unintentional (deleting data and carelessly confirming this with OK); Social engineering (tricking people into voluntarily providing sensitive information: phishing)
- Non-human threats: lightning strikes, fire, floods, hurricanes, tornadoes, etc.
DESCRIBE VARIOUS TYPES OF DAMAGE
Damage types:
- Direct damage: theft, water
- Indirect damage: inability to provide a service because the IT infrastructure is down; financial damage due to loss of a customer contract
2.1.5 DESCRIBE VARIOUS RISK STRATEGIES
Risk bearing (acceptance): risks are accepted and no action is taken (e.g. due to a low expected impact or likelihood)
- Security measures are too costly
- Security measures exceed the possible damage
- Security measures that are taken are repressive by nature
Risk neutral (treat): measures are taken to prevent risks from happening or to minimize damage (e.g. physical security, fire protection systems)
- The threat no longer occurs
- The resulting damage is minimized
- Security measures taken are a combination of preventative, detective and repressive measures
Risk avoiding: measures are taken to make sure the risk does not happen
- Security measures that are taken are preventative by nature (e.g. software patching)
EXPLAIN THE IMPORTANCE OF OWNERSHIP
Assets are necessary for an organization to be able to do business. Assets may include:
- Documents, databases
- Hardware and software
- Facilities, such as buildings
- Media, such as USB sticks, removable hard drives
- People
The asset owner is responsible for the processes and activities that use the asset, including: security, management, production, development
EXPLAIN THE IMPORTANCE OF OWNERSHIP
Managing and handling assets. Asset management deals with three main objectives:
- How to deal with assets
- How to handle changes to assets
- Who can initiate and implement changes to assets
Service management frameworks such as VeriSM, ITIL, ISO/IEC 20000 and COBIT provide guidance on these objectives.
In practice:
- Media must be removed or deleted in a safe way if no longer required
- System documentation and manuals must be kept in a secure place and updated regularly
- The transport of media, which is of course packed well, should be carried out by a recognized courier firm that provides the correct physical conditions (humidity, temperature, electromagnetic protection)
NAME THE MOST IMPORTANT ROLES IN THE SECURITY ORGANIZATION
The information security roles may vary in the title they are given, but they come down to the following:
- The Chief Information Security Officer (CISO) is at the highest management level of the organization and develops the general strategy for the entire business
- The Information Security Officer (ISO) develops the policy of a business unit based on the company policy and ensures that it is observed
- The Information Security Manager (ISM) develops the Information Security Policy within the IT organization and ensures that this is observed
In addition to these roles that are specifically geared to information security, an organization may have an Information Security Policy Officer or a Data Protection Officer
SUMMARIZE HOW SECURITY INCIDENTS ARE REPORTED AND WHAT INFORMATION IS REQUIRED
An incident report form should at a minimum allow the following information to be entered:
- Date and time
- Name of the person reporting
- Location (where is the incident?)
- What is the issue? (description of the incident)
- What is the effect of the incident?
- How was it discovered?
And, if possible, the following areas:
- Type of system (desktop, printer, server, mail server, etc.)
- System number / system name (if present)
- Who else was informed?
EXPLAIN THE CONSEQUENCES OF NOT REPORTING SECURITY INCIDENTS
Staff, temporary personnel and external users should all be made aware of the procedures for reporting the various types of incidents and weaknesses that can have an influence on the reliability of information and the security of business assets. They should be required to report all incidents and weaknesses as quickly as possible to the service desk or a contact person.
Two matters are of great importance and must be made clear by the management:
- Reporting security incidents is primarily a way of learning from them to avoid similar incidents from recurring
- Reporting an incident is not intended as a way of punishing the perpetrator of that incident
EXPLAIN THE CONSEQUENCES OF NOT REPORTING SECURITY INCIDENTS
However, if an employee were to intentionally sabotage an information system, leak information or cause damage, he or she might have to be reported to the police.
Reasons incidents go unreported include the expected response, or not wanting to be seen as a telltale.
The process must also ensure that the person who reports an information security incident is informed of the results after it has been dealt with.
EXPLAIN WHAT AN ESCALATION ENTAILS (FUNCTIONALLY AND HIERARCHICALLY)
- Hierarchical escalation: to a higher level in the organization (e.g. management)
- Functional escalation: to people with more expertise
EXPLAIN THE INCIDENT CYCLE
Threat, Incident, Damage, Recovery
DESCRIBE THE VARIOUS WAYS IN WHICH SECURITY MEASURES MAY BE STRUCTURED OR ARRANGED
Prevention, Detection, Repression, Recovery, Insurance, Acceptance
DESCRIBE THE VARIOUS WAYS IN WHICH SECURITY MEASURES MAY BE STRUCTURED OR ARRANGED
- Preventative measures: aimed at preventing security incidents
- Detective measures: aimed at detecting security incidents
- Repressive measures: aimed at stopping the consequences of security incidents
- Corrective measures: aimed at recovering from the damage caused by security incidents
- Buy insurance: aimed at buying insurance against certain security incidents because implementing the security measures may be too expensive
3.3.2 GIVE EXAMPLES OF SECURITY INCIDENTS
- Ineffective security control
- Breach of information integrity, confidentiality or availability expectations
- Human errors
- Non-compliance with policies or guidelines
- Breaches of physical security arrangements
- Uncontrolled system changes
- Malfunctions of software or hardware
- Access violations
GIVE EXAMPLES FOR EACH TYPE OF SECURITY MEASURE
Preventative measures: aimed at preventing security incidents. Examples:
- Breaking the connection with the internet (Cyber Drill)
- Making a cockpit door bullet proof
- Placing sensitive information in a safe
Detective measures: aimed at detecting security incidents. Examples:
- Video surveillance with stickers on the windows informing people they are being monitored
- Informing people that Internet use is being monitored will dissuade many employees from improper Internet browsing activities
Repressive measures: aimed at stopping the consequences of security incidents. Examples:
- Putting out a small fire
- Making a backup
- A stand-by arrangement
Corrective measures: aimed at recovering from the damage caused by security incidents. Example:
- While creating a new database, an existing database was overwritten; the age of the backup of this database will determine how much recovery effort will need to be done
Buy insurance: buying insurance against certain security incidents because implementing the security measures may be too expensive. Examples:
- Fire insurance
- Placing copies of important information at a different location
EXAMPLES OF INFORMATION CLASSIFICATION LEVELS
- Public: data that may be freely disclosed to the public (marketing materials, contact information, price lists, etc.)
- Internal only: internal data not meant for public disclosure (battlecards, sales playbooks, organizational charts, etc.)
- Confidential: sensitive data that, if compromised, could negatively affect operations (contracts with vendors, employee reviews, etc.)
- Restricted: highly sensitive corporate data that, if compromised, could put the organization at financial or legal risk (intellectual property (IP), credit card information, social security numbers, protected health information (PHI))