6.3 Data Security and Privacy from a Global Perspective

COBIT 2019 Framework

Developed by the Information Systems Audit and Control Association (ISACA), Control Objectives for Information and Related Technologies (COBIT) stands out as a comprehensive framework designed for the governance and management of enterprise IT. While its primary focus is IT governance, its principles and guidelines offer a holistic approach to robust data protection. The framework, previously known as COBIT5 and then overhauled in 2019, emphasizes the importance of stakeholder needs, risk management, and a value-based, holistic approach that aligns IT goals with business objectives. Organizations employing this framework may use it to:

• establish a systematic approach to managing personal data
• ensure that privacy risks are identified and mitigated
• demonstrate compliance with privacy regulations globally
• foster trust among stakeholders, especially data subjects, by showcasing a commitment to privacy

An example of COBIT adoption is the European Network of Transmission System Operators for Electricity (ENTSO-E).

Tasked with representing forty-two electricity transmission operators across thirty-five European countries, ENTSO-E embarked on a journey in 2014 to integrate COBIT 5 into its IT processes.²⁹ This strategic move was aimed at refining the organization’s intricate IT infrastructure to support massive electricity flows, establish a decade-long network development blueprint, and ensure a transparent, standardized energy transaction framework across Europe. By embracing COBIT 5, ENTSO-E was able to fortify its IT governance, ensuring data integrity, process efficiency, and a commitment to excellence in line with its ambitious mission.

As the framework evolved, they have continued to align their practices with the updated COBIT 2019 to address emerging IT governance challenges.

ISO/IEC 27701

An extension to the ISO/IEC 27001 and ISO/IEC 27002 standards, the ISO/IEC 27701 provides guidelines for establishing, implementing, and maintaining a privacy information management system (PIMS), which is a framework or set of policies and procedures used by an organization to manage personal data and ensure compliance with privacy laws and regulations.

ISO/IEC 27701 is particularly vital given the volume of international and regional data protection laws such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States.

The key highlights of ISO/IEC 27701 include three levels (Table 6.2):

• Frameworks and Standards (Top Level): These are the overarching guidelines that organizations follow. For instance, ISO/IEC 27001 is the standard for managing information security, while ISO/IEC 27701 focuses on privacy.
• Systems (Middle Level): The frameworks lead to the creation of specific systems such as ISMS and PIMS, which are implemented within organizations to protect information and ensure compliance.
• Sector-Specific Applications (Bottom Level): The standards and systems are applied differently across sectors, acknowledging that each has specific requirements and challenges.

NIST Privacy Framework

In January 2020, the National Institute of Standards and Technology (NIST) released its Privacy Framework to address the challenges of increasing data privacy risks. This framework complements the NIST Cybersecurity Framework, specifically focusing on managing privacy risks by promoting the idea of Privacy by Design, which is a concept and approach in system engineering and data handling practices that integrates privacy and data protection measures from the very beginning of the design process, rather than as an afterthought.

The NIST Risk Management Framework allows enterprises to translate high-level, principles-based legal requirements into tangible technical privacy controls. Figure 6.6 outlines the Risk Management Framework steps, serving as a blueprint for organizations to tailor their own cybersecurity strategies. Notably, it incorporates guidance from a suite of NIST standards. For instance, NIST SP 800-39 offers a broad overview for managing information security risk organization-wide, while IR 8062 provides a nuanced approach to privacy engineering and risk management. SP 800-30, on the other hand, specializes in risk assessments, helping organizations identify, evaluate, and prioritize risks.

Figure 6.6 The Risk Management Framework steps incorporate key NIST standards such as SP 800-39 for organizational risk, IR 8062 for privacy engineering, and SP 800-30 for risk assessments. (modification of work “Risk Management” by NIST/National Institute of Standards and Technology, Public Domain)

As we advance further into the era of data-driven decision-making and digital innovation, these frameworks and regulations play a dual role. First, they provide a framework to guard against potential risks, and second, they lay the foundation for businesses to innovate responsibly, ensuring that user trust isn’t compromised.

China: Personal Information Protection Law

China’s Personal Information Protection Law (PIPL), introduced in 2021, marks the country’s first major data privacy law. This law is crucial for ensuring that personal information collected within China remains within its borders—a concept known as data localization. PIPL sets very strict rules for sharing data with other countries, meaning that companies must meet specific requirements before transferring data out of China. These requirements include getting certifications or contracts that align with Chinese standards.

Japan: Act on the Protection of Personal Information

Japan’s Act on the Protection of Personal Information (APPI) has been a key part of the country’s data privacy laws since it was first enacted in 2003. Recognizing the growing importance of global data protection, Japan made significant changes to the APPI in 2017 to update it in line with international standards, such as the European Union’s GDPR. The APPI focuses heavily on individual rights, ensuring that people have control over their personal data. This includes the right to access their data, correct any inaccuracies, and decide how their data are used. Businesses are required to clearly explain why they are collecting personal data and must obtain explicit consent from individuals.

South Africa: Protection of Personal Information Act

South Africa’s Protection of Personal Information Act (POPIA), which became fully effective in 2021, is designed to protect the privacy of personal data within the country. POPIA applies to any organization that processes personal information in South Africa, whether the data are processed automatically (like on a computer) or manually. The law requires that organizations are transparent about why they are collecting personal data and that they get consent from individuals when necessary. POPIA also emphasizes the importance of lawful processing, meaning that data can only be used for legitimate purposes. Furthermore, organizations must appoint an information officer to oversee compliance with POPIA, ensuring that the organization follows the regulations.

Background: The ISO/IEC 27001 Standard

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly developed ISO/IEC 27001. This globally recognized standard specifies the requirements for establishing, implementing, maintaining, and continuously improving an information security management system (ISMS). An organization that achieves this certification demonstrates its commitment to information security and data privacy, meeting international standards of excellence.

ISO/IEC 27001 certification is achieved through a rigorous process facilitated by a certification body, which is an organization accredited to assess and certify that companies, systems, processes, or products meet the established standards and requirements. The traditional method to obtain this certification involves undergoing an audit, a systematic examination and evaluation of an organization’s records, compliance with regulatory standards, and the integrity of financial reporting processes.

The Challenge: Certification during a Pandemic

In April 2020, Lone Star Data Hub, a data center located in Austin, Texas, embarked on a journey to achieve ISO/IEC 27001 certification. For Lone Star Data Hub, known for managing critical data infrastructure for regional clients in sectors such as finance and health care, this certification was more than just a seal of approval. It was a strategic business move aimed at setting their services apart in a competitive market. Obtaining ISO/IEC 27001 certification would underscore the center’s dedication to stringent information security standards and enhance its appeal to a broad client base, including Fortune 500 companies. This certification was seen as a crucial step in demonstrating their commitment to protecting sensitive data and maintaining the highest level of security. However, the onset of the COVID-19 pandemic introduced a myriad of challenges, specifically, nationwide lockdowns, social distancing mandates, and the transition to remote work.

To meet the challenges of this certification process, the data center sought a certification body with a solid reputation, even in remote settings. Guided by a recommendation from another auditor and the influence of stakeholders with a comprehensive background in information security, they selected the National Sanitation Foundation; International Strategic Registrations chapter (NSF-ISR).

The ensuing audit was thoroughly planned, with NSF-ISR providing a comprehensive agenda designed to allow the data center to operate seamlessly, ensuring minimal disruption to its ongoing operations. The audit process involved a detailed examination of the data center’s information security practices, including assessments of security controls, risk management processes, and compliance with ISO/IEC 27001 standards. This balanced approach provided the data center with invaluable insights, highlighting areas of strength and those needing improvement.

Remote Auditing: A New Paradigm

The adoption of remote auditing, a practice in which an audit is conducted off-site via video or other technological means, marked a significant shift in the certification process. Traditionally, auditors would be present on-site, directly interacting with systems and personnel. However, the pandemic’s constraints necessitated a different approach. NSF-ISR leveraged digital tools and technologies to assess the data center’s systems, processes, and policies. During the remote audit, NSF-ISR measured various aspects, including the effectiveness of security controls, the alignment of practices with ISO/IEC 27001 standards, and the overall security posture of the data center. This assessment was conducted through virtual meetings, screen sharing sessions, and digital document reviews, which have become a new norm. While this mode of auditing was novel, it demonstrated that with the right tools and expertise, remote evaluations could be just as effective as their in-person counterparts.

Achieving Certification: Implications and Benefits

The meticulous audit culminated in the data center obtaining its ISO/IEC 27001 certification. This achievement also signaled an auditor’s adeptness in remotely verifying an ISMS. For the Texas-based data center, this certification expanded the company’s market opportunities, enabling it to respond to business opportunities that mandated stringent information security practices. As more organizations prioritize data security, the demand for ISO/IEC 27001-certified entities is poised to grow.