THE CONSULTING PROJECT
The activity consists of an analysis of the privacy system implemented in the company (under the former Legislative Decree 196/03) and an indication of the measures to be adopted in light of the new European Regulation (EU) 2016/679. The General Data Protection Regulation (EU) 2016/679 (GDPR) entered into force on 24 May 2016, and the deadline for complying with the new privacy obligations is 25 May 2018.
Risk Assessment As Is (Legislative Decree 196/03)
The preceding activities, carried out through interviews and document analysis, make it possible to verify:
At the end of the check, an assessment is prepared that identifies any aspects that need to be implemented or that can be improved, so that the processing of personal data complies with the provisions of Legislative Decree 196/03.
Risk analysis under Regulation (EU) 2016/679
The Regulation aims to respond to the challenges posed by technological developments and new models of economic growth, taking into account the need for personal data protection that citizens of European Union countries increasingly feel.
The Regulation promotes the accountability of data controllers and the adoption of approaches and policies that constantly take into account the risk that a given processing of personal data may entail for the rights and freedoms of the data subjects: a risk-based approach that rewards the most responsible parties.
The key principle is "privacy by design": data protection is guaranteed from the planning and design phase of a processing operation or a system, and behaviours are adopted that prevent problems before they arise.
This phase identifies the regulatory requirements laid down by the Regulation that apply to the company's specific situation.
Gap analysis between the Risk Assessment As Is and Regulation (EU) 2016/679
On the basis of the information gathered in the previous steps ("Risk Assessment As Is" and "Risk analysis under Regulation (EU) 2016/679"), a report is drawn up identifying the elements still missing for the processing of personal data to be compliant with Regulation (EU) 2016/679, and therefore the areas in which the company must intervene to achieve such compliance.
List of actions to be implemented for adaptation to the European Regulation (EU) 2016/679
Finally, a list of the actions to be implemented to ensure compliance with Regulation (EU) 2016/679 is provided, for example:
Drafting of the documentation and final presentation
The documentation produced is shared with the managers, approved by them, and the results of the privacy system review are presented.
THE CONSULTING PROJECT
The consulting projects are carried out using the Secure Information ISO 27001 module of the KRC® platform.
The KRC® ISO 27001 flow adopts a model based on the definition of the following entities: Processes, Assets, Layouts, Threats, Controls.
The risk assessment dimensions of each asset covered by the algorithm are:
The probability of occurrence of a threat is expressed in terms of the average time between two consecutive events (MTBO, Mean Time Between Occurrences), on a numerical scale from 0 to 5.
The impact, i.e. the extent of the consequences following a damaging event, is quantified on the same 0 to 5 scale, as are the levels of effectiveness of the Controls. The implementation and planning values of the countermeasures are expressed as percentages.
Layouts are organized in a hierarchical tree. The hierarchy need not follow the physical structure, although in most cases that is the most appropriate choice. The layout tree is shared with the other KRC® flows; in the 27001 flow it is used to contextualize specific Assets at a given location.
Controls are classified according to a three-level hierarchy: Clauses, containing Control Objectives, which in turn host the individual Controls. The hierarchical division serves classification purposes only and does not affect the operation of the algorithm.
The control structure provided with the flow is intended as a starting point and can be extended, modified or completely rewritten.
The list of threats provided with the flow is intended as a starting point and can be extended, modified or completely rewritten. Each threat includes the following fields:
Assets are organized in a hierarchical tree. The evaluation algorithm uses this organization to simplify the modelling of Threats (and of their Controls): an Asset inherits the Threats associated with its parent, the parent's parent, and so on up the whole hierarchy.
Where a child needs to describe specific Threats, or levels of application of the Controls different from those inherited, these can be specified explicitly, and the overriding values take precedence over the inherited ones.
The Asset hierarchy should therefore be defined not only on the basis of "physical" or connectivity criteria, but also so as to optimize the definition and maintenance of the model of Threats and related Controls.
Assets that need specific Threats (and related Controls) are described through an identification card composed of the fields:
The card contains a tile showing the set (union) of the Controls associated with the selected Threats. For each Control, the current level of implementation and the planned level can be specified.
Processes are represented as a hierarchical tree. Each node is associated with the Assets that contribute to delivering it; here too the inheritance rule applies: Assets associated with a higher-level node are treated by the algorithm as inherited when evaluating the lower levels.
Processes can be associated with nodes of the Layout structure. In this case the Assets specifically defined for that Layout are evaluated, if present; otherwise the generic Assets (those without a Layout) are evaluated.
The Business Impact Analysis (BIA) is fundamental to risk analysis; its purpose is to determine the consequences of a critical event in order to evaluate its impact on the Process and, ultimately, on the operation of the organization.
For each Process activity to be evaluated (the leaves of the tree), the sensitivity (pain threshold) must be defined for the three impact dimensions: Confidentiality, Integrity, Availability.
Risk is calculated starting from the Elementary Risk, i.e. the risk profile of Processes and Assets without any countermeasure applied.
Current Risk is the risk profile of Processes and Assets with the countermeasures applied up to the time of the analysis. Planned Risk is the risk profile of Processes and Assets at the end of the risk treatment plans. When the impact (I) and probability (P) values are plotted on matrices (heat maps), they are discretized on their respective scales using the mathematical rounding criterion. The discrete risk scale is R = P x I.
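The following is an added toy implementation of the model sketched above (asset tree with inherited and overridden Threats, Elementary / Current / Planned risk, heat-map discretization with R = P x I). It is illustrative code written for this page, not KRC® code. Two points are assumptions, since the page does not specify them: each Control is taken to scale the probability by (1 - effectiveness/5 x implementation/100), with several Controls multiplying, and "mathematical rounding" is taken to mean round-half-up. The asset names, threats and control values are constructed sample data.

```python
"""Illustrative risk model (not KRC code): threat inheritance along an
asset tree with per-asset overrides, three risk stages, heat-map rounding."""
from __future__ import annotations

import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    name: str
    effectiveness: int        # 0..5 scale, as on the page
    implemented: float = 0.0  # % implemented today (Current Risk)
    planned: float = 0.0      # % at the end of the treatment plan (Planned Risk)


@dataclass
class Threat:
    name: str
    probability: float        # 0..5 MTBO scale
    impact: float             # 0..5 scale
    controls: List[Control] = field(default_factory=list)


@dataclass
class Asset:
    name: str
    parent: Optional["Asset"] = None
    threats: Dict[str, Threat] = field(default_factory=dict)  # explicit entries only

    def effective_threats(self) -> Dict[str, Threat]:
        """Union of the threats of the whole ancestor chain; an explicit entry
        on a descendant replaces the inherited entry with the same name."""
        chain: List[Asset] = []
        node: Optional[Asset] = self
        while node is not None:
            chain.append(node)
            node = node.parent
        merged: Dict[str, Threat] = {}
        for node in reversed(chain):  # root first, so children win
            merged.update(node.threats)
        return merged


def round_half_up(x: float) -> int:
    """'Mathematical' rounding (assumed: 2.5 -> 3). Python's round() is
    banker's rounding and would give 2, which changes heat-map cells."""
    return math.floor(x + 0.5)


def residual_probability(threat: Threat, stage: str) -> float:
    """ASSUMPTION: each control multiplies P by (1 - eff/5 * level/100)."""
    if stage == "elementary":
        return threat.probability
    p = threat.probability
    for c in threat.controls:
        level = c.implemented if stage == "current" else c.planned
        p *= 1.0 - (c.effectiveness / 5.0) * (level / 100.0)
    return p


def asset_risk(asset: Asset, stage: str) -> Dict[str, int]:
    """Discrete risk per threat, R = round(P) x round(I), for one stage
    ('elementary', 'current' or 'planned')."""
    result: Dict[str, int] = {}
    for name, t in asset.effective_threats().items():
        p = round_half_up(residual_probability(t, stage))
        i = round_half_up(t.impact)
        result[name] = p * i
    return result


def build_sample() -> Tuple[Asset, Asset, Asset]:
    """Constructed sample: a data centre with two children. The web server
    overrides the inherited power-failure threat with its own probability."""
    ups = Control("UPS + generator", effectiveness=4, implemented=50, planned=100)
    mfa = Control("MFA on admin access", effectiveness=5, implemented=0, planned=80)
    data_centre = Asset("Data centre", threats={
        "Power failure": Threat("Power failure", probability=4, impact=3, controls=[ups]),
        "Unauthorised access": Threat("Unauthorised access", probability=3, impact=5, controls=[mfa]),
    })
    db_server = Asset("DB server", parent=data_centre)          # inherits everything
    web_server = Asset("Web server", parent=data_centre, threats={
        "Power failure": Threat("Power failure", probability=2.5, impact=3),  # override, no controls
    })
    return data_centre, db_server, web_server


if __name__ == "__main__":
    for asset in build_sample():
        for stage in ("elementary", "current", "planned"):
            print(f"{asset.name:12s} {stage:10s} {asset_risk(asset, stage)}")
```

Running it shows the three profiles side by side: the UPS control brings the data centre's power-failure risk from 12 (elementary) to 6 (current, 50% implemented) and 3 (planned), while the web server's override keeps its own P = 2.5, which rounds to 3 under half-up rounding and to 2 under Python's default, a difference of one heat-map row.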