Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001 Designed to Last: Building a Modern...
-
date post
18-Dec-2015 -
Category
Documents
-
view
213 -
download
0
Transcript of Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001 Designed to Last: Building a Modern...
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
Designed to Last: Building a Modern Privacy ArchitectureNovember 1, 2001
Presented to: The Human Face of Privacy
Presented by: Stephanie Perrin, CPOZero-Knowledge Systems
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
My Talk Todayo Zero Knowledge Systems and our experience of Building in Privacy
• Freedom• Private Credentials• Enterprise Privacy Management
o Privacy Architecture• The CSA standard and the Canadian Experience• The ISO initiative• CEN/ISS• PETs
o Constituencies• Legal• Standards• Technology• Security• The CPO
o The Future
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
About Zero-Knowledge Systems
Founded: 1997
Offices: Montreal and San Francisco
Awards: PC Magazine 5/5 rating for Freedom®, PC World Internet Newcomer of the Year (2000), Yahoo! “Rolls Royce of Privacy Software”
Product Evolution: Tools for Consumers Consulting Businesses Tools for Enterprise = EPM
Zero-Knowledge Systems equips Global 2000 organizations with the software and expertise to manage the privacy and security of
customer, employee and corporate information assets in support of critical business initiatives.
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
Zero-Knowledge Product Lines
For Enterprise:
Enterprise Privacy Manager (EPM) product & services
Software and services for the private and secure management of customer and employee information within the enterprise
Enables businesses to define, implement and manage corporate privacy policies, building customer confidence, improving operational efficiencies and facilitating regulatory compliance.
For Consumers:
Award winning consumer software
Powerful personal firewall and flexible suite of applications enables consumers to secure against hackers and security threats, while protecting their personal information online
All information contained within is CONFIDENTIAL AND PROPRIETARY INFORMATION - © Zero Knowledge Systems Inc, <add month here>, 2000, Montreal, Canada. All rights reserved.
Stephanie Perrin, Chief Privacy OfficerZero-Knowledge Systems
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
What was Freedom Premium Services?
o Software solution that enables Internet users to:
• Regain control of their privacy
• Create their own identity
• Decide what they want to reveal to whom
• Protect themselves from being monitored and
profiled
o Freedom provides total Internet privacy for:
• www Surfing
• Internet Chat (IRC)
• Newsgroup posting
• Telnet
Nyms +
Encryption +
Network =
Total Internet
Privacy
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
Privacy in the enterprise
LegalIssuesLegalIssues
BusinessIssues
BusinessIssues
TechnologyIssues
TechnologyIssues
Business Challenges• Unlocking the business value of the data• Keeping promises of privacy to consumers• Collaborating successfully with legal and IT
Legal Challenges• Respecting the business issues• Grasping the data issues• Complying with complex regulations
and jurisdictions
CPO
Technical Challenges• Systems weren’t built for privacy• Lack of effective data management
tools
A collaborative, multi-disciplinary issue
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
Constituencies
o Legalo Policyo Government Relationso Marketingo Public relationso Consumero Civil Societyo Technologyo Standardso Securityo Law enforcemento Intelligence
WHO ARE YOU?
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
The Differences Between SecurityThe Differences Between Security & & PrivacyPrivacy
Protecting assets, including information
Controlling behaviour of individuals
Managing risk
Providing accountability
National Security needs
Information self-determination
The right to be let alone
Data minimization
Fundamental human rights
Public relations and Consumer Protection
SecuritySecurity PrivacyPrivacy
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
Some Differences Between Data Protection Some Differences Between Data Protection & & PrivacyPrivacy
traffic data, patterns, urls
information filled into forms
IP address
geographical data
Control of my own machine
Access by authorities
Fantasia: the new software
Extrapolation and human rights: discrimination, redlining
Personal InformationPersonal Information PrivacyPrivacy
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
Standards Activities
o The Canadian Standard, CSA Q 830o The ISO initiative for a management standardo CEN/ISS
• Set of best practices• No management standard• Audit practices• Criteria for PETS• Criteria for seals• Contract clauses• Ongoing technology brief• Consumer education
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
PETS and PETS: Standardization
How do we define a PET? Is it useful to distinguish between enhancing and enabling technologies?
What standardization activity would be useful? Do the Common Criteria Standards assist or add cost and confusion? Can we get some core criteria agreed?
Is each technology to be treated separately? Should the focus be on the potential for amending privacy
threatening technologies, such as face recognition, biometrics, authentication standards?
Who is watching all this? Can we all cooperate and share information?
www.cenorme.be/isss/Projects/DataProtection/IPSE
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
? $ ?
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
Who will have a Budget for privacy?
o Legalo Policyo Government Relationso Marketingo Public relationso Consumero Civil Societyo Technologyo Standardso Securityo Law enforcemento Intelligence
WHO IS THE CPO?
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
WHO is the CPO?
o Responsible for privacy complianceo Responsible for protection from litigation and liabilityo Coordinates between legal, IT, security, HR, PR,
marketing, government relations, etc.o Reports to the executive team on an issue that is
consistently top of consumer priorities, and has a direct impact on shareholder value
o Associations:• ACPO (international association of privacy officers, US)• Canadian CPO association• European privacy officers network (EPON)
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
Corporate Privacy Lifecycle
LawIndustryStandards
CustomerExpectations
BusinessRequirements
Audit Logs
Reporting
Training & Education
Rules & Procedures
Technology,Architecture & Planning
Data SourcesApplications
Reporting
Roles
Reporting
Modeling & Analysis
PolicyDevelop’t
PolicyDevelop’t
Practice/Enforcement
Practice/Enforcement
DataHandlingAssess’t
DataHandlingAssess’t
Compliance/Risk
Assess’t
Compliance/Risk
Assess’t
OngoingMonitoring &
Mgmt.
OngoingMonitoring &
Mgmt.
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
Need for privacy management tools
Managing privacy introduces additional complexity into everyday operations:
o Audits and compliance issueso Resource commitment: human resources, time,
moneyo Potential bottleneck to acting quickly on opportunitieso Collaboration across divisions, departmentso Employee Training
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
About Enterprise Privacy Manager
o Client-server application that allows an organization to model its data-handling rules and practices, and then analyze the gaps between current and future policy, practice, and regulation.
Server• Centralized data discovery• Collaboration server
Client• Policy creation• Activity modeling• “What-if” analysis• Reports
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
EPM analyses
o Policy-oriented• “Show me all the data that’s covered by this specific policy
statement.”o Data-oriented
• “Show me every policy which applies to this data field.”o Purpose-oriented
• “If I wanted to up-sell additional services, whichdata is okay to use?”
o Role-oriented• “Which data is okay to share with affiliates?
Which isn’t?”o Action-oriented
• “Can we produce a report which shows every group that collects data on one page and everyone who shares data with outside parties on another?”
Examining rules and practices from every angle
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
EPM
Regulatory compliance and risk management
Effective use of information assets
Building brand, consumer trust
PolicyDevelop’t
PolicyDevelop’t
Practice/Enforcement
Practice/Enforcement
DataHandlingAssess’t
DataHandlingAssess’t
Compliance/Risk
Assess’t
Compliance/Risk
Assess’t
OngoingMonitoring &
Mgmt.
OngoingMonitoring &
Mgmt.
EPMEPM
Efficient collaboration across the company
Creating digital policy is important at every stage
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
The Value of EPM
o Reduces cost of compliance o Improves operational efficiencies
• Save time, money; training tools
o Improves use of customer and employee informationo Simplifies audit needs
• Easy-to-use, accessible analytical tools
o Enables rapid response to opportunity analysis • Reduce bottlenecks in change management with “what-if”
analysis capability
o Decreases risk of brand damage or PR exposure• Timely, detailed reports on data handling
o Safeguards customer and employee trust
Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001
Privacy by Design Conference
o Extensive information on privacy and security technologies, products, legal, and business issues
o Comprehensive, technology-based solutions and strategies for managing privacy and customer information
Sponsors Select Speakers
• Axciom• Oracle • HP• IBM • Earthlink • Equifax • Sun
• Nokia • Tivoli• Bell Canada• Daimler
Chrysler • Lufthansa• DoubleClick
Join us December 3-5th 2001, in Montreal