
      The increased use of information systems is generating many benefits, but it has created an ever larger gap between the need to protect systems and the degree of protection actually achieved. Society, including business, public services, and individuals, has become very dependent on technologies that are not yet sufficiently dependable. Often, information systems are vulnerable to attack or to failure. Certain information systems, both public and private, such as those used in power grids, military or defense installations, nuclear power plants, hospitals, transport systems, and securities exchanges, offer fertile ground for antisocial behavior or terrorism. Yet users need to have confidence that information systems will operate as intended, without unanticipated failures or threats to personal security and privacy.

      2.5.1 Security as Personal Priority

      The right to security of the person is guaranteed by Article 3 of the Universal Declaration of Human Rights [UN 1948], which reads:

      Everyone has the right to life, liberty and security of person.

      Article 12 of the same document reads:

      No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

      With the proliferation of computers, the individual's right to privacy is threatened by the uses of personal information that new technology and the Internet make possible. As a result, privacy policies (such as those described in [OECD 1980]) have been adopted in many countries around the world. Other publications assess the impact of technology on the private lives of people (e.g. [Britz 1996]).

      2.5.2 Protection of Private Information

      In 2010, the OECD celebrated the 30th anniversary of the guidelines for protection of privacy and flows of personal data [OECD 1980] through a series of events and papers such as [OECD 2011]. This report presents an overview of other documents that were published after the guidelines (e.g. [OECD 2002], [OECD 1999]). Also, it provides an analysis of the importance of the privacy guidelines document of 1980. The report shows that there were still privacy risks for organizations, individuals, and society even 30 years after the publication of the guidelines in 1980. Examples of risks and issues include the following [OECD 2011]:

      • Certain risks associated with privacy have increased as a result of the shift in scale and volume of personal data flows and the ability to store data indefinitely.

      • The definition of personal data in the guidelines is broad (any information related to an identified or identifiable individual). Given the current power of analytics and the apparent limitations of anonymization techniques, this means that vast amounts of data now potentially fall under the scope of privacy regimes.

      • The increasing economic value of personal data gives rise to concerns related to the security of personal data, unanticipated uses, monitoring, and trust.

      • Organizations often retain large amounts of personal data for various purposes.

      • High‐profile data breaches have shone a light on the challenges of safeguarding personal data; the concepts of data controller and data processor raise new concerns.

      • An increasing concern that the long‐standing territorial/regional approaches to data protection may no longer be sufficient as the world increasingly moves online and data is available everywhere, at any time.

      • Uncertainty over questions of applicable law, jurisdiction, and oversight, given the global nature of data flows; some organizations may not always be able or willing to tailor their services to meet the specific needs of each jurisdiction.

      • Differences that remain among various national and regional approaches to data protection, which are more noticeable when applied to global data flows.

      • Increasing difficulty for individuals to understand and make choices related to the uses of their personal data; these uses are becoming increasingly complex and nontransparent to individuals.

      • Advances in technology and changes in organizational practices, which have transformed occasional transborder transfers of personal data into a continuous multipoint global flow.

      As a result of this environment, the security of personal data has become an issue of concern to governments, businesses, and citizens [OECD 2011]. The report shows that the volume of personal data being transferred over public networks and retained by organizations has changed the risk profile, potentially exposing larger quantities of data in a single data breach. A data breach is a loss, unauthorized access to, or disclosure of personal data as a result of a failure of the organization to effectively safeguard the data. Data breaches can be attributed to both internal and external factors as discussed in [OECD 2011]:

      • Internal factors, such as errors or deliberate malicious activity on the part of employees, as well as errors or malicious activity on the part of third parties that process personal data on behalf of organizations. The potential harm to individuals ranges from identity theft to the misuse of their personal data. Organizations are affected too: a substantial financial cost in recovering from the breach and fixing problems within the organization to prevent a recurrence; possible legal actions, including private actions or fines levied by various authorities, where allowed; and costs to the organization's reputation and a loss of trust or confidence, which can have serious financial consequences.

      • External factors, including intrusion by outside threat agents (e.g. malware). Both organizations and individuals are at risk, including individuals' home computers and other devices.

      Other developments of recent years include:

      • A focus on finding common approaches to privacy protection at a global level, such as the development of international standards, as a response to the borderless nature of data flows, concerns around impediments to those flows, and the different cultural and legal traditions that have shaped the implementation of the privacy guidelines over the past 30 years.

      • Finding global solutions and a better understanding of different cultures' views of privacy and the social and economic value of transborder data flows may help to achieve this goal.

      • Seeking consensus on developing privacy protections in an increasing number of countries besides OECD members.

      • Increased support from the global privacy community and commitment within international organizations, governments, and privacy enforcement authorities to addressing current challenges.

      Many activities and policies for cybersecurity and privacy are supported by the Department of Homeland Security (DHS) in the United States [DHS 2016a]. One example is the policy of 2008 that declares the Fair Information Practice Principles (FIPPs) as the foundation and guiding principles of the DHS's privacy program. FIPPs are time‐tested and universally recognized principles that form the basis of the Privacy Act of 1974 and dozens of other federal privacy and information protection statutes. Also, a recent Executive Order [WH 2013] directs DHS to issue an annual report using the FIPPs to assess the Department's cyber operations under the Executive Order.

      2.5.3 Protecting Cyberspace as a National Asset

      In light of the risk and potential consequences of cyber events, strengthening the security and resilience of cyberspace has become an important homeland security mission in the United States [DHS 2015]. However, emerging cyber threats require engagement from the entire American community to create a safer cyber environment – from government and law enforcement to the private sector and, most importantly, members of the public. Cybersecurity is a shared responsibility, as pointed out by DHS [DHS 2016b].
