A Model Enabling Law Compliant Privacy Protection through the Selection and Evaluation of Appropriate Security Controls
The broad adoption of, and increasing reliance on, computing and communication systems in application domains such as health services, insurance, telecommunication and direct marketing leads to the creation, collection and processing of enormous amounts of personal data. Responding to this development, international bodies, the European Union and various countries have established personal data protection laws and supervisory Authorities to regulate and control their application. The legal framework requires the adoption of appropriate security measures, which may differ from those a data controller would specify on the basis of business needs alone, since personal data are assets whose value may differ for the data subjects and for the controllers. In this paper, we propose a security control selection model that supports data controllers in methodically choosing security measures compliant with the privacy protection laws in force. We also propose a process for methodically assessing the privacy protection requirements according to the related legal provisions and the selected and implemented security controls.