PRIVACY, CYBER SECURITY AND ISO 27001. HOW ARE THEY RELATED?
Concerns about privacy are as old as humanity. Because of the protection of one’s body and property in ancient times, it has become intimately linked to when, how, and to what extent one’s data and information are shared with others. And regardless of body, property, or information, privacy depends on three critical factors.
First, although people seek to protect their privacy. They invariably choose to sacrifice it in exchange for perceived benefits such as money, prestige or convenience, ignoring potential dangers and losses.
Second, the desire of governments/organizations to pass privacy laws is not always in the interests of individuals. Sometimes it is done in the name of the “greater good.”
And finally, technology. As a key point in the fight against privacy, technology increasingly provides the means for people, organizations and governments to collect, aggregate and analyze more and more information more quickly. Accidental or intentional breaches of privacy, becoming more and more serious and pervasive.
On the other hand, the same technological environment known as cyberspace can provide solutions that help properly protect the privacy of individuals, business organizations and governments. At the same time, allow them to fully enjoy modern life safely.
These solutions, along with other non-technological measures, are known as cybersecurity. The purpose of this article is to provide a perspective on how privacy concepts should be considered in cyberspace activities, and how standards, particularly ISO 27001 and structures already available in the marketplace, can help in the comprehensive management, implementation, operation and improvement of cybersecurity.
What should be considered privacy?
While some meanings of privacy may be simple: “being away from other people” or “being out of the public eye,” the boundaries and content of what is considered private and what constitutes an invasion of privacy vary across cultures and people (some languages don’t even have a specific word for “privacy”). However, the following common themes often emerge:
The right to be left alone: when a person chooses to be secluded from the attention of others if he/she wishes to do so, including a state of immunity from inspection or surveillance in a private setting.
Restricted access: the ability to participate in a group, regardless of size, without others gathering information about them.
Control of information: the degree to which an individual can influence information about himself or herself.
Privacy states: privacy is not a binary thing, the degree of which depends on how many people are “isolated” from themselves. Some common levels are considered:
Loneliness (complete separation from others),
intimacy (only a couple or small group of people share a relationship),
anonymity (when someone wishes to be in public so that they are not recognized),
reserve (when someone requires others to respect his/her need to limit the transfer of information about him/herself).
Secrecy: refers to any information that a person wishes to withhold because, in his/her opinion, it could be used to his/her detriment. It is important to note that while these concepts are mainly focused on individuals, they also apply to some extent to organizations and governments (for example, organizations and governments also seek to hide information that they believe could be used to their detriment).
In addition, it is important to consider that privacy can be seen as something absolute, as attackers often use aspects of privacy to conceal their activities (which is one of the main arguments for those who want to limit privacy rights).
Risks to privacy in cyberspace
When we think of “cyberspace” as “the electronic world created by interconnected networks of information technology and the information in those networks,” with the Internet being its most prominent example, and current and anticipated levels of computing power, we can assume the following risk-space:
|Powerful and portable computing devices (e.g., smartphones, tablets, and laptops) are more likely to facilitate the collection, aggregation, and distribution of information||Increase in the number of people performing activities in cyberspace||Collecting information beyond its primary purpose|
|Increased number of third-party relationships (e.g., connectivity providers and applications)||Increase in sources for data collection (e.g., IP cameras, biometrics, GPS, RFID, etc.)||Retention of information beyond its intended use|
|Increased concentration of cyberspace infrastructure (e.g., data centers and communication backbones)||Uneducated/uninformed users about privacy in cyberspace||Disclosing confidential information about one’s life or business|
|Laws and regulations that violate privacy||Lack of privacy concerns in application/system development||Misrepresentation and reputation risks|
|Professionalization of attackers (e.g., individual hackers)||More valuable data is stored electronically and handled on a massive and centralized scale (e.g., data warehouses)||Identity theft|
|Information is shared, merged and linked together with greater frequency||Applications/systems without adequate privacy protection features/ controls|
|Use of shared credentials to access multiple systems|