The PIA concept from directive 95/46 to the current draft of the EU – Part 2

By | Tuesday July 21st, 2015

Further developments

After the first wave of PIA methods, further ideas have been proposed in the last two years. Unfortunately, they add complexity rather than helping controllers, processors and operators.

In 2014 the European Commission, dealing with smart grids, promoted another model for PIAs. This model has theoretical errors (e.g. “feared events” and “threats” are treated as if they described different things) and requires a much more complex method (74 pages!) than the previous one: “impact” and “likelihood” are now split into 4 parameters (ease of identification of data subjects, impacts on data subjects, extent of vulnerabilities, and capability of threats to exploit those vulnerabilities). In the end, the risk level is expressed as one of 4 values: risks with high severity and high likelihood, risks with high severity but low likelihood, risks with low severity but high likelihood, and risks with low severity and low likelihood.

This model, including a DPIA template, is available on the web: http://ec.europa.eu/energy/en/topics/markets-and-consumers/smart-grids-and-meters.

In July 2015 CNIL, the French data protection authority, issued PIA guidelines aligned with the more complex smart grid model. They also introduce odd ideas, such as identifying security controls before the risk analysis. The guidelines are available on the web in French: http://www.cnil.fr/linstitution/actualite/article/article/etude-dimpacts-sur-la-vie-privee-suivez-la-methode-de-la-cnil/.

The CNIL guidelines are also available in English: http://www.cnil.fr/english/news-and-events/news/article/privacy-impact-assessments-the-cnil-publishes-its-pia-manual/.

The smart grid and CNIL models obviously ignore one of the first principles of security: keep it simple, stupid (the “KISS principle”).

The last actor is ISO/IEC JTC1 SC27 WG5 (a working group close to the one that maintains ISO/IEC 27001), which is working on a future standard, ISO/IEC 29134 (in the best case, it will be published at the end of 2016). At the time of writing, this proposal is more KISS-oriented and requires a risk analysis based on only two variables (impact and likelihood).

Category: Impact, Risk and Measures

About Cesare Gallotti

More than 15 years of experience in information security and IT process management. Italian representative at ISO/IEC SC 27 WG1 international meetings for writing the ISO/IEC 27000 family of standards. Activities in Italy, Europe, Asia and Africa for companies of various sizes and market sectors. Consultancy, training and audit for information security, quality, compliance with legal requirements (personal data protection, SOX, etc.), compliance with international standards (ISO 9001, ISO/IEC 27001, ISO/IEC 20000, ISO 22301, etc.), and process improvement.
