Article written on 26 October 2010
During the European Security and Information System congress, the CNIL released a guide on the security of personal data. This guide aims to help security managers comply with the « Data Processing, Data Files and Individual Liberties » law and to ensure the security of personal data. This article summarises the recommendations of that guide.
Context and presentation
Ever more personal data are being processed, and in parallel the threats to information systems are increasing (see on this topic the Cert-IST 2009 annual report on vulnerabilities and attacks). Throughout their lifecycle, personal data must therefore be protected against loss of confidentiality, loss of integrity, misappropriation or plain loss.
Organisation of the guide
The CNIL guide consists of 17 sheets that allow security managers to evaluate the level of security of personal data in their organisation.
Each sheet is divided into three sections: the elementary precautions for data security, the things to avoid, and a third section that lets the reader go further on the sheet's topic. The themes covered are: risk management, user authentication, accreditation management and user awareness, workstation security, mobile equipment security, backups and activity continuity, maintenance, traceability and incident handling, office security, internal network security, server and application security, outsourcing, storage, exchange of information with other organisations, software development, anonymisation and encryption.
The following examples give an idea of the sheets presented in this guide.
Sheet n°1: Which risks?
This first sheet allows those responsible for data processing to take the measures needed to protect the data from the risks they face.
The elementary precaution is to formalise the risks in a complete document, which must be kept up to date regularly. This document must list the personal data and the associated processing operations, identifying the supports on which these operations rely. The possible impacts on privacy must be identified, along with the risks and threats, so that appropriate security measures can be put in place.
Three things in particular must be avoided: conducting the risk study alone, performing an overly detailed study, and choosing inappropriate measures.
Several directions let the reader go further, for instance setting up a security budget, using a method such as EBIOS, training the persons in charge of the risk analysis, or carrying out a security audit.
Sheet n°5: How to secure mobile devices?
This sheet deals with the protection of data handled by laptops and mobile phones, USB keys and any other mobile device. The risks related to these devices were indeed mentioned in the Cert-IST 2009 annual report quoted above; it is therefore essential to secure the personal data they handle.
As an elementary precaution, the guide recommends encrypting storage spaces, either at hardware level or at software level, or else using file encryption or creating encrypted containers.
The thing to avoid is keeping personal data on these mobile devices when travelling abroad. The guide recalls the advice published by ANSSI in the document « Passport advice to travellers ». The section « To go further » recommends locking the device after a period of inactivity, as well as using a fingerprint reader.
Sheet n°8: Traceability and incident handling
Another interesting example for personal data is logging the actions performed on a system. This is indeed crucial when investigating an incident (e.g. unauthorised access to personal data or fraudulent use of such data).
The elementary precaution recommended by the CNIL is to set up a reliable logging system that records accesses, errors and security events, with a retention period that does not exceed six months.
In the section « things to avoid », the CNIL recommends not using these logs for purposes other than the proper operation of the information system.
The section « To go further » gives recommendations on the synchronisation of information systems and on handling security vulnerabilities that may affect these systems.
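One way to apply the six-month retention limit from Sheet n°8 to a log file, as an added example (not code from the CNIL guide); the log lines are constructed, and the cut-off is computed in calendar months, clamping day numbers that do not exist in the target month:

```python
"""Enforce the six-month retention limit on access/error/security logs.
Added example (not from the CNIL guide); log lines are constructed."""
import calendar
import datetime as dt

def retention_cutoff(today_iso: str, months: int = 6) -> str:
    """Date `months` calendar months before `today_iso` (YYYY-MM-DD),
    clamped to the last day of the target month (31 Aug -> 28/29 Feb).
    Records dated before this day must be purged."""
    today = dt.date.fromisoformat(today_iso)
    year, month = today.year, today.month - months
    while month <= 0:
        month += 12
        year -= 1
    last_day = calendar.monthrange(year, month)[1]
    return dt.date(year, month, min(today.day, last_day)).isoformat()

def split_by_retention(lines, today_iso: str):
    """Partition timestamped log lines (ISO-8601 first token) into
    (keep, purge, malformed). Malformed lines are not silently dropped:
    a line that cannot be dated is reported for manual review."""
    cutoff = retention_cutoff(today_iso)
    keep, purge, malformed = [], [], []
    for line in lines:
        stamp = line.split(" ", 1)[0][:10]  # YYYY-MM-DD part only
        try:
            dt.date.fromisoformat(stamp)
        except ValueError:
            malformed.append(line)
            continue
        # ISO dates compare correctly as strings
        (keep if stamp >= cutoff else purge).append(line)
    return keep, purge, malformed

SAMPLE_LOG = [  # constructed sample lines, not real logs
    "2010-10-20T08:12:03 ACCESS user=alice file=customers.db result=ok",
    "2010-04-26T23:59:59 ACCESS user=bob file=customers.db result=denied",
    "2010-04-25T10:00:00 ERROR service=export code=500",
    "2010-03-01T07:30:00 SECURITY event=login_failure user=mallory",
    "garbled line without a timestamp",
]

if __name__ == "__main__":
    keep, purge, bad = split_by_retention(SAMPLE_LOG, "2010-10-26")
    print(f"keep={len(keep)} purge={len(purge)} malformed={len(bad)}")
```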
Sheet n°15: Computer developments
The last example we will consider is the protection of personal data during application development.
In the section « Elementary precautions », the CNIL recalls the basic security principles for development: using a development environment distinct from the production environment, and integrating security from the design stage of applications. These principles have long been known but are still often neglected.
The thing to avoid is using real personal data for development or, if they are used, failing to disguise them so that they no longer identify real persons.
To go further on developments, the CNIL recommends minimising the personal data collected, using a format compatible with the retention period of these data, integrating access control to these data during development, and avoiding free-text fields (or else accompanying them with a notice about the access rights to the information entered).
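The following is an added example (not code from the CNIL guide) of how Sheet n°15's advice can be applied before copying records into a development environment: direct identifiers are replaced by keyed, deterministic pseudonyms so joins still work, and free-text fields are redacted outright. The field names, records and key are constructed; the key must stay in production and never reach the development side.

```python
"""Pseudonymise production records before they enter a development
environment. Added example (not the CNIL guide's code); records and
key are constructed."""
import hmac
import hashlib

DIRECT_IDENTIFIERS = ("customer_id", "email", "name")  # replaced by tokens
FREE_TEXT = ("comments",)                               # redacted outright

def pseudonym(field: str, value: str, key: bytes, length: int = 16) -> str:
    """Keyed, deterministic token: equal inputs give equal tokens, so joins
    between tables still work, but without `key` the token can neither be
    reversed nor recomputed from a guessed value (unlike a plain hash)."""
    msg = f"{field}:{value}".encode("utf-8")  # field name separates domains
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:length]

def pseudonymise_record(record: dict, key: bytes) -> dict:
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonym(field, str(value), key)
        elif field in FREE_TEXT:
            out[field] = "<redacted>"
        else:
            out[field] = value  # non-identifying business data kept as-is
    return out

def pseudonymise_dataset(records, key: bytes):
    return [pseudonymise_record(r, key) for r in records]

def leaks_identifiers(original: dict, pseudonymised: dict) -> bool:
    """Pre-export sanity check: every identifying or free-text field must
    have been replaced (its value differs from the original)."""
    return any(pseudonymised.get(f) == original[f]
               for f in DIRECT_IDENTIFIERS + FREE_TEXT if f in original)

SAMPLE_RECORDS = [  # constructed, fictitious customer rows
    {"customer_id": 1042, "name": "Jane Doe", "email": "jane@example.org",
     "plan": "premium", "comments": "called about invoice 77"},
    {"customer_id": 1042, "name": "Jane Doe", "email": "jane@example.org",
     "plan": "premium", "comments": "address change"},
]

if __name__ == "__main__":
    for row in pseudonymise_dataset(SAMPLE_RECORDS, b"constructed-test-key"):
        print(row)
```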
At the end of the guide, a questionnaire lets IT managers assess the security level of personal data in their organisation.
The CNIL president (Alex TÜRK) also notes that this guide is probably not perfect, being either too detailed or not detailed enough depending on the reader's profile, but indicates that a more precise document is being prepared.