Application Privacy Assessments
Published: May 14, 2010
Authors: Ken Stavinoha, Senior Security Consultant, Microsoft Security Center of Excellence and Javier Salido, Senior Program Manager, Microsoft Trustworthy Computing
Data protection has become a key ingredient for success in business. Customers, employees and stockholders expect that confidential information—especially personally identifiable information (PII)—will be handled appropriately, and regulators are demanding increasingly stringent privacy safeguards. Finding the appropriate mix of practices and procedures to ensure privacy and confidentiality while meeting business objectives has become a challenge for organizations. Microsoft believes that data privacy and confidentiality, along with related compliance obligations, must be approached holistically, integrated into business processes, and embraced throughout the organization in order for data protection goals to be achieved.
One challenging data protection-related area involves the deployment of software applications in the enterprise. The types of data collected, generated, transferred, and processed by applications can directly affect privacy and confidentiality. Existing applications should be evaluated for data protection gaps, and those in development should have privacy and confidentiality considerations incorporated as part of the design process. The Application Privacy Assessment is a questionnaire that can help your organization with this process. It is important to note, however, that this approach is not an exhaustive data privacy and security assessment and should be used as one component of a comprehensive data protection program.
The concept of the information lifecycle is helpful in this context because in order to select appropriate technical controls and activities to protect confidential data, you must first understand how information flows throughout your organization over time and how information is accessed and processed at different stages—by multiple applications and people and for various purposes. The image below illustrates the information lifecycle and its phases:
Information technology professionals are well acquainted with the stages in this lifecycle, so we will not discuss them in detail. It is important, however, to underscore the need to include a “Transfer” stage. As data is copied or removed from storage as part of a transfer, a new information lifecycle begins, and you will want to carefully review data protection measures. It is important to understand transfer vehicles (private network, the Internet, courier) as well as their inherent risks. (For example, media sent by postal mail can be lost or stolen.) A transfer also requires understanding how the recipient organization’s policies, systems, and practices might differ from those of the current keepers of the data. (Does the recipient have the same security capabilities and processes as the current keepers of the data? If not, should something be done to the data or the process before the data is transferred?)
Another aspect of data transfers that you will want to consider is that individuals and departments sometimes run reports or extract subsets of data from centralized databases for processing, in the form of document files and spreadsheets. These files can also easily be transferred as email attachments or saved to different types of devices. Given that more than 60 percent of data breaches in 2009 were attributed to lost or stolen laptops or media, such data transfer practices should be of concern to organizations.
Data Privacy and Confidentiality Principles
The questions in the assessment questionnaire align with four key data privacy and confidentiality principles. These principles can help in the selection of technologies and activities that will protect confidential data assets. The principles are high-level statements that can be followed by more detailed guidance—clear and concise statements or questions that can help guide the risk management and decision-making processes.
The four principles are:
Note that the use of a data classification taxonomy and an associated use policy are prerequisites for successful data protection efforts.
To learn more about how the information lifecycle and the privacy and confidentiality principles can be used to evaluate privacy, security, and noncompliance threats and to manage associated risks, see “A Guide to Data Governance for Privacy, Confidentiality, and Compliance: Part 3: Managing Technological Risk” from Microsoft Privacy.
Before using the assessment questionnaire, organizations will need to do the following:
Understand the organization’s policies for privacy and data protection. The key is to know how the organization classifies information (especially PII) and specifies handling and retention procedures for the various classifications. Examples of such classification can be found in ISACA’s COBIT 4.1 – PO2.3 Data Classification Scheme, and in the ISO/IEC 27002 Standard Code of Practice for Information Security.
Identify relevant laws, regulations, and standards and their effect on the application. It is important to understand the compliance factors that can affect the organization and its privacy/data protection processes. “Regulated data” will likely require special handling, and this can affect the design and operation of Web pages, back-end databases, and everything in between. A good example of this can be found in some of the data breach notification laws that have been enacted in different parts of the world, which require that individuals whose personally identifiable information has been breached be notified of the incident. Many of these laws release the organization that suffered the breach from such a requirement if the breached data was encrypted at the time of the incident.
Engage appropriate employees in application assessment. Locate and engage developers, testers, and users who can provide information on application design and operation. Program managers or application owners should be able to provide a business justification for the collection and/or retention of PII or other confidential data by an application. Management involvement is typically necessary only to ascertain the level of acceptable risk or to mediate conflicting viewpoints.
Using the Application Privacy Assessment
The questions in the Application Privacy Assessment are based on guidance and best practices from Microsoft, and the questionnaire should be considered only one element of an organization’s larger privacy and data protection assessment process. The questions can and should be customized to fit each organization’s policies, processes, market, and overall environment. The assessment takes the form of three spreadsheets in a Microsoft Excel workbook: Application, Application Environment, and Organizational. Each sheet represents a phase of a privacy assessment, beginning in a specific target area—the application—and expanding to encompass the application environment and then the organizational practices and structure. The Application and Organizational questions are grouped according to the four data privacy and confidentiality principles and then by category (such as Data Collection). In the Application Environment sheet, the questions are grouped by technology domains and the avenue of threat for data disclosure (such as e-mail, Web access, malware, and so on).
An important goal for the organization is to achieve an enhanced level of maturity in the way it manages private information. The organization can record the initial answers to establish what the current practices are. Over time, it can record updated answers in successive boxes to track progress. Due to the dynamic nature of privacy compliance, this will likely be an iterative process that leads to refinements and improvements rather than a project with set milestones.
A holistic approach to integrating privacy and data protection into business processes can help facilitate continuous improvement in the privacy maturity of an organization. You can access Microsoft’s Trustworthy Computing privacy resources at www.microsoft.com/mscorp/twc/privacy/resources.mspx and the company’s Data Governance resources at www.microsoft.com/datagovernance.