cybersecurity ecosystem: the documentation dimension
full professor | director of CRDP
www.gautrais.com
www.crdp.umontreal.ca
www.twitter.com/gautrais
Ottawa | 04/22/2015
plan
1. State of the Art + Individual Normativity
   1. State of the Art in General (facts)
   2. State of the Law (law)
2. Suspicious + Individual Normativity
   1. Suspicious about I.N. Process (facts)
   2. Suspicious about I.N. Law Recognition (law)
[Diagram: three levels of normativity]
Formal Level: Laws, Regulations, Contracts, Policies
Informal Level / Documentation Level: Standards, Guidelines, Norms, Methods, Codes of Conduct, Principles, Procedures
Daniel J. Weitzner, Harold Abelson, Tim Berners-Lee, Joan Feigenbaum, James Hendler, and Gerald Jay Sussman, Information Accountability (2007)
“This paper argues that debates over online privacy, copyright, and information policy questions have been overly dominated by the access restriction perspective. We propose an alternative to the “hide it or lose it” approach that currently characterizes policy compliance on the Web. Our alternative is to design systems that are oriented toward information accountability and appropriate use, rather than information security and access restriction.”
“In many cases it is only by making better use of the information that is collected, and by retaining what is necessary to hold data users responsible for policy compliance that we can actually achieve greater information accountability.”
Quite the same at the federal level (Canada Evidence Act):
(31.3) the integrity of an electronic documents system by or in which an electronic document is recorded or stored is proven (…) the computer system or other similar device used by the electronic documents system was operating properly (…)
PIPEDA
4.1 Principle 1 — Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles. (…)
4.1.4 Organizations shall implement policies and practices to give effect to the principles, including
• (a) implementing procedures to protect personal information;
• (b) establishing procedures to receive and respond to complaints and inquiries;
• (c) training staff and communicating to staff information about the organization’s policies and practices; and
• (d) developing information to explain the organization’s policies and procedures.
on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD))
“the possible over-inclusiveness or under-inclusiveness of existing legal rules as applied to new practices” (L. Bennett-Moses, 2010)
1. ISO/IEC 27018:2014, Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
2. ISO/IEC 29100:2011, Information technology – Security techniques – Privacy framework.
3. ISO/IEC WD 29134, Privacy Impact Assessment – Methodology.
4. ISO 13008:2012, Information and documentation – Digital records conversion and migration process.
5. ISO 13008:2012, Information and documentation – Digital records conversion and migration process (PDF).
6. ISO/TR 23081-3:2011, Information and documentation – Managing metadata for records – Part 3: Self-assessment method.
7. ISO 23081-1:2006, Information and documentation – Metadata for records – Part 1: Principles.
8. ISO 23081-2:2009, Information and documentation – Managing metadata for records – Part 2: Conceptual and implementation issues.
9. ISO/TR 26122:2008, Information and documentation – Work process analysis for records.
10. ISO 16175-1:2010, Information and documentation – Principles and functional requirements for records in electronic office environments – Part 1: Overview and statement of principles.
11. ISO 16175-2:2011, Information and documentation – Principles and functional requirements for records in electronic office environments – Part 2: Guidelines and functional requirements for digital records management systems.
12. ISO 30300:2011, Information and documentation – Management systems for records – Fundamentals and vocabulary.
13. ISO 30301:2011, Information and documentation – Management systems for records – Requirements.
14. ISO 15489-1:2001, Information and documentation – Records management – Part 1: General.
15. ISO/TR 15489-2:2001, Technical Report, Information and documentation – Records management – Part 2: Guidelines.
Mainstream Canada v. Staniford, 2012 BCSC 1433 « [23] Among other things, Cermaq has published the principles governing its sustainability program and reported on the company’s performance, using the standards set by the Global Reporting Initiative (“GRI”) for sustainability reporting. Since 2010, the sustainability reporting is also subject to review by KPMG’s sustainability team. Ms. Bergan explained further that, if Cermaq deviates from the indicators that are part of the GRI, Cermaq must disclose the manner in which it has done so. This manner of reporting, using the GRI standards, applies to both Cermaq and Mainstream, according to Ms. Bergan. »