cybersecurity ecosystem: the documentation dimension
full professor | director of crdp
www.gautrais.com | www.crdp.umontreal.ca | www.twitter.com/gautrais
Ottawa | 04/22/2015

Upload: gautrais

Post on 19-Jul-2015



considering legal aspects of i.t.

privacy

evidence

contract

copyright

business

etc.

Vincent Gautrais, La preuve technologique, LexisNexis, Montréal, March 2014.

conclusion

Individual normativity is the right tool …

conclusion

but we need more control over them!

plan

1. State of the Art + Individual Normativity
   1. State of the Art in General (facts)
   2. State of the Law (law)
2. Suspicion + Individual Normativity
   1. Suspicion about the I.N. Process (facts)
   2. Suspicion about I.N. Law Recognition (law)

1 – State of the art of the individual normativity phenomenon

1.1 – generalisation of individual normativity in general

documentation

accountability

modelling

code of conduct

audit

etc.

guidelines

privacy by design

Laws / Regulations

Contract / Policies

Formal Level

Informal Level

Documentation Level

Standards

Guidelines / Norms

Methods / Codes of Conduct

Principles

Procedures

Certification Service Provider Example

in all laws, documentation was the main thing that CSPs had to provide

2 main reasons behind this phenomenon

1 – complexity

2 – technology

Daniel J. Weitzner, Harold Abelson, Tim Berners-Lee, Joan Feigenbaum, James Hendler, and Gerald Jay Sussman, Information Accountability (2007)

“This paper argues that debates over online privacy, copyright, and information policy questions have been overly dominated by the access restriction perspective. We propose an alternative to the “hide it or lose it” approach that currently characterizes policy compliance on the Web. Our alternative is to design systems that are oriented toward information accountability and appropriate use, rather than information security and access restriction.”

“In many cases it is only by making better use of the information that is collected, and by retaining what is necessary to hold data users responsible for policy compliance that we can actually achieve greater information accountability”

process of security


1.2 – generalisation of individual normativity in a specific legal context

example 1

law + security

An Act to Establish a Legal Framework for Information Technology, CQLR c C-1.1

Documentation and Quebec Law

Transfer (17)

Communication (30 + 34)

Retention (21)

Evidence in general

Quite the same at the federal level

(Canada Evidence Act)

(31.3) the integrity of an electronic documents system by or in which an electronic document is recorded or stored is proven (…) the computer system or other similar device used by the electronic documents system was operating properly (…)

legal revolution

1 – respect of the double evidence rule

document itself / documentation on the document

2 – document managed by yourself

example 2

law + privacy

PIPEDA

4.1 Principle 1 — Accountability

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles. (…)

4.1.4 Organizations shall implement policies and practices to give effect to the principles, including

• (a) implementing procedures to protect personal information;
• (b) establishing procedures to receive and respond to complaints and inquiries;
• (c) training staff and communicating to staff information about the organization’s policies and practices; and
• (d) developing information to explain the organization’s policies and procedures.

on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD))

example 3

law + environment

Quebec Environment Quality Act

(RLRQ c Q-2)

Etc.

Program (39)

Policies (15)

Plans (22)

Measures (93)

Strategy (2)

Norms (90)

Plan (129)

2 – Suspicion about individual normativity

“the possible over-inclusiveness or under-inclusiveness of existing legal rules as applied to new practices”

(L. Bennett-Moses, 2010)

2.1 – Suspicion about the individual normativity process

1 – lack of protection

ex.: Global Reporting Initiative (“GRI”) for sustainability reporting

Example of Hydro-Québec

2 – too many norms

ex.: ISO

1. ISO/IEC 27018:2014, Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
2. ISO/IEC 29100:2011, Information technology – Security techniques – Privacy framework.
3. ISO/IEC WD 29134, Privacy Impact Assessment – Methodology.
4. ISO 13008:2012 – Information and Documentation – Digital records conversion and migration process.
5. ISO 13008:2012 – Information and documentation – Digital records conversion and migration process (PDF).
6. ISO/TR 23081-3:2011 – Information and Documentation – Managing Metadata for Records – Part 3: Self-Assessment Method.
7. ISO 23081-1:2006 – Information and Documentation – Metadata for records – Part 1 – Principles.
8. ISO 23081-2:2009 – Information and documentation – Managing metadata for records – Part 2: Conceptual and implementation issues.
9. ISO/TR 26122:2008 – Information and documentation – Work Process Analysis for Records.
10. ISO 16175-1:2010 – Information and documentation – Principles and functional requirements for records in electronic office environments – Part 1: Overview and statement of principles.
11. ISO 16175-2:2011 – Information and documentation – Principles and functional requirements for records in electronic office environments – Part 2: Guidelines and functional requirements for digital records management systems.
12. ISO 30300:2011 – Information and Documentation – Management Systems for Records – Fundamentals and Vocabulary.
13. ISO 30301:2011 – Information and Documentation – Management Systems for Records – Requirements.
14. ISO 15489-1, Information and Documentation – Records Management, Part 1 – General, 2001.
15. ISO/TR 15489-2, Technical Report, Information and Documentation – Records Management, Part 2 – Guidelines, 2001.

3 – who is in control?

4 – cost of standardization

ex.: AFNOR (FR) / BSI (UK)

ex.: Sarbanes-Oxley Act

2.2 – Suspicion about the legal recognition of individual normativity

jurisprudence is mainly in favour of new technologies

ex 1: email acceptance (Vandal c. Salvas, 2005 QCCQ 40771)

ex 2: wikipedia page (reference to the page history)

ex 3: paper version of “.xls” (Stadacona, s.e.c./Papier White Birch c. KSH Solutions inc., 2010)

ex 4: digital picture (with no reference to metadata)

No respect of the double evidence rule

document itself / documentation on the document

Mainstream Canada v. Staniford, 2012 BCSC 1433 « [23] Among other things, Cermaq has published the principles governing its sustainability program and reported on the company’s performance, using the standards set by the Global Reporting Initiative (“GRI”) for sustainability reporting. Since 2010, the sustainability reporting is also subject to review by KPMG’s sustainability team. Ms. Bergan explained further that, if Cermaq deviates from the indicators that are part of the GRI, Cermaq must disclose the manner in which it has done so. This manner of reporting, using the GRI standards, applies to both Cermaq and Mainstream, according to Ms. Bergan. »
