February 4, 2010

Privacy Protection – Swiss Made

Good morning,

Yesterday, I participated with 65 of my peers in an informational workshop on the “current state of affairs” with regard to the privacy protection laws and initiatives that are underway in Switzerland.

The “core” working group, composed of the unit chief, the privacy commissioner and both legal counsels, exposed us over a two-hour period to various bits and pieces of information that I will try to summarize in the current posting.

First, let me start by saying that although the Swiss regulation is not really aggressive in terms of retaliation against the privacy vandals and “neglectors”, it is really well structured. Some might complain it is too much, but it is clear that all the relevant aspects are formally addressed in the regulation.

Currently, the mandate of this working group is to bring to the market a government-approved way of certifying both products and services in terms of privacy protection compliance. This is quite unique for now, since I am not aware of any formal “country-driven” initiative. A lot of private and commercially driven privacy labels exist, but the Swiss government is attempting to formalize certification channels and to impose such an exercise in the regulation.

This information session started with a presentation of the results from a survey that was conducted among the participants a few weeks before. The topic of the survey was service and product certification, which is, in my understanding and opinion, important to determine whether this vision corresponds to a market need and not only to a government wish. Roughly, over 75% of the responses confirm a market demand, which is great news for the core workgroup.

We were then presented with the current status with regard to legislative work; everything seems to be on track from that standpoint as well.

Then, Mr. Baumann, the Swiss Federal Privacy Commissioner (or Préposé Fédéral à la Protection des Données et à la Transparence), presented us with his analysis of what is already available on the market in terms of service and product certification processes.

To summarize, the Swiss government is currently looking at an ISO type of certification based on currently available standards such as ISO 27001 and ISO 20000 for service certification and ISO 15408 (Common Criteria) for product certification.

I personally agree with the approach. Simply said, there is no other way to go. Continuous improvement and independent certification of both services and products are necessary. Some elements still need to be cleared up: which standards should be used, how to tackle the task, and how this fits in the more general framework / certification market.

To clear up those last questions, a workgroup involving the private sector is currently being set up. Work is scheduled to start in March 2010 and deliverables are expected by mid-2011. My candidacy is in; I will try to get involved in that workgroup, for myself since I find this pretty interesting, but also on behalf of CLUSIS.

To obtain further information on the regulation, I invite you to visit the commissioner's web site.

Have a great day and talk to you soon,

Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security