By: Moriah Tzavoni, CPA, CISA, who specializes in Risk Management, Information Systems and Internal Audits
Ripples from Facebook’s recent data-mining earthquake have already been felt in Israel. US Senate members initiated an extensive interrogation of Facebook founder and CEO Mark Zuckerberg, and an investigation was launched in Israel on suspicion of violating Israel’s Protection of Privacy Law. This law covers the distribution of personal information to another party without consent, and the use of personal information for anything other than its intended purpose.
With today’s technological advancements, the information held in existing data systems is a valuable treasure for advertising agencies, since it enables advertisers to analyze consumer behavior and preferences and then target those consumers who are most likely to respond to their marketing campaigns. The purpose of the law in general, and of the regulations in particular, is to regulate this process so that private information (as defined by law) is no longer a free-for-all. Moreover, organizations are now obligated to implement concrete procedures to ensure the protection and security of the information in their databases.
The right to privacy was first recognized in Israel over 35 years ago, with a law that addressed the issue of data protection (the Protection of Privacy Law – 1981), including a definition of which information counts as “private” and which measures would be effective in maintaining its integrity. But it seems that only in the wake of the freshly exposed violations of international law and unauthorized use of data by various organizations is the Israeli public waking up to this complex reality.
Further steps taken to implement and enforce this law include enactment of additional regulations by the Authority for the Protection of Privacy (“Protection of Privacy Regulations – Information Security Regulations – 2017”) which will come into effect from May 2018, parallel to a similar law under the European Union (GDPR).
These regulations are not new to public companies, public establishments, institutions, government corporations and organizations certified to ISO 27001, but they bring a real revolution to the private sector. This is daunting news for private entities that manage databases, since any violation of these laws or regulations is subject to a fine. And a recently proposed government bill could authorize the ISA to impose fines of up to 3 million NIS!
So what are the new regulations?
Organizations are required to establish an administration system to manage information security. This system includes protocols that are applied to each database according to one of three security classification levels: regular, moderate and high. Criteria such as the nature of the database, the number of persons who have access to it, and the number of persons whose information appears in it define its security level. (Databases managed by private individuals are subject to a different scope of regulations.)
This system is comprised of three components:
- Core Administration – Compile and document classifications, delineate work procedures, appoint an information security officer, etc.
- Information Security Protocol – Take concrete measures to execute the management system
- Documentation and Report Procedures – Define how security incidents are documented and reported
Where do I even start?
First, examine whether the information maintained and managed by your organization actually meets the criteria for private information as defined by the law and the new regulations. If it does, you will need to determine the requisite level of information security for your database.
You need to tackle, establish and implement each component of the administration system, according to the level of information security your database requires:
Core Administration
- Compile and document definitive classifications and guidelines
- Appoint an information security officer
- Document information security procedures
- Contract outsourcing suppliers and define the parameters of their roles
Information Security Protocol
- System mapping, risk analysis and penetration tests (PT)
- Manage access permissions
- Login and authentication processes
- Secure communications including remote access
Documentation and Report Procedures
- Define official procedure for documenting breaches in information security
- Define official procedure for reporting breaches in information security
- Define official procedure for preserving information security data
- Define official procedure for data recovery
Information security might suddenly feel like an overwhelming responsibility, but it doesn’t have to keep you up at night. BRH’s team of information security and management consultants walks clients through the entire process – from defining and mapping existing databases and planning procedures, to developing an official administration system and applying a monitoring platform. Your databases are kept safe and in full compliance with the new privacy regulations.
The information provided in this article is not a substitute for full review of the regulations, consultation with a relevant professional, and in-depth analysis of an organization’s specific requirements.
Rosenblum Holtzman CPA is a top Israeli accounting firm founded in 1981. The firm provides a wide range of services to corporations, kibbutzim, non-profit organizations and private clients.