
Privacy and Security Assessment.

Technical Security and Data Privacy in a Single Process.

Deutsche Telekom AG

Friedrich-Ebert-Allee 140

D-53113 Bonn


Contents.

Technical Security and Data Privacy at Deutsche Telekom
Foreword

Privacy and Security Assessment
Scope of validity
Objectives
Consulting approach
Interrelationship between project and system level
Benefits of the process
Opinions on the process

Annex
Glossary


Dear Readers,

This brochure is designed to explain the Privacy and Security Assessment process (PSA process) – a core element in safeguarding technical security and data privacy at Deutsche Telekom.

One of the main objectives of the Data Privacy, Legal Affairs and Compliance (DRC) Board of Management department is to ensure a suitable level of security and data privacy. Since the DRC department was set up, our two Group IT Security (GIS) and Group Privacy (GPR) units have been cooperating increasingly in this Board of Management department. The technical and organizational requirements of GIS and GPR are closely linked in terms of content. Against this background, we developed the PSA process in 2009, with the common goal of integrating the fulfillment of technical security and data privacy requirements at an early stage in the relevant Deutsche Telekom development processes.

The new standardized process implements security and data privacy requirements as part of product and system development, thus ensuring greater transparency, improved project support as well as a suitable level of protection for our products. The PSA process has enabled us to put in place the foundation for uniform support in relation to security and data privacy issues. All development projects that create or change IT or NT systems are categorized, taking into account the data being processed, attack vulnerability from the public Internet (hereinafter referred to as criticality) as well as complexity. Security and data privacy experts provide ongoing consulting and review functions for highly critical and complex projects. Before such projects go live, they need to be explicitly approved. Standardized requirements are provided for less complex and less critical projects. These requirements enable the responsible employees themselves to achieve a suitable level of security and data privacy. This is confirmed by a Statement of Compliance, which is archived for documentation purposes.

In 2010, the PSA process was integrated into the key product and system development processes in Germany as well as on a cross-functional Group level. More than 2,000 projects undergo the PSA process every year. In future, the process will also be applied at Deutsche Telekom’s international subsidiaries. The PSA process already enjoys a high level of acceptance throughout the entire Group. It received the seal of quality according to the internationally recognized ISO 27001 certificate and has also served as a role model outside the company.

Yours,

Dr. Stefan Pütz
Dr. Kornel Knöpfle
PSA process owners for technical security and data privacy

Technical Security and Data Privacy
at Deutsche Telekom.

PSA process owner for data privacy
Dr. Kornel Knöpfle

Kornel Knöpfle has been working for Deutsche Telekom since 2002. He has been in charge of Privacy Audit & Technical Knowhow Management within Group Privacy (GPR) in the Data Privacy, Legal Affairs and Compliance Board of Management department since April 2009. Together with Dr. Stefan Pütz, he has developed the PSA process, which he supports from a data privacy perspective. Prior to this, Kornel Knöpfle spent several years at T-Online International AG in Darmstadt, holding various management posts in the IT Strategy and IT Security department. Kornel Knöpfle has a doctorate in physics from the Technical University of Darmstadt.

PSA process owner for technical security
Dr. Stefan Pütz

Stefan Pütz has been head of Production Infrastructure Security within Group IT Security (GIS) in the Data Privacy, Legal Affairs and Compliance Board of Management department since 2009. Together with Dr. Kornel Knöpfle, he is responsible for the PSA process and manages its further development from a security perspective. Stefan Pütz started out at Deutsche Telekom in 1997 and has since been in charge of various technical security areas. He studied electrical engineering, specializing in communications engineering, at the University of Siegen and completed a doctorate in the security of modern mobile communications systems.


Privacy and Security Assessment:
Scope of validity.

Summary
Integration of security and data privacy in product and system development.
Consulting, documentation and approval regarding technical security and data privacy.
PSA mandatory in Germany; international roll-out in 2011.

The PSA process standardizes key activities in the area of technical security and data privacy, and governs the creation of security and data privacy concepts for IT or NT systems. The process is also used to provide support and advice from GIS and GPR experts, as well as to ensure approval of systems from a security and data privacy law perspective.

The PSA process is used in product or system development when new systems are created or existing systems are updated technically or in terms of the type of data processing. Typically, new systems are created or systems are updated in the course of versioning (new release). This process ensures that the changes caused by the new version are adapted in the data privacy and security concept. The PSA process can be used on all IT or NT systems, regardless of their range and complexity.

The new PSA process completely replaces all older requirements for drawing up security and data privacy concepts. However, in order to ensure a smooth transition from the old to the new process, existing security and data privacy concepts continue to apply until the end of 2011. Up to this point, managers can decide whether to continue applying the old concepts or to switch to the new ones.

The use of the PSA process is mandatory for all German companies as well as for all Deutsche Telekom common projects, provided they are to be managed from Germany. In the course of 2011, the PSA process will be gradually rolled out in the Deutsche Telekom international subsidiaries in close cooperation with the IT and technology units – in a form geared to local circumstances. The roll-out will be conducted jointly with the Corporate IT security organization.

[Figure: International roll-out of the PSA process. Legend: roll-out complete / roll-out in the pipeline.]


Privacy and Security Assessment:
Objectives.

Summary
Safeguarding a uniform, suitable level of security and data privacy.
Integrated process for technical security and data privacy.
Project support level according to project complexity and criticality.

GIS and GPR establish important fundamentals within Deutsche Telekom for reliable products that also satisfy strict requirements for security and data privacy. They have introduced the PSA process jointly in order to ensure that all development projects within the Group can satisfy requirements for technical security and data privacy.

The new process addresses the following aims:

- A consistent and adequate security and data privacy level in all products, systems and platforms that are updated or created from scratch.
- An integrated process for technical security and data privacy as a component of the product and system development processes.
- A support level adapted to project complexity and criticality through the introduction of categorization at the start of each development project.

Deutsche Telekom operates several thousand different IT systems and network platforms. This implies a huge challenge integrating security and data privacy in a single process. These IT systems and network platforms are designed, implemented and constantly developed further via a host of different processes as well as through the involvement of functional and technical stakeholders. It is an extremely complex undertaking to set up a single procedure ensuring technical security and data privacy throughout the entire system landscape. Additionally this new procedure has to be integrated functionally into the existing development processes.

Group IT Security (GIS)

GIS is responsible for technical security within Deutsche Telekom. Therefore a suitable level of security needs to be defined and implemented using suitable measures.

Group Privacy (GPR)

GPR determines the Group’s strategic alignment in terms of data privacy and defines the requirements from a legal, technical and organizational perspective. It also represents the Group in all data privacy matters, both internally and externally.

[Figure: Overview of the PSA process. Development phases shown: initial idea, feasibility study, design, detailed design, realization, rollout, live operation. Roles shown: project manager, system owner, GIS, GPR, DRC. Artifacts and criteria shown: PSA template, SDSK (security and data privacy concept), security requirements, privacy requirements, security level (suitable / appropriate), criticality, compliance, benefit, products, systems, platform, standardization, PMT.]


Privacy and Security Assessment:

Consulting approach.

Integration in the product and system development processes.

Categorization in terms of security and data privacy relevance.

Approval prior to live operation.

Summary

The following drawing describes the PSA process methodology along a generic development process. It explains the integration in the development process as well as the differences that result depending on the particular project categorization.

[Figure: The PSA process at a glance. Phases: initial idea, feasibility study, detailed design, realization, operation; gates at the start of the project, between the phases, and at live operation. Categorization takes place at the start of the project. Activities shown per category (A, B, C): assign consultant and requirements; project consulting concerning SDSK; creation of the security and data privacy concept (SDSK); identification of requirements; approval; self-declaration / review by local security organizations; sample tests.]

Integration in the development processes.

The PSA process is integrated into Deutsche Telekom’s main development processes, which basically follow the generic model of a development process presented here (initial idea – feasibility study – detailed design – realization – operation). At the decision gates between each process step, a decision is made as to whether the next process step is to be taken. This requires an explicit gate decision by the responsible management.

The PSA process is linked to the decision gates at the start of the project and at the launch of live operation. At the start of the project, in the idea generation phase, the project is categorized in terms of its security and data privacy relevance. At the end of the realization phase, i.e., before the launch of live operation, the PSA process must have been completed successfully. As such, all necessary approvals must be in place. If live operation is subject to certain conditions, the resulting measures must be implemented by the time the project is completed. If GIS and GPR are not directly involved in consulting the project, the effectiveness of the PSA process is tested on a sample basis.

Project categorization.

Before the decision gate for the start of the project, a project manager categorizes his project using a categorization tool. This tool determines in three different categories (A, B, C) the criticality and complexity of the requirements resulting from the project in terms of technical security and data privacy. This defines the level of detail on the basis of which the project is consulted and approved. The categorization is based on characteristics such as processing of particularly sensitive data, the complexity of the platforms or systems, or the strategic and financial significance of the products.

Relevance and level of support of the projects.

Category A (46 % of projects*)
High relevance, as projects are complex and/or critical.
The project is supported, advised and approved directly by security and/or data privacy experts from GIS and GPR.

Category B (35 % of projects*)
Relevant, but projects are less complex with less sensitive data.
Standard requirements are implemented by the project teams themselves, with support from local security organizations if required.
Approval is given through a self-declaration by the project manager and, if appropriate, is reviewed by local security organizations; GIS and GPR review these approvals on a sample basis.

Category C (19 % of projects*)
No changes or generally irrelevant.
The projects do not result in any changes relevant for security and/or data privacy.
No approval is required; GIS and GPR review the project categorizations on a sample basis.

* Distribution of the categorization in 2010.


Privacy and Security Assessment:
Interrelationship between project and system level.

Summary
Documentation of project categorization and approval in the PSA template.
Documentation of implementation of security and data privacy requirements and approvals in the SDSK.

The PSA process is based on two central documents: the PSA template and the standardized data privacy and security concept (SDSK).

PSA template.

The PSA template is the form used to document the project categorization and approval. It is prepared by the project manager at project level. Project approval is generally only given and documented in the PSA template once all systems have been approved. As such, the approval of all systems in the PSA template is the prerequisite for project approval for live operation.

SDSK.

The SDSK is drawn up and updated for each system by the system owner. The system owner is responsible for ensuring the respective system meets the requirements for technical security and data privacy. He documents the implementation of security and data privacy requirements at IT or NT system level as well as their approval or self-declaration in the SDSK. The role and area of responsibility of the system owners are not dependent on specific projects and apply for the entire life cycle of a system.

[Figure: The PSA template, version 1.1 (01.03.2011), "Documentation on project categorization and approval" / "Confirmation of Data Privacy and Security system approvals for new or modified IT/NT systems". Project information: project name, development process (PMT, RLT etc.), project contact (name, phone number), project number (SAP no., PMT no., RLT no.). Categorization: the completed categorization tool is embedded as an object; wiki link to the categorization tool. Privacy Assessment: category A / B1 / B2 / C; self-declaration (B1/B2), possible assessment by the local DPC, approval (A), each unconditional / conditional* / not issued* / no information, with date, name and org. unit. Security Assessment: category A / B / C; self-declaration (B), possible assessment by the local PSM, approval (A), each unconditional / conditional* / not issued* / no information, with date, name and org. unit. List of systems: system name, release, system owner (name, phone, org. unit), category, data privacy system approval / self-declaration / possible assessment, security system approval / self-declaration / possible assessment, each unconditional / conditional / not issued. * If an approval is rejected or has only been issued with conditions, an informal document documenting the respective conditions or justifying the rejection is attached to the template (or embedded electronically). Classification according to information security guideline: internal.]

Notes on the PSA template.

1. Documentation of project categorization and approval by the project manager, the security and data privacy experts from GIS and GPR or the local security and data privacy units.

2. List of newly created or modified IT or NT systems concerned including approval status.

Notes on the SDSK.

1. The SDSK consists of: system description, data privacy information, authorization concept, requirements catalogs, action plan, system categorization.

2. Since the SDSK is maintained over the entire lifecycle of a system, it includes the update of the particular releases, including the release status.

[Figure: The Standardized Data Privacy and Security Concept (SDSK) form, version 1.1 (Feb 23 2011), "Documentation on the Standardized Data Privacy and Security Concept". System information: system name, SDSK version, last update, system identifier (e.g. App-ID, ICTO-ID), system owner, org. unit, phone no. Embedded, dated components: categorization (optional; weblink to the categorization tool for systems), system description (weblink to its template), authorization concept (weblink to its template), data privacy information (weblinks to the data privacy info for categories A and B1, and for category B2), both completed SoCs (weblinks to the Data Privacy SoC and the Security SoC), action plan (weblink to its template). Change history per release: SDSK version, system release, date, data privacy category with approval (GPR) / self-declaration (specialist unit) / possible assessment by the local DPC, security category with approval (GIS) / self-declaration (specialist unit) / possible assessment by the local PSM, each unconditional / conditional / not issued; the sample shows releases 1.0 to 2.0 dated between 2005 and 2008. * A system approval is not required if no data privacy or security-relevant changes are made with the release of the IT/NT system. Classification according to Information Security Guideline: Confidential.]


Privacy and Security Assessment:
Benefits of the process.

Summary
Greater structure and transparency of security and data privacy work.
Suitable level of security and data privacy thanks to standardized procedural model.
Greater efficiency thanks to early integration.

The roll-out of the Privacy and Security Assessment (PSA process) gives more structure and transparency to Deutsche Telekom’s security and data privacy work. The process gives development projects a uniform and suitable level of security and data privacy, which is documented efficiently in standardized templates. Project support for technical security and data privacy is provided along a uniform procedural model. This procedural model helps to ensure that all security and data privacy requirements are identified early on. Prompt integration has the advantage of preventing costly reworking and unnecessary compromises.

It also prevents projects from possibly having to be stopped before going live as a result of GIS and GPR involvement that is too late. Thanks to the project categorization, GIS and GPR can optimally focus the level of consulting for technical security and data privacy on the key issues, and hence sustainably support rapid project work.

The benefits of the PSA process at a glance.

Consistency: Technical security and data privacy are reviewed and evaluated based on uniform requirements and criteria.

Reduction in effort: Redundant documentation is minimized as a result of uniform, standardized templates.

Timeliness: Integration into development processes ensures technical security and data privacy are incorporated into the relevant topics at an early stage.

Optimization of resources: Project prioritization ensures that critical, complex projects are supported by experts from GIS and GPR.

Reliable implementation: The modular, requirement-based approach enables the project teams to ensure implementation.


Privacy and Security Assessment:
Opinions on the process.

External opinions on the PSA process

“As part of our data privacy audit and certification, the SDSK was submitted to us as documentation and as the basis for the audit. Deutsche Telekom is way above the general standard with this consolidated documentation of data privacy and security aspects and the technical/organizational measures implemented. Based on our long-standing experience in auditing and certification, the SDSK is an extremely positive development.”

Monika Wojtowicz, LL.M., TÜV Informationstechnik GmbH, TÜV NORD group of companies, Head of the TÜV Data Protection and Evaluation Center

“Deutsche Telekom developed the PSA process to ensure compliance with security and data privacy specifications in products, systems and platforms. Thanks to its security specifications, the process fully covers issues of technical security and ensures implementation of secure solutions in the Deutsche Telekom network. The PSA process is well thought-out and important. The PSA process provides NSN as a telecommunications vendor with a process that complements its own security processes and supports rapid project acceptance.”

Bernhard Petri, Nokia Siemens Networks GmbH & Co KG, Head of CTO Security Team Munich

“As part of ISO 27001 certification of Deutsche Telekom’s centralized security management, the PSA process was also presented as a service process provided by Group IT Security. The process was rated positively in the certification process as a good, sensible way of prioritized processing of development projects in respect of data privacy and security. The PSA process ensures that the security requirements for IT and NT systems developed by Group IT Security are taken into account in the IT and NT projects and actively supported by Group IT Security as part of the associated operational implementation.”

Peter Rothfeld and Ingo Vasen, external auditors at DQS GmbH, Deutsche Gesellschaft zur Zertifizierung von Managementsystemen, as part of ISO 27001 certification

Internal opinions on the PSA process

“The PSA process involves the rollout of an entirely logical, process-oriented model, which systematically envisages for the first time the inclusion of security and data privacy requirements as part of system implementations and modifications as an integral component of the development processes. I therefore explicitly welcome it and wish all my colleagues a great deal of success.”

Boris Riese, Head of Group Audit – Information & Communication Technology, Deutsche Telekom

“Technical security and data privacy are crucial to the commercial success of Telekom Deutschland GmbH. That’s why exacting requirements need to be made of their implementation. The Privacy and Security Assessment process is a key component in meeting these requirements. As Chief Compliance Officer at Telekom Deutschland I therefore emphatically welcome this standardized process as it contributes to our compliance with legal provisions and internal guidelines, helping ensure the reputation of our company is not tarnished.”

Dr. Ralf Schneider, Chief Compliance Officer, Telekom Deutschland GmbH

“The PSA process is extremely important from a security and data privacy perspective, especially for a system platform such as the CNTDB (Common Network Technology Data Base) with centralized subscriber data storage. At the end of the process you have a platform that is certified in accordance with security and data privacy requirements. The PSA process offers a harmonized, standardized procedural model for creating security and data privacy concepts; the modular structuring of platform documentation reduces the cost in the case of subsequent changes managed by projects. In addition to this valuable, compact platform and project documentation, the data privacy and security concept also provides an agreed roadmap for further improvement measures.”

Andreas Hörnes, Head of Competence Center Subscriber Data Management, Group Technology, Deutsche Telekom


Annex.

Glossary.

Action plan: Documentation of measures through which the requirements will be met in future.

Authorization concept: Description of roles and access rights.

Data privacy information: Description of the purpose of processing personal data or data that can be traced back to a given individual in the IT / NT system concerned.

DRC: Data Privacy, Legal Affairs and Compliance Board of Management department.

GIS: Group IT Security.

GPR: Group Privacy.

IT or NT system: Systems that process or transmit information in electronic form. These generally consist of a number of computer systems or network elements with the same or similar purpose, e.g. servers, IT or NT networks and platforms.

PSA: Privacy and Security Assessment. The PSA process is intended to ensure a suitable level of data privacy and security.

Requirements catalogs: Documentation of the degree of compliance with technical security and data privacy requirements.

SDSK: Standardized data privacy and security concept.

System description: Documentation of the responsibilities, along with functional and technical system description.

Publication details.

Deutsche Telekom AG
Group IT Security / Group Privacy
Friedrich-Ebert-Allee 140
D-53113 Bonn, Germany
Design: HGB Hamburger Geschäftsberichte GmbH & Co. KG
Last revised: March 2011

Contact.

Group IT Security: [email protected]
Group Privacy: [email protected]