ETSI TR 103 305-5 V1.1.1 (2018-09)

ETSI TR 103 305-5 V1.1.1 (2018-09)
TECHNICAL REPORT
CYBER;
Critical Security Controls for Effective Cyber Defence;
Part 5: Privacy enhancement
---------------------- Page: 1 ----------------------
2 ETSI TR 103 305-5 V1.1.1 (2018-09)
Reference
DTR/CYBER-0034-5
Keywords
Fyber security, Fyber-defence, information
assurance, privacy
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or

print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any

existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the

print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status.

Information on the current status of this and other ETSI documents is available at

If you find errors in the present document, please send your comment to one of the following services:

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying

The content of the PDF version shall not be modified without the written authorization of ETSI.

DECT , PLUGTESTS , UMTS and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.

3GPP and LTE are trademarks of ETSI registered for the benefit of its Members and

Intellectual Property Rights ................................................................................................................................ 4

Foreword ............................................................................................................................................................. 4

Modal verbs terminology .................................................................................................................................... 4

Executive summary ............................................................................................................................................ 4

Introduction ........................................................................................................................................................ 4

1 Scope ........................................................................................................................................................ 5

2 References ................................................................................................................................................ 5

2.1 Normative references ......................................................................................................................................... 5

2.2 Informative references ........................................................................................................................................ 5

3 Abbreviations ........................................................................................................................................... 5

4 Critical Security Controls: Privacy Impact Assessment ........................................................................... 6

4.1 Description ......................................................................................................................................................... 6

4.2 Privacy Impact Assessment of the Critical Security Controls ............................................................................ 6

4.2.1 Overview ...................................................................................................................................................... 6

4.2.2 Authorities .................................................................................................................................................... 6

4.2.3 Characterizing Control-Related Information ................................................................................................ 7

4.2.4 Uses of Control-Related Information ............................................................................................................ 7

4.2.5 Security ......................................................................................................................................................... 8

4.2.6 Notice ............................................................................................................................................................ 8

4.2.7 Data Retention .............................................................................................................................................. 9

4.2.8 Information Sharing ...................................................................................................................................... 9

4.2.9 Redress .......................................................................................................................................................... 9

4.2.10 Auditing and Accountability ......................................................................................................................... 9

5 How to support the EU General Data Protection Regulation (GDPR) using the Critical Security

Controls .................................................................................................................................................. 10

5.1 Description ....................................................................................................................................................... 10

5.2 GDPR responsibilities ...................................................................................................................................... 10

5.3 What data is in scope? ...................................................................................................................................... 10

5.4 Assessing the data and the privacy risks .......................................................................................................... 11

5.5 Specific Critical Security Controls in support of GDPR .................................................................................. 11

5.6 Use of Hardened virtual machine images ......................................................................................................... 12

History .............................................................................................................................................................. 13

IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information

pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found

in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in

respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee

can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web

The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.

ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no

right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does

not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.

This Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER).

The present document is part 5 of a multi-part deliverable covering the Critical Security Controls for Effective Cyber

In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be

interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).

"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

The present document is an evolving repository for privacy enhancement guidelines for Critical Security Control

implementations. These guidelines include a privacy impact assessment mechanism and as well as implementations to

meet provisions of the EU General Data Protection Regulation (GDPR) using the Critical Security Controls.

The Critical Security Controls ("the Controls") exist within a larger cyber security ecosystem that relies on the Controls

as critically important defensive measures. There are a variety of mechanisms that facilitate and encourage their use -

one of which notably includes privacy protection. In addition, the Controls can help meet provisions of the EU General

Data Protection Regulation (GDPR) using the Critical Security Controls. The present document is directed at both

NOTE: Clause 4 existed in a previous version of ETSI TR 103 305-4 [i.3] and was moved to the present

The present document is an evolving repository for privacy enhancing implementations using the Critical Security

Controls [i.2]. These presently include a privacy impact assessment and use of the Controls to help meet provisions of

References are either specific (identified by date of publication and/or edition number or version number) or

non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee

The following referenced documents are not necessary for the application of the present document but they assist the

[i.1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the

protection of natural persons with regard to the processing of personal data and on the free

movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[i.2] ETSI TR 103 305-1: "CYBER; Critical Security Controls for Effective Cyber Defence; Part 1: The

[i.3] ETSI TR 103 305-4: "CYBER; Critical Security Controls for Effective Cyber Defence; Part 4:

[i.4] U.S. Department of Homeland Security (DHS): "Fair Information Practice Principles (FIPPs)".

NOTE: Available at https://www.dhs.gov/publication/fair-information-practice-principles-fipps-0#.

An effective posture of enterprise cybersecurity need not, and, indeed, should not compromise individual privacy. Many

laws, regulations, guidelines, and recommendations exist to safeguard privacy, and enterprises will, in many cases,

Use of the Controls should support the general principles embodied in the General Data Protection Regulation [i.1] and

the Fair Information Practice Principles (FIPPs) [i.4]. All enterprises that apply the Controls should undertake - and

make available - privacy impact assessments of relevant systems to ensure that appropriate protections are in place as

the Controls are implemented. Every enterprise should also regularly review these assessments as material changes to

its cybersecurity posture are adopted. The aim is to assess and mitigate the major potential privacy risks associated with

implementing specific Controls as well as evaluate the overall impact of the Controls on individual privacy.

The following framework guides this efforts and provides an outline for a Privacy Impact Assessment.

Outline the purpose of each Control and provide justification for any actual or potential intersection with privacy-

• Where possible, identify how technologies, procedures, and data flows are used to implement the Control.

Provide a brief description of how the Control generally collects and stores information. Identify the type of

data collected by the Control and the kinds of information that can be derived from this data. In discussing

how the Control might collect and use PII, include a typical transaction that details the life cycle of that PII

• Describe the measures necessary to protect privacy data and mitigate any risks of unauthorized access or

inadvertent disclosure of the data. The aim here is not to list every possible risk to privacy, but rather, to

provide a holistic view of the risks to privacy that could arise from implementation of the Control.

• Describe any potential ad-hoc or routine information sharing that will result from the implementation of the

Control both within the enterprise and with external sharing partners. Also describe how such external sharing

is compatible with the original collection of the information, and what agreements would need to be in place to

Identify the legal authorities or enterprise policies that would permit or, conversely, limit or prohibit the collection or

• List the statutory and regulatory authorities that would govern operation of the Control, including the

authorities to collect the information identified above. Explain how the statutory and regulatory authorities

permit or would limit collection and use of the information or govern geographic storage requirements. If the

Control would conceivably collect Personally Identifiable Information (PII), also identify the specific statutory

• Would the responsible office of an enterprise be able to rely on authorities of another parent organization,

• Might the information collected by the Control be received from a foreign user, organization or government?

If so, do any international agreement, contract, privacy policy or memorandum of understanding exist to

Identify the type of data the Control collects, uses, disseminates, or maintains:

• For each Control, identify both the categories of technology sources, logs, or individuals from whom

information would be collected, and, for each category, list any potential PII, that might be gathered, used, or

- Relevant information here includes (but is not limited to): name; date of birth; mailing address; telephone

numbers; social security number; e-mail address; mother's maiden name; medical records locators; bank

account numbers; health plan beneficiaries; any other account numbers; certificates or other license

numbers; vehicle identifiers, including license plates; marriage records; civil or criminal history

information; medical records; device identifiers and serial numbers; education records; biometric

identifiers; photographic facial images; or any other unique identifying number or characteristic.

• If the output of the Control, or system on which it operates, creates new information from data collected (for

example, a scoring, analysis, or report), might this new information have privacy implications? If so, perform

• If the Control uses information from commercial sources or publicly available data to enrich other data

- Commercial data includes information from data aggregators (such as threat feeds, or malware

databases), or from social networking sources where the information was originally collected by a private

- Publicly available data includes information obtained from network services, news feeds, or from state or

local public records, such as court records where the records are received directly from the state or local

- Identify scenarios with this enriched data might derive data that could have privacy implications. If so,

• Identify and discuss the privacy risks for Control information and explain how they are mitigated. Specific