Information Security and Privacy Audit Modeling

The rapid development and extensive use of digital technologies, electronic mail, Internet and mobile communication systems, and electronic commerce applications lead to the collection and processing of huge amounts of personal data. The increasing reliance on the information systems conducts to the selection of security controls, that are driven by the business needs and the associated security requirements. On the other hand, the European Union and various countries established a legal framework and Authorities to regulate and control its application. The privacy protection laws impose security measures to be taken, that may be different compared with those specified by the data controllers based on their business needs, since personal data are assets with, possibly, different values for the data subjects and the controllers. In this paper, we propose a security and privacy audit model, that takes into account these possibly contradicting security requirements. Key-words: Secure Information Systems, Privacy-Enhancing Technologies, Baseline Security Policy, Data Protection, System Audit, Security and Privacy Protection Evaluation.