ISO ISO IEC 22624-2020 pdf free download – Information technology — Cloud computing — Taxonomy based data handling for cloud services.
5 Overview: The need for a structured expression of data policies and practicesbased on a common data taxonomy
Data policies and practices, at corporate or government level, need to be crisply expressed with thedesired degree of precision and clarity.The need for varying degree of precision, along with the needto compare and analyse various policies in an efficient manner, calls for a common and structuredapproach to the expression of these policies and practices, an approach that is based on a common datataxonomy.
ISO/IEC 19944 provides a comprehensive set of elements which can be used to
a) assign a data category to a given data set (e.g. personally identifiable information (PID).
organisational identifiable information, customer content data),
b) provide classes of actions applied to such data (e.g.use to provide a service, to optimize it, to
provide marketing information),
c) include scopes explaining on what level the use of data happens (e.g. service level vs.enterprise/)
organisational level vs.use by 3rd parties), and
d) define the level of de-identification (or anonymization) applied to a data set (qualifiers such as
“identified”, “anonymized”, “aggregated”).
These elements are referred to in the document as “data categories”or “data taxonomy”, “actions”,”scopes”,and“qualifiers”without explicitly referencing ISO/IEC 19944.Clause 6 provides acomprehensive overview of the elements.The framework described in this document references theframework in ISO/IEC 19944.
In order to define application specific data handling policies and practices,these elements needto be applied to the application domain at hand. This includes data classifications with regards tosecurity or risk levels that apply to data, as well as technical and organisational qualifications of data.Hence, the approach described in this document requires the considerations of data categories asdescribed in iSo/IEC 19944 as well as orthogonal information dependent on the concrete applicationunder consideration.Examples which are used to explain this approach therefore employ a tabularrepresentation format emphasizing the orthogonal character of generic data categorization (rows) andapplication specific elements (columns).Therefore, for a person who is concerned with the developmentof, for example, enterprise policies for data use by a set of cloud services, all relevant cases which needto be considered are visible.
Implicitly, ISO/IEC 19944 focuses on personal data and PII, and does not explicitly cover non-personal data, or mixed sets of data that contain both PII and non-personal data. Non-personal data is defined as any data that is not personal and is not covered under PII, e.g. scientific data, sales data. Mixed data sets contain both PII and non-personal data such as human resource data that contains both organizational structures and personal employee data. It is important to recognize these different sets as different policies and regulations could apply to each. For example, the EU GDPR [9] regulates aspects of PII and the free-flow of non-personal data regulation [10] sets policies concerning the geo-location and movement of non-personal data. In line with ISO/IEC 19944, this document focuses on PII and does not delve deeper into aspects explicitly related to non-personal or mixed sets of data.
The document is structured as follows:
— Clause 6 describes the framework for the structured expression of data related policies and practices
including elements of the framework building on ISO/IEC 19944. It then expands discussion on data classification (6.2.6).
— Clause 7 discusses guidance for using the framework defined in Clause 6.
— Clause 8 covers use of framework in specific areas of concern.
— Clause 9 describes the application of the framework to codes of conduct.
Examples for data handling challenges are provided throughout the document.ISO ISO IEC 22624 pdf download.