Data Privacy Implications for Security Information and Event Management Systems and Other Meta-Systems

Security Information and Event Management (SIEM) systems collect security information from multiple input systems, with a view to correlating and interpreting events so as to conduct security analysis and inference. Our analysis of large SIEM event sets has shown that in many instances the source events also contain personal information resulting from activities performed by users. The treatment of privacy in such 'meta-systems' is a challenging and, as yet, largely unaddressed consideration in privacy debates. This paper uses the 2012 EU Draft Data Protection Regulation as a basis to develop a view of its implications for SIEMs and other meta-systems. Providers of SIEM services have an obligation to ensure that their 'meta-systems' adhere to the same requirements as other systems, and the complexity can be compounded if the SIEM is not located in the same country as the originating events. Recommendations for role clarification, notification requirements, anonymisation and data protection officer oversight activities are presented - with respect to requirements of the associated privacy specifications. By adhering to these privacy specifications, security objectives can be achieved while ensuring that the rights of individuals and obligations, in terms of data privacy requirements, are met even when centralised security events and other types of meta-data, are collected.