Confecting Security and Privacy
OR
How to bake a security TRA with your PIA

Marcel Gingras
Cinnabar Networks Inc.
[email protected]
613.262.0946



The Cook’s Background

• A major in security with a minor in privacy
• Manager of Risk Analysts
  – TRA, PIA, BCP
  – Big on methodology development
• IT Security since 1995, Privacy since 2001
• Public service for 16 years
• IT software developer, software and network architect and network support manager

Recipe

• Ingredients
  – Risk Management and Limiting Disclosure
  – PIA and TRA Methodologies
• Preparation
  – Sharing the Data Gathering
• Cooking
  – Collaborative Analysis
• Testing for Doneness
  – Tasty Privacy and Security Safeguards

Conference Theme: Disclosure

• Privacy Domain
  – Principle: Limiting Use, Disclosure, and Retention
  – Affects business process design
  – May need security “confidentiality” services to limit disclosure (authentication, authorization, confidentiality services)
• Security
  – Protects a business process
  – Provides confidentiality, integrity and availability security services

Disclosure Requirements using Risk Management Processes

• Variety of Risk Management Processes
  – Business Strategic Risk
  – Business Service Delivery Risk (Operational)
  – Financial Risk Management
  – Business Continuity Planning (BCP)
  – Privacy Impact Analysis (PIA)
  – Security Threat and Risk Analysis (TRA)
• Latter two directly analyze disclosure risks

Security Risk Management: A Long History

• Physical security
  – Walls, doors, locks and safes
• Military security
  – Protect the country, safeguard the troops
  – Codes and ciphers
• IT Security Risk Analysis
  – Well developed models and methodologies

IT Security Risk Analysis Process

• Conceptual analysis of system or application
• Statement of Sensitivity
  – Inventory of Assets (includes classification)
  – Injury tests
• Threat Assessment
• Vulnerability Assessment
• Examination of Existing Safeguards
• Risk Assessment
• Security Safeguard Recommendations

Privacy Risk Management: A Short History

• Variable expectations between social groups
  – Values within a country, variations depending on context (commercial, banking, health, legal)
• Sense of privacy being under attack
  – Fear of government ‘big brother’
  – Fear of erosion of privacy in an IT information age
• Privacy Compliance and Risk Analysis
  – New models, limited risk management and ‘young’ supporting methodologies

Current Privacy Compliance and Risk Analysis

• Slanted towards compliance audit
• Checklist based
• No ranking of potential damages
• No ranking of risk (too many yes/no questions)
• No ranking of safeguard effectiveness
• No action plan

Unless particular privacy safeguards are specified, it’s all ‘best guess’

Current Privacy Compliance and Risk Analysis – The Effect

• Audit against legislation and policy sufficient in some cases, but not helpful in selecting strength of privacy safeguards needed
• Checklist based discourages risk analysis
• Lack of risk rankings makes it difficult to justify appropriately strong solutions
• Lack of a prioritized action plan makes it difficult to plan next steps in the project

Other Annoying Issues

• Too many TLAs (Three letter acronyms)
• Clutter in the project plan
• Too many interviews asking the same questions
• Timing issues: When to do these things to get actual value… Requirements when you need them and a reality check on the solution when you need it.
• Contradictory ‘disclosure’ and ‘confidentiality’ recommendations
• Potential for security solutions to be privacy invasive

What Can We Improve? (1)

• We can do privacy protection requirements gathering, analysis, and audit at the right time in the project lifecycle process.
• We can align related risk management processes (e.g. PIA and TRA) to be supportive and consistent.

What Can We Improve? (2)

• We can improve PIAs by borrowing from more mature risk analysis processes.
• We can incorporate the risk analysis processes into the current compliance audit PIA templates, providing a tool to be used as needed.

Note: The current form and rigor of existing PIA methodologies do not need to be changed, just augmented.

Project Lifecycle Integration

• What information do we need when?
  – Privacy requirements identification with other business requirements
  – Privacy protection solution identification with other business solutions
  – Audit/testing of privacy solutions with other business functionality audit/testing

Bad Things That Can Happen…

• Unknown privacy requirement kills project
  – E.g. Illegal use of SIN, Illegal disclosure of health card number
• Unknown security requirement creates ‘add-on’ expense
• Poorly implemented safeguards leave information at risk
• Intended safeguard implementation is deferred with unknown risk exposure

Project Lifecycle Integration

[Chart: lifecycle phases Concept, Analysis, Design, Develop, Deploy, Operate across the top; four risk management tracks down the side with their deliverables. The phase each deliverable sits under is not recoverable from the transcript; the deliverables are listed per track as named on the chart.]

I.T. Security Risk Management: Preliminary Risk Analysis; IT Risk Requirements Plan (TRA); IT Risk Mitigation Plan (TRA); IT Security Test Plan; IT Risk Audit & Certification

Business Continuity Planning: Business Impact Analysis; BCP/DRP; Incident Response Plans; BCP/DRP Testing & Maintenance

Privacy Risk Management: Privacy Requirements Analysis (PIA); Privacy Plan (PIA); Privacy Audit

Business Risk Management: Business Risk Analysis; Project Risk Tracking; Project Risk Management; Program Audit

Things to Note

• All risk management activities should have a minimum of 3 stages:
  – Requirements: Identification of risk and safeguard requirements
  – Solution Evaluation: Verify that the proposed solutions are effective
  – Implementation: Verify that the solutions are installed and operating as advertised

Cost note: Typically, the cost of the first two exercises does not exceed 1.5 times the cost of doing a single large exercise (TRA or PIA). It’s an incremental update.

Risk Assessment Alignment: PIAs and TRAs

• Can we integrate PIA and TRA risk analysis processes? …save time and money?
• Can we do the two analyses in a timely fashion?
• Can we ensure that resulting safeguard recommendations do not conflict?

Yes, But…

• Garbage in – Garbage out
  – It still takes expertise in the methodology and subject area (security, privacy, …) to do good analysis
  – Privacy analysis requires expertise of a separate body of knowledge
  – Security analysts are not automatically good privacy analysts
• Team-of-2 approach works well!

At a High Level, TRAs & PIAs Have Similarities

• Both risk management processes seek to avoid adverse outcomes
• Both are communications and decision making tools
• Both seek to identify risks and identify safeguard requirements at the analysis phase
• Both seek to document “due diligence” analysis and safeguards prior to deployment
• Both stem from legislative or policy requirements

PIA/TRA Analysis Process: Shared Elements

• System descriptions: detailed knowledge of the information flow
• Knowledge of effectiveness of safeguards
• Concept of “Damages” and “Acceptable Risk” of value to both

Not Shared: Privacy Threats (1)
More Than Keeping Personal Secrets

• Lack of authority to collect
• Inadequate consent
• Poorly informed data subject
• Low quality (incorrect) information
• Too much information being held (or held too long)

Not Shared: Privacy Threats (2)

• Inappropriate use
  – Data profiling
  – Data mapping
  – Transaction monitoring
• Identification of individuals
• Lack of, or fuzzy accountability
• Lack of openness

Not Shared: Privacy Threats (3)

• Loss of personal control over and access to data, including right to object / challenge the system
• Physical observation of individuals
• Publishing or re-distribution of databases containing personal information

Recap: Why do PIAs and TRAs together?

• Timeliness and cost savings
• Minimize disruption to business and development teams
• Assessments feed critical info to each other
• Requirements integrated and in agreement

Solution: Risk Assessment Alignment - Detail (1)

[Two-column table, TRA on the left and PIA on the right, both bracketed as “Data Gathering”. The column each row sits in is not recoverable from the transcript; rows are listed as named on the slide.]

Methodology Background: Purpose (TRA and PIA); Scope; Methodology; Target Risk

Information Gathering: System Description; Data Flow Documentation; Privacy Legislation Framework; Statement of Sensitivity; Policies and Standards

Solution: Risk Assessment Alignment - Detail (2)

[Two-column table, TRA on the left and PIA on the right.]

PIA – Ten Privacy Principles Analysis:
  Accountability
  Identifying Purpose
  Consent
  Limiting Collection
  Limiting Use, Disclosure (feed threat analysis) and Retention
  Accuracy (feed threat analysis)
  Safeguards (Appropriateness, with Efficacy Referenced Out)
  Openness
  Individual Access
  Challenging Compliance
  Privacy Recommendations

TRA – Confidentiality, Integrity, Availability Analysis:
  Threat Analysis
  Vulnerability Analysis
  Existing Safeguards (Efficacy)
  Risk Analysis
  Recommended Safeguards (Efficacy)

The Reports

• Separate PIA and TRA for different audiences
• Similar layout for easy reading (optional)
• Risk scenario based privacy analysis supporting PIA questionnaires (optional)

Note: Questionnaire formats are being revisited in some jurisdictions as they have encouraged poor analysis

Improving PIAs with Risk Scenario Analysis (1)

• Start with the privacy questionnaire…
• Postulate system-specific attacks against particular personal information
• Consider the initial risks, based on damages caused by disclosure, inaccuracy, etc.
• Consider existing privacy safeguards

Risk Scenario Analysis (2)

• Rate residual risk
• Make additional privacy safeguard recommendations (if needed)
• Rate residual risk
• Organize analysis and safeguards by privacy principles

Risk Scenario Analysis (3)

• Sample questionnaire question:
  If personal information is to be used or disclosed for a secondary purpose not previously identified, is consent required?

Very generic, asks for a Yes/No, does not encourage analysis

Risk Scenario Analysis (4): Simplified Analysis Table

Columns: Item R# | Risk Scenario | I | L | R | Privacy SG# | Safeguards (Existing and Recommended) | R

R#: PR22
Risk Scenario: Consent is not obtained in all cases. Persons who make inquiries by telephone or by regular mail may not formally consent to having personal information stored in a repository, or may not understand that their contact information will be retained following satisfaction of their inquiry. Their consent may be viewed as implicit.
I: M   L: H   R: M-H
Privacy SG# and Safeguards (Existing and Recommended):
  R-PSGP112  XXX User Agreements
  R-PSP201   Business Manual
  R-PSP250   Business Liaison with ATIP
  P-PSP251   Consistent notices and forms
  R-PSP252   Consent procedures
  P-PSA500   Periodic audits by ATIP office
R (after safeguards): L

Risk Scenario Analysis (5): Privacy Safeguard Item

PSP250  Business Liaison with ATIP: There should be a manager-level business line point of contact or points of contact with the ATIP office to ensure consistency of policy and practices, as well as integration of privacy policy and practices throughout the lifetime of the system.  Recommended
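The risk scenario procedure on slides (1) through (5) can be carried as a small structured record instead of a yes/no questionnaire. The following Python is an added example written for this page, not code from the presentation or from Cinnabar Networks: it takes scenario PR22 from the simplified analysis table, rates its initial risk from Impact and Likelihood, re-rates residual risk after existing and then after recommended safeguards, organizes scenarios by privacy principle, and emits a prioritized action plan. The I/L-to-R matrix, the per-safeguard likelihood reduction, and every safeguard status other than PSP250 (which the slide marks Recommended) are assumptions constructed for the example; the deck gives only the ratings M, H, M-H and the final L.

```python
"""Risk scenario analysis, following the slide's steps: postulate the scenario,
rate initial risk from Impact and Likelihood, rate residual risk after existing
safeguards, recommend further safeguards and re-rate, then organize by principle.
Added example; the rating rules below are assumptions, not the presenter's method."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LEVELS = {"L": 1, "M": 2, "H": 3}            # qualitative scale used on the slide
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}
RISK_ORDER = ["L", "M", "M-H", "H"]          # lowest to highest risk rating

# ASSUMPTION: the deck shows I=M, L=H -> R=M-H but no matrix. This matrix is
# constructed for the example so that combination reproduces the slide's value.
RISK_MATRIX = {
    ("L", "L"): "L", ("L", "M"): "L",   ("L", "H"): "M",
    ("M", "L"): "L", ("M", "M"): "M",   ("M", "H"): "M-H",
    ("H", "L"): "M", ("H", "M"): "M-H", ("H", "H"): "H",
}


def risk_rating(impact: str, likelihood: str) -> str:
    """Combine Impact (I) and Likelihood (L) into a Risk (R) rating."""
    return RISK_MATRIX[(impact, likelihood)]


@dataclass
class Safeguard:
    sg_id: str
    description: str
    status: str                     # "Existing" or "Recommended", as on the slide
    likelihood_reduction: int = 1   # ASSUMPTION: likelihood levels this safeguard removes


@dataclass
class RiskScenario:
    ref: str                        # R#, e.g. PR22
    principle: str                  # privacy principle the scenario is organized under
    description: str
    impact: str                     # I
    likelihood: str                 # L
    safeguards: List[Safeguard] = field(default_factory=list)

    def initial_risk(self) -> str:
        """R before any safeguard is credited."""
        return risk_rating(self.impact, self.likelihood)

    def residual_likelihood(self, include_recommended: bool) -> str:
        """Likelihood left after crediting existing (and optionally recommended) safeguards."""
        level = LEVELS[self.likelihood]
        for sg in self.safeguards:
            if sg.status == "Existing" or (include_recommended and sg.status == "Recommended"):
                level -= sg.likelihood_reduction
        return LEVEL_NAMES[max(level, LEVELS["L"])]   # never below L

    def residual_risk(self, include_recommended: bool = False) -> str:
        """R after existing safeguards, or after existing plus recommended ones."""
        return risk_rating(self.impact, self.residual_likelihood(include_recommended))


def by_principle(scenarios: List[RiskScenario]) -> Dict[str, List[RiskScenario]]:
    """Organize the analysis by privacy principle (slide: Risk Scenario Analysis (2))."""
    grouped: Dict[str, List[RiskScenario]] = {}
    for sc in scenarios:
        grouped.setdefault(sc.principle, []).append(sc)
    return grouped


def action_plan(scenarios: List[RiskScenario]) -> List[Tuple[str, Safeguard]]:
    """Recommended safeguards, scenarios with the highest residual risk (existing
    safeguards only) first: the prioritized action plan a checklist PIA lacks."""
    ordered = sorted(scenarios, key=lambda sc: RISK_ORDER.index(sc.residual_risk()), reverse=True)
    return [(sc.ref, sg) for sc in ordered for sg in sc.safeguards if sg.status == "Recommended"]


def build_pr22() -> RiskScenario:
    """PR22 from the slide's table. Only PSP250 is marked Recommended on the deck;
    the other statuses and all likelihood reductions are constructed for this example."""
    return RiskScenario(
        ref="PR22", principle="Consent",
        description="Consent is not obtained in all cases (telephone and mail inquiries).",
        impact="M", likelihood="H",
        safeguards=[
            Safeguard("PSGP112", "XXX User Agreements", "Recommended"),
            Safeguard("PSP201", "Business Manual", "Recommended"),
            Safeguard("PSP250", "Business Liaison with ATIP", "Recommended"),
            Safeguard("PSP251", "Consistent notices and forms", "Existing"),
            Safeguard("PSP252", "Consent procedures", "Recommended"),
            Safeguard("PSA500", "Periodic audits by ATIP office", "Recommended"),
        ],
    )


if __name__ == "__main__":
    pr22 = build_pr22()
    print(f"{pr22.ref}: I={pr22.impact} L={pr22.likelihood} R={pr22.initial_risk()} "
          f"residual(existing)={pr22.residual_risk()} "
          f"residual(all)={pr22.residual_risk(include_recommended=True)}")
    for principle, scenarios in by_principle([pr22]).items():
        print(f"Principle: {principle} -> {[sc.ref for sc in scenarios]}")
    for ref, sg in action_plan([pr22]):
        print(f"  {ref} {sg.sg_id} {sg.description} [{sg.status}]")
```

The two calls to residual_risk correspond to the two "Rate residual risk" steps on slide (2): once with only existing safeguards credited, once with the recommended ones added. Because the safeguard effect is modelled on likelihood alone, a scenario whose impact is H keeps an R of at least M whatever safeguards are listed, which is the kind of ranking the deck says a yes/no questionnaire cannot produce.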

Recipe Recap: Get the right information at the right time

• Lifecycle Alignment and Integration:
  – Set up your project to get privacy requirements and solutions at the right time
• Risk Analysis Process Integration:
  – Align your privacy and security risk management processes
• PIA Analysis Improvement:
  – Formalize and harmonize privacy risk analysis with other risk analysis processes

Questions?

Thank you for your time.