Privacy & Security Training for Senior Staff

Upload: vivien-waters

Post on 25-Dec-2015


Privacy & Security Training for Senior Staff

Agenda
- What is privacy?
- Privacy & security, what’s the difference?
- The Future of privacy & security in Ohio
- What agencies need to do
  - Define; Classify; Map; Minimize
  - Invest budget & staff resources towards privacy & security
- Bottom line


What is Privacy & Where is it Going?

“The right to be left alone -- the most comprehensive of rights, and the right most valued by civilized men.” ~ Louis Brandeis

“Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” ~ Alan Westin

“You have no privacy, get over it.” ~ Scott McNealy


What is Privacy: That was Then & This is Now
- Privacy not in Constitution
  - Has been interpreted in “penumbra”
- Privacy - Then
  - Practical Obscurity
  - No internet; no cell phones; less data gathering; sense of “ain’t nobody’s business”
- Privacy - Now
  - Information Age
  - More data gathering across government & business
  - Cell phones
  - Mobile & wireless computing
  - 24/7 access
  - Technological Developments (surveillance cameras & software, RFID)

Privacy Spheres
- Consumer privacy (online & offline)
  - Usage of data by private businesses & organizations
  - Opt-in, opt-out
  - Data Sharing
  - Cookies, shopping incentive cards
  - Social networking
- Governmental privacy
  - Similar issues as with consumer privacy PLUS
  - Privacy as a civil liberty
  - Governmental monitoring: Wiretapping, Surveillance, etc…
- The Future – Pervasive & ubiquitous computing
  - Constant data gathering
  - RFID, REAL ID, biometrics, facial & behavior recognition, social networking, GPS, nanotechnology


Basic Privacy Principles

1. Minimization/Collection Limitation: only collect that data for which you have a business need.

2. Notice/Awareness: clear and complete disclosure to individuals on the specifics of how the data they submit is to be collected, used, and shared with other organizations, in addition to the steps taken to preserve the data’s confidentiality, integrity, and quality.

3. Choice/Consent: where applicable, give individuals the choice of what data they submit, how it can be used, and with whom it can be shared.

4. Access: where applicable, give reasonable access to an individual’s personal data for review, modification, correction, and, where appropriate, deletion.

5. Integrity/Security: ensure that personal information is relevant, accurate, and consistent throughout the enterprise; and that reasonable security precautions are taken to protect data from unauthorized use, access, or transfer.

6. Accountability/Enforcement: specify an individual(s) to ensure the integrity and security of the data, and to enforce applicable law and policy.


Privacy and Security, what is the difference?
- Privacy & Security are flip sides of a coin
- Privacy
  - Broadly speaking, how data is defined and used
  - Laws, regulations, and policies that define and classify data and data usage
- Security
  - Securing the data, both physically and technologically, per its definition to ensure its
    - Confidentiality (limited access)
    - Integrity (authentic & complete)
    - Availability (accessible)


CPO Role – Data Protection Strategist & Evangelist
- Statewide subject matter expert for advice, counsel, & direction
- Work to align state practices with recognized fair information principles, federal & state laws
- Statewide & OIT Policy and Procedure Development
- Administrative rules
- Centralized forum for agency guidance & sharing of best practices
- Executive & Legislative Guidance
  - Executive Orders
  - Testimony
  - Bill development & guidance
- Incident Response
- Awareness, Training & Education
  - Web presence, presentations
- Work alongside CISO
  - Implement security standards, technologies, programs
- Prognosticate the Future While Helping Shape the Present
  - REAL ID, RFID, Biometrics, Surveillance, Social Networking


CISO Role – Data Protection Architect
- Statewide SME for technical guidance & implementation
- SME in NIST, ISO 27001 & 27002, and other recognized standards
- Enable & implement security standards, technologies, programs that align with international and federal standards
  - Encryption; Wireless; IT Security Policy (ex: remote access security, boundary security)
- Incident Response
- Assess/Audit IT security infrastructure & policy
  - Network & application security assessments
  - ISO/NIST security assessments of IT security policy
- Work alongside CPO
  - Education Awareness & Training
- Develop statewide IT strategic plan
- Prognosticate the Future While Helping Shape the Present
  - Data classification
  - Systems Lifecycle Policy
  - RFID, Biometrics

October 10, 2007

Why Protect Privacy? – World View
- Australia: Federal Privacy Amendment Bill; State Privacy Bills in Victoria, New South Wales and Queensland; new email spam and privacy regulations
- California: SB 1, SB 1386, SB 27, AB 1950
- South Africa: Electronic Communications and Transactions Act
- US Federal: HIPAA, GLBA Safeguards Rule, COPPA,
- Hong Kong: Personal Data Privacy Ordinance
- Canada: PIPEDA
- Japan: Personal Information Protection Act, METI Guidelines
- Chile: Law for the Protection of Private Life
- South Korea: Act on Promotion of Information and Communications Network Utilization and Data Protection
- India: Law pending currently under discussion
- New Zealand: Privacy Act
- Argentina: Personal Data Protection Law, Confidentiality of Information Law
- Philippines: Data Privacy Law proposed by ITECC
- Taiwan: Computer-Processed Personal Data Protection Law
- European Union: EU Data Protection Directive and Member States, Safe Harbor Principles


Why protect privacy? – Federal View
- Federal privacy legislation & rules on the rise
  - HIPAA
  - GLB
  - FCRA
  - COPPA
  - Do-not-call
  - REAL ID
  - OMB mandate on data breach reporting
- The Office of Management and Budget's Office of Electronic Government and Information Technology reports that about 30 incidents occur daily exposing individuals' personal information
- Currently in Congress: breach notification; SSN protection; electronic health information sharing


Why protect privacy? – Ohio View
- It’s a best practice and rapidly becoming Ohio law and policy!
  - Executive Order 13: Improving State Agency Data Privacy and Security
  - Ohio IT Bulletin ITB-2007.02: Data Encryption and Securing Sensitive Data
  - ITP-B.11: Data Classification Policy
  - HB 104: Data Breach Notification Law
  - HB 13: No SSN - Vehicle Registration Renewal Notice
  - SB 6: Credit Freeze; SSN Redaction; PIA
  - SafeBoot encryption
  - Upcoming Administrative Rules on Sensitive Data Protection, and Privacy Policies
  - And more…
- Other states, especially California, are also pushing forward with privacy & security legislation


Why protect privacy? – Citizen View
- Increasing sensitivity & fear of ID Theft
  - Cost of ID Theft in U.S. 2006 = $49 Billion
- Security breaches - Daily occurrence
  - 446 Breaches as of 12/31/07, involving 128 million records
  - TJ Maxx breach may cost as much as $256 million!
  - UK Breach: sensitive info of 25 million citizens
  - Federal OMB: 30 data breach incidents occur daily


Why Protect Privacy? - Public Trust

Citizens have no option to shop around – they are required to provide personal information to government.

We have an obligation to protect the information entrusted to us.

The Future of Privacy & Security?

The Future of Privacy & Security

- Data aggregation
- Data Sharing
- Threats/Vulnerabilities
- Biometrics, RFID
- Risk Assessment
- Transparency
- Accountability

We can no longer make assumptions about privacy & use of data. We must create a legal and policy framework that respects personal information (privacy) and safeguards its proper use (security), all while respecting Ohio’s Sunshine Laws.


The Future of Privacy & Security - Ohio
- Privacy (law, policy, rules, awareness)
  - Law: Data minimization; bulk records requests
  - Policies: Business Continuity; System Development Lifecycle (PIA & app vulnerability testing); Physical security
  - Enhanced awareness & training efforts
    - Incident response training a *must*
- Security (technology)
  - Data-level encryption
  - ID/Access Management
  - Physical security
- Threats
  - Social engineering; netbots; web app vulnerabilities; wireless; employee activities


The Future of Privacy & Security - Ohio
- Increased inter-agency data-sharing
  - OAKS & elsewhere
  - Development of a template data-sharing agreement
- Increased multi-agency solutions
  - Sharing of best practices, policies, procedures, RFQs
  - Enterprise-wide procurement opportunities
  - Mobile encryption
- Statewide CISO & CPO
  - Shared resources for enabling & auditing Ohio’s privacy security environment
  - SB 6 calls for statewide CISO; Governor’s & DAS/OIT office already looking at the issue


What Agencies Need to Do:
- Publish, test & maintain your incident response plan
- Define & Classify Data
  - Sensitive PII; Confidential/Critical
- Map data
  - Where does it live; follow data flows; data lifecycle
- Minimize – less is more
  - Data & Access
- Work Cooperatively
  - Within the agency; across the state enterprise
- Vendor Management
  - Build privacy & security into contract terms
  - Validate & monitor vendor practices
  - Beware of vendor sub-contracting
- Invest in Privacy & Security
  - Policy & Procedure
  - Technology
  - Awareness & Training


Investing in Privacy & Security
- Policy & Procedure Investment
  - Make sure agency-specific policies & procedures are promulgated & implemented (especially incident response)
  - Classify Data
  - Keep abreast of the latest privacy & security laws & news
    - Weekly CPO Privacy & Security News Brief
    - State of Ohio Privacy & Security Information Center website
- Technological Investment
  - Encryption
  - Data mapping
  - ID/Access Management
  - Physical security
- Awareness & Training Investment (Might be most important investment of all)
  - Use centralized resources (CPO, training ppts, OIT FAQs)
  - Build into on-boarding & performance reviews
  - Regular refreshers


Privacy & Security Are NOT Just IT-Related
- Sr. Staff/Data Owners/Legal
  - Data Minimization
  - Risk Analysis
  - Data Classification
  - Policy & Procedure Development
  - Ensuring Funding
  - Vendors/contracting
  - Education & Awareness
- IT = Data Custodian
  - Secure data per risk analysis & classification
  - Maintain security throughout system life cycle

Spotlight on Data Classification
- Data classification is NOT an IT function – it is a business process and requires business resources to be successful.
- Classification requires an educated Steering Committee to include:
  - IT management, security & audit
  - Risk management
  - Business Leaders
  - Legal
- Use the Steering Committee to:
  - Baseline the data environment & determine scope
  - Identify risk, laws, policies, and regulations
  - Validate objectives
  - Monitor progress

BOTTOM LINE
- Incidents will occur
- Understand that privacy & security are EVERYONE’S business
- Be prepared & invest
  - Policy, procedure, planning
    - Incident response policy - plan & test
  - Awareness & training
    - Part of on-boarding; performance review
  - IT security infrastructure
  - Build privacy & security at beginning
    - Lifecycle view: PIA & App testing


Public Trust
- Privacy & security are the right thing to do
- Citizens have no option to shop around – they are required to provide personal information to government.
- We have an obligation to protect the information entrusted to us.


NEVER AGAIN!


(Some) Privacy Resources
- Ohio Privacy & Security Information Center: http://www.privacy.ohio.gov/
- Federal Citizen Information Privacy Resources: http://www.pueblo.gsa.gov/privacy_resources.htm
- Federal Trade Commission Privacy Initiatives: http://www.ftc.gov/privacy/index.html
- Onguard Online: http://onguardonline.gov/index.html
- Identity Theft Resource Center: http://www.idtheftcenter.org/
- Center for Democracy & Technology: http://www.idtheftcenter.org/

Questions?

Sol Bermann
Chief Privacy Officer, J.D., CIPP

DAS-OIT
