© 2003, EDUCAUSE/Internet2 Computer and Network Security Task Force

Security, Privacy, and the Protection of Personally Identifiable Information

Rodney J. Petersen, Policy Analyst, EDUCAUSE

EDUCAUSE/Internet2 Security Task Force Coordinator

Information Protection Strategies
- Security versus Privacy (Positions)
  - Security or Privacy: Win/Lose
  - Neither Security nor Privacy: Lose/Lose
  - Security and Privacy: Win/Win
- Balancing Interests (Compromise)
  - Tradeoffs: Win/Lose
  - Legal and Ethical Approaches: Win/Win

Goals of IT Security
- Confidentiality: computers, systems, and networks that contain information require protection from unauthorized use or disclosure.
- Integrity: computers, systems, and networks that contain information must be protected from unauthorized, unanticipated, or unintentional modification.
- Availability: computers, systems, and networks must be available on a timely basis to meet mission requirements or to avoid substantial losses.

Policy of the United States

“In the past few years, threats in cyberspace have risen dramatically. The policy of the United States is to protect against the debilitating disruption of the operation of information systems for critical infrastructures and, thereby, help to protect the people, economy, and national security of the United States. We must act to reduce our vulnerabilities to these threats before they can be exploited to damage the cyber systems supporting our Nation’s critical infrastructures and ensure that such disruptions of cyberspace are infrequent, of minimal duration, manageable, and cause the least damage possible.”

Letter from President George W. Bush to The American People, The National Strategy to Secure Cyberspace (February 2003)

Congressional Actions – Fall 2003
- “Worms and Viruses” – multiple hearings
- “Database Security: Finding Out When Your Information Has Been Compromised” – U.S. Senate Committee on the Judiciary, Subcommittee on Technology, Terrorism and Government Information (November 4, 2003)
- “Cybersecurity & Consumer Data: What’s at Risk for the Consumer?” – U.S. House Committee on Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection (November 19, 2003)

Public Policy Issues
- Identity Theft
- Notification of Security Breaches
- Protection of Personally Identifiable Information
  - Social Security numbers
  - Credit Card Information
- Privacy Policies & Collection Practices
- Safeguarding Information

GLB Act Security Safeguards
- Designate employee(s) to coordinate
- Conduct a risk assessment
  - Identify reasonably foreseeable risks
  - Assess the sufficiency of any safeguards in place to control these risks
- Design and implement safeguards to control the risks you identified through risk assessment
- Regularly test and monitor the effectiveness of the safeguards
- Oversee service providers

HIPAA Security Regulations – Administrative Safeguards
- Security Management Process
  - Risk Analysis
  - Risk Management
- Appointment of a security official
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Incident Response Procedures
- Contingency Plan

U.S. Privacy Act of 1974

Federal agencies are required to “establish appropriate administrative, technical and physical safeguards to insure” security and confidentiality and “protect against anticipated threats . . . which could result in substantial harm, embarrassment, inconvenience or unfairness to any individual.”

Fair Information Practices
- Access and correction
- Transparency
- Data security
- Specifying and limiting purposes for which data can be used
- Data minimization
- Enforcement

(Fair Credit Reporting Act, Privacy Act, and several other information privacy laws)

FTC’s Principles for Government Privacy Policies and E-Commerce
- Notice
- Choice/Consent
- Access
- Security
- Enforcement

Emerging Issues
- Notification to “Consumers”
  - Disclosure of the organization’s maintenance of personally identifiable information
  - Description of what procedures the organization has in place to protect data
  - Notification when a breach or leakage has the potential for harm
- Providing a Right of Access: individuals need to know what information is being kept about them.
- Adoption of the Privacy Act’s Security Standard: application of federal agency rules to the private sector
- Creation of a Private Right of Action

Public Policy Framework
- Coverage: any record containing nonpublic personal information, whether in paper, electronic, or other form
- Information Security Program: the administrative, technical, and physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle information
- Risk Assessment and Mitigation of Risks
- Notification of Owners of PII
- Or Be Held Accountable!

“Negligent Security”
- Duty
  - Statutory obligations
  - Created by contract or promise
  - Assumed in policy or mission statement
  - Standard of care in the industry!!!
- Breach
- Damage
- Causation

Risk Management
- Risk = Threats x Vulnerabilities x Impact
- Only 30% of the institutions surveyed have undertaken a risk assessment to determine their IT assets’ value and the risk to those assets – ECAR Study (2003)
- Risk Assessment (identify assets, classify assets, inventory policies and practices, vulnerabilities, etc.) and Responses to Risk (assumption, control, mitigation, or avoidance)
- Types of Risk (Impact): Legal Risks, Financial Risks, Reputational Risks, Operational Risks, Strategic Risks

Cybersecurity Plans
- Only 13% of the institutions surveyed have comprehensive IT security plans in place. 10% said no plan was in place. 42% had a partial plan in place. 36% are currently developing a plan – ECAR Study (2003)
- Convergence with Emergency Preparedness Planning Activities
- Relationship to Business Continuity and Contingency Plans
- Cyber Security as part of Strategic Plans

Security Policies
- “A security policy is a concise statement, by those responsible for a system (such as senior management), of information values, protection responsibilities and organizational commitment.” [U.S. General Accounting Office]
- 54% of the institutions surveyed have formal institutional IT security policies – ECAR Study (2003)
- 37% had policies in the implementation stage – ECAR Study (2003)

What Formal Policies Cover
- 99% – acceptable use
- 89% – system access control
- 85% – authority to shut off Internet access
- 83% – data security
- 82% – network security
- 82% – enforcement of institutional policies
- 80% – desktop security
- 71% – physical security of assets
- 61% – residence halls
- 51% – remote devices
- 39% – application development

ECAR Study (2003)

Security Policies & Procedures
- Rationale/Purpose
- Scope
- Policy Statement
- Roles & Responsibilities
- Procedures
- Related Policies

Rationale or Purpose
Examples include:
- Confidentiality, Integrity, & Availability
- Attainment of Institutional Mission
- Compliance with Laws or Regulations
  - GLB Act
  - HIPAA
  - State Laws or Regulations

Principles
Guiding Principles:
- Civility and Community
- Academic and Intellectual Freedom
- Privacy and Confidentiality
- Equity, Diversity, and Access
- Fairness and Process
- Ethics, Integrity, and Responsibility

Scope
Examples include:
- Data and information?
- Computers and networks?
- “Information Resources – information in any form and recorded on any media, and all computer and communications equipment and software.” [Georgetown University Information Security Policy]

Policy Statement
Examples include:
- Critical asset identification
- Risk management
- Physical security
- System and network management
- Authentication & authorization
- Access control
- Vulnerability management
- Awareness & training

Roles and Responsibilities
Examples include:
- Governing Board
- Executive Management
- Chief Information Officer
- Chief Security Officer
- Unit Directors and Data Stewards
- End-Users

Procedures
Examples include:
- Confidentiality and Nondisclosure
- Breach notification
- Logging and monitoring
- Identification of departmental contacts
- Blocking network access
- Incident response

Related Policies
Examples include:
- Acceptable Use
- Elimination of Social Security numbers as primary identifiers
- Privacy Policy or Collection and Disclosure of Personal Information
- Data Management and Access Policy
- Identity Management

For more information:

EDUCAUSE/Internet2 Computer and Network Security Task Force

http://www.educause.edu/security

Email: [email protected]