© 2003, EDUCAUSE/Internet2 Computer and Network Security Task Force
Security, Privacy, and the Protection of Personally Identifiable Information
Rodney J. Petersen, Policy Analyst, EDUCAUSE
EDUCAUSE/Internet2 Security Task Force Coordinator

Information Protection Strategies
- Security versus Privacy - Positions
  - Security or Privacy – Win/Lose
  - Security nor Privacy – Lose/Lose
  - Security and Privacy – Win/Win
- Balancing Interests - Compromise
  - Tradeoffs – Win/Lose
  - Legal and Ethical Approaches – Win/Win

Goals of IT Security
- Confidentiality: computers, systems, and networks that contain information require protection from unauthorized use or disclosure.
- Integrity: computers, systems, and networks that contain information must be protected from unauthorized, unanticipated, or unintentional modification.
- Availability: computers, systems, and networks must be available on a timely basis to meet mission requirements or to avoid substantial losses.

Policy of the United States
“In the past few years, threats in cyberspace have risen dramatically. The policy of the United States is to protect against the debilitating disruption of the operation of information systems for critical infrastructures and, thereby, help to protect the people, economy, and national security of the United States. We must act to reduce our vulnerabilities to these threats before they can be exploited to damage the cyber systems supporting our Nation’s critical infrastructures and ensure that such disruptions of cyberspace are infrequent, of minimal duration, manageable, and cause the least damage possible.”
– Letter from President George W. Bush to The American People, The National Strategy to Secure Cyberspace (February 2003)

Congressional Actions – Fall 2003
- “Worms and Viruses” – multiple hearings
- “Database Security: Finding Out When Your Information Has Been Compromised” – U.S. Senate Committee on the Judiciary, Subcommittee on Technology, Terrorism and Government Information (November 4, 2003)
- “Cybersecurity & Consumer Data: What’s at Risk for the Consumer?” – U.S. House Committee on Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection (November 19, 2003)

Public Policy Issues
- Identity Theft
- Notification of Security Breaches
- Protection of Personally Identifiable Information
  - Social Security numbers
  - Credit Card Information
- Privacy Policies & Collection Practices
- Safeguarding Information

GLB Act Security Safeguards
- Designate employee(s) to coordinate
- Conduct a risk assessment
  - Identify reasonably foreseeable risks
  - Assess the sufficiency of any safeguards in place to control these risks
- Design and implement safeguards to control the risks you identified through risk assessment
- Regularly test and monitor the effectiveness of the safeguards
- Oversee service providers

HIPAA Security Regulations
- Administrative Safeguards
  - Security Management Process
    - Risk Analysis
    - Risk Management
  - Appointment of a security official
  - Workforce Security
  - Information Access Management
  - Security Awareness and Training
  - Incident Response Procedures
  - Contingency Plan

U.S. Privacy Act of 1974
Federal agencies are required to “establish appropriate administrative, technical and physical safeguards to insure” security and confidentiality and “protect against anticipated threats . . . which could result in substantial harm, embarrassment, inconvenience or unfairness to any individual.”

Fair Information Practices
- Access and correction
- Transparency
- Data security
- Specifying and limiting purposes for which data can be used
- Data minimization
- Enforcement
(Fair Credit Reporting Act, Privacy Act, and several other information privacy laws)

FTC’s Principles for Government Privacy Policies and E-Commerce
- Notice
- Choice/Consent
- Access
- Security
- Enforcement

Emerging Issues
- Notification to “Consumers”
  - Disclosure of the organization’s maintenance of personally identifiable information
  - Description of what procedures the organization has in place to protect data
  - Notification when a breach or leakage has the potential for harm
- Providing a Right of Access: individuals need to know what information is being kept about them.
- Adoption of the Privacy Act’s Security Standard: application of federal agency rules to the private sector
- Creation of a Private Right of Action

Public Policy Framework
- Coverage: any record containing nonpublic personal information, whether in paper, electronic, or other form
- Information Security Program: the administrative, technical, and physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle information
- Risk Assessment and Mitigation of Risks
- Notification of Owners of PII
- Or Be Held Accountable!

“Negligent Security”
- Duty
  - Statutory obligations
  - Created by contract or promise
  - Assumed in policy or mission statement
  - Standard of care in the industry!!!
- Breach
- Damage
- Causation

Risk Management
- Risk = Threats x Vulnerabilities x Impact
- Only 30% of the institutions surveyed have undertaken a risk assessment to determine their IT assets’ value and the risk to those assets – ECAR Study (2003)
- Risk Assessment (identify assets, classify assets, inventory policies and practices, vulnerabilities, etc.) and Responses to Risk (assumption, control, mitigation, or avoidance)
- Types of Risk (Impact): Legal Risks, Financial Risks, Reputational Risks, Operational Risks, Strategic Risks

Cybersecurity Plans
- Only 13% of the institutions surveyed have comprehensive IT security plans in place. 10% said no plan was in place. 42% had a partial plan in place. 36% are currently developing a plan – ECAR Study (2003)
- Convergence with Emergency Preparedness Planning Activities
- Relationship to Business Continuity and Contingency Plans
- Cyber Security as part of Strategic Plans

Security Policies
- “A security policy is a concise statement, by those responsible for a system (such as senior management), of information values, protection responsibilities and organizational commitment.” [U.S. General Accounting Office]
- 54% of the institutions surveyed have formal institutional IT security policies – ECAR Study (2003)
- 37% had policies in the implementation stage – ECAR Study (2003)

What Formal Policies Cover
- 99% - acceptable use
- 89% - system access control
- 85% - authority to shut off Internet access
- 83% - data security
- 82% - network security
- 82% - enforcement of institutional policies
- 80% - desktop security
- 71% - physical security of assets
- 61% - residence halls
- 51% - remote devices
- 39% - application development
ECAR Study (2003)

Security Policies & Procedures
- Rationale/Purpose
- Scope
- Policy Statement
- Roles & Responsibilities
- Procedures
- Related Policies

Rationale or Purpose
Examples include:
- Confidentiality, Integrity, & Availability
- Attainment of Institutional Mission
- Compliance with Laws or Regulations
  - GLB Act
  - HIPAA
  - State Laws or Regulations
- Principles

Guiding Principles
- Civility and Community
- Academic and Intellectual Freedom
- Privacy and Confidentiality
- Equity, Diversity, and Access
- Fairness and Process
- Ethics, Integrity, and Responsibility

Scope
Examples include:
- Data and information?
- Computers and networks?
- “Information Resources – information in any form and recorded on any media, and all computer and communications equipment and software.” [Georgetown University Information Security Policy]

Policy Statement
Examples include:
- Critical asset identification
- Risk management
- Physical security
- System and network management
- Authentication & authorization
- Access control
- Vulnerability management
- Awareness & training

Roles and Responsibilities
Examples include:
- Governing Board
- Executive Management
- Chief Information Officer
- Chief Security Officer
- Unit Directors and Data Stewards
- End-Users

Procedures
Examples include:
- Confidentiality and Nondisclosure
- Breach notification
- Logging and monitoring
- Identification of departmental contacts
- Blocking network access
- Incident response

Related Policies
Examples include:
- Acceptable Use
- Elimination of Social Security numbers as primary identifiers
- Privacy Policy or Collection and Disclosure of Personal Information
- Data Management and Access Policy
- Identity Management

For more information:
EDUCAUSE/Internet2 Computer and Network Security Task Force
http://www.educause.edu/security
Email: [email protected]