
< Project Name >

Security and Privacy Risk Assessment Template Last Updated: January 27, 2016

Submission Date:

Executive Team:

Project Sponsor:

Service Owner:

Project Manager:

Template Name: Security and Privacy Risk Assessment Template

Template ID: RA.1

Project Stage:


Contents

Overview of the Security and Privacy Risk Assessment Process

Instructions for Completing the Security and Privacy Risk Assessment Template

STAGE 1: PROPOSAL
1.1 Project Identification and Lead
1.2 Project Description
1.3 Key Stakeholders
1.4 Business Flow Diagram
1.5 Information Involved in the Project
1.6 Information Handling Requirements
1.7 Privacy and Records Retention Requirements
1.8 Assessment

STAGE 2: INVESTIGATION
2.1 Security and Privacy Analysis

STAGE 3: INITIATION
3.1 Solution Information
3.2 Security and Privacy Analysis
3.3 Contract Negotiation

STAGE 4: PLANNING
4.1 Data Flow
4.2 Security and Privacy Analysis

STAGE 5: IMPLEMENTATION
5.1 Security and Privacy Analysis

Security and Privacy Risk Register

Appendix 1: Personal Information under FIPPA

Appendix 2: Privacy Principles

DRAFT of January 27, 2016 - 1


Overview of the Security and Privacy Risk Assessment Process

The Security and Privacy Risk Assessment is a staged process that provides a comprehensive review and evaluation of the risks and controls associated with the records and data collection and management requirements of a cloud based or hosted solution.

Objectives:

1) To ensure that Queen’s University’s and its service providers’ data collection and handling processes are aligned with relevant privacy legislation, including the Freedom of Information and Protection of Privacy Act (FIPPA). (N.B.: For projects involving “personal health information” as defined by the Personal Health Information Protection Act (PHIPA), consult with the Privacy Office for further instructions.)

2) To ensure that Queen’s University’s records and data are managed in accordance with internal policies and procedures.

The Security and Privacy Risk Assessment is part of the “Authorization to Operate” process.


Stage 1: Proposal
Project Description; Business Flow Diagram; Data Classification Analysis

Stage 2: Investigation
Privacy & Security Assessment of Vendor; Security and Privacy Risk Assessment of Service Owner (Investigation)

Stage 3: Initiation
Security and Privacy Risk Assessment of Service Owner (Initiation); Data Flow Diagram; Contract/NDA/SLA

Stage 4: Planning
Security and Privacy Risk Assessment of Service Owner (Planning)

Stage 5: Implementation
Operational Documentation; Security and Privacy Risk Register; Authorization Sign-off

In the original process diagram, items in black are completed as part of this Security and Privacy Risk Assessment, and items in blue are completed as separate, but related, documentation. (See http://queensu.ca/cio/information-systems-security-office/authorization-operate).

Instructions for Completing the Security and Privacy Risk Assessment Template

What is the Security and Privacy Risk Assessment Template?
The Security and Privacy Risk Assessment Template provides documentation for the risk assessment reviews conducted with regard to the software application and services under consideration. It provides the vendor, project team and stakeholders with an understanding of how well the proposed software applications and services can address the data collection, use, retention, storage and disposition requirements of the business processes they manage.

The completion of this template is mandatory for all projects that require the collection and storage of personal information, and recommended for all projects that involve University records and data.

Who should fill out the Security and Privacy Risk Assessment Template?
The Project Manager, with the assistance of the Service Owner and the Vendor, is responsible for the completion of this document.

The Project Manager is … [define]

The Service Owner is the individual responsible for delivery of the business function.

When should the Security and Privacy Risk Assessment Template be filled out?
The Security and Privacy Risk Assessment Template is completed in parts; the sections are categorized according to project stage. Stages 1 and 2 must be completed before signing any contract or agreeing to any Terms of Use.

Resources
Those completing this risk assessment are encouraged to seek assistance from the Records Management and Privacy Office (http://www.queensu.ca/accessandprivacy/) as early in the process as practical.


STAGE 1: PROPOSAL

The purpose of this stage is to understand the business need: why is the project being considered? What data is involved in the project? What information will be collected, used, disclosed, retained and disposed of within the cloud service, and what is the level of sensitivity of that information? It is at this stage that the responsible information stewards should be consulted about the project, as well as any other relevant stakeholders.

The outcome of this stage is a decision on whether to proceed with seeking a solution. Accordingly, this stage should be completed BEFORE a service provider is procured.

The information in this stage is to be compiled by the Service Owner.

1.1 Project Identification and Lead

Project Name: <Insert>

Project Sponsor: <Insert>

Department: <Insert>

Project Manager/Lead: <Insert>

1.2 Project Description

Insert a brief overview of the project, the business needs and key objectives.

1.3 Key Stakeholders

Name | Title


1.4 Business Flow Diagram

The business flow diagram outlines the existing business processes in place. It should clearly demonstrate the overall goal of the business process, as well as the requirements involved in every step of the process.

1.5 Information Involved in the Project

1.5.1 Identify all individuals whose information will be involved in the project, i.e., the data subjects. Be as specific as possible, e.g., Students of which faculty? Employees of which department? Which constituency of community members?

DATA SUBJECT | DESCRIPTION (e.g., faculty, department, number)

1.5.2 For each type of data subject, identify the kinds of personal information (i.e., data elements) that will be collected, used, disclosed, retained and disposed of through the project (check all that apply). Remember that information about an individual acting in a business capacity (e.g., name with job title, business contact information, etc.) is not considered to be personal information.

DATA ELEMENT (e.g., student number, email address, grades, personal opinions, etc.) | COLLECT (either by the unit or through the system/application) | USE (use of information already collected by the unit) | DISCLOSE (by the system/application) | RETAIN (in the system/application) | DISPOSE (by the system/application)

1.5.3 List all information stewards for the personal information involved in the project. Ensure these information stewards are consulted throughout this process.

DATA ELEMENT OR INFORMATION TYPE (e.g., student record, alumni record) | INFORMATION STEWARD (TITLE)

1.6 Information Handling Requirements

Based on the analysis above, refer to the University’s Data Classification Scheme, and identify specific information-handling requirements for each data element. Consult with the appropriate Information Steward if unsure.

DATA ELEMENT (e.g., student number, email address, grades, personal opinions, etc.) | ENCRYPTION IN TRANSIT | ENCRYPTION AT REST | SECURE DELETION / DESTRUCTION | JURISDICTIONAL RESTRICTIONS | ACCESS RESTRICTED TO NAMED INDIVIDUALS | [OTHER?]

1.7 Privacy and Records Retention Requirements

1.7.1 Identify applicable privacy and other legislation for the information involved in the project. Consult with the appropriate Information Steward if unsure. For each, indicate YES, NO or UNKNOWN:

Freedom of Information and Protection of Privacy Act (FIPPA)
Personal Health Information Protection Act (PHIPA) (N.B. If personal health information is involved, consult with the Privacy Office.)
Personal Information Protection and Electronic Documents Act (PIPEDA)
Other:


1.7.2 Identify records retention and disposition requirements for the information involved in the project as defined by Queen’s University records retention schedules or in legislation or policy. (Note that under FIPPA, personal information must be retained for a minimum of 1 year after use.) Consult with the appropriate Information Steward if unsure.

SCHEDULE NUMBER | SCHEDULE TITLE | RETENTION PERIOD (Years) | DISPOSITION (Destroy or Transfer to Archives) | OTHER AUTHORITIES (identify and describe below; e.g., statutes, policies, collective agreements)

1.8 Assessment

Based on the information identified above, if it is decided to continue with outsourcing the project to a third-party vendor, ensure the vendor can meet all requirements for:

Information handling
Privacy
Records retention

Ensure the Information Stewards are consulted and approve of any decision to move forward.


STAGE 2: INVESTIGATION

The purpose of this stage is to investigate potential vendors and their ability to meet the needs identified in Stage 1. It is at this stage that vendors are asked to complete the Vendor Security and Privacy Assessment. In addition, the Service Owner should review each potential vendor’s Terms of Use and Privacy Policy.

The outcome of this stage is an identified vendor.

2.1 Security and Privacy Analysis

Questions for Service Owner

Question | Findings (Yes / No / Unknown / NA) | Response (If applicable, indicate the document where this is addressed)

COLLECTION

S2-1 Has the purpose of the collection been defined? What is the purpose of the collection?

S2-2 Is the collection of personal information authorized under FIPPA or another statute?

S2-3 Will notice of collection be provided to the individual(s)? Explain timing method, and exemptions from notice, where authorized.

S2-4 Will the notice of collection comply with FIPPA? Explain how or missing components.

S2-5 Will personal information be collected directly from the individual? Explain the form of collection (for example, orally, hardcopy form, online portal, web form, etc.)

S2-6 Will personal information be collected indirectly from another source (e.g., from another Queen’s University system), or covertly? Why?

S2-7 Will indirect collection comply with FIPPA? Explain authority for indirect collection.

USE

S2-8 Has the purpose of the use been defined? Explain purpose(s).

S2-9 Will personal information be used for data matching, data analysis or data profiling? Describe.

S2-10 Will personal information be linked or cross referenced to other information systems, technologies or programs? Describe.

S2-11 Will personal information used for secondary purposes be anonymized?

S2-12 Have all parties using personal information been defined, for example, program staff, consultants, agents, third party service providers, etc.?

S2-13 Will there be procedural, technical, and physical measures in place to ensure personal information will be used only for authorized purposes and by authorized parties? Explain measures.

DISCLOSURE

S2-14 Have all parties disclosing personal information been defined, for example, program staff, consultants, agents, third party service providers, etc.?

S2-15 Do all parties disclosing personal information have the legal authority for the disclosures?

S2-16 Has the purpose of the disclosure been defined? Explain purpose(s).

S2-17 Will personal information be disclosed to any persons who are not employees of Queen’s University?

S2-18 Will disclosures of personal information be for purposes stated in the notice of collection or for a consistent purpose?

S2-19 Will the disclosures be documented and how?

S2-20 Will disclosures be documented and controlled by information-sharing agreements or other means?

S2-21 Will there be controls in place to ensure personal information will be disclosed for authorized purposes, by and to authorized parties? Explain controls.

Questions for Project Manager

Question | Response

S2-22 Which key stakeholders have been provided with an opportunity to comment on the sufficiency of privacy protections and their implications on the proposed/existing solution? Describe any outstanding concerns.

S2-23 Have you contacted other universities or institutions that have implemented the same solution to discuss the risks planned for and issues encountered? Please provide feedback.

S2-24 Have you consulted the University’s Privacy Officer and Information Security Officer on the Security and Privacy risks and considerations?


STAGE 3: INITIATION

The purpose of this stage is to negotiate and settle on terms with a vendor. Measures regarding access to the records for purposes of fulfilling access requests, retention and disposal of records, and privacy breach protocols should be addressed at this stage.

The outcome of this stage is a contract and/or Service Level Agreement with the selected vendor.

3.1 Solution Information

Vendor: <Insert>

Software Name: <Insert>

Overview of Solution: <Insert>

3.2 Security and Privacy Analysis

Questions for Service Owner

Question | Findings (Yes / No / Unknown / NA) | Response (If applicable, indicate the document where this is addressed)

REQUESTING ACCESS TO PERSONAL INFORMATION

S3-1 Will requests from individuals for access to and correction of personal information be recorded and tracked?

RETENTION

S3-2 Will there be defined and documented policies, procedures, and other requirements related to the retention of personal information?

S3-3 Will reasonable measures be in place to ensure that personal information will be retained for a minimum of one year after its last use?

S3-4 Has the medium and format of the personal information to be retained been defined?

DISPOSAL AND DESTRUCTION

S3-5 Will procedures be defined and documented for the secure disposal (e.g., transfer to the University Archives, or secure destruction) in accordance with applicable retention schedules? Explain disposal process.

S3-6 Will procedures be defined and documented for disposal of devices and equipment containing personal information?

S3-7 Will controls be defined and documented to ensure only appropriate personal information will be disposed of or destroyed, and only by authorized parties after obtaining appropriate approval?

S3-8 Will details of the disposal of personal information be recorded?

SECURITY

S3-9 Will measures be used to secure the personal information? Explain each physical, technical and procedural measure.

S3-10 Will security policies and procedures be defined and documented to protect the confidentiality, integrity and availability of personal information? Provide documentation showing which persons, positions, or employee categories have access to the personal information.

S3-11 Will user activities be monitored for security and quality assurance purposes?

S3-12 Will control mechanisms be in place to monitor user accounts, access rights and security authorizations within the system? Describe control mechanisms.

S3-13 Will procedures be defined and documented on how to identify, report, investigate and address the unauthorized access, collection, uses and/or disclosure of personal information?


S3-14 Will criteria be developed to determine and authorize “need to know” access to personal information? Describe the criteria.

Ensure that any risks that cannot be addressed appropriately through the business procedures are added to the Security and Privacy Risk Register (below).

Question for Project Manager

Question | Response

S3-15 Have Security and Privacy risks been identified on the Project Risk Register?


3.3 Contract NegotiationEnsure the contract or agreement addresses the following conditions:

Condition Suggested Wording for Contract

1. Queen's University retains ownership of all records and information.

Queen's University retains ownership of all records and information with regards to the service.

2. The service provider will use the records and information for Queen's University’s purposes and for no other purpose.

The service provider will use the records and information for Queen's University’s purposes and for no other purpose.

3. No records or information will be disclosed without the consent of Queen's University.

No records or information will be disclosed without the consent of Queen's University.

4. The service provider has a privacy policy and/or complies with privacy legislation.

[Vendor] shall comply with all federal, provincial and local laws, rules, regulations and ordinances governing or relating to privacy rights in connection with its performance under this Agreement including, without limitation, PIPEDA.

5. The service provider will ensure that it acts in such a way as to assist Queen's University meet its obligations under FIPPA and other statutes as necessary.

[Vendor] acknowledges that Queen’s University is governed by the Ontario Freedom of Information and Protection of Privacy Act (“FIPPA”) and hereby undertakes and agrees to cooperate as reasonably necessary with Queen’s University in fulfilling Queen’s University’s obligations thereunder, including without limitation, in assisting Queen’s University in responding to an access request referencing documents that may be in the custody or control of [Vendor] pursuant to this Agreement.

6. The service provider will resist, to the extent lawful, any orders to disclose information without consent, will give notice to Queen's University of any orders and give Queen's University opportunity to dispute the order.

The service provider will resist, to the extent lawful, any orders to disclose information without consent, will give notice to Queen's University of any orders and give Queen's University opportunity to dispute the order.

7. The service provider will not assign the contract to another service provider without the consent of Queen's University.

[Vendor] may not assign or transfer, by operation of law or otherwise, this Agreement or any of its rights under this Agreement to any third party without Queen’s University’s prior consent.

8. The service provider is transparent about its partners, suppliers and sub-contractors.

9. The service provider's partners, suppliers and sub-contractors are bound by the same terms and conditions as the service provider.

[Vendor] will disclose the Queen’s University records and information only to its partners, suppliers and sub-contractors who have a need to know such information for such purposes and who are under a duty of confidentiality no less restrictive than [Vendor’s] duty hereunder.

10. The service provider is transparent about the location(s) of Queen’s University records and information.

11. The service provider's employees are properly vetted and trained in privacy and confidentiality of customer information.

12. The service provider will limit access to Queen's University's records and information to specific and appropriate individuals within the service provider's organization.

[Vendor] will disclose the Queen’s University records and information only to its employees who have a need to know such information for such purposes and who are under a duty of confidentiality no less restrictive than [Vendor’s] duty hereunder.

13. The service provider has security measures in place to prevent unauthorized access to its systems and to Queen's University's records and information.

14. The service provider has acceptable protocols in place in the event of a security or privacy breach.

15. The service provider will work cooperatively with Queen's University in the event of a privacy or security breach.

16. The service provider will allow Queen's University to audit its security measures and information handling practices.

17. The service provider has no limitations of liability related to Security and Privacy.


18. The service provider will work cooperatively with Queen's University to assist Queen's in complying with records retention requirements.

19. The service provider will permit Queen's University to terminate the agreement for any reason.

Queen’s University may terminate this Agreement, or all or any of the Services, at any time, without cause and for convenience, by providing at least [x] days prior written notice of such termination.

20. Upon termination, the service provider will return the records and information (or a copy) to Queen's University in a readable format AND/OR permanently destroy/delete the records and information.

21. The service provider will not retain any copies of records and information once instructed to return, destroy or delete them, and will provide written evidence of compliance.

[Vendor] shall, no later than [x-period of time] following the termination of this Agreement, however caused, permanently and irretrievably destroy all Confidential Information held by it in any format pursuant to this Agreement. Queen’s University shall be entitled to request proof of and/or certification from [Vendor] of such destruction and the method used therefor.

If appropriate terms cannot be negotiated, ensure any resultant risks are included in the Security and Privacy Risk Register (below).


STAGE 4: PLANNING

The purpose of this stage is to establish operational procedures for ensuring the Security and Privacy requirements are met by the selected vendor. The outcome of this stage is a set of business procedures that can be operationalized.

4.1 Data Flow

The data flow diagram serves as a graphic representation of the flow of data through an information system. It must illustrate the following:

a. How data is being collected
b. How data is being stored and processed

Note that in some cases, the data flow architecture diagram could be identical to the business flow diagram.

4.2 Security and Privacy Analysis

Questions for Service Owner

Question | Findings (Yes / No / Unknown / NA) | Response (If applicable, indicate the document where this is addressed)

PRIVACY MANAGEMENT

S4-1 Will accountability for managing personal information throughout its lifecycle be defined to include parties involved in the project, for example, the University, the vendor and any other third parties? Explain accountability.

S4-2 Will operational policies, procedures or practices related to the protection of personal information be needed?

S4-3 Have all parties requiring training on operational, security and privacy aspects of the project been identified?

S4-4 Has the individual responsible for ensuring that all parties receive appropriate training been identified?

S4-5 Will communications exist to inform individuals how the system works and how their personal information will be managed?

ACCURACY AND CORRECTION

S4-6 Will there be measures in place to make sure personal information is not used unless it is accurate, complete and up-to-date? Provide details of measures.

S4-7 Will individuals be provided with an option to update all of their personal information?

S4-8 Will a log exist to track any changes made to stored personal information in the system?

S4-9 Will other sources of the same information be updated? How?

S4-10 Will there be a defined and documented process for the processing of a request for the correction of personal information? Provide details of process.

BREACH PROTOCOLS

S4-11 Will protocols be in place to identify privacy and security breaches? Describe the protocols.

S4-12 Will users be notified of a compromise of security or privacy? How?


STAGE 5: IMPLEMENTATION The purpose of this stage is to ensure that all documentation required for the operation of the system has been completed, and that all residual risks have been identified and strategies for risk mitigation developed. The outcome of this stage is the written Operational Documentation and the completed Security and Privacy Risk Register.

5.1 Security and Privacy Analysis

Questions for Service Owner

Question | Response

S5-1 Has your staff been formally trained for handling personal information?

S5-2 Has the vendor agreement been negotiated to mitigate privacy and security risks to the greatest extent possible?

Questions for Project Manager

Question | Response

S5-3 Has the Privacy Risk Assessment, including the Security and Privacy Risk Register, been fully completed?

S5-4 Has the Operational Documentation been fully completed?


Security and Privacy Risk Register

Based on your responses in the Security and Privacy Analysis, complete the risk register below. Consider the likelihood and impact of all residual risks, and the strategies for mitigating such risks.

Risk Description | Risk Likelihood | Risk Impact | Risk Analysis (Likelihood x Impact) | Owner | Risk Mitigation Strategy

Likelihood scale: 5 = almost certain; 4 = likely; 3 = possible; 2 = unlikely; 1 = rare

Impact scale: 5 = catastrophic; 4 = major; 3 = moderate; 2 = minor; 1 = insignificant

Risk Analysis bands (Likelihood x Impact): 20+ = extreme; 11 to 19 = high; 5 to 10 = moderate; 1 to 4 = low

Example entry:

Risk Description: Vendor will not encrypt data at rest in its data centre, meaning that if the data centre is compromised, personal information could be improperly accessed and disclosed.

Risk Likelihood: 2 – data centre has good physical and technical security

Risk Impact: 4 – personal information includes the educational history of students (student number, grades, etc.)

Risk Analysis: 2 x 4 = 8 = moderate

Owner: Service Owner

Risk Mitigation Strategy: Continue to push the vendor to implement encryption at rest. Take steps to minimize the personal information collected. Ensure information is destroyed as per the contract and not retained by the vendor.


Appendix 1: Personal Information under FIPPA

“Personal information” (FIPPA) means recorded information about an identifiable individual, including,

(a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,

(b) information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,

(c) any identifying number, symbol or other particular assigned to the individual,

(d) the address, telephone number, fingerprints or blood type of the individual,

(e) the personal opinions or views of the individual except where they relate to another individual,

(f) correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,

(g) the views or opinions of another individual about the individual, and

(h) the individual’s name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual;

“Business identity”: (FIPPA) Personal information does not include the name, title, contact information or designation of an individual that identifies the individual in a business, professional or official capacity.

The purpose of FIPPA is: to provide a right of access to information under the control of institutions, in accordance with the principles that information should be available to the public, that necessary exemptions from the right of access should be limited and specific, and that decisions on the disclosure of government information should be reviewed independently of government; and to protect the privacy of individuals with respect to personal information about themselves held by institutions, and to provide individuals with a right of access to that information.

The provisions of Part 3 of FIPPA apply to personal information – that is, recorded information about an identifiable individual – in the custody or under the control of an institution.

FIPPA assessment is based on questions addressing:

1. Collection (Sec. 38(2));

2. Use (Sec. 41);

3. Disclosure (Sec. 42);

4. Retention (Sec. 40(1)); and

5. Destruction (Sec. 40(4)).


Appendix 2: Privacy Principles

These principles are taken from the Canadian Standards Association’s “Model Code for the Protection of Personal Information” (1996) and form the foundation for all privacy legislation in Canada, including Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA), which applies to public sector and broader public sector organizations in Ontario, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to private sector organizations in Canada and federally regulated bodies.

Principle 1 - Accountability

An organization is accountable for personal information under its control and shall designate an individual(s) who is/are accountable for the custodian’s compliance with the appropriate legislation and the Principles adopted by Queen’s University.

Principle 2 - Identifying Purposes

The purposes for which personal information is collected shall be identified by the custodian at or before the time the information is collected. Individuals must be told why their personal information is being collected at or before the time of collection.

Principle 3 - Consent

Consent of the individual is required for the collection, use and disclosure of personal information, except where obtaining consent is inappropriate.

Principle 4 - Limiting Collection

The primary purpose of the collection of personal information is to benefit the individual. Collection for a use that is not the care and treatment of the individual shall be restricted to what is necessary and shall not impede the collection of information for the primary purpose. Information shall be collected by fair and lawful means.

Principle 5 - Limiting Use, Disclosure, and Retention

Personal information shall only be used or disclosed for purposes for which it was collected, except with the consent of the individual or as required by law. The purpose of the use, disclosure and retention of personal information is to benefit the individual. Any other use or disclosure shall be restricted to what is necessary and shall not impede the collection of information.

Principle 6 - Accuracy and Integrity

The accuracy and integrity of personal information are necessary to offer the services required, to protect the individual’s right to privacy, and to meet the requirements for its collection, use or disclosure.


Principle 7 – Security Safeguards

Personal information shall be protected by security safeguards appropriate to the information and against unintended or unauthorized access, use or intrusion, or such dangers as accidental loss or destruction.

Principle 8 - Openness

The custodian shall make readily available to individuals specific information about its policies, procedures and practices relating to the management of personal information.

Principle 9 - Individual Access

Individuals have the right to access their own personal information. Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate, subject to exceptions.

Principle 10 - Challenging Compliance

Individuals shall be informed that the custodian’s policies, procedures and practices are open to scrutiny and challenge. An individual shall be able to challenge compliance with the above Principles.
