Security vs. Privacy The Protection of Personal Information


Page 1: Security vs. Privacy

Security vs. Privacy

The Protection of Personal Information

Page 2: Security vs. Privacy

Organization of the Presentation

• The Purpose and Goals of this presentation

• Background

• The Roles and Responsibilities of VA Personnel in Security and Privacy

• An Extensive Interactive Discussion Session will follow the presentation

Page 3: Security vs. Privacy

Purpose and Goals

• To Define Security and Privacy

• To Explain the Relationship of the Two

• To Describe the Requirements for Both in Federal Law and Guidance

• To Help You Understand Your Responsibilities

Page 4: Security vs. Privacy

Differences and Similarities

What is Security?

Security applies to the spectrum of physical, technical & administrative safeguards that are put in place to protect the integrity, availability and confidentiality of information (in all media) and information systems.

Page 5: Security vs. Privacy

Differences and Similarities

What is Privacy?

Privacy refers to the right of each individual to control their personal information and to not have it disclosed or used by others against their wishes.

Page 6: Security vs. Privacy

You Can Have Security Without Privacy, But You Cannot Have Privacy Without Security

Page 7: Security vs. Privacy

Protect the Security and Privacy of Privacy-protected Data

• Malicious or Accidental Use of VA Privacy-protected Data Could Cause Harm to Veterans or VA Personnel.

• Malicious Use, Disclosure or Alteration of VA Privacy-protected Data or Access to VA Networks Could be in Breach of the Law.

Page 8: Security vs. Privacy

Veterans and VA Personnel at Risk

• Veterans Infected with HIV or Suffering from Sickle-Cell Anemia
  – These Veterans are Protected by Specific Federal Laws and Regulations

• Identity Theft Could Happen at VA

Page 9: Security vs. Privacy

Why Is It Necessary to Protect Personally Identifiable Information Data?

Page 10: Security vs. Privacy

Because Uncle Sam Requires You To

Page 11: Security vs. Privacy

Federal Laws and Regulations Such As:

• Health Insurance Portability & Accountability Act (HIPAA)

• The Privacy Act

• The E-Gov Act

Page 12: Security vs. Privacy

Why Is It Important to Protect Personally Identifiable Information?

Page 13: Security vs. Privacy

Because It Can Cause Great Heartache and Grief if the Security of this Information is Compromised

Example:

Are You Really Who You Think You Are?!

Page 14: Security vs. Privacy

Identity Theft:

• Has happened at VA

• Is facilitated by the sharing of personal information, or the lack of protection of personal information

Page 15: Security vs. Privacy

Identity Theft

• Identity theft is a crime and it is on the rise

• An estimated 500,000 or more persons are becoming victims each year

• It can happen to anyone

Page 16: Security vs. Privacy

What Do Thieves Steal?

• Social Security numbers

• Driver license numbers

• Credit card numbers

• ATM cards

• Telephone calling cards

Page 17: Security vs. Privacy

The Consequences of Identity Theft

• Your credit rating will be ruined

• You can be arrested for a crime that someone else committed using your name

• You can be refused job opportunities

• You can be refused education benefits

Page 18: Security vs. Privacy

How to Prevent Identity Theft

• Do not share privacy-protected data unless required by VA

• Protect the security and privacy of personal information using guidance provided by OCIS and the privacy service

Page 19: Security vs. Privacy

Threats to Privacy-protected Data Require:

• Network administrators, ISO’s, & PO’s to become more aware of privacy-protected information
  – What it is
  – Where it is

• Rigorous access controls to privacy-protected information on VA networks

Page 20: Security vs. Privacy

Privacy and Security are Interrelated

• Access Controls and Authentication Procedures are the Two Most Important Information Security Measures for the Protection of PII
  – Confidentiality: Preserving authorized restrictions on information access and disclosure.
  – Integrity: Guarding against improper information modification or destruction:
    • includes information non-repudiation and authenticity.
  – Availability: Ensuring timely and reliable access to and use of information.

Page 21: Security vs. Privacy

VA Roles in Protecting the Privacy and Security of VA Data

• ISO

• Privacy Officer

• System Administrators

Page 22: Security vs. Privacy

You Are Required to Protect the Privacy and Secure the Personal Information of VA Personnel and Veterans

Page 23: Security vs. Privacy

Federal Law and Guidance Mandate That All Information Is to Be Secured and That the Privacy of Personal Information Is to Be Protected

Page 24: Security vs. Privacy

E-Government Act: Purpose

• To enhance citizen access to Federal Information by requiring interconnectivity & Interoperability

• Provides for the development of a Federal Bridge Authority for digital signatures and the use of digital signature technology

Page 25: Security vs. Privacy

E-Government Act: Privacy Impact Assessment (PIA)

• Each system that contains Privacy-protected Data will have to do a Risk Assessment

• The CIO has the authority to determine the acceptable level of risk to Privacy-protected Data

Page 26: Security vs. Privacy

E-Government Act: Privacy Impact Assessment (PIA)

• New Systems, Systems Under Development, or Systems Undergoing Major Modifications are Required to Complete a PIA

• The Privacy Officer, the System Owner, System Developers, and ISO’s Must Work Together to Complete the PIA.

• The Privacy Service will Provide Guidance.

Page 27: Security vs. Privacy

Health Insurance Portability and Accountability Act (HIPAA)

Federal Requirements for the Security of Privacy-protected Data

Privacy Rule [§160, §162]

Security Rule [§164]

Page 28: Security vs. Privacy

HIPAA Security Rule

• Access Control – implementing policies and procedures to control & limit access by persons or software programs to Electronic Personal Health Information (EPHI)

• Audit Controls – implementing hardware, software, and/or procedural mechanisms to detect any malicious behaviors

Page 29: Security vs. Privacy

HIPAA Security Rule (cont.)

• Integrity – Protection of EPHI from improper modification or destruction.

• Person or Entity Authentication – Procedures to verify that persons or entities seeking access to EPHI are who or what they claim to be.

• Transmission Security – Implementing Security Measures to prevent Unauthorized Access to EPHI that is being transmitted.

Page 30: Security vs. Privacy

The Privacy Act: 5 U.S.C. § 552A

• Security Requirements of the Privacy Act:
  – Require that administrative, technical and physical safeguards are in place to protect data
  – Rules of conduct must be in place for persons involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record

Page 31: Security vs. Privacy

VA Information Security

• VA is Required by Federal Law and Guidance to Provide Adequate Security Measures for Privacy-protected Data

• VA OCIS has Implemented Various Security Controls:
  – Digital Signatures
  – Certification and Accreditation
  – Access Controls
  – Authentication

Page 32: Security vs. Privacy

VA Directive 6502: “Privacy Program”

• Signature Policy of the Privacy Service

• This policy requires:
  – Privacy Review
  – Privacy Rules of Behavior
  – Privacy Role-based Training

Page 33: Security vs. Privacy

The Roles and Responsibilities of VA Personnel in Security and Privacy

• Daily Actions to Maintain Privacy and Security of VA Privacy-protected Data
  – Passwords
  – Logging off your computer
  – Sharing data
  – Lockdown of Your Workstation
  – Proper Storage and Disposal of Media

Page 34: Security vs. Privacy

Privacy Roles for Information Security Officers

• Participate in Various VA Security Processes to Secure Privacy-protected Data
  – Risk Assessment of Systems Containing Privacy-protected Data
  – PIA’s of Systems Containing Privacy-protected Data
  – Certification and Accreditation of New and Existing Systems that Contain Privacy-protected Data

Page 35: Security vs. Privacy

Privacy Roles for Information Security Officers (cont.)

• Federal Information Security Management Act (FISMA) Remediation

• Designing and Implementing Access Controls & Authentication Procedures during the System Development Lifecycle (SDLC)

• Enforcing the Security and Privacy of VA Privacy-protected Data

Page 36: Security vs. Privacy

Security Roles for Privacy Officers

• Ensure that all Privacy-protected Information is:
  – Protected from Unauthorized Access
  – Accessed Only by Users who have been Properly Authenticated
  – Disposed of in a Secure Manner

Page 37: Security vs. Privacy

The Roles of Network Administrators & Program Managers

• PIA

• Certification and Accreditation

• Monitoring Access to Networks

• Implementing Access Controls to Privacy-protected Data

• Auditing of VA Networks

• Establishing and Monitoring the Use of Authentication Procedures

Page 38: Security vs. Privacy

VA Personnel Working Together

The VA Privacy Service provides oversight, guidance, and understanding in the preservation of the security and privacy of personal information

Page 39: Security vs. Privacy

Useful Websites

CIO website
www.cio.gov

OMB Website
www.whitehouse.gov/omb/inforeg/infopoltech.html#pg

VA OCIS Website
www.infosec.va.gov/main/index.asp