Security Standard: “reasonable security”


Security Standard: “reasonable security”

OECD Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

FTC Commission Statement: Not perfect security, but a continuous process of assessing and addressing risks.

Components of a reasonable security program (each is expanded on the later slides):
- Product Testing / QA / Compliance
- Red Team / Monitoring
- Security Tools & Vendor Review
- Employee Training

California AG 2016 Data Breach Report

CA Statute: Requires businesses to use “reasonable security procedures and practices… to protect personal information from unauthorized access, destruction, use, modification, or disclosure.”

Report finding: The 20 Controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all of the Controls that apply to an organization’s environment constitutes a lack of reasonable security.

Full List of 20 Controls (numbered as in the CIS Critical Security Controls, version 6, the edition the 2016 report refers to; the slide’s two-column layout had been flattened column-wise)
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capability
11. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

Security Standard: “reasonable security”. A few examples of “reasonable security” failures drawn from FTC enforcement actions (the FTC reached its 50th data security enforcement action in 2014, and the number continues to grow):

PRODUCT TESTING / QA / RISK ASSESSMENT / COMPLIANCE
- Code review
- Design review
- Test the product against the choice mechanisms offered to users (ASUSTeK Computer)
- Security audits/investigations (Microsoft)
- Monitor compliance (CVS)

RED TEAM TESTING / REGULAR MONITORING
- Penetration testing
- Bug bounty program, or at least a process to investigate vulnerability reports from researchers (ASUSTeK Computer)
- Check for and fix widely known security flaws (Lookout)
- Network scanning (EPN)
- Anti-virus (LifeLock)
- Process to act on security warnings (TJX)

SECURITY TOOLS
- Use SSL/TLS to protect information in transit, and validate the server certificate: the Credit Karma and Fandango actions concerned mobile apps that had disabled SSL certificate validation, so the encryption could be defeated by anyone on the network path
- Password policies and regular required password changes (LifeLock/Twitter/Reed Elsevier). Caveat: these actions predate NIST SP 800-63B (2017), which advises against forced periodic rotation absent evidence of compromise; the underlying failures were weak or reused administrative credentials, not the absence of a rotation schedule
- Access/identity management (CBR/Accretive Health)

VENDOR REVIEW
- Make sure vendors implement reasonable security (GMR Transcription/Credit Karma)

TRAINING
- Train employees adequately on information security and privacy (Upromise/HTC/Tower Records)
- Incident response plan and training (EPN)
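The certificate-validation failure behind the Credit Karma and Fandango actions is a one-line decision that any TLS client can get wrong. The following is an added example, not code from the slides or from either company: Python’s standard ssl module stands in for the mobile TLS stacks in those cases, and the weak and hardened client configurations are shown side by side with a small audit helper that reports what a reviewer would flag. All function names are this example’s own.

```python
"""Added example, not from the slides: weak vs hardened TLS client
configuration, plus an audit helper.

The FTC's Credit Karma and Fandango actions concerned mobile apps that
disabled certificate validation. Python's ssl module is used here as a
stand-in for the same decision in any TLS client.
"""
import ssl


def weak_context() -> ssl.SSLContext:
    """The 'make the certificate errors go away' configuration.

    The channel is still encrypted, but any certificate is accepted, so an
    on-path attacker can present its own certificate and read or modify the
    traffic. (check_hostname must be cleared before verify_mode can be set
    to CERT_NONE; that ordering is itself a hint that this is a downgrade.)
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """create_default_context() loads the system trust store, requires a
    valid chain (CERT_REQUIRED) and checks the certificate against the
    hostname. The minimum protocol version is pinned explicitly so the result
    does not depend on the interpreter's defaults."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the findings a code reviewer would raise for this context."""
    findings: list[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

The audit helper is the part worth keeping: run it over every SSLContext an application constructs (or grep for `CERT_NONE` and `check_hostname = False` in review) and the exact defect the FTC cited becomes a test failure rather than a production finding.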

Privacy by Design & Security by Design to Prevent and Mitigate Cyber Attacks

Product Lifecycle

Privacy counsel / privacy operations should be involved in every stage of the product lifecycle (the process may be shorter or longer from company to company):
1. Inception / Strategy / Remedy Policy
2. Early documentation / product requirements docs
3. Awareness: consult with stakeholders
4. Implement
5. Test product (internal / beta / focus group)
6. Document the security decisions made, with their reasoning
7. QA tests / red team tests
8. Monitor
9. Implement: consult all stakeholders and make changes

Privacy by Design

Focus on prevention of a cyber attack via proactive privacy. More a combination of evolving concepts and technology than a fixed set of principles. The seven foundational principles:
1. Proactive, not Reactive; Preventative, not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality: Positive-Sum, not Zero-Sum (more on this later)
5. End-to-End Security: Full Lifecycle Protection
6. Visibility and Transparency: Keep it Open
7. Respect for User Privacy: Keep it User-Centric (vs. data-centric)

Security by Design

A more focused concept than PbD: prevention of data loss through Confidentiality, Integrity and Availability (CIA).

Confidentiality: avoiding disclosure of information / limiting access
- Tools: encryption, firewalls, taking security controls out of the user’s hands
- User/employee training

Integrity: data is accurate and complete over its lifecycle (privacy overlap: the integrity principle)
- Data stewards/custodians and training

Availability: data is available when necessary, and only to the right users (privacy overlap: the access principle)
- Access management/policies (used in data-centric design)
- Tools like encryption, with the caveat that encryption adds an availability dependency of its own: lost keys mean lost data, so key backup and recovery belong in the availability plan

Case Study: Harmonization of Privacy and Security Interests

Both are focused on prevention/mitigation of a cyber attack.

Security concern: “Users can’t be trusted with passwords. We need to collect data to protect our data, or else we’re subject to a cyber attack.” Example: a banking website uses browser fingerprinting or device fingerprinting to identify your browser or device when you log on. Security wants to collect additional data sets to verify the user.

Privacy concern: the information could be used by the company for secondary purposes that are not so innocuous. Privacy wants to collect less personal information to limit the potential damage in the event of a breach.

Harmonization:
(1) Data minimization
(2) Purpose/use limitations
(3) Altering retention
(4) Restricting internal access
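The four harmonization measures can be built into the fingerprint check itself rather than left to policy. The following is an added example, not code from the slides or from any bank: a device-recognition store for the login flow in which only three attributes are used (minimization), the stored value is a keyed HMAC that cannot be reversed or joined with other data sets without the auth service’s key (purpose limitation and restricted internal access), and records expire after a retention window. The key, the attribute set, the 90-day window and the sample attribute dicts are all hypothetical.

```python
"""Added example, not from the slides: a device-fingerprint check for a
login flow that applies the four harmonization measures.

Hypothetical assumptions: the bank's auth service holds a secret FP_KEY
that no other system sees; the fingerprint is built from three attributes
only; an unused device record is kept for 90 days. The sample attributes in
the __main__ block are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import time

FP_KEY = b"auth-service-only-secret-key"            # assumption: held only by the auth service
RETENTION_SECONDS = 90 * 24 * 3600                   # assumption: 90-day retention window
FP_ATTRIBUTES = ("user_agent", "screen", "timezone")  # minimization: nothing else is ever used


def fingerprint_digest(raw_attributes: dict, key: bytes = FP_KEY) -> str:
    """Keyed HMAC-SHA256 over a canonical encoding of the selected attributes.

    Purpose limitation by construction: the stored value cannot be reversed
    to the raw attributes or correlated with other data sets without the key.
    Attributes outside FP_ATTRIBUTES (e.g. an IP address) are dropped here.
    """
    selected = {k: raw_attributes.get(k, "") for k in FP_ATTRIBUTES}
    canonical = json.dumps(selected, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


class DeviceStore:
    """Per-user set of known-device digests with last-seen timestamps.

    Restricted internal access: rows hold digests and timestamps only, never
    raw attributes, so a read of this table yields nothing usable for
    secondary purposes.
    """

    def __init__(self) -> None:
        self._rows: dict[str, dict[str, float]] = {}  # user_id -> {digest: last_seen}

    def remember(self, user_id: str, raw_attributes: dict, now: float | None = None) -> None:
        now = time.time() if now is None else now
        self._rows.setdefault(user_id, {})[fingerprint_digest(raw_attributes)] = now

    def is_known(self, user_id: str, raw_attributes: dict, now: float | None = None) -> bool:
        now = time.time() if now is None else now
        self.purge(now)
        digest = fingerprint_digest(raw_attributes)
        devices = self._rows.get(user_id, {})
        # constant-time comparison so timing does not reveal near-matches
        matched = [d for d in devices if hmac.compare_digest(d, digest)]
        if matched:
            devices[matched[0]] = now  # refresh last-seen on use
            return True
        return False

    def purge(self, now: float) -> None:
        """Retention: drop devices not seen within the window."""
        for devices in self._rows.values():
            stale = [d for d, seen in devices.items() if now - seen > RETENTION_SECONDS]
            for d in stale:
                del devices[d]

    def stored_values(self) -> list[str]:
        """Everything a reader of the table would see; used to show no raw data is kept."""
        return [d for devices in self._rows.values() for d in devices]


if __name__ == "__main__":
    # Constructed sample input for illustration
    store = DeviceStore()
    laptop = {"user_agent": "Mozilla/5.0 (X11; Linux)", "screen": "1920x1080",
              "timezone": "Europe/Berlin", "ip": "203.0.113.7"}
    store.remember("alice", laptop, now=0.0)
    print(store.is_known("alice", {**laptop, "ip": "198.51.100.9"}, now=60.0))    # True: ip is not part of the fingerprint
    print(store.is_known("alice", laptop, now=RETENTION_SECONDS + 61.0))         # False: record expired
    print(store.stored_values())                                                 # only hex digests, no raw attributes
```

Two design points carry the privacy argument: the HMAC key is what turns a re-identifiable attribute set into a value that is useful only for this login check, so it must stay inside the auth service, and the retention purge runs on every lookup so that expiry does not depend on a separate batch job that may never be scheduled.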