Considerations in an Outsourced / Cloud World
ARMA Information Management Symposium
Bill Wilson, Chief Privacy Technologist
ARMA Information Management Symposium - April 18th 2012
Privacy in the Outsourcing World

The times, they are a-changin'
- 40 years ago – a truck full of paper
- 30 years ago – crates of floppy disks
- 10 years ago – hard drives
- Today, the same information can fit on a single DVD or a thumb drive!

Cybercrime
- Fraud-related offences are now thought to be as profitable as drug-related offences, estimated at between $10 and $30 billion annually in Canada by the RCMP's Commercial Crime Branch.
- The majority of these crimes aren't committed by kids at their computers; 80% or more of the work is conducted by criminal organizations.

Identity Fraud
- Victims of identity theft or fraud can experience financial loss and difficulty obtaining credit or restoring their "good name".
- In 2009 the average data breach cost the affected business $6.75 million, up from $6.65 million in 2008, according to a Ponemon Institute study.

What your information could be used for
Criminals can use your stolen or reproduced personal or financial information to:
- access your bank accounts
- open new bank accounts
- transfer bank balances
- apply for loans, credit cards and other goods and services
- make purchases
- hide their criminal activities
- obtain passports or receive government benefits

Threat Landscape - Trends
- Top threat events involved external hacking/malware on servers
- Increase in all forms of attacks by all actors
- Industrialization of attacks
- Targeting weak points in the financial system
- Top three industries targeted – Hospitality, Retail, Financial

Threat Landscape - Trends
- Market segmentation
  – Organization size
  – Geographic location
  – Industry
- Low-risk, automated attacks against vulnerable systems
- Sophisticated attacks targeted at intellectual property

Defences
- Understand the threat landscape for your business
- Assess the risks
  – Vulnerabilities
  – What are you seeing
  – Regulatory requirements
  – Industry requirements

Legislation
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Key elements relevant to cloud computing:
  – Consent
  – Collection
  – Use
  – Disclosure
  – Retention
  – Safeguards

Personal Information
- Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form.
- Personal information does not include the name, title, business address or telephone number of an employee of an organization.

Cloud Computing Models
- Service models
  – Infrastructure as a Service (IaaS)
  – Platform as a Service (PaaS)
  – Software as a Service (SaaS)
- Deployment models
  – Private
  – Public
  – Partner
- Cost, liability and assurance differ between models
- Risks vary by deployment and service model

Considerations
- Ceding of control to the cloud/outsource provider and the related impact on governance
- Cloud computing is new – standards are still being developed, supporting technologies are still being enhanced, and there is little to no case law.

Considerations
- Amalgamation of existing technologies; risks in cloud/outsourced computing can be:
  – Existing risks inherent in the technologies used
  – Magnification of existing risks
  – New risks
- Consumer-focused cloud services may present greater risks to data security and privacy due to click-through terms.

Jurisdiction
- Location of the cloud/outsource provider, their infrastructure and your data
- Some countries may be considered higher-risk
- Does the cloud/outsource provider outsource any of its services to other providers in other jurisdictions?

Trans-Border Data Flows
- PIPEDA does not prohibit the transfer of Personal Information (PI)
  – But it does establish rules
- Sharing of information with a service provider is considered a use
  – Additional consent is not required
- Accountability is not transferred
  – The buck stops with you

Trans-Border Data Flows
- Data protection formalized in a contract
  – A contract cannot override laws
- Assess the risks
  – Don't jeopardize the integrity, security and confidentiality of customer personal information
- Transparency and notification
  – Advise customers

Lawful Access
- What laws apply to the data, both in transit and at rest?
  – Does the host country have lawful access to your data? e.g. the US Patriot Act
  – Unlawful access?
- Shared storage – consider the implications if a physical device is seized

Compliance
- Maintaining compliance with required regulations
  – PIPEDA, Sarbanes-Oxley, or industry requirements such as PCI DSS
- Maintaining compliance with certifications
  – ISO
- Breach reporting
  – Does the provider's breach reporting policy and procedure align with your requirements?

Data Ownership
- Must be clearly defined
  – Explicitly state what data the provider has access to and what they can do with the data
- What happens to the data on contract termination?
  – By you
  – By them
  – Other reasons, e.g. failure of the vendor

Data Handling
- Data classification and labelling
  – Prerequisite
  – Drives the requirements for data handling in the SLA
  – Encryption or additional controls for sensitive data
- Understand the provider's data handling practices
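The Data Handling and Jurisdiction slides together describe one check: the classification label decides which controls the SLA must guarantee (encryption, key custody, where the data may reside), and that check has to be applied to every subprocessor the provider outsources to, not just the provider you sign with. The following Python is an added example for this page, not code from the presentation or from any provider; the policy table, the provider names (NorthCloud, BackupCo), their regions and their encryption attributes are all constructed assumptions standing in for what a real SLA would specify.

```python
"""Classification-driven data-handling check across a provider and its subprocessors.

Added example for this page; not code from the ARMA presentation.
The policy table, provider names, jurisdictions and encryption attributes
below are constructed assumptions, not facts about any real provider.
"""
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Set, Tuple

# Required controls per classification label (assumed policy).
# allowed_jurisdictions=None means "no data-residency restriction".
HANDLING_POLICY = {
    "public":       {"encrypt_in_transit": True, "encrypt_at_rest": False, "customer_managed_keys": False, "allowed_jurisdictions": None},
    "internal":     {"encrypt_in_transit": True, "encrypt_at_rest": True,  "customer_managed_keys": False, "allowed_jurisdictions": None},
    "confidential": {"encrypt_in_transit": True, "encrypt_at_rest": True,  "customer_managed_keys": False, "allowed_jurisdictions": {"CA"}},
    "restricted":   {"encrypt_in_transit": True, "encrypt_at_rest": True,  "customer_managed_keys": True,  "allowed_jurisdictions": {"CA"}},
}


@dataclass
class Provider:
    """A cloud/outsource provider and the providers it in turn outsources to."""
    name: str
    jurisdiction: str            # country code where this provider stores/processes the data
    encrypt_in_transit: bool
    encrypt_at_rest: bool
    customer_managed_keys: bool = False
    subprocessors: List["Provider"] = field(default_factory=list)


def provider_chain(root: Provider) -> Iterator[Tuple[Tuple[str, ...], Provider]]:
    """Yield (path, provider) for the root and every subprocessor beneath it, depth-first."""
    stack = [((root.name,), root)]
    seen = set()
    while stack:
        path, p = stack.pop()
        if id(p) in seen:          # guard against cycles in a hand-built provider graph
            continue
        seen.add(id(p))
        yield path, p
        for sub in reversed(p.subprocessors):   # reversed so the first-listed subprocessor is visited first
            stack.append((path + (sub.name,), sub))


def check_handling(label: str, root: Provider) -> List[str]:
    """Return findings where the provider chain fails the controls required for `label`.

    An empty list means every provider that will touch the data meets the policy.
    """
    policy = HANDLING_POLICY[label]
    allowed: Optional[Set[str]] = policy["allowed_jurisdictions"]
    findings = []
    for path, p in provider_chain(root):
        where = " -> ".join(path)
        if policy["encrypt_in_transit"] and not p.encrypt_in_transit:
            findings.append(f"{where}: {label} data requires encryption in transit")
        if policy["encrypt_at_rest"] and not p.encrypt_at_rest:
            findings.append(f"{where}: {label} data requires encryption at rest")
        if policy["customer_managed_keys"] and not p.customer_managed_keys:
            findings.append(f"{where}: {label} data requires customer-managed keys")
        if allowed is not None and p.jurisdiction not in allowed:
            findings.append(f"{where}: data would reside in {p.jurisdiction}, outside {sorted(allowed)}")
    return findings


# Constructed sample: a Canadian primary provider that outsources backups to a US provider.
SAMPLE_PROVIDER = Provider(
    name="NorthCloud", jurisdiction="CA", encrypt_in_transit=True, encrypt_at_rest=True,
    subprocessors=[Provider(name="BackupCo", jurisdiction="US",
                            encrypt_in_transit=True, encrypt_at_rest=True)],
)

if __name__ == "__main__":
    for label in HANDLING_POLICY:
        findings = check_handling(label, SAMPLE_PROVIDER)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run stand-alone, the sample passes for "public" and "internal", fails "confidential" on the subprocessor's US location, and fails "restricted" on key custody at both providers as well as residency. The point the slides make is visible in the output: a primary provider that looks compliant on its own can still breach the handling requirements through a subprocessor, which is why the walk covers the whole chain.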

Processing and creation of new data
- Understand what is happening to your data at the cloud/service provider
  – What is your service provider doing with the data?
- Data matching
- Creation of new data

Data Permanence
- Proper disposal of data must be addressed
  – redundancy images
  – backups
- Proof of disposal
  – Certification of Disposal

Security
- Existing risks inherent to the technologies used
  – Virtualization, web
- New risks
  – Lack of isolation
- Magnification of existing risks inherent to your processes

Security
- Implications of multi-tenant, shared resources
- Availability and segmentation of audit logs
- Authentication and identity management
- Access control
- Management and monitoring of privileged access
- Security incident response capability
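Three of the points on this slide (segmentation of audit logs, monitoring of privileged access, and isolation on shared resources) can be exercised against a shared provider log. The Python below is an added example for this page, not code from the presentation or from any provider: the key=value log format, the tenant names, the approved-admin lists and the list of actions treated as privileged are constructed assumptions. It parses the shared log, splits it so each tenant only ever sees its own events, and applies three detection rules a customer would want the provider (or its own SIEM) to run.

```python
"""Per-tenant audit-log segmentation and privileged-access monitoring.

Added example for this page; not code from the ARMA presentation.
The log format, tenant names, admin lists and privileged-action list are
constructed assumptions for illustration.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed audit lines in a simple 'timestamp k=v ...' format assumed for this example.
SAMPLE_LOG = [
    "2012-04-18T09:00:01Z tenant=acme actor=alice@acme action=read resource=acme/files/report.pdf result=ok",
    "2012-04-18T09:02:15Z tenant=acme actor=bob@acme action=grant_role resource=acme/iam/roles/admin result=ok",
    "2012-04-18T09:05:40Z tenant=acme actor=root-admin@acme action=grant_role resource=acme/iam/roles/auditor result=ok",
    "2012-04-18T09:07:03Z tenant=globex actor=carol@globex action=read resource=acme/files/report.pdf result=denied",
    "2012-04-18T09:09:22Z tenant=globex actor=dave@globex action=disable_logging resource=globex/audit result=ok",
    "2012-04-18T09:11:48Z tenant=globex actor=dave@globex action=read resource=globex/files/plan.docx result=ok",
]

# Principals approved to perform privileged actions in each tenant (assumed).
APPROVED_ADMINS = {"acme": {"root-admin@acme"}, "globex": {"dave@globex"}}

# Actions treated as privileged (assumed list).
PRIVILEGED_ACTIONS = {"grant_role", "delete_snapshot", "read_key", "disable_logging"}


def parse_event(line: str) -> Dict[str, str]:
    """Parse one log line into a dict; a malformed token or missing field raises ValueError."""
    ts, *tokens = line.split()
    event = {"ts": ts}
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed token {tok!r} in line {line!r}")
        event[key] = value
    for required in ("tenant", "actor", "action", "resource", "result"):
        if required not in event:
            raise ValueError(f"missing {required} in line {line!r}")
    return event


def segment_by_tenant(events) -> Dict[str, List[Dict[str, str]]]:
    """Partition events so each customer can be handed only its own slice of the shared log."""
    segments = defaultdict(list)
    for e in events:
        segments[e["tenant"]].append(e)
    return dict(segments)


def resource_owner(resource: str) -> str:
    """Tenant that owns a resource: the first path component in this assumed naming scheme."""
    return resource.split("/", 1)[0]


def detect(events) -> List[Dict[str, str]]:
    """Apply three rules over the shared log and return one finding per rule hit."""
    findings = []
    for e in events:
        tenant, actor, action = e["tenant"], e["actor"], e["action"]
        # Rule 1: privileged action by a principal not on the tenant's approved-admin list.
        if action in PRIVILEGED_ACTIONS and actor not in APPROVED_ADMINS.get(tenant, set()):
            findings.append({"rule": "unapproved-privileged-action", "ts": e["ts"], "actor": actor, "action": action})
        # Rule 2: a tenant's principal touching (or trying to touch) another tenant's resource;
        # a denied attempt is still evidence about isolation, so the result is not filtered.
        if resource_owner(e["resource"]) != tenant:
            findings.append({"rule": "cross-tenant-access", "ts": e["ts"], "actor": actor, "resource": e["resource"]})
        # Rule 3: audit logging switched off is always reportable, even by an approved admin.
        if action == "disable_logging":
            findings.append({"rule": "audit-logging-disabled", "ts": e["ts"], "actor": actor, "resource": e["resource"]})
    return findings


if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_LOG]
    for tenant, tenant_events in segment_by_tenant(events).items():
        print(f"{tenant}: {len(tenant_events)} events")
    for finding in detect(events):
        print(finding)
```

On the sample log the three rules fire once each: bob@acme granting a role without being an approved admin, carol@globex attempting to read an acme file, and dave@globex disabling logging. The parser refuses malformed lines rather than silently skipping them, because a gap in the log is itself something the customer needs to know about when audit-log availability is a contract term.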

Security
- The provider's provision for handling conflicting requirements between customers on shared infrastructure
- Clear division of security responsibilities and liabilities between the customer and the provider
- Cloud/outsourcing can provide benefits, mostly related to economies of scale
  – Small businesses may benefit

Summary
- Risk assessment
- Transparency by the provider on its approach to privacy and security
- Certifications
- Contract review, including the SLA and any related/referenced Terms of Service
- Contract monitoring