Security Policies University of Sunderland CSEM02 Harry R. Erwin, PhD.


A Definition The US and UK security communities define ‘policy’ differently. The US security community is concerned with the organizational security policies that the system must meet irrespective of risk. The UK security community is concerned with formally defined policy goals that the system must meet. This is lower-level. RFC 2196 takes a similar perspective, as does Microsoft. This is closer to a ‘security objective’ in the US sense. I will usually use the US definition—but be aware that the word is used in two different ways.

Examples of Policies
Corporate policies
– Reputation
– Risks involving lives
Legal policies:
– EU Data Protection Directive
– US Privacy Act
– Protection of classified information
– Protection of evidence
– RIPA
– Other legal liabilities

Typical Corporate Policies
Reputation
– The most valuable possession of a corporation or partnership.
– Most companies will fire you if you damage their reputation.
Risks involving lives
– No managing director wants to go to jail for corporate manslaughter.
– Companies that accept risks involving lives are likely to have their reputation damaged.

EU Data Protection Directive
Protects the informational privacy of individuals as follows:
1. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or for which they are further processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

EU DPD Considerations
Applies to private groups, corporations, and individuals.
Requires that data collection must be justifiable.
Data on national origin, etc., cannot be collected except under certain circumstances.
Data collectors must notify the individuals and the government and follow the law.
Data collectors face potential liability.
Does not protect the individual against data collection by governmental agents.

US Privacy Act
Applies only to the federal government, not to states, corporations, or private individuals. SCOTUS (Supreme Court of the US) has held there is a constitutional right to freedom of commercial speech. This trumps any individual right to informational privacy and allows non-governmental agents to collect information on anyone. This conflicts directly with the EU Data Protection Directive. No resolution is likely any time soon.

US Department of Defense Security Policies
Individuals shall be held accountable for their actions.
Authorities shall be immediately notified of all threats and vulnerabilities.
Information shall be used only for its authorized purposes.
Information shall be available to satisfy mission requirements.
Guidance documentation shall be available defining installation and use.
Only authorized persons and processes shall access information.
Information shall retain its content integrity.
Information systems security shall be an integral part of the system lifecycle.
Information shall be appropriately marked and labeled.
Information shall be physically protected to prevent unauthorized disclosure.

Individuals shall be held accountable for their actions.
Security mechanisms must enforce the following:
– Individuals using the system must identify and authenticate (I&A) themselves, and
– A record of their actions (an audit trail), suitable for use in a court of law, shall be maintained.
It is inadequate to enforce group responsibility. On the other hand, procedural I&A and audit trails are adequate to meet this.

Authorities shall be immediately notified of all threats and vulnerabilities.
In part, this is a procedural requirement—system administrators and security administrators must track potential threats and vulnerabilities. It also implies that the audit trail should be checked on a regular basis for developing problems. Intrusion detection may be required.

Information shall be used only for its authorized purposes.
Unauthorized use must be precluded. This can be done procedurally or by automatic enforcement (access control). This policy cannot be automatically enforced in most distributed system architectures since it requires a single-threaded security manager. Tough.

Information shall be available to satisfy mission requirements.
Availability
Non-modification
Non-destruction
Clashes directly with confidentiality. Most military and intelligence systems incorporate a ‘battle short’.

Guidance documentation shall be available defining installation and use. In other words, both users and security administrators should have the manuals they need to manage and use the system. Should describe all the considerations in use. Should define how to install the system securely.

Only authorized persons and processes shall access information.
To access information, a person or a process must identify itself so that its authorization can be checked. Mandates:
– I&A
– Access control
– Audit

Information shall retain its content integrity. Only authorized users and processes may change it, and only when authorized to change it.

Information systems security shall be an integral part of the system lifecycle. In other words, plan for it and manage it. Start early. Take it into account at all stages.

Information shall be appropriately marked and labeled. UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP SECRET, TOP SECRET/CODEWORD or their UK equivalents. This is so users will know the sensitivity. Not usually applicable outside of classified environments. Painful.
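As an added illustration (not part of the lecture), the following tiny reference monitor ties together the accountability, access-control, integrity and labelling policies above: every request is made by an authenticated identity, reads are allowed only when the requester's clearance dominates the object's label, writes additionally require explicit authorisation on the object, and every decision is written to an audit trail. The label names follow the slide; the dominance rule, the compartment handling and all identities and documents are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ordered levels from the slide; compartments model the "/CODEWORD" suffix.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as high and covers every compartment."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass
class Document:
    name: str
    label: Label
    writers: frozenset          # identities explicitly authorised to change it
    content: str = ""


@dataclass
class ReferenceMonitor:
    clearances: dict            # authenticated identity -> clearance Label (constructed)
    audit: list = field(default_factory=list)

    def _log(self, who, action, doc, allowed, reason):
        # Accountability: one audit record per decision, naming the individual.
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(), "who": who,
                           "action": action, "object": doc.name,
                           "allowed": allowed, "reason": reason})
        return allowed

    def read(self, who, doc):
        if who not in self.clearances:
            return self._log(who, "read", doc, False, "unknown identity")
        ok = self.clearances[who].dominates(doc.label)
        return self._log(who, "read", doc, ok, "clearance check")

    def write(self, who, doc, new_content):
        # Integrity: only an authorised writer who is also cleared may change it.
        if who not in self.clearances:
            return self._log(who, "write", doc, False, "unknown identity")
        ok = who in doc.writers and self.clearances[who].dominates(doc.label)
        if ok:
            doc.content = new_content
        return self._log(who, "write", doc, ok, "writer and clearance check")
```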

Information shall be physically protected to prevent unauthorized disclosure. Again, UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP SECRET, TOP SECRET/CODEWORD or its UK equivalent. Keep it in safes or the equivalent unless it is in use. Facilities need to be guarded and locked. When in use, follow procedures. Storage media with classified information need to be protected, too. Security violations tend to be unpleasant. At TRW, you had to meet with the division general manager on a Saturday at 5 AM.

Summary Organizational policies address vulnerabilities where no risk analysis is appropriate. They must be complied with. Life is hard...