Security Standard: “reasonable security”

Presentation transcript:

1 Security Standard: “reasonable security”
OECD: Personal data should be protected by reasonable security safeguards against risks such as loss or unauthorized access, destruction, use, modification or disclosure of data.
FTC Commission Statement: Not perfect security, but a continuous process of assessing and addressing risks.
Areas where “reasonable security” is assessed:
- Product Testing/QA/Compliance
- Red Team/Monitoring
- Security Tools & Vendor Review
- Employee Training

2 California AG 2016 Data Breach Report
CA Statute: Requires businesses to use “reasonable security procedures and practices… to protect personal information from unauthorized access, destruction, use, modification, or disclosure.” The 20 Controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all of the Controls that apply to an organization’s environment constitutes a lack of reasonable security.

3 Full List of 20 Controls (Center for Internet Security Critical Security Controls)
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Email and Web Browsing Protection
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capability
11. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

4 Security Standard: “reasonable security”
A few examples of “reasonable security” failures from FTC enforcement actions (the company named in each action is given in parentheses). In 2014 the FTC reached 50 enforcement actions, and the number continues to grow.

PRODUCT TESTING/QA/RISK ASSESSMENT/COMPLIANCE
- Code review
- Design review
- Test product against choice mechanisms (ASUSTeK Computer)
- Security audits/investigations (Microsoft)
- Monitor compliance (CVS)

RED TEAM TESTING/REGULAR MONITORING
- Pen testing
- Bug bounty program or a process to investigate vulnerability research (ASUSTeK Computer)
- Widely known security flaws (Lookout)
- Network scanning (EPN)
- Anti-virus (LifeLock)
- Security warning process (TJX)

SECURITY TOOLS
- Use SSL/encryption to protect information (Credit Karma; Fandango)
- Password policies and regular required password changes (LifeLock/Twitter/Reed Elsevier)
- Access/identity management (CBR/Accretive Health)

VENDOR REVIEW
- Make sure vendors implement reasonable security (GMR Transcription/Credit Karma)

TRAINING
- Train employees adequately on information security and privacy (Upromise/HTC/Tower Records)
- Incident response training and plan (EPN)

5 Privacy by Design & Security by Design to Prevent and Mitigate Cyber Attacks

6 Product Lifecycle
Privacy lawyer/privacy ops should be involved in all parts of the product lifecycle (the process may be shorter or longer from company to company):
- Inception/Strategy/Remedy Policy: early documentation, product requirements docs
- Awareness: consult with stakeholders
- Implement
- Test product (internal/beta/focus group)
- Document security decisions made, and the reasoning behind them
- QA test / red team tests: monitor
- Implement: consult all stakeholders and make changes

7 Privacy by Design
Focus on prevention of a cyber attack via proactive privacy. More a combination of evolving concepts and technology than a set of principles.
1. Proactive, not Reactive; Preventative, not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality – Positive-sum, not Zero-sum (more on this later)
5. End-to-end Security – Full Lifecycle Protection
6. Visibility and Transparency – Keep it Open
7. Respect for User Privacy – Keep it User-Centric (vs. Data-Centric)

8 Security by Design
A more focused concept than PbD: focused on prevention of data loss through Confidentiality, Integrity, and Availability (CIA).
Confidentiality: focused on avoiding disclosure of information and limiting access
- Tools: encryption/firewalls, taking security controls outside of the user’s control
- User/employee training
Integrity: data is accurate and complete over its lifecycle (privacy overlap: integrity principle)
- Data stewards/custodians and training
Availability: data is available when necessary, to the right users (privacy overlap: access principle)
- Access management/policies (used in data-centric design)
- Tools like encryption

9 Case Study: Harmonization of Privacy and Security Interests
Both are focused on prevention/mitigation of a cyber attack.
Security Concern: “Users can’t be trusted with passwords. We need to collect data to protect our data, or else we’re subject to a cyber attack.” Example: a banking website uses browser fingerprinting or device fingerprinting to identify your browser or device when you log on. Security wants to collect additional data sets to verify the user.
Privacy Concern: The information could be used by the company for secondary purposes that are not so innocuous. Privacy wants to collect less personal information to mitigate potential damages in the event of a breach.
Harmonization: (1) Data Minimization; (2) Purpose/Use Limitations; (3) Altering Retention; (4) Restricting Internal Access
