Published by Ashlyn Norton. Modified over 6 years ago.
1
IRMQ and IRRM
Sue McGlashan, Jesse Beard, Ashley Langille, Elisabeth Spalding
2
Triage
Does everything need an assessment?
What type of data?
How much?
Impact on business if the system is not available?
Before going further, consider data classification: if there is restricted information or higher, yes, an assessment is needed. FIPPA: for one small course, a short assessment; check what the students are being asked to sign for. Availability: how much does it affect your offering if the system is not available for 1 hour, 1 day, 1 week?
3
Circular process: intake of information through the IRMQ; then, is there PI? There are questions that guide the assessment in the PIA. Whether or not there is a PIA, data needs protecting.
TRA: what, everything? At a certain level, yes. Even public data needs some protection. Is the IRMQ enough for all of the information? We go through the privacy policy, ToU or contract (vendor as agent: is the language enough that you can regard them as an extension of your own group?). What are the risks? What actions could be taken to mitigate them? The project owner must now decide how they want to treat the risk, and then rinse and repeat. Frequency depends.
Is this the only way? No, but it is very useful in checking whether project owners, hosters and developers understand what they are doing. If this is something you are doing for yourself in your own unit, and you are not doing this for anyone else, after a couple of these the process will be very quick.
4
Layers – IaaS, PaaS, SaaS – who does what?
5
Tutorial cases: XX and YYY
XX: cloud vendor providing a learning system
YYY: EMR system; complex, many parts; health information; locally hosted; software provided
6
PIA - risks
Risks to individuals: identity theft; adverse impact on employment; damage to reputation, embarrassment, distress; financial impacts
Risks to institutions: financial, legal and reputational impact of privacy breaches; failure to comply with FIPPA
7
PIA - benefits
Confirmation of legal authority for the project to collect, use, retain and disclose personal information
Due diligence and evidence of compliance in the event of a privacy breach or a complaint to the Information and Privacy Commissioner
Best practices are being followed
PIAs may help promote better decision-making and a culture of privacy within an institution
8
TRA
Always required if a PIA is required
May be required even if a PIA is not required: other legislative requirements; risks to business; risks to research data; risks to reputation; confidentiality, integrity and availability of data; accountability
9
Layers – IaaS, PaaS, SaaS – who does what?
10
Layers – UofT applications– who does what?
11
Control
Control access: authentication; authorization
Isolate the system as best as possible: hardening; network controls; application code standards
Manage continuity: plan for availability and disaster; data retention; maintaining code
Monitor, respond, recover: logs; application scans; systems scans
12
Manage vendors
Contracts; access; annual updates; SOC documents; pen tests; application scans
13
Where does the puck stop?
14
Risk Management Recommendations
Tutorial: start of the IRRM. Sections: Executive Summary; Project Rationale; Scope Statement; Statement of Sensitivity; Solution; Business Model; Risk Management Recommendations
15
Tutorial: 4 different sets, each with material for XX and YYY
XX: cloud vendor providing a learning system
YYY: EMR system; complex, many parts; health information; locally hosted; software provided
Each set has two pages with questions (from the IRRM) and the related answers from the IRMQ.
Two PIA sets: one has a privacy policy from XX (questions 4 and 5); the other has the ToU from XX (questions 2 and 3)
Two TRA sets: authentication, authorization and isolation controls and related materials; continuity and monitoring controls and related materials
16
References
Management-Questionnaire-v1.5.docx
services/project-information-risk-management-assessment/#4947
Please note these links will change. Please contact sue dot mcglashan at utoronto dot ca for the new links. The new ISEA web page will be available at the same link.