
1 Security, Privacy, and the Protection of Personally Identifiable Information
Rodney J. Petersen
Policy Analyst, EDUCAUSE
EDUCAUSE/Internet2 Security Task Force Coordinator
© 2003, EDUCAUSE/Internet2 Computer and Network Security Task Force

2 Information Protection Strategies
Security versus Privacy – Positions
  Security or Privacy – Win/Lose
  Security nor Privacy – Lose/Lose
  Security and Privacy – Win/Win
Balancing Interests – Compromise
  Tradeoffs – Win/Lose
  Legal and Ethical Approaches – Win/Win

3 Goals of IT Security
Confidentiality: computers, systems, and networks that contain information require protection from unauthorized use or disclosure.
Integrity: computers, systems, and networks that contain information must be protected from unauthorized, unanticipated, or unintentional modification.
Availability: computers, systems, and networks must be available on a timely basis to meet mission requirements or to avoid substantial losses.

4 Policy of the United States
“In the past few years, threats in cyberspace have risen dramatically. The policy of the United States is to protect against the debilitating disruption of the operation of information systems for critical infrastructures and, thereby, help to protect the people, economy, and national security of the United States. We must act to reduce our vulnerabilities to these threats before they can be exploited to damage the cyber systems supporting our Nation’s critical infrastructures and ensure that such disruptions of cyberspace are infrequent, of minimal duration, manageable, and cause the least damage possible.”
Letter from President George W. Bush to The American People, The National Strategy to Secure Cyberspace (February 2003)

5 Congressional Actions – Fall 2003
“Worms and Viruses” – multiple hearings
“Database Security: Finding Out When Your Information Has Been Compromised” – U.S. Senate Committee on the Judiciary, Subcommittee on Technology, Terrorism and Government Information (November 4, 2003)
“Cybersecurity & Consumer Data: What’s at Risk for the Consumer?” – U.S. House Committee on Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection (November 19, 2003)

6 Public Policy Issues
Identity Theft
Notification of Security Breaches
Protection of Personally Identifiable Information
  Social Security numbers
  Credit Card Information
Privacy Policies & Collection Practices
Safeguarding Information

7 GLB Act Security Safeguards
Designate employee(s) to coordinate
Conduct a risk assessment
  Identify reasonably foreseeable risks
  Assess the sufficiency of any safeguards in place to control these risks
Design and implement safeguards to control the risks you identified through risk assessment
Regularly test and monitor the effectiveness of the safeguards
Oversee service providers

8 HIPAA Security Regulations – Administrative Safeguards
Security Management Process
  Risk Analysis
  Risk Management
Appointment of a security official
Workforce Security
Information Access Management
Security Awareness and Training
Incident Response Procedures
Contingency Plan

9 U.S. Privacy Act of 1974
Federal agencies are required to “establish appropriate administrative, technical and physical safeguards to insure” security and confidentiality and “protect against anticipated threats which could result in substantial harm, embarrassment, inconvenience or unfairness to any individual.”

10 Fair Information Practices
Access and correction
Transparency
Data security
Specifying and limiting purposes for which data can be used
Data minimization
Enforcement
(Fair Credit Reporting Act, Privacy Act, and several other information privacy laws)

11 FTC’s Principles for Government Privacy Policies and E-Commerce
Notice
Choice/Consent
Access
Security
Enforcement

12 Emerging Issues
Notification to “Consumers”
  Disclosure of organization’s maintenance of personally identifiable information
  Description of what procedures the organization has in place to protect data
  Notification when a breach or leakage has the potential for harm
Providing a Right of Access: individuals need to know what information is being kept about them
Adoption of The Privacy Act’s Security Standard: application of federal agency rules to the private sector
Creation of a Private Right of Action

13 Public Policy Framework
Coverage: any record containing nonpublic personal information, whether in paper, electronic, or other form
Information Security Program: the administrative, technical, and physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle information
Risk Assessment and Mitigation of Risks
Notification of Owners of PII
Or Be Held Accountable!

14 “Negligent Security”
Duty
  Statutory obligations
  Created by contract or promise
  Assumed in policy or mission statement
  Standard of care in the industry!!!
Breach
Damage
Causation

15 Risk Management
Risk = Threats x Vulnerabilities x Impact
Only 30% of the institutions surveyed have undertaken a risk assessment to determine their IT assets’ value and the risk to those assets – ECAR Study (2003)
Risk Assessment (identify assets, classify assets, inventory policies and practices, vulnerabilities, etc.) and Responses to Risk (assumption, control, mitigation, or avoidance)

16 Types of Risk (Impact)
Legal Risks
Financial Risks
Reputational Risks
Operational Risks
Strategic Risks

17 Cybersecurity Plans
Only 13% of the institutions surveyed have comprehensive IT security plans in place. 10% said no plan was in place. 42% had a partial plan in place. 36% are currently developing a plan – ECAR Study (2003)
Convergence with Emergency Preparedness Planning Activities
Relationship to Business Continuity and Contingency Plans
Cyber Security as part of Strategic Plans

18 Security Policies
“A security policy is a concise statement, by those responsible for a system (such as senior management), of information values, protection responsibilities and organizational commitment.” [U.S. General Accounting Office]
54% of the institutions surveyed have formal institutional IT security policies – ECAR Study (2003)
37% had policies in the implementation stage – ECAR Study (2003)

19 What Formal Policies Cover
99% – acceptable use
89% – system access control
85% – authority to shut off Internet access
83% – data security
82% – network security
82% – enforcement of institutional policies
80% – desktop security
71% – physical security of assets
61% – residence halls
51% – remote devices
39% – application development
ECAR Study (2003)

20 Security Policies & Procedures
Rationale/Purpose
Scope
Policy Statement
Roles & Responsibilities
Procedures
Related Policies

21 Rationale or Purpose
Examples include:
Confidentiality, Integrity, & Availability
Attainment of Institutional Mission
Compliance with Laws or Regulations
  GLB Act
  HIPAA
  State Laws or Regulations
Principles

22 Guiding Principles
Civility and Community
Academic and Intellectual Freedom
Privacy and Confidentiality
Equity, Diversity, and Access
Fairness and Process
Ethics, Integrity, and Responsibility

23 Scope
Examples include:
Data and information?
Computers and networks?
“Information Resources – information in any form and recorded on any media, and all computer and communications equipment and software.” [Georgetown University Information Security Policy]

24 Policy Statement
Examples include:
Critical asset identification
Risk management
Physical security
System and network management
Authentication & authorization
Access control
Vulnerability management
Awareness & training

25 Roles and Responsibilities
Examples include:
Governing Board
Executive Management
Chief Information Officer
Chief Security Officer
Unit Directors and Data Stewards
End-Users

26 Procedures
Examples include:
Confidentiality and Nondisclosure
Breach notification
Logging and monitoring
Identification of departmental contacts
Blocking network access
Incident response

27 Related Policies
Examples include:
Acceptable Use
Elimination of Social Security numbers as primary identifiers
Privacy Policy or Collection and Disclosure of Personal Information
Data Management and Access Policy
Identity Management

28 EDUCAUSE/Internet2 Computer and Network Security Task Force
For more information: EDUCAUSE/Internet2 Computer and Network Security Task Force

