Download presentation
Presentation is loading. Please wait.
Published byJeffry Charles Modified over 9 years ago
1
Security, Privacy, and the Protection of Personally Identifiable Information
Rodney J. Petersen Policy Analyst, EDUCAUSE EDUCAUSE/Internet2 Security Task Force Coordinator © 2003, EDUCAUSE/Internet2 Computer and Network Security Task Force
2
Information Protection Strategies
Security versus Privacy - Positions Security or Privacy – Win/Lose Security nor Privacy – Lose/Lose Security and Privacy – Win/Win Balancing Interests - Compromise Tradeoffs – Win/Lose Legal and Ethical Approaches – Win/Win
3
Goals of IT Security Confidentiality: computers, systems, and networks that contain information require protection from unauthorized use or disclosure. Integrity: computers, systems, and networks that contain information must be protected from unauthorized, unanticipated, or unintentional modification. Availability: Computers, systems and networks must be available on a timely basis to meet mission requirements or to avoid substantial losses.
4
Policy of the United States
In the past few years, threats in cyberspace have risen dramatically. The policy of the United States is to protect against the debilitating disruption of the operation of information systems for critical infrastructures and, thereby, help to protect the people, economy, and national security of the United States. We must act to reduce our vulnerabilities to these threats before they can be exploited to damage the cyber systems supporting our Nation’s critical infrastructures and ensure that such disruptions of cyberspace are infrequent, of minimal duration, manageable, and cause the least damage possible. Letter from President George W. Bush to The American People, The National Strategy to Secure Cyberspace (February 2003)
5
Congressional Actions–Fall 2003
“Worms and Viruses” – multiple hearings “Database Security: Finding Out When Your Information Has Been Compromised” U.S. Senate Committee on the Judiciary, Subcommittee on Technology, Terrorism and Government Information (November 4, 2003) “Cybersecurity & Consumer Data: What’s at Risk for the Consumer?” U.S. House Committee on Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection (November 19, 2003)
6
Public Policy Issues Identity Theft Notification of Security Breaches
Protection of Personally Identifiable Information Social Security numbers Credit Card Information Privacy Policies & Collection Practices Safeguarding Information
7
GLB Act Security Safeguards
Designate employee(s) to coordinate Conduct a risk assessment Identify reasonably foreseeable risks Assess the sufficiency of any safeguards in place to control these risks Design and implement safeguards to control the risks you identified through risk assessment Regularly test and monitor the effectiveness of the safeguards Oversee service providers
8
HIPAA Security Regulations Administrative Safeguards
Security Management Process Risk Analysis Risk Management Appointment of a security official Workforce Security Information Access Management Security Awareness and Training Incident Response Procedures Contingency Plan
9
U.S. Privacy Act of 1974 Federal agencies are required to “establish appropriate administrative, technical and physical safeguards to insure” security and confidentiality and “protect against anticipated threats which could result in substantial harm, embarrassment, inconvenience or unfairness to any individual.”
10
Fair Information Practices
Access and correction Transparency Data security Specifying and limiting purposes for which data can be used Data minimization Enforcement (Fair Credit Reporting Act, Privacy Act, and several other information privacy laws)
11
FTC’s Principles for Government Privacy Policies and E-Commerce
Notice Choice/Consent Access Security Enforcement
12
Emerging Issues Notification to “Consumers”
Disclosure of organization’s maintenance of personally identifiable information Description of what procedures the organization has in place to protect data Notification when a breach or leakage has the potential for harm Providing a Right of Access: individuals need to know what information is being kept about them. Adoption of The Privacy Act’s Security Standard: application of fed. agency rules to the private sector Creation of a Private Right of Action
13
Public Policy Framework
Coverage: any record containing nonpublic personal information whether in paper, electronic or other form Information Security Program: the administrative, technical, and physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle information Risk Assessment and Mitigation of Risks Notification of Owners of PII Or Be Held Accountable!
14
“Negligent Security” Duty Breach Damage Causation
Statutory obligations Created by contract or promise Assumed in policy or mission statement Standard of care in the industry!!! Breach Damage Causation
15
Risk Management Risk = Threats x Vulnerabilities x Impact
Only 30% of the institutions surveyed have undertaken a risk assessment to determine their IT assets’ value and the risk to those assets – ECAR Study (2003) Risk Assessment (identify assets, classify assets, inventory policies and practices, vulnerabilities, etc.) and Responses to Risk (assumption, control, mitigation, or avoidance)
16
Types of Risk (Impact) Legal Risks Financial Risks Reputational Risks
Operational Risks Strategic Risks
17
Cybersecurity Plans Only 13% of the institutions surveyed have comprehensive IT security plans in place. 10% said no plan was in place. 42% had a partial plan in place. 36% are currently developing a plan – ECAR Study (2003) Convergence with Emergency Preparedness Planning Activities Relationship to Business Continuity and Contingency Plans Cyber Security as part of Strategic Plans
18
Security Policies “A security policy is a concise statement, by those responsible for a system (such as senior management), of information values, protection responsibilities and organizational commitment.” [U.S. General Accounting Office] 54% of the institutions surveyed have formal institutional IT security policies – ECAR Study (2003) 37% had policies in the implementation stage – ECAR Study (2003)
19
What Formal Policies Cover
99% - acceptable use 89% - system access control 85% - authority to shut off Internet access 83% - data security 82% - network security 82% - enforcement of institutional policies 80% - desktop security 71% - physcial security of assets 61% - residence halls 51% - remote devices 39% - application development ECAR Study (2003)
20
Security Policies & Procedures
Rationale/Purpose Scope Policy Statement Roles & Responsibilities Procedures Related Policies
21
Rationale or Purpose Examples include:
Confidentiality, Integrity, & Availability Attainment of Institutional Mission Compliance with Laws or Regulations GLB Act HIPPA State Laws or Regulations Principles
22
Guiding Principles Civility and Community
Academic and Intellectual Freedom Privacy and Confidentiality Equity, Diversity, and Access Fairness and Process Ethics, Integrity, and Responsibility
23
Scope Examples include: Data and information? Computers and networks?
“Information Resources – information in any form and recorded on any media, and all computer and communications equipment and software.” [Georgetown University Information Security Policy]
24
Policy Statement Examples include: Critical asset identification
Risk management Physical security System and network management Authentication & authorization Access control Vulnerability management Awareness & training
25
Roles and Responsibilities
Examples include: Governing Board Executive Management Chief Information Officer Chief Security Officer Unit Directors and Data Stewards End-Users
26
Procedures Examples include: Confidentiality and Nondisclosure
Breach notification Logging and monitoring Identification of departmental contacts Blocking network access Incident response
27
Related Policies Examples include: Acceptable Use
Elimination of Social Security numbers as primary identifiers Privacy Policy or Collection and Disclosure of Personal Information Data Management and Access Policy Identity Management
28
EDUCAUSE/Internet2 Computer and Network Security Task Force
For more information: EDUCAUSE/Internet2 Computer and Network Security Task Force
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.