
Privacy & Security Training for Senior Staff

Privacy & Security Training for Senior Staff. Agenda. What is privacy? Privacy & security, what’s the difference? The Future of privacy & security in Ohio What agencies need to do Define; Classify; Map; Minimize Invest budget & staff resources towards privacy & security Bottom line.





Presentation Transcript


  1. Privacy & Security Training for Senior Staff

  2. Agenda • What is privacy? • Privacy & security, what’s the difference? • The Future of privacy & security in Ohio • What agencies need to do • Define; Classify; Map; Minimize • Invest budget & staff resources towards privacy & security • Bottom line

  3. What is Privacy & Where is it Going? • “The right to be left alone -- the most comprehensive of rights, and the right most valued by civilized men.” ~ Louis Brandeis • “Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” ~ Alan Westin • “You have no privacy, get over it.” ~ Scott McNealy

  4. What is Privacy: That was Then & This is Now • Privacy is not in the Constitution; it has been interpreted in the “penumbra” • Privacy - Then: Practical obscurity. No internet; no cell phones; less data gathering; a sense of “ain’t nobody’s business” • Privacy - Now: The Information Age. More data gathering across government & business; cell phones; mobile & wireless computing; 24/7 access; technological developments (surveillance cameras & software, RFID)

  5. Privacy Spheres • Consumer privacy (online & offline) • Usage of data by private businesses & organizations • Opt-in, opt-out • Data Sharing • Cookies, shopping incentive cards • Social networking • Governmental privacy • Similar issues as with consumer privacy • PLUS Privacy as a civil liberty • Governmental monitoring: Wiretapping, Surveillance, etc… • The Future – Pervasive & ubiquitous computing • Constant data gathering • RFID, REAL ID, biometrics, facial & behavior recognition, social networking, GPS, nanotechnology

  6. Basic Privacy Principles • Minimization/Collection Limitation: only collect that data for which you have a business need. • Notice/Awareness: clear and complete disclosure to individuals on the specifics of how the data they submit is to be collected, used, and shared with other organizations, in addition to the steps taken to preserve the data’s confidentiality, integrity, and quality. • Choice/Consent: where applicable, give individuals the choice of what data they submit, how it can be used, and with whom it can be shared. • Access: where applicable, give reasonable access to an individual’s personal data for review, modification, correction, and, where appropriate, deletion. • Integrity/Security: ensure that personal information is relevant, accurate, and consistent throughout the enterprise; and that reasonable security precautions are taken to protect data from unauthorized use, access, or transfer. • Accountability/Enforcement: specify an individual(s) to ensure the integrity and security of the data, and to enforce applicable law and policy.

  7. Privacy and Security, what is the difference? Privacy & Security are flip sides of a coin • Privacy • Broadly speaking, how data is defined and used • Laws, regulations, and policies that define and classify data and data usage • Security • Securing the data, both physically and technologically, per its definition to ensure its • Confidentiality (limited access) • Integrity (authentic & complete) • Availability (accessible)

  8. CPO Role – Data Protection Strategist & Evangelist • Statewide subject matter expert for advice, counsel, & direction • Work to align state practices with recognized fair information principles, federal & state laws • Statewide & OIT Policy and Procedure Development • Administrative rules • Centralized forum for agency guidance & sharing of best practices • Executive & Legislative Guidance • Executive Orders • Testimony • Bill development & guidance • Incident Response • Awareness, Training & Education • Web presence, presentations • Work alongside CISO • Implement security standards, technologies, programs • Prognosticate the Future While Helping Shape the Present • REAL ID, RFID, Biometrics, Surveillance, Social Networking

  9. CISO Role – Data Protection Architect • Statewide SME for technical guidance & implementation • SME in NIST, ISO 27001 & 27002, and other recognized standards • Enable & implement security standards, technologies, programs that align with international and federal standards • Encryption; Wireless; IT Security Policy (ex: remote access security, boundary security) • Incident Response • Assess/Audit IT security infrastructure & policy • Network & application security assessments • ISO/NIST security assessments of IT security policy • Work alongside CPO • Education, Awareness & Training • Develop statewide IT strategic plan • Prognosticate the Future While Helping Shape the Present • Data classification • Systems Lifecycle Policy • RFID, Biometrics

  10. Why Protect Privacy? – World View • European Union: EU Data Protection Directive and Member States, Safe Harbor Principles • US Federal: HIPAA, GLBA Safeguards Rule, COPPA • Canada: PIPEDA • South Korea: Act on Promotion of Information and Communications Network Utilization and Data Protection • Japan: Personal Information Protection Act, METI Guidelines • Hong Kong: Personal Data Privacy Ordinance • Philippines: Data Privacy Law proposed by ITECC • California: SB 1, SB 1386, SB 27, AB 1950 • Taiwan: Computer-Processed Personal Data Protection Law • India: Law pending, currently under discussion • Chile: Law for the Protection of Private Life • South Africa: Electronic Communications and Transactions Act • Argentina: Personal Data Protection Law, Confidentiality of Information Law • Australia: Federal Privacy Amendment Bill; State Privacy Bills in Victoria, New South Wales and Queensland; new email spam and privacy regulations • New Zealand: Privacy Act (slide dated October 10, 2007)

  11. Why protect privacy? – Federal View • Federal privacy legislation & rules on the rise: HIPAA; GLB; FCRA; COPPA; Do-not-call; REAL ID • OMB mandate on data breach reporting • The Office of Management and Budget's Office of Electronic Government and Information Technology reports that about 30 incidents occur daily exposing individuals' personal information • Currently in Congress: breach notification; SSN protection; electronic health information sharing

  12. Why protect privacy? – Ohio View • It’s a best practice and rapidly becoming Ohio law and policy! • Executive Order 13: Improving State Agency Data Privacy and Security • Ohio IT Bulletin ITB-2007.02: Data Encryption and Securing Sensitive Data • ITP-B.11: Data Classification Policy • HB 104: Data Breach Notification Law • HB 13: No SSN on Vehicle Registration Renewal Notice • SB 6: Credit Freeze; SSN Redaction; PIA • SafeBoot encryption • Upcoming Administrative Rules on Sensitive Data Protection, and Privacy Policies • And more… • Other states, especially California, are also pushing forward with privacy & security legislation

  13. Why protect privacy? – Citizen View • Increasing sensitivity & fear of ID theft • Cost of ID theft in the U.S. in 2006 = $49 billion • Security breaches are a daily occurrence: 446 breaches as of 12/31/07, involving 128 million records • TJ Maxx breach may cost as much as $256 million! • UK breach: sensitive info of 25 million citizens • Federal OMB: 30 data breach incidents occur daily

  14. Why Protect Privacy? - Public Trust • Citizens have no option to shop around – they are required to provide personal information to government. • We have an obligation to protect the information entrusted to us.

  15. The Future of Privacy & Security?

  16. The Future of Privacy & Security (diagram labels: Data aggregation; Data Sharing; Threats/Vulnerabilities; Biometrics, RFID; Risk Assessment; Transparency; Accountability) We can no longer make assumptions about privacy & use of data. We must create a legal and policy framework that respects personal information (privacy) and safeguards its proper use (security), all while respecting Ohio’s Sunshine Laws.

  17. The Future of Privacy & Security - Ohio • Privacy (law, policy, rules, awareness) • Law: data minimization; bulk records requests • Policies: business continuity; system development lifecycle (PIA & application vulnerability testing); physical security • Enhanced awareness & training efforts • Incident response training is a *must* • Security (technology) • Data-level encryption • ID/Access Management • Physical security • Threats: social engineering; botnets; web application vulnerabilities; wireless; employee activities

  18. The Future of Privacy & Security - Ohio • Increased inter-agency data-sharing (OAKS & elsewhere) • Development of a template data-sharing agreement • Increased multi-agency solutions • Sharing of best practices, policies, procedures, RFQs • Enterprise-wide procurement opportunities (mobile encryption) • Statewide CISO & CPO • Shared resources for enabling & auditing Ohio’s privacy & security environment • SB 6 calls for a statewide CISO; the Governor’s office & DAS/OIT are already looking at the issue

  19. What Agencies Need to Do • Publish, test & maintain your incident response plan • Define & Classify Data: Sensitive PII; Confidential/Critical • Map data: where does it live; follow data flows; data lifecycle • Minimize – less is more: data & access • Work Cooperatively: within the agency; across the state enterprise • Vendor Management: build privacy & security into contract terms; validate & monitor vendor practices; beware of vendor sub-contracting • Invest in Privacy & Security: policy & procedure; technology; awareness & training
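The Define, Classify, Map, Minimize sequence on this slide can be run as a small script against the data an agency actually holds. The Python below is an added example, not code from the deck or from the State of Ohio: the three classification tiers (the deck names "Sensitive PII" and "Confidential/Critical"; "Public" and the field-to-tier policy are assumed), the sample records, and the key are all constructed for illustration. It classifies each field by policy, escalates free-text fields that turn out to contain a validly formed SSN, builds a per-system data map, and then minimizes each record: fields with no business need are dropped, SSNs in free text are redacted to the last four digits (the SB 6 redaction style), and the SSN field itself is replaced by a keyed HMAC pseudonym plus last four. The HMAC tokenization stands in for the "data-level encryption" the deck mentions; a real deployment would use a managed key and the agency's approved encryption or tokenization product.

```python
import hashlib
import hmac
import re

# Classification tiers (assumed three-tier scheme; the deck names the first two).
SENSITIVE_PII = "Sensitive PII"
CONFIDENTIAL = "Confidential"
PUBLIC = "Public"
RANK = {PUBLIC: 0, CONFIDENTIAL: 1, SENSITIVE_PII: 2}

# Define: hypothetical agency policy. field -> (classification, business need?)
FIELD_POLICY = {
    "name": (CONFIDENTIAL, True),
    "ssn": (SENSITIVE_PII, True),
    "dob": (SENSITIVE_PII, True),
    "county": (PUBLIC, True),
    "ticket": (PUBLIC, True),
    "notes": (CONFIDENTIAL, True),
    "mothers_maiden_name": (SENSITIVE_PII, False),  # collected, but no business need
}

# Hypothetical tokenization key; in production this comes from a key manager.
KEY = b"example-only-tokenization-key"

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_valid_ssn(area, group, serial):
    """Reject SSN-shaped numbers the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_ssns(text):
    """Return validly formed SSNs found in free text (reduces false positives)."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups())]


def classify_field(field, value):
    """Classify by policy, then escalate if free text actually contains an SSN.
    Unknown fields default to Confidential with no documented business need."""
    label, _ = FIELD_POLICY.get(field, (CONFIDENTIAL, False))
    if isinstance(value, str) and find_ssns(value):
        label = SENSITIVE_PII
    return label


def map_data(systems):
    """Map: for each system, the fields it holds and the highest classification observed."""
    data_map = {}
    for system, records in systems.items():
        fields = {}
        for rec in records:
            for field, value in rec.items():
                label = classify_field(field, value)
                if field not in fields or RANK[label] > RANK[fields[field]]:
                    fields[field] = label
        data_map[system] = fields
    return data_map


def tokenize_ssn(ssn, key):
    """Keyed pseudonym (HMAC-SHA256, truncated) so records stay linkable without storing the SSN."""
    digits = ssn.replace("-", "")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


def redact_ssns(text):
    """Redact valid SSNs in free text to XXX-XX-last4; leave non-SSN numbers alone."""
    def repl(m):
        return "XXX-XX-" + m.group(3) if is_valid_ssn(*m.groups()) else m.group(0)
    return SSN_RE.sub(repl, text)


def minimize_record(rec, key):
    """Minimize: drop fields without business need, tokenize the SSN field, redact SSNs in text."""
    out = {}
    for field, value in rec.items():
        _, needed = FIELD_POLICY.get(field, (CONFIDENTIAL, False))
        if not needed:
            continue
        if field == "ssn":
            out["ssn_token"] = tokenize_ssn(value, key)
            out["ssn_last4"] = value[-4:]
        elif isinstance(value, str):
            out[field] = redact_ssns(value)
        else:
            out[field] = value
    return out


# Constructed sample data: two systems, with an SSN leaking into a help-desk note.
SYSTEMS = {
    "licensing_db": [
        {"name": "A. Citizen", "ssn": "219-09-9999", "dob": "1970-01-01", "county": "Franklin",
         "mothers_maiden_name": "Smith", "notes": "called 2007-10-01"},
        {"name": "B. Resident", "ssn": "078-05-1120", "dob": "1982-06-15", "county": "Cuyahoga",
         "mothers_maiden_name": "Jones", "notes": "prior SSN on file 219-09-9999"},
    ],
    "help_desk_tickets": [
        {"ticket": 1, "notes": "Caller gave SSN 219-09-9999 to verify"},
        {"ticket": 2, "notes": "Reference number 000-12-3456 is not an SSN"},
    ],
}


def run(systems=SYSTEMS, key=KEY):
    """Produce the data map and the minimized copy of every record."""
    minimized = {s: [minimize_record(r, key) for r in recs] for s, recs in systems.items()}
    return map_data(systems), minimized


if __name__ == "__main__":
    data_map, minimized = run()
    for system, fields in data_map.items():
        print(system, fields)
    for system, recs in minimized.items():
        print(system, recs)
```

The data map is what surfaces the surprise: the help-desk system was never defined as holding Sensitive PII, yet its notes field classifies that way because a caller's SSN was typed into it, which is exactly the kind of finding the "follow data flows" step is meant to produce.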

  20. Investing in Privacy & Security • Policy & Procedure Investment • Make sure agency-specific policies & procedures are promulgated & implemented (especially incident response) • Classify Data • Keep abreast of the latest privacy & security laws & news • Weekly CPO Privacy & Security News Brief • State of Ohio Privacy & Security Information Center website • Technological Investment • Encryption • Data mapping • ID/Access Management • Physical security • Awareness & Training Investment (might be the most important investment of all) • Use centralized resources (CPO, training ppts, OIT FAQs) • Build into on-boarding & performance reviews • Regular refreshers

  21. Privacy & Security Are NOT Just IT-Related • Sr. Staff/Data Owners/Legal • Data Minimization • Risk Analysis • Data Classification • Policy & Procedure Development • Ensuring Funding • Vendors/contracting • Education & Awareness • IT = Data Custodian • Secure data per risk analysis & classification • Maintain security throughout system life cycle

  22. Spotlight on Data Classification • Data classification is NOT an IT function – it is a business process and requires business resources to be successful. • Classification requires an educated Steering Committee to include: • IT management, security & audit • Risk management • Business Leaders • Legal • Use the Steering Committee to: • Baseline the data environment & determine scope • Identify risk, laws, policies, and regulations • Validate objectives • Monitor progress

  23. BOTTOM LINE Incidents will occur • Understand that privacy & security are EVERYONE’S business • Be prepared & invest • Policy, procedure, planning • Incident response policy - plan & test • Awareness & training • Part of on-boarding; performance review • IT security infrastructure • Build privacy & security at beginning • Lifecycle view: PIA & App testing

  24. Public Trust • Privacy & security are the right thing to do • Citizens have no option to shop around – they are required to provide personal information to government. • We have an obligation to protect the information entrusted to us.

  25. NEVER AGAIN!

  26. (Some) Privacy Resources • Ohio Privacy & Security Information Center http://www.privacy.ohio.gov/ • Federal Citizen Information Privacy Resources http://www.pueblo.gsa.gov/privacy_resources.htm • Federal Trade Commission Privacy Initiatives http://www.ftc.gov/privacy/index.html • OnGuard Online http://onguardonline.gov/index.html • Identity Theft Resource Center http://www.idtheftcenter.org/ • Center for Democracy & Technology http://www.cdt.org/

  27. Questions? Sol Bermann, J.D., CIPP, Chief Privacy Officer, DAS-OIT sol.bermann@ohio.gov 614-644-9391
