C-MIST SDL managing and reducing risk of sensitive pii disclosure
karin-jensen
Absorb what is useful, disregard what is not, add what is uniquely your own.
-Bruce Lee
Preamble:
Did you know consumer software is two and a half times more likely to be attacked? To help make the Internet safer, how about some examples of how to make software more secure? This February 7th, we are sharing one of our presentations on building secure software.
Some years ago I had the pleasure of working with the great staff at the Disability Alliance organization in British Columbia. We put together a digital card for use in the Emergency Preparedness Program. This is the security development lifecycle presentation.
In general, it’s easier to protect an asset the closer the protection is placed to it. Unnecessary complexity is a threat to good security. Security solutions designed for one environment may not be transferable to another. Ergo, it is important to understand the limitations of any security solution.
SDL -> NGO Requirements
SDL Process: alignment between SDL practices and HIPAA Security Rules. HIPAA is heavily focused on the management of risk. There have been recent changes in the management of IT risk with the release of the Information Security Forum (ISF) Risk Assessment Methodology and the RiskIT Framework from NIST and ISACA.org, which provides a systematic way to identify, codify, and manage IT-related risk.
C-MIST: Functional Needs Framework
The Functional Needs Framework looks at the needs that people with disabilities will have in an emergency.
There are many people who do not identify as “a person with a disability,” but will have needs in one or more of the functional areas.
Having a completed C-MIST tile allows a fast identification and response to identified needs. First responders plan, respond and initiate recovery in comprehensive ways relative to people’s functional needs.
Why a Specific PII SDL for C-MIST?
1. The British Columbia Coalition of People with Disabilities is a Non-Governmental Organization. C-MIST is an excellent response for people with disabilities as part of Emergency Preparedness.
2. Completed C-MIST tiles contain Level III Sensitive Personally Identifying Information.
3. Many options are available for data protection on the Windows Phone 7 platform: which works best for C-MIST Sensitive PII?
C-MIST contains Level III Sensitive PII.
Communication
Medical
Independence
Supervision
Transportation
SDL PII Solution for C-MIST Software on Windows Phone 7 Platform.
Remember, numbers can be rescinded and new ones issued,
but once PII is disclosed: there is no putting that cat back in the bag.
The UI contains sensitive PII, but there is no further identifying information. An old trick is to separate the areas of concern. Identifying information such as name, number and address is readily available on the device. However, the user makes the decision to self-disclose more information.
The date box shows the most recent interaction in the textbox of Communication Needs, and first responders can gauge the “freshness” of the information.
Further reducing PII disclosure…
Implement and develop using managed code: take full advantage of .NET security features.
Use Mature Ratings for access.
Reduce the attack surface of the program. Only the user has access.
Rather than one big loopy program, have a selection of tiles. Let the user decide and choose which tile/s are most appropriate for their functional needs.
Use Isolated Storage for user data storage and critical parts of the program.
To prevent unauthorized access, slave the program to the Operating System: if re-installed either by remote wipe or servicing, the program and user information are deleted.
Buffer Overflow/Underflow: appropriate checks.
Tampering and Repudiation: provide time stamping when changes are detected in the C-MIST textbox.
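The Isolated Storage, length-check and time-stamping points above, shown as an added C# example that is not code from the presentation. It assumes the Windows Phone 7 Silverlight Isolated Storage API; the class name, file naming and 500-character limit are hypothetical.

```csharp
using System;
using System.Globalization;
using System.IO;
using System.IO.IsolatedStorage;

// Hypothetical helper: one small file per C-MIST tile in the app's Isolated Storage.
// The file holds only the functional-need text and a change timestamp;
// no name, number or address is ever written (separation of concerns).
public static class CmistTileStore
{
    public const int MaxLength = 500; // constructed limit for the textbox content
    private static readonly string[] Tiles =
        { "Communication", "Medical", "Independence", "Supervision", "Transportation" };

    private static string PathFor(string tile)
    {
        // Only the five known tile names may become part of a file name.
        if (Array.IndexOf(Tiles, tile) < 0) throw new ArgumentException("unknown tile");
        return "cmist_" + tile + ".txt";
    }

    // Returns the stored text (null if the tile is empty) and when it last changed.
    public static string Load(string tile, out DateTime changedUtc)
    {
        changedUtc = DateTime.MinValue;
        using (var store = IsolatedStorageFile.GetUserStoreForApplication())
        {
            if (!store.FileExists(PathFor(tile))) return null;
            using (var reader = new StreamReader(
                store.OpenFile(PathFor(tile), FileMode.Open, FileAccess.Read)))
            {
                changedUtc = DateTime.Parse(reader.ReadLine(),
                    CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind);
                return reader.ReadToEnd();
            }
        }
    }

    // Saves the textbox content; the timestamp moves only when the text changed.
    public static DateTime Save(string tile, string text)
    {
        if (text == null) throw new ArgumentNullException("text");
        if (text.Length > MaxLength) throw new ArgumentException("text too long");
        DateTime previous;
        if (Load(tile, out previous) == text) return previous; // unchanged: keep date
        DateTime now = DateTime.UtcNow;
        using (var store = IsolatedStorageFile.GetUserStoreForApplication())
        using (var writer = new StreamWriter(
            store.OpenFile(PathFor(tile), FileMode.Create, FileAccess.Write)))
        {
            writer.WriteLine(now.ToString("o", CultureInfo.InvariantCulture));
            writer.Write(text);
        }
        return now;
    }
}
```

The date returned by `Save` is what the tile's date box would display, so first responders see when the text last changed rather than when the tile was last opened.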
Provide a “help and how to” button. Provide notice and consent by means of appropriate asset and software licensing.
Provide a “help and about” button, traditionally how to use the software. What I think would be most useful is how to get out alive and extend the help to others.
Release and Response Plan
Maturity Model – holistic and multilevel approach
Release Archive Processes – integrated into the Business Operations Framework
To successfully respond to incidents, you need to:
Minimize the number and severity of security incidents.
Define an incident response plan -> built on the need for trust.
Contain the damage and minimize risks -> need for trust and EULA.
Have a partner who has experience at this and can guide the response.
Use approved tools for remote wipe.
Remember – we made it AND we can delete it.
Used in Guidance
Windows Secure Development Lifecycle
Jericho Forum: delivering a de-perimeterized vision
National Institute of Standards and Technology Special Publication 800-124
Content provided through “Fair Use Protocols” and remains the property of their respective owners.
For the love of the DUCK!