Privacy and Security of NPI - Office of HIPAA Privacy & Security
Confecting Security And Privacy
Confecting Security and Privacy
OR
How to bake a security TRA with your PIA
Marcel Gingras
Cinnabar Networks Inc.
613.262.0946
The Cook’s Background
• A major in security with a minor in privacy
• Manager of Risk Analysts
– TRA, PIA, BCP
– Big on methodology development
• IT Security since 1995, Privacy since 2001
• Public service for 16 years
• IT software developer, software and network architect and network support manager
Recipe
• Ingredients
– Risk Management and Limiting Disclosure
– PIA and TRA Methodologies
• Preparation
– Sharing the Data Gathering
• Cooking
– Collaborative Analysis
• Testing for Doneness
– Tasty Privacy and Security Safeguards
Conference Theme: Disclosure
• Privacy Domain
– Principle: Limiting Use, Disclosure, and Retention
– Affects business process design
– May need security “confidentiality” services to limit disclosure (authentication, authorization, confidentiality services)
• Security
– Protects a business process
– Provides confidentiality, integrity and availability security services
Disclosure Requirements using Risk Management Processes
• Variety of Risk Management Processes
– Business Strategic Risk
– Business Service Delivery Risk (Operational)
– Financial Risk Management
– Business Continuity Planning (BCP)
– Privacy Impact Analysis (PIA)
– Security Threat and Risk Analysis (TRA)
• Latter two directly analyze disclosure risks
Security Risk Management: A Long History
• Physical security
– Walls, doors, locks and safes
• Military security
– Protect the country, safeguard the troops
– Codes and ciphers
• IT Security Risk Analysis
– Well developed models and methodologies
IT Security Risk Analysis Process
• Conceptual analysis of system or application
• Statement of Sensitivity
– Inventory of Assets (includes classification)
– Injury tests
• Threat Assessment
• Vulnerability Assessment
• Examination of Existing Safeguards
• Risk Assessment
• Security Safeguard Recommendations
Privacy Risk Management: A Short History
• Variable expectations between social groups
– Values within a country, variations depending on context (commercial, banking, health, legal)
• Sense of privacy being under attack
– Fear of government ‘big brother’
– Fear of erosion of privacy in an IT information age
• Privacy Compliance and Risk Analysis
– New models, limited risk management and ‘young’ supporting methodologies
Current Privacy Compliance and Risk Analysis
• Slanted towards compliance audit
• Checklist based
• No ranking of potential damages
• No ranking of risk (too many yes/no questions)
• No ranking of safeguard effectiveness
• No action plan
Unless particular privacy safeguards are specified, it’s all ‘best guess’
Current Privacy Compliance and Risk Analysis – The Effect
• Audit against legislation and policy sufficient in some cases, but not helpful in selecting strength of privacy safeguards needed
• Checklist based discourages risk analysis
• Lack of risk rankings makes it difficult to justify appropriately strong solutions
• Lack of a prioritized action plan makes it difficult to plan next steps in the project
Other Annoying Issues
• Too many TLAs (Three letter acronyms)
• Clutter in the project plan
• Too many interviews asking the same questions
• Timing issues: When to do these things to get actual value… Requirements when you need them and a reality check on the solution when you need it.
• Contradictory ‘disclosure’ and ‘confidentiality’ recommendations
• Potential for security solutions to be privacy invasive
What Can We Improve? (1)
• We can do privacy protection requirements gathering, analysis, and audit at the right time in the project lifecycle process.
• We can align related risk management processes (e.g. PIA and TRA) to be supportive and consistent.
What Can We Improve? (2)
• We can improve PIAs by borrowing from more mature risk analysis processes.
• We can incorporate the risk analysis processes into the current compliance audit PIA templates, providing a tool to be used as needed.
Note: The current form and rigor of existing PIA methodologies do not need to be changed, just augmented.
Project Lifecycle Integration
• What information do we need when?
– Privacy requirements identification with other business requirements
– Privacy protection solution identification with other business solutions
– Audit/testing of privacy solutions with other business functionality audit/testing
Bad Things That Can Happen…
• Unknown privacy requirement kills project
– E.g. Illegal use of SIN, Illegal disclosure of health card number
• Unknown security requirement creates ‘add-on’ expense
• Poorly implemented safeguards leave information at risk
• Intended safeguard implementation is deferred with unknown risk exposure
Project Lifecycle Integration
[Diagram: lifecycle phases across the top (Concept, Analysis, Design, Develop, Deploy, Operate) with one swimlane per risk management process. Activities shown in each lane; the exact phase positions are not preserved in this transcript.]
I.T. Security Risk Management: IT Risk Requirements Plan (TRA), IT Risk Mitigation Plan (TRA), IT Security Test Plan, IT Risk Audit & Certification
Business Continuity Planning: Business Impact Analysis, BCP/DRP, Incident Response Plans, BCP/DRP Testing & Maintenance
Privacy Risk Management: Privacy Requirements Analysis (PIA), Privacy Plan (PIA), Privacy Audit
Business Risk Management: Business Risk Analysis, Project Risk Tracking, Project Risk Management, Program Audit
Also shown: Preliminary Risk Analysis
Things to Note
• All risk management activities should have a minimum of 3 stages:
– Requirements: Identification of risk and safeguard requirements
– Solution Evaluation: Verify that the proposed solutions are effective
– Implementation: Verify that the solutions are installed and operating as advertised
Cost note: Typically, the cost of the first two exercises does not exceed 1.5 times the cost of doing a single large exercise (TRA or PIA). It’s an incremental update.
Risk Assessment Alignment: PIAs and TRAs
• Can we integrate PIA and TRA risk analysis processes? …save time and money?
• Can we do the two analyses in a timely fashion?
• Can we ensure that resulting safeguard recommendations do not conflict?
Yes, But…
• Garbage in – Garbage out
– It still takes expertise in the methodology and subject area (security, privacy, …) to do good analysis
– Privacy analysis requires expertise of a separate body of knowledge
– Security analysts are not automatically good privacy analysts
• Team-of-2 approach works well!
At a High Level, TRAs & PIAs Have Similarities
• Both risk management processes seek to avoid adverse outcomes
• Both are communications and decision making tools
• Both seek to identify risks and identify safeguard requirements at the analysis phase
• Both seek to document “due diligence” analysis and safeguards prior to deployment
• Both stem from legislative or policy requirements
PIA/TRA Analysis Process: Shared Elements
• System descriptions: detailed knowledge of the information flow
• Knowledge of effectiveness of safeguards
• Concept of “Damages” and “Acceptable Risk” of value to both
Not Shared: Privacy Threats (1)
More Than Keeping Personal Secrets
• Lack of authority to collect
• Inadequate consent
• Poorly informed data subject
• Low quality (incorrect) information
• Too much information being held (or held too long)
Not Shared: Privacy Threats (2)
• Inappropriate use
– Data profiling
– Data mapping
– Transaction monitoring
• Identification of individuals
• Lack of, or fuzzy accountability
• Lack of openness
Not Shared: Privacy Threats (3)
• Loss of personal control over and access to data, including right to object / challenge the system
• Physical observation of individuals
• Publishing or re-distribution of databases containing personal information
Recap: Why do PIAs and TRAs together?
• Timeliness and cost savings
• Minimize disruption to business and development teams
• Assessments feed critical info to each other
• Requirements integrated and in agreement
Solution: Risk Assessment Alignment - Detail
[Diagram: TRA and PIA shown side by side; both columns are labelled “Data Gathering”. Elements shown: Methodology, Background, Purpose (in both), Scope, Target Risk, Information Gathering, System Description, Data Flow Documentation, Privacy Legislation Framework, Statement of Sensitivity, Policies and Standards. Which column each element sits in is not preserved in this transcript.]
Solution: Risk Assessment Alignment - Detail
[Diagram: TRA and PIA shown side by side, analysis stage.]
PIA column (labelled “Ten Privacy Principles Analysis”): Accountability; Identifying Purpose; Consent; Limiting Collection; Limiting Use, Disclosure (feed threat analysis) and Retention; Accuracy (feed threat analysis); Safeguards (Appropriateness, with Efficacy Referenced Out); Openness; Individual Access; Challenging Compliance; Privacy Recommendations
TRA column (labelled “Confidentiality, Integrity, Availability Analysis”): Threat Analysis; Vulnerability Analysis; Existing Safeguards (Efficacy); Risk Analysis; Recommended Safeguards (Efficacy)
The Reports
• Separate PIA and TRA for different audiences
• Similar layout for easy reading (optional)
• Risk scenario based privacy analysis supporting PIA questionnaires (optional)
Note: Questionnaire formats are being revisited in some jurisdictions as they have encouraged poor analysis
Improving PIAs with Risk Scenario Analysis (1)
• Start with the privacy questionnaire…
• Postulate system-specific attacks against particular personal information
• Consider the initial risks, based on damages caused by disclosure, inaccuracy, etc.
• Consider existing privacy safeguards
Risk Scenario Analysis (2)
• Rate residual risk
• Make additional privacy safeguard recommendations (if needed)
• Rate residual risk
• Organize analysis and safeguards by privacy principles
Risk Scenario Analysis (3)
• Sample questionnaire question
If personal information is to be used or disclosed for a secondary purpose not previously identified, is consent required?
Very generic, asks for a Yes/No, does not encourage analysis
Risk Scenario Analysis (4): Simplified Analysis Table
Columns: Item | R# | Risk Scenario | I | L | R | Privacy SG# | Safeguards (Existing and Recommended) | R (residual)
Item: PR    R#: 22
Risk Scenario: Consent is not obtained in all cases. Persons who make inquiries by telephone or by regular mail may not formally consent to having personal information stored in a repository, or may not understand that their contact information will be retained following satisfaction of their inquiry. Their consent may be viewed as implicit.
I: M    L: H    R: M-H
Privacy SG# / Safeguards (Existing and Recommended):
  R-PSGP112  XXX User Agreements
  R-PSP201   Business Manual
  R-PSP250   Business Liaison with ATIP
  P-PSP251   Consistent notices and forms
  R-PSP252   Consent procedures
  P-PSA500   Periodic audits by ATIP office
R (residual): L
Risk Scenario Analysis (5): Privacy Safeguard Item
PSP250 Business Liaison with ATIP: There should be a manager-level business line point of contact or points of contact with the ATIP office to ensure consistency of policy and practices, as well as integration of privacy policy and practices throughout the lifetime of the system.
Recommended
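The risk scenario procedure on the preceding slides (postulate a scenario, rate the initial risk from impact and likelihood, apply existing safeguards and rate residual risk, recommend further safeguards and rate again, then organize everything by privacy principle) as a small working model. This is an added example, not code from the presentation or from Cinnabar Networks. The PR22 inputs (I=M, L=H, R=M-H, residual L) come from the analysis table; the 3x3 rating matrix, the existing/recommended split of the listed safeguards (the slides mark only PSP250 as Recommended), the likelihood-reduction weights and the safeguard-to-principle mapping are all assumptions made for the example.

```python
"""Risk scenario analysis for one PIA questionnaire item.

Modelled on the 'Simplified Analysis Table' slide. Everything except the
PR22 ratings (I=M, L=H, R=M-H, residual R=L) is an assumption constructed for
this example: the rating matrix, which safeguards are existing versus
recommended, the reduction weights and the principle mapping.
"""
from dataclasses import dataclass, field

LEVELS = ["L", "M", "H"]  # ordinal scale shared by impact and likelihood

# Assumed impact x likelihood -> risk rating (outer key: impact).
RISK_MATRIX = {
    "L": {"L": "L", "M": "L", "H": "M"},
    "M": {"L": "L", "M": "M", "H": "M-H"},
    "H": {"L": "M", "M": "M-H", "H": "H"},
}


@dataclass
class Safeguard:
    sg_id: str
    description: str
    status: str        # "existing" or "recommended" (assumed per safeguard)
    principle: str     # privacy principle it supports (assumed mapping)
    reduction: int = 0 # likelihood steps it removes (assumed weight)


@dataclass
class RiskScenario:
    item: str
    number: int
    principle: str     # principle the scenario is filed under
    description: str
    impact: str
    likelihood: str
    safeguards: list = field(default_factory=list)


def rate_risk(impact, likelihood):
    """Look up the risk rating for an impact/likelihood pair."""
    if impact not in LEVELS or likelihood not in LEVELS:
        raise ValueError("impact and likelihood must be one of L, M, H")
    return RISK_MATRIX[impact][likelihood]


def reduce_likelihood(likelihood, safeguards):
    """Lower likelihood by the safeguards' combined weight, floored at L."""
    steps = sum(s.reduction for s in safeguards)
    return LEVELS[max(0, LEVELS.index(likelihood) - steps)]


def analyse(scenario):
    """Initial risk, residual after existing safeguards, residual after the
    recommended safeguards are added as well (the two 'rate residual risk'
    steps on the slides)."""
    existing = [s for s in scenario.safeguards if s.status == "existing"]
    recommended = [s for s in scenario.safeguards if s.status == "recommended"]
    l_existing = reduce_likelihood(scenario.likelihood, existing)
    l_final = reduce_likelihood(l_existing, recommended)
    return {
        "ref": f"{scenario.item}{scenario.number}",
        "initial": rate_risk(scenario.impact, scenario.likelihood),
        "residual_existing": rate_risk(scenario.impact, l_existing),
        "residual_final": rate_risk(scenario.impact, l_final),
        "recommended": [s.sg_id for s in recommended],
    }


def by_principle(scenarios):
    """Organize scenarios and safeguards under the privacy principles."""
    out = {}
    for sc in scenarios:
        out.setdefault(sc.principle, {"scenarios": [], "safeguards": []})
        out[sc.principle]["scenarios"].append(f"{sc.item}{sc.number}")
        for s in sc.safeguards:
            out.setdefault(s.principle, {"scenarios": [], "safeguards": []})
            out[s.principle]["safeguards"].append(s.sg_id)
    return out


# PR22 from the slides; statuses, weights and principles are assumed.
PR22 = RiskScenario(
    item="PR", number=22, principle="Consent",
    description="Consent is not obtained in all cases (telephone and mail "
                "inquiries may only give implicit consent).",
    impact="M", likelihood="H",
    safeguards=[
        Safeguard("R-PSGP112", "XXX User Agreements", "existing", "Consent", 1),
        Safeguard("R-PSP201", "Business Manual", "existing", "Accountability", 0),
        Safeguard("R-PSP250", "Business Liaison with ATIP", "recommended", "Accountability", 0),
        Safeguard("P-PSP251", "Consistent notices and forms", "recommended", "Openness", 1),
        Safeguard("R-PSP252", "Consent procedures", "recommended", "Consent", 1),
        Safeguard("P-PSA500", "Periodic audits by ATIP office", "recommended", "Challenging Compliance", 0),
    ],
)

if __name__ == "__main__":
    print(analyse(PR22))          # initial M-H, residual M, then L
    print(by_principle([PR22]))
```

With the assumed weights the existing safeguards bring PR22 from M-H to M and the recommended ones to L, matching the residual rating in the table; changing a weight or moving a safeguard between existing and recommended immediately changes the residual, which is the ranking the slides say questionnaire-only PIAs lack.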
Recipe Recap: Get the right information at the right time
• Lifecycle Alignment and Integration:
– Set up your project to get privacy requirements and solutions at the right time
• Risk Analysis Process Integration:
– Align your privacy and security risk management processes
• PIA Analysis Improvement
– Formalize and harmonize privacy risk analysis with other risk analysis processes