Privacy of Information (Securing Personal Data)
Transcript of Privacy of Information (Securing Personal Data)
Casualty Actuarial Society, May 16, 2005
John B. Storey, CISSP
Privacy of Information (Securing Personal Data)
2
Securing Data Is No Monkey Business
3
Public Concerns for Personal Data
The "Big Brother" image
Identity theft is on the rise, and a sense of helplessness prevails
Are corporations and the government doing enough to protect Personally Identifiable Information (PII) in their custody?
Identification numbers are attached to almost every transactional activity in our lives and history
Balancing the good and bad uses of information about an individual
Our need for access to many data sources has created a need for quick response
Securing PII and Protected Health Information (PHI) is a federal mandate
4
FBI Annual Report
Over $65 billion is lost as a result of identity theft each year
There are over 10 million incidents of identity theft each year
Many people who suffer a loss don't make a report
Consumers have spent over 300 million hours dealing with clearing their credit reports
Many don't get through the process for years
Others have been unjustly denied job opportunities
5
The Need for Data Repositories
"Everyone wants to know it now and fast"
The ease of access to information for quick decisions
Large data repositories for fraud detection
Are criminals exploiting our system?
Are people impersonating others?
Analytical data models and the almost perfect degree of accuracy required
Creating the fair balance with scores
Risk analysis in business transactions
6
Recent Publicized Personal Data Dilemmas
ChoicePoint: 145,000 names, addresses and social security numbers obtained by false customers and used in an identity theft ring
DSW Shoe Warehouse: 1.4 million credit card and driver's-license numbers
Time Warner: 600,000 employee and customer social security numbers misplaced by the SEFETY vault
Bank of America: 1.2 million customers' social security numbers misplaced in transit
LexisNexis: 310,000 social security and driver's-license numbers
7
Inadvertent Disclosure of Data
Viruses can be used to obtain passwords
Search randomly or specifically for password files
Inadvertent disclosure and theft of data
Phishing uses creative "bait and hook"
Deception and coercion lure the unsuspecting Internet user into disclosing sensitive information
Trojan horses, the silent listener
Get into a computer system in many ways
Could be used to intercept sensitive information
Social engineering
Don't be tricked into giving sensitive information to the wrong individual
Employees and contractors
Beware of the opportunist and safeguard sensitive information by strictly applying the "need to know" rules
83% of companies surveyed experienced a security breach in 2004 (source: 2004 Deloitte Global Security Survey)
8
Protecting Data in Your Custody
Are data custodians aware of stored or shared PII data?
Who is using the data and for what purpose?
Is the data available for viewing on the Internet?
Is encryption used?
Is the customer or viewer properly credentialed?
What type of logs or electronic footprints are kept to meet regulatory requirements?
Where is it stored and for how long?
Inherent security controls must be in place consistently as long as the data is stored and used
Are adequate data disposal controls in place?
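The questions on this slide (who is using the data, for what purpose, is the viewer credentialed, what electronic footprint is kept) can be answered by one small access gateway. The following is an added example written for this transcript, not code from the presentation or from any product; the roles, purposes, customer records and audit-log layout are assumptions made for illustration, and the identifiers are constructed.

```python
"""Purpose-limited access to PII with an audit trail.

Added example, not code from the original slides. The roles, purposes,
customer records and log layout below are assumptions for illustration.
"""
from datetime import datetime, timezone

# Constructed sample records; the identifiers are not real people's.
CUSTOMERS = {
    "C-1001": {"name": "A. Sample", "ssn": "123-45-6789", "dob": "1970-01-02"},
    "C-1002": {"name": "B. Example", "ssn": "234-56-7890", "dob": "1985-06-30"},
}

# Need-to-know matrix (assumed): role -> purpose -> fields the role may
# see in full. A role/purpose pair that is absent is denied outright.
ENTITLEMENTS = {
    "claims_adjuster": {"claim_handling": {"name", "dob"}},
    "fraud_analyst":   {"fraud_investigation": {"name", "dob", "ssn"}},
    "marketing":       {},                     # no PII purpose at all
}

# Every request, allowed or denied, is recorded here. In production this
# would be an append-only store or a SIEM feed, not a list in memory.
AUDIT_LOG = []


def mask_ssn(ssn):
    """Partial disclosure: only the last four digits are shown."""
    return "***-**-" + ssn[-4:]


def access_pii(user, role, purpose, customer_id):
    """Return the record as this role/purpose is entitled to see it, or
    None when the role has no declared purpose for the data.

    Entitled fields are returned in full; the SSN is masked when not
    entitled; any other unentitled field is omitted from the result.
    """
    allowed = ENTITLEMENTS.get(role, {}).get(purpose)
    decision = "deny" if allowed is None else "allow"
    result = None
    if decision == "allow":
        result = {}
        for field, value in CUSTOMERS[customer_id].items():
            if field in allowed:
                result[field] = value
            elif field == "ssn":
                result[field] = mask_ssn(value)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "purpose": purpose,
        "customer_id": customer_id,
        "decision": decision,
        "fields_returned": sorted(result) if result else [],
    })
    return result


def access_violations():
    """Denied requests: the raw material for the monitoring and
    reporting step of a security program."""
    return [entry for entry in AUDIT_LOG if entry["decision"] == "deny"]


if __name__ == "__main__":
    access_pii("jdoe", "fraud_analyst", "fraud_investigation", "C-1001")
    access_pii("asmith", "claims_adjuster", "claim_handling", "C-1001")
    access_pii("mlee", "marketing", "campaign", "C-2002")
    for entry in AUDIT_LOG:
        print(entry["user"], entry["purpose"], entry["decision"],
              entry["fields_returned"])
```

The point of routing every read through one function is that the audit record is produced by the same code path that makes the decision, so there is no way to see the data without leaving a footprint, and a purpose that was never declared for a role is refused rather than silently granted.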
9
The Cost of Security Breaches
2001: ChoicePoint paid $1.3 million for sending driver's license information over the Internet
2003: Acxiom experienced a hacking activity that resulted in information loss; the cost of the privacy breach was approximately $12 million
2005: ChoicePoint had a privacy breach; the approximate cost to date is $15-20 million in loss of potential business
10
Protecting Data with an Effective Security Program
Develop risk management methodologies to quantify technology risks for an informed decision process, based on industry standards such as OCTAVE and NIST risk management.
Develop policies and best practices to safeguard ISO and subsidiaries' electronic information. Policies and best practices must be validated by a third party against standards such as ISO 17799 and BS 7799-2.
Educate and raise awareness among the employees of your company
Monitor, quantify, and report violations of access controls
Program elements shown in the slide's diagram: Risk Management; Policies, Procedures and Best Practices; Awareness & Training; Monitoring & Reporting
11
Statistics (source: Symantec/MSS 2003; 20,000 sensors deployed in over 180 countries)

Attack activity by type:
Worms and blended threats: 43%
Pre-attack reconnaissance: 40%
Exploit attempts: 17%

Severe events experienced by industries, per 10,000 events (bar-chart values paired with the industries in the order shown on the slide):
Financial Services: 7.8
Business Services: 6.2
Healthcare: 6.1
Power & Energy: 5.4
Media/Entertainment: 5.1
Nonprofit: 3
E-commerce: 2.7
Manufacturing: 2.5
High-Tech: 2.4
Telco: 1.9

Top originating countries, excluding worms (rank, country, share of total in the first half of 2003, and position in the two preceding periods; the slide's label for the prior-position columns survived only as "2/2002"; NR = not ranked):
1. United States, 58% (prior positions: 1, 1)
2. Canada, 8% (prior positions: 5, 7)
3. China, 3% (prior positions: 2, 3)
4. Japan, 3% (prior positions: 9, 10)
5. Australia, 3% (prior positions: NR, NR)
6. Germany, 2% (prior positions: 3, 4)
7. South Korea, 2% (prior positions: 4, 2)
8. Taiwan, 2% (prior positions: NR, 6)
9. France, 1% (prior positions: 6, 5)
10. Italy, 1% (prior positions: 10, 8)
12
The Cost of Security Vulnerabilities
Sophisticated attacks
Tools from password sniffing to self-propagating malicious software (malware)
Speed of attacks from 3 years (e.g., boot sector viruses) to 4 days (e.g., Melissa) to minutes (e.g., the Beagle worm)
Financial loss worldwide of $2 billion in August 2003 due to 3 worms in 12 days (Blaster, Welchia, and Sobig.F)
Increased number of software and system vulnerabilities
From 171 vulnerabilities in 1995 to 3,784 in 2003 (source: CERT/CC)
Average of 10 vulnerabilities per day
70% of vulnerabilities are classified as EASY TO EXPLOIT (source: Symantec)
Open computing environment attacks, e.g., remote access, PDAs, wireless, etc.
13
Federal and State Electronic Information Protection
Federal:
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley (COSO and COBIT)
Fair Credit Reporting Act (FCRA)
State:
NYS Department of Health cyber security could follow California regulations on protecting employees and overseas outsourced arrangements
NYS 276: additional privacy requirements on top of GLBA
CA 1386 (California's breach-notification law, SB 1386): strict information security control requirements; other states could follow
14
Summary
Implement security controls consistent with industry standards for adherence to regulatory requirements
Business and technology must work together to protect the privacy of data
Adhere to regulatory security control requirements
Safeguard your corporation's intellectual property and investments
Use prudent measures to safeguard your corporation from internal exposures
15
Elements of a Privacy Checklist
What data is stored on your systems, and does it require encryption?
What privacy elements are contained in the data?
How long will the data be stored on your systems?
Are adequate security access controls in place?
Is sensitive information transmitted unencrypted?
Do you have a way to determine if data is out of date?
Are security controls in place to prevent tampering?
Are you complying with privacy regulations?
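Two of the checklist questions (what data is stored and does it require encryption; is the data out of date) only get honest answers if someone actually goes looking. The following is an added example written for this transcript, not code from the presentation: it locates SSNs and payment card numbers in free-text records, validating them so that order numbers and phone numbers are not counted, and flags records older than a retention period. The sample records, the 7-year retention period and the reference date (the date of the talk) are constructed assumptions.

```python
"""Finding the PII you hold and flagging what has outlived its retention.

Added example, not from the original slides. The sample records, the
7-year retention period and the reference date are constructed assumptions.
"""
import re
from datetime import date

# SSN formatted as 3-2-4; plausibility is checked separately below.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def is_plausible_ssn(area, group, serial):
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_ok(digits):
    """Luhn check-digit test, so that arbitrary digit runs (order numbers,
    reference codes) are not reported as payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text):
    """Return (kind, match) pairs for validated SSNs and card numbers."""
    found = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            found.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            found.append(("card", m.group(0)))
    return found


def stale_records(records, today, retention_years=7):
    """Ids of records created before the retention cutoff."""
    try:
        cutoff = today.replace(year=today.year - retention_years)
    except ValueError:  # 29 February with a non-leap cutoff year
        cutoff = today.replace(year=today.year - retention_years, day=28)
    return [r["id"] for r in records if r["created"] < cutoff]


# Constructed sample records (assumption); the card number is a test number.
RECORDS = [
    {"id": "R1", "created": date(1996, 3, 1),
     "text": "Policyholder SSN 123-45-6789, card 4111 1111 1111 1111"},
    {"id": "R2", "created": date(2004, 11, 15),
     "text": "Order 4111-1111-1111-1112, phone 555-123-4567, ref 000-12-3456"},
    {"id": "R3", "created": date(2005, 1, 5),
     "text": "Claim note: no identifiers recorded"},
]


def inventory(records, today=date(2005, 5, 16), retention_years=7):
    """Per-record report: PII found, whether encryption at rest is
    required, and whether the record is past its retention period."""
    stale = set(stale_records(records, today, retention_years))
    report = {}
    for r in records:
        hits = find_pii(r["text"])
        report[r["id"]] = {
            "pii": hits,
            "needs_encryption": bool(hits),
            "past_retention": r["id"] in stale,
        }
    return report


if __name__ == "__main__":
    for rid, info in inventory(RECORDS).items():
        print(rid, info)
```

On the sample data only R1 carries real identifiers (a plausible SSN and a Luhn-valid card number) and it is also the record past retention, so it is both the one that needs encryption and the one that should already have been disposed of; R2 contains three digit strings that look like identifiers but fail validation, which is the kind of noise a naive regex sweep would report.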
16
Thank You