Privacy, Security and Reality
Page 1
Copyright © 2006 Quest Software
Privacy, Security and Reality
Paul Christman
National Sales Director, Public Sector
Page 2
“Veterans Angered By Scandal”
• Department of Veterans Affairs reports the personal records of 26.5 MILLION veterans were compromised
• An employee routinely took these records home on his laptop for work purposes
• His laptop was stolen during a burglary
– Identity theft was probably not the thief’s objective
• VA upper management was not notified for two weeks
• High level resignations
• $2,000 laptop theft will cost $100,000,000+ to remedy
Source: Washington Post, May 2006
Page 3
Was this a breach of Security or Privacy?
Page 4
More than 104,405,000 privacy breaches have been reported since the ChoicePoint incident on February 15, 2005
Source: Privacy Rights Clearinghouse, www.privacyrights.org
Page 5
19,420 breach of privacy grievances have been filed with the Federal Government since HIPAA regulations went into effect 36 months ago.
Source: Washington Post, June 5, 2006
Page 6
3,000,000 DNA “fingerprints” are on file with the FBI
80,000 new records are added every month
Every newborn child could be added to this database
Source: Washington Post, June 5, 2006
Page 7
PA Senate Bill 712: The Breach of Personal Information Notification Act
“Breach of the security of the system” is defined as:
“The unauthorized access and acquisition of computerized data that MATERIALLY compromises the security or confidentiality of personal information maintained by the entity...”
Source: General Assembly of Pennsylvania, December 6, 2005
Page 8
Privacy
• Access to information only as needed to conduct an authorized transaction
• Privacy may be voluntarily sacrificed in exchange for perceived benefits.
• Unfortunately, privacy is becoming the exception rather than the rule
• Privacy deals with the use of data
Page 9
Security
• The control of access to a resource
– Physical: facilities, paper records and machines that hold electronic records
– Electronic: control of the data files regardless of physical access
• Appropriate access by authorized individuals
– Who decides “appropriate” and “authorized”?
• Security deals with the control of data
Page 10
Why Identities are Compromised (number of records affected)
• Document Theft: 6,000
• Exposed Online: 3,073,463
• Dishonest Insider: 19,077,925
• Stolen or Lost Hardware/Tape: 65,444,764
• Hackers/Identity Thieves: 43,303,499
Source: Privacy Rights Clearinghouse, www.privacyrights.org
Page 11
PA LAW: Affected Individuals and Businesses Must be NOTIFIED by the keepers of the Data
• Would you know if there was a breach?
• How would you know what was accessed?
• Could you determine if data was encrypted or not?
• Could you figure out who breached the system?
• Would you know who to notify?
Page 12
The first step to getting better is admitting that you have a problem…
Page 13
12 Steps to Wellness
1. Install and maintain a firewall to protect data
2. Do not use vendor-supplied defaults for passwords or security configurations
3. Protect stored data
4. Encrypt transmission of data across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to sensitive or privileged data
10. Track and monitor all access to network resources and data
11. Regularly test security systems and procedures
12. Maintain a policy that addresses information security
Source: Payment Card Industry Data Security Standard, December 2004
Page 14
#8: Assign a Unique ID to each person
• This ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users
• Implies “role based” access and regular activity reporting
• Roles may need to be changed in times of emergency
• This can be done with current technology
Page 15
#8: Assign a Unique ID to each person
• Identify all users with a unique username before granting access
• Employ passwords, tokens or biometrics in addition to unique identification to authenticate all users
• Implement two-factor authentication for remote access
• Encrypt passwords in transmission and storage
• Create authentication and password management for all users and administrators on all system components
– Verify user identity prior to password resets
– Control the provisioning and de-provisioning of users
– Remove inactive user accounts every 90 days
– Limit repeated access attempts and revoke access after x tries
– Password-controlled screen savers
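The account-hygiene rules on this slide (de-provision accounts idle for 90 days, limit repeated access attempts and revoke access after a set number of tries) are easy to state and easy to get subtly wrong at the boundary. The following is an added example, not code from the presentation or from Quest Software: it implements both rules over a constructed set of accounts. The usernames, dates and the lockout threshold of 5 (the slide only says "x tries") are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds from the slide; the failure count is an assumed value ("x tries").
MAX_INACTIVE_DAYS = 90
MAX_FAILED_ATTEMPTS = 5


@dataclass
class Account:
    username: str           # one unique ID per person, never a shared login
    last_login: datetime
    enabled: bool = True
    failed_attempts: int = 0


def stale_accounts(accounts, now, max_inactive_days=MAX_INACTIVE_DAYS):
    """Usernames of enabled accounts with no login inside the inactivity window.
    An account exactly at the boundary (90 days) is still considered active;
    91 days and older is stale."""
    cutoff = now - timedelta(days=max_inactive_days)
    return sorted(a.username for a in accounts if a.enabled and a.last_login < cutoff)


def disable_stale(accounts, now, max_inactive_days=MAX_INACTIVE_DAYS):
    """De-provision stale accounts in place and return the usernames disabled,
    so the change can be written to the audit trail."""
    stale = set(stale_accounts(accounts, now, max_inactive_days))
    for account in accounts:
        if account.username in stale:
            account.enabled = False
    return sorted(stale)


def record_login_attempt(account, success, max_failed=MAX_FAILED_ATTEMPTS):
    """Apply the lockout rule. Returns 'ok', 'denied' or 'locked'.
    A success resets the counter; each failure increments it; reaching the
    threshold revokes access until an administrator re-enables the account."""
    if not account.enabled:
        return "locked"          # revoked or de-provisioned: no further attempts count
    if success:
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= max_failed:
        account.enabled = False
        return "locked"
    return "denied"


def sample_accounts():
    """Constructed sample data (assumed names and dates, not from the deck)."""
    now = datetime(2006, 6, 1)
    return now, [
        Account("jdoe", now - timedelta(days=3)),
        Account("contractor7", now - timedelta(days=120)),
        Account("svc_backup", now - timedelta(days=91)),
        Account("asmith", now - timedelta(days=89)),
    ]


def demo():
    """Run the 90-day sweep, then drive one account into lockout."""
    now, accounts = sample_accounts()
    disabled = disable_stale(accounts, now)
    outcomes = [record_login_attempt(accounts[0], False) for _ in range(MAX_FAILED_ATTEMPTS)]
    return disabled, outcomes


if __name__ == "__main__":
    print(demo())
```

Note the ordering: the inactivity sweep runs before any attempt counting, and a disabled account reports "locked" even on a correct password, which is what "revoke access" means in practice; re-enabling is a separate, identity-verified administrative action (the slide's "verify user identity prior to password resets").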
Page 16
#10: Regularly Monitor and Test Networks
• Link all access to system components to an individual user – no generic shared administrator IDs
• Implement audit trails to trap/report suspicious activities
• Secure the audit logs so they can be proven to be accurate and un-altered
• Review logs daily for suspicious activities
• Retain logs for the appropriate length of time to satisfy internal and external requirements
– Usually at least 1 year of activity with last 90 days available online
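The slide asks for three things a reviewer rarely sees wired together: an audit log that can be proven unaltered, a daily review for suspicious activity (including use of generic shared IDs, which the first bullet forbids), and tiered retention with the last 90 days online and at least a year kept. The following is an added example, not code from the presentation or from Quest Software. It chains each log record to its predecessor with SHA-256 so that any edit or deletion is detectable, then runs a simple review and a retention split over a constructed set of events; the user names, actions, timestamps and the "3 failed logins" review threshold are assumptions.

```python
import hashlib
import json
from collections import Counter
from datetime import datetime, timedelta

GENESIS = "0" * 64                      # anchor for the first record's hash
GENERIC_IDS = {"admin", "administrator", "root"}   # assumed list of shared IDs to flag


def entry_hash(prev_hash, entry):
    """Hash of a record bound to the hash before it (canonical JSON so field order is irrelevant)."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_entry(chain, entry):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"entry": entry, "hash": entry_hash(prev, entry)})
    return chain


def verify_chain(chain):
    """Return (True, None) if every record matches its stored hash, else (False, index).
    Changing or deleting a record invalidates that position and everything after it."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["hash"] != entry_hash(prev, rec["entry"]):
            return False, i
        prev = rec["hash"]
    return True, None


def suspicious_events(chain, max_failures=3):
    """The daily review: repeated failed logins per user, and any use of a generic shared ID."""
    failures = Counter(r["entry"]["user"] for r in chain if r["entry"]["action"] == "login_failed")
    findings = [f"{u}: {n} failed logins" for u, n in failures.items() if n >= max_failures]
    findings += [f"{u}: generic shared ID used" for u in sorted({r["entry"]["user"] for r in chain} & GENERIC_IDS)]
    return sorted(findings)


def retention_buckets(chain, now, online_days=90, retain_days=365):
    """Split records into online (last 90 days), archived (up to the retention period) and expired."""
    buckets = {"online": 0, "archive": 0, "expired": 0}
    for rec in chain:
        age = (now - datetime.fromisoformat(rec["entry"]["ts"])).days
        key = "online" if age <= online_days else "archive" if age <= retain_days else "expired"
        buckets[key] += 1
    return buckets


def build_sample_chain():
    """Constructed sample events (assumed users, actions and times, not from the deck)."""
    base = datetime(2006, 6, 1, 8, 0)
    events = [
        ("jdoe", "login_failed", base - timedelta(days=400)),
        ("jdoe", "login_ok", base - timedelta(days=200)),
        ("admin", "login_ok", base - timedelta(days=30)),
        ("bsmith", "login_failed", base - timedelta(hours=3)),
        ("bsmith", "login_failed", base - timedelta(hours=2)),
        ("bsmith", "login_failed", base - timedelta(hours=1)),
        ("bsmith", "read_record", base),
    ]
    chain = []
    for user, action, ts in events:
        append_entry(chain, {"user": user, "action": action, "ts": ts.isoformat()})
    return chain


def demo():
    chain = build_sample_chain()
    intact = verify_chain(chain)
    findings = suspicious_events(chain)
    buckets = retention_buckets(chain, datetime(2006, 6, 1, 8, 0))
    chain[3]["entry"]["action"] = "login_ok"       # someone rewrites a failure as a success
    tampered = verify_chain(chain)
    return intact, findings, buckets, tampered


if __name__ == "__main__":
    print(demo())
```

The chain only proves that records have not been altered since they were hashed; to make it proof against an attacker who controls the log host, the latest hash must be periodically written somewhere that host cannot change (a separate log server, a signed ticket, or printed paper), which is the "secure the audit logs" bullet rather than something the code alone can deliver.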
Page 17
NASCIO Best Practices
• Have an Incident Response Plan!
– 35% of CIOs have had a security or privacy breach
– 25% do not have a response plan; 41% have a plan; 34% don’t know
• Every project must have a privacy review, impact statement & incident response plan with threshold triggers
• Set clear expectations of privacy (or not) when anyone provides data inbound or outbound
• Investigate your “partners” to determine their security and privacy standards – you are accountable for them!
• THINK AHEAD: Pay now or 10x later
Page 18
Data Flows Very Quickly!
Page 19
The links in the chain
• Privacy requires Security
• Security requires Control
• Control requires Authentication
Where is your weakest link?
Page 20
Reference Materials
NASCIO: www.nascio.org or [email protected]
For a complete list of federal and state privacy and security regulations
IAPP: www.privacyassociation.org
International Assoc. of Privacy Professionals
PA PowerPort privacy policy: www.state.pa.us/papower/cwp/view.asp?a=3&q=414879
Contact Brenda Orth at [email protected]
Quest Software solutions for IdM and Compliance: http://www.quest.com/quest_solutions/
Page 21
Discussion and Questions
Paul Christman
National Sales Director, Public Sector