Information Management: Privacy & Security in the Work Place Today
Peter R. Gee, CCP, I.S.P., ITCP
Senior Consultant, xwave
3 Dec 2009
Agenda
• Information Management and Security
• Security
  • Requirements and responsibilities
  • Standards
  • The Information Security “story”
• Personal Privacy
  • A component of Security Management
  • PIPEDA
Why Security at an Information Management Seminar??
Proposition: today staff are often disconnected from why their employer wants things done a certain way on this topic. (Shawn Johnson)
Is this because the corporate IT landscape is changing, FAST??
• Accelerating corporate database growth
• Increasing number of applications
• Growth of unstructured data (e.g. email)
• Increasing Web presence
• Increasing sophistication of attacks on high-value information assets
• Virtualization of IT hardware and services
Why Security at an Information Management Seminar??
And……corporate governance standards are evolving to meet these needs:
• Beefed-up corporate security policies, including individual “sign-up” by each employee
• Increased focus on risk management
• Post-Enron regulatory requirements (e.g. SOX)
And……IT security tools have matured:
• Lower license costs have boosted the adoption rate
• Security-related skill sets are readily available
• Outsourcing is available for some functions
The result: security takes a much larger role in IT.
Why Security at an Information Management Seminar??
But……change management sometimes takes a back seat to implementation:
• The timeframe for threat response may be short
• Information Security is not a destination but a journey
• As with most changing environments, understanding always helps
• A “cultural” approach will go a long way toward addressing the sense of “disconnection”
What Should Management Do?
It is the responsibility of senior management to:
• Clarify what data should be protected
• Decide how sensitive this information is
• Budget for the protection of the different types of data
• Determine how much risk the organization is willing to accept
• Implement business processes to regularly monitor and improve
• Assign responsibility for this to appropriate senior staff
What Should IT Do?
The IT department can then decide on the best way to provide the necessary security:
• Work with management to inventory the corporate information assets and develop the security policy
• Stay informed of breaking issues
• Develop and maintain security management capabilities (in-house or contract resources)
• Participate in security audits
It is advisable to concentrate responsibility for the security of information in all forms, printed and electronic, under a single management structure.
What Can You Do?
Once an information security system has been established, organizational culture is a critical factor in ensuring that individual employees pay attention to the information security policies and implement the procedures:
• Become aware of the information assets that cross your desk
• Each time you forward corporate information to someone, ask yourself whether there are any security risks
• Speak up if you see evidence of security breaches
• Provide feedback to IT to assist the ongoing management of Information Security
Information Security is everyone’s business!!
What is “Security & Privacy”?
“Information Security” relates to the information “owned” by an organisation. Traditionally it has had three components:
• Confidentiality. Controlled access to information. Confidentiality of personally identifiable information is also a Privacy concern.
• Integrity. Ensuring that information can be relied upon to be sufficiently accurate for its purpose.
• Availability. Assurance that information is accessible when needed.
What Else is “Security”?
It has been suggested recently that these components should be reviewed completely, or that at least two more should be added:
• Accountability. Someone is personally accountable and responsible for the protection of information assets.
• Auditability. The ability to explain changes to information “state”, and ongoing audit tests.
Information Security Standards
ISO/IEC 27001 (ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems -- Requirements), commonly known as “ISO 27001”:
• Published in 2005
• Formally specifies a management system that is intended to bring information security under explicit management control
• Mandates specific requirements, so organizations that claim to have adopted ISO/IEC 27001 can be formally audited and certified compliant
• Management systematically examines the organization’s information security risks, taking account of the threats, vulnerabilities and impacts
• Requires a comprehensive suite of information security controls and/or other forms of risk treatment (e.g. risk avoidance, risk transfer)
• Requires a management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis
What is “Information Security”?
Information security is exactly what it says: the security of information. Typically, this is the information that you or an organisation “own” and process. Applying security to information is analogous to applying security to any physical asset, like your home or car:
• You need to have someone responsible for your car or home (you), so that this person can set the level of security required;
• If you have two homes or cars, which one do you spend more on protecting (risk assessment)? Or, if you have only one, what level of protection do you set (risk assessment)?
• If you get burgled, how do you know what is missing from your house or car (asset register)?
What is “Information Security”? (cont)
• If you are going to have staff or third parties work on your car or in your house (perhaps you run a business or work from home?), then how do you select them, and what protection do you need to have in place (personnel and contract security)?
• What level of physical security, in terms of locks and bolts or maybe alarms, do you need to have in place, including their infrastructure (physical security)?
• If you had a computer at home that is used by the family, then you need to ensure that it is all working properly and that it is properly managed and maintained, with such things as backups etc. (communications and operations management);
What is “Information Security”? (cont)
• If you work from home, then you may not want all of the family to view your work, or you may need to ensure, as a responsible parent, that your children are protected from adult or inappropriate content on the internet (access control);
• If, like many people, you do some programming, then you will want to properly test the code before putting it live on the system. You may also need to ensure that, if you are testing software, there is appropriate security in place and that you don’t break the law (system development and maintenance);
• If your car is stolen, what fallback do you have to allow you to travel as if you still had your car (fallback planning)?
• When running your car or maintaining your house, what legal or regulatory aspects do you need to take note of, and how can you prove that you are complying with them (legislative and regulatory compliance)?
Personal Privacy Personal Information Protection and Electronic Documents Act (PIPEDA) : An Overview of the Privacy Legislation
Overview
• PIPEDA brings Canada into line with other jurisdictions’ privacy laws
• The Act has applied to all businesses and organizations in Canada since January 1, 2004
  • Except where provincial legislation is deemed “substantially similar”
• What is privacy and why is it important?
• PIPEDA
  • Overview
  • Are you prepared for the Act?
  • Role of the Privacy Commissioner of Canada
What is Privacy?
• The Office of the Privacy Commissioner of Canada defines the right to privacy as:
  “The right to control access to one’s person and information about oneself.”
• This falls under the “Confidentiality” component of Information Security
Why is Privacy Important?
• The choices that businesses and individuals make with respect to privacy influence our business environment
• It promotes trust among all business stakeholders
• It is a competitive advantage, since people tend to do business with those they trust
• Good customer relations
• Besides, it’s the Law!!
What is PIPEDA?
• Legislation implemented by the federal government to protect the privacy of Canadians in the private sector
• Sets out ground rules for the collection, use and disclosure of personal information in the course of commercial activities
Who is Covered?
• The Act has applied to all businesses and organizations in NB since January 1, 2004.
Personal Information
• Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form.
• Personal information does not include the name, title, business address or telephone number of an employee of an organization.
Employee vs. Customer Information
• The Act applies to all commercial activities
• The Act does not extend to employment unless the organization is a federal work, undertaking or business
• Provincial laws govern the treatment of employee information
Compliance With the Act?
• Have you reviewed your privacy practices?
• Have you appointed your Chief Privacy Officer?
• Have you consulted the Privacy Commissioner’s office?
Role of the Privacy Commissioner
• Oversight
  • Investigates complaints under the Privacy Act and PIPEDA
  • Negotiates and persuades to find solutions
  • Makes recommendations based on findings
Role of the Privacy Commissioner (cont’d)
• Brings privacy issues to the attention of Parliament
• Public Education
  • Educates Canadians about their privacy rights and promotes respect for privacy
Questions and Follow-up??
• This presentation will be published on your website (there are no confidentiality concerns)
• Non-technical sources of information on Information Security may be found
• Find out who is responsible for Information Security at your workplace and take them to lunch!
Thank You!