Privacy, Security and Reality Paul Christman National Sales Director, Public Sector Paul.Christman@quest.com
“Veterans Angered By Scandal”
• Department of Veterans Affairs reports the personal records of 26.5 MILLION veterans were compromised
• An employee routinely took these records home on his laptop for work purposes
• His laptop was stolen during a burglary
• Identity theft was probably not the thief’s objective
• VA upper management was not notified for two weeks
• High level resignations
• $2,000 laptop theft will cost $100,000,000+ to remedy
Source: Washington Post, May 2006
More than 104,405,000 privacy breaches have been reported since the ChoicePoint incident on February 15, 2005.
Source: Privacy Rights Clearinghouse, www.privacyrights.org
19,420 breach of privacy grievances have been filed with the Federal Government since HIPAA regulations went into effect 36 months ago.
Source: Washington Post, June 5, 2006
3,000,000 DNA “fingerprints” are on file with the FBI. 80,000 new records are added every month. Every newborn child could be added to this database.
Source: Washington Post, June 5, 2006
PA Senate Bill 712: The Breach of Personal Information Notification Act
“Breach of the security of the system” is defined as: “The unauthorized access and acquisition of computerized data that MATERIALLY compromises the security or confidentiality of personal information maintained by the entity...”
Source: General Assembly of Pennsylvania, December 6, 2005
Privacy
• Access to information only as needed to conduct an authorized transaction
• Privacy may be voluntarily sacrificed in exchange for perceived benefits
• Unfortunately, privacy is becoming the exception rather than the rule
• Privacy deals with the use of data
Security
• The control of access to a resource
• Physical: facilities, paper records and machines that hold electronic records
• Electronic: control of the data files regardless of physical access
• Appropriate access by authorized individuals
• Who decides “appropriate” and “authorized”?
• Security deals with the control of data
Why Identities are Compromised
• Stolen or Lost Hardware/Tape: 65,444,764
• Hackers/Identity Thieves: 43,303,499
• Dishonest Insider: 19,077,925
• Exposed Online: 3,073,463
• Document Theft: 6,000
Source: Privacy Rights Clearinghouse, www.privacyrights.org
PA LAW: Affected Individuals and Businesses Must be NOTIFIED by the keepers of the Data
• Would you know if there was a breach?
• How would you know what was accessed?
• Could you determine if data was encrypted or not?
• Could you figure out who breached the system?
• Would you know who to notify?
The first step to getting better is admitting that you have a problem…
12 Steps to Wellness
• Install and maintain a firewall to protect data
• Do not use vendor-supplied defaults for passwords or security configurations
• Protect stored data
• Encrypt transmission of data across public networks
• Use and regularly update anti-virus software
• Develop and maintain secure systems and applications
• Restrict access to data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to sensitive or privileged data
• Track and monitor all access to network resources and data
• Regularly test security systems and procedures
• Maintain a policy that addresses information security
Source: Payment Card Industry Data Security Standard, December 2004
#8: Assign a Unique ID to each person
• This ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users
• Implies “role based” access and regular activity reporting
• Roles may need to be changed in times of emergency
• This can be done with current technology
#8: Assign a Unique ID to each person
• Identify all users with a unique username before granting access
• Employ passwords, tokens or biometrics in addition to unique identification to authenticate all users
• Implement 2-factor authentication for remote access
• Encrypt passwords in transmission and storage
• Create authentication and password management for all users and administrators on all system components
• Verify user identity prior to password resets
• Control the provisioning and de-provisioning of users
• Remove inactive user accounts every 90 days
• Limit repeated access attempts and revoke access after x tries
• Password-controlled screen savers
#10: Regularly Monitor and Test Networks
• Link all access to system components to an individual user – no generic shared administrator IDs
• Implement audit trails to trap/report suspicious activities
• Secure the audit logs so they can be proven to be accurate and un-altered
• Review logs daily for suspicious activities
• Retain logs for the appropriate length of time to satisfy internal and external requirements
• Usually at least 1 year of activity with last 90 days available online
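The #8 and #10 checklist items above (remove accounts inactive for 90 days, revoke access after x failed tries, no generic shared administrator IDs, review logs daily) can be turned into a routine log review. The script below is an added example and not part of the deck or any Quest product; the log format, the sample events and the GENERIC_IDS list are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample audit log: one "timestamp user outcome" event per line.
SAMPLE_LOG = """\
2006-05-01T08:00:00 jsmith SUCCESS
2006-05-02T09:15:00 admin SUCCESS
2006-05-20T09:15:00 mjones SUCCESS
2006-06-01T10:00:00 jsmith SUCCESS
2006-06-01T10:01:00 bwhite FAIL
2006-06-01T10:02:00 bwhite FAIL
2006-06-01T10:03:00 bwhite FAIL
2006-06-01T10:04:00 bwhite FAIL
2006-06-01T10:05:00 bwhite FAIL
2006-06-01T10:06:00 bwhite FAIL
2006-08-28T08:00:00 jsmith SUCCESS
2006-08-29T08:00:00 root SUCCESS
"""

# Assumed list of generic/shared IDs that #10 says should not be used.
GENERIC_IDS = {"admin", "root", "administrator"}


def parse_log(text):
    """Parse 'timestamp user outcome' lines into (datetime, user, outcome)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, outcome))
    return events


def review_log(text, as_of_iso, inactive_days=90, max_failures=5):
    """Flag inactive accounts (#8), lockout candidates (#8) and shared IDs (#10)."""
    events = parse_log(text)
    as_of = datetime.fromisoformat(as_of_iso)
    last_success = {}
    failures = Counter()
    for ts, user, outcome in events:
        if outcome == "SUCCESS":
            last_success[user] = max(last_success.get(user, ts), ts)
        else:
            failures[user] += 1
    cutoff = as_of - timedelta(days=inactive_days)
    inactive = sorted(u for u, t in last_success.items() if t < cutoff)
    lockout = sorted(u for u, n in failures.items() if n > max_failures)
    generic = sorted({u for _, u, _ in events if u in GENERIC_IDS})
    return {"inactive": inactive, "lockout": lockout, "generic_ids": generic}
```

Run daily against the previous day's log and the findings feed the de-provisioning and lockout steps the checklist calls for.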
NASCIO Best Practices
• Have an Incident Response Plan!
• 35% of CIOs have had a security or privacy breach
• 25% do not have a response plan; 41% have a plan; 34% don’t know
• Every project must have a privacy review, impact statement & incident response plan with threshold triggers
• Set clear expectations of privacy (or not) when anyone provides data inbound or outbound
• Investigate your “partners” to determine their security and privacy standards – you are accountable for them!
• THINK AHEAD: Pay now or 10x later
The links in the chain
• Privacy requires Security
• Security requires Control
• Control requires Authentication
Where is your weakest link?
Reference Materials
• NASCIO: www.nascio.org or nascio_privacy@listserv.amrms.com (for a complete list of federal and state privacy and security regulations)
• IAPP: www.privacyassociation.org (International Assoc. of Privacy Professionals)
• PA PowerPort privacy policy: www.state.pa.us/papower/cwp/view.asp?a=3&q=414879 (contact Brenda Orth at borth@state.pa.us)
• Quest Software solutions for IdM and Compliance: http://www.quest.com/quest_solutions/
Discussion and Questions Paul Christman National Sales Director, Public Sector Paul.Christman@quest.com