130 likes | 265 Views
Open Data Security Considerations. Terminology: Information Systems Security Specialists Tend to Think About Privacy and Security As Follows. Privacy –
E N D
Terminology:Information Systems Security Specialists Tend to Think About Privacy and Security As Follows Privacy – the legal rights of an individual or entity to control the acquisition, storage, distribution and use of information about themselves/itself Privacy, defined in this context, warrants the confidentiality and level of information privacy available for use by an application, system, process, or other individual/entity
Terminology:Information Systems Security Specialists Tend to Think About Privacy and Security (Continued) Information Systems Security – The ability to achieve specified levels of Confidentiality (privacy), Integrity, and Availability (CIA) as a means of protecting individuals and entities from unauthorized access or use of information technology resources (ITRs) (e.g., data, hardware, software, and transmission media) Security, defined in this context is the means of implementing privacy protection controls, available to or on behalf of individuals and entities
Terminology:Information Systems Security Specialists Tend to Think About Privacy and Security (Continued) But, it is more…. Security is also a way of demonstrating that systems and applications have been sufficiently protected to achieve pre-specified levels of CIA… irrespective of whether they process public or sensitive data
Assurance that the information is made publicly accessible in compliance with applicable privacy, confidentiality, and other relevant legal requirements Affirmatively defined in conformance with public disclosure laws such as the Massachusetts Public Records Law and with consideration to Enterprise Information Security Standards: Data Classification 1 1 http://www.mass.gov/Eoaf/docs/itd/policies_standards/DCStandardsDraftFD.rtf Massachusetts Open Data Initiative Confidentiality (Privacy) Requirements
1 2 3 1 Computerworld: Open government could lead to data leaks; Experts say standards are needed to avoid exposure of sensitive information, by Jaikumar Vijayan - June 15, 2009 12:01 AM ET http://www.computerworld.com/s/article/340078/Open_Government_Could_Lead_to_Data_Leaks http://www.computerworld.com/s/article/9133921/U.S._mistakenly_posts_list_of_civilian_nuke_sites_ http://www.latimes.com/news/nation-and-world/la-na-tsa9-2009dec09,0,6418033.story 2 3 Data Confidentiality (Privacy) Controls must mean more than a policy “When data previously available from a few hundred government sources suddenly starts becoming available via thousands of Web sites — including widely used social networks like Facebook and MySpace — there need to be controls in place to protect against inadvertent leaks “ “U.S. mistakenly posts list of civilian nuke sites ” “TSA investigates online posting of airport screening procedures ”
Assurance that the information as well as the information technology resources (ITRs), (I.e., data, hardware, software, and transmission media) are protected against unauthorized access or use (I.e., modification) “State government data must be up to date, accurate, credible, reliable, appropriate, secure and complete. That is, the quality of data presented on a state data.gov portal will be assured.” 1 1 “A call to Action for State Government: Guidance for Opening the Doors to State Data” http://www.nascio.org/publications/documents/NASCIO-DataTransparency.pdf Massachusetts Open Data Initiative Integrity (Reliability) Requirements
Massachusetts Open Data Initiative Availability (Presence) Requirements Assurance that information as well as the ITRs are protected against unplanned and/or unauthorized service outage, disruption, or degradation information obtainable and accessible to authorized users in accordance with specified service level objectives
Security Controls Most Vulnerable at the Application(s) Layer(s) “If an organization isn't taking a systematic and proactive approach to web security, and to running a web application vulnerability assessment in particular, then that organization isn't defended against the most rapidly increasing class of attacks.” “Gartner estimates that 75 percent of attacks on web security today are aimed straight at the application layer.” Web Application Vulnerability Assessment Essentials http://www.developerfusion.com/article/6845/web-application-vulnerability-assessment-essentials/
Security Controls Vulnerable at Other Layer(s) Too 1 The Top Cyber Security Risks 1 September 2009, SANS Top 20 Vulnerabilities http://www.sans.org/top-cyber-security-risks/?ref=top20#trends
Deliver Secure Open Data And We Can Help • Information Security Policies • Vulnerability Scanning & Penetration Testing • Configuration Management • Patch Management • Anti-Malware Deployment • Event Monitoring • Compliance Assurance • Managing these three areas alone can account for 90% of a community’s security posture.
1 “A call to Action for State Government: Guidance for Opening the Doors to State Data” http://www.nascio.org/publications/documents/NASCIO-DataTransparency.pdf http://www.wired.com/politics/security/commentary/securitymatters/2007/12/securitymatters_1213 2 ‘Why 'Anonymous' Data Sometimes Isn't ” 2 “With the proliferation of data, what collisions will occur as more sophisticated analysis methods emerge? What new correlations and multi-variant analysis may actually pierce the privacy and security barriers?” 1 In 2006, Netflix published 10 million movie rankings by 500,000 customers, as part of a movie reference challenge. Two researchers at the University of Texas at Austin, de-anonymized some of the Netflix data by comparing rankings and timestamps with publicinformation in the Internet Movie Database, or IMDb. 2
Security Considerations Checklist The dataowner has affirmed the following: • Publicly accessible use of the information is in conformance with Massachusetts Public Records Law and applicable privacy, confidentiality, and/or other relevant legal requirements. • The information has been accurately classified and labeled. • The information is protected against unauthorized access or use (I.e., prevent unauthorized modification to the data) • Information Technology Resources (ITRs; data, hardware, software, transmission media) used to present the information cannot be used to gain unauthorized access to other internal systems or data. • The information, as well as the ITRs, are protected against unplanned and/or unauthorized service disruption