
Protecting Privacy and Securing Information: National Administrative Staff College

Learn about the basics of information security and the importance of an information security policy. Discover the life cycle of an information security policy and how to gather information and conduct a gap analysis. Develop an effective policy to safeguard sensitive data.


Presentation Transcript


  1. Protection of Privacy and Life Cycle of Information Security Policy
  National Administrative Staff College
  Bimal Pratap Shah

  2. Information: Basic Concepts
  • The result of mental activity
  • In ICT, the result of processing, manipulating, and organizing data
  • In information security (IS), information is defined as an asset: something that has value and thus should be protected

  3. Data Breach
  • Data breaches are among the most common and costly security failures in organizations of any size.
  • In fact, studies show that companies are attacked an average of 16,856 times a year, and that many of those attacks result in a quantifiable data breach.
  • And with today's data moving freely between corporate networks, mobile devices, and the cloud, data breach statistics show this disturbing trend is rapidly accelerating.

  4. Types of Attacks
  • Hacking
  • Denial of Service Attack
  • Malicious Code
  • Social Engineering

  5. What is Information Security (IS)?
  In response to attempts to obtain information illegally, people are making an effort to prevent information-related crimes or to minimize the damage such crimes can cause.

  6. Information Security Policy
  A set of policies issued by an organization to ensure that all information technology users within the domain of the organization or its networks comply with rules and guidelines related to the security of the information stored digitally at any point in the network or within the organization's boundaries of authority.
  “The policy provides the framework for government organizations to establish local policies and procedures necessary for the protection of information and technology assets for the Province of British Columbia.” - Information Security Policy, Government of British Columbia, Canada

  7. Life Cycle of Information Security Policy
  • As with other policies, the life cycle of an information security policy can be divided into four phases:
    • Information gathering and gap analysis
    • Establishment of the policy
    • Implementation of the policy
    • Control and feedback

  8. Info Gathering and Gap Analysis
  • Information gathering
    • Review examples of information security and related policies from other countries and within the country
    • While reviewing, consider similarities in:
      • Level of national information security
      • Direction of policy establishment
      • Network and system infrastructure

  9. Info Gathering and Gap Analysis
  • Information Gathering
    • Materials to be collected:
      • Information security policies, laws and regulations
      • Internationally used IS methodology and examples from different countries
      • Threat trends and counter-measures or controls for attack types
      • Countermeasures for privacy protection
    • Domestic materials
      • Collect, analyze and evaluate all laws, regulations, and policies that are related or relevant to IS

  10. Info Gathering and Gap Analysis
  • Gap Analysis
    • Sun Tzu’s ‘The Art of War’ says, “Know your enemy”: know your limits as well as those of the enemy
    • What needs to be protected through an IS policy, and the vulnerabilities and threats to information security

  11. Info Gathering and Gap Analysis
  The main objective of ‘Gap Analysis’ is to be able to identify the practical countermeasures that need to be taken. It is also the most basic step in information security policymaking.

  12. Info Gathering and Gap Analysis
  • Gap Analysis
    • Can be divided into two phases:
    • Understanding the country's abilities and capacities
      • Policy makers need to be familiar with the information security organization and human resources.
      • Experts in information security should be identified and tapped.
      • Understand the current status of the information-communication infrastructure for information security.
    • Identifying the external threats
      • Understand these threats to be able to decide what countermeasures are necessary.
      • Understand the penetration rate of threats, the most common and current types, and threat types and their expected degree of strength.

  13. Formulating Information Security Policy
  • Formulating a national information security policy involves:
    • Setting the policy direction
    • Constituting the information security organization and defining its roles and responsibilities
    • Articulating the information security policy framework
    • Instituting and/or revising laws to make them consistent with the policy
    • Allocating a budget for information policy implementation

  14. Formulating Information Security Policy
  • Setting up Policy Direction
    • Should be spearheaded by the government
    • The government plays a lead role in putting the necessary infrastructure in place
    • The private sector joins to participate in R&D and system construction
    • The government should play a supportive role rather than a controlling one

  15. Formulating Information Security Policy
  • Constitution of the IS organization and definition of roles and responsibilities
  Once the direction of IS policy has been set, the implementing organization should be constituted:
  • Administrative organization
    • Division Vice Presidents
    • Supervisors
    • Chief IS Officer
  • Technical Organization
    • Administrative System IS Teams
    • IT Service Departments
    • Systems Development and Maintenance
    • Consultants

  16. Setting up Framework for IS Policy
  • Information Security Framework: sets the parameters for IS policy. Ensures that the policy:
    • Takes into account IT resources
    • Reflects international laws and regulations
    • Meets the principles of information availability, confidentiality, integrity, accountability and assurance
  • The IS policy is the most important part of the information security framework. The policy includes five areas.

  17. Setting up Framework for IS Policy
  • Plan and Organization
    • Security of organization and operation
      • Organization and system of the national IS organization
      • Procedure of each IS organization
      • Constitution and management of the nation’s information security
      • Cooperation with the relevant international agency
      • Cooperation with expert group
    • Asset classification and control
      • Registration instruction and risk assessment of important assets
      • Management of access privileges
      • Security management of documents

  18. Setting up Framework for IS Policy
  • Acquisition and implementation
    • Human resources security involves defining a management method for hiring new employees
      • HR security countermeasures and security training
    • Security management of computer room and equipment
      • Access to main facilities and buildings
    • Information systems acquisition and development security
      • Security checks when an information system is acquired
      • A national encryption system
      • Suggested security requirements when outsourcing development

  19. Setting up Framework for IS Policy
  • Privacy Protection
    • The inclusion of privacy protection in an information security policy is NOT mandatory
    • It is advisable to include privacy, as privacy protection is an international issue. The provisions should cover the following:
      • Personal information collection and use
      • Prior consent when taking advantage of people’s privacy

  20. Setting up Framework for IS Policy
  • Operation and support: this area has to do with physical and technical security
    • Information system operation and security management
      • Operation and security management of servers, networks, etc.
      • Information storage management
    • Account privilege security management
      • Registration, deletion, and privilege management of users
    • Physical security
      • Prevention of damage from natural and other disasters

  21. Setting up Framework for IS Policy
  • Monitoring and Assessment
    • This area of information security policy requires the formulation of standards and processes for preventing security incidents and for managing and responding to security incidents
    • Security Inspection
      • Implementing periodic security inspection
    • Management of and response to security incidents requires defining:
      • Procedures for observing and recognizing symptoms of security incidents

  22. Setting up Framework for IS Policy
  • Instituting and/or revising laws to be consistent with the information security policy
    • Laws must be consistent with the information security policy
    • The law must be the fundamental standard for information security in the country, and all related laws need to conform to it

  23. Setting up Framework for IS Policy
  • Allocating Budget for Information Policy Implementation

  24. Policy Execution/Implementation
  • The smooth implementation of IS policy requires cooperation among government, the private sector and international agencies
  • The areas of cooperation:
    • Policy Development
    • ICT Infrastructure Protection
    • Incident Response
    • Accident Prevention
    • Privacy Protection
    • International Coordination

  25. Review and Evaluation of IS Policy
  • The final step in IS policymaking is evaluating the policy and supplementing underdeveloped areas.
  • Policy revision is essential after the efficiency of an IS policy has been determined
  • Regular audits of the national IS policy by an organization that is independent from the IS policymaking organization and the implementing organization
  • Responsive to changes in the environment

  26. Big data usually includes data sets with sizes beyond the ability of commonly used software tools to capture, curate, manage, and process the data within a tolerable elapsed time. Big data sizes are a constantly moving target, as of 2012 ranging from a few dozen terabytes to many petabytes of data in a single data set. – Wikipedia

  27. Privacy in the era of Big Data
  • We live in the age of Big Data
  • Data has become the raw material of production, a new source of immense economic and social value
  • Advances in data mining and analytics and the massive increase in computing power and data storage capacity have expanded, by orders of magnitude, the scope of information available to businesses, government, and individuals.
  • Data create enormous value for the global economy, driving innovation, productivity, efficiency, and growth
  • At the same time, the “data deluge” presents privacy concerns that could stir a regulatory backlash, dampening the data economy and stifling innovation.

  28. Privacy in the era of Big Data
  • In order to craft a balance between beneficial uses of data and the protection of individual privacy, policymakers must address some of the most fundamental concepts of privacy law, including the definition of “personally identifiable information,” the role of consent, and the principles of purpose limitation and data minimization.

  29. Big Data – Big Benefits
  • The uses of big data can be transformative, and the possible uses of the data can be difficult to anticipate at the time of initial collection.
  • Google Flu Trends, a service that predicts and locates outbreaks of the flu, makes use of information (aggregate search queries) not originally collected with this innovative application in mind.
  • Early detection of disease, when followed by rapid response, can reduce the impact of both seasonal and pandemic influenza.

  30. Big Data – Big Concerns
  • All data should be treated as personally identifiable and subjected to the regulatory framework.
  • A further pitfall is that with a vastly expanded definition of personally identifiable information, the privacy and data protection framework would become all but unworkable.
  • Policymakers should engage with this question, consider which activities are socially acceptable, and spell out the default norms accordingly.

  31. Opt-in or Opt-out
  • The principles of privacy and data protection must be balanced against additional societal values such as public health, national security and law enforcement, environmental protection, and economic efficiency.
  • When consumers see the term ‘privacy policy,’ they believe that their personal information will be protected in specific ways; in particular, they assume that a website that advertises a privacy policy will not share their personal information.

  32. Big Data
  Develop a model where the benefits of data for businesses and researchers are balanced against individual privacy rights.

  33. End Thanks
