480 likes | 498 Views
This article explores strategies for privacy and security in the workplace, including prevention, detection, and investigation of misuse, as well as the importance of establishing corporate policies and monitoring employee activities. It also discusses the potential risks and costs associated with non-work-related internet use.
E N D
Privacy and Security Yvonne Geibel Assistant Vice President of Human Resources AES April 23, 2007
Workplace E-mail and Internet Use: Protecting Employer and Employee
Information Security Strategy Prevention Detection Investigation Reporting
Prevention Corporate Policy Acceptable and Unacceptable Practices Employer and Employee Protection Monitoring Employees
Business Purpose for Monitoring Preventing Misuse of resources Preventing Lawsuits Protecting Records Protecting Company Assets
Establishing Ownership of Technology Reduces Expectation of Privacy Clarifies Employer’s Rights
Detection Reduce Risk Security Legal Protection Cost
Studies Show: 30 to 40 percent of employee Internet activity is non-work-related (IDC) 50% of respondents spent more than 10% of their work time surfing the Web for personal reasons, equals roughly four hours per week, or nearly nine days per year (SonicWALL) Misuse of the Internet in the workplace cost businesses $63 billion in lost productivity annually (Websense Inc.) More than 75% of respondents have accidentally visited pornographic Web sites at work. Sources for such accidents include popup windows (55%), misrepresented links (52%), misspelled URLs (48%), and e-mail autolinks (23%) (SonicWALL) 16% of respondents have knowingly surfed pornography sites at work. 40% have seen coworkers surf porn sites which, offended 68% of those respondents (SonicWALL) 91% of respondents have seen people shopping online (SonicWALL)
Investigation Security Officer Obtain Legal Advice Identify Course of Action Levels of Consequences Protect Employees
Reporting Security Breaches Actions Taken Shared and Reviewed by Appropriate Parties Effectiveness
Creating Effective Policies Be as detailed as possible If you say you are going to do it , then do it Policies must be enforceable
Closing Thoughts Employers have the right to and should decide how their property is used Include legal counsel and Human Resources Determine what makes the most business sense The risk of monitoring may be less than the risk of not monitoring
References Declan, C.L. & France, A.H.. Workplace monitoring balancing business interests with employee privacy rights. SHRM legal report. [Retrieved On-line 02/16/2007]. Available: http://www.shrm.org/hrresources/lrpt_published/CMS_005109.asp Wakefield, R.L. Computer monitoring and surveillance. The CPA Journal. [Retrieved On-line 02/16/2007]. Available: http://www.nysscpa.org/printversions/cpaj/2004/704/p52.htm Olsen, J.W. How to control employees’ internet use. InformationWeek. [October 27, 2005]. Retrieved On-line 02/16/2007]. Available: http:www.informationweek.com/story/showArticle.jhtml?articleID=172901080 Wakefield, R.L. Computer monitoring and surveillance. The CPA Journal. [Retrieved On-line 02/16/2007]. Available: http://www.nysscpa.org/printversions/cpaj/2004/704/p52.htm Muhl, C.J. Workplace e-mail and internet use: employees and employers beware. Monthly labor review. [February 2003]. Retrieved On-line 02/20/2007]. Available: http://findarticles.com/p/articles/mi_m1153/is_2_126/ai_100729675 Zeidner, R. An hour a day goes to cyberslacking, study says. HR technology forum [August 2005]. Retrieved On-line 02/16/2007]. Available: http//www.shrm.org/hrtx/library_published/nonIC/CMS_013758
Questions? Yvonne Geibel (717) 720-3475 ygeibel@aessuccess.org Thank You!
Privacy and Security Jody Angelini Vice President, Enterprise Security Office AES April 23, 2007
Assessment of what needs protection Procedures to manage and control risk Written Policies Periodic Risk Analysis Incident Response Plan Factors to consider: Probability, severity of potential risks Company size and capabilities Nature and scope of business activities Nature and sensitivity of information Company’s infrastructure Costs of security measures How to Develop A Security Program
Physical access Technical access (i.e. Internet) How breaches are detected Employee procedures, include laptops and telecommuting System modification Data integrity, confidentiality and storage Data destruction Audit controls Contingency plan Incident Response plan What Categories Should Security Measures Address?
Monitoring and Testing Periodic assessments of security measures Monitor compliance with security program Program Maintenance Review and Adjustments • Results of testing and monitoring • Material changes to business • Changes in technology • Changes in internal/external threats • Environmental or operational changes
Laptop Encryption Email Encryption Email Retention Email Quarantine Workstation Endpoint Device Blocker Network Forensics Tapes to Transmissions Contingency Plan Security Posture to Guard against unauthorized entities
Laptop Encryption • Every 12 seconds, a PC is lost or stolen — most with confidential or sensitive information. • Full hard disk encryption software encrypts your laptop's hard disk drive so data thieves cannot read your files. • By encrypting the entire drive this renders data completely undecipherable to unauthorized users. • Combine the security of full disk encryption with pre-boot authentication. • Pre-boot user authentication forces the laptop owner to provide credentials prior to the load of the operating system, guaranteeing a secure environment before Windows starts. • Easy administration from central console
Secures external email communication Mitigate the risks of legal liability Reduce the risk of security breaches Enforce email use policies Email Encryption
Liability – Must have an email retention policy that meets legal requirements. Security – An email policy is no longer enough. This policy must enlist the use of the latest technology to enforce security measures. Regulation – Many new government regulations are affecting how we must store and protect information, including email. Compliance – Capturing all messages in a tamper-proof, secure store, ensuring compliance obligations can be met. Discovery – Providing the ability to search across the entire store to find an email message or attachment to or from anyone in the organization, sent within or outside of that organization, ensuring discovery requests can be met. Archiving – Efficiently managing the storage of email data, and ensuring access to those messages important to the business. Email Retention
High-performance filtering appliance that blocks unwanted email Filters spam, viruses, and unwanted images Appliance is pre-configured default spam-stopping rules that are easily customized specifically for your organization. Email Quarantine
Provides organizations with the visibility they need to identify and effectively manage endpoint vulnerabilities. Current and historical audits -- reports all devices currently or previously connected to any endpoint Precise device identification -- gathers detailed device information, allowing tailoring of security policies to exact vulnerabilities Enforces security policies by blocking the use of any unauthorized hardware. Unauthorized hardware could be any device that would be plugged into your USB, PCMCIA, serial, or parallel ports Example: IPods, external hard drives, flash drives, digital cameras, and non company printers. In addition, CD-ROM and floppy drives are restricted to read-only. Workstation Endpoint Device Blocker
Allows you to respond rapidly to computer security breeches This system allows immediate ‘snapshots’ of the state of a computer to determine if a compromise has occurred. If needed, a forensically sound backup of the system can be made, that can be provided to law enforcement or investigators to assist in the incident response. With this system, you can guarantee that the evidence from a potential breech is collected in a professionally and legally sound manner, that is admissible in both civil and criminal proceeding More importantly, it allows you to conduct investigations into alleged abuse of computer systems, malicious software infections, and potential security incidents in an automated, efficient manner. Network Forensics
Federal law requires that organizations to take appropriate steps to protect Non-Public Personal Information (NPPI) and prevent its disclosure to unauthorized parties. With the threat of data theft and the demands of regulatory compliance, organizations should eliminate tape cartridges and CDs and move to secure file transmissions. NPPI is personally identifiable financial information that; (1) the customer or potential customer provides to organization; (2) results from any transaction with the customer or service we performed for the customer; or (3) is otherwise obtained by the organization. Tapes to Transmission
Is prepared by the organization to anticipate, react to, and recover from events that threaten the security of information and information assets in the organization, and subsequently, to restore the organization to normal modes of business operations. Incident Response Plan, Disaster Recovery Plan and Business Continuity Plan are subsets of the overall Contingency Plan. The IRP focuses on immediate response, but if the attack escalates or is disastrous (e.g., fire, flood, earthquake, or total blackout) the process moves on to disaster recovery and business continuity plans. The DRP typically focuses on restoring systems at the original site or an alternative site after disasters occur, and as such is closely associated with the BCP. The BCP occurs concurrently with DRP when the damage is major or long term, requiring more than simple restoration of information and information resources. BCP establishes critical business functions at an alternate site. Contingency Planning
Risk is the likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability
FFIEC addresses the need for: Risk Based assessments Customer Awareness Enhanced Security Measures to authenticate customers using Internet-based products and services Focus is on products and services that process high risk transactions involving access to non-public private information or the movement of funds to other parties Guidance Recommends: Perform Risk Assessment Identify high risk areas Outline other steps including mitigation and remediation FFIEC Purpose
The guidance dictates no particular form of additional authentication Authentication can be combinations of : What a customer knows (e.g. a password/PIN, shared secrets); What a customer has (e.g. a token card); and What a person is (e.g., biometrics) Multiple factors can be from the same factor type which means you could construct an authentication program that includes two or more different categories of what users know (e.g., password and challenge response.) Single-factor authentication, when used as the only control mechanism, is deemed inadequate for high-risk transactions FFIEC Key Points
No prescribed risk assessment process Each company has to design its risk assessment process. No endorsement of specific technologies. Access Entry Point Available Actions Data Accessible / Displayed Authentication Method Types of Data Transaction Type FFIEC Risk Assessment
Type of Data Critical = 3 Could be used for identity theft; includes SSN, name and DOB (must include all three) Other NPPI = 2 Includes NPPI; may be SSN, name or DOB Informational = 1 All other data including loan information Transaction Type Transaction Type Initiate financial transaction = 3 Make a payment, apply for a loan Modify account information = 2 Modify demographic or other loan data Inquire = 1 View data only Risk Rating High = 7 – 9 points Medium = 4 – 6 points Low = 1 – 3 points Risk Factor
Questions? Jody L. W. Angelini 717 720-3337 jangelin@aessuccess.org Thank You!
Privacy and Security Tera Kolvenbach Vice President, Compliance Wachovia Education Finance April 23, 2007
Compliance Perspective: “You are only as strong as your weakest link” How can you strengthen the links in your organization?
Three areas with possible “weak links” Internet Electronic communications Human factor
Internet authentication (FFIEC guidelines): Develop a risk-based strategy Is platform targeted? Is single ID/reusable password the “key to the kingdom”? Do you use a single authentication server? Do you have a central repository of IDs, passwords?
Other considerations in risk analysis: Type of customer Transaction capabilities Sensitivity of data Ease of using the communication method Volume of transactions
Possible strategies Multifactor (combination of 2 or more) what you know (password, PIN) what you have (tokens, ATM, Smart card) what you are (fingerprint, retinal scan) Layered approach Less secure than multifactor May be acceptable based on risk analysis
Periodic review required for potential new threats due to: Phishing Pharming Malware Sophisticated criminal element always looking for new penetration areas
Outside of authentication, multiple levels of control required to: Prevent fraud Monitor suspicious patterns Set transaction limits Safeguard customer information Timely removal of unauthorized users Management of outsourced functions
Electronic communications E-mail Is your “secure” e-mail really secure? Password protected spreadsheets? Communication of detailed policies FTP/other secured transmission sites Faxes
Human Factor “Wet” or Paper Processes at risk Manual handling inconsistencies Points of weakness (new staff, temporary workers, non-peak times) Good training, strong controls and periodic monitoring are essential
Mailing of documents/electronic media Use of vendor with tracking mechanism Tyvek or double packing Accurate manifests Brightly colored cover page with contact information
Workstation Security Passwords Locking workstations Clearing desk of confidential data Shredding documents Phone conversations (when traveling) Laptop locks and encryption
Questions? Tera Kolvenbach (916) 631-5456 tera.kolvenbach@wachovia.com Thank You!