
Privacy and Security Yvonne Geibel Assistant Vice President of Human Resources AES April 23, 2007

This presentation explores strategies for privacy and security in the workplace, including prevention, detection, and investigation of misuse, as well as the importance of establishing corporate policies and monitoring employee activities. It also discusses the potential risks and costs associated with non-work-related internet use.





Presentation Transcript


  1. Privacy and Security Yvonne Geibel Assistant Vice President of Human Resources AES April 23, 2007

  2. Workplace E-mail and Internet Use: Protecting Employer and Employee

  3. Information Security Strategy
     • Prevention
     • Detection
     • Investigation
     • Reporting

  4. Prevention
     • Corporate Policy
     • Acceptable and Unacceptable Practices
     • Employer and Employee Protection
     • Monitoring Employees

  5. Business Purpose for Monitoring
     • Preventing Misuse of Resources
     • Preventing Lawsuits
     • Protecting Records
     • Protecting Company Assets

  6. Establishing Ownership of Technology
     • Reduces Expectation of Privacy
     • Clarifies Employer’s Rights

  7. Detection
     • Reduce Risk
     • Security
     • Legal Protection
     • Cost

  8. Studies Show:
     • 30 to 40 percent of employee Internet activity is non-work-related (IDC)
     • 50% of respondents spent more than 10% of their work time surfing the Web for personal reasons, which equals roughly four hours per week, or nearly nine days per year (SonicWALL)
     • Misuse of the Internet in the workplace costs businesses $63 billion in lost productivity annually (Websense Inc.)
     • More than 75% of respondents have accidentally visited pornographic Web sites at work. Sources for such accidents include popup windows (55%), misrepresented links (52%), misspelled URLs (48%), and e-mail autolinks (23%) (SonicWALL)
     • 16% of respondents have knowingly surfed pornography sites at work. 40% have seen coworkers surf porn sites, which offended 68% of those respondents (SonicWALL)
     • 91% of respondents have seen people shopping online (SonicWALL)

  9. Investigation
     • Security Officer
     • Obtain Legal Advice
     • Identify Course of Action
     • Levels of Consequences
     • Protect Employees

  10. Reporting
     • Security Breaches
     • Actions Taken
     • Shared and Reviewed by Appropriate Parties
     • Effectiveness

  11. Creating Effective Policies
     • Be as detailed as possible
     • If you say you are going to do it, then do it
     • Policies must be enforceable

  12. Closing Thoughts
     • Employers have the right to, and should, decide how their property is used
     • Include legal counsel and Human Resources
     • Determine what makes the most business sense
     • The risk of monitoring may be less than the risk of not monitoring

  13. References
     • Declan, C.L. & France, A.H. Workplace monitoring: balancing business interests with employee privacy rights. SHRM Legal Report. [Retrieved on-line 02/16/2007]. Available: http://www.shrm.org/hrresources/lrpt_published/CMS_005109.asp
     • Wakefield, R.L. Computer monitoring and surveillance. The CPA Journal. [Retrieved on-line 02/16/2007]. Available: http://www.nysscpa.org/printversions/cpaj/2004/704/p52.htm
     • Olsen, J.W. How to control employees’ internet use. InformationWeek. [October 27, 2005]. [Retrieved on-line 02/16/2007]. Available: http://www.informationweek.com/story/showArticle.jhtml?articleID=172901080
     • Muhl, C.J. Workplace e-mail and internet use: employees and employers beware. Monthly Labor Review. [February 2003]. [Retrieved on-line 02/20/2007]. Available: http://findarticles.com/p/articles/mi_m1153/is_2_126/ai_100729675
     • Zeidner, R. An hour a day goes to cyberslacking, study says. HR Technology Forum. [August 2005]. [Retrieved on-line 02/16/2007]. Available: http://www.shrm.org/hrtx/library_published/nonIC/CMS_013758

  14. Questions? Yvonne Geibel (717) 720-3475 ygeibel@aessuccess.org Thank You!

  15. Privacy and Security Jody Angelini Vice President, Enterprise Security Office AES April 23, 2007

  16. How to Develop a Security Program
     • Assessment of what needs protection
     • Procedures to manage and control risk
     • Written Policies
     • Periodic Risk Analysis
     • Incident Response Plan
     Factors to consider:
     • Probability and severity of potential risks
     • Company size and capabilities
     • Nature and scope of business activities
     • Nature and sensitivity of information
     • Company’s infrastructure
     • Costs of security measures

  17. What Categories Should Security Measures Address?
     • Physical access
     • Technical access (e.g., Internet)
     • How breaches are detected
     • Employee procedures, including laptops and telecommuting
     • System modification
     • Data integrity, confidentiality and storage
     • Data destruction
     • Audit controls
     • Contingency plan
     • Incident Response plan

  18. Monitoring and Testing
     • Periodic assessments of security measures
     • Monitor compliance with security program
     Program Maintenance: Review and Adjustments
     • Results of testing and monitoring
     • Material changes to business
     • Changes in technology
     • Changes in internal/external threats
     • Environmental or operational changes

  19. Security Posture to Guard Against Unauthorized Entities
     • Laptop Encryption
     • Email Encryption
     • Email Retention
     • Email Quarantine
     • Workstation Endpoint Device Blocker
     • Network Forensics
     • Tapes to Transmissions
     • Contingency Plan

  20. Laptop Encryption
     • Every 12 seconds, a PC is lost or stolen — most with confidential or sensitive information.
     • Full hard disk encryption software encrypts your laptop's hard disk drive so data thieves cannot read your files.
     • Encrypting the entire drive renders the data undecipherable to unauthorized users.
     • Combine the security of full disk encryption with pre-boot authentication.
     • Pre-boot user authentication forces the laptop owner to provide credentials before the operating system loads, guaranteeing a secure environment before Windows starts.
     • Easy administration from a central console

  21. Email Encryption
     • Secures external email communication
     • Mitigates the risks of legal liability
     • Reduces the risk of security breaches
     • Enforces email use policies

  22. Email Retention
     • Liability – Must have an email retention policy that meets legal requirements.
     • Security – An email policy is no longer enough. The policy must enlist the latest technology to enforce security measures.
     • Regulation – Many new government regulations affect how we must store and protect information, including email.
     • Compliance – Capturing all messages in a tamper-proof, secure store, ensuring compliance obligations can be met.
     • Discovery – Providing the ability to search across the entire store to find an email message or attachment to or from anyone in the organization, sent within or outside of that organization, ensuring discovery requests can be met.
     • Archiving – Efficiently managing the storage of email data, and ensuring access to those messages important to the business.

  23. Email Quarantine
     • High-performance filtering appliance that blocks unwanted email
     • Filters spam, viruses, and unwanted images
     • The appliance is pre-configured with default spam-stopping rules that are easily customized for your organization.

  24. Workstation Endpoint Device Blocker
     • Provides organizations with the visibility they need to identify and effectively manage endpoint vulnerabilities.
     • Current and historical audits – reports all devices currently or previously connected to any endpoint
     • Precise device identification – gathers detailed device information, allowing security policies to be tailored to exact vulnerabilities
     • Enforces security policies by blocking the use of any unauthorized hardware. Unauthorized hardware could be any device plugged into your USB, PCMCIA, serial, or parallel ports. Examples: iPods, external hard drives, flash drives, digital cameras, and non-company printers. In addition, CD-ROM and floppy drives are restricted to read-only.

  25. Network Forensics
     • Allows you to respond rapidly to computer security breaches.
     • This system allows immediate ‘snapshots’ of the state of a computer to determine if a compromise has occurred.
     • If needed, a forensically sound backup of the system can be made and provided to law enforcement or investigators to assist in the incident response.
     • With this system, you can guarantee that the evidence from a potential breach is collected in a professionally and legally sound manner that is admissible in both civil and criminal proceedings.
     • More importantly, it allows you to conduct investigations into alleged abuse of computer systems, malicious software infections, and potential security incidents in an automated, efficient manner.

  26. Tapes to Transmission
     • Federal law requires organizations to take appropriate steps to protect Non-Public Personal Information (NPPI) and prevent its disclosure to unauthorized parties.
     • With the threat of data theft and the demands of regulatory compliance, organizations should eliminate tape cartridges and CDs and move to secure file transmissions.
     • NPPI is personally identifiable financial information that: (1) the customer or potential customer provides to the organization; (2) results from any transaction with the customer or any service we performed for the customer; or (3) is otherwise obtained by the organization.

  27. Contingency Planning
     • Prepared by the organization to anticipate, react to, and recover from events that threaten the security of information and information assets in the organization, and subsequently to restore the organization to normal modes of business operations.
     • The Incident Response Plan (IRP), Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) are subsets of the overall Contingency Plan.
     • The IRP focuses on immediate response, but if the attack escalates or is disastrous (e.g., fire, flood, earthquake, or total blackout) the process moves on to the disaster recovery and business continuity plans.
     • The DRP typically focuses on restoring systems at the original site or an alternative site after disasters occur, and as such is closely associated with the BCP.
     • The BCP runs concurrently with the DRP when the damage is major or long term, requiring more than simple restoration of information and information resources. The BCP establishes critical business functions at an alternate site.

  28. Risk is the likelihood of the occurrence of a vulnerability, multiplied by the value of the information asset, minus the percentage of risk mitigated by current controls, plus the uncertainty of current knowledge of the vulnerability:
     Risk = (likelihood of vulnerability occurrence × value of the information asset) − (percentage of risk mitigated by current controls) + (uncertainty of current knowledge of the vulnerability)

  29. FFIEC Purpose
     FFIEC addresses the need for:
     • Risk-based assessments
     • Customer awareness
     • Enhanced security measures to authenticate customers using Internet-based products and services
     The focus is on products and services that process high-risk transactions involving access to non-public private information or the movement of funds to other parties.
     Guidance recommends:
     • Perform a risk assessment
     • Identify high-risk areas
     • Outline other steps, including mitigation and remediation

  30. FFIEC Key Points
     • The guidance dictates no particular form of additional authentication.
     • Authentication can be combinations of: what a customer knows (e.g., a password/PIN, shared secrets); what a customer has (e.g., a token card); and what a person is (e.g., biometrics).
     • Multiple factors can be from the same factor type, which means you could construct an authentication program that includes two or more different categories of what users know (e.g., password and challenge response).
     • Single-factor authentication, when used as the only control mechanism, is deemed inadequate for high-risk transactions.

  31. FFIEC Risk Assessment
     • No prescribed risk assessment process: each company has to design its own risk assessment process.
     • No endorsement of specific technologies.
     • Access Entry Point
     • Available Actions
     • Data Accessible / Displayed
     • Authentication Method
     • Types of Data
     • Transaction Type

  32. Risk Factor
     Type of Data
     • Critical = 3: could be used for identity theft; includes SSN, name and DOB (must include all three)
     • Other NPPI = 2: includes NPPI; may be SSN, name or DOB
     • Informational = 1: all other data, including loan information
     Transaction Type
     • Initiate financial transaction = 3: make a payment, apply for a loan
     • Modify account information = 2: modify demographic or other loan data
     • Inquire = 1: view data only
     Risk Rating
     • High = 7 – 9 points
     • Medium = 4 – 6 points
     • Low = 1 – 3 points

  33. Questions? Jody L. W. Angelini 717 720-3337 jangelin@aessuccess.org Thank You!

  34. Privacy and Security Tera Kolvenbach Vice President, Compliance Wachovia Education Finance April 23, 2007

  35. Compliance Perspective: “You are only as strong as your weakest link” How can you strengthen the links in your organization?

  36. Three areas with possible “weak links”
     • Internet
     • Electronic communications
     • Human factor

  37. Internet authentication (FFIEC guidelines): develop a risk-based strategy
     • Is the platform targeted?
     • Is a single ID/reusable password the “key to the kingdom”?
     • Do you use a single authentication server?
     • Do you have a central repository of IDs and passwords?

  38. Other considerations in risk analysis:
     • Type of customer
     • Transaction capabilities
     • Sensitivity of data
     • Ease of using the communication method
     • Volume of transactions

  39. Possible strategies
     • Multifactor (combination of 2 or more):
       – what you know (password, PIN)
       – what you have (tokens, ATM, smart card)
       – what you are (fingerprint, retinal scan)
     • Layered approach:
       – less secure than multifactor
       – may be acceptable based on risk analysis
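As an added worked example (not part of the presentation and not any speaker's own tool), the following Python puts slide 32's scoring rubric next to the factor rule of slides 30 and 39: it scores an access entry point by Type of Data and Transaction Type, bands the total into High/Medium/Low, classifies an authentication design as multifactor, layered (two or more mechanisms from one category, slide 39's term) or single-factor, and flags single-factor on a High rating as inadequate. The two factors shown on slide 32 total at most 6, so the High band (7–9) implies at least one more scored factor (slide 31 lists Authentication Method among the inputs); this example accepts such extra 1–3 scores as an assumption. The mechanism-to-category table and the sample access points are constructed for this example.

```python
"""Added example: FFIEC-style risk rating (slide 32) plus the authentication
factor rule (slides 30 and 39). Not part of the original presentation.
Mechanism names, the optional extra factor scores and the sample access
points below are assumptions constructed for this example."""
from typing import Dict, Iterable, Sequence, Tuple

# Slide 32: a record is "Critical" only when SSN, name and DOB are all present;
# any one of them on its own is "Other NPPI".
IDENTITY_THEFT_TRIAD = frozenset({"ssn", "name", "dob"})

TRANSACTION_SCORES: Dict[str, int] = {
    "initiate": 3,  # initiate financial transaction: make a payment, apply for a loan
    "modify": 2,    # modify account information: demographic or other loan data
    "inquire": 1,   # view data only
}

# Assumed mapping of mechanisms to the three factor categories of slide 30.
FACTOR_CATEGORY: Dict[str, str] = {
    "password": "know", "pin": "know", "shared_secret": "know", "challenge_response": "know",
    "token_card": "have", "smart_card": "have", "atm_card": "have",
    "fingerprint": "are", "retinal_scan": "are",
}


def data_score(elements: Iterable[str]) -> int:
    """Type of Data: Critical = 3, Other NPPI = 2, Informational = 1."""
    present = {e.lower() for e in elements}
    if IDENTITY_THEFT_TRIAD <= present:   # all three of SSN, name, DOB
        return 3
    if present & IDENTITY_THEFT_TRIAD:    # any one of them
        return 2
    return 1


def transaction_score(kind: str) -> int:
    """Transaction Type: initiate = 3, modify = 2, inquire = 1."""
    try:
        return TRANSACTION_SCORES[kind.lower()]
    except KeyError:
        raise ValueError(f"unknown transaction type: {kind!r}") from None


def risk_rating(points: int) -> str:
    """Risk Rating bands from slide 32: High 7-9, Medium 4-6, Low 1-3."""
    if 7 <= points <= 9:
        return "High"
    if 4 <= points <= 6:
        return "Medium"
    if 1 <= points <= 3:
        return "Low"
    raise ValueError(f"{points} points falls outside the 1-9 rubric")


def score_access_point(elements: Iterable[str], kind: str,
                       extra_factor_scores: Sequence[int] = ()) -> Tuple[int, str]:
    """Sum the factor scores and band the total.

    extra_factor_scores holds assumed 1-3 scores for further factors
    (e.g. Authentication Method), without which the High band is unreachable.
    """
    for s in extra_factor_scores:
        if not 1 <= s <= 3:
            raise ValueError("each factor is scored 1-3")
    points = data_score(elements) + transaction_score(kind) + sum(extra_factor_scores)
    return points, risk_rating(points)


def authentication_strength(mechanisms: Sequence[str]) -> str:
    """'multifactor' needs two or more distinct categories; two or more
    mechanisms from a single category is 'layered'; one mechanism is
    'single-factor'. Unknown mechanism names raise KeyError."""
    categories = [FACTOR_CATEGORY[m.lower()] for m in mechanisms]
    if len(set(categories)) >= 2:
        return "multifactor"
    if len(categories) >= 2:
        return "layered"
    return "single-factor"


def authentication_adequate(rating: str, mechanisms: Sequence[str]) -> bool:
    """Slide 30: single-factor as the only control is inadequate for high-risk
    transactions. A layered design on a High rating passes here but, per
    slide 39, should be justified by the risk analysis."""
    return not (rating == "High" and authentication_strength(mechanisms) == "single-factor")


if __name__ == "__main__":
    # Constructed sample access points: description, data elements, transaction,
    # assumed extra factor scores, authentication mechanisms.
    samples = [
        ("loan application form", {"ssn", "name", "dob", "income"}, "initiate", (3,), ["password"]),
        ("update mailing address", {"name", "address"}, "modify", (), ["password", "challenge_response"]),
        ("view loan balance", {"loan_balance"}, "inquire", (), ["password"]),
    ]
    for desc, elems, kind, extra, mechs in samples:
        points, rating = score_access_point(elems, kind, extra)
        print(f"{desc:24s} {points} pts {rating:6s} {authentication_strength(mechs):13s} "
              f"adequate={authentication_adequate(rating, mechs)}")
```

Run as a script, the three constructed access points come out as 9 points/High with single-factor (inadequate), 4 points/Medium with a layered design, and 2 points/Low with single-factor; the unknown-mechanism KeyError and the out-of-range ValueError are deliberate so that a misconfigured rubric fails loudly rather than silently scoring Low.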

  40. Periodic review required for potential new threats due to:
     • Phishing
     • Pharming
     • Malware
     • A sophisticated criminal element always looking for new penetration areas

  41. Outside of authentication, multiple levels of control are required to:
     • Prevent fraud
     • Monitor suspicious patterns
     • Set transaction limits
     • Safeguard customer information
     • Remove unauthorized users in a timely manner
     • Manage outsourced functions
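Three of the controls on slide 41 (transaction limits, monitoring suspicious patterns, timely removal of unauthorized users) can be expressed as checks over a transaction feed and a user list. The Python below is an added example, not part of the presentation or any speaker's system; the limit values, the ten-minute velocity window, the one-day removal grace period and the sample transfers and user records are all constructed for this example.

```python
"""Added example for slide 41: transaction limits, suspicious-pattern monitoring
and timely removal of unauthorized users, run over constructed sample records.
Not part of the presentation; limits, window, grace period and records are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Transfer:
    when: datetime
    user: str
    amount: float
    payee: str


# Assumed policy values for this example.
PER_TRANSFER_LIMIT = 5_000.00
DAILY_LIMIT = 10_000.00
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_MAX_NEW_PAYEES = 3          # this many first-time payees inside the window is suspicious
REMOVAL_GRACE = timedelta(days=1)    # access must be gone within a day of termination


def check_transfers(transfers: Iterable[Transfer]) -> List[str]:
    """Return one alert per violated control, in chronological order."""
    alerts: List[str] = []
    daily_totals: Dict[Tuple[str, date], float] = defaultdict(float)
    known_payees: Dict[str, Set[str]] = defaultdict(set)
    recent_new_payees: Dict[str, List[datetime]] = defaultdict(list)

    for t in sorted(transfers, key=lambda x: x.when):
        # Control 1: per-transfer limit.
        if t.amount > PER_TRANSFER_LIMIT:
            alerts.append(f"{t.user}: transfer {t.amount:.2f} exceeds per-transfer limit")
        # Control 2: cumulative daily limit (fires on each transfer past the limit).
        key = (t.user, t.when.date())
        daily_totals[key] += t.amount
        if daily_totals[key] > DAILY_LIMIT:
            alerts.append(f"{t.user}: daily total {daily_totals[key]:.2f} exceeds daily limit")
        # Control 3: suspicious pattern - a burst of first-time payees.
        if t.payee not in known_payees[t.user]:
            known_payees[t.user].add(t.payee)
            window = [w for w in recent_new_payees[t.user] if t.when - w <= VELOCITY_WINDOW]
            window.append(t.when)
            recent_new_payees[t.user] = window
            if len(window) >= VELOCITY_MAX_NEW_PAYEES:
                minutes = int(VELOCITY_WINDOW.total_seconds() // 60)
                alerts.append(f"{t.user}: {len(window)} new payees within {minutes} minutes")
    return alerts


def overdue_removals(active_users: Iterable[str], terminated_on: Dict[str, datetime],
                     now: datetime, grace: timedelta = REMOVAL_GRACE) -> List[str]:
    """Accounts still active more than `grace` after the user's termination date."""
    return sorted(u for u in active_users
                  if u in terminated_on and now - terminated_on[u] > grace)


# Constructed sample data.
SAMPLE_TRANSFERS = [
    Transfer(datetime(2007, 4, 23, 9, 0), "alice", 6000.00, "payee-a"),
    Transfer(datetime(2007, 4, 23, 9, 2), "alice", 3000.00, "payee-b"),
    Transfer(datetime(2007, 4, 23, 9, 5), "alice", 2000.00, "payee-c"),
    Transfer(datetime(2007, 4, 23, 9, 30), "bob", 100.00, "payee-a"),
]
SAMPLE_ACTIVE_USERS = {"alice", "bob", "carol"}
SAMPLE_TERMINATED = {"carol": datetime(2007, 4, 20), "dave": datetime(2007, 4, 22)}
SAMPLE_NOW = datetime(2007, 4, 23, 9, 0)


if __name__ == "__main__":
    for line in check_transfers(SAMPLE_TRANSFERS):
        print("ALERT", line)
    print("overdue removals:", overdue_removals(SAMPLE_ACTIVE_USERS, SAMPLE_TERMINATED, SAMPLE_NOW))
```

On the sample feed the checks produce three alerts for alice (a single transfer over the per-transfer limit, a daily total of 11,000 over the daily limit, and three first-time payees inside ten minutes) and none for bob; carol, terminated three days earlier but still active, is the one overdue removal, while dave is terminated but already disabled.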

  42. Electronic communications
     • E-mail: is your “secure” e-mail really secure? Password-protected spreadsheets?
     • Communication of detailed policies
     • FTP/other secured transmission sites
     • Faxes

  43. Human Factor
     • “Wet” or paper processes at risk
     • Manual handling inconsistencies
     • Points of weakness (new staff, temporary workers, non-peak times)
     • Good training, strong controls and periodic monitoring are essential

  44. Mailing of documents/electronic media
     • Use of a vendor with a tracking mechanism
     • Tyvek or double packing
     • Accurate manifests
     • Brightly colored cover page with contact information

  45. Workstation Security
     • Passwords
     • Locking workstations
     • Clearing desk of confidential data
     • Shredding documents
     • Phone conversations (when traveling)
     • Laptop locks and encryption

  46. Questions? Tera Kolvenbach (916) 631-5456 tera.kolvenbach@wachovia.com Thank You!
