Data Safety - College Of Education – University Of Florida

Transcription

Privacy and Information Security
What's in it for me?
Fabian Andre Perez
fapv.xc@gmail.com

Agenda
I. Focus on security principles rather than specifics
II. Use common sense rather than technical terms
III. If information is in digital format, it is shockingly easy to reproduce, willingly or not
IV. Regulations, frameworks, standards, laws.
V. Information security vs. Risk Management
VI. Risk and value assessment of our activities
VII. Mitigate our risks
VIII. Monitor our controls
IX. Base our decisions on security principles
X. Follow well recognized guidelines
XI. Practical examples

I. Focus on security principles rather than specifics
– Security applies to every individual in a society.
– Security might be seen as an inconvenience until proven helpful, OR until we have to pay for the consequences.
– Security principles and concepts to apply in everyday activities.

II. Use common sense rather than technical terms
Golden rule: “always use common sense”
What are the risks and vulnerabilities?

III. If information is in digital format, it is shockingly easy to reproduce
[Figure: original (analog) and digital versions]

III. If information is in digital format, it is shockingly easy to reproduce

INFORMATION FORMAT | ANALOG | DIGITAL
| extremely hard (usually one at a time) | easy (technical details)
| extremely hard (ages with time) | easy (technical details)
| not possible (replicas usually expensive) | extremely easy (usually very cheap)
MODIFIABLE | extremely hard (usually not possible) | easy (technical details)
SECURABLE | easy (there might be financial considerations) | hard (extremely hard without affecting RESERVABILITY REPRODUCIBILITY

NOTE: The more important the information, the more difficult it is to protect it.

IV. Regulations, frameworks, standards, laws.

REGULATION | FOCUS | COMMENT
COSO | Internal Control | Committee of Sponsoring Organizations of the Treadway Commission
CobiT | IT Governance | Control Objectives for Information and related Technology
ISO 17799/27001 | Information Security | International Organization for Standardization
SOX | Financial reporting | Sarbanes & Oxley
HIPAA | Health care information | Health Insurance Portability and Accountability Act
FERPA | student education records | Family Educational Rights and Privacy Act
PCI | Credit Card Information | Payment Card Industry Data Security Standard
BASEL | International banking regulations |
State laws | |
Federal laws | |

V. Information Security vs. Risk Management
– Perfect security is not achievable.
– Instead focus on a: “Reasonable level of security that mitigates the risks to an acceptable level, to a level that we are comfortable to live with”
– How does this apply to our examples?

VI. Risk and value assessment of our activities
– What is the value of the activities we perform?
– What are the risks of these activities?
– Of these risks: What is their potential impact? And, more importantly, what is their probability of occurrence?
These analyses are critical in order to properly prioritize our activities.


VII. Mitigate our risks
Apply resources to the activities with highest priority.
To handle the risk we could:
– avoid
– mitigate
– transfer
– accept
– eliminate

VIII. Monitor our controls
“Control: The policies, procedures, practices and organizational structures designed to provide reasonable assurance that the business objectives will be achieved and undesired events will be prevented or detected”
Definition by cobitonline
The success of the controls depends on the ability to “monitor” and learn from them.

VIII. Monitor our controls
Let's review what we have learned:
– Every day we have to perform a number of activities to comply with our responsibilities.
– These activities always face risks where each risk has a potential impact and a probability of occurrence.
– Based on the value and the risk of the activity we can single out the activities that need attention and we should invest resources in order to mitigate these risks.
– We can accept, avoid, transfer or mitigate the risks, and the actions we perform to mitigate the risks are known as controls.
– The important point about controls is that they should be continuously monitored to get information on how they are performing and what to do to keep the risks at an acceptable level.
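The assess, prioritize, mitigate and monitor cycle summarized above, as an added example that is not part of the original slides. It assumes a simple scoring model (exposure = impact × probability), and the activities, figures and the acceptable level are constructed.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    activity: str
    impact: float           # loss if the event happens (constructed figure)
    probability: float      # estimated chance per year before controls, 0..1
    reduction: float = 0.0  # share of that probability the control removes

    def inherent(self):
        # Assumed scoring model: exposure = impact x probability.
        return self.impact * self.probability

    def residual(self):
        # What is left once the control does what we believe it does.
        return self.inherent() * (1.0 - self.reduction)


def prioritize(risks):
    """Highest exposure first: this is where resources are applied first."""
    return sorted(risks, key=lambda r: r.inherent(), reverse=True)


def monitor(risk, checked, effective):
    """Replace the believed control strength with what monitoring observed.

    checked   -- how many times the control was examined (e.g. laptops audited)
    effective -- how many of those times it was actually working
    """
    if checked:
        risk.reduction = effective / checked
    return risk.residual()


def needs_attention(risks, acceptable):
    """Activities whose residual risk is above the level we agreed to live with."""
    return [r.activity for r in risks if r.residual() > acceptable]


# Constructed register; the control on the laptop is disk encryption (assumed).
REGISTER = [
    Risk("laptop with student records leaves the office", 200_000, 0.10, 0.90),
    Risk("grades e-mailed to the wrong recipient", 20_000, 0.50, 0.50),
    Risk("server room flood", 500_000, 0.01),
]
```

With an acceptable level of 6,000 nothing is flagged until an audit finds only 6 of 10 laptops encrypted; the laptop risk then rises above the threshold even though its impact and probability never changed.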

IX. Base our decisions on security principles
Design principles from “The Protection of Information in Computer Systems” by J. Saltzer and M. Schroeder:
– principle of least privilege
– principle of fail safe defaults
– economy of mechanism
– complete mediation
– open design
– separation of privilege
– least common mechanism
– psychological acceptability

IX. Base our decisions on security principles
1. The principle of least privilege states that a subject should be given only those privileges necessary to complete the assigned activity and nothing else.

IX. Base our decisions on security principles
2. The principle of fail safe defaults states that a subject should be given only those privileges necessary to complete the assigned activity and nothing else.

IX. Base our decisions on security principles
3. The principle of economy of mechanism states that the activity should be kept as simple as possible. Simpler means less can go wrong, and if anything goes wrong the problems are easier to understand and fix.

IX. Base our decisions on security principles
4. The principle of complete mediation states that in any activity every action should be checked for proper permission. If permissions change after the first check, unauthorized access might occur.

IX. Base our decisions on security principles
5. The principle of open design states that security of an activity should not depend on the secrecy of its design or implementation. It should depend on the strength of its design.

IX. Base our decisions on security principles
6. The principle of separation of privilege states that critical activities must require multiple conditions to grant privilege. This is also known as separation of duty.

IX. Base our decisions on security principles
7. The principle of least common mechanism states that mechanisms that handle critical information should not be shared.

IX. Base our decisions on security principles
8. The principle of psychological acceptability states that secure activities should not add difficulty to the actions to access the information.
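Four of these principles in one small access check, as an added example that is not part of the original slides: least privilege, fail-safe defaults in Saltzer and Schroeder's sense (the decision rests on an explicit grant, so anything not granted, or any error, ends in denial), complete mediation and separation of privilege. The `Policy` and `RecordStore` classes, the subjects and the record are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Constructed policy store: subject -> set of (action, resource) grants."""
    grants: dict = field(default_factory=dict)
    critical: frozenset = frozenset({"delete"})  # actions needing a second person

    def grant(self, subject, action, resource):
        self.grants.setdefault(subject, set()).add((action, resource))

    def revoke(self, subject, action, resource):
        self.grants.get(subject, set()).discard((action, resource))

    def allowed(self, subject, action, resource, approver=None):
        try:
            # Least privilege: only an exact (action, resource) grant counts.
            if (action, resource) not in self.grants[subject]:
                return False
            if action in self.critical:
                # Separation of privilege: a different subject must approve.
                return (approver is not None and approver != subject
                        and ("approve", resource) in self.grants[approver])
            return True
        except Exception:
            # Fail-safe default: unknown subject or any error means "deny".
            return False


class RecordStore:
    def __init__(self, policy):
        self.policy = policy
        self.records = {"grades": "constructed sample record"}

    def _check(self, subject, action, name, approver=None):
        # Complete mediation: evaluated on every call, never cached.
        if not self.policy.allowed(subject, action, name, approver):
            raise PermissionError(f"{subject} may not {action} {name}")

    def read(self, subject, name):
        self._check(subject, "read", name)
        return self.records[name]

    def delete(self, subject, name, approver=None):
        self._check(subject, "delete", name, approver)
        del self.records[name]
```

Because `_check` runs on every operation, a `revoke` takes effect on the very next `read`; a version that cached the first decision would keep serving the record after the permission was withdrawn.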

X. Follow well recognized guidelines
CobiT security baseline
Information Security Survival Kit for:
– Home Users
– Professional Users
– Managers
– Executives
– Senior Executives
– Board of m?Section Home&CONTENTID 36883&TEMPLATE /ContentManagement/ContentDisplay.cfm


XI. Practical examples
Example I:
– What is the value?
– What are the risks?
– Potential impact, probability of occurrence
– How do we mitigate the risks?

XI. Practical examples
Example II:
– What is the value?
– What are the risks?
– Potential impact, probability of occurrence
– How do we mitigate the risks?


XI. Practical examples
In August 2006 Unisys, a subcontractor of the Veterans Affairs, lost a laptop with personal information pertaining to veterans. It included SSN and personally identifiable information; enough information to apply for credit cards, wireless phone accounts, etc. The White House was considering spending 160 million just to monitor whether the lost information would be used for fraud.
http://www.privacyrights.org/ar/VABreach.htm

XI. Practical examples
T. J. Maxx had a security fiasco that is being estimated to cost 4.5 billion to fix, which will probably increase because T. J. Maxx is the subject of a class action lawsuit because of owArticle.jh

XI. Practical examples
CardSystems Solutions, a credit card processing company, exposed 40 million debit and credit card accounts; this information could be used for fraud. How much did it cost to fix the problem? Well, let’s answer that saying that CardSystems does not exist ews/2005


Privacy and Information Security, what's in it for me?
– FERPA PA/
– HIPAA Training http://privacy.health.ufl.edu/training/
– UF Information Technology Security /drafts.html

Privacy and Information Security, what's in it for me?
Q&A
Fabian Andre Perez
fapv.xc@gmail.com
(352)339 4489
