information security’s new partner: privacy - isaca.org · pdf file... data ethics llc...
Post on 06-Mar-2018
220 Views
Preview:
TRANSCRIPT
Information Security’s New Partner: Privacy
A Presentation for:
ISACA WNY Controls and Compliance Conference 2017
by:
Brandan Keaveny, Ed.D., CIPM
Copyright 2017, Data Ethics LLC 1
Objectives
Participants will
1) be able to identify where privacy and security processes overlap and where they are different.
2) be able to identify different types of privacy management considerations.
3) relate the concepts of privacy to a reality based scenario.
4) be introduced to the IAPP, and be knowledgeable about the efforts occurring to form a regional chapter.
Copyright 2017, Data Ethics LLC 2
Privacy in Context, A Video Scenario
Copyright 2017, Data Ethics LLC 3
Privacy in Context-Things to Consider
• Is this situation a privacy issue or a security issue or both?
• What are the differences between privacy and security?
Copyright 2017, Data Ethics LLC 4
Privacy in Context-Things to Consider
• Is this situation a privacy issue or a security issue or both?
• What are the differences between privacy and security?
Copyright 2017, Data Ethics LLC 5
Defining privacy
• 1a : the quality or state of being apart from company or observation : SECLUSION
1b : freedom from unauthorized intrusion <one's right to privacy>
• 2 archaic : a place of seclusion
• 3a : SECRECY
3b : a private matter : SECRET
Source: Privacy. (n.d.). Retrieved February 8, 2017, from https://www.merriam-webster.com/dictionary/privacy
Copyright 2017, Data Ethics LLC 6
Further refining the definition:
• General: the right to be free from secret surveillance and to determine whether, when, how, and to whom, one's personal or organizational information is to be revealed.
• In specific, privacy may be divided into four categories
1. Physical: restriction on others to experience a person or situation through one or more of the human senses;
2. Informational: restriction on searching for or revealing facts that are unknown or unknowable to others;
3. Decisional: restriction on interfering in decisions that are exclusive to an entity;
4. Dispositional: restriction on attempts to know an individual's state of mind.
Source: privacy. BusinessDictionary.com. Retrieved February 04, 2017, from BusinessDictionary.com website: http://www.businessdictionary.com/definition/privacy.html
Copyright 2017, Data Ethics LLC 7
Classes of Privacy
As defined by Banisar and Davies:
• Information privacy, involving the establishment of rules governing the collection and handling of personal data such as credit information and medical records;
• Bodily privacy, concerning the protection of people's physical beings against invasive procedures such as drug testing and cavity searches;
• Privacy of communications, covering the security and privacy of mail, telephones, email and other forms of communication; and
• Territorial privacy, concerning the setting of limits on intrusion into the domestic and other environments such as the workplace or public space.
Source: Banisar, D. & Davies, S. (1999). Global trends in privacy protection: An International survey of privacy, data protection, and surveillance laws and developments. John Marshall Journal of Computer & Information Law 18.
Copyright 2017, Data Ethics LLC 8
What is the relationship between privacy and security?
Security aims to ensure the confidentiality, integrity and availability of data as stored, transmitted and used
Privacy addresses the rights of individuals to control how and to what extent information about them—is collected and further processed.
Copyright 2017, Data Ethics LLC 9
Source: Densmore, R (2013). Privacy Program Management: Tools for Managing Privacy Within Your Organization. Portsmouth, NH: International Association of Privacy Professionals.
Privacy Depends on Security
Condition Privacy Security
The server is not secure.
Someone with legitimate access provided information to someone else
✓
Someone with legitimate access at the time obtains information and then shares information at a later date.
✓
• A network environment can be secure, however how the information obtained may lead to the disclosure of private information.
• If a network environment is not secure, there is no way privacy can be assured.
• Hacking v. Leaking
Copyright 2017, Data Ethics LLC 10
What is the relationship between privacy and security?
Information security and privacy practices exist within a mutual space of data protection.
Copyright 2017, Data Ethics LLC 11
Back to the Scenario: Privacy in Context
Problem: Several days after the debate records are leaked to the media showing that the young candidate was suspended as a sophomore in high school for cyber bullying.
Situation: An attorney for the candidate contacts you for consultation as to how this information could have been obtained.
Question: How do you respond?
Copyright 2017, Data Ethics LLC 12
Are these valid questions?
• Were the school district databases hacked?
• Did someone from the school district have legitimate access to the database?
• Did someone at one time have legitimate access, archive information locally, and then lost a copy of the data?
Copyright 2017, Data Ethics LLC 13
Are these valid questions?
• Were the school district databases hacked?
• Did someone from the school district have legitimate access to the database?
• Did someone at one time have legitimate access, archive information locally, and then lost a copy of the data?
Copyright 2017, Data Ethics LLC 14
NYS Information Security Breach and Notification Act
• The NYS Information Security Breach and Notification Act is comprised of section 208 of the State Technology Law and section 899-aa of the General Business Law.
• State entities and persons or businesses conducting business in New York who own or license computerized data which includes private information must disclose any breach of the data to New York residents (state entities are also required to notify non-residents)
Source: New York State Office of Information Technology Services (https://its.ny.gov/eiso/breach-notification)
Copyright 2017, Data Ethics LLC 15
NYS Information Security Breach and Notification Act§899-aa of the General Business Law
• Personal Information shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such a natural person.
• Private Information shall mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:• Social Security number• Driver’s license number or non-driver identification card number • Account number, credit or debit card number, in combination with any required security
code, access code, or password that would permit access to an individual’s financial account.
Source: New York State Office of Information Technology Services (https://its.ny.gov/eiso/breach-notification)
Copyright 2017, Data Ethics LLC 16
NYS Information Security Breach and Notification Act§899-aa of the General Business Law
• Under section 899-aa of the General Business Law, a person or business conducting business in New York must also notify three (3) NYS offices: the NYS Attorney General; the NYS Division of State Police; and the Department of State's Division of Consumer Protection.
• Notification Requirements to those individuals affected by the breach
Source: New York State Office of Information Technology Services (https://its.ny.gov/eiso/breach-notification)
Copyright 2017, Data Ethics LLC 17
Taking the first step to implementing a Privacy Program
• Does your organization/business have a privacy statement that is derived from a privacy policy?
• Components of a Privacy Policy
Copyright 2017, Data Ethics LLC 18
www.iapp.org
About the IAPP
• A global community for privacy professionals to connect, share best practices, advance privacy management issues and exchange ideas
• More than 26,000 members spanning 88 countries
• A resource that provides services, education, networking, conferences and certification addressing the latest privacy trends and challenges
www.iapp.org
KnowledgeNet ChaptersMeet other privacy pros in your area, network and learn something new.
• 75+ chapters worldwide
• 200+ chapter activities held worldwide per year
• Free for members, guests and non-members are allowed to attend one meeting as space allows
• Earn free CPE credits
Learn more: www.iapp.org/connect/communities/chapters
www.iapp.org
Contact Information
• www.DataEthics.net
• 585-270-1981
• accountability@dataethics.net
Copyright 2017, Data Ethics LLC 22
top related