confidentiality privacy and security in pgmt

Upload: shrikrishna-kadle

Post on 10-Apr-2018

  • 8/8/2019 Confidentiality Privacy and Security in PGMT

    Confidentiality, Privacy and Security

    Simple Definitions

    Privacy: The desire of a person to control the disclosure of personal information

    Confidentiality: The ability to control release of information under an agreement that limits further release of that information

    Security: Protection of privacy and confidentiality through policies, procedures and safeguards.

    Why do they matter?

    Ethically, privacy and confidentiality are considered to be rights in our profession/culture.

    Information revealed may result in harm to interests of the organization (or its partners, customers or suppliers)

    Privacy solutions

    Forbid the collection of data that might be misused

    Allow the collection of information within a structure, but with rules and penalties for violation of collecting procedures.

    Generate policies to which individual information handlers must adhere.

    How to ensure Security?

    Security can be ensured by controlling the following:

    Availability of information

    Accountability of individuals who handle the information

    Perimeter definition for storing the information

    Rule-limited access for the intended user

    Comprehensibility and control of all the above.

    Security controls

    Management controls

    Program management/risk management

    Operational controls

    Operated by people

    Technical controls

    Operated by the computer system

    Core security policies

    Confidentiality through agreements

    Data distribution/transmission through recognised (Email, FTP, VPN etc)

    System access through defined control.

    Virus protection

    Backup and recovery

    Security training and awareness

    Security: availability

    Ensures that accurate, up-to-date information is available when needed at appropriate places

    Security: accountability

    Ensures that users are responsible for their access to and use of information based on a documented need and right to know

    Threats

    Threat 1

    Insiders who make innocent mistakes and cause accidental disclosure

    Elevator discussion, info left on screen, chart left in hallway etc.

    Counter threat 1

    Behavioral code

    Screen savers, automated logout

    Threats

    Threat 2

    Insiders who abuse their privileges

    Counter threat 2

    Deterrence

    Sanctions

    Audit

    Encryption (user must obtain access keys)

    Threats

    Threat 3

    Insiders who access information inappropriately for spite or profit

    London Times reported that anyone's electronic record could be obtained for $300

    Counter threat 3

    Audit trails

    Sanctions appropriate to crime

    Threats

    Threat 4

    Unauthorized physical intruder

    Fake Employee

    Counter threat 4

    Deterrence

    Strong technical measures (surveillance tapes)

    Strong identification and authentication measures

    Threats

    Threat 5

    Vengeful employees or outsiders bent on destruction or degradation, e.g. deletion, system damage, DoS attacks

    Latent problem

    Counter threat 5

    Obstacles

    Firewalls

    Countering threats

    Deterrence

    Create sanctions

    Depends on identification of bad actors

    Imposition of obstacles

    Firewalls

    Access controls

    Costs, decreased efficiency, impediments to appropriate access

    Activity

    Let's identify the threats specific to our project information.

    How can we counter them?