Privacy and IT Security American Society of Access Professionals Presented by Samuel P. Jenkins,...

Privacy and IT Security

American Society of Access Professionals

Presented by

Samuel P. Jenkins, Director, Defense Privacy Office

February 2010

2


Agenda: Fair Information Practice Principles Laws and Statutes of Privacy and Security Privacy Defined IT Security Defined Annual FISMA Reporting Chief Information

Officer Questions PIA/SORN Essential Elements Crosswalk Conclusion - The Way Ahead


Fair Information Practice Principles

3

Privacy and IT Security –Fair Information Practice Principles

4

GAO-08-536 (May 2008)“Alternatives Exist for Enhancing Protection of Personally Identifiable Information”


Principle Description

Collection limitation

The collection of personal information should be limited, should be obtained by lawful and fair means, and, where appropriate, with the knowledge or consent of the individual.

Data quality Personal information should be relevant to the purpose for which it is collected, and should be accurate, complete, and current as needed for that purpose.

Purpose specification

The purposes for the collection of personal information should be disclosed before collection and upon any change to that purpose, and its use should be limited to those purposes and compatible purposes.

Use limitation Personal information should not be disclosed or otherwise used for other than a specified purpose without consent of the individual or legal authority.

Privacy and IT Security –Fair Information Practice Principles

5


Principle Description

Security safeguards Personal information should be protected with reasonable security safeguards against risks such as loss or unauthorized access, destruction, use, modification, or disclosure.

OpennessThe public should be informed about privacy policies and practices, and individuals should have ready means of learning about the use of personal information.

Individual participation Individuals should have the following rights: to know about the collection of personal information, to access that information, to request correction, and to challenge the denial of those rights.

Accountability

Individuals controlling the collection or use of personal information should be accountable for taking steps to ensure the implementation of these principles.

GAO-08-536 (May 2008)“Alternatives Exist for Enhancing Protection of Personally Identifiable Information”


Laws and Statutes of Privacy and Security

6

7


Origin of Federal Information Security Management Act (FISMA):

From The E-Government Act of 2002 (Section 208 of Public Law 107-347) passed by the 107th Congress and signed into law by the President on 17 December 2002.

Recognized the importance of information security to the economic and national security interests of the United States.

Privacy and IT Security E-Government Act of 2002, Public Law 107- 347

Section 208 Requirements. Agencies are required to:

conduct privacy impact assessments for electronic information systems and collections and, in general, make them publicly available (see Section II of this Guidance),

Federal Agency PIA Requirements Section 208 of the E-Government Act of 2002 requires all

agencies to conduct PIAs for all new or substantially changed information systems that collect, maintain, or disseminate PII on the public.

8

9

Privacy and IT Security Title III of the E-Government Act, entitled the Federal

Information Security Management Act of 2002 (FISMA) requires:

each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security.


Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002

Agencies must: Develop information security plans that are based on assessments of

risk/magnitude of harm that could result from unauthorized use, access, etc.

Develop security awareness training to inform employees of these plans

Periodic testing and evaluation of the effectiveness of IT security policies, procedures and practices.

Procedures for detecting, reporting and responding to security incidents

10

11


Office of Management and Budget (OMB). In support of and reinforcing this legislation, OMB

through Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires executive agencies within the federal government to:

Plan for security Ensure that appropriate officials are assigned security

responsibility Periodically review the security controls in their information

systems Authorize system processing prior to operations and, periodically,

thereafter


National Institute of Standards and Technology (NIST) Several NIST publications help agencies to

implement FISMA requirements:

Federal Information Processing Standards Publication (FIPS PUB) 199 Standards for Security Categorization of Federal Information and Information Systems

FIPS PUB 200 Minimum Security Requirements for Federal Information and Information Systems

12

ASAP Conference 13


From Report GAO-07-837 INFORMATION SECURITY, “Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses ,“ July 2007.


Privacy Defined

14

Privacy and IT Security Privacy Defined Samuel D. Warren, a Boston attorney, and

Louis D. Brandeis, a justice of the United States Supreme Court published in the Harvard Law Review their paper titled “The Right To Privacy” (December 1890)

“… the right to be let alone.” Personal control over the collection, use and

disclosure of any recorded information about an identifiable individual

The organization's responsibility for data protection and safeguarding personal information in its custody or control

15

Privacy Defined (Continued) A right of privacy has been based in the U.S.

Supreme Court's examination of the Constitution. Case law has interpreted the U.S Constitution to protect personal freedoms, such as the right to privacy under the 14th amendment. The 1st, 4th, and 5th Amendments also provide some

protection of privacy, although in all cases the right is narrowly defined.

There is also the statutory right of privacy which limits access to personal information. The right of privacy must be balanced against the agency’s

need to collect, use, maintain and disseminate information about a person and that person’s expectation of privacy


16

Privacy is the right of an individual to control your own personal information, and not have it disclosed or used by others without

permission. Confidentiality is the obligation of another party

to respect privacy by protecting personal information they receive, and preventing it from being used or disclosed without the

subject’s knowledge and permission. Security is the means used to protect the

confidentiality of personal information through physical, technical and administrative safeguards

Privacy and IT Security - Definitions for Privacy & Security

17


Information Technology (IT)

Security Defined

18


Information Technology Information technology has been defined as:

"Any equipment, or interconnected system(s) or subsystem(s) of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency.”

19

Privacy and IT Security Computer Security: A Practical Definition Defining “Computer (IT) security" is not trivial. The difficulty

lies in developing a definition that is broad enough to be valid regardless of the system being described, yet specific enough to describe what security really is. In a generic sense, security is "freedom from risk or danger."

In the context of computer science, security is the prevention of, or protection against, access to information by unauthorized recipients, and intentional but unauthorized destruction or alteration of that

information this can be re-stated: “Security is the ability of a system to protect

information and system resources with respect to confidentiality and integrity." Note that the scope of this second definition includes system resources, which include CPUs, disks, and programs, in addition to information.

20

Privacy and IT Security Computer security is not restricted to the three

broad concepts.

Additional ideas that are often considered part of the characteristics of computer security include:

Access control -- Ensuring that users access only those resources and services that they are entitled to access and that qualified users are not denied access to services that they legitimately expect to receive

Non-repudiation -- Ensuring that the originators of messages cannot deny that they in fact sent the messages

21

Privacy and IT Security Computer security characteristics include: Availability -- Ensuring that a system is

operational and functional at a given moment, usually provided through redundancy; loss of availability is often referred to as "denial-of-service"

Privacy -- Ensuring that individuals maintain the right to control what information is collected about them, how it is used, who has used it, who maintains it, and what purpose it is used for

22

Privacy and IT Security Computer Security, A Functional View Analyzing security by function can be a valuable part

of the security planning process addressing the following five areas:

Risk avoidance -- A security fundamental that starts with questions: Does my organization or business engage in activities that are too

risky? Do we really need an unrestricted Internet connection? Do we really need to computerize that secure business process? Should we standardize a desktop operating system with no access

control fundamentals?

Deterrence -- Reduces the threat to information assets through fear. Can consist of communication strategies designed to impress potential attackers of the likelihood of getting caught.

23

Privacy and IT Security Computer Security A Functional View

(Continued) Prevention -- The traditional core of computer security.

Consists of implementing safeguards and tools. Absolute prevention is theoretical, since there's a vanishing point where additional preventative measures are no longer cost-effective.

Detection -- Works best in conjunction with preventative measures. When prevention fails, detection should kick in, preferably while there's still time to prevent damage. Includes log-keeping and auditing activities

Recovery -- When all else fails, be prepared to pull out backup media and restore from scratch, or cut to backup servers and net connections, or fall back on a disaster recovery facility. Arguably, this function should be attended to before the others starting with recovery.

24

Privacy and IT Security In Summary, Security Plus Privacy Privacy is the right of individuals to control what

information is: collected about them who maintains it how it is used, who has used it, and what purpose it is used for �

Security is the ability of a system to protect information and system resources with respect to: authentication data-integrity confidentiality non-repudiation data protection

25


Annual FISMA Reporting

Chief Information Officer Questions

26

27

Privacy and IT Security -FISMA Reporting Chief Information Officer Questions FY 2009Question 1: System Inventory Identify the number of agency and contractors

systems by component and FIPS 199 impact level (low, moderate, high). Please also identify the number of systems

that are used by your agency but owned by another federal agency (i.e., ePayroll, etc.) by component and FIPS 199 impact level."

28

Privacy and IT Security -FISMA Reporting Chief Information Officer Questions FY 2009

Source: FIPS 199

29

Privacy and IT Security -FISMA Reporting Chief Information Officer Questions FY 2009

Question 2: Certification and Accreditation (C&A), Security Controls Testing, and Contingency Plan Testing.

For the Total Number of Systems identified by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested within in accordance with policy.

Please identify all systems reported as not having a C&A. You will need to provide the System Name, and Unique Project Identifier (UPI).

30

Privacy and IT Security - FISMA Reporting Chief Information Officer Questions FY 2009

Question 3: Annual Testing and Continuous Monitoring.

What tools and techniques do you use for continuous monitoring?

31

Privacy and IT Security - FISMA Reporting Chief Information Officer Questions FY 2009 Question 4: Incident Detection, Monitoring, and Response

Capabilities. What tools, techniques, technologies, etc., does the agency use for incident

detection?

How often does the agency log and monitor activities involving access to and modification of critical information? (Answer will be a range in percentages)

What percentage of systems maintain audit trails that provide a trace of user actions?

Does the agency maintain an incident handling and response capability?

What tools, techniques, technologies, etc. does the agency use for incident handling and response?

32

Privacy and IT Security - FISMA Reporting Chief Information Officer Questions FY 2009 Question 5: Security Awareness Training. Federal agencies and organizations cannot protect the

confidentiality, integrity, and availability of information in today’s highly networked systems environment without ensuring that all people involved in using and managing IT:

Understand their roles and responsibilities related to the organizational mission;

Understand the organization’s IT security policy, procedures, and practices; and

Have at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible.

33

Privacy and IT Security - FISMA Reporting Chief Information Officer Questions FY 2009 Question 6: Peer-to-Peer File Sharing Does the agency explain policies regarding

the use of peer-to-peer file sharing in information security awareness training, ethics training, or any other agency-wide training?

34

Privacy and IT Security - FISMA Reporting Chief Information Officer Questions FY 2009 Interesting Peer-to-Peer Facts There are 150 million + users of peer-to-peer software.

(Internetfilterreview.com)

Students 12-18 years old make up 41% of American P2P users. (Recording Industry Association of America)

56% of files found using innocent search terms were pornographic. (House committee on Government

Reform and General Accounting Office)

Understanding Peer-to-Peer Networking i-SAFE America Inc.

35

Privacy and IT Security - FISMA Reporting Chief Information Officer Questions FY 2009 1What is file sharing?

File sharing involves using technology that allows internet users to share files that are housed on their individual computers. Peer-to-peer (P2P) applications, such as those used to share music files, are some of the most common forms of file-sharing technology.

However, P2P applications introduce security risks that may put your information or your computer in jeopardy.

1 From US-CERT Cyber Security Tip ST05-007, produced by Mindi McDowell, Brent Wrisley, Will Dormann, Carnegie Mellon University, 2005, 2008.

36

Privacy and IT Security - FISMA Reporting Chief Information Officer Questions FY 2009 1What risks does file-sharing technology introduce?

Installation of malicious code - When you use P2P applications, it is difficult, if not impossible, to verify that the source of the files is trustworthy.

Exposure of sensitive or personal information - By using P2P applications, you may be giving other users access to personal information.

Susceptibility to attack - Some P2P applications may ask you to open certain ports on your firewall to transmit the files.

Denial of service - Downloading files causes a significant amount of traffic over the network.

Prosecution - Files shared through P2P applications may include pirated software, copyrighted material, or pornography. If you download these, even unknowingly, you may be faced with fines or other legal action.

37

Privacy and IT Security - FISMA Reporting Chief Information Officer Questions FY 2009 1How can you minimize these risks?

The best way to eliminate these risks is to avoid using P2P applications. However, if you choose to use this technology, you can follow some good security practices to minimize your risk:

use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses.

install or enable a firewall - Firewalls may be able to prevent some types of infection by blocking malicious traffic before it can enter your computer.

1 From US-CERT Cyber Security Tip ST05-007, produced by Mindi McDowell, Brent Wrisley, Will Dormann, Carnegie Mellon University, 2005, 2008.

38

Privacy and IT Security - FISMA Reporting Chief Information Officer Questions FY 2009 Question 7: Configuration Management Is there an agency wide security configuration policy? Yes or No.

If "Yes" is selected, then agency will enter systems/platforms/applications for which configuration policies exist and give status of implementation of policies.

What tools, techniques is your agency using for monitoring compliance?

Indicate the status of the implementation of FDCC at your agency Agency has documented deviations from FDCC standard

configuration. Yes/No

39

Privacy and IT Security - FISMA Reporting Chief Information Officer Questions FY 2009 Question 7: Configuration Management Federal Acquisition Regulation 2007-004 language, which modified

"Part 39—Acquisition of Information Technology", is included in all contracts related to common security settings. Yes or No.7c.3 will be eliminated

Federal Acquisition Regulation (Part 24, Protection of Privacy and Freedom of Information) 52-224-1 Privacy Act Notification 52-224-2 Privacy Act

40

Privacy and IT Security - FISMA Reporting Chief Information Officer Questions FY 2009 Question 8: Incident Reporting* How often does the agency follow documented policies

and procedures for identifying and reporting incidents internally?

How often does the agency comply with documented policies and procedures for timelines of reporting to US-CERT?

How often does the agency follow documented policies and procedures for reporting to law enforcement?

*All answers are a percentage range

41

Privacy and IT Security - FISMA Reporting Chief Information Officer Questions FY 2009 Question 9: Performance Metrics for Security Policies and

Procedures IT security metrics provide a practical approach to

measuring information security. Metrics related roles and responsibilities are dispersed

throughout an organization. Many IT security metrics can be created to measure

each aspect of the organization’s IT security. Provide three (3) outcome/output-based performance

metrics your agency uses to measure the effectiveness or efficiency of security policies and procedures.

42

Privacy and IT Security - FISMA Reporting Chief Information Officer Questions FY 2009 Question 10: Homeland Security Presidential

Directive (HSPD-12) Policy for a Common Identification Standard

for Federal Employees and Contractors Number of FISMA applications in which

federal employees and contractors are using HSPD-12 Personal Identity Verification credentials for access.


Privacy Impact Assessments (PIA)

43

44

Privacy and IT Security What is a PIA?

A “Privacy Impact Assessment (PIA)--is an analysis of how information is handled:

to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy,

to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and

to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.”

OMB 03-22 (9/26/2003), EGOV 208(b)

45

Privacy and IT Security When is a PIA Required? When PII is collected, a PIA is required for:

Existing information systems and electronic collections where a PIA has not previously been completed to include systems that collect PII about Federal personnel and contractors.

New information systems or electronic collections: Prior to developing or purchasing, and when converting paper-based records to electronic systems.

46


When is a PIA not Required?

When the information system or electronic collection: Does not collect, maintain or disseminate personal

identifying information

Is a National Security System (including systems that process classified information)


PIA/SORN Essential Elements

Crosswalk

47

48

Privacy and IT Security Privacy Impact Assessment (PIA)/

System of Record Notice (SORN) Essential Elements Crosswalk

PIA SORN

What privacy information is collected Categories of Records in the System

Why the information is collected Authority/Purpose(s)

What the intended uses are for the information

Purposes(s)

With whom the information is shared Routine Uses

What opportunities individuals have to decline to provide PII

Privacy Act Statement/Notification procedure

How information is secured Safeguards

What privacy risks need to be addressed Narrative Statement/Probable or potential effects on the privacy of individuals.

Whether a System of Records Notice (SORN) exists

(Not applicable)

49



PIA SORN

What privacy information is collected?

• Nature of the information

• Scope of the information

Categories of Records in the System

• Describe the types of individually identifiable information maintained in the system, e.g., social security number, date of birth, patient medical history, school applications

50



PIA SORN

Why is the information collected?

• Describe the purpose of the collection, e.g., verification, identification, authentication, data matching

Authority

• Describe the specific legal authority (citation and descriptive title) for maintenance of the system. Only a statute or Executive Order of the President may be cited.

51



PIA SORN

What are the intended uses for the information?

• How will the information be used to fulfill the purpose previously stated?

Purpose(s)

• Describe the purpose for which the system of records was established and uses of the information internal to the organization.

52



PIA SORN

With whom is the information shared?

• Within the Agency

• With another Federal Agency

• State or local agency

• Contractor(s)

Routine Uses

• Describe routine uses of the information outside the organization which are authorized for records in the system. Each individual routine use should identify

• the third party to whom disclosure is authorized, • the type of information to be disclosed and• the purpose of the disclosure

53



PIA SORN

What opportunities will individuals have to decline to provide PII?

• Is this collection statutorily mandated?

• If voluntary, how can individuals grant or withhold consent?

Privacy Act Statement/Notification procedure

• Does the Privacy Act Statement accurately reflect the essential elements of the data collection?

• Provide the title and office to which the individual would write to determine whether or not the system contains a record about the individual, how they access their record, and what information the individual needs to provide to verify their identity.

54



PIA SORN

How is information secured?

• Physical Controls, e.g., security guards, locks, closed circuit TV, safe

• Technical Controls, e.g., firewall, public key infrastructure (PKI) Certificates, encryption, biometrics

• Administrative Controls, e.g., backups, periodic security audits, methods to ensure only authorized persons access PII

Safeguards

• Describe all measures in place to minimize the risk of unauthorized access to or disclosure of records in the system. Identify the categories of employees who are authorized to have access to the records.

55



PIA SORNWhat privacy risks need to be addressed?

• How do information handling practices at each stage of the “information life cycle” (i.e., collection, use, retention, processing, disclosure and destruction) affect individuals’’ privacy?

• For existing information systems or electronic collections, what measures have been put in place to address identified privacy risks?

• For new information systems or collections, what measures are planned for implementation to address identified privacy risks?

Narrative Statement/Probable or potential effects on the privacy of individuals.

• What is/could be the impact on the individual as a result of this compilation of information?

• What impact would a breach of this information have on the individual?

56



PIA SORNDoes a SORN exist to correspond with the collection documented in the PIA?

Does/Do PIA(s) exist to correspond with the data collection represented by the SORN?

57


PRIVACY IMPACT ASSESSMENT (PIA)

DoD Information System/Electronic Collection Name:

DoD Component Name:

SECTION 4: REVIEW AND APPROVAL SIGNATURESPrior to the submission of the PIA for review and approval, the PIA must be coordinated by the Program Manager or designee through the Information Assurance Manager and Privacy Representative at the local level.Program Manager or Other Official Signature(to be used at Component discretion)Component Senior Information Assurance Officer Signatureor DesigneeComponent Privacy Officer SignatureComponent CIO Signature(Reviewing Official)

Source: DD Form 2930


Conclusion-Way Ahead

58

Privacy and IT Security Lessons in Privacy and Security, can they exist

together?

Quote: “The thing I think should never be lost in our discussion, is the discussion about privacy…I’ve said for along time, privacy and security are two sides of the same coin. Very clearly, without security, we have no privacy. As I was going through and discussing with leadership coming into this position, I always made sure we had a discussion about privacy.”

Also spoke about privacy, security and innovation, an often challenged viewpoint by security people.

Howard Schmidt, January 29, 2010 in first speech as White House Cybersecurity coordinator in a speech about privacy, security and innovation.

59

Privacy and IT Security Important Lessons: What Can Be Done Organizations should implement goals and

consider the following: Update privacy and security policies Be aware of how and what personal information is

collected, transmitted, and processed All need to understand their specific information

environment to control and protect it. A Privacy official needs to understand Security,

and a Security official needs to understand Privacy

Need top-down commitment to implement successful data protection programs.

60

Privacy and IT Security Conclusion-What important lessons should

we learn? IT/Security staff need to have a basic understanding of

privacy protection laws (especially the Privacy Act) Privacy staff needs to understand security laws

Which should lead to positive, transparent relationships Include records management

Ensure the information is promptly disposed of in accordance with approved records control schedules.

Could reduce potential breaches Don’t look at security issues and privacy issues in a

vacuum, they are often interrelated

61

62

Focused on meeting the information requirements of the Agency while ensuring the protection of the rights of the individual in the collection, use and dissemination of PII.

Focused on protecting the information and information systems supporting the operations and assets of an organization.

Privacy’s success is

dependent on establishment

of basic foundation for

information security.

PRIVACY SECURITY

NIST Draft Guide to Protecting the Confidentiality of (PII) (1/09)

Critical Privacy – Security Interface


63

Questions?

Date post:	14-Dec-2015
Category:	Documents
Upload:	jon-acomb
View:	214 times
Download:	1 times

Privacy and IT Security American Society of Access Professionals Presented by Samuel P. Jenkins,...

Documents